So far we were not using the FIT image format to its full potential:
The SPL FIT loader was just loading the first image from the /images
node plus one of the listed DTBs.
Now with the refactored loader code it's easy to load an arbitrary
number of images in addition to the two mentioned above.
As described in the FIT image source file format description, iterate
over all images listed at the "loadables" property in the configuration
node and load every image at its desired location.
This allows to load any kind of images:
- firmware images to execute before U-Boot proper (for instance
ARM Trusted Firmware (ATF))
- firmware images for management processors (SCP, arisc, ...)
- firmware images for devices like WiFi controllers
- bit files for FPGAs
- additional configuration data
- kernels and/or ramdisks
The actual usage of this feature would be platform and/or board specific.
Also update the FIT documentation to mention the new SPL feature and
provide an example .its file to demonstrate its features.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Lokesh Vutla <lokeshvuta@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
To help automate the loading of custom image types we add the ability
to define custom handlers for the loadable section types. When we find
a compatible type while loading a "loadable" image from a FIT image we
run its associated handlers to perform any additional steps needed for
loading this image.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The README indicates that this is not supported, but this is no-longer true.
Update the text to indicate this and describe the FIT changes required.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When building a FIT with external data (-E), U-Boot proper may require
absolute positioning for executing the external firmware. To acheive this
use the (-p) switch, which will replace the amended 'data-offset' with
'data-position' indicating the absolute position of external data.
It is considered an error if the requested absolute position overlaps with the
initial data required for the compact FIT.
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Add FIT_FPGA_PROP that user can identify an optional
entry for fpga.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add some basic clarification that the dev.key file generated by OpenSSL
contains both the public and private key, and further highlight that
the certificate generated here contains the public key only.
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Different sections in the document suggest flattened image tree blob
files have a file name extension of .itb. Fix the list of file extensions
to reflect that.
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
One limitation of FIT is that all the data is 'inline' within it, using a
'data' property in each image node. This means that to find out what is in
the FIT it is necessary to scan the entire file. Once loaded it can be
scanned and then the images can be copied to the correct place in memory.
In SPL it can take a significant amount of time to copy images around in
memory. Also loading data that does not end up being used is wasteful. It
would be useful if the FIT were small, acting as a directory, with the
actual data stored elsewhere.
This allows SPL to load the entire FIT, without the images, then load the
images it wants later.
Add a -E option to mkimage to request that it output an 'external' FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
Correct spelling of "U-Boot" shall be used in all written text
(documentation, comments in source files etc.).
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Minkyu Kang <mk7.kang@samsung.com>
Added FIT_LOADABLE_PROP, so the user can identify an optional entry
named "loadables" in their .its configuration. "loadables" is a comma
separated list in the .its
Documentation can be found in doc/uImage.FIT/source_file_format.txt and
doc/uImage.Fit/multi-with-loadables.its
Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
According to fit_image_print(), the "os" property from "image" node is required
also when "type=ramdisk".
Signed-off-by: Guilherme Maciel Ferreira <guilherme.maciel.ferreira@gmail.com>
Add a new setup@ section to the FIT which can be used to provide a setup
binary for booting Linux on x86. This makes it possible to boot x86 from
a FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
Remove the verified boot limitation that only allows a single
RSA public exponent of 65537 (F4). This change allows use with
existing PKI infrastructure and has been tested with HSM-based
PKI.
Change the configuration OF tree format to store the RSA public
exponent as a 64 bit integer and implement backward compatibility
for verified boot configuration trees without this extra field.
Parameterise vboot_test.sh to test different public exponents.
Mathematics and other hard work by Andrew Bott.
Tested with the following public exponents: 3, 5, 17, 257, 39981,
50457, 65537 and 4294967297.
Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com>
Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com>
Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com>
Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com>
Cc: Simon Glass <sjg@chromium.org>
As an example of an end-to-end process for using verified boot in U-Boot,
add a detailed description of the steps to be used for a Beaglebone
Black.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this tool only checks the configuration signing. Have it also
look at each of the images in the configuration and confirm that they
verify.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Heiko Schocher <hs@denx.de> (v1)
make the use of legacy image format configurable through
the config define CONFIG_IMAGE_FORMAT_LEGACY.
When relying on signed FIT images with required signature check
the legacy image format should be disabled. Therefore introduce
this new define and enable legacy image format if CONFIG_FIT_SIGNATURE
is not set. If CONFIG_FIT_SIGNATURE is set disable per default
the legacy image format.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Lars Steubesand <lars.steubesand@philips.com>
Cc: Mike Pearce <mike@kaew.be>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Michal Simek <monstr@monstr.eu>
Acked-by: Simon Glass <sjg@chromium.org>
The Device Tree Compiler (DTC) used to have its master
repository located on jdl.com. While it is still there,
its official, new, shiny location is on kernel.org here:
git://git.kernel.org/pub/scm/utils/dtc/dtc.git
Update a few references to point there instead.
Signed-off-by: Jon Loeliger <jdl@jdl.com>
Acked-by: Simon Glass <sjg@chromium.org>
add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
based on patch from andreas@oetken.name:
http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.
aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>
- Fix the path to source_file_format.txt
- Fix a minor typo
- Fix the type for FIT blob: it must be "flat_dt"
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
Add a description of how to implement verified boot using signed FIT images,
and a simple test which verifies operation on sandbox.
The test signs a FIT image and verifies it, then signs a FIT configuration
and verifies it. Then it corrupts the signature to check that this is
detected.
Signed-off-by: Simon Glass <sjg@chromium.org>
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).
Add support for signing of FIT configurations using the libfdt's region
support.
Please see doc/uImage.FIT/signature.txt for more information.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add support for signing images using a new signature node. The process
is handled by fdt_add_verification_data() which now takes parameters to
provide the keys and related information.
Signed-off-by: Simon Glass <sjg@chromium.org>
since commit 1384f3bb8a ethernet names
with spaces drop a
Warning: eth device name has a space!
message. This patch fix it for:
- "FEC ETHERNET" devices found on
mpc512x, mpc5xxx, mpc8xx and mpc8220 boards.
renamed to "FEC".
- "SCC ETHERNET" devices found on
mpc8xx, mpc82xx based boards. Renamed to "SCC".
- "HDLC ETHERNET" devices found on mpc8xx boards
Renamed to "HDLC"
- "FCC ETHERNET" devices found on mpc8260 and mpc85xx based
boards. Renamed to "FCC"
Tested on the kup4k board.
Signed-off-by: Heiko Schocher <hs@denx.de>
Signed-off-by: Ben Warren <biggerbadderben@gmail.com>
The ramdisk sections in doc/uImage.FIT/multi.its lack
load address and entry point properties. Using examples
from this file will result in unbootable image, u-boot
will issue the following error messages:
Can't get ramdisk subimage load address!
Ramdisk image is corrupt or invalid
This patch adds missing properties to ramdisk sections.
Signed-off-by: Felix Radensky <felix@embedded-sol.com>
The example FIT image source files do not compile with the latest dtc and
mkimage. The following error message is produced:
DTC: dts->dtb on file "kernel.its"
Error: kernel.its 7:0 - 1:0 syntax error
FATAL ERROR: Unable to parse input tree
./mkimage: Can't read kernel.itb.tmp: Invalid argument
The FIT image source files are missing the "/dts-v1/;" directive at the
beginning of the file. Add the directive to the examples.
Signed-off-by: Ira W. Snyder <iws@ovro.caltech.edu>
The auto-update feature allows to automatically download software updates
from a TFTP server and store them in Flash memory during boot. Updates are
contained in a FIT file and protected with SHA-1 checksum.
More detailed description can be found in doc/README.update.
Signed-off-by: Rafal Czubak <rcz@semihalf.com>
Signed-off-by: Bartlomiej Sieka <tur@semihalf.com>
Pantelis Antoniou stated:
AFAIK, it is still used but the products using PPC are long gone.
Nuke it plz (from orbit).
So remove it since it cleans up a usage of env_get_char outside of
the environment code.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>