From: Andrew Davis <afd@ti.com>
To: Simon Glass <sjg@chromium.org>, Tom Rini <trini@konsulko.com>,
<u-boot@lists.denx.de>
Cc: Andrew Davis <afd@ti.com>
Subject: [PATCH 2/4] arm: mach-k3: security: Allow signing bypass if type is HS-FS
Date: Fri, 15 Jul 2022 11:34:33 -0500 [thread overview]
Message-ID: <20220715163435.1725-2-afd@ti.com> (raw)
In-Reply-To: <20220715163435.1725-1-afd@ti.com>
On HS-FS devices signing boot images is optional. To ease use
we check if we are HS-FS and if no certificate is attached
to the image we skip the authentication step with a warning
that this will fail when the device is set to security enforcing.
Signed-off-by: Andrew Davis <afd@ti.com>
---
arch/arm/mach-k3/security.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c
index 8de9739a40..5bfcecd44d 100644
--- a/arch/arm/mach-k3/security.c
+++ b/arch/arm/mach-k3/security.c
@@ -2,10 +2,11 @@
/*
* K3: Security functions
*
- * Copyright (C) 2018 Texas Instruments Incorporated - http://www.ti.com/
+ * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/
* Andrew F. Davis <afd@ti.com>
*/
+#include <asm/io.h>
#include <common.h>
#include <cpu_func.h>
#include <dm.h>
@@ -18,6 +19,17 @@
#include <spl.h>
#include <asm/arch/sys_proto.h>
+#include "common.h"
+
+static bool ti_secure_cert_detected(void *p_image)
+{
+ /* Primitive certificate detection, check for DER starting with
+ * two 4-Octet SEQUENCE tags
+ */
+ return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 &&
+ ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
+}
+
void ti_secure_image_post_process(void **p_image, size_t *p_size)
{
struct ti_sci_handle *ti_sci = get_ti_sci_handle();
@@ -29,6 +41,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size)
image_addr = (uintptr_t)*p_image;
image_size = *p_size;
+ if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
+ !ti_secure_cert_detected(*p_image)) {
+ printf("Warning: Did not detect image signing certificate. "
+ "Skipping authentication to prevent boot failure. "
+ "This will fail on Security Enforcing(HS-SE) devices\n");
+ return;
+ }
+
debug("Authenticating image at address 0x%016llx\n", image_addr);
debug("Authenticating image of size %d bytes\n", image_size);
--
2.36.1
next prev parent reply other threads:[~2022-07-15 16:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-15 16:34 [PATCH 1/4] arm: mach-k3: Add support for device type detection Andrew Davis
2022-07-15 16:34 ` Andrew Davis [this message]
2022-08-04 20:52 ` [PATCH 2/4] arm: mach-k3: security: Allow signing bypass if type is HS-FS Tom Rini
2022-07-15 16:34 ` [PATCH 3/4] arm: mach-k3: security: Bypass image signing at runtime for GP devices Andrew Davis
2022-08-04 20:52 ` Tom Rini
2022-07-15 16:34 ` [PATCH 4/4] arm: mach-k3: security: Remove certificate if detected on GP device Andrew Davis
2022-07-18 12:08 ` Tom Rini
2022-08-04 20:52 ` Tom Rini
2022-07-18 12:08 ` [PATCH 1/4] arm: mach-k3: Add support for device type detection Tom Rini
2022-07-25 16:57 ` Tom Rini
2022-07-26 1:29 ` Andrew Davis
2022-08-04 20:51 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220715163435.1725-2-afd@ti.com \
--to=afd@ti.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox