diff options
| author | Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> | 2020-08-16 23:01:09 -0700 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2020-10-12 21:30:37 -0400 |
| commit | 182eeefcb439282dfe3320f4a12ab752f313f6fe (patch) | |
| tree | c8f1d0063338046c9a4f3a396f4913ddb03739d9 /common | |
| parent | 9885313b9add6c04cf3059958c5ee51a4f0ac930 (diff) | |
| download | u-boot-182eeefcb439282dfe3320f4a12ab752f313f6fe.zip u-boot-182eeefcb439282dfe3320f4a12ab752f313f6fe.tar.gz u-boot-182eeefcb439282dfe3320f4a12ab752f313f6fe.tar.bz2 | |
vboot: add DTB policy for supporting multiple required conf keys
Currently FIT image must be signed by all required conf keys. This means
Verified Boot fails if there is a signature verification failure
using any required key in U-Boot DTB.
This patch introduces a new policy in DTB that can be set to any required
conf key. This means if verified boot passes with one of the required
keys, U-Boot will continue the OS hand off.
There were prior attempts to address this:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
https://lists.denx.de/pipermail/u-boot/2020-January/396629.html
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'common')
| -rw-r--r-- | common/image-fit-sig.c | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c index cc19671..5401d94 100644 --- a/common/image-fit-sig.c +++ b/common/image-fit-sig.c @@ -416,6 +416,10 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, { int noffset; int sig_node; + int verified = 0; + int reqd_sigs = 0; + bool reqd_policy_all = true; + const char *reqd_mode; /* Work out what we need to verify */ sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); @@ -425,6 +429,14 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, return 0; } + /* Get required-mode policy property from DTB */ + reqd_mode = fdt_getprop(sig_blob, sig_node, "required-mode", NULL); + if (reqd_mode && !strcmp(reqd_mode, "any")) + reqd_policy_all = false; + + debug("%s: required-mode policy set to '%s'\n", __func__, + reqd_policy_all ? "all" : "any"); + fdt_for_each_subnode(noffset, sig_blob, sig_node) { const char *required; int ret; @@ -433,15 +445,29 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, NULL); if (!required || strcmp(required, "conf")) continue; + + reqd_sigs++; + ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, noffset); if (ret) { - printf("Failed to verify required signature '%s'\n", - fit_get_name(sig_blob, noffset, NULL)); - return ret; + if (reqd_policy_all) { + printf("Failed to verify required signature '%s'\n", + fit_get_name(sig_blob, noffset, NULL)); + return ret; + } + } else { + verified++; + if (!reqd_policy_all) + break; } } + if (reqd_sigs && !verified) { + printf("Failed to verify 'any' of the required signature(s)\n"); + return -EPERM; + } + return 0; } |