From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 137E8C433EF for ; Fri, 15 Jul 2022 16:34:47 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id CC4C28210C; Fri, 15 Jul 2022 18:34:45 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.b="HNmZrvQI"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 8B7A18210C; Fri, 15 Jul 2022 18:34:43 +0200 (CEST) Received: from lelv0142.ext.ti.com (lelv0142.ext.ti.com [198.47.23.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 442AC81F5D for ; Fri, 15 Jul 2022 18:34:39 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=afd@ti.com Received: from lelv0265.itg.ti.com ([10.180.67.224]) by lelv0142.ext.ti.com (8.15.2/8.15.2) with ESMTP id 26FGYa9t085836; Fri, 15 Jul 2022 11:34:36 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=ti-com-17Q1; t=1657902876; bh=e5TowH5q2sWNCPI+1EnicOYWHoGS0cIU5HGXGNmBTmg=; h=From:To:CC:Subject:Date:In-Reply-To:References; b=HNmZrvQIsUl2wxFu287SlEYQwCTxBKWrcJ0kMxFbBgOO0OLWDuWGdzu+zFTfDxQgi QrD7V0EsW1jM91umrsMJhapWVo4tG5IZ9cbklhAuwzaUGRcyvJ1CbzypqShiP8MKtj kabuR12g+NBnoIYi/8KV+BGMyfcbbhspxM2AMxPs= Received: from DLEE111.ent.ti.com (dlee111.ent.ti.com [157.170.170.22]) by lelv0265.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 26FGYaQ0016925 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 15 Jul 2022 11:34:36 -0500 Received: from DLEE114.ent.ti.com (157.170.170.25) by DLEE111.ent.ti.com (157.170.170.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14; Fri, 15 Jul 2022 11:34:36 -0500 Received: from lelv0327.itg.ti.com (10.180.67.183) by DLEE114.ent.ti.com (157.170.170.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14 via Frontend Transport; Fri, 15 Jul 2022 11:34:36 -0500 Received: from ula0226330.dal.design.ti.com (ileax41-snat.itg.ti.com [10.172.224.153]) by lelv0327.itg.ti.com (8.15.2/8.15.2) with ESMTP id 26FGYZe7103933; Fri, 15 Jul 2022 11:34:36 -0500 From: Andrew Davis To: Simon Glass , Tom Rini , CC: Andrew Davis Subject: [PATCH 2/4] arm: mach-k3: security: Allow signing bypass if type is HS-FS Date: Fri, 15 Jul 2022 11:34:33 -0500 Message-ID: <20220715163435.1725-2-afd@ti.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220715163435.1725-1-afd@ti.com> References: <20220715163435.1725-1-afd@ti.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean On HS-FS devices signing boot images is optional. To ease use we check if we are HS-FS and if no certificate is attached to the image we skip the authentication step with a warning that this will fail when the device is set to security enforcing. Signed-off-by: Andrew Davis --- arch/arm/mach-k3/security.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c index 8de9739a40..5bfcecd44d 100644 --- a/arch/arm/mach-k3/security.c +++ b/arch/arm/mach-k3/security.c @@ -2,10 +2,11 @@ /* * K3: Security functions * - * Copyright (C) 2018 Texas Instruments Incorporated - http://www.ti.com/ + * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/ * Andrew F. Davis */ +#include #include #include #include @@ -18,6 +19,17 @@ #include #include +#include "common.h" + +static bool ti_secure_cert_detected(void *p_image) +{ + /* Primitive certificate detection, check for DER starting with + * two 4-Octet SEQUENCE tags + */ + return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 && + ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82); +} + void ti_secure_image_post_process(void **p_image, size_t *p_size) { struct ti_sci_handle *ti_sci = get_ti_sci_handle(); @@ -29,6 +41,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size) image_addr = (uintptr_t)*p_image; image_size = *p_size; + if (get_device_type() != K3_DEVICE_TYPE_HS_SE && + !ti_secure_cert_detected(*p_image)) { + printf("Warning: Did not detect image signing certificate. " + "Skipping authentication to prevent boot failure. " + "This will fail on Security Enforcing(HS-SE) devices\n"); + return; + } + debug("Authenticating image at address 0x%016llx\n", image_addr); debug("Authenticating image of size %d bytes\n", image_size); -- 2.36.1