We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which
is enabled by default and now a positive option. Convert the handful of boards
that were disabling it before to save space.
Cc: Dirk Eibach <eibach@gdsys.de>
Cc: Lukasz Dalek <luk0104@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
The function 'board_fit_image_post_process' is defined only when the
config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
systems that do not use SPL but do use FIT kernel images, only
CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
implicit declaration of function 'board_fit_image_post_process' warning
while building u-boot. Fix this warning.
Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
FIT images require MD5 support to verify image checksums. So far this
was expressed by defining a CPP symbol in image.h. Since MD5 is now a
first class Kconfig citizen, express that in Kconfig instead.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In 35fc84f, bootm was refactored so plain 'bootm' and
'bootm <subcommand>' shared a common implementation.
The 'bootm ramdisk' command implementation is now part of the common
implementation but not invoke by plain 'bootm' since the original
implementation never did ramdisk relocation. Instead, ramdisk
relocation happened in image_setup_linux() which is typically called
during the OS portion of 'bootm'.
On ARM, parameters to the Linux kernel can either be passed by FDT or
ATAGS. When using FDT, image_setup_linux() is called which also triggers
ramdisk relocation. When using ATAGS, image_setup_linux() is _not_
called because it mostly does FDT setup.
Instead of calling image_setup_linux() in both FDT and ATAGS cases,
include BOOTM_STATE_RAMDISK in the requested states during a plain
'bootm' if CONFIG_SYS_BOOT_RAMDISK_HIGH is set and remove the ramdisk
relocation from image_setup_linux(). This causes ramdisk relocation to
happen on any system where CONFIG_SYS_BOOT_RAMDISK_HIGH regardless of
the OS being booted. Also remove IMAGE_ENABLE_RAMDISK_HIGH as it was
only used by the now-removed code from image_setup_linux().
Signed-off-by: Rick Altherr <raltherr@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Enable support for loading a splash image from within a FIT image.
The image is assumed to be generated with mkimage -E flag to hold
the data external to the FIT.
Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
Acked-by: Igor Grinberg <grinberg@compulab.co.il>
When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF.
Images generated as firmware_ivt can directly be signed using the
Freescale code signing tool. For creation of a CSF, mkimage outputs
the correct HAB Blocks for the image.
The changes to the usual firmware image class are quite small,
that is why I implemented that directly into the default_image.
Cc: sbabic@denx.de
v2-Changes: None
Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>
Add a new image type representing Trusted Execution Environment (TEE)
image types. For example, an OP-TEE OS binary image.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
To help automate the loading of custom image types we add the ability
to define custom handlers for the loadable section types. When we find
a compatible type while loading a "loadable" image from a FIT image we
run its associated handlers to perform any additional steps needed for
loading this image.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.
Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.
Indirectly adds support for "sha1,rsa4096" signing/verification.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SHA/RSA pairings. The padding can be easily computed
according to PKCS#1v2.1 as:
EM = 0x00 || 0x01 || PS || 0x00 || T
where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding
of the hash.
Store DER prefix in checksum_algo and create rsa_verify_padding
function to handle verification of a message for any SHA/RSA pairing.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
checksum_algo's pad_len field isn't actually used to store the length of
the padding but the total length of the RSA key (msg_len + pad_len)
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This format can be flashed directly at address 0 of
the NAND FLASH, as it contains all necessary headers.
Signed-off-by: Albert ARIBAUD (3ADEV) <albert.aribaud@3adev.fr>
The Xtensa processor architecture is a configurable, extensible,
and synthesizable 32-bit RISC processor core provided by Cadence.
This is the first part of the basic architecture port with changes to
common files. The 'arch/xtensa' directory, and boards and additional
drivers will be in separate commits.
Signed-off-by: Chris Zankel <chris@zankel.net>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Commit 555f45d8f9 ("image: Convert the IH_... values to enums")
accidentally changed some IH_ARCH_... values.
Prior to that commit, there existed a gap between IH_ARCH_M68K and
IH_ARCH_MICROBLAZE, like follows.
#define IH_ARCH_SPARC64 11 /* Sparc 64 Bit */
#define IH_ARCH_M68K 12 /* M68K */
#define IH_ARCH_MICROBLAZE 14 /* MicroBlaze */
#define IH_ARCH_NIOS2 15 /* Nios-II */
The enum conversion broke the compatibility with existing uImage
files. Reverting 555f45d8f9 will cause build error unfortunately,
so here is a more easy fix.
I dug the git history and figured out the gap was introduced by
commit 1117cbf2ad ("nios: remove nios-32 arch"). So, I revived
IH_ARCH_NIOS just for filling the gap.
I added comments to each enum block. Once we assign a value to
IH_... it is not allowed to change it.
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add generic functions which can look up information about a category:
- the number of items in the category
- the category description
- an item long time
- an item short time
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Add a table that contains the category name, the number of items in each
category and a pointer to the table of items. This will allow us to use
generic code to deal with the categories.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
We need to know the number of values of each category (architecture,
compression, OS and image type). To make this value easier to maintain,
convert all values to enums. The count is then automatic.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
The next stage boot loader image and the selected FDT can be post-
processed by board/platform/device-specific code, which can include
modifying the size and altering the starting source address before
copying these binary blobs to their final destination. This might be
desired to do things like strip headers or footers attached to the
images before they were packaged into the FIT, or to perform operations
such as decryption or authentication. Introduce new configuration
option CONFIG_SPL_FIT_IMAGE_POST_PROCESS to allow controlling this
feature. If enabled, a platform-specific post-process function must
be provided.
Signed-off-by: Daniel Allred <d-allred@ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We already support iminfo for other images. The idea
of this patch is start to have a minimal support for
android image format. We still need to print id[] array
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This reverts commit 56adbb3872.
Since commit 56adbb3872 ("image.h: Tighten up content using handy
CONFIG_IS_ENABLED() macro."), I found my boards fail to boot Linux
because the commit changed the logic of macros it touched. Now,
IMAGE_ENABLE_RAMDISK_HIGH and IMAGE_BOOT_GET_CMDLINE are 0 for all
the boards.
As you can see in include/linux/kconfig.h, CONFIG_IS_ENABLE() (and
IS_ENABLED() as well) can only take a macro that is either defined
as 1 or undefined. This is met for boolean options defined in
Kconfig. On the other hand, CONFIG_SYS_BOOT_RAMDISK_HIGH and
CONFIG_SYS_BOOT_GET_CMDLINE are defined without any value in
arch/*/include/asm/config.h . This kind of clean-up is welcome,
but the options should be moved to Kconfig beforehand.
Moreover, CONFIG_IS_ENABLED(SPL_CRC32_SUPPORT) looks weird.
It should be either CONFIG_IS_ENABLED(CRC32_SUPPORT) or
IS_ENABLED(CONFIG_SPL_CRC32_SUPPORT). But, I see no define for
CONFIG_SPL_CRC32_SUPPORT anywhere. Likewise for the other three.
The logic of IMAGE_OF_BOARD_SETUP and IMAGE_OF_SYSTEM_SETUP were
also changed for SPL. This can be a problem for boards defining
CONFIG_SPL_OF_LIBFDT. I guess it should have been changed to
IS_ENABLED(CONFIG_OF_BOARD_SETUP).
In the first place, if we replace the references in C code,
the macros IMAGE_* will go away.
if (IS_ENABLED(CONFIG_OF_BOARD_SETUP) {
...
}
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
In order for CONFIG_IS_ENABLED(FOO) to work we need to move the changes
that CONFIG_FIT_DISABLE_SHA256 makes to be prior to the evaluation by
CONFIG_IS_ENABLED(foo)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
[trini: Move CONFIG_FIT_DISABLE_SHA256 parts to fix build breakage]
Signed-off-by: Tom Rini <trini@konsulko.com>
Add function boot_get_fpga() which find and load bitstream to
programmable logic if fpga entry is present.
Function is supported on Xilinx devices for full and partial bitstreams
in BIN and BIT format.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Remove additional blankline in image.h
Add FIT_FPGA_PROP that user can identify an optional
entry for fpga.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add support for the zynqmpimage to mkimage.
Only basic functionality is supported without encryption and register
initialization with one partition which is filled by U-Boot SPL.
For more detail information look at Xilinx ZynqMP TRM.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This provides a way to load a FIT containing U-Boot and a selection of device
tree files. The board can select the correct device tree by probing the
hardware. Then U-Boot is started with the selected device tree.
Signed-off-by: Simon Glass <sjg@chromium.org>
SPL calls this function with each device tree it can find in the FIT. The
board should implement this function, using whatever hardware detection it
can muster to determine the correct device tree.
Signed-off-by: Simon Glass <sjg@chromium.org>
Sometimes it is useful to obtain the short name for an Operating System,
architecture or compression mechanism. Provide functions for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add an option to enable libfdt in SPL. This can be useful when decoding
FIT files in SPL.
We need to make sure this option is not enabled in SPL by this change.
Also this option needs to be enabled in host builds. Si add a new
IMAGE_USE_LIBFDT #define which can be used in files that are built on the
host but must also build for U-Boot and SPL.
Signed-off-by: Simon Glass <sjg@chromium.org>
There are already two FIT options in Kconfig but the CONFIG options are
still in the header files. We need to do a proper move to fix this.
Move these options to Kconfig and tidy up board configuration:
CONFIG_FIT
CONFIG_OF_BOARD_SETUP
CONFIG_OF_SYSTEM_SETUP
CONFIG_FIT_SIGNATURE
CONFIG_FIT_BEST_MATCH
CONFIG_FIT_VERBOSE
CONFIG_OF_STDOUT_VIA_ALIAS
CONFIG_RSA
Unfortunately the first one is a little complicated. We need to make sure
this option is not enabled in SPL by this change. Also this option is
enabled automatically in the host builds by defining CONFIG_FIT in the
image.h file. To solve this, add a new IMAGE_USE_FIT #define which can
be used in files that are built on the host but must also build for U-Boot
and SPL.
Note: Masahiro's moveconfig.py script is amazing.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Add microblaze change, various configs/ re-applies]
Signed-off-by: Tom Rini <trini@konsulko.com>
A recent change broke the 'bootm' command on sandbox. The root cause is
using a pointer as an address. Conversion from pointer to address needs to
use map_to_sysmem() so that sandbox can do the right thing. The problem was
pre-existing but uncovered by a recent commit.
Fix this. Also move fit_get_end() to the C file to avoid needing to include
mapmem.h (and thus asm/io.h) everywhere.
Fixes: 1fec3c5d (common/image.c: Make boot_get_ramdisk() perform a check for Android images)
Signed-off-by: Simon Glass <sjg@chromium.org>
As with other platforms vendors love to create their own boot header
formats. Xilinx is no different and for the Zynq platform/SoC there
exists the "boot.bin" which is read by the platforms bootrom. This
format is described to a useful extent within the Xilinx Zynq TRM.
This implementation adds support for the 'zynqimage' to mkimage. The
implementation only considers the most common boot header which is
un-encrypted and packed directly after the boot header itself (no
XIP, etc.). However this implementation does take into consideration the
other fields of the header for image dumping use cases (vector table and
register initialization).
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
This patch adds support for LZ4-compressed FIT image contents. This
algorithm has a slightly worse compression ration than LZO while being
nearly twice as fast to decompress. When loading images from a fast
storage medium this usually results in a boot time win.
Sandbox-tested only since I don't have a U-Boot development system set
up right now. The code was imported unchanged from coreboot where it's
proven to work, though. I'm mostly interested in getting this recognized
by mkImage for use in a downstream project.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
The Rockchip boot ROM requires a particular file format for booting from SPI.
It consists of a 512-byte header encoded with RC4, some padding and then up
to 32KB of executable code in 2KB blocks, separated by 2KB empty blocks.
Add support to mkimage so that an SPL image (u-boot-spl-dtb.bin) can be
converted to this format. This allows booting from SPI flash on supported
machines.
Signed-off-by: Simon Glass <sjg@chromium.org>
The Rockchip boot ROM requires a particular file format. It consists of
64KB of zeroes, a 512-byte header encoded with RC4, and then some executable
code.
Add support to mkimage so that an SPL image (u-boot-spl-dtb.bin) can be
converted to this format.
Signed-off-by: Simon Glass <sjg@chromium.org>
Rockchip SoCs require certain formats for code that they execute, The
simplest format is a 4-byte header at the start of a binary file. Add
support for this so that we can create images that the boot ROM understands.
Signed-off-by: Simon Glass <sjg@chromium.org>
Offer to display the available image types in help. Also, rather than
hacking the genimg_get_type_id() function to display a list of types,
do this in the tool. Also, sort the list.
The list of image types is quite long, and hard to discover. Print it out
when we show help information.
Signed-off-by: Simon Glass <sjg@chromium.org>
Added a trimmed down instance of boot_get_<thing>() to satisfy the
minimum requierments of the added feature. The function follows the
normal patterns set by other boot_get<thing>'s, which should make it a
bit easier to combine them all together into one boot_get_image()
function in a later refactor.
Documentation for the new function can be found in source:
include/image.h
Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Added FIT_LOADABLE_PROP, so the user can identify an optional entry
named "loadables" in their .its configuration. "loadables" is a comma
separated list in the .its
Documentation can be found in doc/uImage.FIT/source_file_format.txt and
doc/uImage.Fit/multi-with-loadables.its
Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This patch fixes cross-compiling U-Boot tools with the musl C library:
* including <sys/types.h> is needed for ulong
* defining _GNU_SOURCE is needed for loff_t
Tested for target at91sam9261ek_dataflash_cs3.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Cc: Tom Rini <trini@konsulko.com>
Currently the hash functions used in RSA are called directly from the sha1
and sha256 libraries. Change the RSA checksum library to use the progressive
hash API's registered with struct hash_algo. This will allow the checksum
library to use the hardware accelerated progressive hash API's once available.
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
CC: Simon Glass <sjg@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
(Fixed build error in am335x_boneblack_vboot due to duplicate CONFIG_DM)
Change-Id: Ic44279432f88d4e8594c6e94feb1cfcae2443a54
The dumpimage is able to extract components contained in a FIT image:
$ ./dumpimage -T flat_dt -i CONTAINER.ITB -p INDEX FILE
The CONTAINER.ITB is a regular FIT container file. The INDEX is the poisition
of the sub-image to be retrieved, and FILE is the file (path+name) to save the
extracted sub-image.
For example, given the following kernel.its to build a kernel.itb:
/dts-v1/;
/ {
...
images {
kernel@1 {
description = "Kernel 2.6.32-34";
data = /incbin/("/boot/vmlinuz-2.6.32-34-generic");
type = "kernel";
arch = "ppc";
os = "linux";
compression = "gzip";
load = <00000000>;
entry = <00000000>;
hash@1 {
algo = "md5";
};
};
...
};
...
};
The dumpimage can extract the 'kernel@1' node through the following command:
$ ./dumpimage -T flat_dt -i kernel.itb -p 0 kernel
Extracted:
Image 0 (kernel@1)
Description: Kernel 2.6.32-34
Created: Wed Oct 22 15:50:26 2014
Type: Kernel Image
Compression: gzip compressed
Data Size: 4040128 Bytes = 3945.44 kB = 3.85 MB
Architecture: PowerPC
OS: Linux
Load Address: 0x00000000
Entry Point: 0x00000000
Hash algo: md5
Hash value: 22352ad39bdc03e2e50f9cc28c1c3652
Which results in the file 'kernel' being exactly the same as '/boot/vmlinuz-2.6.32-34-generic'.
Signed-off-by: Guilherme Maciel Ferreira <guilherme.maciel.ferreira@gmail.com>
Add separate image type for the Wittenstein OpenRTOS .
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add an additional function for adding information to the device tree before
booting. This permits additions which are not board-specific.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Anatolij Gustschin <agust@denx.de>
Reviewed-by: Tom Rini <trini@ti.com>
This is a bit odd in that we are permitted to boot images for either, even
though they are separate architectures.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a new setup@ section to the FIT which can be used to provide a setup
binary for booting Linux on x86. This makes it possible to boot x86 from
a FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
Like many platforms, the Altera socfpga platform requires that the
preloader be "signed" in a certain way or the built-in boot ROM will
not boot the code.
This change automatically creates an appropriately signed preloader
from an SPL image.
The signed image includes a CRC which must, of course, be generated
with a CRC generator that the SoCFPGA boot ROM agrees with otherwise
the boot ROM will reject the image.
Unfortunately the CRC used in this boot ROM is not the same as the
Adler CRC in lib/crc32.c. Indeed the Adler code is not technically a
CRC but is more correctly described as a checksum.
Thus, the appropriate CRC generator is added to lib/ as crc32_alt.c.
Signed-off-by: Charles Manning <cdhmanning@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Chin Liang See <clsee@altera.com>
Cc: Dinh Nguyen <dinguyen@altera.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Tom Rini <trini@ti.com>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Pavel Machek <pavel@denx.de>
Acked-by: Pavel Machek <pavel@denx.de>
V2: - Zap unused constant
- Explicitly print an error message in case of error
- Rework the hdr_checksum() function to take the *header directly
instead of a plan buffer pointer
Commit e3a5bbce broke the FIT image tests by not loading a ramdisk even if
a load address is provided in the FIT. The rationale was that a load address
of 0 should be considered to mean 'do not load'.
Add a new load operation which supports this feature, so that the ramdisk
will be loaded if a non-zero load address is provided.
Signed-off-by: Simon Glass <sjg@chromium.org>
Commit b3dd64f5d5 "bootm: use genimg_get_kernel_addr()" introduced
a bug for booting FIT image. It's because calling fit_parse_config()
twice will give us wrong value in img_addr.
Add a new function genimg_get_kernel_addr_fit() whichl will always
return fit_uname_config and fit_uname_kernel for CONFIG_FIT.
genimg_get_kernel_addr() will ignore those to parameters.
Reported-by: York Sun <yorksun@freescale.com>
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Kernel address is normally stored as a string argument of bootm or bootz.
This function is taken out from boot_get_kernel() of bootm.c, which can be
reused by others.
Signed-off-by: Bryan Wu <pengw@nvidia.com>
[trini: Fix warnings with CONFIG_FIT]
Signed-off-by: Tom Rini <trini@ti.com>
commit 18b06652cd "tools: include u-boot version of sha256.h"
unconditionally forced the sha256.h from u-boot to be used
for tools instead of the host version. This is fragile though
as it will also include the host version. Therefore move it
to include/u-boot to join u-boot/md5.h etc which were renamed
for the same reason.
cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
At present this tool only checks the configuration signing. Have it also
look at each of the images in the configuration and confirm that they
verify.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Heiko Schocher <hs@denx.de> (v1)
This can be obtained by looking up the image type, so is redundant. It is
better to centralise this lookup to avoid errors.
Signed-off-by: Simon Glass <sjg@chromium.org>
Due to the FIT_MAX_HASH_LEN constant not having been updated
to support SHA256 signatures one will always see a buffer
overflow in fit_image_process_hash when signing images that
use this larger hash. This is exposed by vboot_test.sh.
Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com>
Acked-by: Simon Glass <sjg@chromium.org>
[trini: Rework a bit so move the exportable parts of hash.h outside of
!USE_HOSTCC and only need that as a new include to image.h]
Signed-off-by: Tom Rini <trini@ti.com>
make the use of legacy image format configurable through
the config define CONFIG_IMAGE_FORMAT_LEGACY.
When relying on signed FIT images with required signature check
the legacy image format should be disabled. Therefore introduce
this new define and enable legacy image format if CONFIG_FIT_SIGNATURE
is not set. If CONFIG_FIT_SIGNATURE is set disable per default
the legacy image format.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Lars Steubesand <lars.steubesand@philips.com>
Cc: Mike Pearce <mike@kaew.be>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Michal Simek <monstr@monstr.eu>
Acked-by: Simon Glass <sjg@chromium.org>
The new atmelimage converts a machine code BLOB to bootable ROM image. Atmel
ROM has no sophisticated image format, it only checks the first 7 ARM vectors.
The vectors can contain valid B or LDR opcodes, the 6'th vector contains the
image size to load.
Additionally the PMECC header can be written by the atmelimage target. The
parameters must be given via the -n switch as a coma separated list. For
example:
mkimage -T atmelimage \
-n usePmecc=1,sectorPerPage=4,sectorSize=512,spareSize=64,eccBits=4,eccOffset=36 \
-d spl/u-boot-spl.bin boot.bin
A provided image can be checked for correct header setup. It prints out the
PMECC header parameters if it has one and the 6'th interrupt vector content.
---8<---
Image Type: ATMEL ROM-Boot Image with PMECC Header
PMECC header
====================
eccOffset: 36
sectorSize: 512
eccBitReq: 4
spareSize: 64
nbSectorPerPage: 4
usePmecc: 1
====================
6'th vector has 17044 set
--->8---
A SPL binary modified with the atmelimage mkimage target was succesfully
booted on a sama5d34ek via MMC and NAND.
Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com>
Cc: Bo Shen <voice.shen@atmel.com>
Cc: Heiko Schocher <hs@denx.de>
Tested-by: Bo Shen <voice.shen@atmel.com>
This patch adds support for the Android boot-image format. The header
file is from the Android project and got slightly alterted so the struct +
its defines are not generic but have something like a namespace. The
header file is from bootloader/legacy/include/boot/bootimg.h. The header
parsing has been written from scratch and I looked at
bootloader/legacy/usbloader/usbloader.c for some details.
The image contains the physical address (load address) of the kernel and
ramdisk. This address is considered only for the kernel image.
The "second image" defined in the image header is currently not
supported. I haven't found anything that is creating this.
v3 (Rob Herring):
This is based on http://patchwork.ozlabs.org/patch/126797/ with the
following changes:
- Rebased to current mainline
- Moved android image handling to separate functions in
common/image-android.c
- s/u8/char/ in header to fix string function warnings
- Use SPDX identifiers for licenses
- Cleaned-up file source information:
android_image.h is from file include/boot/bootimg.h in repository:
https://android.googlesource.com/platform/bootable/bootloader/legacy
The git commit hash is 4205b865141ff2e255fe1d3bd16de18e217ef06a
usbloader.c would be from the same commit, but it does not appear
to have been used for any actual code.
v4:
- s/andriod/android/
- Use a separate flag ep_found to track if the entry point has been set
rather than using a magic value.
Cc: Wolfgang Denk <wd@denx.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
Reviewed-by: Tom Rini <trini@ti.com>
Reviewed-by: Lukasz Majewski <l.majewski@samsung.com>
This patch add support for gpimage format as a preparatory
patch for porting u-boot for keystone2 devices and is
based on omapimage format. It re-uses gph header to store the
size and loadaddr as done in omapimage.c
Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
Acked-by: Tom Rini <trini@ti.com>
add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Add support for sha256,rsa4096 signatures in u-boot.
Signed-off-by: Heiko Schocher <hs@denx.de>
Acked-by: Simon Glass <sjg@chromium.org>
Cc: andreas@oetken.name
based on patch from andreas@oetken.name:
http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.
aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>
Relocation code based on a patch by Scott Wood, which is:
Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: David Feng <fenghua@phytium.com.cn>
Add mkimage support for generating and verifying MXS bootstream.
The implementation here is mostly a glue code between MXSSB v0.4
and mkimage, but the long-term goal is to rectify this and merge
MXSSB with mkimage more tightly. Once this code is properly in
U-Boot, MXSSB shall be deprecated in favor of mkimage-mxsimage
support.
Note that the mxsimage generator needs libcrypto from OpenSSL, I
therefore enabled the libcrypto/libssl unconditionally.
MXSSB: http://git.denx.de/?p=mxssb.git;a=summary
The code is based on research presented at:
http://www.rockbox.org/wiki/SbFileFormat
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Fabio Estevam <fabio.estevam@freescale.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Otavio Salvador <otavio@ossystems.com.br>
If a specific configuraion is selected by the bootm command, e.g. with
'bootm 84000000#recoveryconf' we must honour this for not just the kernel,
but also the ramdisk and FDT.
In the conversion to using a common fit_image_load() function for loading
images from FITs (commits a51ec63 and 53f375f) this feature was lost.
Reinstate it by passing the selected configuration back from
fit_image_load() to boot_get_kernel(), then use this configuration
(which is stored in images->fit_uname_cfg) in both boot_get_ramdisk()
and boot_get_fdt().
Signed-off-by: Simon Glass <sjg@chromium.org>
This function has no prototype in the headers and passes void * around, thus
requiring several casts. Tidy this up.
- Add new patch to clean up bootz_setup() function
Signed-off-by: Simon Glass <sjg@chromium.org>
At present mkimage is set up to always build with image signing support.
This means that the SSL libraries (e.g. libssl-dev) are always required.
Adjust things so that mkimage can be built with and without image signing,
controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file.
If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
that signing is not supported. If the option is enabled, but libraries are
not available, then a build error similar to this will be shown:
lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory
Signed-off-by: Simon Glass <sjg@chromium.org>
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).
Add support for signing of FIT configurations using the libfdt's region
support.
Please see doc/uImage.FIT/signature.txt for more information.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add support for signing images using a new signature node. The process
is handled by fdt_add_verification_data() which now takes parameters to
provide the keys and related information.
Signed-off-by: Simon Glass <sjg@chromium.org>
For tracing it is useful to run as much of U-Boot as possible so as to get
a complete picture. Quite a bit of work happens in bootm, and we don't want
to have to stop tracing before bootm starts.
Add a way of doing a 'fake' boot of the OS - which does everything up to
the point where U-Boot is about to jump to the OS image. This allows
tracing to record right until the end.
This requires arch support to work.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present the bootm code is mostly duplicated for the plain 'bootm'
command and its sub-command variant. This makes the code harder to
maintain and means that changes must be made to several places.
Introduce do_bootm_states() which performs selected portions of the bootm
work, so that both plain 'bootm' and 'bootm <sub_command>' can use the
same code.
Additional duplication exists in bootz, so tidy that up as well. This
is not intended to change behaviour, apart from minor fixes where the
previously-duplicated code missed some chunks of code.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use the new common code to load a flat device tree. Also fix up a few casts
so that this code works with sandbox. Other than that the functionality
should not change.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present code to load an image from a FIT is duplicated in the three
places where it is needed (kernel, fdt, ramdisk).
The differences between these different code copies is fairly minor.
Create a new function in the fit code which can handle any of the
requirements of those cases.
Signed-off-by: Simon Glass <sjg@chromium.org>
This seems to be a common function for several architectures, so create
a common function rather than duplicating the code in each arch.
Also make an attempt to avoid introducing #ifdefs in the new code, partly
by removing useless #ifdefs around function declarations in the image.h
header.
Signed-off-by: Simon Glass <sjg@chromium.org>
This code is very large, and in SPL it isn't always useful to print
out image information (in fact there might not even be a console
active). So disable this feature unless this option is set.
Signed-off-by: Simon Glass <sjg@chromium.org>
Much of the image code uses addresses as ulongs and pointers interchangeably,
casting between the two forms as needed.
This doesn't work with sandbox, which has a U-Boot RAM buffer which is
separate from the host machine's memory.
Adjust the cost so that translating from a U-Boot address to a pointer uses
map_sysmem(). This allows bootm to work correctly on sandbox.
Note that there are no exhaustive tests for this code on sandbox, so it is
possible that some dark corners remain.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)
This function will be used to print signatures as well as hashes, so rename
it. Also make it static since it is not used outside this file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
We intend to add signatures to FITs also, so rename this function so that
it is not specific to hashing. Also rename fit_image_set_hashes() and
make it static since it is not used outside this file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
The existing function is long and most of the code is indented a long
way. Before adding yet more code, split this out into its own function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)
This is the main entry point to the FIT image verification code. We will
be using it to handle image verification with signatures, so rename the
function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
This function doesn't need to be exported, and with verification
we want to use it for setting the 'value' property in any node,
so rename it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
This code is never compiled into U-Boot, so move it into a separate
file in tools/ to avoid the large #ifdef.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
One we split out the FIT code from image.c we will need this function.
Export it in the header.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
Rather than repeat the line
#if defined(CONFIG_TIMESTAMP) || defined(CONFIG_CMD_DATE) || \
defined(USE_HOSTCC)
everywhere, put this in a header file and #define IMAGE_ENABLE_TIMESTAMP
to either 1 or 0. Then we can use a plain if() in most code and avoid
the #ifdefs.
The compiler's dead code elimination ensures that the result is the same.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Marek Vasut <marex@denx.de>