From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Michal Simek, Takahiro Akashi, Malte Schmidt, Tom Rini, Sughosh Ganu
Subject: [PATCH v2 1/8] fdt_add_pubkey: Add support for adding ESL public key under signature node
Date: Sat, 24 Jun 2023 19:11:11 +0530
Message-Id: <20230624134118.944567-2-sughosh.ganu@linaro.org>
In-Reply-To: <20230624134118.944567-1-sughosh.ganu@linaro.org>
References: <20230624134118.944567-1-sughosh.ganu@linaro.org>
X-Patchwork-Id: 695738

The fdt_add_pubkey tool is used for adding a public key to the
devicetree, which is then used for verifying the FIT signatures. Add a
function for embedding the public key in the form of an EFI Signature
List (ESL) file as a property under the signature node of the device
tree. Unlike the public key added for FIT signature verification, the
ESL file contents are added as a whole, as a property under the
signature node in the DTB.

The public key in the ESL form is used by the capsule authentication
feature for authenticating the capsules, prior to update.

Signed-off-by: Sughosh Ganu --- Changes since V1: * New patch * Use fdt_add_pubkey tool for adding the ESL into the dtb instead of using the shell script used in the earlier version. tools/Makefile | 2 +- tools/fdt_add_pubkey.c | 16 +++++-- tools/fdt_add_pubkey_esl.c | 98 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 4 deletions(-) create mode 100644 tools/fdt_add_pubkey_esl.c diff --git a/tools/Makefile b/tools/Makefile index d793cf3bec..a5558eeb4d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -152,7 +152,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o mkimage-objs := $(dumpimage-mkimage-objs) mkimage.o fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o -fdt_add_pubkey-objs := $(dumpimage-mkimage-objs) fdt_add_pubkey.o +fdt_add_pubkey-objs := $(dumpimage-mkimage-objs) fdt_add_pubkey.o fdt_add_pubkey_esl.o file2include-objs := file2include.o ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),) diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c index 5582d7a8ef..f536ab543b 100644 --- a/tools/fdt_add_pubkey.c +++ b/tools/fdt_add_pubkey.c @@ -2,18 +2,21 @@ #include #include "fit_common.h" +extern int fdt_embed_esl(const char *esl_file, void *keydest); + static const char *cmdname; static const char *algo_name = "sha1,rsa2048"; /* -a */ static const char *keydir = "."; /* -k */ static const char *keyname = "key"; /* -n */ static const char *require_keys; /* -r */ +static const char *esl_file; /* -e */ static const char *keydest; /* argv[n] */ static void __attribute__((__noreturn__)) print_usage(const char *msg) { fprintf(stderr, "Error: %s\n", msg); - fprintf(stderr, "Usage: %s [-a ] [-k ] [-n ] [-r ]" + fprintf(stderr, "Usage: %s [-a ] [-e ] [-k ] [-n ] [-r ]" " \n", cmdname); fprintf(stderr, "Help information: %s [-h]\n", cmdname); exit(EXIT_FAILURE); 
@@ -23,6 +26,7 @@ static void __attribute__((__noreturn__)) print_help(void) { fprintf(stderr, "Options:\n" "\t-a Cryptographic algorithm. Optional parameter, default value: sha1,rsa2048\n" + "\t-e EFI Signature List(ESL) file to embed into the FDT\n" "\t-k Directory with public key. Optional parameter, default value: .\n" "\t-n Public key name. Optional parameter, default value: key\n" "\t-r Required: If present this indicates that the key must be verified for the image / configuration to be considered valid.\n" @@ -34,7 +38,7 @@ static void process_args(int argc, char *argv[]) { int opt; - while ((opt = getopt(argc, argv, "a:k:n:r:h")) != -1) { + while ((opt = getopt(argc, argv, "a:e:k:n:r:h")) != -1) { switch (opt) { case 'k': keydir = optarg; @@ -48,6 +52,9 @@ static void process_args(int argc, char *argv[]) case 'r': require_keys = optarg; break; + case 'e': + esl_file = optarg; + break; case 'h': print_help(); default: @@ -106,7 +113,10 @@ static int add_pubkey(struct image_sign_info *info) if (destfd < 0) exit(EXIT_FAILURE); - ret = info->crypto->add_verify_data(info, dest_blob); + + ret = esl_file ? fdt_embed_esl(esl_file, dest_blob) : + info->crypto->add_verify_data(info, dest_blob); + if (ret == -ENOSPC) continue; else if (ret < 0) diff --git a/tools/fdt_add_pubkey_esl.c b/tools/fdt_add_pubkey_esl.c new file mode 100644 index 0000000000..de6ee41535 --- /dev/null +++ b/tools/fdt_add_pubkey_esl.c 
@@ -0,0 +1,98 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright 2023 Linaro Limited + * + */ + +#include +#include +#include + +#include +#include +#include +#include + +#include "mkimage.h" + +#define ESL_SIG_NODENAME "signature" + +static int get_esl_pub_key(const char *esl_file, void **key_ptr, int *key_fd, + off_t *key_size) +{ + int ret; + struct stat pub_key; + + debug("%s: esl file => %s\n", __func__, esl_file); + *key_fd = open(esl_file, O_RDONLY); + if (*key_fd == -1) { + fprintf(stderr, "Unable to open %s: %s\n", + esl_file, strerror(errno)); + return -EACCES; + } + + ret = fstat(*key_fd, &pub_key); + if (ret == -1) { + fprintf(stderr, "Can't stat %s: %s\n", + esl_file, strerror(errno)); + ret = errno; + goto err; + } + *key_size = pub_key.st_size; + + /* mmap the public key esl file */ + *key_ptr = mmap(0, *key_size, PROT_READ, MAP_SHARED, *key_fd, 0); + if ((*key_ptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "Failed to mmap %s:%s\n", + esl_file, strerror(errno)); + ret = errno; + goto err; + } + + return 0; +err: + close(*key_fd); + + return ret; +} + +int fdt_embed_esl(const char *esl_file, void *keydest) +{ + int ret, key_fd; + off_t key_size = 0; + void *key_ptr = NULL; + int parent; + + ret = get_esl_pub_key(esl_file, &key_ptr, &key_fd, &key_size); + if (ret) { + debug("Unable to open the public key esl file\n"); + goto out; + } + + parent = fdt_subnode_offset(keydest, 0, ESL_SIG_NODENAME); + if (parent == -FDT_ERR_NOTFOUND) { + parent = fdt_add_subnode(keydest, 0, ESL_SIG_NODENAME); + if (parent < 0) { + ret = parent; + if (ret != -FDT_ERR_NOSPACE) { + fprintf(stderr, "Couldn't create signature node: %s\n", + fdt_strerror(parent)); + } + } + } + + if (ret) + goto out; + + ret = fdt_setprop(keydest, parent, "capsule-key", + key_ptr, key_size); + +out: + close(key_fd); + munmap(key_ptr, key_size); + + if (ret) + return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO; + + return ret; +}
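
Review bot: In the first tools/fdt_add_pubkey.c hunk, the prototype "extern int fdt_embed_esl(const char *esl_file, void *keydest);" is declared by hand in the caller instead of in a header that tools/fdt_add_pubkey_esl.c also includes, so the compiler cannot catch the declaration and the definition drifting apart. Suggest moving it into a header shared by both files and dropping the extern from the .c file.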
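
Review bot: In the print_help() hunk, the new "-e" line does not follow the wording of its neighbours and leaves out what the option does to the tree. The other entries say "Optional parameter" and give a default, while this one only says the file is embedded into the FDT. Suggest stating that the option is optional, that the file is written whole as the "capsule-key" property of the signature node, and that it is an alternative to the FIT key options rather than an addition to them.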
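
Review bot: In the add_pubkey() hunk, the selection "ret = esl_file ? fdt_embed_esl(esl_file, dest_blob) : info->crypto->add_verify_data(info, dest_blob);" makes the two modes mutually exclusive without telling the user. A command line that passes -e together with -a, -k, -n or -r adds only the ESL, and the FIT verification key is silently not written. Suggest rejecting that combination in process_args() through print_usage(), or documenting that -e overrides the other options. The blank line added after exit(EXIT_FAILURE) and the one before "if (ret == -ENOSPC)" can also go.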
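
Review bot: In tools/fdt_add_pubkey_esl.c, the mmap check in get_esl_pub_key(), "if ((*key_ptr == MAP_FAILED) || (errno != 0))", treats a stale errno as a mapping failure. errno is not cleared by a successful call, so any earlier failed call in the process can make a valid mapping be reported as an error; test only for MAP_FAILED. The error paths also need tidying: get_esl_pub_key() closes *key_fd at its err label and then fdt_embed_esl() jumps to out and calls close(key_fd) and munmap(key_ptr, key_size) again, with key_fd already closed (or -1 after a failed open) and key_ptr either NULL or MAP_FAILED. Suggest returning directly when get_esl_pub_key() fails, and returning a negative errno saved before the fprintf() rather than "ret = errno". Separately, fdt_subnode_offset() failing with anything other than -FDT_ERR_NOTFOUND leaves ret at 0, so a negative parent reaches fdt_setprop(); check "parent < 0" before setting the property. Since the property is the key the capsule authentication relies on, a minimal size check on the ESL file before embedding it would also be worth adding, as key_size is an off_t that is passed unchecked as the length to fdt_setprop().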