Hi Heiko,
On 8 June 2017 at 22:52, Heiko Schocher <h...@denx.de> wrote:
> Hello Simon,
>
> Am 09.06.2017 um 05:05 schrieb Simon Glass:
>>
>> Hi Heiko,
>>
>> On 8 June 2017 at 03:52, Heiko Schocher <h...@denx.de> wrote:
>>>
>>> fit_image_verify_required_sigs() must return != 0, on error.
>>>
>>> When fit_image_verify_required_sigs() does not find a signature
>>> node, it returns 0, which leads in booting a signed FIT image.
>>>
>>> Fix this!
>>>
>>> Signed-off-by: Heiko Schocher <h...@denx.de>
>>> ---
>>>
>>> Found on an imx28 based board, with key dtb appended to u-boot.bin.
>>>
>>> Booting signed FIT image without an valid key dtb appended to u-boot.bin
>>> shows:
>
> [...]
>>>
>>> common/image-sig.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/common/image-sig.c b/common/image-sig.c
>>> index 455f2b9..646fb08 100644
>>> --- a/common/image-sig.c
>>> +++ b/common/image-sig.c
>>> @@ -265,7 +265,7 @@ int fit_image_verify_required_sigs(const void *fit,
>>> int image_noffset,
>>> if (sig_node < 0) {
>>> debug("%s: No signature node found: %s\n", __func__,
>>> fdt_strerror(sig_node));
>>> - return 0;
>>> + return 1;
>>
>>
>> Thanks for finding/fixing this! I suggest returning -EPERM.
>
>
> Ok, changed.
>
>> Also note that using image-based security is somewhat insecure since
>> people can mix and match them. Configuration signing is preferred if
>> you can do it.
>
>
> I do this, here my configurations node from the its file:
>
> configurations {
> default = "conf@1";
> conf@1 {
> description = "board config 1";
> kernel = "kernel@1";
> fdt = "fdt@1";
> ramdisk = "ramdisk@1";
> signature@1 {
> algo = "sha256,rsa4096";
> key-name-hint = "dev";
> };
> };
> };
>
>> As Tom said, can you add a test please?
>
>
> Hmm... tried with current U-Boot, the steps described in
>
> test/image/test-fit.py
>
> # make O=sandbox sandbox_config
> # make O=sandbox
> # ./test/image/test-fit.py -u sandbox/u-boot
>
> and get:
>
> pollux:u-boot hs [master] $ ./test/image/test-fit.py -u sandbox/u-boot
> FIT Tests
> =========
[...]
> Traceback (most recent call last):
> File "./test/image/test-fit.py", line 481, in <module>
> run_tests()
> File "./test/image/test-fit.py", line 470, in run_tests
> run_fit_test(mkimage, options.u_boot)
> File "./test/image/test-fit.py", line 388, in run_fit_test
> fail('Kernel not loaded', stdout)
> File "./test/image/test-fit.py", line 306, in fail
> raise ValueError("Test '%s' failed: %s" % (test_name, msg))
> ValueError: Test 'Kernel load' failed: Kernel not loaded
> pollux:u-boot hs [master] $
>
> Can you verify this?
>
Yes I see that too. I bisected it and sent a patch.
Regards,
Simon
> Thanks!
>
> bye,
> Heiko
>
>>
>>> }
>>>
>>> fdt_for_each_subnode(noffset, sig_blob, sig_node) {
>>> --
>>> 2.7.4
>>>
>>
>> Regards,
>> Simon
>>
>
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
