1 files changed, 160 insertions, 0 deletions
diff --git a/tools/preload_check_sign.c b/tools/preload_check_sign.c
new file mode 100644
index 00000000000..ebead459273
--- /dev/null
+++ b/tools/preload_check_sign.c
@@ -0,0 +1,160 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Check a file including a preload header including a signature
+ *
+ * Copyright (c) 2025 Paul HENRYS <paul.henrys_ext@softathome.com>
+ *
+ * Binman makes it possible to generate a preload header signing part or the
+ * complete file. The tool preload_check_sign allows to verify and authenticate
+ * a file starting with a preload header.
+ */
+#include <stdio.h>
+#include <unistd.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <image.h>
+
+extern void image_pre_load_sig_set_info(struct image_sig_info *info);
+extern int image_pre_load_sig(ulong addr);
+
+static void usage(char *cmdname)
+{
+	fprintf(stderr, "Usage: %s -f file -k PEM key file\n"
+			"          -f ==> set file which should be checked\n"
+			"          -k ==> PEM key file\n"
+			"          -a ==> algo (default: sha256,rsa2048)\n"
+			"          -p ==> padding (default: pkcs-1.5)\n"
+			"          -h ==> help\n",
+		cmdname);
+	exit(EXIT_FAILURE);
+}
+
+int main(int argc, char **argv)
+{
+	int ret = 0;
+	char cmdname[256];
+	char *file = NULL;
+	char *keyfile = NULL;
+	int c;
+	FILE *fp = NULL;
+	FILE *fp_key = NULL;
+	size_t bytes;
+	long filesize;
+	void *buffer = NULL;
+	EVP_PKEY *pkey = NULL;
+	char *algo = "sha256,rsa2048";
+	char *padding = "pkcs-1.5";
+	struct image_sig_info info = {0};
+
+	strncpy(cmdname, *argv, sizeof(cmdname) - 1);
+	cmdname[sizeof(cmdname) - 1] = '\0';
+	while ((c = getopt(argc, argv, "f:k:a:p:h")) != -1)
+		switch (c) {
+		case 'f':
+			file = optarg;
+			break;
+		case 'k':
+			keyfile = optarg;
+			break;
+		case 'a':
+			algo = optarg;
+			break;
+		case 'p':
+			padding = optarg;
+			break;
+		default:
+			usage(cmdname);
+			break;
+	}
+
+	if (!file) {
+		fprintf(stderr, "%s: Missing file\n", *argv);
+		usage(*argv);
+	}
+
+	if (!keyfile) {
+		fprintf(stderr, "%s: Missing key file\n", *argv);
+		usage(*argv);
+	}
+
+	fp = fopen(file, "r");
+	if (!fp) {
+		fprintf(stderr, "Error opening file: %s\n", file);
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	fseek(fp, 0, SEEK_END);
+	filesize = ftell(fp);
+	rewind(fp);
+
+	buffer = malloc(filesize);
+	if (!buffer) {
+		fprintf(stderr, "Memory allocation failed");
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	bytes = fread(buffer, 1, filesize, fp);
+	if (bytes != filesize) {
+		fprintf(stderr, "Error reading file\n");
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	fp_key = fopen(keyfile, "r");
+	if (!fp_key) {
+		fprintf(stderr, "Error opening file: %s\n", keyfile);
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	/* Attempt to read the private key */
+	pkey = PEM_read_PrivateKey(fp_key, NULL, NULL, NULL);
+	if (!pkey) {
+		/* If private key reading fails, try reading as a public key */
+		fseek(fp_key, 0, SEEK_SET);
+		pkey = PEM_read_PUBKEY(fp_key, NULL, NULL, NULL);
+	}
+	if (!pkey) {
+		fprintf(stderr, "Unable to retrieve the public key: %s\n",
+			ERR_error_string(ERR_get_error(), NULL));
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	info.algo_name = algo;
+	info.padding_name = padding;
+	info.key = (uint8_t *)pkey;
+	info.mandatory = 1;
+	info.sig_size = EVP_PKEY_size(pkey);
+	if (info.sig_size < 0) {
+		fprintf(stderr, "Fail to retrieve the signature size: %s\n",
+			ERR_error_string(ERR_get_error(), NULL));
+		ret = EXIT_FAILURE;
+		goto out;
+	}
+
+	/* Compute signature information */
+	info.sig_info.name     = info.algo_name;
+	info.sig_info.padding  = image_get_padding_algo(info.padding_name);
+	info.sig_info.checksum = image_get_checksum_algo(info.sig_info.name);
+	info.sig_info.crypto   = image_get_crypto_algo(info.sig_info.name);
+	info.sig_info.key      = info.key;
+	info.sig_info.keylen   = info.key_len;
+
+	/* Check the signature */
+	image_pre_load_sig_set_info(&info);
+	ret = image_pre_load_sig((ulong)buffer);
+out:
+	if (fp)
+		fclose(fp);
+	if (fp_key)
+		fclose(fp_key);
+	if (info.key)
+		EVP_PKEY_free(pkey);
+	free(buffer);
+
+	exit(ret);
+}