diff options
author | Albert Schwarzkopf <a.schwarzkopf@phytec.de> | 2020-09-15 15:36:30 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2020-09-18 11:42:17 +0200 |
commit | bf2f0514300b223bb78959f764e4f0eef6f6b4fe (patch) | |
tree | fe44baea2387d1f18f3c9aad81f2a3f4445c34e4 /arch | |
parent | 37fcc42b4a7c50480e5299b737127f594c78da51 (diff) | |
download | barebox-bf2f0514300b223bb78959f764e4f0eef6f6b4fe.tar.gz barebox-bf2f0514300b223bb78959f764e4f0eef6f6b4fe.tar.xz |
bootm: Allow loading OP-TEE from FIT image
Currently, TEE binaries can only be loaded if CONFIG_BOOTM_FORCE_SIGNED_IMAGES
is not set. No signature check is being performed on them.
Allow loading OP-TEE from FIT images. Therefore, now it's possible
to ensure that only trusted OP-TEE binaries will be loaded by using
signed FIT images.
Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/arm/lib32/bootm.c | 44 |
1 files changed, 39 insertions, 5 deletions
diff --git a/arch/arm/lib32/bootm.c b/arch/arm/lib32/bootm.c index 971ebee8ac..c33ecc2ad8 100644 --- a/arch/arm/lib32/bootm.c +++ b/arch/arm/lib32/bootm.c @@ -20,7 +20,7 @@ #include <restart.h> #include <globalvar.h> #include <tee/optee.h> - +#include <image-fit.h> #include <asm/byteorder.h> #include <asm/setup.h> #include <asm/barebox-arm.h> @@ -166,6 +166,34 @@ static int optee_verify_header_request_region(struct image_data *data, struct op return ret; } +static int bootm_load_tee_from_fit(struct image_data *data) +{ + int ret = 0; + struct optee_header hdr; + + if (data->os_fit && + fit_has_image(data->os_fit, data->fit_config, "tee")) { + const void *tee; + unsigned long tee_size; + + ret = fit_open_image(data->os_fit, data->fit_config, "tee", + &tee, &tee_size); + if (ret) { + pr_err("Error opening tee fit image: %s\n", strerror(-ret)); + return ret; + } + memcpy(&hdr, tee, sizeof(hdr)); + if (optee_verify_header_request_region(data, &hdr) < 0) { + pr_err("%s", strerror(errno)); + ret = -errno; + goto out; + } + memcpy((void *)data->tee_res->start, tee + sizeof(hdr), hdr.init_size); + printf("Read optee image to %pa, size 0x%08x\n", (void *)data->tee_res->start, hdr.init_size); + } +out: + return ret; +} static int bootm_load_tee_from_file(struct image_data *data) { int fd, ret; @@ -262,10 +290,16 @@ static int __do_bootm_linux(struct image_data *data, unsigned long free_mem, return ret; } - if (IS_ENABLED(CONFIG_BOOTM_OPTEE) && data->tee_file) { - ret = bootm_load_tee_from_file(data); - if (ret) - return ret; + if (IS_ENABLED(CONFIG_BOOTM_OPTEE)) { + if (data->tee_file && !IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) { + ret = bootm_load_tee_from_file(data); + if (ret) + return ret; + } else if (IS_ENABLED(CONFIG_FITIMAGE)) { + ret = bootm_load_tee_from_fit(data); + if (ret) + return ret; + } } |