From patchwork Sun Feb 10 20:34:37 2019
X-Patchwork-Submitter: Simon Goldschmidt
X-Patchwork-Id: 1039484
X-Patchwork-Delegate: trini@ti.com
From: Simon Goldschmidt
To: u-boot@lists.denx.de, Tom Rini
Cc: Tien Fong Chee, Fabio Estevam, Miquel Raynal
Date: Sun, 10 Feb 2019 21:34:37 +0100
Message-Id: <20190210203437.20644-1-simon.k.r.goldschmidt@gmail.com>
Subject: [U-Boot] [PATCH v3] spl: implement CRC check on U-Boot uImage

SPL currently does not check uImage CRCs when loading U-Boot.

This patch adds checking the uImage CRC when SPL loads U-Boot. It does this by reusing the existing config option SPL_CRC32_SUPPORT to allow leaving out the CRC check on boards where the additional code size or boot time is a problem (adding the CRC check currently adds ~1.4 kByte to flash).

The SPL_CRC32_SUPPORT config option now gets enabled by default if SPL support for legacy images is enabled to check the CRC on all boards that don't actively take countermeasures.

Signed-off-by: Simon Goldschmidt
Reviewed-by: Simon Glass
---

Changes in v3:
- collected tags
- don't make new Kconfig option SPL_LEGACY_IMAGE_CRC_CHECK default 'y' to prevent breaking SPL size checks (requested for sunxi)
- make Kconfig help more explicit
- fix compiling TPL (don't use CONFIG_IS_ENABLED)

Changes in v2:
- added Kconfig option SPL_LEGACY_IMAGE_CRC_CHECK to enable/disable checking CRC on legacy images

 common/spl/Kconfig | 22 ++++++++++++++++------
 common/spl/spl.c   | 30 +++++++++++++++++++++++++++++-
 include/spl.h      |  5 +++++
 3 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig index 59028529c9..8a642b2ac3 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig
@@ -100,6 +100,16 @@ config SPL_LEGACY_IMAGE_SUPPORT is y. If this is not set, SPL will move on to other available boot media to find a suitable image. +config SPL_LEGACY_IMAGE_CRC_CHECK + bool "Check CRC of Legacy images" + depends on SPL_LEGACY_IMAGE_SUPPORT + select SPL_CRC32_SUPPORT + help + Enable this to check the CRC of Legacy images. While this increases + reliability, it affects both code size and boot duration. + If disabled, Legacy images are booted if the image magic and size + are correct, without further integrity checks. + config SPL_SYS_MALLOC_SIMPLE bool prompt "Only use malloc_simple functions in the SPL" @@ -236,13 +246,13 @@ config SYS_MMCSD_RAW_MODE_U_BOOT_PARTITION_TYPE config SPL_CRC32_SUPPORT bool "Support CRC32" - depends on SPL_FIT + default y if SPL_LEGACY_IMAGE_SUPPORT help - Enable this to support CRC32 in FIT images within SPL. This is a - 32-bit checksum value that can be used to verify images. This is - the least secure type of checksum, suitable for detected - accidental image corruption. For secure applications you should - consider SHA1 or SHA256. + Enable this to support CRC32 in uImages or FIT images within SPL. + This is a 32-bit checksum value that can be used to verify images. + For FIT images, this is the least secure type of checksum, suitable + for detected accidental image corruption. For secure applications you + should consider SHA1 or SHA256. config SPL_MD5_SUPPORT bool "Support MD5" diff --git a/common/spl/spl.c b/common/spl/spl.c index 35120b6efd..2e2af1b28e 100644 --- a/common/spl/spl.c +++ b/common/spl/spl.c 
@@ -239,6 +239,14 @@ int spl_parse_image_header(struct spl_image_info *spl_image, #ifdef CONFIG_SPL_LEGACY_IMAGE_SUPPORT u32 header_size = sizeof(struct image_header); +#ifdef CONFIG_SPL_LEGACY_IMAGE_CRC_CHECK + /* check uImage header CRC */ + if (!image_check_hcrc(header)) { + puts("SPL: Image header CRC check failed!\n"); + return -EINVAL; + } +#endif + if (spl_image->flags & SPL_COPY_PAYLOAD_ONLY) { /* * On some system (e.g. powerpc), the load-address and @@ -256,6 +264,13 @@ int spl_parse_image_header(struct spl_image_info *spl_image, spl_image->size = image_get_data_size(header) + header_size; } +#ifdef CONFIG_SPL_LEGACY_IMAGE_CRC_CHECK + /* store uImage data length and CRC to check later */ + spl_image->dcrc_data = image_get_load(header); + spl_image->dcrc_length = image_get_data_size(header); + spl_image->dcrc = image_get_dcrc(header); +#endif + spl_image->os = image_get_os(header); spl_image->name = image_get_name(header); debug(SPL_TPL_PROMPT @@ -495,12 +510,25 @@ static struct spl_image_loader *spl_ll_find_loader(uint boot_device) static int spl_load_image(struct spl_image_info *spl_image, struct spl_image_loader *loader) { + int ret; struct spl_boot_device bootdev; bootdev.boot_device = loader->boot_device; bootdev.boot_device_name = NULL; - return loader->load_image(spl_image, &bootdev); + ret = loader->load_image(spl_image, &bootdev); +#ifdef CONFIG_SPL_LEGACY_IMAGE_CRC_CHECK + if (!ret && spl_image->dcrc_length) { + /* check data crc */ + ulong dcrc = crc32_wd(0, (unsigned char *)spl_image->dcrc_data, + spl_image->dcrc_length, CHUNKSZ_CRC32); + if (dcrc != spl_image->dcrc) { + puts("SPL: Image data CRC check failed!\n"); + ret = -EINVAL; + } + } +#endif + return ret; } /** diff --git a/include/spl.h b/include/spl.h index c82f2fd033..f09909e189 100644 --- a/include/spl.h +++ b/include/spl.h 
@@ -74,6 +74,11 @@ struct spl_image_info { u32 size; u32 flags; void *arg; +#ifdef CONFIG_SPL_LEGACY_IMAGE_CRC_CHECK + ulong dcrc_data; + ulong dcrc_length; + ulong dcrc; +#endif }; /*
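
Review bot: The help text of the new SPL_LEGACY_IMAGE_CRC_CHECK option (common/spl/Kconfig, first hunk) should say what the check does not provide. It speaks of increased reliability and "further integrity checks", which a reader may take as tamper protection. The CRC32 values live in the same unauthenticated uImage header as the data they cover, so the check only catches accidental corruption. One sentence pointing users who need authenticity to signed FIT images would make that explicit.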
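
Review bot: The `default y if SPL_LEGACY_IMAGE_SUPPORT` line added to SPL_CRC32_SUPPORT (common/spl/Kconfig, second hunk) looks redundant and works against the size concern recorded in the v3 changelog. SPL_LEGACY_IMAGE_CRC_CHECK already does `select SPL_CRC32_SUPPORT`, and that option is deliberately left off by default, so this default enables CRC32 support on every legacy-image board without enabling the check. Consider dropping the default and keeping only the removal of `depends on SPL_FIT`. The commit message paragraph saying the CRC is now checked "on all boards that don't actively take countermeasures" also no longer matches v3. In the reworded help, "suitable for detected accidental image corruption" should read "detecting", and scoping that sentence to "For FIT images" leaves unstated that the same limitation applies to uImage CRC32.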
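
Review bot: In spl_parse_image_header() (common/spl/spl.c, hunk at -256), `spl_image->dcrc_data = image_get_load(header);` assumes the payload always ends up at the header's load address, but the line just above sets `spl_image->size = image_get_data_size(header) + header_size;` for the case where the header is loaded along with the data. Please add a comment stating why image_get_load(header) is the start of the data in both the SPL_COPY_PAYLOAD_ONLY branch and the other branch, and confirm it holds for every loader that calls this function, since a loader that places the payload elsewhere would have the CRC computed over the wrong region.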
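
Review bot: The data CRC check in spl_load_image() (common/spl/spl.c, hunk at -495) is gated only on `spl_image->dcrc_length` being non-zero, and nothing in the visible hunks clears that field. The dcrc_* fields are written only on the legacy uImage path, so if the same spl_image is passed to a second loader after a failed attempt and that loader finds a non-legacy image, the stale address, length and CRC from the first attempt would be checked and the valid image rejected. Resetting `spl_image->dcrc_length = 0` before `loader->load_image()` is called, or at the top of spl_parse_image_header(), would make the check depend only on the image just parsed.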
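
Review bot: The three fields added to struct spl_image_info in include/spl.h are undocumented and all typed `ulong`, while the neighbouring members use `u32`. The uImage data CRC and data size are 32-bit header values, so `u32 dcrc` and `u32 dcrc_length` would match the existing style and avoid widening on 64-bit builds; `dcrc_data` holds an address, so `ulong` is fine there. A short comment per field (start address of the data to check, its length in bytes, expected CRC32 from the header) would also help, in particular noting that a zero dcrc_length means "no check requested".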