[v1,1/2] tools: kwbimage: disable secure boot build without LIBCRYPTO support

The secure boot features cannot be built without 'LIBCRYPTO' enabled.
This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
changes.

Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
---

 tools/kwbimage.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali@kernel.org> a écrit :
>
> On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > changes.
> >
> > Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> > ---
> >
> >  tools/kwbimage.c | 18 ++++++++++++++++++
> >  1 file changed, 18 insertions(+)
> >
> > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > index 6abb9f2d5c..0db99dbb02 100644
> > --- a/tools/kwbimage.c
> > +++ b/tools/kwbimage.c
> > @@ -19,6 +19,7 @@
> >  #include <stdint.h>
> >  #include "kwbimage.h"
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >  #include <openssl/bn.h>
> >  #include <openssl/rsa.h>
> >  #include <openssl/pem.h>
> > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> >       EVP_MD_CTX_reset(ctx);
> >  }
> >  #endif
> > +#endif
> >
> >  /* fls - find last (most-significant) bit set in 4-bit integer */
> >  static inline int fls4(int num)
> > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> >
> >  static struct image_cfg_element *image_cfg;
> >  static int cfgn;
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >  static int verbose_mode;
> > +#endif
> >
> >  struct boot_mode {
> >       unsigned int id;
> > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> >       return count;
> >  }
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >  static int image_get_csk_index(void)
> >  {
> >       struct image_cfg_element *e;
> > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> >
> >       return e->sec_specialized_img;
> >  }
> > +#endif
> >
> >  static int image_get_bootfrom(void)
> >  {
> > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> >       }
> >  }
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >  static void kwb_msg(const char *fmt, ...)
> >  {
> >       if (verbose_mode) {
> > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> >  done:
> >       return ret;
> >  }
> > +#endif
> >
> >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> >  {
> > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> >        */
> >       headersz = sizeof(struct main_hdr_v1);
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >       if (image_get_csk_index() >= 0) {
> >               headersz += sizeof(struct secure_hdr_v1);
> >               if (hasext)
> >                       *hasext = 1;
> >       }
> > +#endif
> >
> >       cpu_sheeva = image_is_cpu_sheeva();
> >
> > @@ -1270,6 +1280,7 @@ err_close:
> >       return -1;
> >  }
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> >  {
> >       FILE *hashf;
> > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> >
> >       return 0;
> >  }
> > +#endif
> >
> >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> >                                         struct register_set_hdr_v1 *register_set_hdr,
> > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> >       struct main_hdr_v1 *main_hdr;
> >       struct opt_hdr_v1 *ohdr;
> >       struct register_set_hdr_v1 *register_set_hdr;
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >       struct secure_hdr_v1 *secure_hdr = NULL;
> > +#endif
> >       size_t headersz;
> >       uint8_t *image, *cur;
> >       int hasext = 0;
> > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >       if (image_get_csk_index() >= 0) {
> >               /*
> >                * only reserve the space here; we fill the header later since
> > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> >               *next_ext = 1;
> >               next_ext = &secure_hdr->next;
> >       }
> > +#endif
> >
> >       datai = 0;
> >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> >                                             &datai, delay);
> >       }
> >
> > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> >                                              headersz, image, secure_hdr))
> >               return NULL;
> > +#endif
> >
> >       *imagesz = headersz;
> >
> > --
> > 2.39.0
> >
>
> This is entirely wrong change as it completely skips processing of some
> command lone or config file options. It can lead to generating of broken
> images by mkimage without any notice by user or any automated CI
> testing. You really cannot randomly disable or comment some of functions
> which are currently called.

Hello,
That is true, especially since I do not know how to test my changes
regarding kwbimage. But I do not really randomly disable some
functions.
I looked at the commit that introduced the issue:

Date: Fri Jul 23 11:14:13 2021 +0200
tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream

And reverted its change. But instead of hiding the secure header usage
under the previous CONFIG_ARMADA_38X config, I used the the config
that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.

Regards,

On Saturday 21 January 2023 17:08:42 Paul-Erwan RIO wrote:
> Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali@kernel.org> a écrit :
> >
> > On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > > changes.
> > >
> > > Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> > > ---
> > >
> > >  tools/kwbimage.c | 18 ++++++++++++++++++
> > >  1 file changed, 18 insertions(+)
> > >
> > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > > index 6abb9f2d5c..0db99dbb02 100644
> > > --- a/tools/kwbimage.c
> > > +++ b/tools/kwbimage.c
> > > @@ -19,6 +19,7 @@
> > >  #include <stdint.h>
> > >  #include "kwbimage.h"
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >  #include <openssl/bn.h>
> > >  #include <openssl/rsa.h>
> > >  #include <openssl/pem.h>
> > > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> > >       EVP_MD_CTX_reset(ctx);
> > >  }
> > >  #endif
> > > +#endif
> > >
> > >  /* fls - find last (most-significant) bit set in 4-bit integer */
> > >  static inline int fls4(int num)
> > > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> > >
> > >  static struct image_cfg_element *image_cfg;
> > >  static int cfgn;
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >  static int verbose_mode;
> > > +#endif
> > >
> > >  struct boot_mode {
> > >       unsigned int id;
> > > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> > >       return count;
> > >  }
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >  static int image_get_csk_index(void)
> > >  {
> > >       struct image_cfg_element *e;
> > > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> > >
> > >       return e->sec_specialized_img;
> > >  }
> > > +#endif
> > >
> > >  static int image_get_bootfrom(void)
> > >  {
> > > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> > >       }
> > >  }
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >  static void kwb_msg(const char *fmt, ...)
> > >  {
> > >       if (verbose_mode) {
> > > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> > >  done:
> > >       return ret;
> > >  }
> > > +#endif
> > >
> > >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> > >  {
> > > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> > >        */
> > >       headersz = sizeof(struct main_hdr_v1);
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >       if (image_get_csk_index() >= 0) {
> > >               headersz += sizeof(struct secure_hdr_v1);
> > >               if (hasext)
> > >                       *hasext = 1;
> > >       }
> > > +#endif
> > >
> > >       cpu_sheeva = image_is_cpu_sheeva();
> > >
> > > @@ -1270,6 +1280,7 @@ err_close:
> > >       return -1;
> > >  }
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> > >  {
> > >       FILE *hashf;
> > > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> > >
> > >       return 0;
> > >  }
> > > +#endif
> > >
> > >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> > >                                         struct register_set_hdr_v1 *register_set_hdr,
> > > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > >       struct main_hdr_v1 *main_hdr;
> > >       struct opt_hdr_v1 *ohdr;
> > >       struct register_set_hdr_v1 *register_set_hdr;
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >       struct secure_hdr_v1 *secure_hdr = NULL;
> > > +#endif
> > >       size_t headersz;
> > >       uint8_t *image, *cur;
> > >       int hasext = 0;
> > > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> > >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >       if (image_get_csk_index() >= 0) {
> > >               /*
> > >                * only reserve the space here; we fill the header later since
> > > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > >               *next_ext = 1;
> > >               next_ext = &secure_hdr->next;
> > >       }
> > > +#endif
> > >
> > >       datai = 0;
> > >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > >                                             &datai, delay);
> > >       }
> > >
> > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> > >                                              headersz, image, secure_hdr))
> > >               return NULL;
> > > +#endif
> > >
> > >       *imagesz = headersz;
> > >
> > > --
> > > 2.39.0
> > >
> >
> > This is entirely wrong change as it completely skips processing of some
> > command lone or config file options. It can lead to generating of broken
> > images by mkimage without any notice by user or any automated CI
> > testing. You really cannot randomly disable or comment some of functions
> > which are currently called.
> 
> Hello,
> That is true, especially since I do not know how to test my changes
> regarding kwbimage. But I do not really randomly disable some
> functions.
> I looked at the commit that introduced the issue:
> 
> Date: Fri Jul 23 11:14:13 2021 +0200
> tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
> commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream
> 
> And reverted its change. But instead of hiding the secure header usage
> under the previous CONFIG_ARMADA_38X config, I used the the config
> that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.
> 
> Regards,

And that is wrong. You cannot disable calling of some functions which
has to be called based on some settings (e.g. cmdline or config file).

mkimage parses command line options from argv[] and from config file and
based on these options it generates output file.

Look at the proposed change. What you have done is that you have
randomly disabled calling of some functions which was previously called
based on the options specified in mkimage argv[].

mkimage works like any other tool, based on the cmdline supplied in the
argv[] it calls specific functions which affects generated output file.

And not calling of some functions which were previously called cause
generating of different - broken output file (because it would not match
supplied command line options).

Le sam. 21 janv. 2023 à 17:21, Pali Rohar <pali@kernel.org> a écrit :
>
> On Saturday 21 January 2023 17:08:42 Paul-Erwan RIO wrote:
> > Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali@kernel.org> a écrit :
> > >
> > > On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > > > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > > > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > > > changes.
> > > >
> > > > Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> > > > ---
> > > >
> > > >  tools/kwbimage.c | 18 ++++++++++++++++++
> > > >  1 file changed, 18 insertions(+)
> > > >
> > > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > > > index 6abb9f2d5c..0db99dbb02 100644
> > > > --- a/tools/kwbimage.c
> > > > +++ b/tools/kwbimage.c
> > > > @@ -19,6 +19,7 @@
> > > >  #include <stdint.h>
> > > >  #include "kwbimage.h"
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >  #include <openssl/bn.h>
> > > >  #include <openssl/rsa.h>
> > > >  #include <openssl/pem.h>
> > > > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> > > >       EVP_MD_CTX_reset(ctx);
> > > >  }
> > > >  #endif
> > > > +#endif
> > > >
> > > >  /* fls - find last (most-significant) bit set in 4-bit integer */
> > > >  static inline int fls4(int num)
> > > > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> > > >
> > > >  static struct image_cfg_element *image_cfg;
> > > >  static int cfgn;
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >  static int verbose_mode;
> > > > +#endif
> > > >
> > > >  struct boot_mode {
> > > >       unsigned int id;
> > > > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> > > >       return count;
> > > >  }
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >  static int image_get_csk_index(void)
> > > >  {
> > > >       struct image_cfg_element *e;
> > > > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> > > >
> > > >       return e->sec_specialized_img;
> > > >  }
> > > > +#endif
> > > >
> > > >  static int image_get_bootfrom(void)
> > > >  {
> > > > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> > > >       }
> > > >  }
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >  static void kwb_msg(const char *fmt, ...)
> > > >  {
> > > >       if (verbose_mode) {
> > > > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> > > >  done:
> > > >       return ret;
> > > >  }
> > > > +#endif
> > > >
> > > >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> > > >  {
> > > > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> > > >        */
> > > >       headersz = sizeof(struct main_hdr_v1);
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >       if (image_get_csk_index() >= 0) {
> > > >               headersz += sizeof(struct secure_hdr_v1);
> > > >               if (hasext)
> > > >                       *hasext = 1;
> > > >       }
> > > > +#endif
> > > >
> > > >       cpu_sheeva = image_is_cpu_sheeva();
> > > >
> > > > @@ -1270,6 +1280,7 @@ err_close:
> > > >       return -1;
> > > >  }
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> > > >  {
> > > >       FILE *hashf;
> > > > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> > > >
> > > >       return 0;
> > > >  }
> > > > +#endif
> > > >
> > > >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> > > >                                         struct register_set_hdr_v1 *register_set_hdr,
> > > > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > >       struct main_hdr_v1 *main_hdr;
> > > >       struct opt_hdr_v1 *ohdr;
> > > >       struct register_set_hdr_v1 *register_set_hdr;
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >       struct secure_hdr_v1 *secure_hdr = NULL;
> > > > +#endif
> > > >       size_t headersz;
> > > >       uint8_t *image, *cur;
> > > >       int hasext = 0;
> > > > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> > > >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >       if (image_get_csk_index() >= 0) {
> > > >               /*
> > > >                * only reserve the space here; we fill the header later since
> > > > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > >               *next_ext = 1;
> > > >               next_ext = &secure_hdr->next;
> > > >       }
> > > > +#endif
> > > >
> > > >       datai = 0;
> > > >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > > > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > >                                             &datai, delay);
> > > >       }
> > > >
> > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> > > >                                              headersz, image, secure_hdr))
> > > >               return NULL;
> > > > +#endif
> > > >
> > > >       *imagesz = headersz;
> > > >
> > > > --
> > > > 2.39.0
> > > >
> > >
> > > This is entirely wrong change as it completely skips processing of some
> > > command lone or config file options. It can lead to generating of broken
> > > images by mkimage without any notice by user or any automated CI
> > > testing. You really cannot randomly disable or comment some of functions
> > > which are currently called.
> >
> > Hello,
> > That is true, especially since I do not know how to test my changes
> > regarding kwbimage. But I do not really randomly disable some
> > functions.
> > I looked at the commit that introduced the issue:
> >
> > Date: Fri Jul 23 11:14:13 2021 +0200
> > tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
> > commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream
> >
> > And reverted its change. But instead of hiding the secure header usage
> > under the previous CONFIG_ARMADA_38X config, I used the the config
> > that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.
> >
> > Regards,
>
> And that is wrong. You cannot disable calling of some functions which
> has to be called based on some settings (e.g. cmdline or config file).
>
> mkimage parses command line options from argv[] and from config file and
> based on these options it generates output file.
>
> Look at the proposed change. What you have done is that you have
> randomly disabled calling of some functions which was previously called
> based on the options specified in mkimage argv[].
>
> mkimage works like any other tool, based on the cmdline supplied in the
> argv[] it calls specific functions which affects generated output file.
>
> And not calling of some functions which were previously called cause
> generating of different - broken output file (because it would not match
> supplied command line options).

So, if I understand you correctly, the right way to do it would be to
prevent the user to call the very functions that need OpenSSL crypto
features (and output some kind of warning/error) when LIBCRYPTO
support is disabled ? So that the user could not even attempt to
create kwbimage v1 with secure header (in this particular case),
instead of having a broken output file like you said.

On Saturday 21 January 2023 17:31:15 Paul-Erwan RIO wrote:
> Le sam. 21 janv. 2023 à 17:21, Pali Rohar <pali@kernel.org> a écrit :
> >
> > On Saturday 21 January 2023 17:08:42 Paul-Erwan RIO wrote:
> > > Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali@kernel.org> a écrit :
> > > >
> > > > On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > > > > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > > > > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > > > > changes.
> > > > >
> > > > > Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> > > > > ---
> > > > >
> > > > >  tools/kwbimage.c | 18 ++++++++++++++++++
> > > > >  1 file changed, 18 insertions(+)
> > > > >
> > > > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > > > > index 6abb9f2d5c..0db99dbb02 100644
> > > > > --- a/tools/kwbimage.c
> > > > > +++ b/tools/kwbimage.c
> > > > > @@ -19,6 +19,7 @@
> > > > >  #include <stdint.h>
> > > > >  #include "kwbimage.h"
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >  #include <openssl/bn.h>
> > > > >  #include <openssl/rsa.h>
> > > > >  #include <openssl/pem.h>
> > > > > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> > > > >       EVP_MD_CTX_reset(ctx);
> > > > >  }
> > > > >  #endif
> > > > > +#endif
> > > > >
> > > > >  /* fls - find last (most-significant) bit set in 4-bit integer */
> > > > >  static inline int fls4(int num)
> > > > > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> > > > >
> > > > >  static struct image_cfg_element *image_cfg;
> > > > >  static int cfgn;
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >  static int verbose_mode;
> > > > > +#endif
> > > > >
> > > > >  struct boot_mode {
> > > > >       unsigned int id;
> > > > > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> > > > >       return count;
> > > > >  }
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >  static int image_get_csk_index(void)
> > > > >  {
> > > > >       struct image_cfg_element *e;
> > > > > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> > > > >
> > > > >       return e->sec_specialized_img;
> > > > >  }
> > > > > +#endif
> > > > >
> > > > >  static int image_get_bootfrom(void)
> > > > >  {
> > > > > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> > > > >       }
> > > > >  }
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >  static void kwb_msg(const char *fmt, ...)
> > > > >  {
> > > > >       if (verbose_mode) {
> > > > > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> > > > >  done:
> > > > >       return ret;
> > > > >  }
> > > > > +#endif
> > > > >
> > > > >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> > > > >  {
> > > > > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> > > > >        */
> > > > >       headersz = sizeof(struct main_hdr_v1);
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >       if (image_get_csk_index() >= 0) {
> > > > >               headersz += sizeof(struct secure_hdr_v1);
> > > > >               if (hasext)
> > > > >                       *hasext = 1;
> > > > >       }
> > > > > +#endif
> > > > >
> > > > >       cpu_sheeva = image_is_cpu_sheeva();
> > > > >
> > > > > @@ -1270,6 +1280,7 @@ err_close:
> > > > >       return -1;
> > > > >  }
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> > > > >  {
> > > > >       FILE *hashf;
> > > > > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> > > > >
> > > > >       return 0;
> > > > >  }
> > > > > +#endif
> > > > >
> > > > >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> > > > >                                         struct register_set_hdr_v1 *register_set_hdr,
> > > > > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > >       struct main_hdr_v1 *main_hdr;
> > > > >       struct opt_hdr_v1 *ohdr;
> > > > >       struct register_set_hdr_v1 *register_set_hdr;
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >       struct secure_hdr_v1 *secure_hdr = NULL;
> > > > > +#endif
> > > > >       size_t headersz;
> > > > >       uint8_t *image, *cur;
> > > > >       int hasext = 0;
> > > > > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> > > > >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >       if (image_get_csk_index() >= 0) {
> > > > >               /*
> > > > >                * only reserve the space here; we fill the header later since
> > > > > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > >               *next_ext = 1;
> > > > >               next_ext = &secure_hdr->next;
> > > > >       }
> > > > > +#endif
> > > > >
> > > > >       datai = 0;
> > > > >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > > > > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > >                                             &datai, delay);
> > > > >       }
> > > > >
> > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> > > > >                                              headersz, image, secure_hdr))
> > > > >               return NULL;
> > > > > +#endif
> > > > >
> > > > >       *imagesz = headersz;
> > > > >
> > > > > --
> > > > > 2.39.0
> > > > >
> > > >
> > > > This is entirely wrong change as it completely skips processing of some
> > > > command lone or config file options. It can lead to generating of broken
> > > > images by mkimage without any notice by user or any automated CI
> > > > testing. You really cannot randomly disable or comment some of functions
> > > > which are currently called.
> > >
> > > Hello,
> > > That is true, especially since I do not know how to test my changes
> > > regarding kwbimage. But I do not really randomly disable some
> > > functions.
> > > I looked at the commit that introduced the issue:
> > >
> > > Date: Fri Jul 23 11:14:13 2021 +0200
> > > tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
> > > commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream
> > >
> > > And reverted its change. But instead of hiding the secure header usage
> > > under the previous CONFIG_ARMADA_38X config, I used the the config
> > > that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.
> > >
> > > Regards,
> >
> > And that is wrong. You cannot disable calling of some functions which
> > has to be called based on some settings (e.g. cmdline or config file).
> >
> > mkimage parses command line options from argv[] and from config file and
> > based on these options it generates output file.
> >
> > Look at the proposed change. What you have done is that you have
> > randomly disabled calling of some functions which was previously called
> > based on the options specified in mkimage argv[].
> >
> > mkimage works like any other tool, based on the cmdline supplied in the
> > argv[] it calls specific functions which affects generated output file.
> >
> > And not calling of some functions which were previously called cause
> > generating of different - broken output file (because it would not match
> > supplied command line options).
> 
> So, if I understand you correctly, the right way to do it would be to
> prevent the user to call the very functions that need OpenSSL crypto
> features (and output some kind of warning/error) when LIBCRYPTO
> support is disabled ? So that the user could not even attempt to
> create kwbimage v1 with secure header (in this particular case),
> instead of having a broken output file like you said.

Of course, u-boot (and also any other) tools must not generate broken
output files. I thought that this is pretty obvious.

Le sam. 21 janv. 2023 à 17:35, Pali Rohar <pali@kernel.org> a écrit :
>
> On Saturday 21 January 2023 17:31:15 Paul-Erwan RIO wrote:
> > Le sam. 21 janv. 2023 à 17:21, Pali Rohar <pali@kernel.org> a écrit :
> > >
> > > On Saturday 21 January 2023 17:08:42 Paul-Erwan RIO wrote:
> > > > Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali@kernel.org> a écrit :
> > > > >
> > > > > On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > > > > > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > > > > > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > > > > > changes.
> > > > > >
> > > > > > Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
> > > > > > ---
> > > > > >
> > > > > >  tools/kwbimage.c | 18 ++++++++++++++++++
> > > > > >  1 file changed, 18 insertions(+)
> > > > > >
> > > > > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > > > > > index 6abb9f2d5c..0db99dbb02 100644
> > > > > > --- a/tools/kwbimage.c
> > > > > > +++ b/tools/kwbimage.c
> > > > > > @@ -19,6 +19,7 @@
> > > > > >  #include <stdint.h>
> > > > > >  #include "kwbimage.h"
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  #include <openssl/bn.h>
> > > > > >  #include <openssl/rsa.h>
> > > > > >  #include <openssl/pem.h>
> > > > > > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> > > > > >       EVP_MD_CTX_reset(ctx);
> > > > > >  }
> > > > > >  #endif
> > > > > > +#endif
> > > > > >
> > > > > >  /* fls - find last (most-significant) bit set in 4-bit integer */
> > > > > >  static inline int fls4(int num)
> > > > > > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> > > > > >
> > > > > >  static struct image_cfg_element *image_cfg;
> > > > > >  static int cfgn;
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int verbose_mode;
> > > > > > +#endif
> > > > > >
> > > > > >  struct boot_mode {
> > > > > >       unsigned int id;
> > > > > > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> > > > > >       return count;
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int image_get_csk_index(void)
> > > > > >  {
> > > > > >       struct image_cfg_element *e;
> > > > > > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> > > > > >
> > > > > >       return e->sec_specialized_img;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static int image_get_bootfrom(void)
> > > > > >  {
> > > > > > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> > > > > >       }
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static void kwb_msg(const char *fmt, ...)
> > > > > >  {
> > > > > >       if (verbose_mode) {
> > > > > > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> > > > > >  done:
> > > > > >       return ret;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> > > > > >  {
> > > > > > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> > > > > >        */
> > > > > >       headersz = sizeof(struct main_hdr_v1);
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (image_get_csk_index() >= 0) {
> > > > > >               headersz += sizeof(struct secure_hdr_v1);
> > > > > >               if (hasext)
> > > > > >                       *hasext = 1;
> > > > > >       }
> > > > > > +#endif
> > > > > >
> > > > > >       cpu_sheeva = image_is_cpu_sheeva();
> > > > > >
> > > > > > @@ -1270,6 +1280,7 @@ err_close:
> > > > > >       return -1;
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> > > > > >  {
> > > > > >       FILE *hashf;
> > > > > > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> > > > > >
> > > > > >       return 0;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> > > > > >                                         struct register_set_hdr_v1 *register_set_hdr,
> > > > > > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >       struct main_hdr_v1 *main_hdr;
> > > > > >       struct opt_hdr_v1 *ohdr;
> > > > > >       struct register_set_hdr_v1 *register_set_hdr;
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       struct secure_hdr_v1 *secure_hdr = NULL;
> > > > > > +#endif
> > > > > >       size_t headersz;
> > > > > >       uint8_t *image, *cur;
> > > > > >       int hasext = 0;
> > > > > > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> > > > > >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (image_get_csk_index() >= 0) {
> > > > > >               /*
> > > > > >                * only reserve the space here; we fill the header later since
> > > > > > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >               *next_ext = 1;
> > > > > >               next_ext = &secure_hdr->next;
> > > > > >       }
> > > > > > +#endif
> > > > > >
> > > > > >       datai = 0;
> > > > > >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > > > > > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >                                             &datai, delay);
> > > > > >       }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> > > > > >                                              headersz, image, secure_hdr))
> > > > > >               return NULL;
> > > > > > +#endif
> > > > > >
> > > > > >       *imagesz = headersz;
> > > > > >
> > > > > > --
> > > > > > 2.39.0
> > > > > >
> > > > >
> > > > > This is entirely wrong change as it completely skips processing of some
> > > > > command lone or config file options. It can lead to generating of broken
> > > > > images by mkimage without any notice by user or any automated CI
> > > > > testing. You really cannot randomly disable or comment some of functions
> > > > > which are currently called.
> > > >
> > > > Hello,
> > > > That is true, especially since I do not know how to test my changes
> > > > regarding kwbimage. But I do not really randomly disable some
> > > > functions.
> > > > I looked at the commit that introduced the issue:
> > > >
> > > > Date: Fri Jul 23 11:14:13 2021 +0200
> > > > tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
> > > > commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream
> > > >
> > > > And reverted its change. But instead of hiding the secure header usage
> > > > under the previous CONFIG_ARMADA_38X config, I used the the config
> > > > that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.
> > > >
> > > > Regards,
> > >
> > > And that is wrong. You cannot disable calling of some functions which
> > > has to be called based on some settings (e.g. cmdline or config file).
> > >
> > > mkimage parses command line options from argv[] and from config file and
> > > based on these options it generates output file.
> > >
> > > Look at the proposed change. What you have done is that you have
> > > randomly disabled calling of some functions which was previously called
> > > based on the options specified in mkimage argv[].
> > >
> > > mkimage works like any other tool, based on the cmdline supplied in the
> > > argv[] it calls specific functions which affects generated output file.
> > >
> > > And not calling of some functions which were previously called cause
> > > generating of different - broken output file (because it would not match
> > > supplied command line options).
> >
> > So, if I understand you correctly, the right way to do it would be to
> > prevent the user to call the very functions that need OpenSSL crypto
> > features (and output some kind of warning/error) when LIBCRYPTO
> > support is disabled ? So that the user could not even attempt to
> > create kwbimage v1 with secure header (in this particular case),
> > instead of having a broken output file like you said.
>
> Of course, u-boot (and also any other) tools must not generate broken
> output files. I thought that this is pretty obvious.

Understood. Then I will need to rework this a lot, and I will
re-submit it again when it is ready.

Thanks for your time.