* [PATCH 1/2] image-fit-sig: skip in tools build if key is missing @ 2025-03-29 3:12 Daniel Golle 2025-03-29 3:13 ` [PATCH 2/2] tools/fit_check_sign: make key optional Daniel Golle 0 siblings, 1 reply; 3+ messages in thread From: Daniel Golle @ 2025-03-29 3:12 UTC (permalink / raw) To: Tom Rini, Simon Glass, Chia-Wei Wang, u-boot; +Cc: Thomas Hühn Skip signature verification in case no public key was given in order to allow using fit_check_sign also to validate uImage.FIT images without signatures. Guarded by USE_HOSTCC macro the behavior on target is unchanged. Signed-off-by: Daniel Golle <daniel@makrotopia.org> --- boot/image-fit-sig.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index a121de60ae2..f23e9d5d0b0 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -191,6 +191,11 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset, int noffset; int key_node; +#ifdef USE_HOSTCC + if (!key_blob) + return 0; +#endif + /* Work out what we need to verify */ *no_sigsp = 1; key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME); @@ -477,6 +482,11 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, bool reqd_policy_all = true; const char *reqd_mode; +#ifdef USE_HOSTCC + if (!key_blob) + return 0; +#endif + /* * We don't support this since libfdt considers names with the * name root but different @ suffix to be equal -- 2.49.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
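Review bot: In the first hunk of boot/image-fit-sig.c (fit_image_verify_required_sigs), the new `if (!key_blob) return 0;` sits above `*no_sigsp = 1;`, so on the no-key path the function returns success without ever writing the caller's `no_sigsp` output. A caller that reads that flag after a zero return sees whatever it held before the call. Move the guard below the `*no_sigsp = 1;` assignment, or set the flag explicitly before returning, and add a one-line comment saying that host tools skip the required-signature check when no key blob is supplied.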
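Review bot: In the second hunk of boot/image-fit-sig.c (fit_config_verify_required_keys), returning 0 for a NULL `key_blob` makes "no key supplied, nothing verified" indistinguishable from "all required keys verified" for the caller. The guard is also placed ahead of the block introduced by the comment "We don't support this since libfdt considers names ...", so that block is skipped on this path as well. Consider placing the guard after that block, and let the function or its host caller report that verification was skipped, so that a build script which loses its key argument does not pass quietly. The same guard now appears twice in the file; a short comment at each site explaining why it is limited to USE_HOSTCC would help the next reader.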
* [PATCH 2/2] tools/fit_check_sign: make key optional 2025-03-29 3:12 [PATCH 1/2] image-fit-sig: skip in tools build if key is missing Daniel Golle @ 2025-03-29 3:13 ` Daniel Golle 2025-03-29 5:08 ` Daniel Golle 0 siblings, 1 reply; 3+ messages in thread From: Daniel Golle @ 2025-03-29 3:13 UTC (permalink / raw) To: Tom Rini, Simon Glass, Chia-Wei Wang, Daniel Golle, u-boot Cc: Thomas Hühn Allow invoking fit_check_sig without the key parameter, allowing to validate only checksums and hashes for unsigned images. Signed-off-by: Daniel Golle <daniel@makrotopia.org> --- tools/fit_check_sign.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c index 3d1d33fdab1..bac299a70e5 100644 --- a/tools/fit_check_sign.c +++ b/tools/fit_check_sign.c @@ -45,7 +45,7 @@ int main(int argc, char **argv) char *config_name = NULL; char cmdname[256]; int ret; - void *key_blob; + void *key_blob = NULL; int c; strncpy(cmdname, *argv, sizeof(cmdname) - 1); @@ -70,18 +70,15 @@ int main(int argc, char **argv) fprintf(stderr, "%s: Missing fdt file\n", *argv); usage(*argv); } - if (!keyfile) { - fprintf(stderr, "%s: Missing key file\n", *argv); - usage(*argv); - } ffd = mmap_fdt(cmdname, fdtfile, 0, &fit_blob, &fsbuf, false, true); if (ffd < 0) return EXIT_FAILURE; - kfd = mmap_fdt(cmdname, keyfile, 0, &key_blob, &ksbuf, false, true); - if (kfd < 0) - return EXIT_FAILURE; - + if (keyfile) { + kfd = mmap_fdt(cmdname, keyfile, 0, &key_blob, &ksbuf, false, true); + if (kfd < 0) + return EXIT_FAILURE; + } image_set_host_blob(key_blob); ret = fit_check_sign(fit_blob, key_blob, config_name); if (!ret) { -- 2.49.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
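Review bot: In the second hunk of tools/fit_check_sign.c, `kfd` and `key_blob` are now assigned only inside `if (keyfile)`, so every later use of them in main() needs the same condition; the follow-up message in this thread already names the unconditional munmap() of key_blob as one such place. `kfd` should get an initial value in the same way `key_blob` gets `= NULL` in the first hunk. With no key, the `fit_check_sign(fit_blob, key_blob, config_name)` call also reaches the same `if (!ret)` success branch as a signed and verified image, so the tool's output should state that only hashes were checked, and the usage text should describe the key argument as optional. Minor style point: the hunk drops the blank line before `image_set_host_blob(key_blob);`.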
* Re: [PATCH 2/2] tools/fit_check_sign: make key optional
From: Daniel Golle @ 2025-03-29 5:08 UTC
To: Tom Rini, Simon Glass, Chia-Wei Wang, u-boot; +Cc: Thomas Hühn

On Sat, Mar 29, 2025 at 03:13:01AM +0000, Daniel Golle wrote:
> Allow invoking fit_check_sig without the key parameter, allowing to
> validate only checksums and hashes for unsigned images.

Sadly I've missed making the munmap() of the key_blob conditional as well, and while glibc seems to be graceful about munmap(NULL) other libc like musl are not. I will fix that in v2.