From: Michael Olbrich <m.olbrich@pengutronix.de>
To: barebox@lists.infradead.org
Subject: Re: [PATCH 02/13] boot_verify: use a new error ESECVIOLATION
Date: Sun, 26 Mar 2017 09:59:00 +0200 [thread overview]
Message-ID: <20170326075900.hhdcxlywoh5p5sxm@pengutronix.de> (raw)
In-Reply-To: <1490496304-30850-2-git-send-email-plagnioj@jcrosoft.com>
On Sun, Mar 26, 2017 at 04:44:53AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
> so we can indentify it correctly
>
> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> ---
> common/bootm.c | 7 ++++---
> common/efi/efi.c | 2 +-
> common/image-fit.c | 12 ++++++------
> include/asm-generic/errno.h | 1 +
> 4 files changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/common/bootm.c b/common/bootm.c
> index 64c933b3c..53311ab1c 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -541,9 +541,10 @@ int bootm_boot(struct bootm_data *bootm_data)
> data->oftree = NULL;
> data->oftree_file = NULL;
> data->initrd_file = NULL;
> - if (os_type != filetype_oftree) {
> - printf("Signed boot and image is no FIT image, aborting\n");
> - ret = -EINVAL;
> + if (!handler->is_secure_supported) {
is_secure_supported is introduced on the next patch, so this hunk belongs
into that patch.
Regards,
Michael
> + printf("Signed boot and image %s does not support it",
> + handler->name);
> + ret = -ESECVIOLATION;
> goto err_out;
> }
> }
> diff --git a/common/efi/efi.c b/common/efi/efi.c
> index 05c58250f..19ee96411 100644
> --- a/common/efi/efi.c
> +++ b/common/efi/efi.c
> @@ -244,7 +244,7 @@ int efi_errno(efi_status_t err)
> case EFI_TFTP_ERROR: ret = EINVAL; break;
> case EFI_PROTOCOL_ERROR: ret = EPROTO; break;
> case EFI_INCOMPATIBLE_VERSION: ret = EINVAL; break;
> - case EFI_SECURITY_VIOLATION: ret = EINVAL; break;
> + case EFI_SECURITY_VIOLATION: ret = ESECVIOLATION; break;
> case EFI_CRC_ERROR: ret = EINVAL; break;
> case EFI_END_OF_MEDIA: ret = EINVAL; break;
> case EFI_END_OF_FILE: ret = EINVAL; break;
> diff --git a/common/image-fit.c b/common/image-fit.c
> index 5c014d66b..5750199c3 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -353,23 +353,23 @@ static int fit_verify_hash(struct device_node *hash, const void *data, int data_
> value_read = of_get_property(hash, "value", &hash_len);
> if (!value_read) {
> pr_err("%s: \"value\" property not found\n", hash->full_name);
> - return -EINVAL;
> + return -ESECVIOLATION;
> }
>
> if (of_property_read_string(hash, "algo", &algo)) {
> pr_err("%s: \"algo\" property not found\n", hash->full_name);
> - return -EINVAL;
> + return -ESECVIOLATION;
> }
>
> d = digest_alloc(algo);
> if (!d) {
> pr_err("%s: unsupported algo %s\n", hash->full_name, algo);
> - return -EINVAL;
> + return -ESECVIOLATION;
> }
>
> if (hash_len != digest_length(d)) {
> pr_err("%s: invalid hash length %d\n", hash->full_name, hash_len);
> - ret = -EINVAL;
> + ret = -ESECVIOLATION;
> goto err_digest_free;
> }
>
> @@ -381,7 +381,7 @@ static int fit_verify_hash(struct device_node *hash, const void *data, int data_
>
> if (memcmp(value_read, value_calc, hash_len)) {
> pr_info("%s: hash BAD\n", hash->full_name);
> - ret = -EBADMSG;
> + ret = -ESECVIOLATION;
> } else {
> pr_info("%s: hash OK\n", hash->full_name);
> ret = 0;
> @@ -431,7 +431,7 @@ static int fit_open_image(struct fit_handle *handle, const char *unit, const voi
> if (handle->verify == BOOTM_VERIFY_AVAILABLE)
> ret = 0;
> else
> - ret = -EINVAL;
> + ret = -ESECVIOLATION;
> for_each_child_of_node(image, hash) {
> if (handle->verbose)
> of_print_nodes(hash, 0);
> diff --git a/include/asm-generic/errno.h b/include/asm-generic/errno.h
> index 7d99a9537..45b2a2065 100644
> --- a/include/asm-generic/errno.h
> +++ b/include/asm-generic/errno.h
> @@ -133,6 +133,7 @@
> #define EKEYREJECTED 129 /* Key was rejected by service */
>
> /* Should never be seen by user programs */
> +#define ESECVIOLATION 511
> #define ERESTARTSYS 512
> #define ERESTARTNOINTR 513
> #define ERESTARTNOHAND 514 /* restart if no handler.. */
> --
> 2.11.0
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2017-03-26 7:59 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-25 8:31 [PATCH 00/13] add efi secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 01/13] bootm: move open to image_handler Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 02/13] boot_verify: use a new error ESECVIOLATION Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:59 ` Michael Olbrich [this message]
2017-03-26 2:44 ` [PATCH 03/13] bootm: make security generic Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 04/13] boot: invert the secure boot forcing support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 05/13] move boot verify to generic code Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 06/13] boot_verify: make it modifiable at start time Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:16 ` Michael Olbrich
2017-03-26 2:44 ` [PATCH 07/13] go: only use it if boot signature is not required Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:23 ` Michael Olbrich
2017-03-27 11:50 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 08/13] boot_verify: allow to force unsigned image to boot Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:25 ` Michael Olbrich
2017-03-26 2:45 ` [PATCH 09/13] boot_verify: add password request support Jean-Christophe PLAGNIOL-VILLARD
2017-03-27 6:11 ` Sascha Hauer
2017-03-26 2:45 ` [PATCH 10/13] efi: add more security related guid for the efivars Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 11/13] efi: fix lds for secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:30 ` Michael Olbrich
2017-03-26 2:45 ` [PATCH 12/13] efi: fix secure and setup mode report Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 13/13] efi: enable sercure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:57 ` [PATCH 01/13] bootm: move open to image_handler Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170326075900.hhdcxlywoh5p5sxm@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox