From mboxrd@z Thu Jan 1 00:00:00 1970 From: Philippe REYNES Date: Thu, 30 Jul 2020 16:59:40 +0200 (CEST) Subject: [PATCH] mkimage: fit: include image cipher in configuration signature In-Reply-To: <20200730043047.409762-1-patrick.oppenlander@gmail.com> References: <20200730043047.409762-1-patrick.oppenlander@gmail.com> Message-ID: <3477309.587596.1596121180682.JavaMail.zimbra@softathome.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Patrick, > From: Patrick Oppenlander > > This patch addresses issue #2 for signed configurations. > > -----8<----- This "line" will be included in the commit message ;) > Including the image cipher properties in the configuration signature > prevents an attacker from modifying cipher, key or iv properties. > > Signed-off-by: Patrick Oppenlander Reviewed-by: Philippe Reynes Regards, Philippe > --- > tools/image-host.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/tools/image-host.c b/tools/image-host.c > index e5417beee5..3d52593e36 100644 > --- a/tools/image-host.c > +++ b/tools/image-host.c > @@ -744,6 +744,23 @@ static int fit_config_get_hash_list(void *fit, int > conf_noffset, > return -ENOMSG; > } > > + /* Add this image's cipher node if present */ > + noffset = fdt_subnode_offset(fit, image_noffset, > + FIT_CIPHER_NODENAME); > + if (noffset != -FDT_ERR_NOTFOUND) { > + if (noffset < 0) { > + printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n", > + conf_name, sig_name, iname, > + fdt_strerror(noffset)); > + return -EIO; > + } > + ret = fdt_get_path(fit, noffset, path, sizeof(path)); > + if (ret < 0) > + goto err_path; > + if (strlist_add(node_inc, path)) > + goto err_mem; > + } > + > image_count++; > } > > -- > 2.27.0
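Review bot: the new cipher block in fit_config_get_hash_list() only adds the cipher node's path to node_inc, and the diffstat shows tools/image-host.c as the sole file changed, so the commit message should say how the verifying side comes to cover the same node. It should also say whether a configuration signed without the cipher node in its list is still accepted, because such a signature leaves the cipher, key and iv properties named in the message unprotected. A test that alters a cipher property after signing and checks that verification fails would document the intended behaviour. As a style point in the same block, the nested `if (noffset != -FDT_ERR_NOTFOUND) {` followed by `if (noffset < 0) {` would read more directly with the error case tested first and the path handling in a separate `noffset >= 0` branch.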