mail archive of the barebox mailing list
From: Sascha Hauer <s.hauer@pengutronix.de>
To: Marco Felsch <m.felsch@pengutronix.de>
Cc: "open list:BAREBOX" <barebox@lists.infradead.org>
Subject: Re: [PATCH 08/13] ARM: am625: support hash verification of full barebox
Date: Tue, 11 Mar 2025 08:53:54 +0100
Message-ID: <Z8_sEu7Ta1RuJwk4@pengutronix.de>
In-Reply-To: <20250310192226.x7g2jq6vf5rx4c7c@pengutronix.de>

On Mon, Mar 10, 2025 at 08:22:26PM +0100, Marco Felsch wrote:
> On 25-02-28, Sascha Hauer wrote:
> > This implements the necessary SoC code to check the full barebox against
> > a sha256 compiled into the first stage barebox.
> > 
> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> > ---
> >  arch/arm/mach-k3/Kconfig |  1 +
> >  arch/arm/mach-k3/r5.c    | 14 ++++++++++++++
> >  2 files changed, 15 insertions(+)
> > 
> > diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
> > index 50919dc7e3..561ad1dac4 100644
> > --- a/arch/arm/mach-k3/Kconfig
> > +++ b/arch/arm/mach-k3/Kconfig
> > @@ -16,6 +16,7 @@ config MACH_K3_CORTEX_R5
> >  	select ELF
> >  	select K3_DDRSS
> >  	select FIP
> > +	select HAVE_FIRMWARE_VERIFY_NEXT_IMAGE
> >  	depends on 32BIT
> >  	select ARM_USE_COMPRESSED_DTB
> >  	default y
> > diff --git a/arch/arm/mach-k3/r5.c b/arch/arm/mach-k3/r5.c
> > index e12c888afa..cb52ff364d 100644
> > --- a/arch/arm/mach-k3/r5.c
> > +++ b/arch/arm/mach-k3/r5.c
> > @@ -248,6 +248,8 @@ static int load_fip(const char *filename, off_t offset)
> >  {
> >  	struct fip_state *fip;
> >  	struct fip_image_desc *desc;
> > +	unsigned char shasum[SHA256_DIGEST_SIZE];
> > +	int ret;
> >  
> >  	fip = fip_image_open(filename, offset);
> >  	if (IS_ERR(fip)) {
> > @@ -255,6 +257,18 @@ static int load_fip(const char *filename, off_t offset)
> >  		return PTR_ERR(fip);
> >  	}
> >  
> > +	if (IS_ENABLED(CONFIG_FIRMWARE_VERIFY_NEXT_IMAGE)) {
> > +		ret = fip_sha256(fip, shasum);
> > +		if (ret) {
> > +			pr_err("Cannot calc fip sha256: %pe\n", ERR_PTR(ret));
> > +			return ret;
> > +		}
> > +
> > +		ret = firmware_next_image_verify(shasum, SHA256_DIGEST_SIZE, true);
> > +		if (ret)
> > +			return ret;
> 
> Albeit it would involve way more effort, I would like to see that the
> FIP image format does have support for signatures within its "struct
> image_desc" for each image.
> This way it would be far easier for us to verify each image separately
> and in a common way. Also it wouldn't require rebuilding the "r5"
> tiboot3.bin to include the updated sha256sum each time.

Having to rebuild the tiboot3.bin for the updated sha256sum is not a
downside in this case, but actually the feature I wanted to implement.

Using a hash avoids mix-and-match attacks between different 1st stage
images combined with different 2nd stage images.

So yes, using the FIP image signing mechanisms would be nice to have,
but doesn't meet my goal.

> Also, the shasum size seems like the user would have a choice to choose
> other sha-sums, which he hasn't; therefore I would drop it.

ok.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
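As an added illustration of the mix-and-match point made in the reply above (example code, not barebox or FIP code): a small Python model of the two policies, in which a keyed HMAC stands in for a per-image FIP signature and a dict stands in for a first-stage image with its compiled-in digest. FIP_V1, FIP_V2, SIGNING_KEY and every function name are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample images standing in for two releases of the full
# second-stage barebox FIP; real ones are binary blobs.
FIP_V1 = b"FIP|barebox-full|v1|" + bytes(range(64))
FIP_V2 = b"FIP|barebox-full|v2|" + bytes(range(64, 128))

# Hypothetical release key shared by every signed FIP of one product line.
SIGNING_KEY = b"example-release-key"


def fip_sha256(fip: bytes) -> bytes:
    """Digest over the whole FIP image (the role fip_sha256() plays in the patch)."""
    return hashlib.sha256(fip).digest()


def sign_fip(fip: bytes) -> bytes:
    """Stand-in for a per-image signature: HMAC-SHA256 under the release key.
    A real FIP signature would be asymmetric; the accept/reject property is the same."""
    return hmac.new(SIGNING_KEY, fip, hashlib.sha256).digest()


def build_first_stage(fip: bytes) -> dict:
    """First stage built against one specific FIP: its expected digest is
    compiled in, so this stage accepts exactly that second stage and no other."""
    return {"name": "tiboot3.bin", "expected_sha256": fip_sha256(fip)}


def verify_by_hash(first_stage: dict, fip: bytes) -> bool:
    """Policy from the patch: accept only the FIP whose hash was compiled in."""
    return hmac.compare_digest(first_stage["expected_sha256"], fip_sha256(fip))


def verify_by_signature(fip: bytes, sig: bytes) -> bool:
    """Per-image signature policy: accept any FIP carrying a valid signature."""
    return hmac.compare_digest(sign_fip(fip), sig)


def pairing_accepted(first_stage: dict, fip: bytes, sig: bytes) -> tuple:
    """Return (accepted_by_signature, accepted_by_hash) for one stage-1/stage-2 pairing."""
    return verify_by_signature(fip, sig), verify_by_hash(first_stage, fip)


if __name__ == "__main__":
    stage1_v2 = build_first_stage(FIP_V2)
    # Matching build: both policies accept.
    print(pairing_accepted(stage1_v2, FIP_V2, sign_fip(FIP_V2)))
    # Older but still validly signed FIP under the v2 first stage: the
    # signature policy accepts it, the compiled-in hash rejects it.
    print(pairing_accepted(stage1_v2, FIP_V1, sign_fip(FIP_V1)))
```

The second pairing is the mix-and-match case: only the hash policy ties the first stage to the second stage it was built with.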




Thread overview: 28+ messages
2025-02-28  7:16 [PATCH 00/13] am625: support secure loading " Sascha Hauer
2025-02-28  7:16 ` [PATCH 01/13] firmware: always generate sha256sum Sascha Hauer
2025-02-28  7:16 ` [PATCH 02/13] firmware: add function to verify next image Sascha Hauer
2025-03-10 18:37   ` Marco Felsch
2025-03-11  7:35     ` Sascha Hauer
2025-02-28  7:16 ` [PATCH 03/13] ARM: k3: r5: drop loading of separate binaries Sascha Hauer
2025-03-10 18:44   ` Marco Felsch
2025-02-28  7:16 ` [PATCH 04/13] ARM: k3: r5: add proper error handling Sascha Hauer
2025-03-10 18:52   ` Marco Felsch
2025-03-11  8:24     ` Sascha Hauer
2025-03-11  8:50       ` Marco Felsch
2025-02-28  7:16 ` [PATCH 05/13] fip: rework fip_image_open() Sascha Hauer
2025-02-28  7:16 ` [PATCH 06/13] fip: fix wrong function call Sascha Hauer
2025-02-28  7:16 ` [PATCH 07/13] fip: add function to calculate a sha256 over FIP image Sascha Hauer
2025-02-28  7:16 ` [PATCH 08/13] ARM: am625: support hash verification of full barebox Sascha Hauer
2025-03-10 19:22   ` Marco Felsch
2025-03-11  7:53     ` Sascha Hauer [this message]
2025-02-28  7:16 ` [PATCH 09/13] ARM: k3: add support for authenticating images against the ROM API Sascha Hauer
2025-02-28  7:16 ` [PATCH 10/13] ARM: k3: r5: delete fip image when it can't be opened Sascha Hauer
2025-02-28  7:16 ` [PATCH 11/13] ARM: k3: r5: Allow to authenticate next image by ROM API Sascha Hauer
2025-03-10 19:26   ` Marco Felsch
2025-03-11  7:54     ` Sascha Hauer
2025-02-28  7:17 ` [PATCH 12/13] scripts/k3img: remove temporary files Sascha Hauer
2025-02-28  7:17 ` [PATCH 13/13] scripts: add k3sign Sascha Hauer
2025-03-10 17:40 ` [PATCH 00/13] am625: support secure loading of full barebox Marco Felsch
2025-03-11  8:12   ` Sascha Hauer
2025-03-11  8:48     ` Marco Felsch
2025-03-11  9:13       ` Sascha Hauer
