From mboxrd@z Thu Jan 1 00:00:00 1970
From: Simon Glass
Date: Thu, 6 May 2021 08:24:25 -0600
Subject: [PATCH v2 37/50] image: Drop IMAGE_ENABLE_SIGN/VERIFY defines
In-Reply-To: <20210506142438.1310977-1-sjg@chromium.org>
References: <20210506142438.1310977-1-sjg@chromium.org>
Message-ID: <20210506142438.1310977-10-sjg@chromium.org>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de
Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop FIT_IMAGE_ENABLE_VERIFY which is not actually used. Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete and needs to be integrated with RSA.
Signed-off-by: Simon Glass
---
(no changes since v1)
common/image-fit.c | 6 +++---
common/image-sig.c | 10 +++++-----
include/image.h | 13 ++-----------
include/u-boot/ecdsa.h | 2 +-
include/u-boot/rsa.h | 4 ++--
tools/Kconfig | 10 ++++++++++
tools/image-host.c | 4 ++--
7 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index c13ff6bba24..e81a0858dc1 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 int ret;
 /* Verify all required signatures */
- if (FIT_IMAGE_ENABLE_VERIFY &&
+ if (CONFIG_IS_ENABLED(RSA_VERIFY) &&
 fit_image_verify_required_sigs(fit, image_noffset, data, size, gd_fdt_blob(), &verify_all)) {
 err_msg = "Unable to verify required signature";
@@ -1323,7 +1323,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 &err_msg)) goto error;
 puts("+ ");
- } else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
+ } else if (CONFIG_IS_ENABLED(RSA_VERIFY) && verify_all &&
 !strncmp(name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) {
 ret = fit_image_check_sig(fit, noffset, data,
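Review bot: In the `@@ -1301` hunk of common/image-fit.c, the required-signature check is now compiled in only when `CONFIG_IS_ENABLED(RSA_VERIFY)` is true, whereas the lines removed from include/image.h show that the old target-side gate `FIT_IMAGE_ENABLE_VERIFY` was `CONFIG_IS_ENABLED(FIT_SIGNATURE)`; a configuration with FIT_SIGNATURE but without RSA_VERIFY would appear to skip `fit_image_verify_required_sigs()` with no diagnostic. The same substitution is made in the `@@ -1323` hunk and in `fit_image_load()` (`@@ -2045`), and the commit message's statement that FIT_IMAGE_ENABLE_VERIFY "is not actually used" does not match these three call sites. Unless Kconfig guarantees that FIT_SIGNATURE selects RSA_VERIFY in every build phase (not visible in this patch), keep the original condition, e.g. `if (CONFIG_IS_ENABLED(FIT_SIGNATURE) &&`, or add a preprocessor check that fails the build when FIT_SIGNATURE is enabled without a verifier. The function bodies continue outside these hunks.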
@@ -2045,7 +2045,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
 if (image_type == IH_TYPE_KERNEL) images->fit_uname_cfg = fit_base_uname_config;
- if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
+ if (CONFIG_IS_ENABLED(RSA_VERIFY) && images->verify) {
 puts(" Verifying Hash Integrity ... ");
 if (fit_config_verify(fit, cfg_noffset)) {
 puts("Bad Data Hash\n");
diff --git a/common/image-sig.c b/common/image-sig.c
index bbc6bb3b1e3..74ca96a39e9 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -29,7 +29,7 @@ struct checksum_algo checksum_algos[] = {
 .checksum_len = SHA1_SUM_LEN,
 .der_len = SHA1_DER_LEN,
 .der_prefix = sha1_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 .calculate_sign = EVP_sha1,
 #endif
 .calculate = hash_calculate,
@@ -39,7 +39,7 @@ struct checksum_algo checksum_algos[] = {
 .checksum_len = SHA256_SUM_LEN,
 .der_len = SHA256_DER_LEN,
 .der_prefix = sha256_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 .calculate_sign = EVP_sha256,
 #endif
 .calculate = hash_calculate,
@@ -50,7 +50,7 @@ struct checksum_algo checksum_algos[] = {
 .checksum_len = SHA384_SUM_LEN,
 .der_len = SHA384_DER_LEN,
 .der_prefix = sha384_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 .calculate_sign = EVP_sha384,
 #endif
 .calculate = hash_calculate,
@@ -62,7 +62,7 @@ struct checksum_algo checksum_algos[] = {
 .checksum_len = SHA512_SUM_LEN,
 .der_len = SHA512_DER_LEN,
 .der_prefix = sha512_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 .calculate_sign = EVP_sha512,
 #endif
 .calculate = hash_calculate,
@@ -122,7 +122,7 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name)
 struct checksum_algo *algo = &checksum_algos[i];
 MANUAL_RELOC(algo->name);
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 MANUAL_RELOC(algo->calculate_sign);
 #endif
 MANUAL_RELOC(algo->calculate);
diff --git a/include/image.h b/include/image.h
index 64866c609f4..12043abd049 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1139,22 +1139,13 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 */
 #if defined(USE_HOSTCC)
 # if defined(CONFIG_FIT_SIGNATURE)
-# define IMAGE_ENABLE_SIGN 1
-# define IMAGE_ENABLE_VERIFY 1
 # define IMAGE_ENABLE_VERIFY_ECDSA 1
-# define FIT_IMAGE_ENABLE_VERIFY 1
 # include
 # else
-# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY 0
 # define IMAGE_ENABLE_VERIFY_ECDSA 0
-# define FIT_IMAGE_ENABLE_VERIFY 0
 # endif
 #else
-# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY)
 # define IMAGE_ENABLE_VERIFY_ECDSA 0
-# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
 #if CONFIG_IS_ENABLED(FIT)
@@ -1209,7 +1200,7 @@ struct image_region {
 int size;
 };
-#if IMAGE_ENABLE_VERIFY
+#if CONFIG_IS_ENABLED(RSA_VERIFY)
 # include
 #endif
 struct checksum_algo {
@@ -1217,7 +1208,7 @@ struct checksum_algo {
 const int checksum_len;
 const int der_len;
 const uint8_t *der_prefix;
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 const EVP_MD *(*calculate_sign)(void);
 #endif
 int (*calculate)(const char *name,
diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
index 979690d9660..a446b656a29 100644
--- a/include/u-boot/ecdsa.h
+++ b/include/u-boot/ecdsa.h
@@ -15,7 +15,7 @@
 * @see "struct crypto_algo"
 * @{
 */
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 /**
 * sign() - calculate and return signature for given input data
 *
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 45fe3509093..84cefbab442 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -31,7 +31,7 @@ struct rsa_public_key {
 struct image_sign_info;
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
 /**
 * sign() - calculate and return signature for given input data
 *
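Review bot: In include/image.h the `calculate_sign` member (`@@ -1217` hunk) is now declared under `CONFIG_IS_ENABLED(FIT_SIGN)`, but the `# include` kept in the `@@ -1139` hunk is still guarded by `defined(CONFIG_FIT_SIGNATURE)`, so the condition on the declaration and the condition on its header can diverge. tools/Kconfig in this patch makes HOST_FIT_SIGN an unconditional `def_bool y`; if the host build maps FIT_SIGN to that symbol and the retained include is the one that declares `EVP_MD` (its header name is missing from this page), a host build without CONFIG_FIT_SIGNATURE would compile `const EVP_MD *(*calculate_sign)(void);` with the type undeclared, and the `.calculate_sign = EVP_sha1` style initialisers in common/image-sig.c would be affected the same way. Put the include under its own `#if CONFIG_IS_ENABLED(FIT_SIGN)` block so it follows its users, or give HOST_FIT_SIGN a `depends on HOST_FIT_SIGNATURE` line as HOST_FIT_SIGNATURE_MAX_SIZE already has.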
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
 }
 #endif
-#if IMAGE_ENABLE_VERIFY
+#if CONFIG_IS_ENABLED(RSA_VERIFY)
 /**
 * rsa_verify_hash() - Verify a signature against a hash
 *
diff --git a/tools/Kconfig b/tools/Kconfig
index bbd6e8b9d79..13f923c7ac7 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -59,6 +59,11 @@ config HOST_FIT_SIGNATURE
 help
 Enable signature verification of FIT uImages in the host build
+config HOST_FIT_SIGN
+ def_bool y
+ help
+ Enable signing FIT uImages in the host build
+
 config HOST_FIT_SIGNATURE_MAX_SIZE
 hex
 depends on HOST_FIT_SIGNATURE
@@ -79,6 +84,11 @@ config HOST_OF_LIBFDT
 help
 Enable libfdt support in the host build.
+config HOST_RSA_VERIFY
+ def_bool y
+ help
+ Enable RSA verification support in the host build.
+
 config HOST_SHA1
 def_bool y
 help
diff --git a/tools/image-host.c b/tools/image-host.c
index 270d36fe451..2be897db943 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -636,7 +636,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile,
 strlen(FIT_HASH_NODENAME))) {
 ret = fit_image_process_hash(fit, image_name, noffset, data, size);
- } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
+ } else if (CONFIG_IS_ENABLED(FIT_SIGN) && (keydir || keyfile) &&
 !strncmp(node_name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) {
 ret = fit_image_process_sig(keydir, keyfile, keydest,
@@ -1086,7 +1086,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile,
 }
 /* If there are no keys, we can't sign configurations */
- if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile))
+ if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile))
 return 0;
 /* Find configurations parent node offset */
--
2.31.1.607.g51e8a6a459-goog
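Review bot: In the `@@ -1086` hunk of tools/image-host.c, `if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile)) return 0;` still returns success when a key directory or key file was supplied but signing support is compiled out, so a caller cannot tell a signed image from one where signing was skipped; the `@@ -636` hunk passes over signature nodes under the same condition. The existing comment only explains the no-keys case. Consider separating the two conditions: keep `if (!(keydir || keyfile)) return 0;` for the no-keys case and make the keys-given-but-FIT_SIGN-disabled case print a message and return an error. The function continues outside the hunk.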