This change adds a callback for preprocessing the FIT header before it is parsed. There are 3 main reasons for this callback:
(1) If a vulnerability is discovered in the FIT parsing/loading code, or libfdt, this callback allows users to scan the FIT header for specific exploit signatures and prevent flashing/booting of the image
(2) If users want to implement a single signature which covers the entire FIT header, which is then appended to the end of the header, then this callback can be used to authenticate that signature.
(3) If users want to check the FIT header contents against specific metadata stored outside the FIT header, then this callback allows them to do that.
Signed-off-by: Farhan Ali farhan.ali@broadcom.com --- Cc: Simon Glass sjg@chromium.org Cc: Alexandru Gagniuc mr.nuke.me@gmail.com Cc: Marek Vasut marex@denx.de Cc: Michal Simek michal.simek@xilinx.com Cc: Philippe Reynes philippe.reynes@softathome.com Cc: Samuel Holland samuel@sholland.org
common/spl/spl_fit.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index 75c8ff0..e03c67b 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -43,6 +43,12 @@ __weak ulong board_spl_fit_size_align(ulong size) return size; }
+__weak void board_spl_fit_pre_load(struct spl_load_info *load_info, void *fit, + ulong start_sector, + ulong loaded_sector_count) +{ +} + static int find_node_from_desc(const void *fit, int node, const char *str) { int child; @@ -552,6 +558,9 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx, debug("fit read sector %lx, sectors=%d, dst=%p, count=%lu, size=0x%lx\n", sector, sectors, buf, count, size);
+ /* preprocess loaded fit header before parsing and loading binaries */ + board_spl_fit_pre_load(info, fit_header, sector, sectors); + return (count == 0) ? -EIO : 0; }