authorTom Rini <trini@konsulko.com>2022-03-31 14:12:30 -0400
committerTom Rini <trini@konsulko.com>2022-03-31 14:12:30 -0400
commit52d8100b1d60b656e3e311e3312fed43d388088a (patch)
treecb370025bcc386ef741cce94bda1b4dd58fe2d76 /lib/rsa
parent23e354f82c04a1c070ca59907abc6b042761b0e7 (diff)
parent7bebc11c42351c8f0364f0e3eb922f5af7b6e826 (diff)
Merge branch '2022-03-31-image-add-a-stage-pre-load' into next
To quote the author: This series adds a stage pre-load before launching an image. This stage is used to read a header before the image and this header contains the signature of the full image. So u-boot may check the full image before using any data of the image. The support of this header is added to binman, and a command verify checks the signature of a blob and set the u-boot env variable "loadaddr_verified" to the beginning of the "real" image. The support of this header is only added to binman, but it may also be added to mkimage.
Diffstat (limited to 'lib/rsa')
-rw-r--r--lib/rsa/Kconfig19
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index be9775bcceb..b773f17c261 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -47,6 +47,25 @@ config RSA_VERIFY_WITH_PKEY
directly specified in image_sign_info, where all the necessary
key properties will be calculated on the fly in verification code.
+config SPL_RSA_VERIFY_WITH_PKEY
+ bool "Execute RSA verification without key parameters from FDT within SPL"
+ depends on SPL
+ select SPL_RSA_VERIFY
+ select SPL_ASYMMETRIC_KEY_TYPE
+ select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select SPL_RSA_PUBLIC_KEY_PARSER
+ help
+ The standard RSA-signature verification code (FIT_SIGNATURE) uses
+ pre-calculated key properties, that are stored in fdt blob, in
+ decrypting a signature.
+ This does not suit the use case where there is no way defined to
+ provide such additional key properties in standardized form,
+ particularly UEFI secure boot.
+ This options enables RSA signature verification with a public key
+ directly specified in image_sign_info, where all the necessary
+ key properties will be calculated on the fly in verification code
+ in the SPL.
+
config RSA_SOFTWARE_EXP
bool "Enable driver for RSA Modular Exponentiation in software"
depends on DM
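Review bot: `SPL_RSA_VERIFY_WITH_PKEY` has only `depends on SPL`, while it force-enables `SPL_RSA_VERIFY` and the three key-parsing symbols through `select`, and `select` does not check the dependencies of the symbol it turns on. If any of those symbols has prerequisites of its own (their definitions are outside this hunk), they should be repeated here as `depends on` lines, so that the option cannot be set in an SPL configuration where the verification code is not actually built. The help text is taken over from `RSA_VERIFY_WITH_PKEY` and still gives UEFI secure boot as the motivating case, which presumably does not apply inside SPL; I would describe the pre-load signature check from the commit description instead and fix `This options enables` to `This option enables`. Since the public key then comes from `image_sign_info` rather than from pre-computed FDT properties, the help could also state that the caller must take that key from a trusted location and not from the image being verified.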