From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=LKRB=OO=lists.denx.de=u-boot-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 932DFC433EF
	for <u-boot@archiver.kernel.org>; Fri, 24 Sep 2021 21:14:39 +0000 (UTC)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 1911560F4C
	for <u-boot@archiver.kernel.org>; Fri, 24 Sep 2021 21:14:39 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 1911560F4C
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id C90FA83537;
	Fri, 24 Sep 2021 23:14:31 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.b="h0om18y3";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id E747D834F8; Fri, 24 Sep 2021 23:08:42 +0200 (CEST)
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 73E0F834D2
 for <u-boot@lists.denx.de>; Fri, 24 Sep 2021 23:08:01 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=kabel@kernel.org
Received: by mail.kernel.org (Postfix) with ESMTPSA id 8529661374;
 Fri, 24 Sep 2021 21:07:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=k20201202; t=1632517680;
 bh=gGfBISyPbXLbEXMHXHj/mmIIthnNoQuOLJgTKaEfXPU=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=h0om18y3nZAS3sVhm30lOawdecZ+ePjXmrgnEuIdO93PR8llxAnnduyRMq2OdiB2Z
 J9y04cALGQ0m9A+zYgbTmgZiyxG+4LvfaiWmnONtzltPuHWUbORw0NOKUalLNEOz5x
 kXE8IDzYoRIO474B4RVQkxiGQAlVEwRga7XvrfcQMPOd9TyGLhwrIiBTPHG+A/qVMR
 L6IfSNsiQn31hg4SnPgv2UZJ3ERbtLDarbzUP+7ETBK4kzFZvCPeQqaifAcI4CtfN5
 QQ3k34vUfcdD0XdibV4y4NNup86pZg9tK+f7ctxDziX/KsP8+4Hh+0dfuDBRP4PJz+
 /DHDuwbm5exog==
From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
To: Stefan Roese <sr@denx.de>
Cc: u-boot@lists.denx.de, pali@kernel.org,
 Chris Packham <judge.packham@gmail.com>, Baruch Siach <baruch@tkos.co.il>,
 Dennis Gilmore <dgilmore@redhat.com>, Mario Six <mario.six@gdsys.cc>,
 Jon Nettleton <jon@solid-run.com>,
 =?UTF-8?q?Marek=20Beh=C3=BAn?= <marek.behun@nic.cz>
Subject: [PATCH u-boot-marvell v3 20/39] tools: kwboot: Don't patch image
 header if signed
Date: Fri, 24 Sep 2021 23:06:57 +0200
Message-Id: <20210924210716.29752-21-kabel@kernel.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210924210716.29752-1-kabel@kernel.org>
References: <20210924210716.29752-1-kabel@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

From: Pali Rohár <pali@kernel.org>

It is not possible to modify image with secure header due to
cryptographic signature.

Signed-off-by: Pali Rohár <pali@kernel.org>
[ refactored ]
Signed-off-by: Marek Behún <marek.behun@nic.cz>
---
 tools/kwboot.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/tools/kwboot.c b/tools/kwboot.c
index 9394a51380..2446d0a7b5 100644
--- a/tools/kwboot.c
+++ b/tools/kwboot.c
@@ -756,6 +756,18 @@ kwboot_img_csum8(void *_data, size_t size)
 	return csum;
 }
 
+static int
+kwboot_img_is_secure(void *img)
+{
+	struct opt_hdr_v1 *ohdr;
+
+	for_each_opt_hdr_v1 (ohdr, img)
+		if (ohdr->headertype == OPT_HDR_V1_SECURE_TYPE)
+			return 1;
+
+	return 0;
+}
+
 static int
 kwboot_img_patch_hdr(void *img, size_t size)
 {
@@ -764,6 +776,7 @@ kwboot_img_patch_hdr(void *img, size_t size)
 	uint8_t csum;
 	size_t hdrsz = sizeof(*hdr);
 	int image_ver;
+	int is_secure;
 
 	rc = -1;
 	hdr = img;
@@ -796,12 +809,19 @@ kwboot_img_patch_hdr(void *img, size_t size)
 		goto out;
 	}
 
-	if (hdr->blockid == IBR_HDR_UART_ID) {
-		rc = 0;
-		goto out;
-	}
+	is_secure = kwboot_img_is_secure(img);
 
-	hdr->blockid = IBR_HDR_UART_ID;
+	if (hdr->blockid != IBR_HDR_UART_ID) {
+		if (is_secure) {
+			fprintf(stderr,
+				"Image has secure header with signature for non-UART booting\n");
+			errno = EINVAL;
+			goto out;
+		}
+
+		kwboot_printv("Patching image boot signature to UART\n");
+		hdr->blockid = IBR_HDR_UART_ID;
+	}
 
 	if (image_ver == 0) {
 		struct main_hdr_v0 *hdr_v0 = img;
-- 
2.32.0