Message ID | 20240620142059.2348379-1-ada@thorsis.com |
---|---|
State | Accepted |
Commit | 6074f6e85783f582e8524778fff170ff05b35a91 |
Delegated to: | Tom Rini |
Series | mkimage: Allow 'auto-conf' signing of scripts |
On Thu, Jun 20, 2024 at 04:20:59PM +0200, Alexander Dahl wrote:

> U-Boot configured for verified boot with the "required" option set to
> "conf" also checks scripts put in FIT images for a valid signature, and
> refuses to source and run such a script if the signature for the
> configuration is bad or missing. Such a script could not be packaged
> before, because mkimage failed like this:
>
> % tools/mkimage -T script -C none -d tmp/my.scr -f auto-conf -k tmp -g dev -o sha256,rsa4096 my.uimg
> Failed to find any images for configuration 'conf-1/signature'
> tools/mkimage Can't add hashes to FIT blob: -1
> Error: Bad parameters for FIT image type
>
> This is especially unfortunate if LEGACY_IMAGE_FORMAT is disabled as
> recommended.
>
> Listing the script configuration in a "sign-images" subnode instead,
> would have added even more complexity to the already complex auto fit
> generation code.
>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>

Applied to u-boot/master, thanks!
diff --git a/tools/image-host.c b/tools/image-host.c index 7bfc0cb6b18..49ce7436bb9 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -730,7 +730,7 @@ static const char *fit_config_get_image_list(const void *fit, int noffset, int *lenp, int *allow_missingp) { static const char default_list[] = FIT_KERNEL_PROP "\0" - FIT_FDT_PROP; + FIT_FDT_PROP "\0" FIT_SCRIPT_PROP; const char *prop; /* If there is an "sign-image" property, use that */
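Review bot: In the default_list initializer of fit_config_get_image_list(), appending FIT_SCRIPT_PROP means every configuration without an explicit image list is now looked up for a script as well as a kernel and an fdt, so please confirm that this default path sets *allow_missingp and that configurations with no script still sign without error. The diffstat shows only tools/image-host.c changed, so no test accompanies the fix; a case that runs mkimage with -T script -f auto-conf and signing options and then checks the configuration signature would guard against the failure quoted in the commit message coming back. The unchanged context comment reads 'If there is an "sign-image" property' while the commit message names it "sign-images"; the comment could be corrected in the same patch.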
U-Boot configured for verified boot with the "required" option set to "conf" also checks scripts put in FIT images for a valid signature, and refuses to source and run such a script if the signature for the configuration is bad or missing. Such a script could not be packaged before, because mkimage failed like this:

    % tools/mkimage -T script -C none -d tmp/my.scr -f auto-conf -k tmp -g dev -o sha256,rsa4096 my.uimg
    Failed to find any images for configuration 'conf-1/signature'
    tools/mkimage Can't add hashes to FIT blob: -1
    Error: Bad parameters for FIT image type

This is especially unfortunate if LEGACY_IMAGE_FORMAT is disabled as recommended.

Listing the script configuration in a "sign-images" subnode instead, would have added even more complexity to the already complex auto fit generation code.

Signed-off-by: Alexander Dahl <ada@thorsis.com>

---
 tools/image-host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

base-commit: fe2ce09a0753634543c32cafe85eb87a625f76ca