[PATCH] mkimage: ecdsa: add signature/key nodes to dtb if missing

Peter Robinson pbrobinson at gmail.com
Tue Aug 27 20:40:59 CEST 2024


On Tue, 27 Aug 2024 at 18:52, Matthias Pritschet <matthias at pritschet.eu> wrote:
>
> From: Matthias Pritschet <matthias.pritschet at itk-engineering.de>
>
> If the signature/key node(s) are not yet present in the U-Boot device
> tree, ecdsa_add_verify_data simply fails if it can't find the nodes.
> This behaviour differs from rsa_add_verify_data, which does add the missing
> nodes and proceeds in that case.
>
> This change is mainly copy&paste from rsa_add_verify_data to add the
> same behaviour to ecdsa_add_verify_data.

Could the duplicated code be moved out into a function shared between
the two *_add_verify_data bits of code?

> Signed-off-by: Matthias Pritschet <matthias.pritschet at itk-engineering.de>
> ---
>  lib/ecdsa/ecdsa-libcrypto.c | 36 +++++++++++++++++++++++++++++-------
>  1 file changed, 29 insertions(+), 7 deletions(-)
>
> diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c
> index 5fa9be10b4..db0a828a29 100644
> --- a/lib/ecdsa/ecdsa-libcrypto.c
> +++ b/lib/ecdsa/ecdsa-libcrypto.c
> @@ -281,16 +281,35 @@ static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
>         BIGNUM *x, *y;
>
>         signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME);
> -       if (signature_node < 0) {
> -               fprintf(stderr, "Could not find 'signature node: %s\n",
> +       if (signature_node == -FDT_ERR_NOTFOUND) {
> +               signature_node = fdt_add_subnode(fdt, 0, FIT_SIG_NODENAME);
> +               if (signature_node < 0) {
> +                       if (signature_node != -FDT_ERR_NOSPACE) {
> +                               fprintf(stderr, "Couldn't create signature node: %s\n",
> +                                       fdt_strerror(signature_node));
> +                       }
> +                       return signature_node;
> +               }
> +       } else if (signature_node < 0) {
> +               fprintf(stderr, "Cannot select keys signature_node: %s\n",
>                         fdt_strerror(signature_node));
>                 return signature_node;
>         }
>
> -       key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
> -       if (key_node < 0) {
> -               fprintf(stderr, "Could not create '%s' node: %s\n",
> -                       key_node_name, fdt_strerror(key_node));
> +       /* Either create or overwrite the named key node */
> +       key_node = fdt_subnode_offset(fdt, signature_node, key_node_name);
> +       if (key_node == -FDT_ERR_NOTFOUND) {
> +               key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
> +               if (key_node < 0) {
> +                       if (key_node != -FDT_ERR_NOSPACE) {
> +                               fprintf(stderr, "Could not create key subnode: %s\n",
> +                                       fdt_strerror(key_node));
> +                       }
> +                       return key_node;
> +               }
> +       } else if (key_node < 0) {
> +               fprintf(stderr, "Cannot select keys key_node: %s\n",
> +                       fdt_strerror(key_node));
>                 return key_node;
>         }
>
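Review bot: When `fdt_subnode_offset()` finds an existing `key_node_name` node, the new code reuses it silently, so whatever do_add writes after this hunk replaces the public key already stored in that node with no trace in the tool output. This node is the trust anchor the bootloader verifies signatures against, so I would print a notice on that path, e.g. a final `else fprintf(stderr, "Replacing existing key node '%s'\n", key_node_name);`, and confirm that properties left over from the previous key, which this function may not rewrite, cannot survive in the reused node. The new messages also drop the node name that the removed `"Could not create '%s' node: %s\n"` carried; keeping `key_node_name` in them makes a failed signing run easier to diagnose. The rest of do_add lies outside the hunk, so the property writes are inferred rather than visible.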
> @@ -326,8 +345,11 @@ int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt)
>
>         fdt_key_name = info->keyname ? info->keyname : "default-key";
>         ret = prepare_ctx(&ctx, info);
> -       if (ret >= 0)
> +       if (ret >= 0){
>                 ret = do_add(&ctx, fdt, fdt_key_name);
> +               if (ret < 0)
> +                       ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
> +       }
>
>         free_ctx(&ctx);
>         return ret;
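Review bot: The added mapping `ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;` deserves parentheses and a comment, because it is the only place that explains why do_add stays silent on -FDT_ERR_NOSPACE. Something like `/* -ENOSPC lets the caller retry with a larger blob; all other failures are fatal */` above it would do, assuming that is the caller's contract as in the RSA path the description refers to. A negative `ret` from `prepare_ctx()` bypasses the mapping and is returned as-is, so callers see two error conventions from this function; worth confirming that is intended. `if (ret >= 0){` also needs a space before the brace to match the surrounding style.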
> --
> 2.34.1
>

