AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * Copyright (c) 2013, Google Inc. |
| 4 | */ |
| 5 | |
| 6 | #ifdef USE_HOSTCC |
| 7 | #include "mkimage.h" |
| 8 | #include <time.h> |
| 9 | #else |
Simon Glass | f7ae49f | 2020-05-10 11:40:05 -0600 | [diff] [blame] | 10 | #include <log.h> |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 11 | #include <malloc.h> |
Simon Glass | 401d1c4 | 2020-10-30 21:38:53 -0600 | [diff] [blame] | 12 | #include <asm/global_data.h> |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 13 | DECLARE_GLOBAL_DATA_PTR; |
| 14 | #endif /* !USE_HOSTCC*/ |
Masahiro Yamada | 64045a6 | 2020-04-16 18:30:18 +0900 | [diff] [blame] | 15 | #include <fdt_region.h> |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 16 | #include <image.h> |
| 17 | #include <u-boot/rsa.h> |
Alexandru Gagniuc | 0bcb28d | 2021-02-19 12:45:10 -0600 | [diff] [blame] | 18 | #include <u-boot/hash-checksum.h> |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 19 | |
| 20 | #define IMAGE_MAX_HASHED_NODES 100 |
| 21 | |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 22 | /** |
| 23 | * fit_region_make_list() - Make a list of image regions |
| 24 | * |
| 25 | * Given a list of fdt_regions, create a list of image_regions. This is a |
| 26 | * simple conversion routine since the FDT and image code use different |
| 27 | * structures. |
| 28 | * |
| 29 | * @fit: FIT image |
| 30 | * @fdt_regions: Pointer to FDT regions |
| 31 | * @count: Number of FDT regions |
| 32 | * @region: Pointer to image regions, which must hold @count records. If |
| 33 | * region is NULL, then (except for an SPL build) the array will be |
| 34 | * allocated. |
| 35 | * @return: Pointer to image regions |
| 36 | */ |
| 37 | struct image_region *fit_region_make_list(const void *fit, |
| 38 | struct fdt_region *fdt_regions, |
| 39 | int count, |
| 40 | struct image_region *region) |
| 41 | { |
| 42 | int i; |
| 43 | |
| 44 | debug("Hash regions:\n"); |
| 45 | debug("%10s %10s\n", "Offset", "Size"); |
| 46 | |
| 47 | /* |
| 48 | * Use malloc() except in SPL (to save code size). In SPL the caller |
| 49 | * must allocate the array. |
| 50 | */ |
Simon Glass | b53541f | 2021-09-25 19:43:39 -0600 | [diff] [blame] | 51 | if (!IS_ENABLED(CONFIG_SPL_BUILD) && !region) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 52 | region = calloc(sizeof(*region), count); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 53 | if (!region) |
| 54 | return NULL; |
| 55 | for (i = 0; i < count; i++) { |
| 56 | debug("%10x %10x\n", fdt_regions[i].offset, |
| 57 | fdt_regions[i].size); |
| 58 | region[i].data = fit + fdt_regions[i].offset; |
| 59 | region[i].size = fdt_regions[i].size; |
| 60 | } |
| 61 | |
| 62 | return region; |
| 63 | } |
| 64 | |
| 65 | static int fit_image_setup_verify(struct image_sign_info *info, |
| 66 | const void *fit, int noffset, |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 67 | const void *key_blob, int required_keynode, |
| 68 | char **err_msgp) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 69 | { |
Jan Kiszka | 4550ce9 | 2022-01-14 10:21:17 +0100 | [diff] [blame] | 70 | const char *algo_name; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 71 | const char *padding_name; |
| 72 | |
Simon Glass | b53541f | 2021-09-25 19:43:39 -0600 | [diff] [blame] | 73 | if (fdt_totalsize(fit) > CONFIG_VAL(FIT_SIGNATURE_MAX_SIZE)) { |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 74 | *err_msgp = "Total size too large"; |
| 75 | return 1; |
| 76 | } |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 77 | if (fit_image_hash_get_algo(fit, noffset, &algo_name)) { |
| 78 | *err_msgp = "Can't get hash algo property"; |
| 79 | return -1; |
| 80 | } |
| 81 | |
| 82 | padding_name = fdt_getprop(fit, noffset, "padding", NULL); |
| 83 | if (!padding_name) |
| 84 | padding_name = RSA_DEFAULT_PADDING_NAME; |
| 85 | |
| 86 | memset(info, '\0', sizeof(*info)); |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 87 | info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); |
Hannu Lounento | 2289629 | 2021-10-18 08:49:03 +0300 | [diff] [blame] | 88 | info->fit = fit; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 89 | info->node_offset = noffset; |
| 90 | info->name = algo_name; |
| 91 | info->checksum = image_get_checksum_algo(algo_name); |
| 92 | info->crypto = image_get_crypto_algo(algo_name); |
| 93 | info->padding = image_get_padding_algo(padding_name); |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 94 | info->fdt_blob = key_blob; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 95 | info->required_keynode = required_keynode; |
| 96 | printf("%s:%s", algo_name, info->keyname); |
| 97 | |
| 98 | if (!info->checksum || !info->crypto || !info->padding) { |
| 99 | *err_msgp = "Unknown signature algorithm"; |
| 100 | return -1; |
| 101 | } |
| 102 | |
| 103 | return 0; |
| 104 | } |
| 105 | |
| 106 | int fit_image_check_sig(const void *fit, int noffset, const void *data, |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 107 | size_t size, const void *key_blob, int required_keynode, |
| 108 | char **err_msgp) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 109 | { |
| 110 | struct image_sign_info info; |
| 111 | struct image_region region; |
| 112 | uint8_t *fit_value; |
| 113 | int fit_value_len; |
| 114 | |
| 115 | *err_msgp = NULL; |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 116 | if (fit_image_setup_verify(&info, fit, noffset, key_blob, |
| 117 | required_keynode, err_msgp)) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 118 | return -1; |
| 119 | |
| 120 | if (fit_image_hash_get_value(fit, noffset, &fit_value, |
| 121 | &fit_value_len)) { |
| 122 | *err_msgp = "Can't get hash value property"; |
| 123 | return -1; |
| 124 | } |
| 125 | |
| 126 | region.data = data; |
| 127 | region.size = size; |
| 128 | |
| 129 | if (info.crypto->verify(&info, ®ion, 1, fit_value, fit_value_len)) { |
| 130 | *err_msgp = "Verification failed"; |
| 131 | return -1; |
| 132 | } |
| 133 | |
| 134 | return 0; |
| 135 | } |
| 136 | |
| 137 | static int fit_image_verify_sig(const void *fit, int image_noffset, |
| 138 | const char *data, size_t size, |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 139 | const void *key_blob, int key_offset) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 140 | { |
| 141 | int noffset; |
| 142 | char *err_msg = ""; |
| 143 | int verified = 0; |
| 144 | int ret; |
| 145 | |
| 146 | /* Process all hash subnodes of the component image node */ |
| 147 | fdt_for_each_subnode(noffset, fit, image_noffset) { |
| 148 | const char *name = fit_get_name(fit, noffset, NULL); |
| 149 | |
Simon Glass | 79af75f | 2021-02-15 17:08:06 -0700 | [diff] [blame] | 150 | /* |
| 151 | * We don't support this since libfdt considers names with the |
| 152 | * name root but different @ suffix to be equal |
| 153 | */ |
| 154 | if (strchr(name, '@')) { |
| 155 | err_msg = "Node name contains @"; |
| 156 | goto error; |
| 157 | } |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 158 | if (!strncmp(name, FIT_SIG_NODENAME, |
| 159 | strlen(FIT_SIG_NODENAME))) { |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 160 | ret = fit_image_check_sig(fit, noffset, data, size, |
| 161 | key_blob, -1, &err_msg); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 162 | if (ret) { |
| 163 | puts("- "); |
| 164 | } else { |
| 165 | puts("+ "); |
| 166 | verified = 1; |
| 167 | break; |
| 168 | } |
| 169 | } |
| 170 | } |
| 171 | |
| 172 | if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) { |
| 173 | err_msg = "Corrupted or truncated tree"; |
| 174 | goto error; |
| 175 | } |
| 176 | |
| 177 | return verified ? 0 : -EPERM; |
| 178 | |
| 179 | error: |
| 180 | printf(" error!\n%s for '%s' hash node in '%s' image node\n", |
| 181 | err_msg, fit_get_name(fit, noffset, NULL), |
| 182 | fit_get_name(fit, image_noffset, NULL)); |
| 183 | return -1; |
| 184 | } |
| 185 | |
| 186 | int fit_image_verify_required_sigs(const void *fit, int image_noffset, |
| 187 | const char *data, size_t size, |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 188 | const void *key_blob, int *no_sigsp) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 189 | { |
| 190 | int verify_count = 0; |
| 191 | int noffset; |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 192 | int key_node; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 193 | |
| 194 | /* Work out what we need to verify */ |
| 195 | *no_sigsp = 1; |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 196 | key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME); |
| 197 | if (key_node < 0) { |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 198 | debug("%s: No signature node found: %s\n", __func__, |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 199 | fdt_strerror(key_node)); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 200 | return 0; |
| 201 | } |
| 202 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 203 | fdt_for_each_subnode(noffset, key_blob, key_node) { |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 204 | const char *required; |
| 205 | int ret; |
| 206 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 207 | required = fdt_getprop(key_blob, noffset, FIT_KEY_REQUIRED, |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 208 | NULL); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 209 | if (!required || strcmp(required, "image")) |
| 210 | continue; |
| 211 | ret = fit_image_verify_sig(fit, image_noffset, data, size, |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 212 | key_blob, noffset); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 213 | if (ret) { |
| 214 | printf("Failed to verify required signature '%s'\n", |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 215 | fit_get_name(key_blob, noffset, NULL)); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 216 | return ret; |
| 217 | } |
| 218 | verify_count++; |
| 219 | } |
| 220 | |
| 221 | if (verify_count) |
| 222 | *no_sigsp = 0; |
| 223 | |
| 224 | return 0; |
| 225 | } |
| 226 | |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 227 | /** |
| 228 | * fit_config_check_sig() - Check the signature of a config |
| 229 | * |
Simon Glass | 2ad90b3 | 2021-11-12 12:28:09 -0700 | [diff] [blame] | 230 | * Here we are looking at a particular signature that needs verification (here |
| 231 | * signature-1): |
| 232 | * |
| 233 | * configurations { |
| 234 | * default = "conf-1"; |
| 235 | * conf-1 { |
| 236 | * kernel = "kernel-1"; |
| 237 | * fdt = "fdt-1"; |
| 238 | * signature-1 { |
| 239 | * algo = "sha1,rsa2048"; |
| 240 | * value = <...conf 1 signature...>; |
| 241 | * }; |
| 242 | * }; |
| 243 | * |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 244 | * @fit: FIT to check |
Simon Glass | 2ad90b3 | 2021-11-12 12:28:09 -0700 | [diff] [blame] | 245 | * @noffset: Offset of the signature node being checked (e.g. |
| 246 | * /configurations/conf-1/signature-1) |
| 247 | * @conf_noffset: Offset of configuration node (e.g. /configurations/conf-1) |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 248 | * @key_blob: Blob containing the keys to check against |
Simon Glass | 2ad90b3 | 2021-11-12 12:28:09 -0700 | [diff] [blame] | 249 | * @required_keynode: Offset in @key_blob of the required key node, |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 250 | * if any. If this is given, then the configuration wil not |
| 251 | * pass verification unless that key is used. If this is |
| 252 | * -1 then any signature will do. |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 253 | * @err_msgp: In the event of an error, this will be pointed to a |
| 254 | * help error string to display to the user. |
Heinrich Schuchardt | 185f812 | 2022-01-19 18:05:50 +0100 | [diff] [blame] | 255 | * Return: 0 if all verified ok, <0 on error |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 256 | */ |
Simon Glass | 2ad90b3 | 2021-11-12 12:28:09 -0700 | [diff] [blame] | 257 | static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset, |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 258 | const void *key_blob, int required_keynode, |
| 259 | char **err_msgp) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 260 | { |
John Keeping | 8edecd3 | 2021-04-20 19:19:44 +0100 | [diff] [blame] | 261 | static char * const exc_prop[] = { |
Sean Anderson | 0abe332 | 2022-10-20 15:41:10 -0400 | [diff] [blame] | 262 | FIT_DATA_PROP, |
| 263 | FIT_DATA_SIZE_PROP, |
| 264 | FIT_DATA_POSITION_PROP, |
| 265 | FIT_DATA_OFFSET_PROP, |
John Keeping | 8edecd3 | 2021-04-20 19:19:44 +0100 | [diff] [blame] | 266 | }; |
| 267 | |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 268 | const char *prop, *end, *name; |
| 269 | struct image_sign_info info; |
| 270 | const uint32_t *strings; |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 271 | const char *config_name; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 272 | uint8_t *fit_value; |
| 273 | int fit_value_len; |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 274 | bool found_config; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 275 | int max_regions; |
| 276 | int i, prop_len; |
| 277 | char path[200]; |
| 278 | int count; |
| 279 | |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 280 | config_name = fit_get_name(fit, conf_noffset, NULL); |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 281 | debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, key_blob, |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 282 | fit_get_name(fit, noffset, NULL), |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 283 | fit_get_name(key_blob, required_keynode, NULL)); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 284 | *err_msgp = NULL; |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 285 | if (fit_image_setup_verify(&info, fit, noffset, key_blob, |
| 286 | required_keynode, err_msgp)) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 287 | return -1; |
| 288 | |
| 289 | if (fit_image_hash_get_value(fit, noffset, &fit_value, |
| 290 | &fit_value_len)) { |
| 291 | *err_msgp = "Can't get hash value property"; |
| 292 | return -1; |
| 293 | } |
| 294 | |
| 295 | /* Count the number of strings in the property */ |
| 296 | prop = fdt_getprop(fit, noffset, "hashed-nodes", &prop_len); |
| 297 | end = prop ? prop + prop_len : prop; |
| 298 | for (name = prop, count = 0; name < end; name++) |
| 299 | if (!*name) |
| 300 | count++; |
| 301 | if (!count) { |
| 302 | *err_msgp = "Can't get hashed-nodes property"; |
| 303 | return -1; |
| 304 | } |
| 305 | |
| 306 | if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') { |
| 307 | *err_msgp = "hashed-nodes property must be null-terminated"; |
| 308 | return -1; |
| 309 | } |
| 310 | |
| 311 | /* Add a sanity check here since we are using the stack */ |
| 312 | if (count > IMAGE_MAX_HASHED_NODES) { |
| 313 | *err_msgp = "Number of hashed nodes exceeds maximum"; |
| 314 | return -1; |
| 315 | } |
| 316 | |
| 317 | /* Create a list of node names from those strings */ |
| 318 | char *node_inc[count]; |
| 319 | |
| 320 | debug("Hash nodes (%d):\n", count); |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 321 | found_config = false; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 322 | for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) { |
| 323 | debug(" '%s'\n", name); |
| 324 | node_inc[i] = (char *)name; |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 325 | if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) && |
| 326 | name[sizeof(FIT_CONFS_PATH) - 1] == '/' && |
| 327 | !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) { |
| 328 | debug(" (found config node %s)", config_name); |
| 329 | found_config = true; |
| 330 | } |
| 331 | } |
| 332 | if (!found_config) { |
| 333 | *err_msgp = "Selected config not in hashed nodes"; |
| 334 | return -1; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 335 | } |
| 336 | |
| 337 | /* |
| 338 | * Each node can generate one region for each sub-node. Allow for |
| 339 | * 7 sub-nodes (hash-1, signature-1, etc.) and some extra. |
| 340 | */ |
| 341 | max_regions = 20 + count * 7; |
| 342 | struct fdt_region fdt_regions[max_regions]; |
| 343 | |
| 344 | /* Get a list of regions to hash */ |
| 345 | count = fdt_find_regions(fit, node_inc, count, |
| 346 | exc_prop, ARRAY_SIZE(exc_prop), |
| 347 | fdt_regions, max_regions - 1, |
| 348 | path, sizeof(path), 0); |
| 349 | if (count < 0) { |
| 350 | *err_msgp = "Failed to hash configuration"; |
| 351 | return -1; |
| 352 | } |
| 353 | if (count == 0) { |
| 354 | *err_msgp = "No data to hash"; |
| 355 | return -1; |
| 356 | } |
| 357 | if (count >= max_regions - 1) { |
| 358 | *err_msgp = "Too many hash regions"; |
| 359 | return -1; |
| 360 | } |
| 361 | |
| 362 | /* Add the strings */ |
| 363 | strings = fdt_getprop(fit, noffset, "hashed-strings", NULL); |
| 364 | if (strings) { |
| 365 | /* |
| 366 | * The strings region offset must be a static 0x0. |
| 367 | * This is set in tool/image-host.c |
| 368 | */ |
| 369 | fdt_regions[count].offset = fdt_off_dt_strings(fit); |
| 370 | fdt_regions[count].size = fdt32_to_cpu(strings[1]); |
| 371 | count++; |
| 372 | } |
| 373 | |
| 374 | /* Allocate the region list on the stack */ |
| 375 | struct image_region region[count]; |
| 376 | |
| 377 | fit_region_make_list(fit, fdt_regions, count, region); |
| 378 | if (info.crypto->verify(&info, region, count, fit_value, |
| 379 | fit_value_len)) { |
| 380 | *err_msgp = "Verification failed"; |
| 381 | return -1; |
| 382 | } |
| 383 | |
| 384 | return 0; |
| 385 | } |
| 386 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 387 | /** |
| 388 | * fit_config_verify_key() - Verify that a configuration is signed with a key |
| 389 | * |
| 390 | * Here we are looking at a particular configuration that needs verification: |
| 391 | * |
| 392 | * configurations { |
| 393 | * default = "conf-1"; |
| 394 | * conf-1 { |
| 395 | * kernel = "kernel-1"; |
| 396 | * fdt = "fdt-1"; |
| 397 | * signature-1 { |
| 398 | * algo = "sha1,rsa2048"; |
| 399 | * value = <...conf 1 signature...>; |
| 400 | * }; |
| 401 | * }; |
| 402 | * |
| 403 | * We must check each of the signature subnodes of conf-1. Hopefully one of them |
| 404 | * will match the key at key_offset. |
| 405 | * |
| 406 | * @fit: FIT to check |
| 407 | * @conf_noffset: Offset of the configuration node to check (e.g. |
| 408 | * /configurations/conf-1) |
| 409 | * @key_blob: Blob containing the keys to check against |
| 410 | * @key_offset: Offset of the key to check within @key_blob |
| 411 | * @return 0 if OK, -EPERM if any signatures did not verify, or the |
| 412 | * configuration node has an invalid name |
| 413 | */ |
| 414 | static int fit_config_verify_key(const void *fit, int conf_noffset, |
| 415 | const void *key_blob, int key_offset) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 416 | { |
| 417 | int noffset; |
Alexandru Gagniuc | 76c78a5 | 2021-01-11 08:46:58 -0600 | [diff] [blame] | 418 | char *err_msg = "No 'signature' subnode found"; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 419 | int verified = 0; |
| 420 | int ret; |
| 421 | |
| 422 | /* Process all hash subnodes of the component conf node */ |
| 423 | fdt_for_each_subnode(noffset, fit, conf_noffset) { |
| 424 | const char *name = fit_get_name(fit, noffset, NULL); |
| 425 | |
| 426 | if (!strncmp(name, FIT_SIG_NODENAME, |
| 427 | strlen(FIT_SIG_NODENAME))) { |
Simon Glass | 2ad90b3 | 2021-11-12 12:28:09 -0700 | [diff] [blame] | 428 | ret = fit_config_check_sig(fit, noffset, conf_noffset, |
Simon Glass | 99f844b | 2021-11-12 12:28:10 -0700 | [diff] [blame] | 429 | key_blob, key_offset, |
| 430 | &err_msg); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 431 | if (ret) { |
| 432 | puts("- "); |
| 433 | } else { |
| 434 | puts("+ "); |
| 435 | verified = 1; |
| 436 | break; |
| 437 | } |
| 438 | } |
| 439 | } |
| 440 | |
| 441 | if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) { |
| 442 | err_msg = "Corrupted or truncated tree"; |
| 443 | goto error; |
| 444 | } |
| 445 | |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 446 | if (verified) |
| 447 | return 0; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 448 | |
| 449 | error: |
| 450 | printf(" error!\n%s for '%s' hash node in '%s' config node\n", |
| 451 | err_msg, fit_get_name(fit, noffset, NULL), |
| 452 | fit_get_name(fit, conf_noffset, NULL)); |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 453 | return -EPERM; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 454 | } |
| 455 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 456 | /** |
| 457 | * fit_config_verify_required_keys() - verify any required signatures for config |
| 458 | * |
| 459 | * This looks through all the signatures we expect and verifies that at least |
| 460 | * all the required ones are valid signatures for the configuration |
| 461 | * |
| 462 | * @fit: FIT to check |
| 463 | * @conf_noffset: Offset of the configuration node to check (e.g. |
| 464 | * /configurations/conf-1) |
| 465 | * @key_blob: Blob containing the keys to check against |
| 466 | * @return 0 if OK, -EPERM if any signatures did not verify, or the |
| 467 | * configuration node has an invalid name |
| 468 | */ |
| 469 | static int fit_config_verify_required_keys(const void *fit, int conf_noffset, |
| 470 | const void *key_blob) |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 471 | { |
Simon Glass | 79af75f | 2021-02-15 17:08:06 -0700 | [diff] [blame] | 472 | const char *name = fit_get_name(fit, conf_noffset, NULL); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 473 | int noffset; |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 474 | int key_node; |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 475 | int verified = 0; |
| 476 | int reqd_sigs = 0; |
| 477 | bool reqd_policy_all = true; |
| 478 | const char *reqd_mode; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 479 | |
Simon Glass | 79af75f | 2021-02-15 17:08:06 -0700 | [diff] [blame] | 480 | /* |
| 481 | * We don't support this since libfdt considers names with the |
| 482 | * name root but different @ suffix to be equal |
| 483 | */ |
| 484 | if (strchr(name, '@')) { |
| 485 | printf("Configuration node '%s' contains '@'\n", name); |
| 486 | return -EPERM; |
| 487 | } |
| 488 | |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 489 | /* Work out what we need to verify */ |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 490 | key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME); |
| 491 | if (key_node < 0) { |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 492 | debug("%s: No signature node found: %s\n", __func__, |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 493 | fdt_strerror(key_node)); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 494 | return 0; |
| 495 | } |
| 496 | |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 497 | /* Get required-mode policy property from DTB */ |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 498 | reqd_mode = fdt_getprop(key_blob, key_node, "required-mode", NULL); |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 499 | if (reqd_mode && !strcmp(reqd_mode, "any")) |
| 500 | reqd_policy_all = false; |
| 501 | |
| 502 | debug("%s: required-mode policy set to '%s'\n", __func__, |
| 503 | reqd_policy_all ? "all" : "any"); |
| 504 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 505 | /* |
| 506 | * The algorithm here is a little convoluted due to how we want it to |
| 507 | * work. Here we work through each of the signature nodes in the |
| 508 | * public-key area. These are in the U-Boot control devicetree. Each |
| 509 | * node was created by signing a configuration, so we check if it is |
| 510 | * 'required' and if so, request that it be verified. |
| 511 | */ |
| 512 | fdt_for_each_subnode(noffset, key_blob, key_node) { |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 513 | const char *required; |
| 514 | int ret; |
| 515 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 516 | required = fdt_getprop(key_blob, noffset, FIT_KEY_REQUIRED, |
Tom Rini | 1f47e2a | 2020-04-07 11:58:44 -0400 | [diff] [blame] | 517 | NULL); |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 518 | if (!required || strcmp(required, "conf")) |
| 519 | continue; |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 520 | |
| 521 | reqd_sigs++; |
| 522 | |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 523 | ret = fit_config_verify_key(fit, conf_noffset, key_blob, |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 524 | noffset); |
| 525 | if (ret) { |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 526 | if (reqd_policy_all) { |
| 527 | printf("Failed to verify required signature '%s'\n", |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 528 | fit_get_name(key_blob, noffset, NULL)); |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 529 | return ret; |
| 530 | } |
| 531 | } else { |
| 532 | verified++; |
| 533 | if (!reqd_policy_all) |
| 534 | break; |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 535 | } |
| 536 | } |
| 537 | |
Thirupathaiah Annapureddy | 182eeef | 2020-08-16 23:01:09 -0700 | [diff] [blame] | 538 | if (reqd_sigs && !verified) { |
| 539 | printf("Failed to verify 'any' of the required signature(s)\n"); |
| 540 | return -EPERM; |
| 541 | } |
| 542 | |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 543 | return 0; |
| 544 | } |
| 545 | |
| 546 | int fit_config_verify(const void *fit, int conf_noffset) |
| 547 | { |
Simon Glass | e8aa558 | 2021-11-12 12:28:08 -0700 | [diff] [blame] | 548 | return fit_config_verify_required_keys(fit, conf_noffset, |
AKASHI Takahiro | b983cc2 | 2020-02-21 15:12:55 +0900 | [diff] [blame] | 549 | gd_fdt_blob()); |
| 550 | } |