From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alex G. Date: Fri, 14 May 2021 15:38:29 -0500 Subject: [PATCH v2 37/50] image: Drop IMAGE_ENABLE_SIGN/VERIFY defines In-Reply-To: <20210506142438.1310977-10-sjg@chromium.org> References: <20210506142438.1310977-1-sjg@chromium.org> <20210506142438.1310977-10-sjg@chromium.org> Message-ID: <648350e7-4dd5-d45b-64b0-b3c5522336fc@gmail.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 5/6/21 9:24 AM, Simon Glass wrote: > Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use > CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary > indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop > FIT_IMAGE_ENABLE_VERIFY which is not actually used. > > Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete > and needs to be integrated with RSA. > > Signed-off-by: Simon Glass > --- > > (no changes since v1) > > common/image-fit.c | 6 +++--- > common/image-sig.c | 10 +++++----- > include/image.h | 13 ++----------- > include/u-boot/ecdsa.h | 2 +- > include/u-boot/rsa.h | 4 ++-- > tools/Kconfig | 10 ++++++++++ > tools/image-host.c | 4 ++-- > 7 files changed, 25 insertions(+), 24 deletions(-) > > diff --git a/common/image-fit.c b/common/image-fit.c > index c13ff6bba24..e81a0858dc1 100644 > --- a/common/image-fit.c > +++ b/common/image-fit.c > @@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset, > int ret; > > /* Verify all required signatures */ > - if (FIT_IMAGE_ENABLE_VERIFY && > + if (CONFIG_IS_ENABLED(RSA_VERIFY) && NAK. Having verification depend directly on CONFIG_RSA_VERIFY will make adding ECDSA support that much more convoluted. > fit_image_verify_required_sigs(fit, image_noffset, data, size, > gd_fdt_blob(), &verify_all)) { > err_msg = "Unable to verify required signature"; > @@ -1323,7 +1323,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset, > &err_msg)) > goto error; > puts("+ "); > - } else if (FIT_IMAGE_ENABLE_VERIFY && verify_all && > + } else if (CONFIG_IS_ENABLED(RSA_VERIFY) && verify_all && > !strncmp(name, FIT_SIG_NODENAME, > strlen(FIT_SIG_NODENAME))) { > ret = fit_image_check_sig(fit, noffset, data, > @@ -2045,7 +2045,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr, > if (image_type == IH_TYPE_KERNEL) > images->fit_uname_cfg = fit_base_uname_config; > > - if (FIT_IMAGE_ENABLE_VERIFY && images->verify) { > + if (CONFIG_IS_ENABLED(RSA_VERIFY) && images->verify) { > puts(" Verifying Hash Integrity ... "); > if (fit_config_verify(fit, cfg_noffset)) { > puts("Bad Data Hash\n"); > diff --git a/common/image-sig.c b/common/image-sig.c > index bbc6bb3b1e3..74ca96a39e9 100644 > --- a/common/image-sig.c > +++ b/common/image-sig.c > @@ -29,7 +29,7 @@ struct checksum_algo checksum_algos[] = { > .checksum_len = SHA1_SUM_LEN, > .der_len = SHA1_DER_LEN, > .der_prefix = sha1_der_prefix, > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > .calculate_sign = EVP_sha1, > #endif > .calculate = hash_calculate, > @@ -39,7 +39,7 @@ struct checksum_algo checksum_algos[] = { > .checksum_len = SHA256_SUM_LEN, > .der_len = SHA256_DER_LEN, > .der_prefix = sha256_der_prefix, > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > .calculate_sign = EVP_sha256, > #endif > .calculate = hash_calculate, > @@ -50,7 +50,7 @@ struct checksum_algo checksum_algos[] = { > .checksum_len = SHA384_SUM_LEN, > .der_len = SHA384_DER_LEN, > .der_prefix = sha384_der_prefix, > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > .calculate_sign = EVP_sha384, > #endif > .calculate = hash_calculate, > @@ -62,7 +62,7 @@ struct checksum_algo checksum_algos[] = { > .checksum_len = SHA512_SUM_LEN, > .der_len = SHA512_DER_LEN, > .der_prefix = sha512_der_prefix, > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > .calculate_sign = EVP_sha512, > #endif > .calculate = hash_calculate, > @@ -122,7 +122,7 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name) > struct checksum_algo *algo = &checksum_algos[i]; > > MANUAL_RELOC(algo->name); > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > MANUAL_RELOC(algo->calculate_sign); > #endif > MANUAL_RELOC(algo->calculate); > diff --git a/include/image.h b/include/image.h > index 64866c609f4..12043abd049 100644 > --- a/include/image.h > +++ b/include/image.h > @@ -1139,22 +1139,13 @@ int calculate_hash(const void *data, int data_len, const char *algo, > */ > #if defined(USE_HOSTCC) > # if defined(CONFIG_FIT_SIGNATURE) > -# define IMAGE_ENABLE_SIGN 1 > -# define IMAGE_ENABLE_VERIFY 1 > # define IMAGE_ENABLE_VERIFY_ECDSA 1 > -# define FIT_IMAGE_ENABLE_VERIFY 1 > # include > # else > -# define IMAGE_ENABLE_SIGN 0 > -# define IMAGE_ENABLE_VERIFY 0 > # define IMAGE_ENABLE_VERIFY_ECDSA 0 > -# define FIT_IMAGE_ENABLE_VERIFY 0 > # endif > #else > -# define IMAGE_ENABLE_SIGN 0 > -# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY) > # define IMAGE_ENABLE_VERIFY_ECDSA 0 > -# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE) > #endif > > #if CONFIG_IS_ENABLED(FIT) > @@ -1209,7 +1200,7 @@ struct image_region { > int size; > }; > > -#if IMAGE_ENABLE_VERIFY > +#if CONFIG_IS_ENABLED(RSA_VERIFY) > # include > #endif > struct checksum_algo { > @@ -1217,7 +1208,7 @@ struct checksum_algo { > const int checksum_len; > const int der_len; > const uint8_t *der_prefix; > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > const EVP_MD *(*calculate_sign)(void); > #endif > int (*calculate)(const char *name, > diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h > index 979690d9660..a446b656a29 100644 > --- a/include/u-boot/ecdsa.h > +++ b/include/u-boot/ecdsa.h > @@ -15,7 +15,7 @@ > * @see "struct crypto_algo" > * @{ > */ > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > /** > * sign() - calculate and return signature for given input data > * > diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h > index 45fe3509093..84cefbab442 100644 > --- a/include/u-boot/rsa.h > +++ b/include/u-boot/rsa.h > @@ -31,7 +31,7 @@ struct rsa_public_key { > > struct image_sign_info; > > -#if IMAGE_ENABLE_SIGN > +#if CONFIG_IS_ENABLED(FIT_SIGN) > /** > * sign() - calculate and return signature for given input data > * > @@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info, > } > #endif > > -#if IMAGE_ENABLE_VERIFY > +#if CONFIG_IS_ENABLED(RSA_VERIFY) > /** > * rsa_verify_hash() - Verify a signature against a hash > * > diff --git a/tools/Kconfig b/tools/Kconfig > index bbd6e8b9d79..13f923c7ac7 100644 > --- a/tools/Kconfig > +++ b/tools/Kconfig > @@ -59,6 +59,11 @@ config HOST_FIT_SIGNATURE > help > Enable signature verification of FIT uImages in the host build > > +config HOST_FIT_SIGN > + def_bool y > + help > + Enable signing FIT uImages in the host build > + > config HOST_FIT_SIGNATURE_MAX_SIZE > hex > depends on HOST_FIT_SIGNATURE > @@ -79,6 +84,11 @@ config HOST_OF_LIBFDT > help > Enable libfdt support in the host build. > > +config HOST_RSA_VERIFY > + def_bool y > + help > + Enable RSA verification support in the host build. > + > config HOST_SHA1 > def_bool y > help > diff --git a/tools/image-host.c b/tools/image-host.c > index 270d36fe451..2be897db943 100644 > --- a/tools/image-host.c > +++ b/tools/image-host.c > @@ -636,7 +636,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile, > strlen(FIT_HASH_NODENAME))) { > ret = fit_image_process_hash(fit, image_name, noffset, > data, size); > - } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) && > + } else if (CONFIG_IS_ENABLED(FIT_SIGN) && (keydir || keyfile) && > !strncmp(node_name, FIT_SIG_NODENAME, > strlen(FIT_SIG_NODENAME))) { > ret = fit_image_process_sig(keydir, keyfile, keydest, > @@ -1086,7 +1086,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile, > } > > /* If there are no keys, we can't sign configurations */ > - if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile)) > + if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile)) > return 0; > > /* Find configurations parent node offset */ >