[PATCH v3] spl: allow board_spl_fit_post_load() to fail
Peng Fan
peng.fan at nxp.com
Mon Jun 1 04:30:18 CEST 2020
> Subject: [PATCH v3] spl: allow board_spl_fit_post_load() to fail
>
> On i.MX platforms board_spl_fit_post_load() can check the loaded SPL image
> for authenticity using its HAB engine. U-Boot's SPL mechanism allows
> booting images from other sources as well, but in the current setup the SPL
> would just hang if it encounters an image that does not pass scrutiny.
security.
> Allowing the function to return an error, allows the SPL to try booting from
> another source as a fallback instead of ending up as a brick.
This will break the secure boot chain.
Regards,
Peng.
>
> Signed-off-by: Patrick Wildt <patrick at blueri.se>
> ---
> Changes in v3:
> - use EINVAL as return value to have a proper errno
>
> Changes in v2:
> - set SPL_FIT_FOUND only after successful post load
>
> arch/arm/mach-imx/spl.c | 6 ++++--
> common/spl/spl_fit.c | 10 ++++++----
> include/spl.h | 2 +-
> 3 files changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c index
> 1a231c67f5a..1a0d979e2d0 100644
> --- a/arch/arm/mach-imx/spl.c
> +++ b/arch/arm/mach-imx/spl.c
> @@ -313,7 +313,7 @@ ulong board_spl_fit_size_align(ulong size)
> return size;
> }
>
> -void board_spl_fit_post_load(ulong load_addr, size_t length)
> +int board_spl_fit_post_load(ulong load_addr, size_t length)
> {
> u32 offset = length - CONFIG_CSF_SIZE;
>
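Review bot: In board_spl_fit_post_load(), `u32 offset = length - CONFIG_CSF_SIZE;` is still computed without checking that length is at least CONFIG_CSF_SIZE, so a short image makes the unsigned subtraction wrap before offset is used in the authentication check in the next hunk. Now that the function returns int, a length check that returns -EINVAL ahead of this line would reject such an image cleanly.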
> @@ -321,8 +321,10 @@ void board_spl_fit_post_load(ulong load_addr,
> size_t length)
> offset + IVT_SIZE + CSF_PAD_SIZE,
> offset)) {
> puts("spl: ERROR: image authentication unsuccessful\n");
> - hang();
> + return -EINVAL;
> }
> +
> + return 0;
> }
> #endif
>
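Review bot: Replacing hang() with `return -EINVAL;` on the authentication failure path turns a failed check into a retry on another boot source, and nothing in this hunk limits that retry to sources that go through the same check. Consider keeping hang() as the default and making the fallback an explicit opt-in (for example a Kconfig option), or state in the commit message which loaders are guaranteed to call board_spl_fit_post_load() before booting.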
> diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index
> f581a224213..ead4c6713af 100644
> --- a/common/spl/spl_fit.c
> +++ b/common/spl/spl_fit.c
> @@ -26,8 +26,9 @@ DECLARE_GLOBAL_DATA_PTR;
> #define CONFIG_SYS_BOOTM_LEN (64 << 20)
> #endif
>
> -__weak void board_spl_fit_post_load(ulong load_addr, size_t length)
> +__weak int board_spl_fit_post_load(ulong load_addr, size_t length)
> {
> + return 0;
> }
>
> __weak ulong board_spl_fit_size_align(ulong size) @@ -677,11 +678,12 @@
> int spl_load_simple_fit(struct spl_image_info *spl_image,
> if (spl_image->entry_point == FDT_ERROR || spl_image->entry_point ==
> 0)
> spl_image->entry_point = spl_image->load_addr;
>
> - spl_image->flags |= SPL_FIT_FOUND;
> -
> #ifdef CONFIG_IMX_HAB
> - board_spl_fit_post_load((ulong)fit, size);
> + ret = board_spl_fit_post_load((ulong)fit, size);
> + if (ret)
> + return ret;
> #endif
>
> + spl_image->flags |= SPL_FIT_FOUND;
> return 0;
> }
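Review bot: In spl_load_simple_fit() the error return comes after `spl_image->entry_point = spl_image->load_addr;`, so when board_spl_fit_post_load() fails the caller gets back a spl_image whose load address and entry point still describe the rejected image; only SPL_FIT_FOUND is held back. If the caller is going to try another source, reset those fields on the error path or confirm that the next loader overwrites them. The call also stays inside `#ifdef CONFIG_IMX_HAB`, so the hook's return value is only consulted on HAB builds; say so in the commit message if that is intended.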
> diff --git a/include/spl.h b/include/spl.h index b31c9bb4ab2..2607767d940
> 100644
> --- a/include/spl.h
> +++ b/include/spl.h
> @@ -564,7 +564,7 @@ int board_return_to_bootrom(struct spl_image_info
> *spl_image,
> * board_spl_fit_post_load - allow process images after loading finished
> *
> */
> -void board_spl_fit_post_load(ulong load_addr, size_t length);
> +int board_spl_fit_post_load(ulong load_addr, size_t length);
>
> /**
> * board_spl_fit_size_align - specific size align before processing payload
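Review bot: The kernel-doc comment above board_spl_fit_post_load() in this hunk still only says "allow process images after loading finished" and does not mention the new return value. Add the parameters and a Return: line (0 on success, negative errno when the image is rejected) so board implementations know that a non-zero return makes spl_load_simple_fit() fail.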
> --
> 2.26.2