From: Andrew Davis Date: Fri, 15 Jul 2022 16:34:33 +0000 (-0500) Subject: arm: mach-k3: security: Allow signing bypass if type is HS-FS X-Git-Tag: v2025.01-rc5-pxa1908~1325^2~5 X-Git-Url: http://git.dujemihanovic.xyz/img/static/%7B%7B%20%24style.RelPermalink%20%7D%7D?a=commitdiff_plain;h=e1ef04fb3e3a1eb417700e34510714be0277bee9;p=u-boot.git arm: mach-k3: security: Allow signing bypass if type is HS-FS On HS-FS devices signing boot images is optional. To ease use we check if we are HS-FS and if no certificate is attached to the image we skip the authentication step with a warning that this will fail when the device is set to security enforcing. Signed-off-by: Andrew Davis --- diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c index 8de9739a40..5bfcecd44d 100644 --- a/arch/arm/mach-k3/security.c +++ b/arch/arm/mach-k3/security.c @@ -2,10 +2,11 @@ /* * K3: Security functions * - * Copyright (C) 2018 Texas Instruments Incorporated - http://www.ti.com/ + * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/ * Andrew F. Davis */ +#include #include #include #include @@ -18,6 +19,17 @@ #include #include +#include "common.h" + +static bool ti_secure_cert_detected(void *p_image) +{ + /* Primitive certificate detection, check for DER starting with + * two 4-Octet SEQUENCE tags + */ + return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 && + ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82); +} + void ti_secure_image_post_process(void **p_image, size_t *p_size) { struct ti_sci_handle *ti_sci = get_ti_sci_handle(); @@ -29,6 +41,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size) image_addr = (uintptr_t)*p_image; image_size = *p_size; + if (get_device_type() != K3_DEVICE_TYPE_HS_SE && + !ti_secure_cert_detected(*p_image)) { + printf("Warning: Did not detect image signing certificate. " + "Skipping authentication to prevent boot failure. " + "This will fail on Security Enforcing(HS-SE) devices\n"); + return; + } + debug("Authenticating image at address 0x%016llx\n", image_addr); debug("Authenticating image of size %d bytes\n", image_size);