Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well.

While we're at it, use the FIT_DATA_* defines for fit_config_check_sig as welll.

Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson sean.anderson@seco.com ---

Changes in v2: - Use FIT_DATA_* defines

boot/image-fit-sig.c | 8 ++++---- tools/image-host.c | 7 ++++++- 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index a461d591a0e..12369896fe3 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -260,10 +260,10 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset, char **err_msgp) { static char * const exc_prop[] = { - "data", - "data-size", - "data-position", - "data-offset" + FIT_DATA_PROP, + FIT_DATA_SIZE_PROP, + FIT_DATA_POSITION_PROP, + FIT_DATA_OFFSET_PROP, };

const char *prop, *end, *name; diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..4a4e1c10d1e 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) { - char * const exc_prop[] = {"data"}; + char * const exc_prop[] = { + FIT_DATA_PROP, + FIT_DATA_SIZE_PROP, + FIT_DATA_POSITION_PROP, + FIT_DATA_OFFSET_PROP, + }; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];