| // SPDX-License-Identifier: GPL-2.0+ |
| /* |
| * Copyright (c) 2013, Google Inc. |
| * |
| * (C) Copyright 2008 Semihalf |
| * |
| * (C) Copyright 2000-2006 |
| * Wolfgang Denk, DENX Software Engineering, wd@denx.de. |
| */ |
| |
| #include "mkimage.h" |
| #include <bootm.h> |
| #include <fdt_region.h> |
| #include <image.h> |
| #include <version.h> |
| |
| #if CONFIG_IS_ENABLED(FIT_SIGNATURE) |
| #include <openssl/pem.h> |
| #include <openssl/evp.h> |
| #endif |
| |
| /** |
| * fit_set_hash_value - set hash value in requested has node |
| * @fit: pointer to the FIT format image header |
| * @noffset: hash node offset |
| * @value: hash value to be set |
| * @value_len: hash value length |
| * |
| * fit_set_hash_value() attempts to set hash value in a node at offset |
| * given and returns operation status to the caller. |
| * |
| * returns |
| * 0, on success |
| * -1, on failure |
| */ |
| static int fit_set_hash_value(void *fit, int noffset, uint8_t *value, |
| int value_len) |
| { |
| int ret; |
| |
| ret = fdt_setprop(fit, noffset, FIT_VALUE_PROP, value, value_len); |
| if (ret) { |
| fprintf(stderr, "Can't set hash '%s' property for '%s' node(%s)\n", |
| FIT_VALUE_PROP, fit_get_name(fit, noffset, NULL), |
| fdt_strerror(ret)); |
| return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO; |
| } |
| |
| return 0; |
| } |
| |
| /** |
| * fit_image_process_hash - Process a single subnode of the images/ node |
| * |
| * Check each subnode and process accordingly. For hash nodes we generate |
| * a hash of the supplied data and store it in the node. |
| * |
| * @fit: pointer to the FIT format image header |
| * @image_name: name of image being processed (used to display errors) |
| * @noffset: subnode offset |
| * @data: data to process |
| * @size: size of data in bytes |
| * Return: 0 if ok, -1 on error |
| */ |
| static int fit_image_process_hash(void *fit, const char *image_name, |
| int noffset, const void *data, size_t size) |
| { |
| uint8_t value[FIT_MAX_HASH_LEN]; |
| const char *node_name; |
| int value_len; |
| const char *algo; |
| int ret; |
| |
| node_name = fit_get_name(fit, noffset, NULL); |
| |
| if (fit_image_hash_get_algo(fit, noffset, &algo)) { |
| fprintf(stderr, |
| "Can't get hash algo property for '%s' hash node in '%s' image node\n", |
| node_name, image_name); |
| return -ENOENT; |
| } |
| |
| if (calculate_hash(data, size, algo, value, &value_len)) { |
| fprintf(stderr, |
| "Unsupported hash algorithm (%s) for '%s' hash node in '%s' image node\n", |
| algo, node_name, image_name); |
| return -EPROTONOSUPPORT; |
| } |
| |
| ret = fit_set_hash_value(fit, noffset, value, value_len); |
| if (ret) { |
| fprintf(stderr, "Can't set hash value for '%s' hash node in '%s' image node\n", |
| node_name, image_name); |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| /** |
| * fit_image_write_sig() - write the signature to a FIT |
| * |
| * This writes the signature and signer data to the FIT. |
| * |
| * @fit: pointer to the FIT format image header |
| * @noffset: hash node offset |
| * @value: signature value to be set |
| * @value_len: signature value length |
| * @comment: Text comment to write (NULL for none) |
| * |
| * returns |
| * 0, on success |
| * -FDT_ERR_..., on failure |
| */ |
| static int fit_image_write_sig(void *fit, int noffset, uint8_t *value, |
| int value_len, const char *comment, const char *region_prop, |
| int region_proplen, const char *cmdname, const char *algo_name) |
| { |
| int string_size; |
| int ret; |
| |
| /* |
| * Get the current string size, before we update the FIT and add |
| * more |
| */ |
| string_size = fdt_size_dt_strings(fit); |
| |
| ret = fdt_setprop(fit, noffset, FIT_VALUE_PROP, value, value_len); |
| if (!ret) { |
| ret = fdt_setprop_string(fit, noffset, "signer-name", |
| "mkimage"); |
| } |
| if (!ret) { |
| ret = fdt_setprop_string(fit, noffset, "signer-version", |
| PLAIN_VERSION); |
| } |
| if (comment && !ret) |
| ret = fdt_setprop_string(fit, noffset, "comment", comment); |
| if (!ret) { |
| time_t timestamp = imagetool_get_source_date(cmdname, |
| time(NULL)); |
| uint32_t t = cpu_to_uimage(timestamp); |
| |
| ret = fdt_setprop(fit, noffset, FIT_TIMESTAMP_PROP, &t, |
| sizeof(uint32_t)); |
| } |
| if (region_prop && !ret) { |
| uint32_t strdata[2]; |
| |
| ret = fdt_setprop(fit, noffset, "hashed-nodes", |
| region_prop, region_proplen); |
| /* This is a legacy offset, it is unused, and must remain 0. */ |
| strdata[0] = 0; |
| strdata[1] = cpu_to_fdt32(string_size); |
| if (!ret) { |
| ret = fdt_setprop(fit, noffset, "hashed-strings", |
| strdata, sizeof(strdata)); |
| } |
| } |
| if (algo_name && !ret) |
| ret = fdt_setprop_string(fit, noffset, "algo", algo_name); |
| |
| return ret; |
| } |
| |
| static int fit_image_setup_sig(struct image_sign_info *info, |
| const char *keydir, const char *keyfile, void *fit, |
| const char *image_name, int noffset, const char *require_keys, |
| const char *engine_id, const char *algo_name) |
| { |
| const char *node_name; |
| const char *padding_name; |
| |
| node_name = fit_get_name(fit, noffset, NULL); |
| if (!algo_name) { |
| if (fit_image_hash_get_algo(fit, noffset, &algo_name)) { |
| fprintf(stderr, |
| "Can't get algo property for '%s' signature node in '%s' image node\n", |
| node_name, image_name); |
| return -1; |
| } |
| } |
| |
| padding_name = fdt_getprop(fit, noffset, "padding", NULL); |
| |
| memset(info, '\0', sizeof(*info)); |
| info->keydir = keydir; |
| info->keyfile = keyfile; |
| info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); |
| info->fit = fit; |
| info->node_offset = noffset; |
| info->name = strdup(algo_name); |
| info->checksum = image_get_checksum_algo(algo_name); |
| info->crypto = image_get_crypto_algo(algo_name); |
| info->padding = image_get_padding_algo(padding_name); |
| info->require_keys = require_keys; |
| info->engine_id = engine_id; |
| if (!info->checksum || !info->crypto) { |
| fprintf(stderr, |
| "Unsupported signature algorithm (%s) for '%s' signature node in '%s' image node\n", |
| algo_name, node_name, image_name); |
| return -1; |
| } |
| |
| return 0; |
| } |
| |
| /** |
| * fit_image_process_sig- Process a single subnode of the images/ node |
| * |
| * Check each subnode and process accordingly. For signature nodes we |
| * generate a signed hash of the supplied data and store it in the node. |
| * |
| * @keydir: Directory containing keys to use for signing |
| * @keydest: Destination FDT blob to write public keys into (NULL if none) |
| * @fit: pointer to the FIT format image header |
| * @image_name: name of image being processed (used to display errors) |
| * @noffset: subnode offset |
| * @data: data to process |
| * @size: size of data in bytes |
| * @comment: Comment to add to signature nodes |
| * @require_keys: Mark all keys as 'required' |
| * @engine_id: Engine to use for signing |
| * Return: keydest node if @keydest is non-NULL, else 0 if none; -ve error code |
| * on failure |
| */ |
| static int fit_image_process_sig(const char *keydir, const char *keyfile, |
| void *keydest, void *fit, const char *image_name, |
| int noffset, const void *data, size_t size, |
| const char *comment, int require_keys, const char *engine_id, |
| const char *cmdname, const char *algo_name) |
| { |
| struct image_sign_info info; |
| struct image_region region; |
| const char *node_name; |
| uint8_t *value; |
| uint value_len; |
| int ret; |
| |
| if (fit_image_setup_sig(&info, keydir, keyfile, fit, image_name, |
| noffset, require_keys ? "image" : NULL, |
| engine_id, algo_name)) |
| return -1; |
| |
| node_name = fit_get_name(fit, noffset, NULL); |
| region.data = data; |
| region.size = size; |
| ret = info.crypto->sign(&info, ®ion, 1, &value, &value_len); |
| if (ret) { |
| fprintf(stderr, "Failed to sign '%s' signature node in '%s' image node: %d\n", |
| node_name, image_name, ret); |
| |
| /* We allow keys to be missing */ |
| if (ret == -ENOENT) |
| return 0; |
| return -1; |
| } |
| |
| ret = fit_image_write_sig(fit, noffset, value, value_len, comment, |
| NULL, 0, cmdname, algo_name); |
| if (ret) { |
| if (ret == -FDT_ERR_NOSPACE) |
| return -ENOSPC; |
| fprintf(stderr, |
| "Can't write signature for '%s' signature node in '%s' conf node: %s\n", |
| node_name, image_name, fdt_strerror(ret)); |
| return -1; |
| } |
| free(value); |
| |
| /* Get keyname again, as FDT has changed and invalidated our pointer */ |
| info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); |
| |
| /* |
| * Write the public key into the supplied FDT file; this might fail |
| * several times, since we try signing with successively increasing |
| * size values |
| */ |
| if (keydest) { |
| ret = info.crypto->add_verify_data(&info, keydest); |
| if (ret < 0) { |
| fprintf(stderr, |
| "Failed to add verification data for '%s' signature node in '%s' image node\n", |
| node_name, image_name); |
| return ret; |
| } |
| /* Return the node that was written to */ |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| static int fit_image_read_data(char *filename, unsigned char *data, |
| int expected_size) |
| { |
| struct stat sbuf; |
| int fd, ret = -1; |
| ssize_t n; |
| |
| /* Open file */ |
| fd = open(filename, O_RDONLY | O_BINARY); |
| if (fd < 0) { |
| fprintf(stderr, "Can't open file %s (err=%d => %s)\n", |
| filename, errno, strerror(errno)); |
| return -1; |
| } |
| |
| /* Compute file size */ |
| if (fstat(fd, &sbuf) < 0) { |
| fprintf(stderr, "Can't fstat file %s (err=%d => %s)\n", |
| filename, errno, strerror(errno)); |
| goto err; |
| } |
| |
| /* Check file size */ |
| if (sbuf.st_size != expected_size) { |
| fprintf(stderr, "File %s don't have the expected size (size=%lld, expected=%d)\n", |
| filename, (long long)sbuf.st_size, expected_size); |
| goto err; |
| } |
| |
| /* Read data */ |
| n = read(fd, data, sbuf.st_size); |
| if (n < 0) { |
| fprintf(stderr, "Can't read file %s (err=%d => %s)\n", |
| filename, errno, strerror(errno)); |
| goto err; |
| } |
| |
| /* Check that we have read all the file */ |
| if (n != sbuf.st_size) { |
| fprintf(stderr, "Can't read all file %s (read %zd bytes, expected %lld)\n", |
| filename, n, (long long)sbuf.st_size); |
| goto err; |
| } |
| |
| ret = 0; |
| |
| err: |
| close(fd); |
| return ret; |
| } |
| |
| static int fit_image_read_key_iv_data(const char *keydir, const char *key_iv_name, |
| unsigned char *key_iv_data, int expected_size) |
| { |
| char filename[PATH_MAX]; |
| int ret = -1; |
| |
| ret = snprintf(filename, sizeof(filename), "%s/%s%s", |
| keydir, key_iv_name, ".bin"); |
| if (ret >= sizeof(filename)) { |
| printf("Can't format the key or IV filename when setting up the cipher: insufficient buffer space\n"); |
| ret = -1; |
| } |
| if (ret < 0) { |
| printf("Can't format the key or IV filename when setting up the cipher: snprintf error\n"); |
| ret = -1; |
| } |
| |
| ret = fit_image_read_data(filename, key_iv_data, expected_size); |
| |
| return ret; |
| } |
| |
| static int get_random_data(void *data, int size) |
| { |
| unsigned char *tmp = data; |
| struct timespec date; |
| int i, ret; |
| |
| if (!tmp) { |
| fprintf(stderr, "%s: pointer data is NULL\n", __func__); |
| ret = -1; |
| goto out; |
| } |
| |
| ret = clock_gettime(CLOCK_MONOTONIC, &date); |
| if (ret) { |
| fprintf(stderr, "%s: clock_gettime has failed (%s)\n", __func__, |
| strerror(errno)); |
| goto out; |
| } |
| |
| srandom(date.tv_nsec); |
| |
| for (i = 0; i < size; i++) { |
| *tmp = random() & 0xff; |
| tmp++; |
| } |
| |
| out: |
| return ret; |
| } |
| |
| static int fit_image_setup_cipher(struct image_cipher_info *info, |
| const char *keydir, void *fit, |
| const char *image_name, int image_noffset, |
| int noffset) |
| { |
| char *algo_name; |
| int ret = -1; |
| |
| if (fit_image_cipher_get_algo(fit, noffset, &algo_name)) { |
| fprintf(stderr, "Can't get algo name for cipher in image '%s'\n", |
| image_name); |
| goto out; |
| } |
| |
| info->keydir = keydir; |
| |
| /* Read the key name */ |
| info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); |
| if (!info->keyname) { |
| fprintf(stderr, "Can't get key name for cipher in image '%s'\n", |
| image_name); |
| goto out; |
| } |
| |
| /* |
| * Read the IV name |
| * |
| * If this property is not provided then mkimage will generate |
| * a random IV and store it in the FIT image |
| */ |
| info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL); |
| |
| info->fit = fit; |
| info->node_noffset = noffset; |
| info->name = algo_name; |
| |
| info->cipher = image_get_cipher_algo(algo_name); |
| if (!info->cipher) { |
| fprintf(stderr, "Can't get algo for cipher '%s'\n", image_name); |
| goto out; |
| } |
| |
| info->key = malloc(info->cipher->key_len); |
| if (!info->key) { |
| fprintf(stderr, "Can't allocate memory for key\n"); |
| ret = -1; |
| goto out; |
| } |
| |
| /* Read the key in the file */ |
| ret = fit_image_read_key_iv_data(info->keydir, info->keyname, |
| (unsigned char *)info->key, |
| info->cipher->key_len); |
| if (ret < 0) |
| goto out; |
| |
| info->iv = malloc(info->cipher->iv_len); |
| if (!info->iv) { |
| fprintf(stderr, "Can't allocate memory for iv\n"); |
| ret = -1; |
| goto out; |
| } |
| |
| if (info->ivname) { |
| /* Read the IV in the file */ |
| ret = fit_image_read_key_iv_data(info->keydir, info->ivname, |
| (unsigned char *)info->iv, |
| info->cipher->iv_len); |
| if (ret < 0) |
| goto out; |
| } else { |
| /* Generate an ramdom IV */ |
| ret = get_random_data((void *)info->iv, info->cipher->iv_len); |
| } |
| |
| out: |
| return ret; |
| } |
| |
| int fit_image_write_cipher(void *fit, int image_noffset, int noffset, |
| const void *data, size_t size, |
| unsigned char *data_ciphered, int data_ciphered_len) |
| { |
| int ret = -1; |
| |
| /* Replace data with ciphered data */ |
| ret = fdt_setprop(fit, image_noffset, FIT_DATA_PROP, |
| data_ciphered, data_ciphered_len); |
| if (ret == -FDT_ERR_NOSPACE) { |
| ret = -ENOSPC; |
| goto out; |
| } |
| if (ret) { |
| fprintf(stderr, "Can't replace data with ciphered data (err = %d)\n", ret); |
| goto out; |
| } |
| |
| /* add non ciphered data size */ |
| ret = fdt_setprop_u32(fit, image_noffset, "data-size-unciphered", size); |
| if (ret == -FDT_ERR_NOSPACE) { |
| ret = -ENOSPC; |
| goto out; |
| } |
| if (ret) { |
| fprintf(stderr, "Can't add unciphered data size (err = %d)\n", ret); |
| goto out; |
| } |
| |
| out: |
| return ret; |
| } |
| |
| static int |
| fit_image_process_cipher(const char *keydir, void *keydest, void *fit, |
| const char *image_name, int image_noffset, |
| int node_noffset, const void *data, size_t size, |
| const char *cmdname) |
| { |
| struct image_cipher_info info; |
| unsigned char *data_ciphered = NULL; |
| int data_ciphered_len; |
| int ret; |
| |
| memset(&info, 0, sizeof(info)); |
| |
| ret = fit_image_setup_cipher(&info, keydir, fit, image_name, |
| image_noffset, node_noffset); |
| if (ret) |
| goto out; |
| |
| ret = info.cipher->encrypt(&info, data, size, |
| &data_ciphered, &data_ciphered_len); |
| if (ret) |
| goto out; |
| |
| /* |
| * Write the public key into the supplied FDT file; this might fail |
| * several times, since we try signing with successively increasing |
| * size values |
| * And, if needed, write the iv in the FIT file |
| */ |
| if (keydest) { |
| ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset); |
| if (ret) { |
| fprintf(stderr, |
| "Failed to add verification data for cipher '%s' in image '%s'\n", |
| info.keyname, image_name); |
| goto out; |
| } |
| } |
| |
| ret = fit_image_write_cipher(fit, image_noffset, node_noffset, |
| data, size, |
| data_ciphered, data_ciphered_len); |
| |
| out: |
| free(data_ciphered); |
| free((void *)info.key); |
| free((void *)info.iv); |
| return ret; |
| } |
| |
| int fit_image_cipher_data(const char *keydir, void *keydest, |
| void *fit, int image_noffset, const char *comment, |
| int require_keys, const char *engine_id, |
| const char *cmdname) |
| { |
| const char *image_name; |
| const void *data; |
| size_t size; |
| int cipher_node_offset, len; |
| |
| /* Get image name */ |
| image_name = fit_get_name(fit, image_noffset, NULL); |
| if (!image_name) { |
| fprintf(stderr, "Can't get image name\n"); |
| return -1; |
| } |
| |
| /* Get image data and data length */ |
| if (fit_image_get_data(fit, image_noffset, &data, &size)) { |
| fprintf(stderr, "Can't get image data/size\n"); |
| return -1; |
| } |
| |
| /* |
| * Don't cipher ciphered data. |
| * |
| * If the data-size-unciphered property is present the data for this |
| * image is already encrypted. This is important as 'mkimage -F' can be |
| * run multiple times on a FIT image. |
| */ |
| if (fdt_getprop(fit, image_noffset, "data-size-unciphered", &len)) |
| return 0; |
| if (len != -FDT_ERR_NOTFOUND) { |
| fprintf(stderr, "Failure testing for data-size-unciphered\n"); |
| return -1; |
| } |
| |
| /* Process cipher node if present */ |
| cipher_node_offset = fdt_subnode_offset(fit, image_noffset, |
| FIT_CIPHER_NODENAME); |
| if (cipher_node_offset == -FDT_ERR_NOTFOUND) |
| return 0; |
| if (cipher_node_offset < 0) { |
| fprintf(stderr, "Failure getting cipher node\n"); |
| return -1; |
| } |
| if (!IMAGE_ENABLE_ENCRYPT || !keydir) |
| return 0; |
| return fit_image_process_cipher(keydir, keydest, fit, image_name, |
| image_noffset, cipher_node_offset, data, size, cmdname); |
| } |
| |
| /** |
| * fit_image_add_verification_data() - calculate/set verig. data for image node |
| * |
| * This adds hash and signature values for an component image node. |
| * |
| * All existing hash subnodes are checked, if algorithm property is set to |
| * one of the supported hash algorithms, hash value is computed and |
| * corresponding hash node property is set, for example: |
| * |
| * Input component image node structure: |
| * |
| * o image-1 (at image_noffset) |
| * | - data = [binary data] |
| * o hash-1 |
| * |- algo = "sha1" |
| * |
| * Output component image node structure: |
| * |
| * o image-1 (at image_noffset) |
| * | - data = [binary data] |
| * o hash-1 |
| * |- algo = "sha1" |
| * |- value = sha1(data) |
| * |
| * For signature details, please see doc/uImage.FIT/signature.txt |
| * |
| * @keydir Directory containing *.key and *.crt files (or NULL) |
| * @keydest FDT Blob to write public keys into (NULL if none) |
| * @fit: Pointer to the FIT format image header |
| * @image_noffset: Requested component image node |
| * @comment: Comment to add to signature nodes |
| * @require_keys: Mark all keys as 'required' |
| * @engine_id: Engine to use for signing |
| * @return: 0 on success, <0 on failure |
| */ |
| int fit_image_add_verification_data(const char *keydir, const char *keyfile, |
| void *keydest, void *fit, int image_noffset, |
| const char *comment, int require_keys, const char *engine_id, |
| const char *cmdname, const char* algo_name) |
| { |
| const char *image_name; |
| const void *data; |
| size_t size; |
| int noffset; |
| |
| /* Get image data and data length */ |
| if (fit_image_get_data(fit, image_noffset, &data, &size)) { |
| fprintf(stderr, "Can't get image data/size\n"); |
| return -1; |
| } |
| |
| image_name = fit_get_name(fit, image_noffset, NULL); |
| |
| /* Process all hash subnodes of the component image node */ |
| for (noffset = fdt_first_subnode(fit, image_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| const char *node_name; |
| int ret = 0; |
| |
| /* |
| * Check subnode name, must be equal to "hash" or "signature". |
| * Multiple hash nodes require unique unit node |
| * names, e.g. hash-1, hash-2, signature-1, etc. |
| */ |
| node_name = fit_get_name(fit, noffset, NULL); |
| if (!strncmp(node_name, FIT_HASH_NODENAME, |
| strlen(FIT_HASH_NODENAME))) { |
| ret = fit_image_process_hash(fit, image_name, noffset, |
| data, size); |
| } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) && |
| !strncmp(node_name, FIT_SIG_NODENAME, |
| strlen(FIT_SIG_NODENAME))) { |
| ret = fit_image_process_sig(keydir, keyfile, keydest, |
| fit, image_name, noffset, data, size, |
| comment, require_keys, engine_id, cmdname, |
| algo_name); |
| } |
| if (ret < 0) |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| struct strlist { |
| int count; |
| char **strings; |
| }; |
| |
| static void strlist_init(struct strlist *list) |
| { |
| memset(list, '\0', sizeof(*list)); |
| } |
| |
| static void strlist_free(struct strlist *list) |
| { |
| int i; |
| |
| for (i = 0; i < list->count; i++) |
| free(list->strings[i]); |
| free(list->strings); |
| } |
| |
| static int strlist_add(struct strlist *list, const char *str) |
| { |
| char *dup; |
| |
| dup = strdup(str); |
| list->strings = realloc(list->strings, |
| (list->count + 1) * sizeof(char *)); |
| if (!list || !str) |
| return -1; |
| list->strings[list->count++] = dup; |
| |
| return 0; |
| } |
| |
| static const char *fit_config_get_image_list(const void *fit, int noffset, |
| int *lenp, int *allow_missingp) |
| { |
| static const char default_list[] = FIT_KERNEL_PROP "\0" |
| FIT_FDT_PROP; |
| const char *prop; |
| |
| /* If there is an "sign-image" property, use that */ |
| prop = fdt_getprop(fit, noffset, "sign-images", lenp); |
| if (prop) { |
| *allow_missingp = 0; |
| return *lenp ? prop : NULL; |
| } |
| |
| /* Default image list */ |
| *allow_missingp = 1; |
| *lenp = sizeof(default_list); |
| |
| return default_list; |
| } |
| |
| /** |
| * fit_config_add_hash() - Add a list of nodes to hash for an image |
| * |
| * This adds a list of paths to image nodes (as referred to by a particular |
| * offset) that need to be hashed, to protect a configuration |
| * |
| * @fit: Pointer to the FIT format image header |
| * @image_noffset: Offset of image to process (e.g. /images/kernel-1) |
| * @node_inc: List of nodes to add to |
| * @conf_name Configuration-node name, child of /configurations node (only |
| * used for error messages) |
| * @sig_name Signature-node name (only used for error messages) |
| * @iname: Name of image being processed (e.g. "kernel-1" (only used |
| * for error messages) |
| */ |
| static int fit_config_add_hash(const void *fit, int image_noffset, |
| struct strlist *node_inc, const char *conf_name, |
| const char *sig_name, const char *iname) |
| { |
| char path[200]; |
| int noffset; |
| int hash_count; |
| int ret; |
| |
| ret = fdt_get_path(fit, image_noffset, path, sizeof(path)); |
| if (ret < 0) |
| goto err_path; |
| if (strlist_add(node_inc, path)) |
| goto err_mem; |
| |
| /* Add all this image's hashes */ |
| hash_count = 0; |
| for (noffset = fdt_first_subnode(fit, image_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| const char *name = fit_get_name(fit, noffset, NULL); |
| |
| if (strncmp(name, FIT_HASH_NODENAME, |
| strlen(FIT_HASH_NODENAME))) |
| continue; |
| ret = fdt_get_path(fit, noffset, path, sizeof(path)); |
| if (ret < 0) |
| goto err_path; |
| if (strlist_add(node_inc, path)) |
| goto err_mem; |
| hash_count++; |
| } |
| |
| if (!hash_count) { |
| fprintf(stderr, |
| "Failed to find any hash nodes in configuration '%s/%s' image '%s' - without these it is not possible to verify this image\n", |
| conf_name, sig_name, iname); |
| return -ENOMSG; |
| } |
| |
| /* Add this image's cipher node if present */ |
| noffset = fdt_subnode_offset(fit, image_noffset, |
| FIT_CIPHER_NODENAME); |
| if (noffset != -FDT_ERR_NOTFOUND) { |
| if (noffset < 0) { |
| fprintf(stderr, |
| "Failed to get cipher node in configuration '%s/%s' image '%s': %s\n", |
| conf_name, sig_name, iname, |
| fdt_strerror(noffset)); |
| return -EIO; |
| } |
| ret = fdt_get_path(fit, noffset, path, sizeof(path)); |
| if (ret < 0) |
| goto err_path; |
| if (strlist_add(node_inc, path)) |
| goto err_mem; |
| } |
| |
| return 0; |
| |
| err_mem: |
| fprintf(stderr, "Out of memory processing configuration '%s/%s'\n", conf_name, |
| sig_name); |
| return -ENOMEM; |
| |
| err_path: |
| fprintf(stderr, "Failed to get path for image '%s' in configuration '%s/%s': %s\n", |
| iname, conf_name, sig_name, fdt_strerror(ret)); |
| return -ENOENT; |
| } |
| |
| /** |
| * fit_config_get_hash_list() - Get the regions to sign |
| * |
| * This calculates a list of nodes to hash for this particular configuration, |
| * returning it as a string list (struct strlist, not a devicetree string list) |
| * |
| * @fit: Pointer to the FIT format image header |
| * @conf_noffset: Offset of configuration node to sign (child of |
| * /configurations node) |
| * @sig_offset: Offset of signature node containing info about how to sign it |
| * (child of 'signatures' node) |
| * @return 0 if OK, -ENOENT if an image referred to by the configuration cannot |
| * be found, -ENOMSG if ther were no images in the configuration |
| */ |
| static int fit_config_get_hash_list(const void *fit, int conf_noffset, |
| int sig_offset, struct strlist *node_inc) |
| { |
| int allow_missing; |
| const char *prop, *iname, *end; |
| const char *conf_name, *sig_name; |
| char name[200]; |
| int image_count; |
| int ret, len; |
| |
| conf_name = fit_get_name(fit, conf_noffset, NULL); |
| sig_name = fit_get_name(fit, sig_offset, NULL); |
| |
| /* |
| * Build a list of nodes we need to hash. We always need the root |
| * node and the configuration. |
| */ |
| strlist_init(node_inc); |
| snprintf(name, sizeof(name), "%s/%s", FIT_CONFS_PATH, conf_name); |
| if (strlist_add(node_inc, "/") || |
| strlist_add(node_inc, name)) |
| goto err_mem; |
| |
| /* Get a list of images that we intend to sign */ |
| prop = fit_config_get_image_list(fit, sig_offset, &len, |
| &allow_missing); |
| if (!prop) |
| return 0; |
| |
| /* Locate the images */ |
| end = prop + len; |
| image_count = 0; |
| for (iname = prop; iname < end; iname += strlen(iname) + 1) { |
| int image_noffset; |
| int index, max_index; |
| |
| max_index = fdt_stringlist_count(fit, conf_noffset, iname); |
| |
| for (index = 0; index < max_index; index++) { |
| image_noffset = fit_conf_get_prop_node_index(fit, conf_noffset, |
| iname, index); |
| |
| if (image_noffset < 0) { |
| fprintf(stderr, |
| "Failed to find image '%s' in configuration '%s/%s'\n", |
| iname, conf_name, sig_name); |
| if (allow_missing) |
| continue; |
| |
| return -ENOENT; |
| } |
| |
| ret = fit_config_add_hash(fit, image_noffset, node_inc, |
| conf_name, sig_name, iname); |
| if (ret < 0) |
| return ret; |
| |
| image_count++; |
| } |
| } |
| |
| if (!image_count) { |
| fprintf(stderr, "Failed to find any images for configuration '%s/%s'\n", |
| conf_name, sig_name); |
| return -ENOMSG; |
| } |
| |
| return 0; |
| |
| err_mem: |
| fprintf(stderr, "Out of memory processing configuration '%s/%s'\n", conf_name, |
| sig_name); |
| return -ENOMEM; |
| } |
| |
| /** |
| * fit_config_get_regions() - Get the regions to sign |
| * |
| * This calculates a list of node to hash for this particular configuration, |
| * then finds which regions of the devicetree they correspond to. |
| * |
| * @fit: Pointer to the FIT format image header |
| * @conf_noffset: Offset of configuration node to sign (child of |
| * /configurations node) |
| * @sig_offset: Offset of signature node containing info about how to sign it |
| * (child of 'signatures' node) |
| * @regionp: Returns list of regions that need to be hashed (allocated; must be |
| * freed by the caller) |
| * @region_count: Returns number of regions |
| * @region_propp: Returns string-list property containing the list of nodes |
| * that correspond to the regions. Each entry is a full path to the node. |
| * This is in devicetree format, i.e. a \0 between each string. This is |
| * allocated and must be freed by the caller. |
| * @region_proplen: Returns length of *@@region_propp in bytes |
| * @return 0 if OK, -ENOMEM if out of memory, -EIO if the regions to hash could |
| * not be found, -EINVAL if no registers were found to hash |
| */ |
| static int fit_config_get_regions(const void *fit, int conf_noffset, |
| int sig_offset, struct image_region **regionp, |
| int *region_countp, char **region_propp, |
| int *region_proplen) |
| { |
| char * const exc_prop[] = { |
| FIT_DATA_PROP, |
| FIT_DATA_SIZE_PROP, |
| FIT_DATA_POSITION_PROP, |
| FIT_DATA_OFFSET_PROP, |
| }; |
| struct strlist node_inc; |
| struct image_region *region; |
| struct fdt_region fdt_regions[100]; |
| const char *conf_name, *sig_name; |
| char path[200]; |
| int count, i; |
| char *region_prop; |
| int ret, len; |
| |
| conf_name = fit_get_name(fit, conf_noffset, NULL); |
| sig_name = fit_get_name(fit, sig_offset, NULL); |
| debug("%s: conf='%s', sig='%s'\n", __func__, conf_name, sig_name); |
| |
| /* Get a list of nodes we want to hash */ |
| ret = fit_config_get_hash_list(fit, conf_noffset, sig_offset, |
| &node_inc); |
| if (ret) |
| return ret; |
| |
| /* Get a list of regions to hash */ |
| count = fdt_find_regions(fit, node_inc.strings, node_inc.count, |
| exc_prop, ARRAY_SIZE(exc_prop), |
| fdt_regions, ARRAY_SIZE(fdt_regions), |
| path, sizeof(path), 1); |
| if (count < 0) { |
| fprintf(stderr, "Failed to hash configuration '%s/%s': %s\n", conf_name, |
| sig_name, fdt_strerror(ret)); |
| return -EIO; |
| } |
| if (count == 0) { |
| fprintf(stderr, "No data to hash for configuration '%s/%s': %s\n", |
| conf_name, sig_name, fdt_strerror(ret)); |
| return -EINVAL; |
| } |
| |
| /* Build our list of data blocks */ |
| region = fit_region_make_list(fit, fdt_regions, count, NULL); |
| if (!region) { |
| fprintf(stderr, "Out of memory hashing configuration '%s/%s'\n", |
| conf_name, sig_name); |
| return -ENOMEM; |
| } |
| |
| /* Create a list of all hashed properties */ |
| debug("Hash nodes:\n"); |
| for (i = len = 0; i < node_inc.count; i++) { |
| debug(" %s\n", node_inc.strings[i]); |
| len += strlen(node_inc.strings[i]) + 1; |
| } |
| region_prop = malloc(len); |
| if (!region_prop) { |
| fprintf(stderr, "Out of memory setting up regions for configuration '%s/%s'\n", |
| conf_name, sig_name); |
| return -ENOMEM; |
| } |
| for (i = len = 0; i < node_inc.count; |
| len += strlen(node_inc.strings[i]) + 1, i++) |
| strcpy(region_prop + len, node_inc.strings[i]); |
| strlist_free(&node_inc); |
| |
| *region_countp = count; |
| *regionp = region; |
| *region_propp = region_prop; |
| *region_proplen = len; |
| |
| return 0; |
| } |
| |
| /** |
| * fit_config_process_sig - Process a single subnode of the configurations/ node |
| * |
| * Generate a signed hash of the supplied data and store it in the node. |
| * |
| * @keydir: Directory containing keys to use for signing |
| * @keydest: Destination FDT blob to write public keys into (NULL if none) |
| * @fit: pointer to the FIT format image header |
| * @conf_name name of config being processed (used to display errors) |
| * @conf_noffset: Offset of configuration node, e.g. '/configurations/conf-1' |
| * @noffset: subnode offset, e.g. '/configurations/conf-1/sig-1' |
| * @comment: Comment to add to signature nodes |
| * @require_keys: Mark all keys as 'required' |
| * @engine_id: Engine to use for signing |
| * @cmdname: Command name used when reporting errors |
| * @return keydest node if @keydest is non-NULL, else 0 if none; -ve error code |
| * on failure |
| */ |
| static int fit_config_process_sig(const char *keydir, const char *keyfile, |
| void *keydest, void *fit, const char *conf_name, |
| int conf_noffset, int noffset, const char *comment, |
| int require_keys, const char *engine_id, const char *cmdname, |
| const char *algo_name) |
| { |
| struct image_sign_info info; |
| const char *node_name; |
| struct image_region *region; |
| char *region_prop; |
| int region_proplen; |
| int region_count; |
| uint8_t *value; |
| uint value_len; |
| int ret; |
| |
| node_name = fit_get_name(fit, noffset, NULL); |
| if (fit_config_get_regions(fit, conf_noffset, noffset, ®ion, |
| ®ion_count, ®ion_prop, |
| ®ion_proplen)) |
| return -1; |
| |
| if (fit_image_setup_sig(&info, keydir, keyfile, fit, conf_name, noffset, |
| require_keys ? "conf" : NULL, engine_id, |
| algo_name)) |
| return -1; |
| |
| ret = info.crypto->sign(&info, region, region_count, &value, |
| &value_len); |
| free(region); |
| if (ret) { |
| fprintf(stderr, "Failed to sign '%s' signature node in '%s' conf node\n", |
| node_name, conf_name); |
| |
| /* We allow keys to be missing */ |
| if (ret == -ENOENT) |
| return 0; |
| return -1; |
| } |
| |
| ret = fit_image_write_sig(fit, noffset, value, value_len, comment, |
| region_prop, region_proplen, cmdname, |
| algo_name); |
| if (ret) { |
| if (ret == -FDT_ERR_NOSPACE) |
| return -ENOSPC; |
| fprintf(stderr, |
| "Can't write signature for '%s' signature node in '%s' conf node: %s\n", |
| node_name, conf_name, fdt_strerror(ret)); |
| return -1; |
| } |
| free(value); |
| free(region_prop); |
| |
| /* Get keyname again, as FDT has changed and invalidated our pointer */ |
| info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); |
| |
| /* Write the public key into the supplied FDT file */ |
| if (keydest) { |
| ret = info.crypto->add_verify_data(&info, keydest); |
| if (ret < 0) { |
| fprintf(stderr, |
| "Failed to add verification data for '%s' signature node in '%s' configuration node\n", |
| node_name, conf_name); |
| } |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| static int fit_config_add_verification_data(const char *keydir, |
| const char *keyfile, void *keydest, void *fit, int conf_noffset, |
| const char *comment, int require_keys, const char *engine_id, |
| const char *cmdname, const char *algo_name, |
| struct image_summary *summary) |
| { |
| const char *conf_name; |
| int noffset; |
| |
| conf_name = fit_get_name(fit, conf_noffset, NULL); |
| |
| /* Process all hash subnodes of the configuration node */ |
| for (noffset = fdt_first_subnode(fit, conf_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| const char *node_name; |
| int ret = 0; |
| |
| node_name = fit_get_name(fit, noffset, NULL); |
| if (!strncmp(node_name, FIT_SIG_NODENAME, |
| strlen(FIT_SIG_NODENAME))) { |
| ret = fit_config_process_sig(keydir, keyfile, keydest, |
| fit, conf_name, conf_noffset, noffset, comment, |
| require_keys, engine_id, cmdname, algo_name); |
| if (ret < 0) |
| return ret; |
| |
| summary->sig_offset = noffset; |
| fdt_get_path(fit, noffset, summary->sig_path, |
| sizeof(summary->sig_path)); |
| |
| if (keydest) { |
| summary->keydest_offset = ret; |
| fdt_get_path(keydest, ret, |
| summary->keydest_path, |
| sizeof(summary->keydest_path)); |
| } |
| } |
| } |
| |
| return 0; |
| } |
| |
| #if CONFIG_IS_ENABLED(FIT_SIGNATURE) |
| /* |
| * 0) open file (open) |
| * 1) read certificate (PEM_read_X509) |
| * 2) get public key (X509_get_pubkey) |
| * 3) provide der format (d2i_RSAPublicKey) |
| */ |
| static int read_pub_key(const char *keydir, const void *name, |
| unsigned char **pubkey, int *pubkey_len) |
| { |
| char path[1024]; |
| EVP_PKEY *key = NULL; |
| X509 *cert; |
| FILE *f; |
| int ret; |
| |
| memset(path, 0, 1024); |
| snprintf(path, sizeof(path), "%s/%s.crt", keydir, (char *)name); |
| |
| /* Open certificate file */ |
| f = fopen(path, "r"); |
| if (!f) { |
| fprintf(stderr, "Couldn't open RSA certificate: '%s': %s\n", |
| path, strerror(errno)); |
| return -EACCES; |
| } |
| |
| /* Read the certificate */ |
| cert = NULL; |
| if (!PEM_read_X509(f, &cert, NULL, NULL)) { |
| fprintf(stderr, "Couldn't read certificate"); |
| ret = -EINVAL; |
| goto err_cert; |
| } |
| |
| /* Get the public key from the certificate. */ |
| key = X509_get_pubkey(cert); |
| if (!key) { |
| fprintf(stderr, "Couldn't read public key\n"); |
| ret = -EINVAL; |
| goto err_pubkey; |
| } |
| |
| /* Get DER form */ |
| ret = i2d_PublicKey(key, pubkey); |
| if (ret < 0) { |
| fprintf(stderr, "Couldn't get DER form\n"); |
| ret = -EINVAL; |
| goto err_pubkey; |
| } |
| |
| *pubkey_len = ret; |
| ret = 0; |
| |
| err_pubkey: |
| X509_free(cert); |
| err_cert: |
| fclose(f); |
| return ret; |
| } |
| |
| int fit_pre_load_data(const char *keydir, void *keydest, void *fit) |
| { |
| int pre_load_noffset; |
| const void *algo_name; |
| const void *key_name; |
| unsigned char *pubkey = NULL; |
| int ret, pubkey_len; |
| |
| if (!keydir || !keydest || !fit) |
| return 0; |
| |
| /* Search node pre-load sig */ |
| pre_load_noffset = fdt_path_offset(keydest, IMAGE_PRE_LOAD_PATH); |
| if (pre_load_noffset < 0) { |
| ret = 0; |
| goto out; |
| } |
| |
| algo_name = fdt_getprop(keydest, pre_load_noffset, "algo-name", NULL); |
| key_name = fdt_getprop(keydest, pre_load_noffset, "key-name", NULL); |
| |
| /* Check that all mandatory properties are present */ |
| if (!algo_name || !key_name) { |
| if (!algo_name) |
| fprintf(stderr, "The property algo-name is missing in the node %s\n", |
| IMAGE_PRE_LOAD_PATH); |
| if (!key_name) |
| fprintf(stderr, "The property key-name is missing in the node %s\n", |
| IMAGE_PRE_LOAD_PATH); |
| ret = -EINVAL; |
| goto out; |
| } |
| |
| /* Read public key */ |
| ret = read_pub_key(keydir, key_name, &pubkey, &pubkey_len); |
| if (ret < 0) |
| goto out; |
| |
| /* Add the public key to the device tree */ |
| ret = fdt_setprop(keydest, pre_load_noffset, "public-key", |
| pubkey, pubkey_len); |
| if (ret) |
| fprintf(stderr, "Can't set public-key in node %s (ret = %d)\n", |
| IMAGE_PRE_LOAD_PATH, ret); |
| |
| out: |
| return ret; |
| } |
| #endif |
| |
| int fit_cipher_data(const char *keydir, void *keydest, void *fit, |
| const char *comment, int require_keys, |
| const char *engine_id, const char *cmdname) |
| { |
| int images_noffset; |
| int noffset; |
| int ret; |
| |
| /* Find images parent node offset */ |
| images_noffset = fdt_path_offset(fit, FIT_IMAGES_PATH); |
| if (images_noffset < 0) { |
| fprintf(stderr, "Can't find images parent node '%s' (%s)\n", |
| FIT_IMAGES_PATH, fdt_strerror(images_noffset)); |
| return images_noffset; |
| } |
| |
| /* Process its subnodes, print out component images details */ |
| for (noffset = fdt_first_subnode(fit, images_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| /* |
| * Direct child node of the images parent node, |
| * i.e. component image node. |
| */ |
| ret = fit_image_cipher_data(keydir, keydest, |
| fit, noffset, comment, |
| require_keys, engine_id, |
| cmdname); |
| if (ret) |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| int fit_add_verification_data(const char *keydir, const char *keyfile, |
| void *keydest, void *fit, const char *comment, |
| int require_keys, const char *engine_id, |
| const char *cmdname, const char *algo_name, |
| struct image_summary *summary) |
| { |
| int images_noffset, confs_noffset; |
| int noffset; |
| int ret; |
| |
| /* Find images parent node offset */ |
| images_noffset = fdt_path_offset(fit, FIT_IMAGES_PATH); |
| if (images_noffset < 0) { |
| fprintf(stderr, "Can't find images parent node '%s' (%s)\n", |
| FIT_IMAGES_PATH, fdt_strerror(images_noffset)); |
| return images_noffset; |
| } |
| |
| /* Process its subnodes, print out component images details */ |
| for (noffset = fdt_first_subnode(fit, images_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| /* |
| * Direct child node of the images parent node, |
| * i.e. component image node. |
| */ |
| ret = fit_image_add_verification_data(keydir, keyfile, keydest, |
| fit, noffset, comment, require_keys, engine_id, |
| cmdname, algo_name); |
| if (ret) { |
| fprintf(stderr, "Can't add verification data for node '%s' (%s)\n", |
| fdt_get_name(fit, noffset, NULL), |
| fdt_strerror(ret)); |
| return ret; |
| } |
| } |
| |
| /* If there are no keys, we can't sign configurations */ |
| if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile)) |
| return 0; |
| |
| /* Find configurations parent node offset */ |
| confs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH); |
| if (confs_noffset < 0) { |
| fprintf(stderr, "Can't find images parent node '%s' (%s)\n", |
| FIT_CONFS_PATH, fdt_strerror(confs_noffset)); |
| return -ENOENT; |
| } |
| |
| /* Process its subnodes, print out component images details */ |
| for (noffset = fdt_first_subnode(fit, confs_noffset); |
| noffset >= 0; |
| noffset = fdt_next_subnode(fit, noffset)) { |
| ret = fit_config_add_verification_data(keydir, keyfile, keydest, |
| fit, noffset, comment, |
| require_keys, |
| engine_id, cmdname, |
| algo_name, summary); |
| if (ret) |
| return ret; |
| } |
| |
| return 0; |
| } |
| |
| #ifdef CONFIG_FIT_SIGNATURE |
| int fit_check_sign(const void *fit, const void *key, |
| const char *fit_uname_config) |
| { |
| int cfg_noffset; |
| int ret; |
| |
| cfg_noffset = fit_conf_get_node(fit, fit_uname_config); |
| if (!cfg_noffset) |
| return -1; |
| |
| printf("Verifying Hash Integrity for node '%s'... ", |
| fdt_get_name(fit, cfg_noffset, NULL)); |
| ret = fit_config_verify(fit, cfg_noffset); |
| if (ret) |
| return ret; |
| printf("Verified OK, loading images\n"); |
| ret = bootm_host_load_images(fit, cfg_noffset); |
| |
| return ret; |
| } |
| #endif |