Hi Simon

On Fri 12 Nov 2021 at 20:36, Simon Glass <s...@chromium.org> wrote:
> At present mkimage supports signing FITs, the standard U-Boot image type.
>
> Various people are opposed to using FIT since:
>
just to be sure: I am not one of those.

> a) it requires adding support for FIT into other bootloaders, notably
> UEFI

whatever happens to FIT is entirely orthogonal to the U-Boot UEFI subsystem.
FIT can evolve, U-Boot UEFI does not have to change.

> b) it requires packaging a kernel in this standard U-Boot format, meaning
> that distros must run 'mkimage' and deal with the kernel and initrd
> being inside a FIT
>
> The kernel and initrd can be dealt with in other ways. But without FIT,
> we have no standard way of signing and grouping FDT files. Instead we must
> include them in the distro as separate files.
>
> In particular, some sort of mechanism for verifying FDT files is needed.
> One option would be to tack a signature on before or after the file,
> processing it accordingly. But due to the nature of the FDT binary format,
> it is possible to embed a signature inside the FDT itself, which is very
> convenient.
>
> This series provides a tool, fdt_sign, which can add a signature to an
> FDT. The signature can be checked later, preventing any change to the FDT,
> other than in permitted nodes (e.g. /chosen).
>
> This series also provides an fdt_check_sign tool, used to check signatures.
>
> Both of these tools are stand-alone and do not require mkimage or FIT.
>
> As with FIT signing, multiple signatures are possible, but in this case
> that requires that fit_sign be called once for each signature. To make the
> check fail if a signature does not match, it should be marked as
> 'required' using the -r flag to fdt_sign.
>
> Run-time support for checking FDT signatures could be added to U-Boot
> fairly easily, but needs further discussion as the correct plumbing needs
> to be determined.
>
> For now there is absolutely no configurability in the signature mechanism.
> It would of course be possible to adjust which nodes are signed, as is
> done for FIT, but that needs further discussion also. The omission of the
> /chosen node is implemented in h_exclude_nodes() like this:
>
>     if (type == FDT_IS_NODE) {
>         /* Ignore the chosen node as well as /signature and subnodes */
>         if (!strcmp("/chosen", data) || !strncmp("/signature", data, 10))
>             return 0;
>     }
>
> Man pages are provided with example usage of the tools. Use this to view
> them:
>
>     man -l doc/fdt_check_sign.1
>
> This series also includes various clean-ups noticed along the way, as well
> as refactoring to avoid code duplication with the new tools. The last four
> patches are the new code.
>
> This series is available at u-boot-dm/fdt-sign-working :
>
> https://source.denx.de/u-boot/custodians/u-boot-dm/-/tree/fdt-sign-working
>
> Simon Glass (16):
>   rsa: Add debugging for failure cases
>   fit_check_sign: Update help to mention the key is in a dtb
>   tools: Move copyfile() into a common file
>   tools: Avoid leaving extra data at the end of copied files
>   tools: Improve comments in signing functions
>   tools: Drop unused name in image-host
>   tools: Avoid confusion between keys and signatures
>   tools: Tidy up argument order in fit_config_check_sig()
>   tools: Pass the key blob around
>   image: Return destination node for add_verify_data() method
>   tools: Pass public-key node through to caller
>   tools: mkimage: Show where signatures/keys are written
>   tools: Add a new tool to sign FDT blobs
>   tools: Add a new tool to check FDT-blob signatures
>   test: Add a test for FDT signing
>   tools: Add man pages for fdt_sign and fdt_check_sign
>
>  MAINTAINERS                      |   7 +
>  boot/image-fit-sig.c             | 151 +++++++++----
>  boot/image-fit.c                 |  12 +-
>  common/spl/spl_fit.c             |   3 +-
>  doc/fdt_check_sign.1             |  74 +++++++
>  doc/fdt_sign.1                   | 111 ++++++++++
>  include/image.h                  |  80 ++++++-
>  include/u-boot/ecdsa.h           |   5 +-
>  include/u-boot/rsa.h             |   5 +-
>  lib/ecdsa/ecdsa-libcrypto.c      |   4 +-
>  lib/rsa/rsa-sign.c               |   5 +-
>  lib/rsa/rsa-verify.c             |  13 +-
>  test/py/tests/test_fdt_sign.py   |  83 ++++++++
>  test/py/tests/test_vboot.py      |  21 +-
>  test/py/tests/vboot/sign-fdt.dts |  23 ++
>  test/py/tests/vboot_comm.py      |  22 ++
>  tools/Makefile                   |  10 +-
>  tools/fdt-host.c                 | 353 +++++++++++++++++++++++++++++++
>  tools/fdt_check_sign.c           |  85 ++++++++
>  tools/fdt_host.h                 |  46 ++++
>  tools/fdt_sign.c                 | 210 ++++++++++++++++++
>  tools/fit_check_sign.c           |   4 +-
>  tools/fit_common.c               |  69 ++++++
>  tools/fit_common.h               |  23 ++
>  tools/fit_image.c                |  59 +-----
>  tools/image-fdt-sig.c            | 254 ++++++++++++++++++++++
>  tools/image-host.c               | 155 +++++++++++---
>  tools/imagetool.h                |   4 +
>  tools/mkimage.c                  |   4 +
>  29 files changed, 1714 insertions(+), 181 deletions(-)
>  create mode 100644 doc/fdt_check_sign.1
>  create mode 100644 doc/fdt_sign.1
>  create mode 100644 test/py/tests/test_fdt_sign.py
>  create mode 100644 test/py/tests/vboot/sign-fdt.dts
>  create mode 100644 test/py/tests/vboot_comm.py
>  create mode 100644 tools/fdt-host.c
>  create mode 100644 tools/fdt_check_sign.c
>  create mode 100644 tools/fdt_sign.c
>  create mode 100644 tools/image-fdt-sig.c
>
> --
> 2.34.0.rc1.387.gb447b232ab-goog
>

--
François-Frédéric Ozog | *Director Business Development*
T: +33.67221.6485
francois.o...@linaro.org | Skype: ffozog
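To make the node-exclusion rule quoted from h_exclude_nodes() concrete, here is an added Python model (not code from the series or from U-Boot) that builds a small flattened device tree and computes the digest that a signature would cover, leaving out /chosen and everything under /signature. The function names (build_dtb, signed_digest, exclude_node) and the simplified scheme (hash the structure block minus excluded subtrees, then the strings block) are assumptions of this example; the real tools choose the covered regions their own way and then sign them with an RSA or ECDSA key.

```python
import hashlib
import struct
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END = 1, 2, 3, 9

def exclude_node(path):  # same rule as the quoted h_exclude_nodes()
    return path == "/chosen" or path.startswith("/signature")

def _emit(node, out, strtab):  # serialise one node and its subtree into the struct block
    out.extend(struct.pack(">I", FDT_BEGIN_NODE) + node["name"].encode() + b"\0")
    out.extend(b"\0" * (-len(out) % 4))
    for pname, val in node.get("props", {}).items():
        out.extend(struct.pack(">III", FDT_PROP, len(val), len(strtab)) + val)
        strtab.extend(pname.encode() + b"\0")
        out.extend(b"\0" * (-len(out) % 4))
    for child in node.get("children", []):
        _emit(child, out, strtab)
    out.extend(struct.pack(">I", FDT_END_NODE))

def build_dtb(root):  # minimal FDT: v17 header, empty memreserve map, struct + strings
    sblk, strtab = bytearray(), bytearray()
    _emit(root, sblk, strtab)
    sblk.extend(struct.pack(">I", FDT_END))
    off_struct, off_strings = 56, 56 + len(sblk)
    hdr = struct.pack(">10I", 0xD00DFEED, off_strings + len(strtab), off_struct,
                      off_strings, 40, 17, 16, 0, len(strtab), len(sblk))
    return hdr + b"\0" * 16 + bytes(sblk) + bytes(strtab)

def signed_digest(dtb):
    # SHA-256 over the struct block with excluded subtrees dropped, then the strings block
    hdr = struct.unpack_from(">10I", dtb)
    pos, end = hdr[2], hdr[2] + hdr[9]
    h, path, skip_depth = hashlib.sha256(), [], None
    while pos < end:
        start, tok, pos = pos, struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == FDT_BEGIN_NODE:
            name_end = dtb.index(b"\0", pos)
            path.append(dtb[pos:name_end].decode())
            pos = (name_end + 4) & ~3  # past the NUL, aligned to 4 bytes
            if skip_depth is None and exclude_node("/" + "/".join(path[1:])):
                skip_depth = len(path)  # leave this whole subtree out of the hash
        elif tok == FDT_PROP:
            pos = (pos + 8 + struct.unpack_from(">I", dtb, pos)[0] + 3) & ~3
        if skip_depth is None:
            h.update(dtb[start:pos])
        if tok == FDT_END_NODE:
            if skip_depth == len(path):
                skip_depth = None
            path.pop()
    h.update(dtb[hdr[3]:hdr[3] + hdr[8]])
    return h.hexdigest()
```

With two trees that differ only in /chosen/bootargs the digests match, while changing any other property changes the digest, which is the property the signature check relies on.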