[PATCH] spl: fit: enable hash control even without signature
Tom Rini
trini at konsulko.com
Wed Jan 8 00:40:09 CET 2020
On Tue, Dec 03, 2019 at 10:06:18PM +0100, Dario Binacchi wrote:
> The function "fit_image_verify_with_data" that performs the integrity
> protection of FIT images is already able to correctly manage the device
> tree nodes that require signature and/or hash control.
> Tests with device tree with or without hash nodes but certainly not
> signed have given positive results. Furthermore, the hash calculation
> is performed only if the hash property has been detected, without
> adding unnecessary calculations.
> It is therefore useless and limiting to enable hash control only in
> the case of a signed image.
>
> Signed-off-by: Dario Binacchi <dariobin at libero.it>
> ---
>
> common/spl/spl_fit.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
> index cbc00a4e7c..58ba40cb2f 100644
> --- a/common/spl/spl_fit.c
> +++ b/common/spl/spl_fit.c
> @@ -242,14 +242,12 @@ static int spl_load_fit_image(struct spl_load_info *info, ulong sector,
> src = (void *)data;
> }
>
> -#ifdef CONFIG_SPL_FIT_SIGNATURE
> printf("## Checking hash(es) for Image %s ... ",
> fit_get_name(fit, node, NULL));
> if (!fit_image_verify_with_data(fit, node,
> src, length))
> return -EPERM;
> puts("OK\n");
> -#endif
>
> #ifdef CONFIG_SPL_FIT_IMAGE_POST_PROCESS
> board_fit_image_post_process(&src, &length);
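Review bot: With both the "#ifdef CONFIG_SPL_FIT_SIGNATURE" and "#endif" lines dropped, the printf() and the fit_image_verify_with_data() call are compiled into every SPL that builds spl_load_fit_image(), with no build-time way to leave them out. Consider keeping the block behind a condition that is separate from the signature option, so hash-only checking can be enabled without signatures while size-constrained boards can still opt out. The commit message says the hash is calculated only when a hash property is detected, so an image without hash nodes would still print "## Checking hash(es) for Image ... OK"; a comment above the block should state that this path is an integrity check only and, per that description, passes images that carry no hash.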
This makes a massive number (of mainly sunxi boards in SPL) fail to link
due to size overflows as we're no longer discarding a lot of code I
believe.
--
Tom