On Wed, Jun 6, 2018 at 4:35 AM, Jun Nie jun.nie@linaro.org wrote:
2018-06-06 9:08 GMT+08:00 Teddy Reed teddy.reed@gmail.com:
When using verified-boot in the SPL, the FIT content must be verified before it can be used.
Currently the load_addr FIT property is read and used as input to memcpy before the property is verified.
Signed-off-by: Teddy Reed teddy.reed@gmail.com
Reviewed-by: Jun Nie jun.nie@linaro.org
Thanks for taking a look Jun! I did not see any sandbox tests exercising the SPL/signature checking so I included 'RFC'. I know you are familiar with using the signature checking within the SPL, and you helped make it possible in the first place.
The three minor concerns I had when moving the validation earlier are: (1) the signature was originally calculated on the potentially uncompressed version, but this seems unlikely; similarly (2) the post process board-specific methods can mutate the signed content; and (3) now using the src address means reading directly from storage / etc instead of potentially SRAM/DRAM.
For (1) see that line 256 was uncompressing the data before signature checking. Then the signature check was applied to the uncompressed region. To be clear I think this patch is the correct approach, and the signature check should apply to the compressed content.
For (2) see that line 248 is board-specific, I am assuming that can mutate the content. Thus the signature check should be placed before that call.
Thanks again!