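/**
 * fit_image_verify_sig() - check image data against its signature subnodes
 * @fit: pointer to the FIT format image header
 * @image_noffset: component image node offset
 * @data: image data to verify
 * @size: size of @data in bytes
 * @sig_blob: not used by this function
 * @sig_offset: not used by this function
 *
 * Walks the subnodes of the image node and calls fit_image_check_sig() on
 * every subnode whose name starts with FIT_SIG_NODENAME (a prefix match, so
 * any name beginning with that string is treated as a signature node). The
 * first signature that checks out ends the walk; a failing signature is only
 * reported with "- " and the walk goes on to the next subnode.
 *
 * NOTE(review): @sig_blob and @sig_offset are never read, and a constant -1
 * is passed to fit_image_check_sig() in the argument slot before the error
 * message pointer. If that argument selects the key node a signature must be
 * checked against (confirm against fit_image_check_sig()), then the key the
 * caller asked for is not pinned here and any key the callee accepts can
 * satisfy this check. Left unchanged because the callee is not visible from
 * this function.
 *
 * returns:
 *     0, if at least one signature subnode verified
 *     -EPERM, if no signature subnode verified
 *     -1, if the subnode walk hit a truncated or corrupted tree
 */
static int fit_image_verify_sig(const void *fit, int image_noffset,
				const char *data, size_t size,
				const void *sig_blob, int sig_offset)
{
	const char *node_name;
	const char *image_name;
	int noffset;
	char *err_msg = "";
	int verified = 0;
	int ret;

	/* Process all signature subnodes of the component image node */
	fdt_for_each_subnode(noffset, fit, image_noffset) {
		const char *name = fit_get_name(fit, noffset, NULL);

		/*
		 * The FIT is untrusted input: a subnode whose name cannot be
		 * read must not reach strncmp(). Fail closed instead.
		 */
		if (!name) {
			err_msg = "Corrupted or truncated tree";
			goto error;
		}

		if (!strncmp(name, FIT_SIG_NODENAME,
			     strlen(FIT_SIG_NODENAME))) {
			ret = fit_image_check_sig(fit, noffset, data,
						  size, -1, &err_msg);
			if (ret) {
				puts("- ");
			} else {
				/* One good signature is enough; stop here */
				puts("+ ");
				verified = 1;
				break;
			}
		}
	}

	/* The walk ended on a libfdt error rather than on the last subnode */
	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
		err_msg = "Corrupted or truncated tree";
		goto error;
	}

	return verified ? 0 : -EPERM;

error:
	/*
	 * On a failed walk noffset is a negative error code, not a node
	 * offset, so it is not handed to fit_get_name(); either name may
	 * also be unreadable in a damaged tree.
	 */
	node_name = noffset >= 0 ? fit_get_name(fit, noffset, NULL) : NULL;
	image_name = fit_get_name(fit, image_noffset, NULL);
	printf(" error!\n%s for '%s' hash node in '%s' image node\n",
	       err_msg, node_name ? node_name : "(unknown)",
	       image_name ? image_name : "(unknown)");
	return -1;
}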
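/**
 * fit_image_verify - verify data integrity
 * @fit: pointer to the FIT format image header
 * @image_noffset: component image node offset
 *
 * fit_image_verify() first runs fit_image_verify_required_sigs() when
 * IMAGE_ENABLE_VERIFY is set, then goes over the component image subnodes.
 * For each subnode whose name starts with FIT_HASH_NODENAME it calls
 * fit_image_check_hash(), and any hash failure fails the whole image.
 * Subnodes whose name starts with FIT_SIG_NODENAME are checked with
 * fit_image_check_sig() only when IMAGE_ENABLE_VERIFY and verify_all are
 * both non-zero.
 *
 * Security notes for callers:
 * - Both name tests are prefix matches, so any subnode name that begins
 *   with "hash"/"signature" style prefixes is accepted as such a node.
 * - A signature that fails in the subnode loop is only reported with "- ";
 *   it does not change the return value. The only signature result that can
 *   fail the image here is the one from fit_image_verify_required_sigs().
 * - An image node with no hash subnodes at all still returns 1, because no
 *   check failed. A return of 1 therefore means "nothing failed", not
 *   "the data was authenticated".
 * - When IMAGE_ENABLE_VERIFY is zero the required-signature step is skipped.
 *
 * returns:
 *     1, if no hash check or required-signature check failed
 *     0, otherwise (or on error)
 */
int fit_image_verify(const void *fit, int image_noffset)
{
	const void *data;
	const char *node_name;
	const char *image_name;
	size_t size;
	int noffset = 0;
	char *err_msg = "";
	int verify_all = 1;
	int ret;

	/* Get image data and data length */
	if (fit_image_get_data(fit, image_noffset, &data, &size)) {
		err_msg = "Can't get image data/size";
		goto error;
	}

	/*
	 * Verify all required signatures. verify_all is passed by pointer
	 * and may be changed by the callee; it gates the signature branch
	 * of the loop below.
	 */
	if (IMAGE_ENABLE_VERIFY &&
	    fit_image_verify_required_sigs(fit, image_noffset, data, size,
					   gd_fdt_blob(), &verify_all)) {
		err_msg = "Unable to verify required signature";
		goto error;
	}

	/* Process all hash subnodes of the component image node */
	for (noffset = fdt_first_subnode(fit, image_noffset);
	     noffset >= 0;
	     noffset = fdt_next_subnode(fit, noffset)) {
		const char *name = fit_get_name(fit, noffset, NULL);

		/*
		 * The FIT is untrusted input: a subnode whose name cannot be
		 * read must not reach strncmp(). Fail closed instead.
		 */
		if (!name) {
			err_msg = "Corrupted or truncated tree";
			goto error;
		}

		/*
		 * Check subnode name, must be equal to "hash".
		 * Multiple hash nodes require unique unit node
		 * names, e.g. hash@1, hash@2, etc.
		 */
		if (!strncmp(name, FIT_HASH_NODENAME,
			     strlen(FIT_HASH_NODENAME))) {
			if (fit_image_check_hash(fit, noffset, data, size,
						 &err_msg))
				goto error;
			puts("+ ");
		} else if (IMAGE_ENABLE_VERIFY && verify_all &&
			   !strncmp(name, FIT_SIG_NODENAME,
				    strlen(FIT_SIG_NODENAME))) {
			/*
			 * Informational only: the result is printed but a
			 * failure here does not fail the image.
			 */
			ret = fit_image_check_sig(fit, noffset, data,
						  size, -1, &err_msg);
			if (ret)
				puts("- ");
			else
				puts("+ ");
		}
	}

	/* The walk ended on a libfdt error rather than on the last subnode */
	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
		err_msg = "Corrupted or truncated tree";
		goto error;
	}

	return 1;

error:
	/*
	 * On a failed walk noffset is a negative error code, not a node
	 * offset, so it is not handed to fit_get_name(); either name may
	 * also be unreadable in a damaged tree.
	 */
	node_name = noffset >= 0 ? fit_get_name(fit, noffset, NULL) : NULL;
	image_name = fit_get_name(fit, image_noffset, NULL);
	printf(" error!\n%s for '%s' hash node in '%s' image node\n",
	       err_msg, node_name ? node_name : "(unknown)",
	       image_name ? image_name : "(unknown)");
	return 0;
}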