[PATCH v1 1/2] tools: kwbimage: disable secure boot build without LIBCRYPTO support

Paul-Erwan RIO paulerwan.rio at gmail.com
Sat Jan 21 17:40:04 CET 2023


Le sam. 21 janv. 2023 à 17:35, Pali Rohar <pali at kernel.org> a écrit :
>
> On Saturday 21 January 2023 17:31:15 Paul-Erwan RIO wrote:
> > Le sam. 21 janv. 2023 à 17:21, Pali Rohar <pali at kernel.org> a écrit :
> > >
> > > On Saturday 21 January 2023 17:08:42 Paul-Erwan RIO wrote:
> > > > Le sam. 21 janv. 2023 à 16:56, Pali Rohar <pali at kernel.org> a écrit :
> > > > >
> > > > > On Saturday 21 January 2023 16:47:41 Paul-Erwan Rio wrote:
> > > > > > The secure boot features cannot be built without 'LIBCRYPTO' enabled.
> > > > > > This kind of reverts some of <b4f3cc2c42d97967a3a3c8796c340f6b07ecccac>
> > > > > > changes.
> > > > > >
> > > > > > Signed-off-by: Paul-Erwan Rio <paulerwan.rio at gmail.com>
> > > > > > ---
> > > > > >
> > > > > >  tools/kwbimage.c | 18 ++++++++++++++++++
> > > > > >  1 file changed, 18 insertions(+)
> > > > > >
> > > > > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c
> > > > > > index 6abb9f2d5c..0db99dbb02 100644
> > > > > > --- a/tools/kwbimage.c
> > > > > > +++ b/tools/kwbimage.c
> > > > > > @@ -19,6 +19,7 @@
> > > > > >  #include <stdint.h>
> > > > > >  #include "kwbimage.h"
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  #include <openssl/bn.h>
> > > > > >  #include <openssl/rsa.h>
> > > > > >  #include <openssl/pem.h>
> > > > > > @@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
> > > > > >       EVP_MD_CTX_reset(ctx);
> > > > > >  }
> > > > > >  #endif
> > > > > > +#endif
> > > > > >
> > > > > >  /* fls - find last (most-significant) bit set in 4-bit integer */
> > > > > >  static inline int fls4(int num)
> > > > > > @@ -62,7 +64,9 @@ static inline int fls4(int num)
> > > > > >
> > > > > >  static struct image_cfg_element *image_cfg;
> > > > > >  static int cfgn;
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int verbose_mode;
> > > > > > +#endif
> > > > > >
> > > > > >  struct boot_mode {
> > > > > >       unsigned int id;
> > > > > > @@ -278,6 +282,7 @@ image_count_options(unsigned int optiontype)
> > > > > >       return count;
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int image_get_csk_index(void)
> > > > > >  {
> > > > > >       struct image_cfg_element *e;
> > > > > > @@ -299,6 +304,7 @@ static bool image_get_spezialized_img(void)
> > > > > >
> > > > > >       return e->sec_specialized_img;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static int image_get_bootfrom(void)
> > > > > >  {
> > > > > > @@ -432,6 +438,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
> > > > > >       }
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static void kwb_msg(const char *fmt, ...)
> > > > > >  {
> > > > > >       if (verbose_mode) {
> > > > > > @@ -926,6 +933,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
> > > > > >  done:
> > > > > >       return ret;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static size_t image_headersz_align(size_t headersz, uint8_t blockid)
> > > > > >  {
> > > > > > @@ -1079,11 +1087,13 @@ static size_t image_headersz_v1(int *hasext)
> > > > > >        */
> > > > > >       headersz = sizeof(struct main_hdr_v1);
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (image_get_csk_index() >= 0) {
> > > > > >               headersz += sizeof(struct secure_hdr_v1);
> > > > > >               if (hasext)
> > > > > >                       *hasext = 1;
> > > > > >       }
> > > > > > +#endif
> > > > > >
> > > > > >       cpu_sheeva = image_is_cpu_sheeva();
> > > > > >
> > > > > > @@ -1270,6 +1280,7 @@ err_close:
> > > > > >       return -1;
> > > > > >  }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >  static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
> > > > > >  {
> > > > > >       FILE *hashf;
> > > > > > @@ -1382,6 +1393,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
> > > > > >
> > > > > >       return 0;
> > > > > >  }
> > > > > > +#endif
> > > > > >
> > > > > >  static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
> > > > > >                                         struct register_set_hdr_v1 *register_set_hdr,
> > > > > > @@ -1406,7 +1418,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >       struct main_hdr_v1 *main_hdr;
> > > > > >       struct opt_hdr_v1 *ohdr;
> > > > > >       struct register_set_hdr_v1 *register_set_hdr;
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       struct secure_hdr_v1 *secure_hdr = NULL;
> > > > > > +#endif
> > > > > >       size_t headersz;
> > > > > >       uint8_t *image, *cur;
> > > > > >       int hasext = 0;
> > > > > > @@ -1491,6 +1505,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >       if (main_hdr->blockid == IBR_HDR_PEX_ID)
> > > > > >               main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (image_get_csk_index() >= 0) {
> > > > > >               /*
> > > > > >                * only reserve the space here; we fill the header later since
> > > > > > @@ -1501,6 +1516,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >               *next_ext = 1;
> > > > > >               next_ext = &secure_hdr->next;
> > > > > >       }
> > > > > > +#endif
> > > > > >
> > > > > >       datai = 0;
> > > > > >       for (cfgi = 0; cfgi < cfgn; cfgi++) {
> > > > > > @@ -1552,9 +1568,11 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
> > > > > >                                             &datai, delay);
> > > > > >       }
> > > > > >
> > > > > > +#if CONFIG_IS_ENABLED(LIBCRYPTO)
> > > > > >       if (secure_hdr && add_secure_header_v1(params, ptr, payloadsz + headersz,
> > > > > >                                              headersz, image, secure_hdr))
> > > > > >               return NULL;
> > > > > > +#endif
> > > > > >
> > > > > >       *imagesz = headersz;
> > > > > >
> > > > > > --
> > > > > > 2.39.0
> > > > > >
> > > > >
> > > > > This is entirely wrong change as it completely skips processing of some
> > > > > command lone or config file options. It can lead to generating of broken
> > > > > images by mkimage without any notice by user or any automated CI
> > > > > testing. You really cannot randomly disable or comment some of functions
> > > > > which are currently called.
> > > >
> > > > Hello,
> > > > That is true, especially since I do not know how to test my changes
> > > > regarding kwbimage. But I do not really randomly disable some
> > > > functions.
> > > > I looked at the commit that introduced the issue:
> > > >
> > > > Date: Fri Jul 23 11:14:13 2021 +0200
> > > > tools: kwbimage: Do not hide usage of secure header under CONFIG_ARMADA_38X
> > > > commit b4f3cc2c42d97967a3a3c8796c340f6b07eccca upstream
> > > >
> > > > And reverted its change. But instead of hiding the secure header usage
> > > > under the previous CONFIG_ARMADA_38X config, I used the the config
> > > > that really shows the issue: CONFIG_TOOLS_LIBCRYPTO.
> > > >
> > > > Regards,
> > >
> > > And that is wrong. You cannot disable calling of some functions which
> > > has to be called based on some settings (e.g. cmdline or config file).
> > >
> > > mkimage parses command line options from argv[] and from config file and
> > > based on these options it generates output file.
> > >
> > > Look at the proposed change. What you have done is that you have
> > > randomly disabled calling of some functions which was previously called
> > > based on the options specified in mkimage argv[].
> > >
> > > mkimage works like any other tool, based on the cmdline supplied in the
> > > argv[] it calls specific functions which affects generated output file.
> > >
> > > And not calling of some functions which were previously called cause
> > > generating of different - broken output file (because it would not match
> > > supplied command line options).
> >
> > So, if I understand you correctly, the right way to do it would be to
> > prevent the user to call the very functions that need OpenSSL crypto
> > features (and output some kind of warning/error) when LIBCRYPTO
> > support is disabled ? So that the user could not even attempt to
> > create kwbimage v1 with secure header (in this particular case),
> > instead of having a broken output file like you said.
>
> Of course, u-boot (and also any other) tools must not generate broken
> output files. I thought that this is pretty obvious.

Understood. Then I will need to rework this a lot, and I will
re-submit it again when it is ready.

Thanks for your time.


More information about the U-Boot mailing list