[PATCH] mkimage: fit: Fix signing of configs with external data
Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well.
Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson sean.anderson@seco.com ---
tools/image-host.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..5ba6e3bbce0 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) { - char * const exc_prop[] = {"data"}; + char * const exc_prop[] = { + "data", + "data-size", + "data-position", + "data-offset" + }; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];
Hi Sean,
On Tue, 11 Oct 2022 at 15:52, Sean Anderson sean.anderson@seco.com wrote:
Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well.
Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson sean.anderson@seco.com
tools/image-host.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..5ba6e3bbce0 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) {
char * const exc_prop[] = {"data"};
char * const exc_prop[] = {"data","data-size","data-position","data-offset"}; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];-- 2.35.1.1320.gc452695387.dirty
It looks like we should be able to use FIT_DATA_POSITION_PROP (etc.) here?
Regards, Simon
On 10/12/22 08:59, Simon Glass wrote:
Hi Sean,
On Tue, 11 Oct 2022 at 15:52, Sean Anderson sean.anderson@seco.com wrote:
Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well.
Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson sean.anderson@seco.com
tools/image-host.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..5ba6e3bbce0 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) {
char * const exc_prop[] = {"data"};
char * const exc_prop[] = {"data","data-size","data-position","data-offset"}; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];-- 2.35.1.1320.gc452695387.dirty
It looks like we should be able to use FIT_DATA_POSITION_PROP (etc.) here?
Probably. fit_config_check_sig would also need to be updated.
--Sean
participants (2)
-
Sean Anderson -
Simon Glass