[PATCH RFC u-boot-mvebu 43/59] tools: kwbimage: Fix generating secure boot data image signature

Pali Rohár pali at kernel.org
Tue Feb 21 21:19:09 CET 2023

Secure boot data image signature is calculated from the data image without
trailing 4-bit checksum. Commit 37cb9c15d70d ("tools: kwbimage: Simplify
aligning and calculating checksum") unintentionally broke this calculation
when it increased payloadsz variable by 4 bytes which was propagated also
into the add_secure_header_v1() function. Fix this issue by decreasing size
of buffer by 4 bytes from which is calculated secure boot data image

Fixes: 37cb9c15d70d ("tools: kwbimage: Simplify aligning and calculating checksum")
Signed-off-by: Pali Rohár <pali at kernel.org>
 tools/kwbimage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/kwbimage.c b/tools/kwbimage.c
index b32f845b7e2d..a8a59c154b9c 100644
--- a/tools/kwbimage.c
+++ b/tools/kwbimage.c
@@ -1355,7 +1355,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *image
 	if (kwb_sign_csk_with_kak(params, secure_hdr, csk))
 		return 1;
-	if (kwb_sign_and_verify(csk, image_ptr, image_size,
+	if (kwb_sign_and_verify(csk, image_ptr, image_size - 4,
 				&secure_hdr->imgsig, "image") < 0)
 		return 1;

More information about the U-Boot mailing list