mail archive of the barebox mailing list
* [PATCH 1/2] bootm: don't allow bootm_set_verify_mode if BOOTM_FORCE_SIGNED_IMAGES is enabled
From: Marco Felsch @ 2024-04-08  7:36 UTC
  To: barebox

The only allowed value for bootm_verify_mode is BOOTM_VERIFY_SIGNATURE
if CONFIG_BOOTM_FORCE_SIGNED_IMAGES is enabled. This is set via the
bootm_init() initcall. All further attempts to modify this variable
should be prevented.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
 common/bootm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/bootm.c b/common/bootm.c
index a59fa35008a9..e6703b19b3ba 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -75,6 +75,11 @@ enum bootm_verify bootm_get_verify_mode(void)
 
 void bootm_set_verify_mode(enum bootm_verify mode)
 {
+	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+		pr_err("BOOTM_FORCE_SIGNED_IMAGES enabled, prevent modifying bootm_verify_mode\n");
+		return;
+	}
+
 	bootm_verify_mode = mode;
 }
 
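Review bot: The guard at the top of bootm_set_verify_mode() rejects every call, including bootm_set_verify_mode(BOOTM_VERIFY_SIGNATURE), which the commit message names as the only allowed value, so a caller asking for the enforced mode still produces a pr_err() line. Consider logging and returning only when a different value is requested, for example `if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES) && mode != BOOTM_VERIFY_SIGNATURE)`, which leaves the assignment below the guard harmless for the permitted value.
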
-- 
2.39.2





* [PATCH 2/2] bootm: always apply strict signed FIT boot rules
From: Marco Felsch @ 2024-04-08  7:36 UTC
  To: barebox

We do use a strict boot rule if the CONFIG_BOOTM_FORCE_SIGNED_IMAGES
switch was enabled. Instead of only checking the compile time switch we
should check the runtime configurable $global.bootm.verify param too
while applying the rule.

Therefore make use of the bootm_get_verify_mode() to query the mode. If
CONFIG_BOOTM_FORCE_SIGNED_IMAGES was enabled the only allowed value is
BOOTM_VERIFY_SIGNATURE.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
 common/bootm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/bootm.c b/common/bootm.c
index e6703b19b3ba..03af3d2b28f7 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -699,7 +699,7 @@ int bootm_boot(struct bootm_data *bootm_data)
 		goto err_out;
 	}
 
-	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+	if (bootm_get_verify_mode() == BOOTM_VERIFY_SIGNATURE) {
 		data->verify = BOOTM_VERIFY_SIGNATURE;
 
 		/*
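
Review bot: Replacing the IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES) test in bootm_boot() makes the strict rule depend only on the runtime value returned by bootm_get_verify_mode(), so in a forced-signature build the enforcement now relies on bootm_verify_mode never holding anything else. Keeping the compile-time test alongside the new one, `if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES) || bootm_get_verify_mode() == BOOTM_VERIFY_SIGNATURE)`, would preserve the previous guarantee independently of runtime state and of whether patch 1/2 is applied.
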
-- 
2.39.2





* Re: [PATCH 1/2] bootm: don't allow bootm_set_verify_mode if BOOTM_FORCE_SIGNED_IMAGES is enabled
From: Ahmad Fatoum @ 2024-04-08  8:21 UTC
  To: Marco Felsch, barebox

Hello Marco,

On 08.04.24 09:36, Marco Felsch wrote:
> The only allowed value for bootm_verify_mode is BOOTM_VERIFY_SIGNATURE
> if CONFIG_BOOTM_FORCE_SIGNED_IMAGES is enabled. This is set via the
> bootm_init() initcall. All further attempts to modify this variable
> should be prevented.
> 
> Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> ---
>  common/bootm.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/common/bootm.c b/common/bootm.c
> index a59fa35008a9..e6703b19b3ba 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -75,6 +75,11 @@ enum bootm_verify bootm_get_verify_mode(void)
>  
>  void bootm_set_verify_mode(enum bootm_verify mode)
>  {
> +	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
> +		pr_err("BOOTM_FORCE_SIGNED_IMAGES enabled, prevent modifying bootm_verify_mode\n");
> +		return;
> +	}

bootm_set_verify_mode(BOOTM_VERIFY_SIGNATURE) shouldn't result
in a warning message.

With this addressed:

Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>

> +
>  	bootm_verify_mode = mode;
>  }
>  
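
Review bot: bootm_set_verify_mode() stays void, so after the early return in the new guard a caller cannot tell that its request was dropped; the pr_err() line is the only trace. Either add a comment above the function stating that the call is a no-op when CONFIG_BOOTM_FORCE_SIGNED_IMAGES is enabled, or change the return type to int and return an error such as -EPERM so callers can react.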

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |





* Re: [PATCH 2/2] bootm: always apply strict signed FIT boot rules
From: Ahmad Fatoum @ 2024-04-08  8:26 UTC
  To: Marco Felsch, barebox

Hello Marco,

On 08.04.24 09:36, Marco Felsch wrote:
> We do use a strict boot rule if the CONFIG_BOOTM_FORCE_SIGNED_IMAGES
> switch was enabled. Instead of only checking the compile time switch we
> should check the runtime configurable $global.bootm.verify param too
> while applying the rule.
> 
> Therefore make use of the bootm_get_verify_mode() to query the mode. If
> CONFIG_BOOTM_FORCE_SIGNED_IMAGES was enabled the only allowed value is
> BOOTM_VERIFY_SIGNATURE.
> 
> Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

Are you aware of https://lore.barebox.org/barebox/20231023162748.533468-1-a.fatoum@pengutronix.de/

Would that address your use case?

Cheers,
Ahmad

> ---
>  common/bootm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/common/bootm.c b/common/bootm.c
> index e6703b19b3ba..03af3d2b28f7 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -699,7 +699,7 @@ int bootm_boot(struct bootm_data *bootm_data)
>  		goto err_out;
>  	}
>  
> -	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
> +	if (bootm_get_verify_mode() == BOOTM_VERIFY_SIGNATURE) {
>  		data->verify = BOOTM_VERIFY_SIGNATURE;
>  
>  		/*
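
Review bot: With the new condition in bootm_boot(), the branch is entered only when the global mode already equals BOOTM_VERIFY_SIGNATURE, and it then overwrites data->verify with that same value. A short comment saying that the global setting takes precedence over whatever data->verify held before would make the intent clear, since the condition no longer names the Kconfig option.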






* Re: [PATCH 1/2] bootm: don't allow bootm_set_verify_mode if BOOTM_FORCE_SIGNED_IMAGES is enabled
From: Marco Felsch @ 2024-04-08 14:05 UTC
  To: Ahmad Fatoum; +Cc: barebox

On 24-04-08, Ahmad Fatoum wrote:
> Hello Marco,
> 
> On 08.04.24 09:36, Marco Felsch wrote:
> > The only allowed value for bootm_verify_mode is BOOTM_VERIFY_SIGNATURE
> > if CONFIG_BOOTM_FORCE_SIGNED_IMAGES is enabled. This is set via the
> > bootm_init() initcall. All further attempts to modify this variable
> > should be prevented.
> > 
> > Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> > ---
> >  common/bootm.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/common/bootm.c b/common/bootm.c
> > index a59fa35008a9..e6703b19b3ba 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -75,6 +75,11 @@ enum bootm_verify bootm_get_verify_mode(void)
> >  
> >  void bootm_set_verify_mode(enum bootm_verify mode)
> >  {
> > +	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
> > +		pr_err("BOOTM_FORCE_SIGNED_IMAGES enabled, prevent modifying bootm_verify_mode\n");
> > +		return;
> > +	}
> 
> bootm_set_verify_mode(BOOTM_VERIFY_SIGNATURE) shouldn't result
> in a warning message.

I was considering this as well.. I will add it, thanks.

> With this addressed:
> 
> Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> 
> > +
> >  	bootm_verify_mode = mode;
> >  }
> >  
> 




* Re: [PATCH 2/2] bootm: always apply strict signed FIT boot rules
From: Marco Felsch @ 2024-04-08 14:12 UTC
  To: Ahmad Fatoum; +Cc: barebox

On 24-04-08, Ahmad Fatoum wrote:
> Hello Marco,
> 
> On 08.04.24 09:36, Marco Felsch wrote:
> > We do use a strict boot rule if the CONFIG_BOOTM_FORCE_SIGNED_IMAGES
> > switch was enabled. Instead of only checking the compile time switch we
> > should check the runtime configurable $global.bootm.verify param too
> > while applying the rule.
> > 
> > Therefore make use of the bootm_get_verify_mode() to query the mode. If
> > CONFIG_BOOTM_FORCE_SIGNED_IMAGES was enabled the only allowed value is
> > BOOTM_VERIFY_SIGNATURE.
> > 
> > Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> 
> Are you aware of https://lore.barebox.org/barebox/20231023162748.533468-1-a.fatoum@pengutronix.de/
> 
> Would that address your use case?

Yes :) @Sascha do you have any concerns about Ahmad's above patchset
(except the small typo in the 2nd commit message)?

Regards,
  Marco

> 
> Cheers,
> Ahmad
> 
> > ---
> >  common/bootm.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/common/bootm.c b/common/bootm.c
> > index e6703b19b3ba..03af3d2b28f7 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -699,7 +699,7 @@ int bootm_boot(struct bootm_data *bootm_data)
> >  		goto err_out;
> >  	}
> >  
> > -	if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
> > +	if (bootm_get_verify_mode() == BOOTM_VERIFY_SIGNATURE) {
> >  		data->verify = BOOTM_VERIFY_SIGNATURE;
> >  
> >  		/*
> 


