[FIO extras] cmd: Add CONFIG_FIT_SIGNATURE_STRICT

Add CONFIG_FIT_SIGNATURE_STRICT to require a valid FIT configuration signature for every command that is able to manipulate FIT images. Signed-off-by: Ricardo Salveti <[email protected]>
foundriesio · Sep 9, 2019 · 5a6bd7f · 5a6bd7f
1 parent 8f435a1
commit 5a6bd7f
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/Kconfig b/Kconfig
@@ -359,6 +359,10 @@ config FIT_SIGNATURE_MAX_SIZE
 	  device memory. Assure this size does not extend past expected storage
 	  space.
 
+config FIT_SIGNATURE_STRICT
+	bool "Requires a valid FIT configuration signature for every image"
+	select FIT_SIGNATURE
+
 config FIT_ENABLE_RSASSA_PSS_SUPPORT
 	bool "Support rsassa-pss signature scheme of FIT image contents"
 	depends on FIT_SIGNATURE

diff --git a/cmd/fpga.c b/cmd/fpga.c
@@ -332,6 +332,20 @@ static int do_fpga_loadmk(cmd_tbl_t *cmdtp, int flag, int argc,
 			return CMD_RET_FAILURE;
 		}
 
+#if defined(CONFIG_FIT_SIGNATURE_STRICT)
+		/* validate required fit config entry */
+		noffset = fit_conf_get_node(fit_hdr, NULL);
+		if (noffset >= 0) {
+			if (fit_config_verify(fit_hdr, noffset)) {
+				puts("Cannot verify FIT config node\n");
+				return CMD_RET_FAILURE;
+			}
+		} else {
+			puts("FIT_SIGNATURE_STRICT requires a config node\n");
+			return CMD_RET_FAILURE;
+		}
+#endif
+
 		/* get fpga component image node offset */
 		noffset = fit_image_get_node(fit_hdr, fit_uname);
 		if (noffset < 0) {

diff --git a/cmd/source.c b/cmd/source.c
@@ -112,6 +112,20 @@ source (ulong addr, const char *fit_uname)
 			return 1;
 		}
 
+#if defined(CONFIG_FIT_SIGNATURE_STRICT)
+		/* validate required fit config entry */
+		noffset = fit_conf_get_node(fit_hdr, NULL);
+		if (noffset >= 0) {
+			if (fit_config_verify(fit_hdr, noffset)) {
+				puts("Cannot verify FIT config node\n");
+				return 1;
+			}
+		} else {
+			puts("FIT_SIGNATURE_STRICT requires a config node\n");
+			return 1;
+		}
+#endif
+
 		if (!fit_uname)
 			fit_uname = get_default_image(fit_hdr);
 

diff --git a/cmd/ximg.c b/cmd/ximg.c
@@ -138,6 +138,20 @@ do_imgextract(cmd_tbl_t * cmdtp, int flag, int argc, char * const argv[])
 			return 1;
 		}
 
+#if defined(CONFIG_FIT_SIGNATURE_STRICT)
+		/* validate required fit config entry */
+		noffset = fit_conf_get_node(fit_hdr, NULL);
+		if (noffset >= 0) {
+			if (fit_config_verify(fit_hdr, noffset)) {
+				puts("Cannot verify FIT config node\n");
+				return 1;
+			}
+		} else {
+			puts("FIT_SIGNATURE_STRICT requires a config node\n");
+			return 1;
+		}
+#endif
+
 		/* get subimage node offset */
 		noffset = fit_image_get_node(fit_hdr, uname);
 		if (noffset < 0) {