From 0003b8ada95068bef3522582fd7c211fb8b58e3c Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:29 -0500 Subject: [PATCH 01/19] image: Shorten FIT_ENABLE_SHAxxx_SUPPORT The ENABLE part of this name is redundant, since all boolean Kconfig options serve to enable something. The SUPPORT part is also redundant since Kconfigs can be assumed to enable support for something. Together they just serve to make these options overly long and inconsistent with other options. Rename FIT_ENABLE_SHAxxx_SUPPORT to FIT_SHAxxx Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/Kconfig.boot | 6 +++--- configs/mt8516_pumpkin_defconfig | 2 +- include/image.h | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 89a3161f1f..d28ce96a28 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -35,7 +35,7 @@ config FIT_EXTERNAL_OFFSET could be put in the hole between data payload and fit image header, such as CSF data on i.MX platform. -config FIT_ENABLE_SHA256_SUPPORT +config FIT_SHA256 bool "Support SHA256 checksum of FIT image contents" default y select SHA256 @@ -44,7 +44,7 @@ config FIT_ENABLE_SHA256_SUPPORT SHA256 checksum is a 256-bit (32-byte) hash value used to check that the image contents have not been corrupted. -config FIT_ENABLE_SHA384_SUPPORT +config FIT_SHA384 bool "Support SHA384 checksum of FIT image contents" default n select SHA384 @@ -54,7 +54,7 @@ config FIT_ENABLE_SHA384_SUPPORT the image contents have not been corrupted. Use this for the highest security. -config FIT_ENABLE_SHA512_SUPPORT +config FIT_SHA512 bool "Support SHA512 checksum of FIT image contents" default n select SHA512 diff --git a/configs/mt8516_pumpkin_defconfig b/configs/mt8516_pumpkin_defconfig index 945643ab25..cafad0ef62 100644 --- a/configs/mt8516_pumpkin_defconfig +++ b/configs/mt8516_pumpkin_defconfig 
@@ -13,7 +13,7 @@ CONFIG_DEBUG_UART_CLOCK=26000000 # CONFIG_PSCI_RESET is not set CONFIG_DEBUG_UART=y CONFIG_FIT=y -# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set +# CONFIG_FIT_SHA256 is not set # CONFIG_ARCH_FIXUP_FDT_MEMORY is not set CONFIG_DEFAULT_FDT_FILE="mt8516-pumpkin" # CONFIG_DISPLAY_BOARDINFO is not set diff --git a/include/image.h b/include/image.h index 0c24bf6f35..e54f12f472 100644 --- a/include/image.h +++ b/include/image.h @@ -31,9 +31,9 @@ struct fdt_region; #define IMAGE_ENABLE_OF_LIBFDT 1 #define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */ #define CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT 1 -#define CONFIG_FIT_ENABLE_SHA256_SUPPORT -#define CONFIG_FIT_ENABLE_SHA384_SUPPORT -#define CONFIG_FIT_ENABLE_SHA512_SUPPORT +#define CONFIG_FIT_SHA256 +#define CONFIG_FIT_SHA384 +#define CONFIG_FIT_SHA512 #define CONFIG_SHA1 #define CONFIG_SHA256 #define CONFIG_SHA384 @@ -89,21 +89,21 @@ struct fdt_region; #define IMAGE_ENABLE_SHA1 0 #endif -#if defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT) || \ +#if defined(CONFIG_FIT_SHA256) || \ defined(CONFIG_SPL_SHA256_SUPPORT) #define IMAGE_ENABLE_SHA256 1 #else #define IMAGE_ENABLE_SHA256 0 #endif -#if defined(CONFIG_FIT_ENABLE_SHA384_SUPPORT) || \ +#if defined(CONFIG_FIT_SHA384) || \ defined(CONFIG_SPL_SHA384_SUPPORT) #define IMAGE_ENABLE_SHA384 1 #else #define IMAGE_ENABLE_SHA384 0 #endif -#if defined(CONFIG_FIT_ENABLE_SHA512_SUPPORT) || \ +#if defined(CONFIG_FIT_SHA512) || \ defined(CONFIG_SPL_SHA512_SUPPORT) #define IMAGE_ENABLE_SHA512 1 #else From f5bc9c25f3159db2e420cdcff974980a5258a44f Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:30 -0500 Subject: [PATCH 02/19] image: Rename SPL_SHAxxx_SUPPORT to SPL_FIT_SHAxxx These option are named inconsistently with other SPL options, thus making them incompatible with the CONFIG_IS_ENABLED() macro. Rename them. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc 
Signed-off-by: Alexandru Gagniuc --- common/spl/Kconfig | 8 ++++---- include/image.h | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/common/spl/Kconfig b/common/spl/Kconfig index fa80524cfb..2b89ce71c1 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig @@ -429,7 +429,7 @@ config SPL_MD5_SUPPORT applications where images may be changed maliciously, you should consider SHA256 or SHA384. -config SPL_SHA1_SUPPORT +config SPL_FIT_SHA1 bool "Support SHA1" depends on SPL_FIT select SHA1 @@ -441,7 +441,7 @@ config SPL_SHA1_SUPPORT due to the expanding computing power available to brute-force attacks. For more security, consider SHA256 or SHA384. -config SPL_SHA256_SUPPORT +config SPL_FIT_SHA256 bool "Support SHA256" depends on SPL_FIT select SHA256 @@ -450,7 +450,7 @@ config SPL_SHA256_SUPPORT checksum is a 256-bit (32-byte) hash value used to check that the image contents have not been corrupted. -config SPL_SHA384_SUPPORT +config SPL_FIT_SHA384 bool "Support SHA384" depends on SPL_FIT select SHA384 @@ -461,7 +461,7 @@ config SPL_SHA384_SUPPORT image contents have not been corrupted. Use this for the highest security. -config SPL_SHA512_SUPPORT +config SPL_FIT_SHA512 bool "Support SHA512" depends on SPL_FIT select SHA512 diff --git a/include/image.h b/include/image.h index e54f12f472..bf92f6235d 100644 --- a/include/image.h +++ b/include/image.h @@ -68,7 +68,7 @@ struct fdt_region; # ifdef CONFIG_SPL_MD5_SUPPORT # define IMAGE_ENABLE_MD5 1 # endif -# ifdef CONFIG_SPL_SHA1_SUPPORT +# ifdef CONFIG_SPL_FIT_SHA1 # define IMAGE_ENABLE_SHA1 1 # endif # else 
@@ -90,21 +90,21 @@ struct fdt_region; #endif #if defined(CONFIG_FIT_SHA256) || \ - defined(CONFIG_SPL_SHA256_SUPPORT) + defined(CONFIG_SPL_FIT_SHA256) #define IMAGE_ENABLE_SHA256 1 #else #define IMAGE_ENABLE_SHA256 0 #endif #if defined(CONFIG_FIT_SHA384) || \ - defined(CONFIG_SPL_SHA384_SUPPORT) + defined(CONFIG_SPL_FIT_SHA384) #define IMAGE_ENABLE_SHA384 1 #else #define IMAGE_ENABLE_SHA384 0 #endif #if defined(CONFIG_FIT_SHA512) || \ - defined(CONFIG_SPL_SHA512_SUPPORT) + defined(CONFIG_SPL_FIT_SHA512) #define IMAGE_ENABLE_SHA512 1 #else #define IMAGE_ENABLE_SHA512 0 From ad74aed11e1dfe39b7f32dd855859abaf51d33f0 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:31 -0500 Subject: [PATCH 03/19] image: Rename CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT Drop the ENABLE and SUPPORT parts of this, which are redundant. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/Kconfig.boot | 2 +- common/image-sig.c | 4 ++-- configs/bcm963158_ram_defconfig | 2 +- configs/sandbox_defconfig | 2 +- include/image.h | 2 +- include/u-boot/rsa.h | 8 ++++---- lib/rsa/rsa-sign.c | 4 ++-- lib/rsa/rsa-verify.c | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/common/Kconfig.boot b/common/Kconfig.boot index d28ce96a28..ae3f2b6f62 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -103,7 +103,7 @@ config FIT_SIGNATURE_MAX_SIZE device memory. Assure this size does not extend past expected storage space. -config FIT_ENABLE_RSASSA_PSS_SUPPORT +config FIT_RSASSA_PSS bool "Support rsassa-pss signature scheme of FIT image contents" depends on FIT_SIGNATURE default n diff --git a/common/image-sig.c b/common/image-sig.c index 0f8e592aba..8b5cecbfa4 100644 --- a/common/image-sig.c +++ b/common/image-sig.c 
@@ -99,12 +99,12 @@ struct padding_algo padding_algos[] = { .name = "pkcs-1.5", .verify = padding_pkcs_15_verify, }, -#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +#ifdef CONFIG_FIT_RSASSA_PSS { .name = "pss", .verify = padding_pss_verify, } -#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ +#endif /* CONFIG_FIT_RSASSA_PSS */ }; struct checksum_algo *image_get_checksum_algo(const char *full_name) diff --git a/configs/bcm963158_ram_defconfig b/configs/bcm963158_ram_defconfig index 4eb3986c61..f7f1b35389 100644 --- a/configs/bcm963158_ram_defconfig +++ b/configs/bcm963158_ram_defconfig @@ -11,7 +11,7 @@ CONFIG_TARGET_BCM963158=y CONFIG_ENV_VARS_UBOOT_CONFIG=y CONFIG_FIT=y CONFIG_FIT_SIGNATURE=y -CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT=y +CONFIG_FIT_RSASSA_PSS=y CONFIG_FIT_VERBOSE=y CONFIG_LEGACY_IMAGE_FORMAT=y CONFIG_SUPPORT_RAW_INITRD=y diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index fc687e3c52..1655bb1e8a 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -10,7 +10,7 @@ CONFIG_DEBUG_UART=y CONFIG_DISTRO_DEFAULTS=y CONFIG_FIT=y CONFIG_FIT_SIGNATURE=y -CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT=y +CONFIG_FIT_RSASSA_PSS=y CONFIG_FIT_CIPHER=y CONFIG_FIT_VERBOSE=y CONFIG_BOOTSTAGE=y diff --git a/include/image.h b/include/image.h index bf92f6235d..b242007b9c 100644 --- a/include/image.h +++ b/include/image.h @@ -30,7 +30,7 @@ struct fdt_region; #define IMAGE_ENABLE_FIT 1 #define IMAGE_ENABLE_OF_LIBFDT 1 #define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */ -#define CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT 1 +#define CONFIG_FIT_RSASSA_PSS 1 #define CONFIG_FIT_SHA256 #define CONFIG_FIT_SHA384 #define CONFIG_FIT_SHA512 diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index bed1c097c2..bc564d56fa 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h 
@@ -119,11 +119,11 @@ int padding_pkcs_15_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len); -#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +#ifdef CONFIG_FIT_RSASSA_PSS int padding_pss_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len); -#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ +#endif /* CONFIG_FIT_RSASSA_PSS */ #else static inline int rsa_verify_hash(struct image_sign_info *info, const uint8_t *hash, @@ -146,14 +146,14 @@ static inline int padding_pkcs_15_verify(struct image_sign_info *info, return -ENXIO; } -#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +#ifdef CONFIG_FIT_RSASSA_PSS static inline int padding_pss_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len) { return -ENXIO; } -#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ +#endif /* CONFIG_FIT_RSASSA_PSS */ #endif #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5" diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 5a1583b8f7..f4ed11e74a 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -442,7 +442,7 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, goto err_sign; } -#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +#ifdef CONFIG_FIT_RSASSA_PSS if (padding_algo && !strcmp(padding_algo->name, "pss")) { if (EVP_PKEY_CTX_set_rsa_padding(ckey, RSA_PKCS1_PSS_PADDING) <= 0) { @@ -450,7 +450,7 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, goto err_sign; } } -#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ +#endif /* CONFIG_FIT_RSASSA_PSS */ for (i = 0; i < region_count; i++) { if (!EVP_DigestSignUpdate(context, region[i].data, diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index aee76f42d5..1998c773fc 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c 
@@ -95,7 +95,7 @@ int padding_pkcs_15_verify(struct image_sign_info *info, return 0; } -#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +#ifdef CONFIG_FIT_RSASSA_PSS static void u32_i2osp(uint32_t val, uint8_t *buf) { buf[0] = (uint8_t)((val >> 24) & 0xff); From 1e52db6799172cdd1612e0394da050d29164a13f Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:32 -0500 Subject: [PATCH 04/19] Kconfig: Rename SPL_CRC32_SUPPORT to SPL_CRC32 Drop the _SUPPORT suffix so we can use CONFIG_IS_ENABLED() with this option. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/spl/Kconfig | 4 ++-- configs/axm_defconfig | 2 +- configs/chromebit_mickey_defconfig | 2 +- configs/chromebook_jerry_defconfig | 2 +- configs/chromebook_minnie_defconfig | 2 +- configs/chromebook_speedy_defconfig | 2 +- configs/evb-px30_defconfig | 2 +- configs/firefly-px30_defconfig | 2 +- configs/imxrt1020-evk_defconfig | 2 +- configs/imxrt1050-evk_defconfig | 2 +- configs/odroid-go2_defconfig | 2 +- configs/px30-core-ctouch2-px30_defconfig | 2 +- configs/px30-core-edimm2.2-px30_defconfig | 2 +- configs/socfpga_agilex_atf_defconfig | 2 +- configs/socfpga_agilex_vab_defconfig | 2 +- configs/socfpga_stratix10_atf_defconfig | 2 +- configs/taurus_defconfig | 2 +- include/image.h | 2 +- 18 files changed, 19 insertions(+), 19 deletions(-) diff --git a/common/spl/Kconfig b/common/spl/Kconfig index 2b89ce71c1..896526aec6 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig @@ -204,7 +204,7 @@ config SPL_LEGACY_IMAGE_SUPPORT config SPL_LEGACY_IMAGE_CRC_CHECK bool "Check CRC of Legacy images" depends on SPL_LEGACY_IMAGE_SUPPORT - select SPL_CRC32_SUPPORT + select SPL_CRC32 help Enable this to check the CRC of Legacy images. While this increases reliability, it affects both code size and boot duration. 
@@ -407,7 +407,7 @@ config SYS_MMCSD_RAW_MODE_EMMC_BOOT_PARTITION the eMMC EXT_CSC_PART_CONFIG selection should be overridden in SPL by user defined partition number. -config SPL_CRC32_SUPPORT +config SPL_CRC32 bool "Support CRC32" default y if SPL_LEGACY_IMAGE_SUPPORT help diff --git a/configs/axm_defconfig b/configs/axm_defconfig index b613c5f8cd..cb64296993 100644 --- a/configs/axm_defconfig +++ b/configs/axm_defconfig @@ -32,7 +32,7 @@ CONFIG_BOOTCOMMAND="run flash_self" CONFIG_BOARD_EARLY_INIT_F=y # CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set CONFIG_SPL_SYS_MALLOC_SIMPLE=y -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_NAND_SUPPORT=y CONFIG_SPL_NAND_DRIVERS=y CONFIG_SPL_NAND_ECC=y diff --git a/configs/chromebit_mickey_defconfig b/configs/chromebit_mickey_defconfig index d652ab807d..0e63424605 100644 --- a/configs/chromebit_mickey_defconfig +++ b/configs/chromebit_mickey_defconfig @@ -25,7 +25,7 @@ CONFIG_BOARD_EARLY_INIT_R=y CONFIG_SPL_STACK_R=y CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x2000 # CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is not set -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set CONFIG_SPL_SPI_LOAD=y CONFIG_CMD_GPIO=y CONFIG_CMD_GPT=y diff --git a/configs/chromebook_jerry_defconfig b/configs/chromebook_jerry_defconfig index 5bb2735c41..dc5d06d65f 100644 --- a/configs/chromebook_jerry_defconfig +++ b/configs/chromebook_jerry_defconfig @@ -26,7 +26,7 @@ CONFIG_BOARD_EARLY_INIT_R=y CONFIG_SPL_STACK_R=y CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x2000 # CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is not set -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set CONFIG_SPL_SPI_LOAD=y CONFIG_CMD_GPIO=y CONFIG_CMD_GPT=y diff --git a/configs/chromebook_minnie_defconfig b/configs/chromebook_minnie_defconfig index 2549c49e8b..0a1d5930f6 100644 --- a/configs/chromebook_minnie_defconfig +++ b/configs/chromebook_minnie_defconfig 
@@ -26,7 +26,7 @@ CONFIG_BOARD_EARLY_INIT_R=y CONFIG_SPL_STACK_R=y CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x2000 # CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is not set -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set CONFIG_SPL_SPI_LOAD=y CONFIG_CMD_GPIO=y CONFIG_CMD_GPT=y diff --git a/configs/chromebook_speedy_defconfig b/configs/chromebook_speedy_defconfig index 8f7c70a8df..709af4cad5 100644 --- a/configs/chromebook_speedy_defconfig +++ b/configs/chromebook_speedy_defconfig @@ -26,7 +26,7 @@ CONFIG_BOARD_EARLY_INIT_R=y CONFIG_SPL_STACK_R=y CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x2000 # CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is not set -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set CONFIG_SPL_SPI_LOAD=y CONFIG_CMD_GPIO=y CONFIG_CMD_GPT=y diff --git a/configs/evb-px30_defconfig b/configs/evb-px30_defconfig index 8bcf8edec5..d3b52c127a 100644 --- a/configs/evb-px30_defconfig +++ b/configs/evb-px30_defconfig @@ -29,7 +29,7 @@ CONFIG_SPL_BOOTROM_SUPPORT=y # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set CONFIG_SPL_STACK_R=y # CONFIG_TPL_BANNER_PRINT is not set -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_ATF=y # CONFIG_TPL_FRAMEWORK is not set # CONFIG_CMD_BOOTD is not set diff --git a/configs/firefly-px30_defconfig b/configs/firefly-px30_defconfig index d902ab7a9b..1f24f927da 100644 --- a/configs/firefly-px30_defconfig +++ b/configs/firefly-px30_defconfig @@ -30,7 +30,7 @@ CONFIG_SPL_BOOTROM_SUPPORT=y # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set CONFIG_SPL_STACK_R=y # CONFIG_TPL_BANNER_PRINT is not set -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_ATF=y # CONFIG_TPL_FRAMEWORK is not set # CONFIG_CMD_BOOTD is not set diff --git a/configs/imxrt1020-evk_defconfig b/configs/imxrt1020-evk_defconfig index 0dc3743f88..79b25be678 100644 --- a/configs/imxrt1020-evk_defconfig +++ b/configs/imxrt1020-evk_defconfig 
@@ -24,7 +24,7 @@ CONFIG_SPL_BOARD_INIT=y CONFIG_SPL_SYS_MALLOC_SIMPLE=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x100 -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set # CONFIG_BOOTM_NETBSD is not set # CONFIG_BOOTM_PLAN9 is not set # CONFIG_BOOTM_RTEMS is not set diff --git a/configs/imxrt1050-evk_defconfig b/configs/imxrt1050-evk_defconfig index 0e426ce1ff..ca72f8c169 100644 --- a/configs/imxrt1050-evk_defconfig +++ b/configs/imxrt1050-evk_defconfig @@ -27,7 +27,7 @@ CONFIG_SPL_BOARD_INIT=y CONFIG_SPL_SYS_MALLOC_SIMPLE=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x100 -# CONFIG_SPL_CRC32_SUPPORT is not set +# CONFIG_SPL_CRC32 is not set # CONFIG_BOOTM_NETBSD is not set # CONFIG_BOOTM_PLAN9 is not set # CONFIG_BOOTM_RTEMS is not set diff --git a/configs/odroid-go2_defconfig b/configs/odroid-go2_defconfig index f5b03a30ab..7cb32f1f71 100644 --- a/configs/odroid-go2_defconfig +++ b/configs/odroid-go2_defconfig @@ -33,7 +33,7 @@ CONFIG_SPL_BOOTROM_SUPPORT=y # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set CONFIG_SPL_STACK_R=y # CONFIG_TPL_BANNER_PRINT is not set -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_I2C_SUPPORT=y CONFIG_SPL_POWER_SUPPORT=y CONFIG_SPL_ATF=y diff --git a/configs/px30-core-ctouch2-px30_defconfig b/configs/px30-core-ctouch2-px30_defconfig index 3e50d871bf..0b30ef6a0e 100644 --- a/configs/px30-core-ctouch2-px30_defconfig +++ b/configs/px30-core-ctouch2-px30_defconfig @@ -30,7 +30,7 @@ CONFIG_SPL_BOOTROM_SUPPORT=y # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set CONFIG_SPL_STACK_R=y # CONFIG_TPL_BANNER_PRINT is not set -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_ATF=y # CONFIG_TPL_FRAMEWORK is not set # CONFIG_CMD_BOOTD is not set diff --git a/configs/px30-core-edimm2.2-px30_defconfig b/configs/px30-core-edimm2.2-px30_defconfig index 01e0b5a80a..46a4fb97e3 100644 --- a/configs/px30-core-edimm2.2-px30_defconfig 
+++ b/configs/px30-core-edimm2.2-px30_defconfig @@ -30,7 +30,7 @@ CONFIG_SPL_BOOTROM_SUPPORT=y # CONFIG_SPL_RAW_IMAGE_SUPPORT is not set CONFIG_SPL_STACK_R=y # CONFIG_TPL_BANNER_PRINT is not set -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_ATF=y # CONFIG_TPL_FRAMEWORK is not set # CONFIG_CMD_BOOTD is not set diff --git a/configs/socfpga_agilex_atf_defconfig b/configs/socfpga_agilex_atf_defconfig index 6921575635..1a57a6e5d9 100644 --- a/configs/socfpga_agilex_atf_defconfig +++ b/configs/socfpga_agilex_atf_defconfig @@ -23,7 +23,7 @@ CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot" -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_CACHE=y CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y diff --git a/configs/socfpga_agilex_vab_defconfig b/configs/socfpga_agilex_vab_defconfig index 97eb7b4630..3135b61d6b 100644 --- a/configs/socfpga_agilex_vab_defconfig +++ b/configs/socfpga_agilex_vab_defconfig @@ -24,7 +24,7 @@ CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run mmcfitboot" -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_CACHE=y CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y diff --git a/configs/socfpga_stratix10_atf_defconfig b/configs/socfpga_stratix10_atf_defconfig index cd1b6f9bba..4eed5476a9 100644 --- a/configs/socfpga_stratix10_atf_defconfig +++ b/configs/socfpga_stratix10_atf_defconfig @@ -23,7 +23,7 @@ CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" CONFIG_USE_BOOTCOMMAND=y CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot" -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y CONFIG_SPL_ATF_NO_PLATFORM_PARAM=y diff --git a/configs/taurus_defconfig b/configs/taurus_defconfig index ce09450c9e..4c47d7b5ea 100644 --- a/configs/taurus_defconfig +++ b/configs/taurus_defconfig 
@@ -36,7 +36,7 @@ CONFIG_BOOTCOMMAND="nand read 0x22000000 0x200000 0x300000; bootm" CONFIG_BOARD_EARLY_INIT_F=y # CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set CONFIG_SPL_SYS_MALLOC_SIMPLE=y -CONFIG_SPL_CRC32_SUPPORT=y +CONFIG_SPL_CRC32=y CONFIG_SPL_NAND_SUPPORT=y CONFIG_SPL_NAND_DRIVERS=y CONFIG_SPL_NAND_ECC=y diff --git a/include/image.h b/include/image.h index b242007b9c..e2037d3159 100644 --- a/include/image.h +++ b/include/image.h @@ -62,7 +62,7 @@ struct fdt_region; #include #include # ifdef CONFIG_SPL_BUILD -# ifdef CONFIG_SPL_CRC32_SUPPORT +# ifdef CONFIG_SPL_CRC32 # define IMAGE_ENABLE_CRC32 1 # endif # ifdef CONFIG_SPL_MD5_SUPPORT From 4b00fd1a84c1ef15f640da1d7a1081d0dbfbfbfe Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:33 -0500 Subject: [PATCH 05/19] Kconfig: Rename SPL_MD5_SUPPORT to SPL_MD5 Drop the _SUPPORT suffix so we can use CONFIG_IS_ENABLED() with this option. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/spl/Kconfig | 2 +- include/image.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common/spl/Kconfig b/common/spl/Kconfig index 896526aec6..2df3e5d869 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig @@ -417,7 +417,7 @@ config SPL_CRC32 for detected accidental image corruption. For secure applications you should consider SHA1 or SHA256. -config SPL_MD5_SUPPORT +config SPL_MD5 bool "Support MD5" depends on SPL_FIT help diff --git a/include/image.h b/include/image.h index e2037d3159..124448f9e4 100644 --- a/include/image.h +++ b/include/image.h @@ -65,7 +65,7 @@ struct fdt_region; # ifdef CONFIG_SPL_CRC32 # define IMAGE_ENABLE_CRC32 1 # endif -# ifdef CONFIG_SPL_MD5_SUPPORT +# ifdef CONFIG_SPL_MD5 # define IMAGE_ENABLE_MD5 1 # endif # ifdef CONFIG_SPL_FIT_SHA1 From 0ad75696d078e56ca8e4d09a875de8107590ab8a Mon Sep 17 00:00:00 2001 
From: Simon Glass Date: Wed, 14 Jul 2021 17:05:34 -0500 Subject: [PATCH 06/19] image: Drop IMAGE_ENABLE_SHA1 We already have a host Kconfig for SHA1. Use CONFIG_IS_ENABLED(SHA1) directly in the code shared with the host build, so we can drop the unnecessary indirection. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/image-fit.c | 2 +- include/image.h | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/common/image-fit.c b/common/image-fit.c index e9b455dead..9a47d1becf 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1219,7 +1219,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, CHUNKSZ_CRC32); *((uint32_t *)value) = cpu_to_uimage(*((uint32_t *)value)); *value_len = 4; - } else if (IMAGE_ENABLE_SHA1 && strcmp(algo, "sha1") == 0) { + } else if (CONFIG_IS_ENABLED(SHA1) && strcmp(algo, "sha1") == 0) { sha1_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA1); *value_len = 20; diff --git a/include/image.h b/include/image.h index 124448f9e4..bca9033e7f 100644 --- a/include/image.h +++ b/include/image.h @@ -68,13 +68,9 @@ struct fdt_region; # ifdef CONFIG_SPL_MD5 # define IMAGE_ENABLE_MD5 1 # endif -# ifdef CONFIG_SPL_FIT_SHA1 -# define IMAGE_ENABLE_SHA1 1 -# endif # else # define IMAGE_ENABLE_CRC32 1 # define IMAGE_ENABLE_MD5 1 -# define IMAGE_ENABLE_SHA1 1 # endif #ifndef IMAGE_ENABLE_CRC32 @@ -85,10 +81,6 @@ struct fdt_region; #define IMAGE_ENABLE_MD5 0 #endif -#ifndef IMAGE_ENABLE_SHA1 -#define IMAGE_ENABLE_SHA1 0 -#endif - #if defined(CONFIG_FIT_SHA256) || \ defined(CONFIG_SPL_FIT_SHA256) #define IMAGE_ENABLE_SHA256 1 From 14f061dcb158a4ffbf09df10f2ac2d37c157437c Mon Sep 17 00:00:00 2001 
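Review bot: In `calculate_hash()` the new `CONFIG_IS_ENABLED(SHA1)` test is not gated by the same symbol as the `IMAGE_ENABLE_SHA1` it replaces. In an SPL build it resolves to `CONFIG_SPL_SHA1`, while the Kconfig entry renamed earlier in this series is `SPL_FIT_SHA1`, which only does `select SHA1`. Unless an `SPL_SHA1` symbol is defined elsewhere in the tree, SPL would stop recognising "sha1" hash nodes, and a U-Boot proper build without `CONFIG_SHA1` loses a branch that used to be unconditional. The same applies to the `CONFIG_IS_ENABLED(SHA256)`, `(SHA384)` and `(SHA512)` tests that the next patch adds to the same function. The function's final `else` is outside the hunk, so confirm that an unrecognised algorithm returns an error rather than leaving `value` unset, and record the gating symbol beside each test, e.g. `/* CONFIG_SHA1 in U-Boot proper, CONFIG_SPL_SHA1 in SPL */`.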
From: Simon Glass Date: Wed, 14 Jul 2021 17:05:35 -0500 Subject: [PATCH 07/19] image: Drop IMAGE_ENABLE_SHAxxx We already have a host Kconfig for these SHA options. Use CONFIG_IS_ENABLED(SHAxxx) directly in the code shared with the host build, so we can drop the unnecessary indirections. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/image-fit.c | 6 +++--- include/image.h | 21 --------------------- 2 files changed, 3 insertions(+), 24 deletions(-) diff --git a/common/image-fit.c b/common/image-fit.c index 9a47d1becf..031d9d34c3 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1223,15 +1223,15 @@ int calculate_hash(const void *data, int data_len, const char *algo, sha1_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA1); *value_len = 20; - } else if (IMAGE_ENABLE_SHA256 && strcmp(algo, "sha256") == 0) { + } else if (CONFIG_IS_ENABLED(SHA256) && strcmp(algo, "sha256") == 0) { sha256_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA256); *value_len = SHA256_SUM_LEN; - } else if (IMAGE_ENABLE_SHA384 && strcmp(algo, "sha384") == 0) { + } else if (CONFIG_IS_ENABLED(SHA384) && strcmp(algo, "sha384") == 0) { sha384_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA384); *value_len = SHA384_SUM_LEN; - } else if (IMAGE_ENABLE_SHA512 && strcmp(algo, "sha512") == 0) { + } else if (CONFIG_IS_ENABLED(SHA512) && strcmp(algo, "sha512") == 0) { sha512_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA512); *value_len = SHA512_SUM_LEN; diff --git a/include/image.h b/include/image.h index bca9033e7f..dbb9bd0174 100644 --- a/include/image.h +++ b/include/image.h 
@@ -81,27 +81,6 @@ struct fdt_region; #define IMAGE_ENABLE_MD5 0 #endif -#if defined(CONFIG_FIT_SHA256) || \ - defined(CONFIG_SPL_FIT_SHA256) -#define IMAGE_ENABLE_SHA256 1 -#else -#define IMAGE_ENABLE_SHA256 0 -#endif - -#if defined(CONFIG_FIT_SHA384) || \ - defined(CONFIG_SPL_FIT_SHA384) -#define IMAGE_ENABLE_SHA384 1 -#else -#define IMAGE_ENABLE_SHA384 0 -#endif - -#if defined(CONFIG_FIT_SHA512) || \ - defined(CONFIG_SPL_FIT_SHA512) -#define IMAGE_ENABLE_SHA512 1 -#else -#define IMAGE_ENABLE_SHA512 0 -#endif - #endif /* IMAGE_ENABLE_FIT */ #ifdef CONFIG_SYS_BOOT_GET_CMDLINE From 70c1c8927e2c1fd97cd174d7924300d672e8313b Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 14 Jul 2021 17:05:36 -0500 Subject: [PATCH 08/19] image: Drop IMAGE_ENABLE_BEST_MATCH This is not needed with Kconfig, since we can use IS_ENABLED() easily enough. Drop it. Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc Signed-off-by: Alexandru Gagniuc --- common/image-fit.c | 2 +- include/image.h | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/common/image-fit.c b/common/image-fit.c index 031d9d34c3..8e23d51cf2 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -2027,7 +2027,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr, * fit_conf_get_node() will try to find default config node */ bootstage_mark(bootstage_id + BOOTSTAGE_SUB_NO_UNIT_NAME); - if (IMAGE_ENABLE_BEST_MATCH && !fit_uname_config) { + if (IS_ENABLED(CONFIG_FIT_BEST_MATCH) && !fit_uname_config) { cfg_noffset = fit_conf_find_compat(fit, gd_fdt_blob()); } else { cfg_noffset = fit_conf_get_node(fit, diff --git a/include/image.h b/include/image.h index dbb9bd0174..8b420f2c02 100644 --- a/include/image.h +++ b/include/image.h @@ -1221,11 +1221,6 @@ void image_set_host_blob(void *host_blob); # define gd_fdt_blob() (gd->fdt_blob) #endif -#ifdef CONFIG_FIT_BEST_MATCH -#define IMAGE_ENABLE_BEST_MATCH 1 -#else -#define IMAGE_ENABLE_BEST_MATCH 0 -#endif #endif /* IMAGE_ENABLE_FIT */ /* 
From e89660f5ec1ce9aa66df04b0c3e6a96cc342020b Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:37 -0500 Subject: [PATCH 09/19] common: Move host-only logic in image-sig.c to separate file image-sig.c is used to map a hash or crypto algorithm name to a handler of that algorithm. There is some similarity between the host and target variants, with the differences worked out by #ifdefs. The purpose of this change is to remove those ifdefs. First, copy the file to a host-only version, and remove target specific code. Although it looks like we are duplicating code, subsequent patches will change the way target algorithms are searched. Besides we are only duplicating three string to struct mapping functions. This isn't something to fuss about. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- tools/Makefile | 2 +- tools/image-sig-host.c | 133 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 tools/image-sig-host.c diff --git a/tools/Makefile b/tools/Makefile index d020c55d66..722355e984 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -58,7 +58,7 @@ hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o -FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := common/image-sig.o common/image-fit-sig.o +FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig-host.o common/image-fit-sig.o FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o # The following files are synced with upstream DTC. diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c new file mode 100644 index 0000000000..8ed6998dab --- /dev/null +++ b/tools/image-sig-host.c 
@@ -0,0 +1,133 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2013, Google Inc. + */ + +#include "mkimage.h" +#include +#include +#include +#include +#include +#include +#include + +struct checksum_algo checksum_algos[] = { + { + .name = "sha1", + .checksum_len = SHA1_SUM_LEN, + .der_len = SHA1_DER_LEN, + .der_prefix = sha1_der_prefix, + .calculate_sign = EVP_sha1, + .calculate = hash_calculate, + }, + { + .name = "sha256", + .checksum_len = SHA256_SUM_LEN, + .der_len = SHA256_DER_LEN, + .der_prefix = sha256_der_prefix, + .calculate_sign = EVP_sha256, + .calculate = hash_calculate, + }, + { + .name = "sha384", + .checksum_len = SHA384_SUM_LEN, + .der_len = SHA384_DER_LEN, + .der_prefix = sha384_der_prefix, + .calculate_sign = EVP_sha384, + .calculate = hash_calculate, + }, + { + .name = "sha512", + .checksum_len = SHA512_SUM_LEN, + .der_len = SHA512_DER_LEN, + .der_prefix = sha512_der_prefix, + .calculate_sign = EVP_sha512, + .calculate = hash_calculate, + }, +}; + +struct crypto_algo crypto_algos[] = { + { + .name = "rsa2048", + .key_len = RSA2048_BYTES, + .sign = rsa_sign, + .add_verify_data = rsa_add_verify_data, + .verify = rsa_verify, + }, + { + .name = "rsa4096", + .key_len = RSA4096_BYTES, + .sign = rsa_sign, + .add_verify_data = rsa_add_verify_data, + .verify = rsa_verify, + }, + { + .name = "ecdsa256", + .key_len = ECDSA256_BYTES, + .sign = ecdsa_sign, + .add_verify_data = ecdsa_add_verify_data, + .verify = ecdsa_verify, + }, +}; + +struct padding_algo padding_algos[] = { + { + .name = "pkcs-1.5", + .verify = padding_pkcs_15_verify, + }, + { + .name = "pss", + .verify = padding_pss_verify, + } +}; + +struct checksum_algo *image_get_checksum_algo(const char *full_name) +{ + int i; + const char *name; + + for (i = 0; i < ARRAY_SIZE(checksum_algos); i++) { + name = checksum_algos[i].name; + /* Make sure names match and next char is a comma */ + if (!strncmp(name, full_name, strlen(name)) && + full_name[strlen(name)] == ',') + return 
&checksum_algos[i]; + } + + return NULL; +} + +struct crypto_algo *image_get_crypto_algo(const char *full_name) +{ + int i; + const char *name; + + /* Move name to after the comma */ + name = strchr(full_name, ','); + if (!name) + return NULL; + name += 1; + + for (i = 0; i < ARRAY_SIZE(crypto_algos); i++) { + if (!strcmp(crypto_algos[i].name, name)) + return &crypto_algos[i]; + } + + return NULL; +} + +struct padding_algo *image_get_padding_algo(const char *name) +{ + int i; + + if (!name) + return NULL; + + for (i = 0; i < ARRAY_SIZE(padding_algos); i++) { + if (!strcmp(padding_algos[i].name, name)) + return &padding_algos[i]; + } + + return NULL; +} From cab22c8890e97e8b557295ba2177e26392720765 Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:38 -0500 Subject: [PATCH 10/19] common: image-sig.c: Remove host-specific logic and #ifdefs Remove any ifdefs in image-sig.c that were previously used to differentiate from the host code. Note that all code dedicated to relocating ->sign() and ->add_verify_data)_ can be safely removed, as signing is not supported target-side. NOTE that although it appears we are removing ecdsa256 support, this is intentional. ecdsa_verify() is a no-op on the target, and is currently only used by host code. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- common/image-sig.c | 39 ++------------------------------------- 1 file changed, 2 insertions(+), 37 deletions(-) diff --git a/common/image-sig.c b/common/image-sig.c index 8b5cecbfa4..5e2d171975 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -3,18 +3,11 @@ * Copyright (c) 2013, Google Inc. */ -#ifdef USE_HOSTCC -#include "mkimage.h" -#include -#include -#include -#else #include #include #include #include DECLARE_GLOBAL_DATA_PTR; -#endif /* !USE_HOSTCC*/ #include #include #include 
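Review bot: `image_get_checksum_algo()` and `image_get_crypto_algo()` in the new tools/image-sig-host.c dereference `full_name` without a NULL check (`strncmp(name, full_name, ...)` and `strchr(full_name, ',')`), whereas `image_get_padding_algo()` in the same file starts with `if (!name) return NULL;`. The string presumably comes from a FIT node's algo property, so a node lacking that property could crash the host tool unless every caller checks first. Adding `if (!full_name) return NULL;` at the top of both functions makes the three lookups consistent. A short comment above `image_get_checksum_algo()` saying that `full_name` has the form `<checksum>,<crypto>`, which is why the character after the hash name must be a comma, would also help.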
@@ -28,9 +21,6 @@ struct checksum_algo checksum_algos[] = { .checksum_len = SHA1_SUM_LEN, .der_len = SHA1_DER_LEN, .der_prefix = sha1_der_prefix, -#if IMAGE_ENABLE_SIGN - .calculate_sign = EVP_sha1, -#endif .calculate = hash_calculate, }, { @@ -38,9 +28,6 @@ struct checksum_algo checksum_algos[] = { .checksum_len = SHA256_SUM_LEN, .der_len = SHA256_DER_LEN, .der_prefix = sha256_der_prefix, -#if IMAGE_ENABLE_SIGN - .calculate_sign = EVP_sha256, -#endif .calculate = hash_calculate, }, #ifdef CONFIG_SHA384 @@ -49,9 +36,6 @@ struct checksum_algo checksum_algos[] = { .checksum_len = SHA384_SUM_LEN, .der_len = SHA384_DER_LEN, .der_prefix = sha384_der_prefix, -#if IMAGE_ENABLE_SIGN - .calculate_sign = EVP_sha384, -#endif .calculate = hash_calculate, }, #endif @@ -61,9 +45,6 @@ struct checksum_algo checksum_algos[] = { .checksum_len = SHA512_SUM_LEN, .der_len = SHA512_DER_LEN, .der_prefix = sha512_der_prefix, -#if IMAGE_ENABLE_SIGN - .calculate_sign = EVP_sha512, -#endif .calculate = hash_calculate, }, #endif @@ -74,24 +55,13 @@ struct crypto_algo crypto_algos[] = { { .name = "rsa2048", .key_len = RSA2048_BYTES, - .sign = rsa_sign, - .add_verify_data = rsa_add_verify_data, .verify = rsa_verify, }, { .name = "rsa4096", .key_len = RSA4096_BYTES, - .sign = rsa_sign, - .add_verify_data = rsa_add_verify_data, .verify = rsa_verify, }, - { - .name = "ecdsa256", - .key_len = ECDSA256_BYTES, - .sign = ecdsa_sign, - .add_verify_data = ecdsa_add_verify_data, - .verify = ecdsa_verify, - }, }; struct padding_algo padding_algos[] = { 
@@ -112,16 +82,13 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name) int i; const char *name; -#if !defined(USE_HOSTCC) && defined(CONFIG_NEEDS_MANUAL_RELOC) +#if defined(CONFIG_NEEDS_MANUAL_RELOC) static bool done; if (!done) { done = true; for (i = 0; i < ARRAY_SIZE(checksum_algos); i++) { checksum_algos[i].name += gd->reloc_off; -#if IMAGE_ENABLE_SIGN - checksum_algos[i].calculate_sign += gd->reloc_off; -#endif checksum_algos[i].calculate += gd->reloc_off; } } @@ -143,15 +110,13 @@ struct crypto_algo *image_get_crypto_algo(const char *full_name) int i; const char *name; -#if !defined(USE_HOSTCC) && defined(CONFIG_NEEDS_MANUAL_RELOC) +#if defined(CONFIG_NEEDS_MANUAL_RELOC) static bool done; if (!done) { done = true; for (i = 0; i < ARRAY_SIZE(crypto_algos); i++) { crypto_algos[i].name += gd->reloc_off; - crypto_algos[i].sign += gd->reloc_off; - crypto_algos[i].add_verify_data += gd->reloc_off; crypto_algos[i].verify += gd->reloc_off; } } From 0980164b1306400e91e5ac389a514111ff74fc01 Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:39 -0500 Subject: [PATCH 11/19] image: Add support for placing crypto_algo in linker lists The purpose of this change is to enable crypto algorithms to be placed in linker lists, rather than be declared as a static array. The goal is to remove the crypto_algos array in a subsequent patch. Create a new linker list named "cryptos", and search it when image_get_crypto_algo() is invoked. NOTE that adding support for manual relocation of crypto_algos within linker lists is beyond the scope of this patch. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- common/image-sig.c | 9 +++++++++ include/image.h | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/common/image-sig.c b/common/image-sig.c index 5e2d171975..81a3b739fe 100644 --- a/common/image-sig.c +++ b/common/image-sig.c 
@@ -107,6 +107,7 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name) struct crypto_algo *image_get_crypto_algo(const char *full_name) { + struct crypto_algo *crypto, *end; int i; const char *name; @@ -133,6 +134,14 @@ struct crypto_algo *image_get_crypto_algo(const char *full_name) return &crypto_algos[i]; } + crypto = ll_entry_start(struct crypto_algo, cryptos); + end = ll_entry_end(struct crypto_algo, cryptos); + for (; crypto < end; crypto++) { + if (!strcmp(crypto->name, name)) + return crypto; + } + + /* Not found */ return NULL; } diff --git a/include/image.h b/include/image.h index 8b420f2c02..d4c453428c 100644 --- a/include/image.h +++ b/include/image.h @@ -47,6 +47,7 @@ struct fdt_region; #include #include #include +#include /* Take notice of the 'ignore' property for hashes */ #define IMAGE_ENABLE_IGNORE 1 @@ -1328,6 +1329,10 @@ struct crypto_algo { uint8_t *sig, uint sig_len); }; +/* Declare a new U-Boot crypto algorithm handler */ +#define U_BOOT_CRYPTO_ALGO(__name) \ +ll_entry_declare(struct crypto_algo, __name, cryptos) + struct padding_algo { const char *name; int (*verify)(struct image_sign_info *info, From 6909edb4cedf90c7a1fb68302dc2cec6291a0fcd Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:40 -0500 Subject: [PATCH 12/19] image: rsa: Move verification algorithm to a linker list Move the RSA verification crytpo_algo structure out of the crypto_algos array, and into a linker list. Although it appears we are adding an #ifdef to rsa-verify.c, the gains outweigh this small inconvenience. This is because rsa_verify() is defined differently based on #ifdefs. This change allows us to have a single definition of rsa_verify(). Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- common/image-sig.c | 10 ---------- lib/rsa/rsa-verify.c | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/common/image-sig.c b/common/image-sig.c index 81a3b739fe..83f3e9fa09 100644 
--- a/common/image-sig.c +++ b/common/image-sig.c @@ -52,16 +52,6 @@ struct checksum_algo checksum_algos[] = { }; struct crypto_algo crypto_algos[] = { - { - .name = "rsa2048", - .key_len = RSA2048_BYTES, - .verify = rsa_verify, - }, - { - .name = "rsa4096", - .key_len = RSA4096_BYTES, - .verify = rsa_verify, - }, }; struct padding_algo padding_algos[] = { diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 1998c773fc..bb8cc61d94 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -571,3 +571,19 @@ int rsa_verify(struct image_sign_info *info, return rsa_verify_hash(info, hash, sig, sig_len); } + +#ifndef USE_HOSTCC + +U_BOOT_CRYPTO_ALGO(rsa2048) = { + .name = "rsa2048", + .key_len = RSA2048_BYTES, + .verify = rsa_verify, +}; + +U_BOOT_CRYPTO_ALGO(rsa4096) = { + .name = "rsa4096", + .key_len = RSA4096_BYTES, + .verify = rsa_verify, +}; + +#endif From 24cee49fccf0ea699f044518f2672eeb7b9b7475 Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:41 -0500 Subject: [PATCH 13/19] image: image-sig.c: Remove crypto_algos array Crytographic algorithms (currently RSA), are stored in linker lists. The crypto_algos array is unused, so remove it, and any logic associated with it. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- common/image-sig.c | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/common/image-sig.c b/common/image-sig.c index 83f3e9fa09..d680bf7d98 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -51,9 +51,6 @@ struct checksum_algo checksum_algos[] = { }; -struct crypto_algo crypto_algos[] = { -}; - struct padding_algo padding_algos[] = { { .name = "pkcs-1.5", 
@@ -98,32 +95,14 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name) struct crypto_algo *image_get_crypto_algo(const char *full_name) { struct crypto_algo *crypto, *end; - int i; const char *name; -#if defined(CONFIG_NEEDS_MANUAL_RELOC) - static bool done; - - if (!done) { - done = true; - for (i = 0; i < ARRAY_SIZE(crypto_algos); i++) { - crypto_algos[i].name += gd->reloc_off; - crypto_algos[i].verify += gd->reloc_off; - } - } -#endif - /* Move name to after the comma */ name = strchr(full_name, ','); if (!name) return NULL; name += 1; - for (i = 0; i < ARRAY_SIZE(crypto_algos); i++) { - if (!strcmp(crypto_algos[i].name, name)) - return &crypto_algos[i]; - } - crypto = ll_entry_start(struct crypto_algo, cryptos); end = ll_entry_end(struct crypto_algo, cryptos); for (; crypto < end; crypto++) { From 820c4968c3f5a3440344ca5ec51ccfb9271d05ac Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:42 -0500 Subject: [PATCH 14/19] lib: ecdsa: Remove #ifdefs from ecdsa.h It is no longer necessary to implement ecdsa_() functions as no-ops depending on config options. It is merely sufficient to provide the prototypes, as the ecdsa code is no longer linked when unused. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- include/u-boot/ecdsa.h | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h index 979690d966..f6951c7346 100644 --- a/include/u-boot/ecdsa.h +++ b/include/u-boot/ecdsa.h @@ -15,7 +15,6 @@ * @see "struct crypto_algo" * @{ */ -#if IMAGE_ENABLE_SIGN /** * sign() - calculate and return signature for given input data * 
@@ -49,22 +48,7 @@ int ecdsa_sign(struct image_sign_info *info, const struct image_region region[], * other -ve value on error */ int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest); -#else -static inline -int ecdsa_sign(struct image_sign_info *info, const struct image_region region[], - int region_count, uint8_t **sigp, uint *sig_len) -{ - return -ENXIO; -} -static inline -int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest) -{ - return -ENXIO; -} -#endif - -#if IMAGE_ENABLE_VERIFY_ECDSA /** * verify() - Verify a signature against some data * @@ -78,15 +62,6 @@ int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest) int ecdsa_verify(struct image_sign_info *info, const struct image_region region[], int region_count, uint8_t *sig, uint sig_len); -#else -static inline -int ecdsa_verify(struct image_sign_info *info, - const struct image_region region[], int region_count, - uint8_t *sig, uint sig_len) -{ - return -ENXIO; -} -#endif /** @} */ #define ECDSA256_BYTES (256 / 8) From 92c960bc1d4c8f702171fea0d87e86f317d4b597 Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:43 -0500 Subject: [PATCH 15/19] lib: rsa: Remove #ifdefs from rsa.h It is no longer necessary to implement rsa_() functions as no-ops depending on config options. It is merely sufficient to provide the prototypes, as the rsa code is no longer linked when unused. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- include/u-boot/rsa.h | 47 -------------------------------------------- 1 file changed, 47 deletions(-) diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index bc564d56fa..89a9c4caa0 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h @@ -31,7 +31,6 @@ struct rsa_public_key { struct image_sign_info; -#if IMAGE_ENABLE_SIGN /** * sign() - calculate and return signature for given input data * 
@@ -66,22 +65,7 @@ int rsa_sign(struct image_sign_info *info, other -ve value on error */ int rsa_add_verify_data(struct image_sign_info *info, void *keydest); -#else -static inline int rsa_sign(struct image_sign_info *info, - const struct image_region region[], int region_count, - uint8_t **sigp, uint *sig_len) -{ - return -ENXIO; -} -static inline int rsa_add_verify_data(struct image_sign_info *info, - void *keydest) -{ - return -ENXIO; -} -#endif - -#if IMAGE_ENABLE_VERIFY /** * rsa_verify_hash() - Verify a signature against a hash * @@ -124,37 +108,6 @@ int padding_pss_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len); #endif /* CONFIG_FIT_RSASSA_PSS */ -#else -static inline int rsa_verify_hash(struct image_sign_info *info, - const uint8_t *hash, - uint8_t *sig, uint sig_len) -{ - return -ENXIO; -} - -static inline int rsa_verify(struct image_sign_info *info, - const struct image_region region[], int region_count, - uint8_t *sig, uint sig_len) -{ - return -ENXIO; -} - -static inline int padding_pkcs_15_verify(struct image_sign_info *info, - uint8_t *msg, int msg_len, - const uint8_t *hash, int hash_len) -{ - return -ENXIO; -} - -#ifdef CONFIG_FIT_RSASSA_PSS -static inline int padding_pss_verify(struct image_sign_info *info, - uint8_t *msg, int msg_len, - const uint8_t *hash, int hash_len) -{ - return -ENXIO; -} -#endif /* CONFIG_FIT_RSASSA_PSS */ -#endif #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5" From 8be1818a4f0c9ec14d04a244196c6e265fd973b7 Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:44 -0500 Subject: [PATCH 16/19] image: Eliminate IMAGE_ENABLE_VERIFY macro This macro is no longer needed for code flow or #ifdefs. Remove it. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- include/image.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/image.h b/include/image.h index d4c453428c..64663c591b 100644 --- a/include/image.h 
+++ b/include/image.h @@ -1196,19 +1196,16 @@ int calculate_hash(const void *data, int data_len, const char *algo, #if defined(USE_HOSTCC) # if defined(CONFIG_FIT_SIGNATURE) # define IMAGE_ENABLE_SIGN 1 -# define IMAGE_ENABLE_VERIFY 1 # define IMAGE_ENABLE_VERIFY_ECDSA 1 # define FIT_IMAGE_ENABLE_VERIFY 1 # include # else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY 0 # define IMAGE_ENABLE_VERIFY_ECDSA 0 # define FIT_IMAGE_ENABLE_VERIFY 0 # endif #else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY) # define IMAGE_ENABLE_VERIFY_ECDSA 0 # define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE) #endif @@ -1260,7 +1257,7 @@ struct image_region { int size; }; -#if IMAGE_ENABLE_VERIFY +#if FIT_IMAGE_ENABLE_VERIFY # include #endif struct checksum_algo { From 8387dba471de8d8668123ca0e158ab3f4f4bf81e Mon Sep 17 00:00:00 2001 From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:45 -0500 Subject: [PATCH 17/19] image: Eliminate IMAGE_ENABLE_VERIFY_ECDSA macro This macro is no longer needed for code flow or #ifdefs. Remove it. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass --- include/image.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/include/image.h b/include/image.h index 64663c591b..e20f0b69d5 100644 --- a/include/image.h +++ b/include/image.h @@ -1196,17 +1196,14 @@ int calculate_hash(const void *data, int data_len, const char *algo, #if defined(USE_HOSTCC) # if defined(CONFIG_FIT_SIGNATURE) # define IMAGE_ENABLE_SIGN 1 -# define IMAGE_ENABLE_VERIFY_ECDSA 1 # define FIT_IMAGE_ENABLE_VERIFY 1 # include # else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY_ECDSA 0 # define FIT_IMAGE_ENABLE_VERIFY 0 # endif #else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY_ECDSA 0 # define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE) #endif From b9826bf0c16ec225042c3fa760f8e22e6d9bc329 Mon Sep 17 00:00:00 2001 
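Review bot: The guard changed just before `struct checksum_algo` is not a pure rename, because the two macros expand to different options on target builds. Per the first hunk, the removed IMAGE_ENABLE_VERIFY was `CONFIG_IS_ENABLED(RSA_VERIFY)`, while FIT_IMAGE_ENABLE_VERIFY is `CONFIG_IS_ENABLED(FIT_SIGNATURE)`. A configuration that enables RSA verification without FIT signatures would therefore stop getting the guarded include, whose header name is not legible on this page. If that is intended, a comment at the guard such as `/* only needed when FIT signature verification is built */` would record the decision; the commit message only says the macro is no longer needed.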
From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:46 -0500 Subject: [PATCH 18/19] image: Add support for relocating crypto_algos in linker lists Function pointers from crypto_algos array are relocated, when NEEDS_MANUAL_RELOC is set. This relocation doesn't happen if the algo is placed in a linker list. Implement this relocation. Signed-off-by: Alexandru Gagniuc Reviewed-by: Simon Glass Acked-by: Michal Simek
---
 common/image-sig.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/common/image-sig.c b/common/image-sig.c
index d680bf7d98..fb0035524e 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -97,6 +97,19 @@ struct crypto_algo *image_get_crypto_algo(const char *full_name)
 struct crypto_algo *crypto, *end;
 const char *name;
 
+#if defined(CONFIG_NEEDS_MANUAL_RELOC)
+ static bool done;
+
+ if (!done) {
+ crypto = ll_entry_start(struct crypto_algo, cryptos);
+ end = ll_entry_end(struct crypto_algo, cryptos);
+ for (; crypto < end; crypto++) {
+ crypto->name += gd->reloc_off;
+ crypto->verify += gd->reloc_off;
+ }
+ }
+#endif
+
 /* Move name to after the comma */
 name = strchr(full_name, ',');
 if (!name)
From cab22c8890e97e8b557295ba2177e26392720765 Mon Sep 17 00:00:00 2001 
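Review bot: `done` is never set inside the new `if (!done)` block in `image_get_crypto_algo()`, so with CONFIG_NEEDS_MANUAL_RELOC every call adds `gd->reloc_off` to `crypto->name` and `crypto->verify` again. After the first lookup the `verify` pointer that signature checking dispatches through no longer points at the handler, and `name` no longer points at the string being compared. The checksum_algos relocation block shown earlier in this series sets `done = true;` as its first statement; the same line is needed here, directly after `if (!done) {`. The function body continues past the end of the hunk.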
From: Alexandru Gagniuc Date: Wed, 14 Jul 2021 17:05:47 -0500 Subject: [PATCH 19/19] tools: Use a single target-independent config to enable OpenSSL Host tool features, such as mkimage's ability to sign FIT images were enabled or disabled based on the target configuration. However, this misses the point of a target-agnostic host tool. A target's ability to verify FIT signatures is independent of mkimage's ability to create those signatures. In fact, u-boot's build system doesn't sign images. The target code can be successfully built without relying on any ability to sign such code. Conversely, mkimage's ability to sign images does not require that those images will only work on targets which support FIT verification. Linking mkimage cryptographic features to target support for FIT verification is misguided. Without loss of generality, we can say that host features are and should be independent of target features. While we prefer that a host tool always supports the same feature set, we recognize the following - some users prefer to build u-boot without a dependency on OpenSSL. - some distros prefer to ship mkimage without linking to OpenSSL To allow these use cases, introduce a host-only Kconfig which is used to select or deselect libcrypto support. Some mkimage features or some host tools might not be available, but this shouldn't affect the u-boot build. I also considered setting the default of this config based on FIT_SIGNATURE. While it would preserve the old behaviour it's also contrary to the goals of this change. I decided to enable it by default, so that the default build yields the most feature-complete mkimage. Signed-off-by: Alexandru Gagniuc --- tools/Kconfig | 11 +++++++++++ tools/Makefile | 48 +++++++++++++++++++++++++++++++----------------- 2 files changed, 42 insertions(+), 17 deletions(-) diff --git a/tools/Kconfig b/tools/Kconfig index b2f5012240..d6f82cd949 100644 --- a/tools/Kconfig +++ b/tools/Kconfig 
@@ -9,4 +9,15 @@ config MKIMAGE_DTC_PATH some cases the system dtc may not support all required features and the path to a different version should be given here. +config TOOLS_LIBCRYPTO + bool "Use OpenSSL's libcrypto library for host tools" + default y + help + Cryptographic signature, verification, and encryption of images is + provided by host tools using OpenSSL's libcrypto. Select 'n' here if + you wish to build host tools without OpenSSL. mkimage will not have + the ability to sign images. + This selection does not affect target features, such as runtime FIT + signature verification. + endmenu diff --git a/tools/Makefile b/tools/Makefile index 722355e984..bae3f95c49 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -3,6 +3,25 @@ # (C) Copyright 2000-2006 # Wolfgang Denk, DENX Software Engineering, wd@denx.de. +# A note on target vs host configuration: +# +# Host tools can be used across multiple targets, or different configurations +# of the same target. Thus, host tools must be able to handle any combination +# of target configurations. To prevent having different variations of the same +# tool, the tool build options may not depend on target configuration. +# +# Some linux distributions package these utilities as u-boot-tools, and it +# would be unmaintainable to have a different tool variation for each +# arch or configuration. +# +# A couple of simple rules: +# +# 1) Do not use target CONFIG_* options to enable or disable features in host +# tools. Only use the configs from tools/Kconfig +# 2) It's okay to use target configs to disable building specific tools. +# That's as long as the features of those tools aren't modified. +# + # Enable all the config-independent tools ifneq ($(HOST_TOOLS_ALL),) CONFIG_ARCH_KIRKWOOD = y 
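Review bot: The help text for TOOLS_LIBCRYPTO names only signing as the capability lost when 'n' is selected, which understates what the option gates. The tools/Makefile hunks of this same patch also put `fit_info`, `fit_check_sign` and the cipher objects (`common/image-cipher.o`, `lib/aes/`) behind it. Someone packaging host tools without OpenSSL should be able to learn from the help text that signature checking and image encryption go away as well. Suggested replacement for that sentence: `mkimage will not be able to sign or encrypt images, and fit_info and fit_check_sign will not be built.`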
@@ -53,30 +72,30 @@ hostprogs-y += mkenvimage mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o hostprogs-y += dumpimage mkimage -hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign +hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include -FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o -FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig-host.o common/image-fit-sig.o -FIT_CIPHER_OBJS-$(CONFIG_FIT_CIPHER) := common/image-cipher.o +FIT_OBJS-y := fit_common.o fit_image.o image-host.o common/image-fit.o +FIT_SIG_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := image-sig-host.o common/image-fit-sig.o +FIT_CIPHER_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := common/image-cipher.o # The following files are synced with upstream DTC. # Use synced versions from scripts/dtc/libfdt/. LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o \ fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o) -RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \ +RSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/rsa/, \ rsa-sign.o rsa-verify.o \ rsa-mod-exp.o) -ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o) +ECDSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o) -AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \ +AES_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/aes/, \ aes-encrypt.o aes-decrypt.o) # Cryptographic helpers that depend on openssl/libcrypto -LIBCRYPTO_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/, \ +LIBCRYPTO_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix lib/, \ fdt-libcrypto.o) ROCKCHIP_OBS = lib/rc4.o rkcommon.o rkimage.o rksd.o rkspi.o 
@@ -136,22 +155,17 @@ fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o file2include-objs := file2include.o -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),) +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),) # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register # the mxsimage support within tools/mxsimage.c . HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS endif -ifdef CONFIG_FIT_SIGNATURE +ifdef CONFIG_TOOLS_LIBCRYPTO # This affects include/image.h, but including the board config file # is tricky, so manually define this options here. HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE -HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE) -endif - -ifdef CONFIG_FIT_CIPHER -# This affects include/image.h, but including the board config file -# is tricky, so manually define this options here. +HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff HOST_EXTRACFLAGS += -DCONFIG_FIT_CIPHER endif @@ -164,7 +178,7 @@ HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE endif # MXSImage needs LibSSL -ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_FIT_SIGNATURE)$(CONFIG_FIT_CIPHER),) +ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_TOOLS_LIBCRYPTO),) HOSTCFLAGS_kwbimage.o += \ $(shell pkg-config --cflags libssl libcrypto 2> /dev/null || echo "") HOSTLDLIBS_mkimage += \
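Review bot: `-DCONFIG_FIT_SIGNATURE_MAX_SIZE=0xffffffff` in the `ifdef CONFIG_TOOLS_LIBCRYPTO` block replaces the board-configured limit with the largest 32-bit value. Host tools built this way effectively have no size cap wherever the code behind include/image.h compares against the macro; that code is not in this hunk. This may be the right target-independent choice, but it should be stated next to the define, for example `# No size cap for host tools; the target's own CONFIG_FIT_SIGNATURE_MAX_SIZE is unaffected`. In the same hunk, `ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)` is now true whenever TOOLS_LIBCRYPTO keeps its default of y. The two target options in it then no longer influence `-DCONFIG_MXS`, and could be dropped in line with rule 1 of the new header comment.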