summaryrefslogtreecommitdiff
path: root/boot
diff options
context:
space:
mode:
authorSimon Glass <sjg@chromium.org>2021-11-12 12:28:10 -0700
committerSimon Glass <sjg@chromium.org>2022-01-26 08:50:44 -0700
commit99f844ba3a6b3ddd73742cddf7dee955bbb96c61 (patch)
tree27fbc1ca8b923dcfa06f090e6d0337993f0c9940 /boot
parent2ad90b395313a7350cfb0543b4979a24746413b3 (diff)
downloadu-boot-99f844ba3a6b3ddd73742cddf7dee955bbb96c61.tar.gz
tools: Pass the key blob around
At present we rely on the key blob being in the global_data fdt_blob pointer. This is true in U-Boot but not with tools. For clarity, pass the parameter around. Signed-off-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'boot')
-rw-r--r--boot/image-fit-sig.c31
-rw-r--r--boot/image-fit.c12
2 files changed, 25 insertions, 18 deletions
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index d6e16c29ed..a461d591a0 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -65,7 +65,8 @@ struct image_region *fit_region_make_list(const void *fit,
static int fit_image_setup_verify(struct image_sign_info *info,
const void *fit, int noffset,
- int required_keynode, char **err_msgp)
+ const void *key_blob, int required_keynode,
+ char **err_msgp)
{
const char *algo_name;
const char *padding_name;
@@ -91,7 +92,7 @@ static int fit_image_setup_verify(struct image_sign_info *info,
info->checksum = image_get_checksum_algo(algo_name);
info->crypto = image_get_crypto_algo(algo_name);
info->padding = image_get_padding_algo(padding_name);
- info->fdt_blob = gd_fdt_blob();
+ info->fdt_blob = key_blob;
info->required_keynode = required_keynode;
printf("%s:%s", algo_name, info->keyname);
@@ -104,7 +105,8 @@ static int fit_image_setup_verify(struct image_sign_info *info,
}
int fit_image_check_sig(const void *fit, int noffset, const void *data,
- size_t size, int required_keynode, char **err_msgp)
+ size_t size, const void *key_blob, int required_keynode,
+ char **err_msgp)
{
struct image_sign_info info;
struct image_region region;
@@ -112,8 +114,8 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data,
int fit_value_len;
*err_msgp = NULL;
- if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
- err_msgp))
+ if (fit_image_setup_verify(&info, fit, noffset, key_blob,
+ required_keynode, err_msgp))
return -1;
if (fit_image_hash_get_value(fit, noffset, &fit_value,
@@ -156,8 +158,8 @@ static int fit_image_verify_sig(const void *fit, int image_noffset,
}
if (!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
- ret = fit_image_check_sig(fit, noffset, data,
- size, -1, &err_msg);
+ ret = fit_image_check_sig(fit, noffset, data, size,
+ key_blob, -1, &err_msg);
if (ret) {
puts("- ");
} else {
@@ -244,6 +246,7 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
* @noffset: Offset of the signature node being checked (e.g.
* /configurations/conf-1/signature-1)
* @conf_noffset: Offset of configuration node (e.g. /configurations/conf-1)
+ * @key_blob: Blob containing the keys to check against
* @required_keynode: Offset in @key_blob of the required key node,
* if any. If this is given, then the configuration wil not
* pass verification unless that key is used. If this is
@@ -253,7 +256,8 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
* Return: 0 if all verified ok, <0 on error
*/
static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
- int required_keynode, char **err_msgp)
+ const void *key_blob, int required_keynode,
+ char **err_msgp)
{
static char * const exc_prop[] = {
"data",
@@ -275,12 +279,12 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
int count;
config_name = fit_get_name(fit, conf_noffset, NULL);
- debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+ debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, key_blob,
fit_get_name(fit, noffset, NULL),
- fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+ fit_get_name(key_blob, required_keynode, NULL));
*err_msgp = NULL;
- if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
- err_msgp))
+ if (fit_image_setup_verify(&info, fit, noffset, key_blob,
+ required_keynode, err_msgp))
return -1;
if (fit_image_hash_get_value(fit, noffset, &fit_value,
@@ -423,7 +427,8 @@ static int fit_config_verify_key(const void *fit, int conf_noffset,
if (!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_check_sig(fit, noffset, conf_noffset,
- key_offset, &err_msg);
+ key_blob, key_offset,
+ &err_msg);
if (ret) {
puts("- ");
} else {
diff --git a/boot/image-fit.c b/boot/image-fit.c
index 85a6f223c8..f01cafe4e2 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1309,7 +1309,8 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
}
int fit_image_verify_with_data(const void *fit, int image_noffset,
- const void *data, size_t size)
+ const void *key_blob, const void *data,
+ size_t size)
{
int noffset = 0;
char *err_msg = "";
@@ -1319,7 +1320,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
/* Verify all required signatures */
if (FIT_IMAGE_ENABLE_VERIFY &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
- gd_fdt_blob(), &verify_all)) {
+ key_blob, &verify_all)) {
err_msg = "Unable to verify required signature";
goto error;
}
@@ -1342,8 +1343,8 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
} else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
- ret = fit_image_check_sig(fit, noffset, data,
- size, -1, &err_msg);
+ ret = fit_image_check_sig(fit, noffset, data, size,
+ gd_fdt_blob(), -1, &err_msg);
/*
* Show an indication on failure, but do not return
@@ -1406,7 +1407,8 @@ int fit_image_verify(const void *fit, int image_noffset)
goto err;
}
- return fit_image_verify_with_data(fit, image_noffset, data, size);
+ return fit_image_verify_with_data(fit, image_noffset, gd_fdt_blob(),
+ data, size);
err:
printf("error!\n%s in '%s' image node\n", err_msg,