Message ID | 20221011215231.4133441-1-sean.anderson@seco.com |
---|---|
State | Superseded |
Delegated to: | Tom Rini |
Series | mkimage: fit: Fix signing of configs with external data |
Hi Sean, On Tue, 11 Oct 2022 at 15:52, Sean Anderson <sean.anderson@seco.com> wrote: > > Just like we exclude data-size, data-position, and data-offset from > fit_config_check_sig, we must exclude them while signing as well. > > Fixes: 8edecd3110e ("fit: Fix verification of images with external data") > Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") > Signed-off-by: Sean Anderson <sean.anderson@seco.com> > --- > > tools/image-host.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/tools/image-host.c b/tools/image-host.c > index 698adfb3e1d..5ba6e3bbce0 100644 > --- a/tools/image-host.c > +++ b/tools/image-host.c > @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, > int *region_countp, char **region_propp, > int *region_proplen) > { > - char * const exc_prop[] = {"data"}; > + char * const exc_prop[] = { > + "data", > + "data-size", > + "data-position", > + "data-offset" > + }; > struct strlist node_inc; > struct image_region *region; > struct fdt_region fdt_regions[100]; > -- > 2.35.1.1320.gc452695387.dirty > It looks like we should be able to use FIT_DATA_POSITION_PROP (etc.) here? Regards, Simon
On 10/12/22 08:59, Simon Glass wrote: > Hi Sean, > > On Tue, 11 Oct 2022 at 15:52, Sean Anderson <sean.anderson@seco.com> wrote: >> >> Just like we exclude data-size, data-position, and data-offset from >> fit_config_check_sig, we must exclude them while signing as well. >> >> Fixes: 8edecd3110e ("fit: Fix verification of images with external data") >> Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") >> Signed-off-by: Sean Anderson <sean.anderson@seco.com> >> --- >> >> tools/image-host.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/tools/image-host.c b/tools/image-host.c >> index 698adfb3e1d..5ba6e3bbce0 100644 >> --- a/tools/image-host.c >> +++ b/tools/image-host.c >> @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, >> int *region_countp, char **region_propp, >> int *region_proplen) >> { >> - char * const exc_prop[] = {"data"}; >> + char * const exc_prop[] = { >> + "data", >> + "data-size", >> + "data-position", >> + "data-offset" >> + }; >> struct strlist node_inc; >> struct image_region *region; >> struct fdt_region fdt_regions[100]; >> -- >> 2.35.1.1320.gc452695387.dirty >> > > It looks like we should be able to use FIT_DATA_POSITION_PROP (etc.) here? Probably. fit_config_check_sig would also need to be updated. --Sean
diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..5ba6e3bbce0 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) { - char * const exc_prop[] = {"data"}; + char * const exc_prop[] = { + "data", + "data-size", + "data-position", + "data-offset" + }; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];
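Review bot: The exc_prop array in fit_config_get_regions is now a second hand-written copy of the exclusion list that, per the commit message, fit_config_check_sig already uses, and signing and verification only hash the same regions while the two copies stay identical. Define the list once, or at least build both from shared names such as the FIT_DATA_POSITION_PROP constant raised in the thread, so a property added later for external data cannot end up excluded on one side only. The diffstat touches only tools/image-host.c, so a test that signs a config with external data and then verifies it would be worth adding alongside this fix.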
Just like we exclude data-size, data-position, and data-offset from
fit_config_check_sig, we must exclude them while signing as well.

Fixes: 8edecd3110e ("fit: Fix verification of images with external data")
Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding")
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---
 tools/image-host.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)