Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the
documentation in doc/uImage.FIT to doc/usage/fit, subsequently all
documents and example sources have been converted to reStructuredText.
Fix (almost) all of the remaining occurrences of the old path and
filenames across the tree.
The exception is doc/uImage.FIT/command_syntax_extensions.txt which
apparently has been removed entirely, or at least I was unable to
locate where that document is now.
Signed-off-by: Daniel Golle <[email protected]>
|
|
If realloc fails, list->strings was set to NULL and
it would create a leak. This commit ensures that if we cannot
add a string to the list, the list stays in a good state.
Signed-off-by: Francois Berder <[email protected]>
|
|
Currently, when one wants to use an OpenSSL engine to sign a FIT image,
one needs to pass a keydir (via -k) to mkimage which will then be
prepended to the value of the key-name-hint before being passed as
key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to
mkimage.
My OpenSSL engine only has "slots" which are not mapped like
directories, so using keydir is not proper, though I could simply have
-k '' I guess but this won't work currently with binman anyway.
Additionally, passing a keyfile (-G) when using an engine doesn't make
sense as the key is stored in the engine.
Let's simply allow FIT images to be signed if both keydir and keyfile are
missing but an engine is to be used.
The keyname member is already filled by looking at key-name-hint
property in the FIT and passed to the engine, which is exactly what is
needed here.
Reviewed-by: Wolfgang Wallner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Quentin Schulz <[email protected]>
|
|
The symbol TOOLS_IMAGE_PRE_LOAD doesn't depend on TOOLS_LIBCRYPTO.
If we choose to build tools without openssl, rsa_verify_openssl()
will attempt to call the unavailable openssl library functions.
Fixes: 942c8c8e6697 ("rsa: Add rsa_verify_openssl() to use openssl for host builds")
Signed-off-by: Shiji Yang <[email protected]>
|
|
Paul HENRYS <[email protected]> says:
This series of patches adds a new tool to authenticate files signed with
a preload header. This tool is also used in the tests to actually
verify the authenticity of the file signed with such a preload header.
Link: https://lore.kernel.org/r/[email protected]
|
|
rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data
when building host tools.
Signed-off-by: Paul HENRYS <[email protected]>
|
|
Prepare v2025.04-rc3
|
|
This reverts commit c8750efe02c20725388dd4279896aaf306acfad4, reversing
changes made to 8c6cf8aeea7e57ca686de8b765e4baf3a7ef1fa7.
Unfortunately these changes do not build on macOS hosts.
Signed-off-by: Tom Rini <[email protected]>
|
|
Paul HENRYS <[email protected]> says:
This series of patches adds a new tool to authenticate files signed
with a preload header.
This tool is also used in the tests to actually verify the
authenticity of the file signed with such a preload header.
Link: https://lore.kernel.org/r/[email protected]
|
|
rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data
when building host tools.
Signed-off-by: Paul HENRYS <[email protected]>
|
|
The PRNG implementing the random() function only has 2^31 states and
therefore is unsafe to use for cryptography. Use arc4random() instead.
Fixes: cc34f04efd63 ("tools: image-host.c: use random instead of rand")
Addresses-Coverity-ID: 312953 Calling risky function
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Report of the static analyzer:
1. NULL_AFTER_DEREF Pointer 'str', which is dereferenced at
image-host.c:688 by calling function 'strdup', is compared to a NULL
value at image-host.c:691.
2. NULL_AFTER_DEREF Pointer 'list', which is dereferenced at
image-host.c:689, is compared to a NULL value at image-host.c:691.
Corrections explained:
1. Checking for NULL before using pointers: The if (!list || !str) check
is now performed before calling strdup and realloc, which prevents
null pointer dereferences.
2. Checking the result of strdup: strdup can return NULL if memory
allocation fails. This also needs to be checked.
3. Checking the result of realloc: If realloc returns NULL, then memory
has not been allocated and dup must be freed to avoid memory leaks.
Triggers found by static analyzer Svace.
Signed-off-by: Anton Moryakov <[email protected]>
|
|
Simon Glass <[email protected]> says:
The current UPL spec[1] has been tidied up and improved over the last
year, since U-Boot's original UPL support was written.
This series includes some prerequisite patches needed for the real UPL
patches. It is split from [2]
[1] https://github.com/UniversalPayload/spec/tree/3f1450d
[2] https://patchwork.ozlabs.org/project/uboot/list/?series=438574&state=*
Link: https://lore.kernel.org/r/[email protected]
|
|
This function can only be used with FITs that use embedded data. Rename
it so this is clear.
Signed-off-by: Simon Glass <[email protected]>
Acked-by: Heinrich Schuchardt <[email protected]>
|
|
When the initialisation vector is randomly generated, its value shall be
stored in the FIT together with the encrypted data. The changes allow
storing the IV in the FIT also in the case where the key is not stored in
the DTB but retrieved somewhere else at runtime.
Signed-off-by: Paul HENRYS <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Fix error message like this:
Can't add verification data for node 'fdt-1' (<unknown error>)
We get an unknown error because we decode the error as an fdt error,
but actually it is a system error.
Signed-off-by: Alexander Kochetkov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
U-Boot configured for verified boot with the "required" option set to
"conf" also checks scripts put in FIT images for a valid signature, and
refuses to source and run such a script if the signature for the
configuration is bad or missing. Such a script could not be packaged
before, because mkimage failed like this:
% tools/mkimage -T script -C none -d tmp/my.scr -f auto-conf -k tmp -g dev -o sha256,rsa4096 my.uimg
Failed to find any images for configuration 'conf-1/signature'
tools/mkimage Can't add hashes to FIT blob: -1
Error: Bad parameters for FIT image type
This is especially unfortunate if LEGACY_IMAGE_FORMAT is disabled as
recommended.
Listing the script configuration in a "sign-images" subnode instead,
would have added even more complexity to the already complex auto fit
generation code.
Signed-off-by: Alexander Dahl <[email protected]>
|
|
A recent refactoring in image-host.c messed up the return values of
the function that reads the encryption keys. This patch fixes this
and also makes sure that error output goes to stderr instead of to
stdout.
Signed-off-by: Hugo Cornelis <[email protected]>
|
|
This patch adds a function fit_image_read_key_iv_data that checks the
return value of snprintf and allows generating a sensible error
message when generating binary images using filenames that are too
long for the OS to handle.
This is especially relevant for automated builds such as Buildroot and
Yocto builds.
Signed-off-by: Hugo Cornelis <[email protected]>
|
|
Commit cb9faa6f98ae ("tools: Use a single target-independent config to
enable OpenSSL") introduced a target-independent configuration to build
crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
host tools and SPL") the build without OpenSSL is broken, due to FIT
signature/encryption features. Add missing conditional compilation
tokens to fix this.
Signed-off-by: Paul-Erwan Rio <[email protected]>
Tested-by: Alexander Dahl <[email protected]>
Cc: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
make by default cuts off the stdout output from external tools,
so all error messages from the image-host are not shown in a make
output. Besides that, it is a common approach to use the stderr stream
for error messages.
Use stderr for all error messages in image-host.
Signed-off-by: Oleksandr Suvorov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add messages to make it clearer which part of the FIT creation is failing.
This can happen when an invalid 'algo' property is provided in the .its
file.
Signed-off-by: Simon Glass <[email protected]>
|
|
Just like we exclude data-size, data-position, and data-offset from
fit_config_check_sig, we must exclude them while signing as well.
While we're at it, use the FIT_DATA_* defines for fit_config_check_sig
as well.
Fixes: 8edecd3110e ("fit: Fix verification of images with external data")
Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding")
Signed-off-by: Sean Anderson <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Putting these definitions in a header will allow signatures to be
validated independently of bootm.
Signed-off-by: Steven Lawrance <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
ENODATA isn't part of POSIX. Use EINVAL instead.
Signed-off-by: Mark Kettenis <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
This commit enhances mkimage to update the node
/image/pre-load/sig with the public key.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Philippe Reynes <[email protected]>
|
|
At present mkimage displays the node information but it is not clear what
signing action was taken. Add a message that shows it. For now it only
supports showing a single signing action, since that is the common case.
Sample:
Signature written to 'sha1-basic/test.fit',
node '/configurations/conf-1/signature'
Public key written to 'sha1-basic/sandbox-u-boot.dtb',
node '/signature/key-dev'
Signed-off-by: Simon Glass <[email protected]>
|
|
Update the two functions that call add_verify_data() so that the caller
can see the node that was written to.
Signed-off-by: Simon Glass <[email protected]>
|
|
It is useful to know where the verification data was written. Update the
API to return this.
Signed-off-by: Simon Glass <[email protected]>
|
|
The name is created but never used. Drop it.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add some more comments to explain what is going on in the signing
functions. Fix two repeated typos.
Signed-off-by: Simon Glass <[email protected]>
|
|
This permits preparing FIT image descriptions that do not hard-code the
final choice of the signature algorithm, which would otherwise possibly
require the user to patch the sources.
When -o <algo> is specified, this information is used in favor of the
'algo' property in the signature node. Furthermore, that property is set
accordingly when writing the image.
Signed-off-by: Jan Kiszka <[email protected]>
|
|
Modifications would be invalid.
Signed-off-by: Jan Kiszka <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Sphinx expects Return: and not @return to indicate a return value.
find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Signed-off-by: Vagrant Cascadian <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
This value is either 0 for success or -1 for error. Coverity reports that
"ret" is passed to a parameter that cannot be negative, pointing to the
condition 'if (ret < 0)'.
Adjust it to just check for non-zero and avoid showing -1 in the error
message, which is pointless. Perhaps these changes will mollify Coverity.
Reported-by: Coverity (CID: 312956)
Signed-off-by: Simon Glass <[email protected]>
|
|
The return value '-ENOSPC' of the fit_set_timestamp function does not match
the caller fit_image_write_sig's expectation, which is '-FDT_ERR_NOSPACE'.
Fix it by not calling fit_set_timestamp, but calling fdt_setprop instead.
This fixes a following mkimage error:
| Can't write signature for 'signature@1' signature node in
| '[email protected]' conf node: <unknown error>
| mkimage Can't add hashes to FIT blob: -1
Signed-off-by: Ming Liu <[email protected]>
Tested-by: Igor Opaniuk <[email protected]>
|
|
It's not always desirable to use 'keydir' and some ad-hoc heuristics
to get the filename of the signing key. More often, just passing the
filename is the simpler, easier, and logical thing to do.
Since mkimage doesn't use long options, we're slowly running out of
letters. I've chosen '-G' because it was available.
Signed-off-by: Alexandru Gagniuc <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The property sign-images points to images in the configuration
node. But those images may reference several "sub-images" (for
example for loadable images). This commit adds support for
several sub-images.
Signed-off-by: Philippe Reynes <[email protected]>
|
|
This commit creates a function fit_config_add_hash that will be
used in the next commit to support several 'sub-images'.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
In the function get_random_data, strerror is called with
the variable ret (which is the return of the function
clock_gettime). It should be called with errno. This
commit fixes this mistake.
Reported-by: Coverity (CID: 312956)
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
According to the manpage of rand, it is recommended
to use random instead of rand. This commit updates
the function get_random_data to use random.
Reported-by: Coverity (CID: 312953)
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
When building on a 32bit host the following warning occurs:
tools/image-host.c: In function ‘fit_image_read_data’:
tools/image-host.c:296:56: warning: format ‘%ld’ expects argument of
type ‘long int’, but argument 3 has type ‘__off64_t’
{aka ‘long long int’} [-Wformat=]
printf("File %s don't have the expected size (size=%ld, expected=%d)\n",
~~^
%lld
filename, sbuf.st_size, expected_size);
~~~~~~~~~~~~
tools/image-host.c:311:62: warning: format ‘%ld’ expects argument of
type ‘long int’, but argument 4 has type ‘__off64_t’
{aka ‘long long int’} [-Wformat=]
printf("Can't read all file %s (read %zd bytes, expexted %ld)\n",
~~^
%lld
filename, n, sbuf.st_size);
~~~~~~~~~~~~
Fix the format strings.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Binaries may be encrypted in a FIT image with AES. This
algo needs a key and an IV (Initialization Vector). The
IV is provided in a file (pointed to by iv-name-hint in the
ITS file) when building the ITB file.
This commit adds an alternative way to manage
the IV. If the property iv-name-hint is not provided in
the ITS file, the tool mkimage will generate a random
IV and store it in the FIT image.
Signed-off-by: Philippe Reynes <[email protected]>
|
|
This patch addresses issue #2 for signed configurations.
-----8<-----
Including the image cipher properties in the configuration signature
prevents an attacker from modifying cipher, key or iv properties.
Signed-off-by: Patrick Oppenlander <[email protected]>
Reviewed-by: Philippe Reynes <[email protected]>
|
|
Previously, mkimage -F could be run multiple times causing already
ciphered image data to be ciphered again.
Signed-off-by: Patrick Oppenlander <[email protected]>
Reviewed-by: Philippe Reynes <[email protected]>
|
|
Also replace fdt_delprop/fdt_setprop with fdt_setprop as fdt_setprop can
replace an existing property value.
Signed-off-by: Patrick Oppenlander <[email protected]>
Reviewed-by: Philippe Reynes <[email protected]>
|
|
Previously mkimage would process any node matching the regex cipher.*
and apply the ciphers to the image data in the order they appeared in
the FDT. This meant that data could be inadvertently ciphered multiple
times.
Switch to processing a single cipher node which exactly matches
FIT_CIPHER_NODENAME.
Signed-off-by: Patrick Oppenlander <[email protected]>
Reviewed-by: Philippe Reynes <[email protected]>
|
|
fdt_region APIs are not part of libfdt. They are a U-Boot extension
for verified boot. Split the declarations related to fdt_region
out into <fdt_region.h>. This allows <linux/libfdt.h> to become a
simple wrapper file, like Linux does.
Signed-off-by: Masahiro Yamada <[email protected]>
|
|
When building on a 32bit host the following warning occurs:
tools/image-host.c: In function ‘fit_image_read_data’:
tools/image-host.c:310:42: warning: format ‘%ld’ expects argument of type
‘long int’, but argument 3 has type ‘ssize_t’ {aka ‘int’} [-Wformat=]
printf("Can't read all file %s (read %ld bytes, expexted %ld)\n",
~~^
%d
filename, n, sbuf.st_size);
~
n is of type ssize_t so we should use %zd for printing.
Fixes: 7298e422504e ("mkimage: fit: add support to encrypt image with aes")
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|