[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Marek Vasut]

This patch adds support for SHA-256 hash into the FIT image. The usage is
as with the other hashing algorithms:

"
	hash at 1 {
		algo = "sha256";
	};
"

Signed-off-by: Marek Vasut <marex@denx.de>
---
 common/image-fit.c |  5 +++++
 include/image.h    | 15 ++++++++++++++-
 tools/Makefile     |  2 ++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index cf4b67e..a7ecf8b 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -22,6 +22,7 @@ DECLARE_GLOBAL_DATA_PTR;
 
 #include <bootstage.h>
 #include <sha1.h>
+#include <sha256.h>
 #include <u-boot/crc.h>
 #include <u-boot/md5.h>
 
@@ -882,6 +883,10 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 		sha1_csum_wd((unsigned char *)data, data_len,
 			     (unsigned char *)value, CHUNKSZ_SHA1);
 		*value_len = 20;
+	} else if (IMAGE_ENABLE_SHA256 && strcmp(algo, "sha256") == 0) {
+		sha256_csum_wd((unsigned char *)data, data_len,
+			     (unsigned char *)value, CHUNKSZ_SHA256);
+		*value_len = 32;
 	} else if (IMAGE_ENABLE_MD5 && strcmp(algo, "md5") == 0) {
 		md5_wd((unsigned char *)data, data_len, value, CHUNKSZ_MD5);
 		*value_len = 16;
diff --git a/include/image.h b/include/image.h
index 7de2bb2..e5c76e7 100644
--- a/include/image.h
+++ b/include/image.h
@@ -57,13 +57,18 @@ struct lmb;
 #  ifdef CONFIG_SPL_SHA1_SUPPORT
 #   define IMAGE_ENABLE_SHA1	1
 #  endif
+#  ifdef CONFIG_SPL_SHA256_SUPPORT
+#   define IMAGE_ENABLE_SHA256	1
+#  endif
 # else
 #  define CONFIG_CRC32		/* FIT images need CRC32 support */
 #  define CONFIG_MD5		/* and MD5 */
 #  define CONFIG_SHA1		/* and SHA1 */
+#  define CONFIG_SHA256		/* and SHA256 */
 #  define IMAGE_ENABLE_CRC32	1
 #  define IMAGE_ENABLE_MD5	1
 #  define IMAGE_ENABLE_SHA1	1
+#  define IMAGE_ENABLE_SHA256	1
 # endif
 
 #ifndef IMAGE_ENABLE_CRC32
@@ -78,6 +83,10 @@ struct lmb;
 #define IMAGE_ENABLE_SHA1	0
 #endif
 
+#ifndef IMAGE_ENABLE_SHA256
+#define IMAGE_ENABLE_SHA256	0
+#endif
+
 #endif /* CONFIG_FIT */
 
 #ifdef CONFIG_SYS_BOOT_RAMDISK_HIGH
@@ -345,6 +354,10 @@ extern bootm_headers_t images;
 #define CHUNKSZ_SHA1 (64 * 1024)
 #endif
 
+#ifndef CHUNKSZ_SHA256
+#define CHUNKSZ_SHA256 (64 * 1024)
+#endif
+
 #define uimage_to_cpu(x)		be32_to_cpu(x)
 #define cpu_to_uimage(x)		cpu_to_be32(x)
 
@@ -691,7 +704,7 @@ int bootz_setup(ulong image, ulong *start, ulong *end);
 #define FIT_FDT_PROP		"fdt"
 #define FIT_DEFAULT_PROP	"default"
 
-#define FIT_MAX_HASH_LEN	20	/* max(crc32_len(4), sha1_len(20)) */
+#define FIT_MAX_HASH_LEN	32	/* max(crc32_len(4), sha1_len(20), sha256_len(32)) */
 
 /* cmdline argument format parsing */
 int fit_parse_conf(const char *spec, ulong addr_curr,
diff --git a/tools/Makefile b/tools/Makefile
index 328cea3..e025004 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -71,6 +71,7 @@ EXT_OBJ_FILES-y += common/image-sig.o
 EXT_OBJ_FILES-y += lib/crc32.o
 EXT_OBJ_FILES-y += lib/md5.o
 EXT_OBJ_FILES-y += lib/sha1.o
+EXT_OBJ_FILES-y += lib/sha256.o
 
 # Source files located in the tools directory
 NOPED_OBJ_FILES-y += aisimage.o
@@ -252,6 +253,7 @@ $(obj)mkimage$(SFX):	$(obj)aisimage.o \
 			$(obj)os_support.o \
 			$(obj)pblimage.o \
 			$(obj)sha1.o \
+			$(obj)sha256.o \
 			$(obj)ublimage.o \
 			$(LIBFDT_OBJS) \
 			$(RSA_OBJS)
-- 
1.8.5.3

[U-Boot] [PATCH 2/3] fit: rsa: Add groundwork to support other hashes

[Marek Vasut]

Separate out the SHA1 code from the rsa-sign.c and rsa-verify.c .
Each file now has a function which does the correct hashing operation
instead of having the SHA-1 hashing operation hard-coded in the rest
of the code. This makes adding a new hashing operating much easier and
cleaner.

Signed-off-by: Marek Vasut <marex@denx.de>
---
 lib/rsa/rsa-sign.c   | 45 ++++++++++++++++++++++++--
 lib/rsa/rsa-verify.c | 89 +++++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 110 insertions(+), 24 deletions(-)

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 549130e..4e11720 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -15,6 +15,11 @@
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 
+enum rsa_hash_type {
+	RSA_HASH_SHA1,
+	RSA_HASH_UNKNOWN,
+};
+
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
 #define HAVE_ERR_REMOVE_THREAD_STATE
 #endif
@@ -159,7 +164,19 @@ static void rsa_remove(void)
 	EVP_cleanup();
 }
 
-static int rsa_sign_with_key(RSA *rsa, const struct image_region region[],
+static const EVP_MD *rsa_sign_get_hash(enum rsa_hash_type hash)
+{
+	switch (hash) {
+	case RSA_HASH_SHA1:
+		return EVP_sha1();
+	default:	/* This must never happen. */
+		rsa_err("Invalid hash type!\n");
+		exit(1);
+	};
+}
+
+static int rsa_sign_with_key(RSA *rsa, enum rsa_hash_type hash,
+		const struct image_region region[],
 		int region_count, uint8_t **sigp, uint *sig_size)
 {
 	EVP_PKEY *key;
@@ -192,7 +209,7 @@ static int rsa_sign_with_key(RSA *rsa, const struct image_region region[],
 		goto err_create;
 	}
 	EVP_MD_CTX_init(context);
-	if (!EVP_SignInit(context, EVP_sha1())) {
+	if (!EVP_SignInit(context, rsa_sign_get_hash(hash))) {
 		ret = rsa_err("Signer setup failed");
 		goto err_sign;
 	}
@@ -228,12 +245,34 @@ err_set:
 	return ret;
 }
 
+static enum rsa_hash_type rsa_get_sha_type(struct image_sign_info *info)
+{
+	char *pos;
+	unsigned int hash_str_len;
+
+	pos = strstr(info->algo->name, ",");
+	if (!pos)
+		return -EINVAL;
+
+	hash_str_len = pos - info->algo->name;
+
+	if (!strncmp(info->algo->name, "sha1", hash_str_len))
+		return RSA_HASH_SHA1;
+	else
+		return RSA_HASH_UNKNOWN;
+}
+
 int rsa_sign(struct image_sign_info *info,
 	     const struct image_region region[], int region_count,
 	     uint8_t **sigp, uint *sig_len)
 {
 	RSA *rsa;
 	int ret;
+	enum rsa_hash_type hash;
+
+	hash = rsa_get_sha_type(info);
+	if (hash == RSA_HASH_UNKNOWN)
+		return -EINVAL;
 
 	ret = rsa_init();
 	if (ret)
@@ -242,7 +281,7 @@ int rsa_sign(struct image_sign_info *info,
 	ret = rsa_get_priv_key(info->keydir, info->keyname, &rsa);
 	if (ret)
 		goto err_priv;
-	ret = rsa_sign_with_key(rsa, region, region_count, sigp, sig_len);
+	ret = rsa_sign_with_key(rsa, hash, region, region_count, sigp, sig_len);
 	if (ret)
 		goto err_sign;
 
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 02cc4e3..9617f8d 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -6,6 +6,7 @@
 
 #include <common.h>
 #include <fdtdec.h>
+#include <malloc.h>
 #include <rsa.h>
 #include <sha1.h>
 #include <asm/byteorder.h>
@@ -209,10 +210,9 @@ static int pow_mod(const struct rsa_public_key *key, uint32_t *inout)
 }
 
 static int rsa_verify_key(const struct rsa_public_key *key, const uint8_t *sig,
-		const uint32_t sig_len, const uint8_t *hash)
+		const uint32_t sig_len, const uint8_t *hash,
+		const uint8_t *padding, int pad_len)
 {
-	const uint8_t *padding;
-	int pad_len;
 	int ret;
 
 	if (!key || !sig || !hash)
@@ -238,10 +238,6 @@ static int rsa_verify_key(const struct rsa_public_key *key, const uint8_t *sig,
 	if (ret)
 		return ret;
 
-	/* Determine padding to use depending on the signature type. */
-	padding = padding_sha1_rsa2048;
-	pad_len = RSA2048_BYTES - SHA1_SUM_LEN;
-
 	/* Check pkcs1.5 padding bytes. */
 	if (memcmp(buf, padding, pad_len)) {
 		debug("In RSAVerify(): Padding check failed!\n");
@@ -266,7 +262,8 @@ static void rsa_convert_big_endian(uint32_t *dst, const uint32_t *src, int len)
 }
 
 static int rsa_verify_with_keynode(struct image_sign_info *info,
-		const void *hash, uint8_t *sig, uint sig_len, int node)
+		const void *hash, uint8_t *sig, uint sig_len, int node,
+		const uint8_t *padding, int pad_len)
 {
 	const void *blob = info->fdt_blob;
 	struct rsa_public_key key;
@@ -309,7 +306,7 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
 	}
 
 	debug("key length %d\n", key.len);
-	ret = rsa_verify_key(&key, sig, sig_len, hash);
+	ret = rsa_verify_key(&key, sig, sig_len, hash, padding, pad_len);
 	if (ret) {
 		printf("%s: RSA failed to verify: %d\n", __func__, ret);
 		return ret;
@@ -318,17 +315,64 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
 	return 0;
 }
 
+static int
+rsa_compute_hash_sha1(const struct image_region region[], int region_count,
+		     uint8_t **out_hash)
+{
+	sha1_context ctx;
+	int i;
+	uint8_t *hash;
+
+	hash = calloc(1, SHA1_SUM_LEN);
+	if (!hash)
+		return -ENOMEM;
+
+	sha1_starts(&ctx);
+	for (i = 0; i < region_count; i++)
+		sha1_update(&ctx, region[i].data, region[i].size);
+	sha1_finish(&ctx, hash);
+
+	*out_hash = hash;
+
+	return 0;
+}
+
+static int rsa_compute_hash(struct image_sign_info *info,
+			   const struct image_region region[], int region_count,
+			   uint8_t **out_hash, const uint8_t **padding,
+			   int *pad_len)
+{
+	int len, ret;
+	const uint8_t *pad;
+
+	if (!strcmp(info->algo->name, "sha1,rsa2048")) {
+		pad = padding_sha1_rsa2048;
+		len = RSA2048_BYTES - SHA1_SUM_LEN;
+		ret = rsa_compute_hash_sha1(region, region_count, out_hash);
+	} else {
+		ret = -EINVAL;
+	}
+
+	if (!ret) {
+		*padding = pad;
+		*pad_len = len;
+	}
+
+	return ret;
+}
+
 int rsa_verify(struct image_sign_info *info,
 	       const struct image_region region[], int region_count,
 	       uint8_t *sig, uint sig_len)
 {
 	const void *blob = info->fdt_blob;
-	uint8_t hash[SHA1_SUM_LEN];
+	uint8_t *hash = NULL;
 	int ndepth, noffset;
 	int sig_node, node;
 	char name[100];
-	sha1_context ctx;
-	int ret, i;
+	const uint8_t *padding;
+	int pad_len;
+	int ret;
 
 	sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
 	if (sig_node < 0) {
@@ -336,25 +380,26 @@ int rsa_verify(struct image_sign_info *info,
 		return -ENOENT;
 	}
 
-	sha1_starts(&ctx);
-	for (i = 0; i < region_count; i++)
-		sha1_update(&ctx, region[i].data, region[i].size);
-	sha1_finish(&ctx, hash);
+	ret = rsa_compute_hash(info, region, region_count, &hash,
+			       &padding, &pad_len);
+	if (ret)
+		return ret;
 
 	/* See if we must use a particular key */
 	if (info->required_keynode != -1) {
 		ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
-			info->required_keynode);
+			info->required_keynode, padding, pad_len);
 		if (!ret)
-			return ret;
+			goto exit;
 	}
 
 	/* Look for a key that matches our hint */
 	snprintf(name, sizeof(name), "key-%s", info->keyname);
 	node = fdt_subnode_offset(blob, sig_node, name);
-	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
+	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node,
+				      padding, pad_len);
 	if (!ret)
-		return ret;
+		goto exit;
 
 	/* No luck, so try each of the keys in turn */
 	for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
@@ -362,11 +407,13 @@ int rsa_verify(struct image_sign_info *info,
 			noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
 		if (ndepth == 1 && noffset != node) {
 			ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
-						      noffset);
+						      noffset, padding, pad_len);
 			if (!ret)
 				break;
 		}
 	}
 
+exit:
+	free(hash);
 	return ret;
 }
-- 
1.8.5.3

[U-Boot] [PATCH 3/3] fit: rsa: Add support for SHA256 hash

[Marek Vasut]

Add support for "sha256,rsa2048" signature. This patch utilises the previously
laid groundwork for adding other hashes.

Signed-off-by: Marek Vasut <marex@denx.de>
---
 common/image-sig.c   |  8 +++++++-
 lib/rsa/rsa-sign.c   |  5 +++++
 lib/rsa/rsa-verify.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/common/image-sig.c b/common/image-sig.c
index 973b06d..c3d63bc 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -23,7 +23,13 @@ struct image_sig_algo image_sig_algos[] = {
 		rsa_sign,
 		rsa_add_verify_data,
 		rsa_verify,
-	}
+	},
+	{
+		"sha256,rsa2048",
+		rsa_sign,
+		rsa_add_verify_data,
+		rsa_verify,
+	},
 };
 
 struct image_sig_algo *image_get_sig_algo(const char *name)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 4e11720..f1167b1 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -17,6 +17,7 @@
 
 enum rsa_hash_type {
 	RSA_HASH_SHA1,
+	RSA_HASH_SHA256,
 	RSA_HASH_UNKNOWN,
 };
 
@@ -169,6 +170,8 @@ static const EVP_MD *rsa_sign_get_hash(enum rsa_hash_type hash)
 	switch (hash) {
 	case RSA_HASH_SHA1:
 		return EVP_sha1();
+	case RSA_HASH_SHA256:
+		return EVP_sha256();
 	default:	/* This must never happen. */
 		rsa_err("Invalid hash type!\n");
 		exit(1);
@@ -258,6 +261,8 @@ static enum rsa_hash_type rsa_get_sha_type(struct image_sign_info *info)
 
 	if (!strncmp(info->algo->name, "sha1", hash_str_len))
 		return RSA_HASH_SHA1;
+	else if (!strncmp(info->algo->name, "sha256", hash_str_len))
+		return RSA_HASH_SHA256;
 	else
 		return RSA_HASH_UNKNOWN;
 }
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 9617f8d..67fb882 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -9,6 +9,7 @@
 #include <malloc.h>
 #include <rsa.h>
 #include <sha1.h>
+#include <sha256.h>
 #include <asm/byteorder.h>
 #include <asm/errno.h>
 #include <asm/unaligned.h>
@@ -70,6 +71,37 @@ static const uint8_t padding_sha1_rsa2048[RSA2048_BYTES - SHA1_SUM_LEN] = {
 	0x05, 0x00, 0x04, 0x14
 };
 
+static const uint8_t padding_sha256_rsa2048[RSA2048_BYTES - SHA256_SUM_LEN] = {
+	0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0x00, 0x30, 0x31, 0x30,
+	0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
+};
+
 /**
  * subtract_modulus() - subtract modulus from the given value
  *
@@ -337,6 +369,28 @@ rsa_compute_hash_sha1(const struct image_region region[], int region_count,
 	return 0;
 }
 
+static int
+rsa_compute_hash_sha256(const struct image_region region[], int region_count,
+		     uint8_t **out_hash)
+{
+	sha256_context ctx;
+	int i;
+	uint8_t *hash;
+
+	hash = calloc(1, SHA256_SUM_LEN);
+	if (!hash)
+		return -ENOMEM;
+
+	sha256_starts(&ctx);
+	for (i = 0; i < region_count; i++)
+		sha256_update(&ctx, region[i].data, region[i].size);
+	sha256_finish(&ctx, hash);
+
+	*out_hash = hash;
+
+	return 0;
+}
+
 static int rsa_compute_hash(struct image_sign_info *info,
 			   const struct image_region region[], int region_count,
 			   uint8_t **out_hash, const uint8_t **padding,
@@ -349,6 +403,10 @@ static int rsa_compute_hash(struct image_sign_info *info,
 		pad = padding_sha1_rsa2048;
 		len = RSA2048_BYTES - SHA1_SUM_LEN;
 		ret = rsa_compute_hash_sha1(region, region_count, out_hash);
+	} else if (!strcmp(info->algo->name, "sha256,rsa2048")) {
+		pad = padding_sha256_rsa2048;
+		len = RSA2048_BYTES - SHA256_SUM_LEN;
+		ret = rsa_compute_hash_sha256(region, region_count, out_hash);
 	} else {
 		ret = -EINVAL;
 	}
-- 
1.8.5.3

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Heiko Schocher]

Hello Marek,

Am 06.02.2014 04:47, schrieb Marek Vasut:
> This patch adds support for SHA-256 hash into the FIT image. The usage is
> as with the other hashing algorithms:
>
> "
> 	hash at 1 {
> 		algo = "sha256";
> 	};
> "
>
> Signed-off-by: Marek Vasut<marex@denx.de>
> ---
>   common/image-fit.c |  5 +++++
>   include/image.h    | 15 ++++++++++++++-
>   tools/Makefile     |  2 ++
>   3 files changed, 21 insertions(+), 1 deletion(-)

seems I posted similiar patches ... you find them here:

[U-Boot,1/7] tools/image-host: fix sign-images bug
http://patchwork.ozlabs.org/patch/314125/

[U-Boot,2/7] fdt: add "fdt sign" command
http://patchwork.ozlabs.org/patch/314120/

[U-Boot,3/7] fit: add sha256 support
http://patchwork.ozlabs.org/patch/314126/

[U-Boot,4/7] rsa: add sha256-rsa2048 algorithm
http://patchwork.ozlabs.org/patch/314124/

[U-Boot,5/7] rsa: add sha256,rsa4096 algorithm
http://patchwork.ozlabs.org/patch/314121/

I reworked the comments, except one is missing, and I can post "v2"
Maybe you can try this patches?

bye,
Heiko
-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Wolfgang Denk]

Dear Marek,

In message <1391658426-24799-1-git-send-email-marex@denx.de> you wrote:
> This patch adds support for SHA-256 hash into the FIT image. The usage is
> as with the other hashing algorithms:
...
> -#define FIT_MAX_HASH_LEN	20	/* max(crc32_len(4), sha1_len(20)) */
> +#define FIT_MAX_HASH_LEN	32	/* max(crc32_len(4), sha1_len(20), sha256_len(32)) */

Line too long.

Please make sure to run your patches through checkpatch !

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I have made mistakes, but have never made the mistake of  claiming  I
never made one.                                     - James G. Bennet

[U-Boot] [PATCH 2/3] fit: rsa: Add groundwork to support other hashes

[Wolfgang Denk]

Dear Marek,

In message <1391658426-24799-2-git-send-email-marex@denx.de> you wrote:
> Separate out the SHA1 code from the rsa-sign.c and rsa-verify.c .
> Each file now has a function which does the correct hashing operation
> instead of having the SHA-1 hashing operation hard-coded in the rest
> of the code. This makes adding a new hashing operating much easier and
> cleaner.
...
> -						      noffset);
> +						      noffset, padding, pad_len);

Line too long.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
It is easier to write an incorrect program than understand a  correct
one.

[U-Boot] [PATCH 2/3] fit: rsa: Add groundwork to support other hashes

[Marek Vasut]

On Thursday, February 06, 2014 at 01:18:31 PM, Wolfgang Denk wrote:
> Dear Marek,
> 
> In message <1391658426-24799-2-git-send-email-marex@denx.de> you wrote:
> > Separate out the SHA1 code from the rsa-sign.c and rsa-verify.c .
> > Each file now has a function which does the correct hashing operation
> > instead of having the SHA-1 hashing operation hard-coded in the rest
> > of the code. This makes adding a new hashing operating much easier and
> > cleaner.
> 
> ...
> 
> > -						      noffset);
> > +						      noffset, padding, 
pad_len);
> 
> Line too long.

I will need to cross-correlate this with Heiko's efforts, so there'll be V2 of 
either mine or his stuff.

Thanks for the review though.

Best regards,
Marek Vasut

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Marek Vasut]

On Thursday, February 06, 2014 at 01:17:36 PM, Wolfgang Denk wrote:
> Dear Marek,
> 
> In message <1391658426-24799-1-git-send-email-marex@denx.de> you wrote:
> > This patch adds support for SHA-256 hash into the FIT image. The usage is
> 
> > as with the other hashing algorithms:
> ...
> 
> > -#define FIT_MAX_HASH_LEN	20	/* max(crc32_len(4), sha1_len(20)) */
> > +#define FIT_MAX_HASH_LEN	32	/* max(crc32_len(4), sha1_len(20),
> > sha256_len(32)) */
> 
> Line too long.
> 
> Please make sure to run your patches through checkpatch !

This is weird, since all my patches should be checked upon 'git commit' via 
hook. Thanks for bringing this up to my attention, I will verify that.

Nonetheless, I would vouch for applying Heiko's patches instead.

Best regards,
Marek Vasut

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Marek Vasut]

On Thursday, February 06, 2014 at 06:19:11 AM, Heiko Schocher wrote:
> Hello Marek,
> 
> Am 06.02.2014 04:47, schrieb Marek Vasut:
> > This patch adds support for SHA-256 hash into the FIT image. The usage is
> > as with the other hashing algorithms:
> > 
> > "
> > 
> > 	hash at 1 {
> > 	
> > 		algo = "sha256";
> > 	
> > 	};
> > 
> > "
> > 
> > Signed-off-by: Marek Vasut<marex@denx.de>
> > ---
> > 
> >   common/image-fit.c |  5 +++++
> >   include/image.h    | 15 ++++++++++++++-
> >   tools/Makefile     |  2 ++
> >   3 files changed, 21 insertions(+), 1 deletion(-)
> 
> seems I posted similiar patches ... you find them here:

Nice, thanks for bringing this up. Please review my series and check if there's 
possibly something interesting in that you might pull out into yours.

Otherwise, I'm all for applying your , since you also added rsa4096.

Best regards,
Marek Vasut

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Heiko Schocher]

Hello Marek,

Am 08.02.2014 15:18, schrieb Marek Vasut:
> On Thursday, February 06, 2014 at 06:19:11 AM, Heiko Schocher wrote:
>> Hello Marek,
>>
>> Am 06.02.2014 04:47, schrieb Marek Vasut:
>>> This patch adds support for SHA-256 hash into the FIT image. The usage is
>>> as with the other hashing algorithms:
>>>
>>> "
>>>
>>> 	hash at 1 {
>>> 	
>>> 		algo = "sha256";
>>> 	
>>> 	};
>>>
>>> "
>>>
>>> Signed-off-by: Marek Vasut<marex@denx.de>
>>> ---
>>>
>>>    common/image-fit.c |  5 +++++
>>>    include/image.h    | 15 ++++++++++++++-
>>>    tools/Makefile     |  2 ++
>>>    3 files changed, 21 insertions(+), 1 deletion(-)
>>
>> seems I posted similiar patches ... you find them here:
>
> Nice, thanks for bringing this up. Please review my series and check if there's
> possibly something interesting in that you might pull out into yours.

I think, all your changes are also in my patchseries ...

> Otherwise, I'm all for applying your , since you also added rsa4096.

bye,
Heiko
-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[U-Boot] [PATCH 1/3] fit: Add support for SHA256 hash

[Marek Vasut]

On Monday, February 10, 2014 at 07:35:44 AM, Heiko Schocher wrote:
> Hello Marek,
> 
> Am 08.02.2014 15:18, schrieb Marek Vasut:
> > On Thursday, February 06, 2014 at 06:19:11 AM, Heiko Schocher wrote:
> >> Hello Marek,
> >> 
> >> Am 06.02.2014 04:47, schrieb Marek Vasut:
> >>> This patch adds support for SHA-256 hash into the FIT image. The usage
> >>> is as with the other hashing algorithms:
> >>> 
> >>> "
> >>> 
> >>> 	hash at 1 {
> >>> 	
> >>> 		algo = "sha256";
> >>> 	
> >>> 	};
> >>> 
> >>> "
> >>> 
> >>> Signed-off-by: Marek Vasut<marex@denx.de>
> >>> ---
> >>> 
> >>>    common/image-fit.c |  5 +++++
> >>>    include/image.h    | 15 ++++++++++++++-
> >>>    tools/Makefile     |  2 ++
> >>>    3 files changed, 21 insertions(+), 1 deletion(-)
> >> 
> >> seems I posted similiar patches ... you find them here:
> > Nice, thanks for bringing this up. Please review my series and check if
> > there's possibly something interesting in that you might pull out into
> > yours.
> 
> I think, all your changes are also in my patchseries ...

OK, thanks!

Best regards,
Marek Vasut

[U-Boot] [PATCH 3/3] fit: rsa: Add support for SHA256 hash

[Simon Glass]

Hi Marek,

On 5 February 2014 20:47, Marek Vasut <marex@denx.de> wrote:
> Add support for "sha256,rsa2048" signature. This patch utilises the previously
> laid groundwork for adding other hashes.
>
> Signed-off-by: Marek Vasut <marex@denx.de>

Does this conflict with Heiko's patch or is it the same?

Regards,
Simon

[U-Boot] [PATCH 3/3] fit: rsa: Add support for SHA256 hash

[Marek Vasut]

On Sunday, February 16, 2014 at 12:31:53 AM, Simon Glass wrote:
> Hi Marek,
> 
> On 5 February 2014 20:47, Marek Vasut <marex@denx.de> wrote:
> > Add support for "sha256,rsa2048" signature. This patch utilises the
> > previously laid groundwork for adding other hashes.
> > 
> > Signed-off-by: Marek Vasut <marex@denx.de>
> 
> Does this conflict with Heiko's patch or is it the same?

Heiko's patchset is superior, so I drop this one please.

Best regards,
Marek Vasut