On Wed, Apr 11, 2018 at 11:13:05PM +0800, Jun Nie wrote: > It may be unnecessary to check signature on unlocked board. > Get the hint from platform specific code to support secure boot > and non-secure boot with the same binary, so that boot is not > blocked if board is not locked and has no key for signature > verification. > > Signed-off-by: Jun Nie <jun....@linaro.org> > --- > common/image-sig.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/common/image-sig.c b/common/image-sig.c > index d9f712f..f3d1252 100644 > --- a/common/image-sig.c > +++ b/common/image-sig.c > @@ -151,6 +151,11 @@ struct image_region *fit_region_make_list(const void > *fit, > return region; > } > > +int __attribute__((weak)) fit_board_skip_sig_verification(void) > +{ > + return 0; > +} > + > static int fit_image_setup_verify(struct image_sign_info *info, > const void *fit, int noffset, int required_keynode, > char **err_msgp) > @@ -188,6 +193,12 @@ int fit_image_check_sig(const void *fit, int noffset, > const void *data, > uint8_t *fit_value; > int fit_value_len; > > + /* Skip verification if board says that */ > + if (fit_board_skip_sig_verification()) { > + printf("signature check skipped\n"); > + return 0; > + } > + > *err_msgp = NULL; > if (fit_image_setup_verify(&info, fit, noffset, required_keynode, > err_msgp)) > @@ -438,6 +449,12 @@ int fit_config_verify_required_sigs(const void *fit, int > conf_noffset, > int noffset; > int sig_node; > > + /* Skip verification if board says that */ > + if (fit_board_skip_sig_verification()) { > + printf("signature check skipped\n"); > + return 0; > + } > + > /* Work out what we need to verify */ > sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); > if (sig_node < 0) {
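Review bot: the weak fit_board_skip_sig_verification() added after fit_region_make_list() (hunk at -151,6 +151,11) has no comment stating its contract, and since the diffstat lists only common/image-sig.c there is no prototype in a header for a board override to be checked against. Please declare it in a shared header and document what a non-zero return means and which board state it is expected to reflect (the commit message says "locked" versus "unlocked"), so that an override has a defined, reviewable meaning.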
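Review bot: in fit_image_check_sig() (hunk at -188,6 +193,12) the new early return sits above `*err_msgp = NULL;`, so on the skip path the function returns 0 without ever writing *err_msgp, and the caller cannot tell that 0 apart from the 0 of a check that actually passed. Move the test below the `*err_msgp = NULL;` assignment, and make the skip distinguishable to the caller or at least identify the image node in the message instead of printing a fixed "signature check skipped".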
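Review bot: in fit_config_verify_required_sigs() (hunk at -438,6 +449,12) the skip returns 0 before sig_node is looked up in sig_blob, so whatever that blob requires is ignored whenever the hook returns non-zero, and nothing in the patch limits the branch to builds that asked for it. Put the hook and both call sites behind a build-time option so that binaries for locked-only products contain no skip path, and evaluate the hook once rather than separately here and in fit_image_check_sig(), so the two paths cannot disagree within one boot.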
I'm not sure I like the concept here. Wouldn't this make it easier to break in to a secure setup with some binary editing? Or is that really no worse than today? Also, can you please follow up with an implementation of fit_board_skip_sig_verification?

Thanks!

-- 
Tom
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot