[PATCH v2 1/8] fdt_add_pubkey: Add support for adding ESL public key under signature node

Sughosh Ganu sughosh.ganu at linaro.org
Sat Jun 24 15:41:11 CEST 2023


The fdt_add_pubkey tool is used for adding a public key to the
devicetree, which is then used for verifying the FIT signatures. Add a
function for embedding the public key in the form of an EFI Signature
List(ESL) file as a property under the signature node of the device
tree.

Unlike the public key added for FIT signature verification, the ESL
file contents are added as a whole, as a property under the signature
node in the DTB.

The public key in the ESL form is used by the capsule authentication
feature for authenticating the capsules, prior to update.

Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
---
Changes since V1:
* New patch
* Use fdt_add_pubkey tool for adding the ESL into the dtb instead of
  using the shell script used in the earlier version.

 tools/Makefile             |  2 +-
 tools/fdt_add_pubkey.c     | 16 +++++--
 tools/fdt_add_pubkey_esl.c | 98 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+), 4 deletions(-)
 create mode 100644 tools/fdt_add_pubkey_esl.c

diff --git a/tools/Makefile b/tools/Makefile
index d793cf3bec..a5558eeb4d 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -152,7 +152,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
 mkimage-objs   := $(dumpimage-mkimage-objs) mkimage.o
 fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
 fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
-fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
+fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o fdt_add_pubkey_esl.o
 file2include-objs := file2include.o
 
 ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
index 5582d7a8ef..f536ab543b 100644
--- a/tools/fdt_add_pubkey.c
+++ b/tools/fdt_add_pubkey.c
@@ -2,18 +2,21 @@
 #include <image.h>
 #include "fit_common.h"
 
+extern int fdt_embed_esl(const char *esl_file, void *keydest);
+
 static const char *cmdname;
 
 static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
 static const char *keydir = "."; /* -k <keydir> */
 static const char *keyname = "key"; /* -n <keyname> */
 static const char *require_keys; /* -r <conf|image> */
+static const char *esl_file; /* -e <esl file> */
 static const char *keydest; /* argv[n] */
 
 static void __attribute__((__noreturn__)) print_usage(const char *msg)
 {
 	fprintf(stderr, "Error: %s\n", msg);
-	fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>]"
+	fprintf(stderr, "Usage: %s [-a <algo>] [-e <esl file>] [-k <keydir>] [-n <keyname>] [-r <conf|image>]"
 			" <fdt blob>\n", cmdname);
 	fprintf(stderr, "Help information: %s [-h]\n", cmdname);
 	exit(EXIT_FAILURE);
@@ -23,6 +26,7 @@ static void __attribute__((__noreturn__)) print_help(void)
 {
 	fprintf(stderr, "Options:\n"
 		"\t-a <algo>       Cryptographic algorithm. Optional parameter, default value: sha1,rsa2048\n"
+		"\t-e <esl file>   EFI Signature List(ESL) file to embed into the FDT\n"
 		"\t-k <keydir>     Directory with public key. Optional parameter, default value: .\n"
 		"\t-n <keyname>    Public key name. Optional parameter, default value: key\n"
 		"\t-r <conf|image> Required: If present this indicates that the key must be verified for the image / configuration to be considered valid.\n"
@@ -34,7 +38,7 @@ static void process_args(int argc, char *argv[])
 {
 	int opt;
 
-	while ((opt = getopt(argc, argv, "a:k:n:r:h")) != -1) {
+	while ((opt = getopt(argc, argv, "a:e:k:n:r:h")) != -1) {
 		switch (opt) {
 		case 'k':
 			keydir = optarg;
@@ -48,6 +52,9 @@ static void process_args(int argc, char *argv[])
 		case 'r':
 			require_keys = optarg;
 			break;
+		case 'e':
+			esl_file = optarg;
+			break;
 		case 'h':
 			print_help();
 		default:
@@ -106,7 +113,10 @@ static int add_pubkey(struct image_sign_info *info)
 		if (destfd < 0)
 			exit(EXIT_FAILURE);
 
-		ret = info->crypto->add_verify_data(info, dest_blob);
+
+		ret = esl_file ? fdt_embed_esl(esl_file, dest_blob) :
+			info->crypto->add_verify_data(info, dest_blob);
+
 		if (ret == -ENOSPC)
 			continue;
 		else if (ret < 0)
diff --git a/tools/fdt_add_pubkey_esl.c b/tools/fdt_add_pubkey_esl.c
new file mode 100644
index 0000000000..de6ee41535
--- /dev/null
+++ b/tools/fdt_add_pubkey_esl.c
@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2023 Linaro Limited
+ *
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <linux/libfdt.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "mkimage.h"
+
+#define ESL_SIG_NODENAME	"signature"
+
+static int get_esl_pub_key(const char *esl_file, void **key_ptr, int *key_fd,
+			   off_t *key_size)
+{
+	int ret;
+	struct stat pub_key;
+
+	debug("%s: esl file => %s\n", __func__, esl_file);
+	*key_fd = open(esl_file, O_RDONLY);
+	if (*key_fd == -1) {
+		fprintf(stderr, "Unable to open %s: %s\n",
+			esl_file, strerror(errno));
+		return -EACCES;
+	}
+
+	ret = fstat(*key_fd, &pub_key);
+	if (ret == -1) {
+		fprintf(stderr, "Can't stat %s: %s\n",
+			esl_file, strerror(errno));
+		ret = errno;
+		goto err;
+	}
+	*key_size = pub_key.st_size;
+
+	/* mmap the public key esl file */
+	*key_ptr = mmap(0, *key_size, PROT_READ, MAP_SHARED, *key_fd, 0);
+	if ((*key_ptr == MAP_FAILED) || (errno != 0)) {
+		fprintf(stderr, "Failed to mmap %s:%s\n",
+			esl_file, strerror(errno));
+		ret = errno;
+		goto err;
+	}
+
+	return 0;
+err:
+	close(*key_fd);
+
+	return ret;
+}
+
+int fdt_embed_esl(const char *esl_file, void *keydest)
+{
+	int ret, key_fd;
+	off_t key_size = 0;
+	void *key_ptr = NULL;
+	int parent;
+
+	ret = get_esl_pub_key(esl_file, &key_ptr, &key_fd, &key_size);
+	if (ret) {
+		debug("Unable to open the public key esl file\n");
+		goto out;
+	}
+
+	parent = fdt_subnode_offset(keydest, 0, ESL_SIG_NODENAME);
+	if (parent == -FDT_ERR_NOTFOUND) {
+		parent = fdt_add_subnode(keydest, 0, ESL_SIG_NODENAME);
+		if (parent < 0) {
+			ret = parent;
+			if (ret != -FDT_ERR_NOSPACE) {
+				fprintf(stderr, "Couldn't create signature node: %s\n",
+					fdt_strerror(parent));
+			}
+		}
+	}
+
+	if (ret)
+		goto out;
+
+	ret = fdt_setprop(keydest, parent, "capsule-key",
+			  key_ptr, key_size);
+
+out:
+	close(key_fd);
+	munmap(key_ptr, key_size);
+
+	if (ret)
+		return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
+
+	return ret;
+}
-- 
2.34.1



More information about the U-Boot mailing list