authorSascha Hauer <s.hauer@pengutronix.de>2016-01-15 15:08:34 +0100
committerSascha Hauer <s.hauer@pengutronix.de>2016-01-26 22:45:42 +0100
commit436481a993e8a18b08f96656245a9bf96bebed10 (patch)
tree044e9f072388368c5944d823830747063ad1fcf2
parentac55adb3217cf52aec7f26e6b1614b05c9c83605 (diff)
bootm: Add option to force booting signed images
With CONFIG_BOOTM_FORCE_SIGNED_IMAGES the bootm code will refuse to boot unsigned images. Since currently FIT is the only image type which supports signing, this means with this option we enforce using FIT images. All additionally passed in device trees and initrds will be ignored, so that only the ones from the FIT image can be used. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
-rw-r--r--common/bootm.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/common/bootm.c b/common/bootm.c
index d8acff8dda..1199cb7ccc 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -68,8 +68,10 @@ enum bootm_verify bootm_get_verify_mode(void)
}
static const char * const bootm_verify_names[] = {
+#ifndef CONFIG_BOOTM_FORCE_SIGNED_IMAGES
[BOOTM_VERIFY_NONE] = "none",
[BOOTM_VERIFY_HASH] = "hash",
+#endif
[BOOTM_VERIFY_SIGNATURE] = "signature",
};
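Review bot: With CONFIG_BOOTM_FORCE_SIGNED_IMAGES set, the designated initializers leave the `BOOTM_VERIFY_NONE` and `BOOTM_VERIFY_HASH` slots of `bootm_verify_names[]` as NULL rather than removing them, assuming those enumerators sort below `BOOTM_VERIFY_SIGNATURE` (the enum is not shown here). Any consumer that walks the table up to `ARRAY_SIZE()` and compares or prints the names must tolerate NULL entries, and the default verify mode must not be one whose name is now NULL; neither is visible in this hunk. I would document the intent at the table, e.g. `/* NULL entries are unselectable when signed images are forced; users of this table must skip them */`, and confirm that the code which registers or parses the verify setting does so.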
@@ -526,6 +528,23 @@ int bootm_boot(struct bootm_data *bootm_data)
goto err_out;
}
+ if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+ data->verify = BOOTM_VERIFY_SIGNATURE;
+
+ /*
+ * When we only allow booting signed images make sure everything
+ * we boot is in the OS image and not given separately.
+ */
+ data->oftree = NULL;
+ data->oftree_file = NULL;
+ data->initrd_file = NULL;
+ if (os_type != filetype_oftree) {
+ printf("Signed boot and image is no FIT image, aborting\n");
+ ret = -EINVAL;
+ goto err_out;
+ }
+ }
+
if (IS_ENABLED(CONFIG_FITIMAGE) && os_type == filetype_oftree) {
struct fit_handle *fit;
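Review bot: The new guard in `bootm_boot()` only checks `os_type != filetype_oftree`, so the forced-signature policy depends on the FIT branch that follows, and that branch is gated by `IS_ENABLED(CONFIG_FITIMAGE)`. If CONFIG_BOOTM_FORCE_SIGNED_IMAGES could ever be enabled without CONFIG_FITIMAGE, an image of that file type would pass the guard and skip the FIT handling. The Kconfig dependency is not part of this commit, since only common/bootm.c changes. Making the guard self-contained would close that gap: `if (!IS_ENABLED(CONFIG_FITIMAGE) || os_type != filetype_oftree) {`. A short comment would also help, noting that `filetype_oftree` identifies the container format only and that the actual signature check is expected in the FIT code path; `bootm_boot()` starts and continues outside this hunk, so that path is not visible here.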