
Some platform designs include support for disabling secure-boot via a jumper on the board. Sometimes this control can be separate from the mechanism enabling the root-of-trust for the platform. Add support for this latter scenario by allowing boards to implement board_fit_image_require_verified(), which is then invoked in the usual FIT verification paths.
Signed-off-by: Andrew Jeffery andrew@aj.id.au --- Hi,
This patch is extracted from and motivated by a series adding run-time control of FIT signature verification to u-boot in OpenBMC:
https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking upstream and contains a bunch of out-of-tree work as well. As such I'm looking to upstream the couple of changes that make sense against master.
Please take a look!
Andrew
boot/Kconfig | 8 ++++++++ boot/image-fit.c | 21 +++++++++++++++++---- include/image.h | 9 +++++++++ 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig
index c8d5906cd304..ec413151fd5a 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -78,6 +78,14 @@ config FIT_SIGNATURE
 format support in this case, enable it using CONFIG_LEGACY_IMAGE_FORMAT.
+if FIT_SIGNATURE
+config FIT_RUNTIME_SIGNATURE
+ bool "Control verification of FIT uImages at runtime"
+ help
+ This option allows board support to disable verification of
+ signatures at runtime, for example through the state of a GPIO.
+endif # FIT_SIGNATURE
+
 config FIT_SIGNATURE_MAX_SIZE
 hex "Max size of signed FIT structures"
 depends on FIT_SIGNATURE
diff --git a/boot/image-fit.c b/boot/image-fit.c
index f01cafe4e277..919dbfa4ee1d 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1308,6 +1308,14 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
 return 0;
 }
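Review bot: The help text for FIT_RUNTIME_SIGNATURE does not state the security consequence of selecting it: a board's hook can switch off verification for every FIT path this series touches, so the option should only be chosen where the hook's input (the jumper or GPIO named here) cannot be changed from software. The text also says it disables "verification of signatures", yet the fit_image_load hunk in boot/image-fit.c gates the check the code labels "Verifying Hash Integrity" on the same hook, so "verification" should be described as covering FIT configuration verification as a whole. A suggested additional help line: `Only select this when the board's decision input is not writable by software; the default hook keeps verification enabled.`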
+#ifndef __weak
+#define __weak
+#endif
+__weak int board_fit_image_require_verified(void)
+{
+ return 1;
+}
+
 int fit_image_verify_with_data(const void *fit, int image_noffset,
 const void *key_blob, const void *data, size_t size)
@@ -1319,6 +1327,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
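Review bot: The weak `board_fit_image_require_verified()` carries no comment describing its contract, and the patch adds no prototype for it (the include/image.h hunk only adds the macro), so this definition is compiled without a prior declaration and a board override has no header to match against. Add a comment above it such as `/* Return non-zero when FIT verification must be enforced. Default is fail-closed; boards may override to honour a hardware strap. */` and declare `int board_fit_image_require_verified(void);` in include/image.h next to the new macro. The `#ifndef __weak` fallback presumably exists for the USE_HOSTCC build, where the target's compiler header is absent; a one-line comment saying so would spare the next reader the guess.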
 /* Verify all required signatures */
 if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
 fit_image_verify_required_sigs(fit, image_noffset, data, size,
 key_blob, &verify_all)) {
 err_msg = "Unable to verify required signature";
@@ -1340,9 +1349,11 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 &err_msg))
 goto error;
 puts("+ ");
- } else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
- !strncmp(name, FIT_SIG_NODENAME,
- strlen(FIT_SIG_NODENAME))) {
+ } else if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
+ verify_all &&
+ !strncmp(name, FIT_SIG_NODENAME,
+ strlen(FIT_SIG_NODENAME))) {
 ret = fit_image_check_sig(fit, noffset, data, size, gd_fdt_blob(), -1, &err_msg);
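Review bot: `fit_image_require_verified()` is evaluated once in the required-signatures condition and again on every pass of the sub-node loop in the second hunk at 1349, so under CONFIG_FIT_RUNTIME_SIGNATURE a board hook that samples a GPIO each call can give different answers within a single verification, for example enforcing the required signatures but skipping the per-node signature checks. Sample it once at function entry into a local, `const int require_verified = fit_image_require_verified();`, and test that local in both conditions so one verification runs under one decision. When the hook returns 0 the `fit_image_verify_required_sigs()` call is skipped and `verify_all` keeps its initial value; that initialiser is outside the hunk, so please confirm it is not one that silently changes how the remaining nodes are treated. fit_image_verify_with_data() begins before and ends after these hunks.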
@@ -2061,7 +2072,9 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
 if (image_type == IH_TYPE_KERNEL)
 images->fit_uname_cfg = fit_base_uname_config;
- if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
+ if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
+ images->verify) {
 puts(" Verifying Hash Integrity ... ");
 if (fit_config_verify(fit, cfg_noffset)) {
 puts("Bad Data Hash\n");
diff --git a/include/image.h b/include/image.h
index 97e5f2eb24d6..98900c2e839b 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1173,6 +1173,15 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 # define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
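Review bot: When the board hook returns 0 the new condition skips `fit_config_verify()` without printing anything, so the boot console carries no trace that verification was bypassed, which makes the state hard to audit from a log. Add an else branch that records the skip, e.g. `} else if (FIT_IMAGE_ENABLE_VERIFY && images->verify && !fit_image_require_verified()) {` / `puts("   FIT verification disabled by board\n");` / `}`. Since the message printed here is "Verifying Hash Integrity", the hook is gating that whole check under CONFIG_FIT_RUNTIME_SIGNATURE, not only signature checking; the Kconfig help text should say so. fit_image_load() continues outside this hunk.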
+/*
+ * Further, allow run-time control of verification, e.g. via a jumper
+ */
+#if defined(CONFIG_FIT_RUNTIME_SIGNATURE)
+# define fit_image_require_verified() board_fit_image_require_verified()
+#else
+# define fit_image_require_verified() FIT_IMAGE_ENABLE_VERIFY
+#endif
+
 #ifdef USE_HOSTCC
 void *image_get_host_blob(void);
 void image_set_host_blob(void *host_blob);
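Review bot: The comment above the new macro says only that run-time control is allowed; it does not give the contract a board author needs, namely what the return value means and what the default is. Replace it with `/* fit_image_require_verified(): non-zero means FIT verification is enforced. Boards built with CONFIG_FIT_RUNTIME_SIGNATURE may override board_fit_image_require_verified(); the default keeps verification on. */`. The `#else` arm expands to FIT_IMAGE_ENABLE_VERIFY even though every caller in boot/image-fit.c already tests FIT_IMAGE_ENABLE_VERIFY first, so it could expand to `1` with a comment stating that no run-time control exists in that configuration; that is a style preference, the current form is correct.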