Kconfig: Add support for fit image signature enforcing

FIT_SIGNATURE doesn't enforce the U-boot setup to be correct for booting
the FIT images, the DTB might not have all the proper nodes and it just
boots up without any warning. This makes it difficult to get the correct
setup working.

Adds an enforcement flag that doesn't allow the setup to have problems
and enforces the environment to only pick the signature node from DTB
and don't rely on anything else.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

2 files changed, 32 insertions, 10 deletions

diff --git a/boot/Kconfig b/boot/Kconfig
index b23959900c..c6058423a9 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -78,6 +78,17 @@ config FIT_SIGNATURE
 	  format support in this case, enable it using
 	  CONFIG_LEGACY_IMAGE_FORMAT.
 
+config FIT_SIGNATURE_ENFORCE
+	bool "Enforce the signature in fit images"
+	default y if TI_SECURE_DEVICE
+	depends on FIT_SIGNATURE
+	help
+	  Enabling FIT_SIGNATURE by default doesn't enforce the U-boot DTB to be
+	  having keys and allows booting the images without having proper setup.
+	  This option enforces the fit signature mechanism to contain the keys in
+	  the DTB and enforce the nodes to be authenticated without relying on
+	  the "required" node in the DTB.
+
 config FIT_SIGNATURE_MAX_SIZE
 	hex "Max size of signed FIT structures"
 	depends on FIT_SIGNATURE
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 12369896fe..8a324733e7 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -490,15 +490,24 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
 	/* Work out what we need to verify */
 	key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);
 	if (key_node < 0) {
-		debug("%s: No signature node found: %s\n", __func__,
-		      fdt_strerror(key_node));
-		return 0;
+		if (IS_ENABLED(CONFIG_FIT_SIGNATURE_ENFORCE)) {
+			printf("%s: No signature node found: %s\n", __func__,
+			       fdt_strerror(key_node));
+			return -EPERM;
+		} else {
+			debug("%s: No signature node found: %s\n", __func__,
+			      fdt_strerror(key_node));
+			return 0;
+		}
 	}
 
 	/* Get required-mode policy property from DTB */
-	reqd_mode = fdt_getprop(key_blob, key_node, "required-mode", NULL);
-	if (reqd_mode && !strcmp(reqd_mode, "any"))
-		reqd_policy_all = false;
+	if (!IS_ENABLED(CONFIG_FIT_SIGNATURE_ENFORCE)) {
+		reqd_mode =
+			fdt_getprop(key_blob, key_node, "required-mode", NULL);
+		if (reqd_mode && !strcmp(reqd_mode, "any"))
+			reqd_policy_all = false;
+	}
 
 	debug("%s: required-mode policy set to '%s'\n", __func__,
 	      reqd_policy_all ? "all" : "any");
@@ -514,10 +523,12 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
 		const char *required;
 		int ret;
 
-		required = fdt_getprop(key_blob, noffset, FIT_KEY_REQUIRED,
-				       NULL);
-		if (!required || strcmp(required, "conf"))
-			continue;
+		if (!IS_ENABLED(CONFIG_FIT_SIGNATURE_ENFORCE)) {
+			required = fdt_getprop(key_blob, noffset,
+					       FIT_KEY_REQUIRED, NULL);
+			if (!required || strcmp(required, "conf"))
+				continue;
+		}
 
 		reqd_sigs++;