The fdt checksign command accepts an optional address for an FDT containing public keys. It currently installs that blob as gd->fdt_blob before verifying the FIT configuration.
This breaks verification with DM-backed crypto drivers which have not probed yet, since the later probe path expects gd->fdt_blob to remain U-Boot's control FDT. For example, an ECDSA verifier can be bound from the control FDT but fail to probe after fdt checksign points gd->fdt_blob at the key-only DTB. Add a FIT config verification helper that takes the key blob explicitly and use it from fdt checksign. This keeps gd->fdt_blob unchanged while still allowing the command to verify against an external key DTB. Signed-off-by: James Hilliard <[email protected]> --- boot/image-fit-sig.c | 8 +++++++- cmd/fdt.c | 14 ++++++-------- include/image.h | 9 +++++++++ 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index 9b5ab754561..fe7ca6e4ab5 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -708,8 +708,14 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, return 0; } +int fit_config_verify_with_key_blob(const void *fit, int conf_noffset, + const void *key_blob) +{ + return fit_config_verify_required_keys(fit, conf_noffset, key_blob); +} + int fit_config_verify(const void *fit, int conf_noffset) { - return fit_config_verify_required_keys(fit, conf_noffset, + return fit_config_verify_with_key_blob(fit, conf_noffset, gd_fdt_blob()); } diff --git a/cmd/fdt.c b/cmd/fdt.c index d6d5b9fdfd2..7e2abf96103 100644 --- a/cmd/fdt.c +++ b/cmd/fdt.c @@ -719,22 +719,19 @@ static int do_fdt(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) } else if (strncmp(argv[1], "che", 3) == 0) { int cfg_noffset; int ret; - unsigned long addr; - struct fdt_header *blob; + struct fdt_header *key_blob; if (!working_fdt) return CMD_RET_FAILURE; if (argc > 2) { - addr = hextoul(argv[2], NULL); - blob = map_sysmem(addr, 0); + key_blob = map_sysmem(hextoul(argv[2], NULL), 0); } else { - blob = (struct fdt_header *)gd->fdt_blob; + key_blob = (struct fdt_header *)gd->fdt_blob; } - if (!fdt_valid(&blob)) + if (!fdt_valid(&key_blob)) return 1; - gd->fdt_blob = blob; cfg_noffset = fit_conf_get_node(working_fdt, NULL); if (cfg_noffset < 0) { printf("Could not find configuration node: %s\n", @@ -742,7 +739,8 @@ static int do_fdt(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) return CMD_RET_FAILURE; } - ret = fit_config_verify(working_fdt, cfg_noffset); + ret = fit_config_verify_with_key_blob(working_fdt, cfg_noffset, + key_blob); if (ret == 0) return CMD_RET_SUCCESS; else diff --git a/include/image.h b/include/image.h index 9c8a746d576..4b3c9c87bf5 100644 --- a/include/image.h +++ b/include/image.h @@ -1461,11 +1461,20 @@ int fit_image_verify_with_data(const void *fit, int image_noffset, int fit_image_verify(const void *fit, int noffset); #if CONFIG_IS_ENABLED(FIT_SIGNATURE) int fit_config_verify(const void *fit, int conf_noffset); +int fit_config_verify_with_key_blob(const void *fit, int conf_noffset, + const void *key_blob); #else static inline int fit_config_verify(const void *fit, int conf_noffset) { return 0; } + +static inline int fit_config_verify_with_key_blob(const void *fit, + int conf_noffset, + const void *key_blob) +{ + return 0; +} #endif int fit_all_image_verify(const void *fit); int fit_config_decrypt(const void *fit, int conf_noffset); -- 2.53.0

