[PATCH] mkimage: fit: include image cipher in configuration signature
patrick.oppenlander at gmail.com
patrick.oppenlander at gmail.com
Thu Jul 30 06:30:47 CEST 2020
From: Patrick Oppenlander <patrick.oppenlander at gmail.com>
This patch addresses issue #2 for signed configurations.
-----8<-----
Including the image cipher properties in the configuration signature
prevents an attacker from modifying cipher, key or iv properties.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander at gmail.com>
---
tools/image-host.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/tools/image-host.c b/tools/image-host.c
index e5417beee5..3d52593e36 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -744,6 +744,23 @@ static int fit_config_get_hash_list(void *fit, int conf_noffset,
return -ENOMSG;
}
+ /* Add this image's cipher node if present */
+ noffset = fdt_subnode_offset(fit, image_noffset,
+ FIT_CIPHER_NODENAME);
+ if (noffset != -FDT_ERR_NOTFOUND) {
+ if (noffset < 0) {
+ printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n",
+ conf_name, sig_name, iname,
+ fdt_strerror(noffset));
+ return -EIO;
+ }
+ ret = fdt_get_path(fit, noffset, path, sizeof(path));
+ if (ret < 0)
+ goto err_path;
+ if (strlist_add(node_inc, path))
+ goto err_mem;
+ }
+
image_count++;
}
--
2.27.0
More information about the U-Boot
mailing list