mail archive of the barebox mailing list
* [PATCH v2 1/2] bootm: replace CONFIG_BOOTM_FORCE_SIGNED_IMAGES with helper
@ 2024-04-08 14:31 Marco Felsch
  2024-04-08 14:31 ` [PATCH v2 2/2] bootm: add support for dynamically forcing signature verification Marco Felsch
  2024-04-10  6:36 ` [PATCH v2 1/2] bootm: replace CONFIG_BOOTM_FORCE_SIGNED_IMAGES with helper Sascha Hauer
  0 siblings, 2 replies; 3+ messages in thread
From: Marco Felsch @ 2024-04-08 14:31 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

From: Ahmad Fatoum <a.fatoum@pengutronix.de>

In preparation for allowing even CONFIG_BOOTM_FORCE_SIGNED_IMAGES=n
configurations to force boot of only signed images, replace direct
use of IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES) with a helper that
queries a static variable that can be forced at runtime in a follow-up
commit.

No functional change.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
Changelog:
v2:
- add my s-o-b tag
v1:
- https://lore.barebox.org/barebox/20231023162748.533468-1-a.fatoum@pengutronix.de/

 arch/arm/lib32/bootm.c |  2 +-
 common/bootm.c         | 11 +++++++++--
 include/bootm.h        |  2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/arch/arm/lib32/bootm.c b/arch/arm/lib32/bootm.c
index e814593dce43..aeb873a3a723 100644
--- a/arch/arm/lib32/bootm.c
+++ b/arch/arm/lib32/bootm.c
@@ -294,7 +294,7 @@ static int __do_bootm_linux(struct image_data *data, unsigned long free_mem,
 	}
 
 	if (IS_ENABLED(CONFIG_BOOTM_OPTEE)) {
-		if (data->tee_file && !IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+		if (data->tee_file && !bootm_signed_images_are_forced()) {
 			ret = bootm_load_tee_from_file(data);
 			if (ret)
 				return ret;
diff --git a/common/bootm.c b/common/bootm.c
index a59fa35008a9..3cd4aa1528a7 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -87,6 +87,13 @@ static const char * const bootm_verify_names[] = {
 	[BOOTM_VERIFY_SIGNATURE] = "signature",
 };
 
+static bool force_signed_images = IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES);
+
+bool bootm_signed_images_are_forced(void)
+{
+	return force_signed_images;
+}
+
 static int uimage_part_num(const char *partname)
 {
 	if (!partname)
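Review bot: bootm_signed_images_are_forced() is a new externally visible helper without a kernel-doc comment; since it is meant to answer both the Kconfig default and a later runtime override, a short comment above it stating that it reports whether bootm is restricted to signed images (whether set at build time or forced later) would help callers. The IS_ENABLED() initializer of force_signed_images evaluates to a constant 0 or 1, so using it for a static initialization is fine and the hunk is behaviour-preserving as the commit message claims.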
@@ -694,7 +701,7 @@ int bootm_boot(struct bootm_data *bootm_data)
 		goto err_out;
 	}
 
-	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+	if (bootm_signed_images_are_forced()) {
 		data->verify = BOOTM_VERIFY_SIGNATURE;
 
 		/*
@@ -985,7 +992,7 @@ static int bootm_init(void)
 		globalvar_add_simple("bootm.initrd.loadaddr", NULL);
 	}
 
-	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES))
+	if (bootm_signed_images_are_forced())
 		bootm_verify_mode = BOOTM_VERIFY_SIGNATURE;
 
 	globalvar_add_simple_int("bootm.verbose", &bootm_verbosity, "%u");
diff --git a/include/bootm.h b/include/bootm.h
index c69da85cdda1..e4d59b566edf 100644
--- a/include/bootm.h
+++ b/include/bootm.h
@@ -152,6 +152,8 @@ int bootm_get_os_size(struct image_data *data);
 enum bootm_verify bootm_get_verify_mode(void);
 void bootm_set_verify_mode(enum bootm_verify mode);
 
+bool bootm_signed_images_are_forced(void);
+
 #define UIMAGE_SOME_ADDRESS (UIMAGE_INVALID_ADDRESS - 1)
 
 void *booti_load_image(struct image_data *data, phys_addr_t *oftree);
-- 
2.39.2

* [PATCH v2 2/2] bootm: add support for dynamically forcing signature verification
From: Marco Felsch @ 2024-04-08 14:31 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

From: Ahmad Fatoum <a.fatoum@pengutronix.de>

So far, secure booting systems statically configured
CONFIG_BOOTM_FORCE_SIGNED_IMAGES=y to restrict bootm to signed images.

This remains the recommended way, but some systems require the ability
to decide at runtime whether to enforce secure boot or to disable it,
e.g. after verifying a JSON web token with the appropriate claim.

For such systems, provide a bootm_force_signed_images() function.
There's intentionally no unforce counterpart as this is meant to be
non-reversible.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
Changelog:
v2:
- fix commit message typo
- add my s-o-b tag
v1:
- https://lore.barebox.org/barebox/20231023162748.533468-1-a.fatoum@pengutronix.de/

 common/bootm.c  | 16 ++++++++++++++++
 include/bootm.h |  1 +
 2 files changed, 17 insertions(+)

diff --git a/common/bootm.c b/common/bootm.c
index 3cd4aa1528a7..c851ab0456b8 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -89,6 +89,22 @@ static const char * const bootm_verify_names[] = {
 
 static bool force_signed_images = IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES);
 
+void bootm_force_signed_images(void)
+{
+	static unsigned int verify_mode = 0;
+
+	if (force_signed_images)
+		return;
+
+	/* recreate bootm.verify with a single enumeration as option */
+	globalvar_remove("bootm.verify");
+	globalvar_add_simple_enum("bootm.verify", &verify_mode,
+				  &bootm_verify_names[BOOTM_VERIFY_SIGNATURE], 1);
+
+	bootm_verify_mode = BOOTM_VERIFY_SIGNATURE;
+	force_signed_images = true;
+}
+
 bool bootm_signed_images_are_forced(void)
 {
 	return force_signed_images;
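Review bot: the return values of globalvar_remove() and globalvar_add_simple_enum() are discarded in bootm_force_signed_images(), and the function itself is void, so a failure to re-create bootm.verify would go unnoticed; bootm_verify_mode and force_signed_images are still set unconditionally afterwards, so the enforcement fails safe, but a pr_warn() on a failed re-registration would tell the operator that the variable no longer reflects the forced state. The re-created variable is also backed by the local static verify_mode rather than bootm_verify_mode, which is fine with a single enum entry but means a later write to bootm.verify no longer reaches bootm_verify_mode; a one-line comment saying this decoupling is intentional would avoid a future "fix". Finally, the non-reversibility promised in the commit message deserves a kernel-doc comment above the function, since nothing in the signature conveys it.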
diff --git a/include/bootm.h b/include/bootm.h
index e4d59b566edf..98ac5e5a9374 100644
--- a/include/bootm.h
+++ b/include/bootm.h
@@ -153,6 +153,7 @@ enum bootm_verify bootm_get_verify_mode(void);
 void bootm_set_verify_mode(enum bootm_verify mode);
 
 bool bootm_signed_images_are_forced(void);
+void bootm_force_signed_images(void);
 
 #define UIMAGE_SOME_ADDRESS (UIMAGE_INVALID_ADDRESS - 1)
 
-- 
2.39.2

* Re: [PATCH v2 1/2] bootm: replace CONFIG_BOOTM_FORCE_SIGNED_IMAGES with helper
From: Sascha Hauer @ 2024-04-10  6:36 UTC (permalink / raw)
  To: barebox, Marco Felsch; +Cc: Ahmad Fatoum


On Mon, 08 Apr 2024 16:31:30 +0200, Marco Felsch wrote:
> In preparation for allowing even CONFIG_BOOTM_FORCE_SIGNED_IMAGES=n
> configurations to force boot of only signed images, replace direct
> use of IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES) with a helper that
> queries a static variable that can be forced at runtime in a follow-up
> commit.
> 
> No functional change.
> 
> [...]

Applied, thanks!

[1/2] bootm: replace CONFIG_BOOTM_FORCE_SIGNED_IMAGES with helper
      https://git.pengutronix.de/cgit/barebox/commit/?id=7c80ebdcecd9 (link may not be stable)
[2/2] bootm: add support for dynamically forcing signature verification
      https://git.pengutronix.de/cgit/barebox/commit/?id=933db056bbdf (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>