[PATCH 2/4] arm: mach-k3: security: Allow signing bypass if type is HS-FS

Andrew Davis afd at ti.com
Fri Jul 15 18:34:33 CEST 2022


On HS-FS devices, signing boot images is optional. To ease use,
we check whether we are HS-FS and, if no certificate is attached
to the image, we skip the authentication step with a warning
that this will fail when the device is set to security enforcing.

Signed-off-by: Andrew Davis <afd at ti.com>
---
 arch/arm/mach-k3/security.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c
index 8de9739a40..5bfcecd44d 100644
--- a/arch/arm/mach-k3/security.c
+++ b/arch/arm/mach-k3/security.c
@@ -2,10 +2,11 @@
 /*
  * K3: Security functions
  *
- * Copyright (C) 2018 Texas Instruments Incorporated - http://www.ti.com/
+ * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/
  *	Andrew F. Davis <afd at ti.com>
  */
 
+#include <asm/io.h>
 #include <common.h>
 #include <cpu_func.h>
 #include <dm.h>
@@ -18,6 +19,17 @@
 #include <spl.h>
 #include <asm/arch/sys_proto.h>
 
+#include "common.h"
+
+static bool ti_secure_cert_detected(void *p_image)
+{
+	/* Primitive certificate detection, check for DER starting with
+	 * two 4-Octet SEQUENCE tags
+	 */
+	return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 &&
+		((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
+}
+
 void ti_secure_image_post_process(void **p_image, size_t *p_size)
 {
 	struct ti_sci_handle *ti_sci = get_ti_sci_handle();
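Review bot: ti_secure_cert_detected() reads bytes 0, 1, 4 and 5 of the image without knowing its length, so an image shorter than six bytes is read past its end before anything has been validated. The caller already holds `*p_size`; pass it in and reject short inputs first, e.g. `static bool ti_secure_cert_detected(const void *p_image, size_t size)` with `if (size < 6) return false;`. The comment should also state that this is a format heuristic and not a trust decision: it matches only an outer and inner SEQUENCE that both use the two-byte long-form length (`0x30 0x82`), so a certificate encoded with a different length form would presumably be treated as absent.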
@@ -29,6 +41,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size)
 	image_addr = (uintptr_t)*p_image;
 	image_size = *p_size;
 
+	if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
+	    !ti_secure_cert_detected(*p_image)) {
+		printf("Warning: Did not detect image signing certificate. "
+		       "Skipping authentication to prevent boot failure. "
+		       "This will fail on Security Enforcing(HS-SE) devices\n");
+		return;
+	}
+
 	debug("Authenticating image at address 0x%016llx\n", image_addr);
 	debug("Authenticating image of size %d bytes\n", image_size);
 
-- 
2.36.1


