From patchwork Thu Jun 25 15:51:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thirupathaiah Annapureddy X-Patchwork-Id: 1317046 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.a=rsa-sha256 header.s=default header.b=Ph0RbMW9; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49t4Jh33VXz9sRf for ; Fri, 26 Jun 2020 01:52:04 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 7A725821D6; Thu, 25 Jun 2020 17:51:52 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="Ph0RbMW9"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id C9E64821A0; Thu, 25 Jun 2020 17:51:42 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.2 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 4C5E08218C for ; Thu, 25 Jun 2020 17:51:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=thiruan@linux.microsoft.com Received: from thiru-la.corp.microsoft.com (unknown [131.107.147.159]) by linux.microsoft.com (Postfix) with ESMTPSA id 1A4B620B7188; Thu, 25 Jun 2020 08:51:37 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1A4B620B7188 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1593100297; bh=iULOpeREiDfou33Jdp4U3CMFesH7J/scg3G/OQApi5M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ph0RbMW9SefrawAGcpqLBo2yuAIGixAtAJW3z56q5Z7UMCZDx9K8BANHjUUGLieGe RrsxaGGBvS+PitqSerNdRk17jgkrViaIXS3egCqH9QeXaf+RXriLV95RXRXAPSxIyY 9VE5owTrRQG8QeNlc8Nk4RMOekuFRSA1Mlw4c/pY= From: Thirupathaiah Annapureddy To: u-boot@lists.denx.de Cc: Simon Glass , thiruan@microsoft.com, thiruan@linux.microsoft.com, Philippe Reynes Subject: [PATCH 1/2] vboot: add support for multiple required keys Date: Thu, 25 Jun 2020 08:51:27 -0700 Message-Id: <0f920e6ee369718f3b7a0b9e07920383229715fd.1593045943.git.thiruan@linux.microsoft.com> X-Mailer: git-send-email 2.25.2 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de X-Virus-Status: Clean Currently Verified Boot fails if there is a signature verification failure using required key in U-boot DTB. This patch adds support for multiple required keys. This means if verified boot passes with one of the required keys, u-boot will continue the OS hand off. There was a prior attempt to resolve this with the following patch: https://lists.denx.de/pipermail/u-boot/2019-April/366047.html The above patch was failing "make tests". Signed-off-by: Thirupathaiah Annapureddy --- common/image-fit-sig.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c index cc1967109e..4d25d4c541 100644 --- a/common/image-fit-sig.c +++ b/common/image-fit-sig.c @@ -416,6 +416,8 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, { int noffset; int sig_node; + int verified = 0; + int reqd_sigs = 0; /* Work out what we need to verify */ sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); @@ -433,15 +435,23 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, NULL); if (!required || strcmp(required, "conf")) continue; + + reqd_sigs++; + ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, noffset); if (ret) { printf("Failed to verify required signature '%s'\n", fit_get_name(sig_blob, noffset, NULL)); - return ret; + } else { + verified = 1; + break; } } + if (reqd_sigs && !verified) + return -EPERM; + return 0; } From patchwork Thu Jun 25 15:51:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thirupathaiah Annapureddy X-Patchwork-Id: 1317045 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.a=rsa-sha256 header.s=default header.b=lpbTjBSa; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49t4JZ0Jbzz9sSn for ; Fri, 26 Jun 2020 01:51:55 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id A90308218C; Thu, 25 Jun 2020 17:51:43 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="lpbTjBSa"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id EA361821C9; Thu, 25 Jun 2020 17:51:41 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.2 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 47EE68218A for ; Thu, 25 Jun 2020 17:51:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=thiruan@linux.microsoft.com Received: from thiru-la.corp.microsoft.com (unknown [131.107.147.159]) by linux.microsoft.com (Postfix) with ESMTPSA id 4763520B718A; Thu, 25 Jun 2020 08:51:37 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 4763520B718A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1593100297; bh=pzb2uY08wbVQHGY+hY8BaM+R08t/et2J8+wmiB9qbAs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lpbTjBSacFDSn+c05YQdj55u0sV0vEFWfBzsSOZ6bZI6NWhkhOrvqq+G8b4YRSnpa 6n6UaHnzn9oxgsZ84LUFzYexWDWfAPYCfeL7CwwottyovpLsCv12jRNBtZrgt34tAf w5e4gaFDsnSCCdx/argch/UbbbxCq5MOM/wCCwxc= From: Thirupathaiah Annapureddy To: u-boot@lists.denx.de Cc: Simon Glass , thiruan@microsoft.com, thiruan@linux.microsoft.com, Philippe Reynes Subject: [PATCH 2/2] test: vboot: add a test for multiple required keys Date: Thu, 25 Jun 2020 08:51:28 -0700 Message-Id: <73eb8f070a32c8351e9b06494c383cea1ae63ebf.1593045943.git.thiruan@linux.microsoft.com> X-Mailer: git-send-email 2.25.2 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de X-Virus-Status: Clean Add a test to verify the support for multiple required keys. This patch also fixes existing test where dev key is assumed to be marked as not required, although it is marked as required. Note that this patch re-added sign_fit_norequire(). sign_fit_norequire() was removed as part of the following: commit b008677daf2a ("test: vboot: Fix pylint errors"). This patch leverages sign_fit_norequire() to fix the existing bug. Signed-off-by: Thirupathaiah Annapureddy --- test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 6b998cfd70..9773ee3509 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -126,6 +126,23 @@ def test_vboot(u_boot_console, sha_algo, padding, sign_options, required): cons.log.action('%s: Sign images' % sha_algo) util.run_and_log(cons, args) + def sign_fit_norequire(sha_algo, options): + """Sign the FIT + + Signs the FIT and writes the signature into it. It also writes the + public key into the dtb. It does not mark key as 'required' in dtb. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to + use. + options: Options to provide to mkimage. + """ + args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, fit] + if options: + args += options.split(' ') + cons.log.action('%s: Sign images' % sha_algo) + util.run_and_log(cons, args) + def replace_fit_totalsize(size): """Replace FIT header's totalsize with something greater. @@ -279,15 +296,27 @@ def test_vboot(u_boot_console, sha_algo, padding, sign_options, required): # Build the FIT with dev key (keys NOT required). This adds the # signature into sandbox-u-boot.dtb, NOT marked 'required'. make_fit('sign-configs-%s%s.its' % (sha_algo, padding)) - sign_fit(sha_algo, sign_options) + sign_fit_norequire(sha_algo, sign_options) # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys. # Only the prod key is set as 'required'. But FIT we just built has - # a dev signature only (sign_fit() overwrites the FIT). + # a dev signature only (sign_fit_norequire() overwrites the FIT). # Try to boot the FIT with dev key. This FIT should not be accepted by # U-Boot because the prod key is required. run_bootm(sha_algo, 'required key', '', False) + # Build the FIT with dev key (keys required) and sign it. This puts the + # signature into sandbox-u-boot.dtb, marked 'required'. + make_fit('sign-configs-%s%s.its' % (sha_algo, padding)) + sign_fit(sha_algo, sign_options) + + # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys. + # Both the dev and prod key are set as 'required'. But FIT we just built has + # a dev signature only (sign_fit() overwrites the FIT). + # Try to boot the FIT with dev key. This FIT should be accepted by + # U-Boot because the dev key is required. + run_bootm(sha_algo, 'multi required key', '', True) + cons = u_boot_console tmpdir = cons.config.result_dir + '/' datadir = cons.config.source_dir + '/test/py/tests/vboot/'