authorTom Rini <[email protected]>2020-04-01 14:29:21 -0400
committerTom Rini <[email protected]>2020-04-01 14:29:21 -0400
commite0718b3ab754860bd47677e6b4fc5b70da42c4ab (patch)
treed10a15f1a7ab4ac7bb45301cc2a4560975341c6c /tools
parente88c9e6ff15144f64f031f6a7b9323a096ab5a4d (diff)
parent0e29648f8e7e0aa60c0f7efe9d2efed98f8c0c6e (diff)
Merge tag 'dm-pull-1apr20' of git://git.denx.de/u-boot-dm
Vboot vulnerability fix
Diffstat (limited to 'tools')
-rw-r--r--tools/fdt_host.h3
-rw-r--r--tools/fit_check_sign.c8
-rw-r--r--tools/image-host.c17
3 files changed, 18 insertions, 10 deletions
diff --git a/tools/fdt_host.h b/tools/fdt_host.h
index 99b009b2210..15c07c7a96e 100644
--- a/tools/fdt_host.h
+++ b/tools/fdt_host.h
@@ -27,6 +27,7 @@
*/
int fdt_remove_unused_strings(const void *old, void *new);
-int fit_check_sign(const void *working_fdt, const void *key);
+int fit_check_sign(const void *fit, const void *key,
+ const char *fit_uname_config);
#endif /* __FDT_HOST_H__ */
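Review bot: The widened `fit_check_sign()` prototype carries no comment, so a caller cannot tell from the header what the new `fit_uname_config` argument selects or what NULL means. Elsewhere in this commit, NULL is what `fit_check_sign.c` passes when `-c` is not given, and it is forwarded to `fit_conf_get_node()`, which presumably falls back to the default configuration. I would add a short kernel-doc block above the declaration stating that only the one selected configuration is verified, that NULL selects the default, and what the return values are, e.g. `@fit_uname_config: configuration node name to verify, or NULL for the default`.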
diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c
index 45287437928..9375d5cf72d 100644
--- a/tools/fit_check_sign.c
+++ b/tools/fit_check_sign.c
@@ -41,6 +41,7 @@ int main(int argc, char **argv)
void *fit_blob;
char *fdtfile = NULL;
char *keyfile = NULL;
+ char *config_name = NULL;
char cmdname[256];
int ret;
void *key_blob;
@@ -48,7 +49,7 @@ int main(int argc, char **argv)
strncpy(cmdname, *argv, sizeof(cmdname) - 1);
cmdname[sizeof(cmdname) - 1] = '\0';
- while ((c = getopt(argc, argv, "f:k:")) != -1)
+ while ((c = getopt(argc, argv, "f:k:c:")) != -1)
switch (c) {
case 'f':
fdtfile = optarg;
@@ -56,6 +57,9 @@ int main(int argc, char **argv)
case 'k':
keyfile = optarg;
break;
+ case 'c':
+ config_name = optarg;
+ break;
default:
usage(cmdname);
break;
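Review bot: The new `-c` option is accepted here, but `usage()` is not touched anywhere in this file (the 8 changed lines in the diffstat are all in the visible hunks), so the help text presumably still lists only `-f` and `-k`. For a verification tool this matters: an operator who does not know about `-c` only ever checks the default configuration and may read "Signature check OK" as covering every configuration in the FIT. I would extend the usage string with a line such as `"          -c ==> set the configuration name to verify (default configuration if omitted)\n"`. main() starts and ends outside this hunk.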
@@ -78,7 +82,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
image_set_host_blob(key_blob);
- ret = fit_check_sign(fit_blob, key_blob);
+ ret = fit_check_sign(fit_blob, key_blob, config_name);
if (!ret) {
ret = EXIT_SUCCESS;
fprintf(stderr, "Signature check OK\n");
diff --git a/tools/image-host.c b/tools/image-host.c
index 76a361b9d67..4e57ddea969 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -170,7 +170,7 @@ static int fit_image_setup_sig(struct image_sign_info *info,
memset(info, '\0', sizeof(*info));
info->keydir = keydir;
- info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+ info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
info->fit = fit;
info->node_offset = noffset;
info->name = strdup(algo_name);
@@ -249,7 +249,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
free(value);
/* Get keyname again, as FDT has changed and invalidated our pointer */
- info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+ info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
/*
* Write the public key into the supplied FDT file; this might fail
@@ -337,7 +337,7 @@ static int fit_image_setup_cipher(struct image_cipher_info *info,
info->keydir = keydir;
/* Read the key name */
- info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+ info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
if (!info->keyname) {
printf("Can't get key name for cipher '%s' in image '%s'\n",
node_name, image_name);
@@ -886,7 +886,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
free(region_prop);
/* Get keyname again, as FDT has changed and invalidated our pointer */
- info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+ info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
/* Write the public key into the supplied FDT file */
if (keydest) {
@@ -1025,19 +1025,22 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
}
#ifdef CONFIG_FIT_SIGNATURE
-int fit_check_sign(const void *fit, const void *key)
+int fit_check_sign(const void *fit, const void *key,
+ const char *fit_uname_config)
{
int cfg_noffset;
int ret;
- cfg_noffset = fit_conf_get_node(fit, NULL);
+ cfg_noffset = fit_conf_get_node(fit, fit_uname_config);
if (!cfg_noffset)
return -1;
- printf("Verifying Hash Integrity ... ");
+ printf("Verifying Hash Integrity for node '%s'... ",
+ fdt_get_name(fit, cfg_noffset, NULL));
ret = fit_config_verify(fit, cfg_noffset);
if (ret)
return ret;
+ printf("Verified OK, loading images\n");
ret = bootm_host_load_images(fit, cfg_noffset);
return ret;
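Review bot: The failure test `if (!cfg_noffset)` does not catch a missing configuration: `fit_conf_get_node()` is documented as reporting failure with a negative libfdt error code, and with the new `fit_uname_config` argument a mistyped `-c` name makes that path easy to reach. The negative offset then goes to `fdt_get_name()`, whose NULL result would be passed to `%s` in the new printf (undefined behaviour) before `fit_config_verify()` gets a chance to reject it. I would change the check to `if (cfg_noffset < 0)` and print an explicit "configuration not found" error before returning, so the tool fails closed with an unambiguous message. The function's closing brace is outside the hunk.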