[PATCH] fit: Fix verification of images with external data

The "-E" option to mkimage generates a FIT with external data using the data-size and data-offset properties which must both be ignored when verifying a signature.
Add "data-offset" to the list of excluded properties for signature verification; since the line is now too long, re-format the list to one-per-line and make it static since the data is constant.
Signed-off-by: John Keeping john@metanate.com
---
common/image-fit-sig.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c index 55ddf1879e..b979cd2a4b 100644 --- a/common/image-fit-sig.c +++ b/common/image-fit-sig.c @@ -245,7 +245,13 @@ static int fit_config_check_sig(const void *fit, int noffset, int required_keynode, int conf_noffset, char **err_msgp) { - char * const exc_prop[] = {"data", "data-size", "data-position"}; + static char * const exc_prop[] = { + "data", + "data-size", + "data-position", + "data-offset" + }; + const char *prop, *end, *name; struct image_sign_info info; const uint32_t *strings;
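Review bot: The exc_prop array in fit_config_check_sig() now lists four properties that are excluded from signature verification, but no comment in the code says why each one is safe to skip or what protects the payload they describe. The commit message explains that mkimage -E emits data-size and data-offset for external data. A short comment above the array recording that, and naming what covers the image data itself, would keep a later reader from extending the list without checking that the new property is protected some other way. A trailing comma after "data-offset" would also make the next addition a one-line diff.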

On Tue, 20 Apr 2021 19:19:44 +0100 John Keeping john@metanate.com wrote:
> The "-E" option to mkimage generates a FIT with external data using the data-size and data-offset properties which must both be ignored when verifying a signature.
> Add "data-offset" to the list of excluded properties for signature verification; since the line is now too long, re-format the list to one-per-line and make it static since the data is constant.
> Signed-off-by: John Keeping john@metanate.com
Any feedback on this? It would be nice to be able to verify all image types produced by mkimage!
Thanks, John
> common/image-fit-sig.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c index 55ddf1879e..b979cd2a4b 100644 --- a/common/image-fit-sig.c +++ b/common/image-fit-sig.c @@ -245,7 +245,13 @@ static int fit_config_check_sig(const void *fit, int noffset, int required_keynode, int conf_noffset, char **err_msgp) {
- char * const exc_prop[] = {"data", "data-size", "data-position"};
- static char * const exc_prop[] = {
"data",
"data-size",
"data-position",
"data-offset"
- };
- const char *prop, *end, *name; struct image_sign_info info; const uint32_t *strings;
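Review bot: The exc_prop change in fit_config_check_sig() comes without a regression test; the diffstat shows only common/image-fit-sig.c changing, so nothing signs an image built with mkimage -E and then verifies it. Please add a test for that case alongside the fix, so that the exclusion list and the properties mkimage emits for external data cannot drift apart again unnoticed.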

On Tue, 20 Apr 2021 at 12:20, John Keeping john@metanate.com wrote:
> The "-E" option to mkimage generates a FIT with external data using the data-size and data-offset properties which must both be ignored when verifying a signature.
> Add "data-offset" to the list of excluded properties for signature verification; since the line is now too long, re-format the list to one-per-line and make it static since the data is constant.
> Signed-off-by: John Keeping john@metanate.com
> common/image-fit-sig.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
Reviewed-by: Simon Glass sjg@chromium.org

On Tue, Apr 20, 2021 at 07:19:44PM +0100, John Keeping wrote:
> The "-E" option to mkimage generates a FIT with external data using the data-size and data-offset properties which must both be ignored when verifying a signature.
> Add "data-offset" to the list of excluded properties for signature verification; since the line is now too long, re-format the list to one-per-line and make it static since the data is constant.
> Signed-off-by: John Keeping john@metanate.com
> Reviewed-by: Simon Glass sjg@chromium.org
Applied to u-boot/master, thanks!
participants (3): John Keeping, Simon Glass, Tom Rini