All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sumit Garg <sumit.garg@nxp.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] verified-boot: Minimal support for booting U-Boot proper from SPL
Date: Mon, 30 May 2016 05:32:33 +0000	[thread overview]
Message-ID: <VI1PR04MB1455F996FA50A865F0D0D47598450@VI1PR04MB1455.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <20160528185800.7f05b6dde636aa478f766675@gmail.com>

Can you make this support more generic as you have used only CONFIG_SPL_FIT_SIGNATURE for SPL verified boot while our platforms doesn't use fit signature approach for verification?

May be you can use CONFIG_SPL_VERIFIED_BOOT?

> -----Original Message-----
> From: Teddy Reed [mailto:teddy.reed at gmail.com]
> Sent: Sunday, May 29, 2016 7:28 AM
> To: u-boot at lists.denx.de
> Cc: sjg at chromium.org; dannenberg at ti.com; Sumit Garg
> <sumit.garg@nxp.com>
> Subject: [PATCH] verified-boot: Minimal support for booting U-Boot proper
> from SPL
> 
> This allows a board to configure verified boot within the SPL using a FIT or FIT
> with external data. It also allows the SPL to perform signature verification
> without needing relocation.
> 
> The board configuration will need to add the following feature defines:
> CONFIG_SPL_CRYPTO_SUPPORT
> CONFIG_SPL_HASH_SUPPORT
> CONFIG_SPL_SHA256
> 
> In this example, SHA256 is the only selected hashing algorithm.
> 
> And the following booleans:
> CONFIG_SPL=y
> CONFIG_SPL_DM=y
> CONFIG_SPL_LOAD_FIT=y
> CONFIG_SPL_FIT=y
> CONFIG_SPL_OF_CONTROL=y
> CONFIG_SPL_OF_LIBFDT=y
> CONFIG_SPL_FIT_SIGNATURE=y
> 
> Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
> Cc: Simon Glass <sjg@chromium.org>
> Cc: Andreas Dannenberg <dannenberg@ti.com>
> ---
>  Kconfig                                 | 11 +++++++++++
>  common/Makefile                         |  1 +
>  drivers/Makefile                        |  1 +
>  drivers/crypto/rsa_mod_exp/mod_exp_sw.c |  1 +
>  lib/Makefile                            |  9 ++++-----
>  lib/rsa/Kconfig                         |  4 ++++
>  lib/rsa/Makefile                        |  2 +-
>  7 files changed, 23 insertions(+), 6 deletions(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 4b46216..817f4f0 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -183,6 +183,11 @@ config FIT
>  	  verified boot (secure boot using RSA). This option enables that
>  	  feature.
> 
> +config SPL_FIT
> +	bool "Support Flattened Image Tree within SPL"
> +	depends on FIT
> +	depends on SPL
> +
>  config FIT_VERBOSE
>  	bool "Display verbose messages on FIT boot"
>  	depends on FIT
> @@ -205,6 +210,12 @@ config FIT_SIGNATURE
>  	  format support in this case, enable it using
>  	  CONFIG_IMAGE_FORMAT_LEGACY.
> 
> +config SPL_FIT_SIGNATURE
> +	bool "Enable signature verification of FIT firmware within SPL"
> +	depends on SPL_FIT
> +	depends on SPL_DM
> +	select SPL_RSA
> +
>  config FIT_BEST_MATCH
>  	bool "Select the best match for the kernel device tree"
>  	depends on FIT
> diff --git a/common/Makefile b/common/Makefile index 0562d5c..e6b0c22
> 100644
> --- a/common/Makefile
> +++ b/common/Makefile
> @@ -93,6 +93,7 @@ obj-$(CONFIG_USB_KEYBOARD) += usb_kbd.o  endif #
> !CONFIG_SPL_BUILD
> 
>  ifdef CONFIG_SPL_BUILD
> +obj-$(CONFIG_SPL_HASH_SUPPORT) += hash.o
>  obj-$(CONFIG_ENV_IS_IN_FLASH) += env_flash.o
>  obj-$(CONFIG_SPL_YMODEM_SUPPORT) += xyzModem.o
>  obj-$(CONFIG_SPL_NET_SUPPORT) += miiphyutil.o diff --git
> a/drivers/Makefile b/drivers/Makefile index 99dd07f..772d437 100644
> --- a/drivers/Makefile
> +++ b/drivers/Makefile
> @@ -10,6 +10,7 @@ obj-$(CONFIG_$(SPL_)RAM)	+= ram/
> 
>  ifdef CONFIG_SPL_BUILD
> 
> +obj-$(CONFIG_SPL_CRYPTO_SUPPORT) += crypto/
>  obj-$(CONFIG_SPL_I2C_SUPPORT) += i2c/
>  obj-$(CONFIG_SPL_GPIO_SUPPORT) += gpio/
>  obj-$(CONFIG_SPL_MMC_SUPPORT) += mmc/
> diff --git a/drivers/crypto/rsa_mod_exp/mod_exp_sw.c
> b/drivers/crypto/rsa_mod_exp/mod_exp_sw.c
> index dc6c064..3817fb3 100644
> --- a/drivers/crypto/rsa_mod_exp/mod_exp_sw.c
> +++ b/drivers/crypto/rsa_mod_exp/mod_exp_sw.c
> @@ -32,6 +32,7 @@ U_BOOT_DRIVER(mod_exp_sw) = {
>  	.name	= "mod_exp_sw",
>  	.id	= UCLASS_MOD_EXP,
>  	.ops	= &mod_exp_ops_sw,
> +	.flags	= DM_FLAG_PRE_RELOC,
>  };
> 
>  U_BOOT_DEVICE(mod_exp_sw) = {
> diff --git a/lib/Makefile b/lib/Makefile index 02dfa29..0df5395 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -9,7 +9,6 @@ ifndef CONFIG_SPL_BUILD
> 
>  obj-$(CONFIG_EFI) += efi/
>  obj-$(CONFIG_EFI_LOADER) += efi_loader/
> -obj-$(CONFIG_RSA) += rsa/
>  obj-$(CONFIG_LZMA) += lzma/
>  obj-$(CONFIG_LZO) += lzo/
>  obj-$(CONFIG_ZLIB) += zlib/
> @@ -25,8 +24,6 @@ obj-y += crc8.o
>  obj-y += crc16.o
>  obj-$(CONFIG_ERRNO_STR) += errno_str.o
>  obj-$(CONFIG_FIT) += fdtdec_common.o
> -obj-$(CONFIG_$(SPL_)OF_CONTROL) += fdtdec_common.o
> -obj-$(CONFIG_$(SPL_)OF_CONTROL) += fdtdec.o
>  obj-$(CONFIG_TEST_FDTDEC) += fdtdec_test.o
>  obj-$(CONFIG_GZIP) += gunzip.o
>  obj-$(CONFIG_GZIP_COMPRESSED) += gzip.o @@ -39,9 +36,7 @@ obj-y +=
> net_utils.o
>  obj-$(CONFIG_PHYSMEM) += physmem.o
>  obj-y += qsort.o
>  obj-y += rc4.o
> -obj-$(CONFIG_SHA1) += sha1.o
>  obj-$(CONFIG_SUPPORT_EMMC_RPMB) += sha256.o
> -obj-$(CONFIG_SHA256) += sha256.o
>  obj-y	+= strmhz.o
>  obj-$(CONFIG_TPM) += tpm.o
>  obj-$(CONFIG_RBTREE)	+= rbtree.o
> @@ -49,6 +44,10 @@ obj-$(CONFIG_BITREVERSE) += bitrev.o  obj-y +=
> list_sort.o  endif
> 
> +obj-$(CONFIG_$(SPL_)RSA) += rsa/
> +obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
> +obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
> +
>  obj-$(CONFIG_$(SPL_)OF_LIBFDT) += libfdt/  ifdef CONFIG_SPL_OF_CONTROL
>  obj-$(CONFIG_OF_LIBFDT) += libfdt/
> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig index 86df0a0..09ec358 100644
> --- a/lib/rsa/Kconfig
> +++ b/lib/rsa/Kconfig
> @@ -13,6 +13,10 @@ config RSA
>  	  option. The software based modular exponentiation is built into
>  	  mkimage irrespective of this option.
> 
> +config SPL_RSA
> +	bool "Use RSA Library within SPL"
> +	depends on RSA
> +
>  if RSA
>  config RSA_SOFTWARE_EXP
>  	bool "Enable driver for RSA Modular Exponentiation in software"
> diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile index 6867e50..4b2c1ba 100644
> --- a/lib/rsa/Makefile
> +++ b/lib/rsa/Makefile
> @@ -7,5 +7,5 @@
>  # SPDX-License-Identifier:	GPL-2.0+
>  #
> 
> -obj-$(CONFIG_FIT_SIGNATURE) += rsa-verify.o rsa-checksum.o
> +obj-$(CONFIG_$(SPL_)FIT_SIGNATURE) += rsa-verify.o rsa-checksum.o
>  obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
> --
> 2.7.4

  reply	other threads:[~2016-05-30  5:32 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-29  1:58 [U-Boot] [PATCH] verified-boot: Minimal support for booting U-Boot proper from SPL Teddy Reed
2016-05-30  5:32 ` Sumit Garg [this message]
2016-05-30 20:52   ` Teddy Reed
2016-06-02  4:40     ` Sumit Garg
2016-06-05 21:27       ` Teddy Reed
2016-06-06  4:05         ` Sumit Garg
2016-06-09  6:45         ` Sumit Garg
2016-06-09 16:36           ` Teddy Reed
2016-06-09 18:27             ` dannenberg at ti.com
2016-06-10 13:28           ` Tom Rini
2016-06-10  1:06 ` Simon Glass

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=VI1PR04MB1455F996FA50A865F0D0D47598450@VI1PR04MB1455.eurprd04.prod.outlook.com \
    --to=sumit.garg@nxp.com \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.