Commit graph

355 commits

Author SHA1 Message Date
Safae Ouajih
636da2039a android: boot: support boot image header version 3 and 4
Enable the support for boot image header version 3 and 4
using abootimg command.

In order to use version 3 or 4:

1- Vendor boot image address should be given to abootimg cmd.

	abootimg addr $1 $vendor_boot_load_addr

2- "ramdisk_addr_r" env variable (ramdisk address) should be set to host
the ramdisk : generic ramdisk + vendor ramdisk

Replace "struct andr_boot_img_hdr_v0*" by "void *" in
some functions since v3 and v4 are now supported as well.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:47 -04:00
Safae Ouajih
c79a2e6823 android: boot: ramdisk: support vendor ramdisk
Version 3 and 4 of boot image header introduced
vendor boot ramdisk: Please check include/android_image.h
for details.

The ramdisk is now split into a generic ramdisk in boot image
and a vendor ramdisk in vendor boot image.

Support the new vendor ramdisk.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:47 -04:00
Safae Ouajih
1115027d2f android: boot: update android_image_get_data to support v3, v4
Since boot image header version 3 and 4 introduced vendor boot image,
use the following functions to fill the generic android
structure : andr_image_data:

 - android_boot_image_v3_v4_parse_hdr()
 - android_vendor_boot_image_v3_v4_parse_hdr()

Update android_image_get_data() to support v3 and v4

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:47 -04:00
Safae Ouajih
e058176be3 android: boot: add vendor boot image to prepare for v3, v4 support
Introduce vendor boot image for version 3 and 4 of boot image header.
The vendor boot image will hold extra information about kernel, dtb
and ramdisk.

This is done to prepare for boot image version 3 and 4 support.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:47 -04:00
Safae Ouajih
f48efa0edb android: boot: kcomp: support andr_image_data
andr_image_data structure is used as a global representation of
boot image header structure. Introduce this new structure to
support all boot header versions : v0,v1.v2.v3.v4 and to support
v3 and v4 while maitaining support for v0,v1,v2.
The need of using andr_image_data comes from the change of header
structure in both version 3 and 4.

Rework android_image_get_kcomp()  to support this new struct.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:46 -04:00
Safae Ouajih
734cb47d6d android: boot: replace android_image_check_header
With the new vendor boot image introduced in versions 3 and 4
of boot image header, the header check must be done for both boot
image and vendor boot image. Thus, replace android_image_check_header()
by is_android_boot_image_header() to only refer to boot image header check.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:46 -04:00
Safae Ouajih
d71a732af4 android: boot: rename andr_img_hdr -> andr_boot_img_hdr_v0
Android introduced boot header version 3 or 4.
The header structure change with version 3 and 4 to support
the new updates such as:
- Introducing Vendor boot image: with a vendor ramdisk
- Bootconfig feature (v4)

Change andr_img_hdr struct name to maintain support for version v0,
v1 and v2 while introducing version 3 and 4.

Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2023-04-04 14:50:46 -04:00
Simon Glass
30f3333d88 image: Move common image code to image_board and command
We should use the cmd/ directory for commands rather than for common code
used elsewhere in U-Boot. Move the common 'source' code into
image-board.c to achieve this.

The image_source_script() function needs to call run_command_list()  so
seems to belong better in the command library. Move and rename it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-01-16 18:26:50 -05:00
Simon Glass
858fefd5fc image: Add a function to find a script in an image
Split this functionality out of the 'source' command so it can be used
from another place. For now leave it where it is, but a future patch will
move it out of cmd/

Signed-off-by: Simon Glass <sjg@chromium.org>
2023-01-16 18:24:24 -05:00
Sean Anderson
bcc85b96b5 cmd: source: Support specifying config name
As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.

To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).

[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-12-31 13:35:19 -05:00
Sean Anderson
b5fd7b4a31 image: Add fallback for fit_config_verify
Add a fallback for this function so it can be used without regard to
whether FIT_SIGNATURE is enabled or not.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-12-31 13:35:19 -05:00
Marc Kleine-Budde
28f924f265 tools: mkimage: add new image type "fdt_legacy"
If the user select the image type "flat_dt" a FIT image will be build.
This breaks the legacy use case of putting a Flat Device Tree into a
legacy u-boot image.

Add a new image type "fdt_legacy" to build a legacy u-boot image
with a "flat_dt" type.

Link: https://lore.kernel.org/all/20221028155205.ojw6tcso2fofgnhm@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
2022-12-08 09:29:02 -05:00
Simon Glass
88ff7cb1c8 image: Correct strncpy() warning with image_set_name()
gcc 12 seems to warn on strncpy() as a matter of course. Rewrite the code
a different way to do the same thing, to avoid the warning.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-11-22 15:13:34 -07:00
Simon Glass
bbe285c305 image: Allow loading a FIT image for a particular phase
Add support for filtering out FIT images by phase. Rather than adding yet
another argument to this already overloaded function, use a composite
value, where the phase is only added in if needed.

The FIT config is still selected (and verified) as normal, but the images
are selected based on the phase.

Tests for this come in a little later, as part of the updated VPL test.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-10-31 11:02:45 -04:00
Simon Glass
44ad35a0f6 image: Add the concept of a phase to FIT
We want to be able to mark an image as related to a phase, so we can
easily load all the images for SPL or for U-Boot proper.

Add this to the FIT specification, along with some access functions.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-10-31 11:02:44 -04:00
Simon Glass
494e66d3a9 image: Move comment for fit_conf_find_compat()
Move this comment to the header file, where the APIs should be defined.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-10-31 11:02:44 -04:00
Steven Lawrance
7c5eeb8309 image-pre-load: Move macros/definitions to image.h
Putting these definitions in a header will allow signatures to be
validated independently of bootm.

Signed-off-by: Steven Lawrance <steven.lawrance@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-10-11 15:40:48 -04:00
Simon Glass
f3543e6944 treewide: Drop image_header_t typedef
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-09-29 16:07:57 -04:00
Simon Glass
da79b2f25e treewide: Drop image_info_t typedef
This is not needed and we should avoid typedefs. Use the struct instead.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-09-29 16:07:57 -04:00
Simon Glass
d9d7c20b73 treewide: Drop bootm_headers_t typedef
This is not needed and we should avoid typedefs. Use the struct instead.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-09-29 16:07:57 -04:00
Simon Glass
c56b2bb9b9 image: Fix BOOTM_STATE values
Tidy up the code style for these.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-09-29 16:07:57 -04:00
Tom Rini
e9a1ff9724 Merge branch 'master' into next
Signed-off-by: Tom Rini <trini@konsulko.com>
2022-09-19 16:07:12 -04:00
Simon Glass
9c2e9128f3 image: Drop some other #ifdefs in image-board.c
Remove all but a few that are difficult, relying on legacy CONFIG options
or optional global_data fields.

Drop the duplicate function name in the comment for boot_get_cmdline().

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-09-14 09:03:07 -04:00
Sean Anderson
37feaf2f72 image: fit: Add some helpers for getting data
Several different firmware users have repetitive code to extract the
firmware data from a FIT. Add some helper functions to reduce the amount
of repetition. fit_conf_get_prop_node (eventually) calls
fdt_check_node_offset_, so we can avoid an explicit if. In general, this
version avoids printing on error because the callers are typically
library functions, and because the FIT code generally has (debug)
prints of its own. One difference in these helpers is that they use
fit_image_get_data_and_size instead of fit_image_get_data, as the former
handles external data correctly.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-09-07 13:40:44 +08:00
SESA644425
c755aa8a1d lib: rsa: Fix const-correctness of rsassa_pss functions
Prior to introduction of modifications in rsassa_pss functions
related to padding verification, doing a pass to update
const-correctness in targeted functions to comply with
coding-rules and avoid const-cast

Signed-off-by: SESA644425 <gioja.hermann@non.se.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-04-11 11:39:19 -04:00
Tom Rini
4de720e98d Merge branch 'master' of https://source.denx.de/u-boot/custodians/u-boot-sunxi
A big part is the DM pinctrl driver, which allows us to get rid of quite
some custom pinmux code and make the whole port much more robust. Many
thanks to Samuel for that nice contribution! There are some more or less
cosmetic warnings about missing clocks right now, I will send the trivial
fixes for that later.
Another big chunk is the mkimage upgrade, which adds RISC-V and TOC0
(secure images) support. Both features are unused at the moment, but I
have an always-secure board that will use that once the DT lands in the
kernel.
On top of those big things we have some smaller fixes, improving the
I2C DM support, fixing some H6/H616 early clock setup and improving the
eMMC boot partition support.

The gitlab CI completed successfully, including the build test for all
161 sunxi boards. I also boot tested on a A64, A20, H3, H6, and F1C100
board. USB, SD card, eMMC, and Ethernet all work there (where applicable).
2022-04-05 08:33:32 -04:00
Samuel Holland
e9e87ec47c tools: mkimage: Add Allwinner TOC0 support
Most Allwinner sunxi SoCs have separate boot ROMs in non-secure and
secure mode. The "non-secure" or "normal" boot ROM (NBROM) uses the
existing sunxi_egon image type. The secure boot ROM (SBROM) uses a
completely different image type, known as TOC0.

A TOC0 image is composed of a header and two or more items. One item
is the firmware binary. The others form a chain linking the firmware
signature to the root-of-trust public key (ROTPK), which has its hash
burned in the SoC's eFuses. Signatures are made using RSA-2048 + SHA256.

The pseudo-ASN.1 structure is manually assembled; this is done to work
around bugs/quirks in the boot ROM, which vary between SoCs. This TOC0
implementation has been verified to work with the A50, A64, H5, H6,
and H616 SBROMs, and it may work with other SoCs.

Signed-off-by: Samuel Holland <samuel@sholland.org>
Acked-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-04-04 23:24:17 +01:00
Philippe Reynes
6e052d1cba mkimage: add public key for image pre-load stage
This commit enhances mkimage to update the node
/image/pre-load/sig with the public key.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2022-03-31 14:12:01 -04:00
Philippe Reynes
9d46e63d97 cmd: bootm: add a stage pre-load
Add a stage pre-load to the command bootm.
Right now, this stage may be used to read a
header and check the signature of the full
image.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2022-03-31 14:12:01 -04:00
Philippe Reynes
982207435a boot: image: add a stage pre-load
Add a stage pre-load that could
check or modify an image.

For the moment, only a header with a signature is
supported. This header has the following format:
- magic : 4 bytes
- version : 4 bytes
- header size : 4 bytes
- image size : 4 bytes
- offset image signature : 4 bytes
- flags : 4 bytes
- reserved0 : 4 bytes
- reserved1 : 4 bytes
- sha256 of the image signature : 32 bytes
- signature of the first 64 bytes : n bytes
- image signature : n bytes
- padding : up to header size

The stage uses a node /image/pre-load/sig to
get some informations:
- algo-name (mandatory) : name of the algo used to sign
- padding-name : name of padding used to sign
- signature-size : size of the signature (in the header)
- mandatory : set to yes if this sig is mandatory
- public-key (madatory) : value of the public key

Before running the image, the stage pre-load checks
the signature provided in the header.

This is an initial support, later we could add the
support of:
- ciphering
- uncompressing
- ...

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2022-03-31 14:12:01 -04:00
Simon Glass
2d2384bbaf tools: mkimage: Show where signatures/keys are written
At present mkimage displays the node information but it is not clear what
signing action was taken. Add a message that shows it. For now it only
supports showing a single signing action, since that is the common case.

Sample:

   Signature written to 'sha1-basic/test.fit',
       node '/configurations/conf-1/signature'
   Public key written to 'sha1-basic/sandbox-u-boot.dtb',
       node '/signature/key-dev'

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26 08:50:44 -07:00
Simon Glass
c033dc8c0c image: Return destination node for add_verify_data() method
It is useful to know where the verification data was written. Update the
API to return this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26 08:50:44 -07:00
Simon Glass
99f844ba3a tools: Pass the key blob around
At present we rely on the key blob being in the global_data fdt_blob
pointer. This is true in U-Boot but not with tools. For clarity, pass the
parameter around.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26 08:50:44 -07:00
Simon Glass
70e6bcc43f tools: Improve comments in signing functions
Add some more comments to explain what is going on in the signing
functions. Fix two repeated typos.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26 08:50:43 -07:00
Jan Kiszka
5902a397d0 mkimage: Allow to specify the signature algorithm on the command line
This permits to prepare FIT image description that do not hard-code the
final choice of the signature algorithm, possibly requiring the user to
patch the sources.

When -o <algo> is specified, this information is used in favor of the
'algo' property in the signature node. Furthermore, that property is set
accordingly when writing the image.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2022-01-24 10:35:10 -05:00
Jan Kiszka
4550ce9be0 image-fit: Make string of algo parameter constant
Modifications would be invalid.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-01-24 10:35:10 -05:00
Heinrich Schuchardt
185f812c41 doc: replace @return by Return:
Sphinx expects Return: and not @return to indicate a return value.

find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-19 18:11:34 +01:00
Hannu Lounento
2289629f27 image.h: make image_sign_info.fit point to const
The data blob apparently does not need to be modified through the fit
field of the image_sign_info struct so make it point to const to avoid
the need to cast away constness in functions that assign a pointer to
const data to the field.

fit_image_setup_verify already had to cast away constness as it assigned
a const void * argument to the field. The cast can now be removed.

Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-10-31 12:26:44 -06:00
Simon Glass
1df654a6af image: Drop most #ifdefs in image-board.c
Remove ifdefs in this file, so far as possible without too much
refactoring.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-10-08 15:53:27 -04:00
Simon Glass
13c133b995 image: Drop unnecessary #ifdefs from image.h
This file has a lot of conditional code and much of it is unnecessary.
Clean this up to reduce the number of build combinations.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-10-08 15:53:27 -04:00
Simon Glass
0ab5e02704 image: Tidy up fit_unsupported_reset()
This function is only used in one place and does not need to use the
preprocessor. Move it to the C file and convert it to a normal function.

Drop fit_unsupported() since it is not used.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-10-08 15:53:27 -04:00
Simon Glass
fa13940740 image: Drop IMAGE_ENABLE_IGNORE
We can use the new host_build() function for this, so drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:27 -04:00
Simon Glass
3ac0f50412 image: Drop IMAGE_OF_SYSTEM_SETUP
This is not needed with Kconfig, since we can use IS_ENABLED() easily
enough. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
30ba282865 image: Drop IMAGE_OF_BOARD_SETUP
This is not needed with Kconfig, since we can use IS_ENABLED() easily
enough. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
806d1ff37b image: Drop IMAGE_BOOT_GET_CMDLINE
This is not needed with Kconfig, since we can use IS_ENABLED() easily
enough and the board code is now in a separate file. Update the only place
where this is used and drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
2bbed3ff8c image: Use Kconfig to enable FIT_RSASSA_PSS on host
Add a host Kconfig for FIT_RSASSA_PSS. With this we can use
CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the
forcing of this in the image.h header.

Drop the #ifdef around padding_pss_verify() too since it is not needed.
Use the compiler to check the config where possible, instead of the
preprocessor.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
e059157f0d image: Use Kconfig to enable CONFIG_FIT_VERBOSE on host
Add a host Kconfig for FIT_VERBOSE. With this we can use
CONFIG_IS_ENABLED(FIT_VERBOSE) directly in the tools build, so drop the
forcing of this in the image.h header.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
0c303f9a66 image: Drop IMAGE_ENABLE_OF_LIBFDT
Add a host Kconfig for OF_LIBFDT. With this we can use
CONFIG_IS_ENABLED(OF_LIBFDT) directly in the tools build, so drop the
unnecessary indirection.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
bf371b4cf5 image: Drop IMAGE_ENABLE_FIT
Make use of the host Kconfig for FIT. With this we can use
CONFIG_IS_ENABLED(FIT) directly in the host build, so drop the unnecessary
indirection.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Simon Glass
2c21256b27 hash: Use Kconfig to enable hashing in host tools and SPL
At present when building host tools, we force CONFIG_SHAxxx to be enabled
regardless of the board Kconfig setting. This is done in the image.h
header file.

For SPL we currently just assume the algorithm is desired if U-Boot proper
enables it.

Clean this up by adding new Kconfig options to enable hashing on the host,
relying on CONFIG_IS_ENABLED() to deal with the different builds.

Add new SPL Kconfigs for hardware-accelerated hashing, to maintain the
current settings.

This allows us to drop the image.h code and the I_WANT_MD5 hack.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00