From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 917C5C636D7
	for <u-boot@archiver.kernel.org>; Tue, 21 Feb 2023 20:32:40 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 72BD285B7A;
	Tue, 21 Feb 2023 21:24:36 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.b="RVrWKL46";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 976D785B54; Tue, 21 Feb 2023 21:23:54 +0100 (CET)
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 9258785A6B
 for <u-boot@lists.denx.de>; Tue, 21 Feb 2023 21:22:45 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=kernel.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=pali@kernel.org
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dfw.source.kernel.org (Postfix) with ESMTPS id 7D01A611F3;
 Tue, 21 Feb 2023 20:22:35 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32B1EC433EF;
 Tue, 21 Feb 2023 20:22:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=k20201202; t=1677010955;
 bh=xtBejRyPjsdX+RDw+vi+R9nVIcjqn5MQLExK/0C7GHs=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=RVrWKL46CSGiAyox1miaH0vvDs26OIBioqpf36OLtiBYjw4L/BTTQ9EUzvDHeeauR
 46FgRC78Pete3Ah8sEUDTzDmQy4ocRtfJAT6L1Bq2SU/PvJ8bwQntBCBf+n2KjqymA
 O7OjNLOl3hjXm+tWrmHAz+LzVHBJAeMY6L7cXCQkkKHASrKC9N37RGb6RLhd96tsGg
 Yiir0n7X0SNvDQM6+IUbJ2qRXAXrh1+xqquIgK7IeWdvUMZM4naNXG8cYJRUzCVvUn
 xTgOxrUvsIe+kc5OPezypUimkm+3Avgg3qpuTg6DnoR+1iIEG+90D+wEy4KZkDmVoG
 v2Cx3FIaEGZ0g==
Received: by pali.im (Postfix)
 id E3A3D9E0; Tue, 21 Feb 2023 21:22:34 +0100 (CET)
From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
To: u-boot@lists.denx.de
Cc: Stefan Roese <sr@denx.de>, Tony Dinh <mibodhi@gmail.com>,
 Josua Mayer <josua@solid-run.com>
Subject: [PATCH RFC u-boot-mvebu 43/59] tools: kwbimage: Fix generating secure
 boot data image signature
Date: Tue, 21 Feb 2023 21:19:09 +0100
Message-Id: <20230221201925.9644-44-pali@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20230221201925.9644-1-pali@kernel.org>
References: <20230221201925.9644-1-pali@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

Secure boot data image signature is calculated from the data image without
trailing 4-bit checksum. Commit 37cb9c15d70d ("tools: kwbimage: Simplify
aligning and calculating checksum") unintentionally broke this calculation
when it increased payloadsz variable by 4 bytes which was propagated also
into the add_secure_header_v1() function. Fix this issue by decreasing size
of buffer by 4 bytes from which is calculated secure boot data image
signature.

Fixes: 37cb9c15d70d ("tools: kwbimage: Simplify aligning and calculating checksum")
Signed-off-by: Pali Rohár <pali@kernel.org>
---
 tools/kwbimage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/kwbimage.c b/tools/kwbimage.c
index b32f845b7e2d..a8a59c154b9c 100644
--- a/tools/kwbimage.c
+++ b/tools/kwbimage.c
@@ -1355,7 +1355,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *image
 	if (kwb_sign_csk_with_kak(params, secure_hdr, csk))
 		return 1;
 
-	if (kwb_sign_and_verify(csk, image_ptr, image_size,
+	if (kwb_sign_and_verify(csk, image_ptr, image_size - 4,
 				&secure_hdr->imgsig, "image") < 0)
 		return 1;
 
-- 
2.20.1