[U-Boot] [PATCH 2/7] fdt: add "fdt sign" command

Sun Jan 26 22:04:42 CET 2014

Hi Heiko,

On 24 January 2014 23:44, Heiko Schocher <hs at denx.de> wrote:
> check if a fdt is correct signed
> pass an optional addr value. Contains the addr of the key blob
>
> Signed-off-by: Heiko Schocher <hs at denx.de>
> Cc: Simon Glass <sjg at chromium.org>
> ---
>  common/cmd_fdt.c | 38 +++++++++++++++++++++++++++++++++++++-
>  1 file changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/common/cmd_fdt.c b/common/cmd_fdt.c
> index 3a9edd6..b8468ea 100644
> --- a/common/cmd_fdt.c
> +++ b/common/cmd_fdt.c
> @@ -243,7 +243,7 @@ static int do_fdt(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
>         /*
>          * Set the value of a property in the working_fdt.
>          */
> -       } else if (argv[1][0] == 's') {
> +       } else if (strncmp(argv[1], "se", 2) == 0) {
>                 char *pathp;            /* path */
>                 char *prop;             /* property */
>                 int  nodeoffset;        /* node offset from libfdt */
> @@ -283,6 +283,37 @@ static int do_fdt(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
>                         return 1;
>                 }
>
> +#if defined(CONFIG_FIT_SIGNATURE)
> +       } else if (strncmp(argv[1], "si", 2) == 0) {
> +               int cfg_noffset;
> +               int ret;
> +               unsigned long addr;
> +               struct fdt_header *blob;
> +
> +               if (!working_fdt)
> +                       return CMD_RET_FAILURE;
> +
> +               if (argc > 2) {
> +                       addr = simple_strtoul(argv[2], NULL, 16);
> +                       blob = map_sysmem(addr, 0);
> +               } else {
> +                       blob = (struct fdt_header *)gd->fdt_blob;
> +               }
> +               if (!fdt_valid(&blob))
> +                       return 1;
> +
> +               gd->fdt_blob = blob;
> +               cfg_noffset = fit_conf_get_node(working_fdt, NULL);
> +               if (!cfg_noffset)
> +                       return CMD_RET_FAILURE;

May need to print an error here, since otherwise it won't be clear
what went wrong.

> +
> +               ret = fit_config_verify(working_fdt, cfg_noffset);
> +               if (ret == 1)
> +                       return CMD_RET_SUCCESS;
> +               else
> +                       return CMD_RET_FAILURE;
> +#endif
> +
>         /********************************************************************
>          * Get the value of a property in the working_fdt.
>          ********************************************************************/
> @@ -992,6 +1023,11 @@ static char fdt_help_text[] =
>         "fdt rsvmem delete <index>           - Delete a mem reserves\n"
>         "fdt chosen [<start> <end>]          - Add/update the /chosen branch in the tree\n"
>         "                                        <start>/<end> - initrd start/end addr\n"
> +#if defined(CONFIG_FIT_SIGNATURE)
> +       "fdt sign [<addr>]                   - check FIT signature\n"

How about checksig instead of sign? 'sign' sounds like you are going to sign it.

> +       "                                        <start> - addr of key blob\n"
> +       "                                                  default gd->fdt_blob\n"
> +#endif
>         "NOTE: Dereference aliases by omiting the leading '/', "
>                 "e.g. fdt print ethernet0.";
>  #endif
> --
> 1.8.3.1
>

Regards,
Simon