mail archive of the barebox mailing list
* [PATCH] bootm: Add option to force booting signed images
@ 2016-01-19  7:55 Sascha Hauer
  2016-01-19  8:03 ` Yegor Yefremov
  0 siblings, 1 reply; 3+ messages in thread
From: Sascha Hauer @ 2016-01-19  7:55 UTC (permalink / raw)
  To: Barebox List

With CONFIG_BOOTM_FORCE_SIGNED_IMAGES the bootm code will refuse to boot
unsigned images. Since currently FIT is the only image type which
supports signing this means we with this option we enforce using FIT
images. All additionally passed in device trees and initrds will be
ignored so that only the ones from the FIT image can be used.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/bootm.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/common/bootm.c b/common/bootm.c
index d8acff8..3efc17e 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -68,8 +68,10 @@ enum bootm_verify bootm_get_verify_mode(void)
 }
 
 static const char * const bootm_verify_names[] = {
+#ifndef CONFIG_BOOTM_FORCE_SIGNED_IMAGES
 	[BOOTM_VERIFY_NONE] = "none",
 	[BOOTM_VERIFY_HASH] = "hash",
+#endif
 	[BOOTM_VERIFY_SIGNATURE] = "signature",
 };
 
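Review bot: Wrapping the [BOOTM_VERIFY_NONE] and [BOOTM_VERIFY_HASH] initializers in #ifndef does not shrink bootm_verify_names[]. The table uses designated initializers, so it is still sized by its highest index, and any omitted value that sits below BOOTM_VERIFY_SIGNATURE becomes a NULL slot. The code that walks this table is not touched by the patch, so it must either skip NULL entries, or the names should stay and the weaker modes be rejected where the value is set.
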
@@ -526,6 +528,23 @@ int bootm_boot(struct bootm_data *bootm_data)
 		goto err_out;
 	}
 
+	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES))
+		data->verify = BOOTM_VERIFY_SIGNATURE;
+
+		/*
+		 * When we only allow booting signed images make sure everything
+		 * we boot is in the OS image and not given separately.
+		 */
+		data->oftree = NULL;
+		data->oftree_file = NULL;
+		data->initrd_file = NULL;
+		if (os_type != filetype_oftree) {
+			printf("Signed boot and image is no FIT image, aborting\n");
+			ret = -EINVAL;
+			goto err_out;
+		}
+	}
+
 	if (IS_ENABLED(CONFIG_FITIMAGE) && os_type == filetype_oftree) {
 		struct fit_handle *fit;
 
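Review bot: The added "if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES))" has no opening brace, although the following lines are indented as its body and closed with "}". As written, only "data->verify = BOOTM_VERIFY_SIGNATURE;" is conditional; the oftree/initrd resets and the filetype check sit outside the if, and the extra "}" unbalances bootm_boot(). Add " {" at the end of the if line.
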
-- 
2.7.0.rc3


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


* Re: [PATCH] bootm: Add option to force booting signed images
  2016-01-19  7:55 [PATCH] bootm: Add option to force booting signed images Sascha Hauer
@ 2016-01-19  8:03 ` Yegor Yefremov
  2016-01-22  7:35   ` Sascha Hauer
  0 siblings, 1 reply; 3+ messages in thread
From: Yegor Yefremov @ 2016-01-19  8:03 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: Barebox List

Hi Sascha,

On Tue, Jan 19, 2016 at 8:55 AM, Sascha Hauer <s.hauer@pengutronix.de> wrote:
> With CONFIG_BOOTM_FORCE_SIGNED_IMAGES the bootm code will refuse to boot
> unsigned images. Since currently FIT is the only image type which
> supports signing this means we with this option we enforce using FIT

comma is missing after "supports signing", "we" after "means" must go away

> images. All additionally passed in device trees and initrds will be

a word is missing between "All" and "additionally"

> ignored so that only the ones from the FIT image can be used.

comma after "ignored"

Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>

Yegor

> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
>  common/bootm.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/common/bootm.c b/common/bootm.c
> index d8acff8..3efc17e 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -68,8 +68,10 @@ enum bootm_verify bootm_get_verify_mode(void)
>  }
>
>  static const char * const bootm_verify_names[] = {
> +#ifndef CONFIG_BOOTM_FORCE_SIGNED_IMAGES
>         [BOOTM_VERIFY_NONE] = "none",
>         [BOOTM_VERIFY_HASH] = "hash",
> +#endif
>         [BOOTM_VERIFY_SIGNATURE] = "signature",
>  };
>
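
Review bot: CONFIG_BOOTM_FORCE_SIGNED_IMAGES is tested by the #ifndef here, but the diffstat lists only common/bootm.c, so this patch carries no Kconfig entry for the symbol. Unless it is already defined elsewhere in the tree, the option cannot be selected. Add the Kconfig entry in the same patch, with help text stating that separately passed device trees and initrds are ignored.
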
> @@ -526,6 +528,23 @@ int bootm_boot(struct bootm_data *bootm_data)
>                 goto err_out;
>         }
>
> +       if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES))
> +               data->verify = BOOTM_VERIFY_SIGNATURE;
> +
> +               /*
> +                * When we only allow booting signed images make sure everything
> +                * we boot is in the OS image and not given separately.
> +                */
> +               data->oftree = NULL;
> +               data->oftree_file = NULL;
> +               data->initrd_file = NULL;
> +               if (os_type != filetype_oftree) {
> +                       printf("Signed boot and image is no FIT image, aborting\n");
> +                       ret = -EINVAL;
> +                       goto err_out;
> +               }
> +       }
> +
>         if (IS_ENABLED(CONFIG_FITIMAGE) && os_type == filetype_oftree) {
>                 struct fit_handle *fit;
>
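
Review bot: The abort condition "os_type != filetype_oftree" does not take CONFIG_FITIMAGE into account, while the FIT branch directly below is guarded by "IS_ENABLED(CONFIG_FITIMAGE) && os_type == filetype_oftree". With forced signing enabled and FIT support disabled, an image detected as filetype_oftree passes the new check and then skips the FIT branch, so what happens to it is decided by code outside this hunk. Make the option depend on FITIMAGE, or add IS_ENABLED(CONFIG_FITIMAGE) to the abort condition.
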
> --
> 2.7.0.rc3
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox


* Re: [PATCH] bootm: Add option to force booting signed images
  2016-01-19  8:03 ` Yegor Yefremov
@ 2016-01-22  7:35   ` Sascha Hauer
  0 siblings, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2016-01-22  7:35 UTC (permalink / raw)
  To: Yegor Yefremov; +Cc: Barebox List

Hi Yegor,

On Tue, Jan 19, 2016 at 09:03:17AM +0100, Yegor Yefremov wrote:
> Hi Sascha,
> 
> On Tue, Jan 19, 2016 at 8:55 AM, Sascha Hauer <s.hauer@pengutronix.de> wrote:
> > With CONFIG_BOOTM_FORCE_SIGNED_IMAGES the bootm code will refuse to boot
> > unsigned images. Since currently FIT is the only image type which
> > supports signing this means we with this option we enforce using FIT
> 
> comma is missing after "supports signing", "we" after "means" must go away
> 
> > images. All additionally passed in device trees and initrds will be
> 
> a word is missing between "All" and "additionally"

I think not, I reread the sentence and it still makes sense to me.

I fixed the other things you mentioned.

Sascha


-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

