| Age | Commit message (Collapse) | Author |
|---|
|
Our last sync with the kernel was 5.1.
We are so out of sync now, that tracking the patches and backporting
them one by one makes little sense and it's going to take ages.
This is an attempt to sync up Makefiles to 6.1.
Unfortunately due to sheer amount of patches this is not easy to review,
but that's what we decided during a community call for the bump to 5.1,
so we are following the same guidelines here.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>a #rebased on -next
|
|
Add support for creating an Amlogic Boot Image that pass CHK in BL1 on
Amlogic AArch64 SoCs.
Images can optionally be signed for secure boot scenario, however
creation of signed images has not been implemented.
Example of how to use it:
# Create an amlogic boot image
tools/mkimage -T amlimage -n gxbb -d u-boot-spl.bin u-boot-amlogic.bin
# List boot image header information
tools/mkimage -l u-boot-amlogic.bin
# Extract amlogic boot image payload
tools/dumpimage -T amlimage -o bl2-payload.bin u-boot-amlogic.bin
Or with binman using something like:
binman {
u-boot-amlogic {
filename = "u-boot-amlogic.bin";
pad-byte = <0xff>;
mkimage {
filename = "bl2.bin";
args = "-n", "gxbb", "-T", "amlimage";
u-boot-spl {
};
};
};
};
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
[Ferass: check digest type in _print_header, version in _verify_image]
Signed-off-by: Ferass El Hafidi <funderscore@postmarketos.org>
Link: https://patch.msgid.link/20251126-spl-gx-v5-1-6cbffb2451ca@postmarketos.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
|
|
This cannot work (unless qemu-user is registered in binfmt_misc) as the
tools will be for a different architecture.
Fixes "make cross_tools" in case CONFIG_VIDEO_LOGO is enabled.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
Introduced by 245b1029e1af, probably a debug left-over.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Heiko Schocher <hs@nabladev.com>
|
|
The function definition of fit_check_sign() is guarded by
"#ifdef CONFIG_FIT_SIGNATURE" in "tools/image-host.c". If we try
to build it without CONFIG_FIT_SIGNATURE, we will get an error:
/usr/bin/ld: tools/fit_check_sign.o: in function `main':
fit_check_sign.c:(.text.startup+0x165): undefined reference to `fit_check_sign'
collect2: error: ld returned 1 exit status
Fixes: 9c79c8fe70da ("tools/fit_check_sign: make key optional")
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
|
|
Allow invoking fit_check_sig without the key parameter, allowing to
validate only checksums and hashes for unsigned images.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
The cflags and ldflags of preload_check_sign depend on the openssl
package thus pkg-config is needed to get the location where openssl
is installed.
This fix a potential build failure when openssl is not from the
distro and installed in a varied place.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
|
|
HOSTCFLAGS of some tools components (image-host, rsa-sign and
ecdsa-libcrypto) depend on the directory where openssl is installed.
Add them via pkg-config.
This fixes a potential build failure in tools when openssl in installed
in varied directories.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Peter Robinson <pbrobinson@gmail.com>
|
|
preload_check_sign is added so that it can be used to authenticate images
signed with the pre-load signature supported by binman and U-Boot.
It could also be used to test the signature in binman tests signing
images with the pre-load.
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
|
|
The function sha256_csum_wd is defined in lib/sha256.c
and in lib/mbedtls/sha256.c. To avoid duplicating this
function (and future function), we move this function
to the file lib/sha256_common.c
Reviewed-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
|
|
Replace the use of libuuid with U-Boot's own UUID library. This prepares
us to add support for generating v5 GUIDs.
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
|
|
Some users want to build with CONFIG_TOOLS_LIBCRYPTO disabled, which in
general is possible for at least some boards. 32-bit mvebu however
requires kwbimage for building SPL, and kwbimage has a hard dependency
to host OpenSSL.
The new symbol CONFIG_TOOLS_KWBIMAGE allows disabling kwbimage build on
non-mvebu platforms, and thus building without host libcrypto from
OpenSSL.
Based on previous work and discussions, see links below.
Link: https://lore.kernel.org/u-boot/20211021093304.25399-1-pali@kernel.org/
Link: https://lore.kernel.org/u-boot/20220111153120.1276641-1-marex@denx.de/
Link: https://lore.kernel.org/u-boot/20230121154743.667253-2-paulerwan.rio@gmail.com/
Cc: Marek Vasut <marex@denx.de>
Cc: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
The StarFive JH7110 base boards require a header to be prefixed to the SPL
binary image. This has previously done with a vendor tool 'spl_tool'
published under a GPL-2-or-later license. Integrate this capability into
mkimage.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: Chanho Park <chanho61.park@samsung.com>
Tested-by: Milan P. Stanić <mps@arvanta.net>
|
|
On 'make clean', generated C files in tools/env/ and tools/boot/ are
currently not removed, but they should.
Auto-generation for shared sources was first introduced with
ad80c4a3220b ("kbuild, tools: generate wrapper C sources automatically
by Makefile"). Cleanup later regressed (see Fixes:), because shared
files were moved out of lib/ and common/, but 'clean-dirs := lib common'
was not adjusted accordingly. Further, the generated
tools/env/embedded.c became a sibling to project files, which prevents
directory-wise cleanup at all.
To solve it, we establishe tools/generated/ as the sole place for
generated sources. Wrappers are now generated as
tools/generated/<orig_dirname>/<orig_filename>, and 'make clean' can
remove tools/generated/ as a whole (Linux Makefile.asm-generic headers
are cleaned similarly). This way we don't have to maintain separate
clean-files or clean-dirs entries for each single added or moved wrapper
file.
Fixes: 0649cd0d4908 ("Move environment files from common/ to env/")
Fixes: 19a91f2464a8 ("Create a new boot/ directory")
Signed-off-by: Tobias Deiminger <tdmg@linutronix.de>
[trini: Correct mkfwupdate case]
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Add 'mkfwumdata' tool to generate FWU metadata image for the meta-data
partition to be used in A/B Update imeplementation.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
|
|
Renesas RZ/N1 devices contain BootROM code that loads a custom SPKG
image from QSPI, NAND or USB DFU. Support this format in mkimage tool.
SPKGs can optionally be signed, however creation of signed SPKG is not
currently supported.
Example of how to use it:
tools/mkimage -n board/schneider/rzn1-snarc/spkgimage.cfg \
-T spkgimage -a 0x20040000 -e 0x20040000 \
-d u-boot.bin u-boot.bin.spkg
The config file (spkgimage.cfg in this example) contains additional
parameters such as NAND ECC settings.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
|
|
Having to use the -K option to mkimage to populate U-Boot's .dtb with the
public key while signing the kernel FIT image is often a little
awkward. In particular, when using a meta-build system such as
bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
intertwined, modifying deployed artifacts and rebuilding U-Boot with
an updated .dtb is quite cumbersome. Also, in some scenarios one may
wish to build U-Boot complete with the public key(s) embedded in the
.dtb without the corresponding private keys being present on the same
build host.
So this adds a simple tool that allows one to disentangle the kernel
and U-Boot builds, by simply copy-pasting just enough of the mkimage
code to allow one to add a public key to a .dtb. When using mkimage,
some of the information is taken from the .its used to build the
kernel (algorithm and key name), so that of course needs to be
supplied on the command line.
Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
|
|
The old text format is not much used anymore. Instead a new trace-cmd tool
has introduced a binary format for trace records.
Add support for generating this format. This involves removing the old
text format, adding various helpers for the new format and adjusting the
code to use an output file instead of stdout.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
This is very old and does not appear to be used. The CONFIG option
enabling it is no-longer present. Drop it.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
This seems to have been used by ppc4xx which was removed a while back.
The Kconfig does not exist so it is never built. Drop it.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
This is not a Kconfig option so we should not be setting it in the
Makefile. Rename it to use a CFS_ prefix, since this is still used in
mxsimage.c
In general tools should support all the features without reference to
CONFIG options, but this is left to the maintainer to look at.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
- Drop CONFIG_BUILD_ENVCRC as this is never set directly but instead
means ENV_IS_EMBEDDED, so reference that in code and rename the Makefile
usage to BUILD_ENVCRC.
- Remove extra-$(CONFIG_ENV_IS_EMBEDDED) line as it could never be true,
and likely why there is an extra- line for CONFIG_ENV_IS_IN_FLASH (the
only use case today of embedded environments).
- With these slight changes we can then see that using the calculated
symbol of ENV_IS_EMBEDDED is the right thing to use in any code which
needs to know this situation and can remove CONFIG_ENV_IS_EMBEDDED
entirely.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
With LTO enabled the U-Boot initial environment is no longer stored
in an easy accessible section in env/common.o. I.e. the section name
changes from build to build, its content maybe compressed and it is
annotated with additional data.
Drop trying to read the initial env with elf tools from the compiler
specific object file in favour of adding and using a host tool with
the only functionality of printing the initial env to stdout.
See also:
https://lore.kernel.org/all/927b122e-1f62-e790-f5ca-30bae4332c77@foss.st.com/
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
Add test cases for accessing the FWU Metadata on the sandbox
platform. The sandbox platform also uses the metadata access driver
for GPT partitioned block devices.
The FWU feature will be tested on the sandbox64 variant with a raw
capsule. Remove the FIT capsule testing from sandbox64 defconfig --
the FIT capsule test will be run on the sandbox_flattree variant.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
|
Now that all the old code is gone, rename this option. Driver model
migration is now complete.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
This relies on the old LCD implementation which is to be removed. Drop it.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
The predefined NAND headers take too much spaces in the mtk_image.c.
Moving them into a new file can significantly improve the readability of
both mtk_image.c and the new mtk_nand_headers.c.
This is a preparation for adding more NAND headers.
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Weijie Gao <weijie.gao@mediatek.com>
|
|
Call pkg-config for each library individually.
This improves fallback handling.
Suggested-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Fixes: 31a7688cbe0e ("tools: mkeficapsule: use pkg-config to get -luuid and -lgnutls")
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
|
|
Instead of hardcoding -ltinfo as the flags needed to build
kwboot, use pkg-config when available.
We gracefully fallback on the previous behavior of hardcoding -ltinfo
if pkg-config is not available or fails with an error.
Reviewed-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
|
|
Instead of hardcoding -luuid -lgnutls as the flags needed to build
mkeficapsule, use pkg-config when available.
We gracefully fallback on the previous behavior of hardcoding -luuid
-lgnutls if pkg-config is not available or fails with an error.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
|
|
U-Boot CRC-16 implementation uses polynomial x^16 + x^12 + x^5 + 1 which is
not standard CRC-16 algorithm, but it is known as CRC-16-CCITT. Rename file
crc16.c to crc16-ccitt.c to reduce confusion.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
|
|
Most Allwinner sunxi SoCs have separate boot ROMs in non-secure and
secure mode. The "non-secure" or "normal" boot ROM (NBROM) uses the
existing sunxi_egon image type. The secure boot ROM (SBROM) uses a
completely different image type, known as TOC0.
A TOC0 image is composed of a header and two or more items. One item
is the firmware binary. The others form a chain linking the firmware
signature to the root-of-trust public key (ROTPK), which has its hash
burned in the SoC's eFuses. Signatures are made using RSA-2048 + SHA256.
The pseudo-ASN.1 structure is manually assembled; this is done to work
around bugs/quirks in the boot ROM, which vary between SoCs. This TOC0
implementation has been verified to work with the A50, A64, H5, H6,
and H616 SBROMs, and it may work with other SoCs.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Acked-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
|
|
Marvell BootROM recognize only '\b' byte as backspace. Use terminfo
for retrieving current backspace sequence and replace any occurrence of
backspace sequence by the '\b' byte.
Reading terminfo database is possible via tigetstr() function from system
library libtinfo.so.*. So link kwboot with -ltinfo.
Normally terminfo functions are in <term.h> system header file. But this
header file conflicts with U-Boot "termios_linux.h" header file. So declare
terminfo functions manually.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
|
|
After BootROM successfully detects boot message pattern on UART it waits
until host stop sending data on UART. For example Armada 385 BootROM
requires that host does not send anything on UART at least 24 ms. If host
is still sending something then BootROM waits (possibly infinitely).
BootROM successfully detects boot message pattern if it receives it in
small period of time after power on.
So to ensure that host put BootROM into UART boot mode, host must send
continuous stream of boot message pattern with a small gap (for A385 at
least 24 ms) after series of pattern. But this gap cannot be too often or
too long to ensure that it does not cover whole BootROM time window when it
is detecting for boot message pattern.
Therefore it is needed to do following steps in cycle without any delay:
1. send series of boot message pattern over UART
2. wait until kernel transmit all data
3. sleep small period of time
At the same time, host needs to monitor input queue, data received on the
UART and checking if it contains NAK byte by which BootROM informs that
xmodem transfer is ready.
But it is not possible to wait until kernel transmit all data on UART and
at the same time in the one process to also wait for input data. This is
limitation of POSIX tty API and also by linux kernel that it does not
provide asynchronous function for waiting until all data are transmitted.
There is only synchronous variant tcdrain().
So to correctly implement this handshake on systems with linux kernel, it
is needed to use tcdrain() in separate thread.
Implement sending of boot message pattern in one thread and reading of
reply in the main thread. Use pthread library for threads.
This change makes UART booting on Armada 385 more reliable. It is possible
to start kwboot and power on board after minute and kwboot correctly put
board into UART boot mode.
Old implementation without separate thread has an issue that it read just
one byte from UART input queue and then it send 128 message pattern to the
output queue. If some noise was on UART then kwboot was not able to read
BootROM response as its input queue was just overflowed and kwboot was
sending more data than receiving.
This change basically fixed above issue too.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
|
|
The existing options, "--fit" and "--raw," are only used to put a proper
GUID in a capsule header, where GUID identifies a particular FMP (Firmware
Management Protocol) driver which then would handle the firmware binary in
a capsule. In fact, mkeficapsule does the exact same job in creating
a capsule file whatever the firmware binary type is.
To prepare for the future extension, the command syntax will be a bit
modified to allow users to specify arbitrary GUID for their own FMP driver.
OLD:
[--fit <image> | --raw <image>] <capsule file>
NEW:
[--fit | --raw | --guid <guid-string>] <image> <capsule file>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
With this enhancement, mkeficapsule will be able to sign a capsule
file when it is created. A signature added will be used later
in the verification at FMP's SetImage() call.
To do that, we need specify additional command parameters:
-monotonic-cout <count> : monotonic count
-private-key <private key file> : private key file
-certificate <certificate file> : certificate file
Only when all of those parameters are given, a signature will be added
to a capsule file.
Users are expected to maintain and increment the monotonic count at
every time of the update for each firmware image.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
|
Add CONFIG_TOOLS_MKEFICAPSULE. Then we want to always build mkeficapsule
if tools-only_defconfig is used.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
Quite a lot of the code in common/relates to booting and images. Before
adding more it seems like a good time to move the code into its own
directory.
Most files with 'boot' or 'image' in them are moved, except:
- autoboot.c which relates to U-Boot automatically running a script
- bootstage.c which relates to U-Boot timing
Drop the removal of boot* files from the output directory, since this
interfers with the symlinks created by tools and there does not appear
to be any such file from my brief testing.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Artem Lapkin <email2tema@gmail.com>
Tested-by: Artem Lapkin <email2tema@gmail.com>
|
|
While we intentionally set -std=gnu11 for building host tools, and have
for quite some time, we never dropped -std=gnu99 from tools/Makefile.
This resulted in passing -std=gnu11 ... -std=gnu99 when building, and
gnu99 would win. This in turn would result now in warnings such as:
tools/mkeficapsule.c:25:15: warning: redefinition of typedef 'u32' is a C11 feature [-Wtypedef-redefinition]
typedef __u32 u32;
^
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
To avoid having #ifdefs in a few functions which are completely different
in the board and host code, create a new image-host.c file.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
This padding depends on board config file and therefore it makes the
mkimage binary tool board specific, which is not correct. One cannot use
mkimage tool built as a result for board A to generate images for board
B, even if both A and B are on the same platform.
This CONFIG_SYS_U_BOOT_OFFS padding was needed when kwbimage v1 contained
SPL code which loaded U-Boot proper based on CONFIG_SYS_U_BOOT_OFFS,
instead of reading correct offset from kwbimage header.
Now that SPL code parses kwbimage header and deterinate correct offset,
there is no need for this CONFIG_SYS_U_BOOT_OFFS padding anymore.
By removing it we also reduce the size of SPL code and therefore also
decrease the final size of v1 kwbimage. This means there is more space
for U-Boot proper binary.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
|
|
The mkimage host tool can be used to generate kwbimage v1 image with
secure header on host system for A38x plaform also when U-Boot is being
compiled for different platform. So there is no reason to not allow
compiling of mkimage/kwbimage with secure header support for e.g. x86-64
host.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Chris Packham <judge.packham@gmail.com>
|
|
The CONFIG_SYS_U_BOOT_OFFS option may be defined as empty string.
In this case it causes compilation error:
tools/kwbimage.c: In function ‘image_headersz_v1’:
tools/kwbimage.c:1002:39: error: expected expression before ‘)’ token
if (headersz > CONFIG_SYS_U_BOOT_OFFS) {
^
tools/kwbimage.c:1006:41: error: expected expression before ‘)’ token
(int)headersz, CONFIG_SYS_U_BOOT_OFFS);
^
tools/kwbimage.c:1011:35: error: expected expression before ‘;’ token
headersz = CONFIG_SYS_U_BOOT_OFFS;
^
make[1]: *** [scripts/Makefile.host:112: tools/kwbimage.o] Error 1
make: *** [Makefile:1822: tools] Error 2
Check whether the value of CONFIG_SYS_U_BOOT_OFFS is really set.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Tested-by: Chris Packham <judge.packham@gmail.com>
|
|
Host tool features, such as mkimage's ability to sign FIT images were
enabled or disabled based on the target configuration. However, this
misses the point of a target-agnostic host tool.
A target's ability to verify FIT signatures is independent of
mkimage's ability to create those signatures. In fact, u-boot's build
system doesn't sign images. The target code can be successfully built
without relying on any ability to sign such code.
Conversely, mkimage's ability to sign images does not require that
those images will only work on targets which support FIT verification.
Linking mkimage cryptographic features to target support for FIT
verification is misguided.
Without loss of generality, we can say that host features are and
should be independent of target features.
While we prefer that a host tool always supports the same feature set,
we recognize the following
- some users prefer to build u-boot without a dependency on OpenSSL.
- some distros prefer to ship mkimage without linking to OpenSSL
To allow these use cases, introduce a host-only Kconfig which is used
to select or deselect libcrypto support. Some mkimage features or some
host tools might not be available, but this shouldn't affect the
u-boot build.
I also considered setting the default of this config based on
FIT_SIGNATURE. While it would preserve the old behaviour it's also
contrary to the goals of this change. I decided to enable it by
default, so that the default build yields the most feature-complete
mkimage.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
|
|
image-sig.c is used to map a hash or crypto algorithm name to a
handler of that algorithm. There is some similarity between the host
and target variants, with the differences worked out by #ifdefs. The
purpose of this change is to remove those ifdefs.
First, copy the file to a host-only version, and remove target
specific code. Although it looks like we are duplicating code,
subsequent patches will change the way target algorithms are searched.
Besides we are only duplicating three string to struct mapping
functions. This isn't something to fuss about.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
now supporting hardware-accelerated ECDSA, it makes sense to expand
signing support to elliptic curves.
Implement host-side ECDSA signing and verification with libcrypto.
Device-side implementation of signature verification is beyond the
scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
fdt_add_bignum() is useful for algorithms other than just RSA. To
allow its use for ECDSA, move it to a common file under lib/.
The new file is suffixed with '-libcrypto' because it has a direct
dependency on openssl. This is due to the use of the "BIGNUM *" type.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
rsa-checksum.c sontains the hash_calculate() implementations. Despite
the "rsa-" file prefix, this function is useful for other algorithms.
To prevent confusion, move this file to lib/, and rename it to
hash-checksum.c, to give it a more "generic" feel.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
Config option ARMADA_39X is never set so remove all dead code hidden under
ifdef CONFIG_ARMADA_39X blocks.
Also remove useless checks for CONFIG_ARMADA_38X define as this macro is
always defined for a38x code path.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
|
