diff options
author | Patrick Oppenlander <patrick.oppenlander@gmail.com> | 2020-07-30 14:30:47 +1000 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2020-08-07 11:47:18 -0400 |
commit | ef40129c33396d90a42e10f4a772390ac5b2ba05 (patch) | |
tree | 8040f7bba380d469a3ad63183c72ba626a69ddd5 /tools | |
parent | b33e5cc18263d438d11bb9a728b4117cc560cae4 (diff) |
mkimage: fit: include image cipher in configuration signature
This patch addresses issue #2 for signed configurations.
-----8<-----
Including the image cipher properties in the configuration signature
prevents an attacker from modifying cipher, key or iv properties.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/image-host.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/tools/image-host.c b/tools/image-host.c index e5417beee5..3d52593e36 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -744,6 +744,23 @@ static int fit_config_get_hash_list(void *fit, int conf_noffset, return -ENOMSG; } + /* Add this image's cipher node if present */ + noffset = fdt_subnode_offset(fit, image_noffset, + FIT_CIPHER_NODENAME); + if (noffset != -FDT_ERR_NOTFOUND) { + if (noffset < 0) { + printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n", + conf_name, sig_name, iname, + fdt_strerror(noffset)); + return -EIO; + } + ret = fdt_get_path(fit, noffset, path, sizeof(path)); + if (ret < 0) + goto err_path; + if (strlist_add(node_inc, path)) + goto err_mem; + } + image_count++; } |