[PATCH] mkimage: fit: include image cipher in configuration signature

Philippe REYNES philippe.reynes at softathome.com
Thu Jul 30 16:59:40 CEST 2020


Hi Patrick,


> From: Patrick Oppenlander <patrick.oppenlander at gmail.com>
> 
> This patch addresses issue #2 for signed configurations.
> 
> -----8<-----

This "line" will be included in the commit message ;)

> Including the image cipher properties in the configuration signature
> prevents an attacker from modifying cipher, key or iv properties.
> 
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander at gmail.com>


Reviewed-by: Philippe Reynes <philippe.reynes at softathome.com>


Regards,
Philippe

> ---
> tools/image-host.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
> 
> diff --git a/tools/image-host.c b/tools/image-host.c
> index e5417beee5..3d52593e36 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -744,6 +744,23 @@ static int fit_config_get_hash_list(void *fit, int
> conf_noffset,
> return -ENOMSG;
> }
> 
> + /* Add this image's cipher node if present */
> + noffset = fdt_subnode_offset(fit, image_noffset,
> + FIT_CIPHER_NODENAME);
> + if (noffset != -FDT_ERR_NOTFOUND) {
> + if (noffset < 0) {
> + printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n",
> + conf_name, sig_name, iname,
> + fdt_strerror(noffset));
> + return -EIO;
> + }
> + ret = fdt_get_path(fit, noffset, path, sizeof(path));
> + if (ret < 0)
> + goto err_path;
> + if (strlist_add(node_inc, path))
> + goto err_mem;
> + }
> +
> image_count++;
> }
> 
> --
> 2.27.0


More information about the U-Boot mailing list