LM
/
u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vboot: add DTB policy for supporting multiple required conf keys 

Currently FIT image must be signed by all required conf keys. This means
Verified Boot fails if there is a signature verification failure
using any required key in U-Boot DTB.

This patch introduces a new policy in DTB that can be set to any required
conf key. This means if verified boot passes with one of the required
keys, U-Boot will continue the OS hand off.

There were prior attempts to address this:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
https://lists.denx.de/pipermail/u-boot/2020-January/396629.html

Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Thirupathaiah Annapureddy 2020-08-16 23:01:09 -07:00 committed by Tom Rini
parent 9885313b9a
commit 182eeefcb4
1 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
common/image-fit-sig.c
View File

@ -416,6 +416,10 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
{ {
int noffset; int noffset;
int sig_node; int sig_node;
int verified = 0;
int reqd_sigs = 0;
bool reqd_policy_all = true;
const char *reqd_mode;
/* Work out what we need to verify */ /* Work out what we need to verify */
sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
@ -425,6 +429,14 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
return 0; return 0;
} }
/* Get required-mode policy property from DTB */
reqd_mode = fdt_getprop(sig_blob, sig_node, "required-mode", NULL);
if (reqd_mode && !strcmp(reqd_mode, "any"))
reqd_policy_all = false;
debug("%s: required-mode policy set to '%s'\n", __func__,
reqd_policy_all ? "all" : "any");
fdt_for_each_subnode(noffset, sig_blob, sig_node) { fdt_for_each_subnode(noffset, sig_blob, sig_node) {
const char *required; const char *required;
int ret; int ret;
@ -433,15 +445,29 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
NULL); NULL);
if (!required || strcmp(required, "conf")) if (!required || strcmp(required, "conf"))
continue; continue;
reqd_sigs++;
ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
noffset); noffset);
if (ret) { if (ret) {
printf("Failed to verify required signature '%s'\n", if (reqd_policy_all) {
fit_get_name(sig_blob, noffset, NULL)); printf("Failed to verify required signature '%s'\n",
return ret; fit_get_name(sig_blob, noffset, NULL));
return ret;
}
} else {
verified++;
if (!reqd_policy_all)
break;
} }
} }
if (reqd_sigs && !verified) {
printf("Failed to verify 'any' of the required signature(s)\n");
return -EPERM;
}
return 0; return 0;
} }