From c520266f9a796f5f447f5e3b1da04a874500290a Mon Sep 17 00:00:00 2001 From: Patrick Oppenlander Date: Thu, 30 Jul 2020 14:22:13 +1000 Subject: [PATCH] mkimage: fit: only process one cipher node Previously mkimage would process any node matching the regex cipher.* and apply the ciphers to the image data in the order they appeared in the FDT. This meant that data could be inadvertently ciphered multiple times. Switch to processing a single cipher node which exactly matches FIT_CIPHER_NODENAME. Signed-off-by: Patrick Oppenlander Reviewed-by: Philippe Reynes --- tools/image-host.c | 57 ++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 35 deletions(-) diff --git a/tools/image-host.c b/tools/image-host.c index 9a83b7f675..dd7ecc4b60 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -323,15 +323,15 @@ err: static int fit_image_setup_cipher(struct image_cipher_info *info, const char *keydir, void *fit, const char *image_name, int image_noffset, - const char *node_name, int noffset) + int noffset) { char *algo_name; char filename[128]; int ret = -1; if (fit_image_cipher_get_algo(fit, noffset, &algo_name)) { - printf("Can't get algo name for cipher '%s' in image '%s'\n", - node_name, image_name); + printf("Can't get algo name for cipher in image '%s'\n", + image_name); goto out; } @@ -340,16 +340,16 @@ static int fit_image_setup_cipher(struct image_cipher_info *info, /* Read the key name */ info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL); if (!info->keyname) { - printf("Can't get key name for cipher '%s' in image '%s'\n", - node_name, image_name); + printf("Can't get key name for cipher in image '%s'\n", + image_name); goto out; } /* Read the IV name */ info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL); if (!info->ivname) { - printf("Can't get iv name for cipher '%s' in image '%s'\n", - node_name, image_name); + printf("Can't get iv name for cipher in image '%s'\n", + image_name); goto out; } @@ -428,8 +428,7 @@ int fit_image_write_cipher(void *fit, int image_noffset, int noffset, static int fit_image_process_cipher(const char *keydir, void *keydest, void *fit, const char *image_name, int image_noffset, - const char *node_name, int node_noffset, - const void *data, size_t size, + int node_noffset, const void *data, size_t size, const char *cmdname) { struct image_cipher_info info; @@ -440,7 +439,7 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit, memset(&info, 0, sizeof(info)); ret = fit_image_setup_cipher(&info, keydir, fit, image_name, - image_noffset, node_name, node_noffset); + image_noffset, node_noffset); if (ret) goto out; @@ -482,7 +481,7 @@ int fit_image_cipher_data(const char *keydir, void *keydest, const char *image_name; const void *data; size_t size; - int node_noffset; + int cipher_node_offset; /* Get image name */ image_name = fit_get_name(fit, image_noffset, NULL); @@ -497,32 +496,20 @@ int fit_image_cipher_data(const char *keydir, void *keydest, return -1; } - /* Process all hash subnodes of the component image node */ - for (node_noffset = fdt_first_subnode(fit, image_noffset); - node_noffset >= 0; - node_noffset = fdt_next_subnode(fit, node_noffset)) { - const char *node_name; - int ret = 0; - - node_name = fit_get_name(fit, node_noffset, NULL); - if (!node_name) { - printf("Can't get node name\n"); - return -1; - } - if (IMAGE_ENABLE_ENCRYPT && keydir && - !strncmp(node_name, FIT_CIPHER_NODENAME, - strlen(FIT_CIPHER_NODENAME))) - ret = fit_image_process_cipher(keydir, keydest, - fit, image_name, - image_noffset, - node_name, node_noffset, - data, size, cmdname); - if (ret) - return ret; + /* Process cipher node if present */ + cipher_node_offset = fdt_subnode_offset(fit, image_noffset, + FIT_CIPHER_NODENAME); + if (cipher_node_offset == -FDT_ERR_NOTFOUND) + return 0; + if (cipher_node_offset < 0) { + printf("Failure getting cipher node\n"); + return -1; } - - return 0; + if (!IMAGE_ENABLE_ENCRYPT || !keydir) + return 0; + return fit_image_process_cipher(keydir, keydest, fit, image_name, + image_noffset, cipher_node_offset, data, size, cmdname); } /** -- 2.39.5