[PATCH 1/3] mkimage: fit: only process one cipher node

Simon Glass sjg at chromium.org
Tue Jul 28 01:45:55 CEST 2020


Hi Patrick,

On Fri, 17 Jul 2020 at 05:30, <patrick.oppenlander at gmail.com> wrote:
>
> From: Patrick Oppenlander <patrick.oppenlander at gmail.com>
>
> Previously mkimage would process any node matching the regex cipher.*
> and apply the ciphers to the image data in the order they appeared in
> the FDT. This meant that data could be inadvertently ciphered multiple
> times.
>
> Switch to processing a single cipher node which exactly matches
> FIT_CIPHER_NODENAME.
>
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander at gmail.com>
> ---
>  tools/image-host.c | 56 +++++++++++++++++-----------------------------
>  1 file changed, 21 insertions(+), 35 deletions(-)

+Philippe Reynes for a review on these three patches too.

>
> diff --git a/tools/image-host.c b/tools/image-host.c
> index 9a83b7f675..8fa1b9aba7 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -323,15 +323,15 @@ err:
>  static int fit_image_setup_cipher(struct image_cipher_info *info,
>                                   const char *keydir, void *fit,
>                                   const char *image_name, int image_noffset,
> -                                 const char *node_name, int noffset)
> +                                 int noffset)
>  {
>         char *algo_name;
>         char filename[128];
>         int ret = -1;
>
>         if (fit_image_cipher_get_algo(fit, noffset, &algo_name)) {
> -               printf("Can't get algo name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get algo name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
> @@ -340,16 +340,16 @@ static int fit_image_setup_cipher(struct image_cipher_info *info,
>         /* Read the key name */
>         info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
>         if (!info->keyname) {
> -               printf("Can't get key name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get key name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
>         /* Read the IV name */
>         info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL);
>         if (!info->ivname) {
> -               printf("Can't get iv name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get iv name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
> @@ -428,8 +428,7 @@ int fit_image_write_cipher(void *fit, int image_noffset, int noffset,
>  static int
>  fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
>                          const char *image_name, int image_noffset,
> -                        const char *node_name, int node_noffset,
> -                        const void *data, size_t size,
> +                        int node_noffset, const void *data, size_t size,
>                          const char *cmdname)
>  {
>         struct image_cipher_info info;
> @@ -440,7 +439,7 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
>         memset(&info, 0, sizeof(info));
>
>         ret = fit_image_setup_cipher(&info, keydir, fit, image_name,
> -                                    image_noffset, node_name, node_noffset);
> +                                    image_noffset, node_noffset);
>         if (ret)
>                 goto out;
>
> @@ -482,7 +481,7 @@ int fit_image_cipher_data(const char *keydir, void *keydest,
>         const char *image_name;
>         const void *data;
>         size_t size;
> -       int node_noffset;
> +       int cipher_node_offset;
>
>         /* Get image name */
>         image_name = fit_get_name(fit, image_noffset, NULL);
> @@ -497,32 +496,19 @@ int fit_image_cipher_data(const char *keydir, void *keydest,
>                 return -1;
>         }
>
> -       /* Process all hash subnodes of the component image node */
> -       for (node_noffset = fdt_first_subnode(fit, image_noffset);
> -            node_noffset >= 0;
> -            node_noffset = fdt_next_subnode(fit, node_noffset)) {
> -               const char *node_name;
> -               int ret = 0;
> -
> -               node_name = fit_get_name(fit, node_noffset, NULL);
> -               if (!node_name) {
> -                       printf("Can't get node name\n");
> -                       return -1;
> -               }
>
> -               if (IMAGE_ENABLE_ENCRYPT && keydir &&
> -                   !strncmp(node_name, FIT_CIPHER_NODENAME,
> -                            strlen(FIT_CIPHER_NODENAME)))
> -                       ret = fit_image_process_cipher(keydir, keydest,
> -                                                      fit, image_name,
> -                                                      image_noffset,
> -                                                      node_name, node_noffset,
> -                                                      data, size, cmdname);
> -               if (ret)
> -                       return ret;
> +       /* Process cipher node if present */
> +       cipher_node_offset = fdt_subnode_offset(fit, image_noffset, "cipher");
> +       if (cipher_node_offset == -FDT_ERR_NOTFOUND)
> +               return 0;
> +       if (cipher_node_offset < 0) {
> +               printf("Failure getting cipher node\n");
> +               return -1;
>         }
> -
> -       return 0;
> +       if (!IMAGE_ENABLE_ENCRYPT || !keydir)
> +               return 0;
> +       return fit_image_process_cipher(keydir, keydest, fit, image_name,
> +               image_noffset, cipher_node_offset, data, size, cmdname);
>  }
>
>  /**
> --
> 2.27.0
>


More information about the U-Boot mailing list