From patchwork Thu Sep 16 13:09:57 2021
X-Patchwork-Submitter: Oleksandr Suvorov
X-Patchwork-Id: 1528832
X-Patchwork-Delegate: trini@ti.com
From: Oleksandr Suvorov
To: u-boot@lists.denx.de
Cc: Henry Beberman, Ricardo Salveti, Oleksandr Suvorov, Alexandru Gagniuc, Bin Meng, Klaus Heinrich Kiwi, Marek Vasut, Michal Simek, Philippe Reynes, Simon Glass, Steffen Jaeckel
Subject: [PATCH 1/2] spl: Add CONFIG_SPL_FIT_SIGNATURE_STRICT
Date: Thu, 16 Sep 2021 16:09:57 +0300
Message-Id: <20210916130958.306964-2-oleksandr.suvorov@foundries.io>
In-Reply-To: <20210916130958.306964-1-oleksandr.suvorov@foundries.io>
References: <20210916130958.306964-1-oleksandr.suvorov@foundries.io>

From: Henry Beberman

SPL FIT load checks the signature on loadable images but just continues in the case of a failure. This is undesirable behavior because the boot process depends on the authenticity of each loadable part.

Adding CONFIG_SPL_FIT_SIGNATURE_STRICT to halt the platform when any image fails its signature check, including loadable parts.

SPL already supports image signature verification but had no mechanism to check that the FIT's configuration block was signed correctly. Add a check near the start of spl_load_simple_fit that verifies the FIT's configuration block, and fails if it's not present or the signature doesn't match what's stored in the SPL DTB.

Signed-off-by: Henry Beberman
Signed-off-by: Ricardo Salveti Co-developed-by: Oleksandr Suvorov Signed-off-by: Oleksandr Suvorov --- common/Kconfig.boot | 7 +++++++ common/spl/spl_fit.c | 21 ++++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 902a5b8fbea..6f95d009dfa 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -166,6 +166,13 @@ config SPL_FIT_SIGNATURE select SPL_IMAGE_SIGN_INFO select SPL_FIT_FULL_CHECK +config SPL_FIT_SIGNATURE_STRICT + bool "Halt if loadables or firmware don't pass FIT signature verification" + select SPL_FIT_SIGNATURE + help + Strictly requires each loadable or firmware in a FIT image to be + passed verification. Halt if any loadable fails to be verified. + config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" select SPL_FIT diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index f41abca0ccb..e7eaaa4cb9e 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -315,7 +315,12 @@ static int spl_load_fit_image(struct spl_load_info *info, ulong sector, printf("## Checking hash(es) for Image %s ... ", fit_get_name(fit, node, NULL)); if (!fit_image_verify_with_data(fit, node, src, length)) - return -EPERM; + if (CONFIG_IS_ENABLED(FIT_SIGNATURE_STRICT)) { + puts("Invalid FIT signature found in a required image.\n"); + hang(); + } else { + return -EPERM; + } puts("OK\n"); } 
@@ -681,6 +686,20 @@ int spl_load_simple_fit(struct spl_image_info *spl_image, if (ret < 0) return ret; + if (CONFIG_IS_ENABLED(FIT_SIGNATURE_STRICT)) { + int cfg_noffset = fit_conf_get_node(fit, NULL); + + if (cfg_noffset >= 0) { + if (fit_config_verify(fit, cfg_noffset)) { + puts("Unable to verify the required FIT config.\n"); + hang(); + } + } else { + puts("SPL_FIT_SIGNATURE_STRICT needs a config node in FIT\n"); + hang(); + } + } + /* skip further processing if requested to enable load-only use cases */ if (spl_load_simple_fit_skip_processing()) return 0;

From patchwork Thu Sep 16 13:09:58 2021
X-Patchwork-Submitter: Oleksandr Suvorov
X-Patchwork-Id: 1528831
X-Patchwork-Delegate: trini@ti.com
From: Oleksandr Suvorov
To: u-boot@lists.denx.de
Cc: Ricardo Salveti, Oleksandr Suvorov, Alexandru Gagniuc, Bin Meng, Klaus Heinrich Kiwi, Masahisa Kojima, Michal Simek, Simon Glass, Steffen Jaeckel
Subject: [PATCH 2/2] cmd: Add CONFIG_FIT_SIGNATURE_STRICT
Date: Thu, 16 Sep 2021 16:09:58 +0300
Message-Id: <20210916130958.306964-3-oleksandr.suvorov@foundries.io>
In-Reply-To: <20210916130958.306964-2-oleksandr.suvorov@foundries.io>
References: <20210916130958.306964-1-oleksandr.suvorov@foundries.io> <20210916130958.306964-2-oleksandr.suvorov@foundries.io>

From: Ricardo Salveti Add CONFIG_FIT_SIGNATURE_STRICT to require a valid FIT configuration signature for each command that is able to manipulate FIT images. Signed-off-by: Ricardo Salveti Co-developed-by: Oleksandr Suvorov Signed-off-by: Oleksandr Suvorov --- cmd/fpga.c | 14 ++++++++++++++ cmd/source.c | 14 ++++++++++++++ cmd/ximg.c | 14 ++++++++++++++ common/Kconfig.boot | 4 ++++ 4 files changed, 46 insertions(+) diff --git a/cmd/fpga.c b/cmd/fpga.c index 3fdd0b35e80..16d329590fa 100644 --- a/cmd/fpga.c +++ b/cmd/fpga.c @@ -335,6 +335,20 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc, return CMD_RET_FAILURE; } + if (CONFIG_IS_ENABLED(FIT_SIGNATURE_STRICT)) { + /* validate required fit config entry */ + noffset = fit_conf_get_node(fit_hdr, NULL); + if (noffset >= 0) { + if (fit_config_verify(fit_hdr, noffset)) { + puts("Cannot verify FIT config node\n"); + return CMD_RET_FAILURE; + } + } else { + puts("FIT_SIGNATURE_STRICT requires a config node\n"); + return CMD_RET_FAILURE; + } + } + /* get fpga component image node offset */ noffset = fit_image_get_node(fit_hdr, fit_uname); if (noffset < 0) { diff --git a/cmd/source.c b/cmd/source.c index 81e015b64ef..b08406dfcbf 100644 --- a/cmd/source.c +++ b/cmd/source.c @@ -112,6 +112,20 @@ int image_source_script(ulong addr, const char *fit_uname) return 1; } + if (CONFIG_IS_ENABLED(FIT_SIGNATURE_STRICT)) { + /* validate required fit config entry */ + noffset = fit_conf_get_node(fit_hdr, NULL); + if (noffset >= 0) { + if (fit_config_verify(fit_hdr, noffset)) { + puts("Cannot verify FIT config node\n"); + return 1; + } + } else { + puts("FIT_SIGNATURE_STRICT requires a config node\n"); + return 1; + } + } + if (!fit_uname) fit_uname = get_default_image(fit_hdr); diff --git a/cmd/ximg.c b/cmd/ximg.c index 65ba41320a0..39fccd8179c 100644 --- a/cmd/ximg.c +++ b/cmd/ximg.c 
@@ -141,6 +141,20 @@ do_imgextract(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) return 1; } + if (CONFIG_IS_ENABLED(FIT_SIGNATURE_STRICT)) { + /* validate required fit config entry */ + noffset = fit_conf_get_node(fit_hdr, NULL); + if (noffset >= 0) { + if (fit_config_verify(fit_hdr, noffset)) { + puts("Cannot verify FIT config node\n"); + return 1; + } + } else { + puts("FIT_SIGNATURE_STRICT requires a config node\n"); + return 1; + } + } + /* get subimage node offset */ noffset = fit_image_get_node(fit_hdr, uname); if (noffset < 0) { diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 6f95d009dfa..ca7d9a8d971 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -77,6 +77,10 @@ config FIT_SIGNATURE_MAX_SIZE device memory. Assure this size does not extend past expected storage space. +config FIT_SIGNATURE_STRICT + bool "Requires a valid FIT configuration signature for every image" + select FIT_SIGNATURE + config FIT_RSASSA_PSS bool "Support rsassa-pss signature scheme of FIT image contents" depends on FIT_SIGNATURE
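
Review bot: In [PATCH 1/2], common/Kconfig.boot, the help text for SPL_FIT_SIGNATURE_STRICT describes only loadables and firmware, but the same option also gates the configuration-node check added to spl_load_simple_fit, which hangs when the FIT has no config node or when fit_config_verify fails. The help should say that a signed configuration is required as well, and "to be passed verification" would read better as "to pass verification".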
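
Review bot: In [PATCH 1/2], common/spl/spl_fit.c, hunk @@ -315,7 +315,12 @@, the outer "if (!fit_image_verify_with_data(fit, node, src, length))" now has a multi-line if/else as its body with no braces of its own; please brace the outer body so the else binding is explicit and a later edit cannot move "puts("OK\n");" under the wrong branch. The new message says "Invalid FIT signature" while the printf just above announces "Checking hash(es)", so the two lines disagree about what failed; a neutral wording such as "FIT image verification failed" would match both.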
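
Review bot: In [PATCH 1/2], common/spl/spl_fit.c, hunk @@ -681,6 +686,20 @@, fit_conf_get_node(fit, NULL) is called with a NULL name, so the check runs on the default configuration only. Please confirm that this is the same node SPL goes on to use when it picks firmware and loadables, or verify the node that is actually selected; otherwise the verified configuration and the one that drives loading can differ. Both failure paths call hang() in a function that otherwise reports errors ("return ret;" directly above), so a short comment stating that halting here is deliberate would help.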
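
Review bot: In [PATCH 2/2], cmd/fpga.c, the new block verifies the default configuration (fit_conf_get_node(fit_hdr, NULL)), but the statement that follows looks the component up by name with fit_image_get_node(fit_hdr, fit_uname). Nothing in the hunk checks that fit_uname is one of the images referenced by the verified configuration, so a valid configuration signature does not by itself show that the image being loaded is covered by it. Either check that the named image belongs to the verified configuration or document this limit in the Kconfig help; the same applies to the identical block in cmd/ximg.c, which is followed by fit_image_get_node(fit_hdr, uname).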
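
Review bot: In [PATCH 2/2], cmd/source.c, the added block is a line-for-line copy of the ones in cmd/fpga.c and cmd/ximg.c, differing only in the return value (1 here and in ximg.c, CMD_RET_FAILURE in fpga.c). A shared helper that takes the FIT pointer and returns an error code would keep the three call sites in step and give one place to change if the policy moves from the default configuration to a selected one.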
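
Review bot: In [PATCH 2/2], common/Kconfig.boot, FIT_SIGNATURE_STRICT is added with no help section, and its prompt says "for every image" while the code in this patch verifies the configuration node in the fpga, source and ximg commands. Please add help text that names the affected commands and the failure behaviour (the command returns an error), and that states how this differs from SPL_FIT_SIGNATURE_STRICT in patch 1/2, which calls hang().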