Merge branch '2020-10-12-assorted-encryption-changes'
- Fix verified boot on BE targets
- Add support for multiple required keys in verified boots
- Add support for Initialization Vectors in AES keys in FIT images
- Assorted fixes in the RSA code
diff --git a/common/image-cipher.c b/common/image-cipher.c
index 09869f7..4ca9eec 100644
--- a/common/image-cipher.c
+++ b/common/image-cipher.c
@@ -94,9 +94,11 @@
return -1;
}
+ info->iv = fdt_getprop(fit, cipher_noffset, "iv", NULL);
info->ivname = fdt_getprop(fit, cipher_noffset, "iv-name-hint", NULL);
- if (!info->ivname) {
- printf("Can't get IV name\n");
+
+ if (!info->iv && !info->ivname) {
+ printf("Can't get IV or IV name\n");
return -1;
}
@@ -120,8 +122,12 @@
* Search the cipher node in the u-boot fdt
* the path should be: /cipher/key-<algo>-<key>-<iv>
*/
- snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s-%s",
- FIT_CIPHER_NODENAME, algo_name, info->keyname, info->ivname);
+ if (info->ivname)
+ snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s-%s",
+ FIT_CIPHER_NODENAME, algo_name, info->keyname, info->ivname);
+ else
+ snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s",
+ FIT_CIPHER_NODENAME, algo_name, info->keyname);
noffset = fdt_path_offset(fdt, node_path);
if (noffset < 0) {
@@ -137,10 +143,12 @@
}
/* read iv */
- info->iv = fdt_getprop(fdt, noffset, "iv", NULL);
if (!info->iv) {
- printf("Can't get IV in cipher node '%s'\n", node_path);
- return -1;
+ info->iv = fdt_getprop(fdt, noffset, "iv", NULL);
+ if (!info->iv) {
+ printf("Can't get IV in cipher node '%s'\n", node_path);
+ return -1;
+ }
}
return 0;
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
index cc19671..5401d94 100644
--- a/common/image-fit-sig.c
+++ b/common/image-fit-sig.c
@@ -416,6 +416,10 @@
{
int noffset;
int sig_node;
+ int verified = 0;
+ int reqd_sigs = 0;
+ bool reqd_policy_all = true;
+ const char *reqd_mode;
/* Work out what we need to verify */
sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
@@ -425,6 +429,14 @@
return 0;
}
+ /* Get required-mode policy property from DTB */
+ reqd_mode = fdt_getprop(sig_blob, sig_node, "required-mode", NULL);
+ if (reqd_mode && !strcmp(reqd_mode, "any"))
+ reqd_policy_all = false;
+
+ debug("%s: required-mode policy set to '%s'\n", __func__,
+ reqd_policy_all ? "all" : "any");
+
fdt_for_each_subnode(noffset, sig_blob, sig_node) {
const char *required;
int ret;
@@ -433,15 +445,29 @@
NULL);
if (!required || strcmp(required, "conf"))
continue;
+
+ reqd_sigs++;
+
ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
noffset);
if (ret) {
- printf("Failed to verify required signature '%s'\n",
- fit_get_name(sig_blob, noffset, NULL));
- return ret;
+ if (reqd_policy_all) {
+ printf("Failed to verify required signature '%s'\n",
+ fit_get_name(sig_blob, noffset, NULL));
+ return ret;
+ }
+ } else {
+ verified++;
+ if (!reqd_policy_all)
+ break;
}
}
+ if (reqd_sigs && !verified) {
+ printf("Failed to verify 'any' of the required signature(s)\n");
+ return -EPERM;
+ }
+
return 0;
}
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index d4afd75..a345588 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -386,6 +386,20 @@
This happens automatically as part of a bootm command when FITs are used.
+For Signed Configurations, the default verification behavior can be changed by
+the following optional property in /signature node in U-Boot's control FDT.
+
+- required-mode: Valid values are "any" to allow verified boot to succeed if
+the selected configuration is signed by any of the 'required' keys, and "all"
+to allow verified boot to succeed if the selected configuration is signed by
+all of the 'required' keys.
+
+This property can be added to a binary device tree using fdtput as shown in
+below examples::
+
+ fdtput -t s control.dtb /signature required-mode any
+ fdtput -t s control.dtb /signature required-mode all
+
Enabling FIT Verification
-------------------------
diff --git a/include/image.h b/include/image.h
index 9a5a87d..10995b8 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1463,7 +1463,7 @@
unsigned char **cipher, int *cipher_len);
int (*add_cipher_data)(struct image_cipher_info *info,
- void *keydest);
+ void *keydest, void *fit, int node_noffset);
int (*decrypt)(struct image_cipher_info *info,
const void *cipher, size_t cipher_len,
diff --git a/include/u-boot/aes.h b/include/u-boot/aes.h
index 3228104..acbc50b 100644
--- a/include/u-boot/aes.h
+++ b/include/u-boot/aes.h
@@ -13,7 +13,8 @@
int image_aes_encrypt(struct image_cipher_info *info,
const unsigned char *data, int size,
unsigned char **cipher, int *cipher_len);
-int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest);
+int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
+ void *fit, int node_noffset);
#else
int image_aes_encrypt(struct image_cipher_info *info,
const unsigned char *data, int size,
@@ -22,7 +23,8 @@
return -ENXIO;
}
-int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
+int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
+ void *fit, int node_noffset)
{
return -ENXIO;
}
diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
index de00a83..a6d1720 100644
--- a/lib/aes/aes-encrypt.c
+++ b/lib/aes/aes-encrypt.c
@@ -74,7 +74,8 @@
return ret;
}
-int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
+int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
+ void *fit, int node_noffset)
{
int parent, node;
char name[128];
@@ -97,8 +98,13 @@
goto done;
/* Either create or overwrite the named key node */
- snprintf(name, sizeof(name), "key-%s-%s-%s",
- info->name, info->keyname, info->ivname);
+ if (info->ivname)
+ snprintf(name, sizeof(name), "key-%s-%s-%s",
+ info->name, info->keyname, info->ivname);
+ else
+ snprintf(name, sizeof(name), "key-%s-%s",
+ info->name, info->keyname);
+
node = fdt_subnode_offset(keydest, parent, name);
if (node == -FDT_ERR_NOTFOUND) {
node = fdt_add_subnode(keydest, parent, name);
@@ -116,9 +122,17 @@
ret = node;
}
+ if (ret)
+ goto done;
+
- if (!ret)
+ if (info->ivname)
+ /* Store the IV in the u-boot device tree */
ret = fdt_setprop(keydest, node, "iv",
info->iv, info->cipher->iv_len);
+ else
+ /* Store the IV in the FIT image */
+ ret = fdt_setprop(fit, node_noffset, "iv",
+ info->iv, info->cipher->iv_len);
if (!ret)
ret = fdt_setprop(keydest, node, "key",
diff --git a/lib/hashtable.c b/lib/hashtable.c
index 4a8c50b..7c08f5c 100644
--- a/lib/hashtable.c
+++ b/lib/hashtable.c
@@ -324,8 +324,7 @@
*/
unsigned hval2;
- if (htab->table[idx].used == USED_DELETED
- && !first_deleted)
+ if (htab->table[idx].used == USED_DELETED)
first_deleted = idx;
ret = _compare_and_overwrite_entry(item, action, retval, htab,
diff --git a/lib/rsa/rsa-mod-exp.c b/lib/rsa/rsa-mod-exp.c
index a437cbe..78c688d 100644
--- a/lib/rsa/rsa-mod-exp.c
+++ b/lib/rsa/rsa-mod-exp.c
@@ -25,6 +25,14 @@
#define get_unaligned_be32(a) fdt32_to_cpu(*(uint32_t *)a)
#define put_unaligned_be32(a, b) (*(uint32_t *)(b) = cpu_to_fdt32(a))
+static inline uint64_t fdt64_to_cpup(const void *p)
+{
+ fdt64_t w;
+
+ memcpy(&w, p, sizeof(w));
+ return fdt64_to_cpu(w);
+}
+
/* Default public exponent for backward compatibility */
#define RSA_DEFAULT_PUBEXP 65537
@@ -263,8 +271,7 @@
if (!prop->public_exponent)
key.exponent = RSA_DEFAULT_PUBEXP;
else
- rsa_convert_big_endian((uint32_t *)&key.exponent,
- prop->public_exponent, 2);
+ key.exponent = fdt64_to_cpup(prop->public_exponent);
if (!key.len || !prop->modulus || !prop->rr) {
debug("%s: Missing RSA key info", __func__);
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 2057f68..0ab0f62 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -439,12 +439,17 @@
struct key_prop prop;
int length;
int ret = 0;
+ const char *algo;
if (node < 0) {
debug("%s: Skipping invalid node", __func__);
return -EBADF;
}
+ algo = fdt_getprop(blob, node, "algo", NULL);
+ if (strcmp(info->name, algo))
+ return -EFAULT;
+
prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0);
prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);
@@ -540,7 +545,7 @@
{
/* Reserve memory for maximum checksum-length */
uint8_t hash[info->crypto->key_len];
- int ret = -EACCES;
+ int ret;
/*
* Verify that the checksum-length does not exceed the
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 6b998cf..e45800d 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -126,6 +126,23 @@
cons.log.action('%s: Sign images' % sha_algo)
util.run_and_log(cons, args)
+ def sign_fit_norequire(sha_algo, options):
+ """Sign the FIT
+
+ Signs the FIT and writes the signature into it. It also writes the
+ public key into the dtb. It does not mark key as 'required' in dtb.
+
+ Args:
+ sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
+ use.
+ options: Options to provide to mkimage.
+ """
+ args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, fit]
+ if options:
+ args += options.split(' ')
+ cons.log.action('%s: Sign images' % sha_algo)
+ util.run_and_log(cons, args)
+
def replace_fit_totalsize(size):
"""Replace FIT header's totalsize with something greater.
@@ -279,15 +296,40 @@
# Build the FIT with dev key (keys NOT required). This adds the
# signature into sandbox-u-boot.dtb, NOT marked 'required'.
make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
- sign_fit(sha_algo, sign_options)
+ sign_fit_norequire(sha_algo, sign_options)
# So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
# Only the prod key is set as 'required'. But FIT we just built has
- # a dev signature only (sign_fit() overwrites the FIT).
+ # a dev signature only (sign_fit_norequire() overwrites the FIT).
# Try to boot the FIT with dev key. This FIT should not be accepted by
# U-Boot because the prod key is required.
run_bootm(sha_algo, 'required key', '', False)
+ # Build the FIT with dev key (keys required) and sign it. This puts the
+ # signature into sandbox-u-boot.dtb, marked 'required'.
+ make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
+ sign_fit(sha_algo, sign_options)
+
+ # Set the required-mode policy to "any".
+ # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
+ # Both the dev and prod key are set as 'required'. But FIT we just built has
+ # a dev signature only (sign_fit() overwrites the FIT).
+ # Try to boot the FIT with dev key. This FIT should be accepted by
+ # U-Boot because the dev key is required and policy is "any" required key.
+ util.run_and_log(cons, 'fdtput -t s %s /signature required-mode any' %
+ (dtb))
+ run_bootm(sha_algo, 'multi required key', 'dev+', True)
+
+ # Set the required-mode policy to "all".
+ # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
+ # Both the dev and prod key are set as 'required'. But FIT we just built has
+ # a dev signature only (sign_fit() overwrites the FIT).
+ # Try to boot the FIT with dev key. This FIT should not be accepted by
+ # U-Boot because the prod key is required and policy is "all" required key
+ util.run_and_log(cons, 'fdtput -t s %s /signature required-mode all' %
+ (dtb))
+ run_bootm(sha_algo, 'multi required key', '', False)
+
cons = u_boot_console
tmpdir = cons.config.result_dir + '/'
datadir = cons.config.source_dir + '/test/py/tests/vboot/'
diff --git a/tools/image-host.c b/tools/image-host.c
index 3d52593..8886bef 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -320,6 +320,36 @@
return ret;
}
+static int get_random_data(void *data, int size)
+{
+ unsigned char *tmp = data;
+ struct timespec date;
+ int i, ret = 0;
+
+ if (!tmp) {
+ printf("%s: pointer data is NULL\n", __func__);
+ ret = -1;
+ goto out;
+ }
+
+ ret = clock_gettime(CLOCK_MONOTONIC, &date);
+ if (ret < 0) {
+ printf("%s: clock_gettime has failed (err=%d, str=%s)\n",
+ __func__, ret, strerror(ret));
+ goto out;
+ }
+
+ srand(date.tv_nsec);
+
+ for (i = 0; i < size; i++) {
+ *tmp = rand() & 0xff;
+ tmp++;
+ }
+
+ out:
+ return ret;
+}
+
static int fit_image_setup_cipher(struct image_cipher_info *info,
const char *keydir, void *fit,
const char *image_name, int image_noffset,
@@ -345,13 +375,13 @@
goto out;
}
- /* Read the IV name */
+ /*
+ * Read the IV name
+ *
+ * If this property is not provided then mkimage will generate
+ * a random IV and store it in the FIT image
+ */
info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL);
- if (!info->ivname) {
- printf("Can't get iv name for cipher in image '%s'\n",
- image_name);
- goto out;
- }
info->fit = fit;
info->node_noffset = noffset;
@@ -377,17 +407,23 @@
if (ret < 0)
goto out;
- /* Read the IV in the file */
- snprintf(filename, sizeof(filename), "%s/%s%s",
- info->keydir, info->ivname, ".bin");
info->iv = malloc(info->cipher->iv_len);
if (!info->iv) {
printf("Can't allocate memory for iv\n");
ret = -1;
goto out;
}
+
+ if (info->ivname) {
+ /* Read the IV in the file */
+ snprintf(filename, sizeof(filename), "%s/%s%s",
+ info->keydir, info->ivname, ".bin");
+ ret = fit_image_read_data(filename, (unsigned char *)info->iv,
+ info->cipher->iv_len);
+ } else {
+ /* Generate an ramdom IV */
+ ret = get_random_data((void *)info->iv, info->cipher->iv_len);
+ }
- ret = fit_image_read_data(filename, (unsigned char *)info->iv,
- info->cipher->iv_len);
out:
return ret;
@@ -453,9 +489,10 @@
* Write the public key into the supplied FDT file; this might fail
* several times, since we try signing with successively increasing
* size values
+ * And, if needed, write the iv in the FIT file
*/
if (keydest) {
- ret = info.cipher->add_cipher_data(&info, keydest);
+ ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset);
if (ret) {
printf("Failed to add verification data for cipher '%s' in image '%s'\n",
info.keyname, image_name);