[PATCH] image: Control FIT signature verification at runtime

Mon Jan 31 04:41:47 CET 2022

Some platform designs include support for disabling secure-boot via a
jumper on the board. Sometimes this control can be separate from the
mechanism enabling the root-of-trust for the platform. Add support for
this latter scenario by allowing boards to implement
board_fit_image_require_verfied(), which is then invoked in the usual
FIT verification paths.

Signed-off-by: Andrew Jeffery <andrew at aj.id.au>
---
Hi,

This patch is extracted from and motivated by a series adding run-time
control of FIT signature verification to u-boot in OpenBMC:

https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/

Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking
upstream and contains a bunch of out-of-tree work as well. As such I'm
looking to upstream the couple of changes that make sense against
master.

Please take a look!

Andrew

 boot/Kconfig     |  8 ++++++++
 boot/image-fit.c | 21 +++++++++++++++++----
 include/image.h  |  9 +++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index c8d5906cd304..ec413151fd5a 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -78,6 +78,14 @@ config FIT_SIGNATURE
 	  format support in this case, enable it using
 	  CONFIG_LEGACY_IMAGE_FORMAT.
 
+if FIT_SIGNATURE
+config FIT_RUNTIME_SIGNATURE
+	bool "Control verification of FIT uImages at runtime"
+	help
+	  This option allows board support to disable verification of
+	  signatures at runtime, for example through the state of a GPIO.
+endif # FIT_SIGNATURE
+
 config FIT_SIGNATURE_MAX_SIZE
 	hex "Max size of signed FIT structures"
 	depends on FIT_SIGNATURE
diff --git a/boot/image-fit.c b/boot/image-fit.c
index f01cafe4e277..919dbfa4ee1d 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1308,6 +1308,14 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
 	return 0;
 }
 
+#ifndef __weak
+#define __weak
+#endif
+__weak int board_fit_image_require_verified(void)
+{
+	return 1;
+}
+
 int fit_image_verify_with_data(const void *fit, int image_noffset,
 			       const void *key_blob, const void *data,
 			       size_t size)
@@ -1319,6 +1327,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 
 	/* Verify all required signatures */
 	if (FIT_IMAGE_ENABLE_VERIFY &&
+	    fit_image_require_verified() &&
 	    fit_image_verify_required_sigs(fit, image_noffset, data, size,
 					   key_blob, &verify_all)) {
 		err_msg = "Unable to verify required signature";
@@ -1340,9 +1349,11 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 						 &err_msg))
 				goto error;
 			puts("+ ");
-		} else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
-				!strncmp(name, FIT_SIG_NODENAME,
-					strlen(FIT_SIG_NODENAME))) {
+		} else if (FIT_IMAGE_ENABLE_VERIFY &&
+			   fit_image_require_verified() &&
+			   verify_all &&
+			   !strncmp(name, FIT_SIG_NODENAME,
+				    strlen(FIT_SIG_NODENAME))) {
 			ret = fit_image_check_sig(fit, noffset, data, size,
 						  gd_fdt_blob(), -1, &err_msg);
 
@@ -2061,7 +2072,9 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
 		if (image_type == IH_TYPE_KERNEL)
 			images->fit_uname_cfg = fit_base_uname_config;
 
-		if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
+		if (FIT_IMAGE_ENABLE_VERIFY &&
+		    fit_image_require_verified() &&
+		    images->verify) {
 			puts("   Verifying Hash Integrity ... ");
 			if (fit_config_verify(fit, cfg_noffset)) {
 				puts("Bad Data Hash\n");
diff --git a/include/image.h b/include/image.h
index 97e5f2eb24d6..98900c2e839b 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1173,6 +1173,15 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 # define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
 
+/*
+ * Further, allow run-time control of verification, e.g. via a jumper
+ */
+#if defined(CONFIG_FIT_RUNTIME_SIGNATURE)
+# define fit_image_require_verified()	board_fit_image_require_verified()
+#else
+# define fit_image_require_verified()	FIT_IMAGE_ENABLE_VERIFY
+#endif
+
 #ifdef USE_HOSTCC
 void *image_get_host_blob(void);
 void image_set_host_blob(void *host_blob);
-- 
2.32.0

