* [U-Boot] FIT: add image hash validation in iminfo command @ 2008-09-09 10:58 Bartlomiej Sieka 2008-09-09 10:58 ` [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output Bartlomiej Sieka 2008-09-09 10:58 ` [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check Bartlomiej Sieka 0 siblings, 2 replies; 5+ messages in thread From: Bartlomiej Sieka @ 2008-09-09 10:58 UTC (permalink / raw) To: u-boot The following two patches extend the iminfo command with the ability to check if hashes in a FIT image are valid. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output 2008-09-09 10:58 [U-Boot] FIT: add image hash validation in iminfo command Bartlomiej Sieka @ 2008-09-09 10:58 ` Bartlomiej Sieka 2008-09-09 13:58 ` Wolfgang Denk 2008-09-09 10:58 ` [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check Bartlomiej Sieka 1 sibling, 1 reply; 5+ messages in thread From: Bartlomiej Sieka @ 2008-09-09 10:58 UTC (permalink / raw) To: u-boot - add function fit_all_image_check_hashes() that verifies if all hashes of all images in the FIT are valid - improve output of fit_image_check_hashes() when the hash check fails Signed-off-by: Bartlomiej Sieka <tur@semihalf.com> --- common/image.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++---- include/image.h | 1 + 2 files changed, 57 insertions(+), 5 deletions(-) diff --git a/common/image.c b/common/image.c index 94f01ad..7f55695 100644 --- a/common/image.c +++ b/common/image.c @@ -2645,27 +2645,29 @@ int fit_image_check_hashes (const void *fit, int image_noffset) continue; if (fit_image_hash_get_algo (fit, noffset, &algo)) { - err_msg = "Can't get hash algo property"; + err_msg = " error!\nCan't get hash algo " + "property"; goto error; } printf ("%s", algo); if (fit_image_hash_get_value (fit, noffset, &fit_value, &fit_value_len)) { - err_msg = "Can't get hash value property"; + err_msg = " error!\nCan't get hash value " + "property"; goto error; } if (calculate_hash (data, size, algo, value, &value_len)) { - err_msg = "Unsupported hash algorithm"; + err_msg = " error!\nUnsupported hash algorithm"; goto error; } if (value_len != fit_value_len) { - err_msg = "Bad hash value len"; + err_msg = " error !\nBad hash value len"; goto error; } else if (memcmp (value, fit_value, value_len) != 0) { - err_msg = "Bad hash value"; + err_msg = " error!\nBad hash value"; goto error; } printf ("+ "); @@ -2682,6 +2684,55 @@ error: } /** + * fit_all_image_check_hashes - verify data intergity for all images + * @fit: pointer to the FIT format image header + * + * fit_all_image_check_hashes() goes over all images in the FIT and + * for every images checks if all it's hashes are valid. + * + * returns: + * 1, if all hashes of all images are valid + * 0, otherwise (or on error) + */ +int fit_all_image_check_hashes (const void *fit) +{ + int images_noffset; + int noffset; + int ndepth; + int count; + + /* Find images parent node offset */ + images_noffset = fdt_path_offset (fit, FIT_IMAGES_PATH); + if (images_noffset < 0) { + printf ("Can't find images parent node '%s' (%s)\n", + FIT_IMAGES_PATH, fdt_strerror (images_noffset)); + return 0; + } + + /* Process all image subnodes, check hashes for each */ + printf ("## Checking hash(es) for FIT Image@%08lx ...\n", + (ulong)fit); + for (ndepth = 0, count = 0, + noffset = fdt_next_node (fit, images_noffset, &ndepth); + (noffset >= 0) && (ndepth > 0); + noffset = fdt_next_node (fit, noffset, &ndepth)) { + if (ndepth == 1) { + /* + * Direct child node of the images parent node, + * i.e. component image node. + */ + printf (" Hash(es) for Image %u (%s): ", count++, + fit_get_name (fit, noffset, NULL)); + + if (!fit_image_check_hashes (fit, noffset)) + return 0; + printf ("\n"); + } + } + return 1; +} + +/** * fit_image_check_os - check whether image node is of a given os type * @fit: pointer to the FIT format image header * @noffset: component image node offset diff --git a/include/image.h b/include/image.h index 9be806e..e4de513 100644 --- a/include/image.h +++ b/include/image.h @@ -573,6 +573,7 @@ int fit_image_hash_set_value (void *fit, int noffset, uint8_t *value, int value_len); int fit_image_check_hashes (const void *fit, int noffset); +int fit_all_image_check_hashes (const void *fit); int fit_image_check_os (const void *fit, int noffset, uint8_t os); int fit_image_check_arch (const void *fit, int noffset, uint8_t arch); int fit_image_check_type (const void *fit, int noffset, uint8_t type); -- 1.5.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output 2008-09-09 10:58 ` [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output Bartlomiej Sieka @ 2008-09-09 13:58 ` Wolfgang Denk 0 siblings, 0 replies; 5+ messages in thread From: Wolfgang Denk @ 2008-09-09 13:58 UTC (permalink / raw) To: u-boot Dear Bartlomiej Sieka, In message <1220957897997-git-send-email-tur@semihalf.com> you wrote: > - add function fit_all_image_check_hashes() that verifies if all hashes of all > images in the FIT are valid > - improve output of fit_image_check_hashes() when the hash check fails > > Signed-off-by: Bartlomiej Sieka <tur@semihalf.com> > --- > common/image.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++---- > include/image.h | 1 + > 2 files changed, 57 insertions(+), 5 deletions(-) Applied, thanks. Best regards, Wolfgang Denk -- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de Sex is like air. It's only a big deal if you can't get any. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check 2008-09-09 10:58 [U-Boot] FIT: add image hash validation in iminfo command Bartlomiej Sieka 2008-09-09 10:58 ` [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output Bartlomiej Sieka @ 2008-09-09 10:58 ` Bartlomiej Sieka 2008-09-09 13:59 ` Wolfgang Denk 1 sibling, 1 reply; 5+ messages in thread From: Bartlomiej Sieka @ 2008-09-09 10:58 UTC (permalink / raw) To: u-boot Signed-off-by: Bartlomiej Sieka <tur@semihalf.com> --- common/cmd_bootm.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index 8dbab02..e537418 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -854,6 +854,12 @@ static int image_info (ulong addr) } fit_print_contents (hdr); + + if (!fit_all_image_check_hashes (hdr)) { + puts ("Bad hash in FIT image!\n"); + return 1; + } + return 0; #endif default: -- 1.5.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check 2008-09-09 10:58 ` [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check Bartlomiej Sieka @ 2008-09-09 13:59 ` Wolfgang Denk 0 siblings, 0 replies; 5+ messages in thread From: Wolfgang Denk @ 2008-09-09 13:59 UTC (permalink / raw) To: u-boot Dear Bartlomiej Sieka, In message <12209578971412-git-send-email-tur@semihalf.com> you wrote: > Signed-off-by: Bartlomiej Sieka <tur@semihalf.com> > --- > common/cmd_bootm.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) Applied, thanks. Best regards, Wolfgang Denk -- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de He had quite a powerful intellect, but it was as powerful like a locomotive, and ran on rails and was therefore almost impossible to steer. - Terry Pratchett, _Lords and Ladies_ ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-09-09 13:59 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-09-09 10:58 [U-Boot] FIT: add image hash validation in iminfo command Bartlomiej Sieka 2008-09-09 10:58 ` [U-Boot] [PATCH 1/2] FIT: add ability to check hashes of all images in FIT, improve output Bartlomiej Sieka 2008-09-09 13:58 ` Wolfgang Denk 2008-09-09 10:58 ` [U-Boot] [PATCH 2/2] FIT: make iminfo check hashes of all images in FIT, return 1 on failed check Bartlomiej Sieka 2008-09-09 13:59 ` Wolfgang Denk
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox