| Message ID | 20221020194110.2505089-1-sean.anderson@seco.com |
|---|---|
| State | Accepted |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | [v2] mkimage: fit: Fix signing of configs with external data | expand |
On Thu, 20 Oct 2022 at 13:41, Sean Anderson <sean.anderson@seco.com> wrote: > > Just like we exclude data-size, data-position, and data-offset from > fit_config_check_sig, we must exclude them while signing as well. > > While we're at it, use the FIT_DATA_* defines for fit_config_check_sig > as welll. > > Fixes: 8edecd3110e ("fit: Fix verification of images with external data") > Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") > Signed-off-by: Sean Anderson <sean.anderson@seco.com> > --- > > Changes in v2: > - Use FIT_DATA_* defines > > boot/image-fit-sig.c | 8 ++++---- > tools/image-host.c | 7 ++++++- > 2 files changed, 10 insertions(+), 5 deletions(-) Reviewed-by: Simon Glass <sjg@chromium.org>
On Thu, Oct 20, 2022 at 03:41:10PM -0400, Sean Anderson wrote: > Just like we exclude data-size, data-position, and data-offset from > fit_config_check_sig, we must exclude them while signing as well. > > While we're at it, use the FIT_DATA_* defines for fit_config_check_sig > as welll. > > Fixes: 8edecd3110e ("fit: Fix verification of images with external data") > Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") > Signed-off-by: Sean Anderson <sean.anderson@seco.com> > Reviewed-by: Simon Glass <sjg@chromium.org> Applied to u-boot/master, thanks!
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index a461d591a0e..12369896fe3 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -260,10 +260,10 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset, char **err_msgp) { static char * const exc_prop[] = { - "data", - "data-size", - "data-position", - "data-offset" + FIT_DATA_PROP, + FIT_DATA_SIZE_PROP, + FIT_DATA_POSITION_PROP, + FIT_DATA_OFFSET_PROP, }; const char *prop, *end, *name; diff --git a/tools/image-host.c b/tools/image-host.c index 698adfb3e1d..4a4e1c10d1e 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -917,7 +917,12 @@ static int fit_config_get_regions(const void *fit, int conf_noffset, int *region_countp, char **region_propp, int *region_proplen) { - char * const exc_prop[] = {"data"}; + char * const exc_prop[] = { + FIT_DATA_PROP, + FIT_DATA_SIZE_PROP, + FIT_DATA_POSITION_PROP, + FIT_DATA_OFFSET_PROP, + }; struct strlist node_inc; struct image_region *region; struct fdt_region fdt_regions[100];
Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well. While we're at it, use the FIT_DATA_* defines for fit_config_check_sig as welll. Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson <sean.anderson@seco.com> --- Changes in v2: - Use FIT_DATA_* defines boot/image-fit-sig.c | 8 ++++---- tools/image-host.c | 7 ++++++- 2 files changed, 10 insertions(+), 5 deletions(-)