On Wed, Apr 11, 2018 at 11:13:05PM +0800, Jun Nie wrote:
It may be unnecessary to check signature on unlocked board. Get the hint from platform specific code to support secure boot and non-secure boot with the same binary, so that boot is not blocked if board is not locked and has no key for signature verification.
Signed-off-by: Jun Nie jun.nie@linaro.org
common/image-sig.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/common/image-sig.c b/common/image-sig.c index d9f712f..f3d1252 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -151,6 +151,11 @@ struct image_region *fit_region_make_list(const void *fit, return region; }
+int __attribute__((weak)) fit_board_skip_sig_verification(void) +{
- return 0;
+}
static int fit_image_setup_verify(struct image_sign_info *info, const void *fit, int noffset, int required_keynode, char **err_msgp) @@ -188,6 +193,12 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data, uint8_t *fit_value; int fit_value_len;
- /* Skip verification if board says that */
- if (fit_board_skip_sig_verification()) {
printf("signature check skipped\n");return 0;- }
- *err_msgp = NULL; if (fit_image_setup_verify(&info, fit, noffset, required_keynode, err_msgp))
@@ -438,6 +449,12 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, int noffset; int sig_node;
- /* Skip verification if board says that */
- if (fit_board_skip_sig_verification()) {
printf("signature check skipped\n");return 0;- }
- /* Work out what we need to verify */ sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); if (sig_node < 0) {
I'm not sure I like the concept here. Wouldn't this make it easier to break in to a secure setup with some binary editing? Or is that really no worse than today? Also, can you please follow up with an implementation of fit_board_skip_sig_verification? Thanks!