From patchwork Wed Apr 11 15:13:05 2018 X-Patchwork-Submitter: Jun Nie X-Patchwork-Id: 133146 Delivered-To: patch@linaro.org
From: Jun Nie To: teddy.reed@gmail.com, sumit.garg@nxp.com, philipp.tomsich@theobroma-systems.com, sjg@chromium.org, andre.przywara@arm.com, michal.simek@xilinx.com, siarhei.siamashka@gmail.com Date: Wed, 11 Apr 2018 23:13:05 +0800 Message-Id: <1523459585-7594-1-git-send-email-jun.nie@linaro.org> X-Mailer: git-send-email 2.7.4 Cc: u-boot@lists.denx.de Subject: [U-Boot] [PATCH] fit: skip signature verification if board request X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" It may be unnecessary to check signature on unlocked board. Get the hint from platform specific code to support secure boot and non-secure boot with the same binary, so that boot is not blocked if board is not locked and has no key for signature verification. Signed-off-by: Jun Nie --- common/image-sig.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/common/image-sig.c b/common/image-sig.c index d9f712f..f3d1252 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -151,6 +151,11 @@ struct image_region *fit_region_make_list(const void *fit, return region; } +int __attribute__((weak)) fit_board_skip_sig_verification(void) +{ + return 0; +} + static int fit_image_setup_verify(struct image_sign_info *info, const void *fit, int noffset, int required_keynode, char **err_msgp) @@ -188,6 +193,12 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data, uint8_t *fit_value; int fit_value_len; + /* Skip verification if board says that */ + if (fit_board_skip_sig_verification()) { + printf("signature check skipped\n"); + return 0; + } + *err_msgp = NULL; if (fit_image_setup_verify(&info, fit, noffset, required_keynode, err_msgp)) 
@@ -438,6 +449,12 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, int noffset; int sig_node; + /* Skip verification if board says that */ + if (fit_board_skip_sig_verification()) { + printf("signature check skipped\n"); + return 0; + } + /* Work out what we need to verify */ sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); if (sig_node < 0) {
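Review bot: the weak default fit_board_skip_sig_verification() in the first hunk (after fit_region_make_list()) has no comment stating its contract, and since the diffstat lists only common/image-sig.c there is no prototype in a header for a board file to override against. Add a declaration to the image header with a comment saying what a non-zero return means and what state the board is expected to base it on (the commit message says "unlocked board", but the code does not say how that is determined). U-Boot's `__weak` macro would also be more in keeping with the tree than the spelled-out `__attribute__((weak))`.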
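Review bot: in the fit_image_check_sig() hunk the early `return 0;` sits above `*err_msgp = NULL;`, so on the skip path the caller's error pointer is never initialised, and the return value is the same 0 that a successfully verified image produces. Move the check below the `*err_msgp = NULL;` assignment, and make the skip distinguishable from a pass, either through a distinct return convention or at least a message that names the image node, so a boot log shows which images were accepted without verification.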
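Review bot: in the fit_config_verify_required_sigs() hunk the skip returns before the FIT_SIG_NODENAME lookup in sig_blob, so the required-signature policy this function enforces is bypassed whenever the board hook returns non-zero, and this path is compiled into every build that includes image-sig.c. Guard both call sites behind a Kconfig option so that a locked-down build cannot contain the bypass at all, and factor the repeated `if (fit_board_skip_sig_verification()) { ... }` block into one helper so the two sites cannot drift apart. The comment "Skip verification if board says that" would read better as a statement of the condition, for example that the board reports it is not locked.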