mkimage: fit: include image cipher in configuration signature

This patch addresses issue #2 for signed configurations. -----8<----- Including the image cipher properties in the configuration signature prevents an attacker from modifying cipher, key or iv properties. Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com> Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
author: Patrick Oppenlander 2020-07-30 14:30:47 +1000
committer: Tom Rini 2020-08-07 11:47:18 -0400
commit: ef40129c33396d90a42e10f4a772390ac5b2ba05 (patch)
tree: 8040f7bba380d469a3ad63183c72ba626a69ddd5
parent: b33e5cc18263d438d11bb9a728b4117cc560cae4 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/tools/image-host.c b/tools/image-host.c
index e5417beee52..3d52593e361 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -744,6 +744,23 @@ static int fit_config_get_hash_list(void *fit, int conf_noffset,
 			return -ENOMSG;
 		}
 
+		/* Add this image's cipher node if present */
+		noffset = fdt_subnode_offset(fit, image_noffset,
+					     FIT_CIPHER_NODENAME);
+		if (noffset != -FDT_ERR_NOTFOUND) {
+			if (noffset < 0) {
+				printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n",
+				       conf_name, sig_name, iname,
+				       fdt_strerror(noffset));
+				return -EIO;
+			}
+			ret = fdt_get_path(fit, noffset, path, sizeof(path));
+			if (ret < 0)
+				goto err_path;
+			if (strlist_add(node_inc, path))
+				goto err_mem;
+		}
+
 		image_count++;
 	}
author	Patrick Oppenlander	2020-07-30 14:30:47 +1000
committer	Tom Rini	2020-08-07 11:47:18 -0400
commit	ef40129c33396d90a42e10f4a772390ac5b2ba05 (patch)
tree	8040f7bba380d469a3ad63183c72ba626a69ddd5
parent	b33e5cc18263d438d11bb9a728b4117cc560cae4 (diff)