Commit graph

62 commits

Author SHA1 Message Date
Cristian Ciocaltea
b533386dc1 doc: Add sample uefi.its image description file
This patch adds an example FIT image description file demonstrating
the usage of bootm command to securely launch UEFI binaries.

Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07 18:08:21 +01:00
Heinrich Schuchardt
97fd36933c doc: fitImage: example of a signature node
Describe that a signature node can be added to a binary device tree using
the mkimage tool.

Provide an example device tree node.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2019-12-13 13:01:53 -05:00
Thomas Hebb
32f2ca2a7e cosmetic: Fix spelling and whitespace errors
Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
2019-12-03 08:43:23 -05:00
Julius Werner
18cfa612a9 fit: Support compat string property in configuration node
This patch adds support for an optional optimization to compatible
string matching where the compatible string property from the root node
of the kernel FDT can be copied into the configuration node of the FIT
image. This is most useful when using compressed FDTs or when using FDT
overlays, where the traditional extraction of the compatible string from
the kernel FDT itself is not easily possible.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2019-07-29 09:32:08 -04:00
Mickaël Tansorier
57a51123f1 doc: fitImage: Cosmetics break lines
Add missing newline before title and subtitle.

Signed-off-by: Mickaël Tansorier <mickael.tansorier@smile.fr>
2019-07-24 14:15:37 -04:00
Mickaël Tansorier
15958c74a9 doc: fitImage: Fix conf number incrementation
Increment conf id to avoid to have two same conf name
into one configuration description.

Signed-off-by: Mickaël Tansorier <mickael.tansorier@smile.fr>
2019-07-24 14:15:37 -04:00
Vesa Jääskeläinen
5b123e0109 lib: rsa: add support to other openssl engine types than pkcs11
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.

Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
2019-07-18 11:31:23 -04:00
Tom Rini
c76c93a3d5 configs: Rename CONFIG_IMAGE_FORMAT_LEGACY to CONFIG_LEGACY_IMAGE_FORMAT
The name CONFIG_LEGACY_IMAGE_FORMAT reads slightly better along with
allowing us to avoid a rather nasty Kbuild/Kconfig issue down the line
with CONFIG_IS_ENABLED(IMAGE_FORMAT_LEGACY).  In a few places outside of
cmd/ switch to using CONFIG_IS_ENABLED() to test what is set.

Signed-off-by: Tom Rini <trini@konsulko.com>
2019-07-11 14:11:18 -04:00
Philippe Reynes
e83cf2fbfc doc: uImage.FIT: signature.txt: add option padding
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03 10:44:10 -05:00
Pierre-Jean Texier
612e99123b doc: FIT image: fix typo
Fix typo in beaglebone verified boot documentation.

Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
2018-08-20 07:21:29 -04:00
Simon Goldschmidt
fd15a9e256 doc: FIT image: clarify usage of "compression" property
Compressed images should have their compression property
set to "none" if U-Boot should leave them compressed.

This is especially the case for compressed ramdisks that
should be uncompressed by the kernel only.

Signed-off-by: Simon Goldschmidt <sgoldschmidt@de.pepperl-fuchs.com>
2018-08-10 13:45:33 -04:00
Sumit Garg
8044900a5b armv8: sec_firmware: Add support for multiple loadables
Enable support for multiple loadable images in SEC firmware FIT image.
Also add example "sec_firmware_ppa.its" file.

Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
2018-05-09 09:17:51 -05:00
Andre Przywara
b8790ebeec doc: FIT image: fix incorrect examples of DT node unit address
The DT spec demands a unit-address of a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the FIT image example files where this was not
observed, to not give bad examples to the reader.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2018-01-15 18:29:21 -07:00
Andre Przywara
838404054e doc: FIT image: fix incorrect description of DT node unit address
The DT spec demands a unit-address in a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the FIT image documentation files where this was not
observed, to not give bad examples to the reader.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2018-01-15 18:29:21 -07:00
Peng Fan
a1be94b654 SPL: Add FIT data-position property support
For external data, FIT has a optional property "data-position" which
can set the external data to a fixed offset to FIT beginning.
Add the support for this property in SPL FIT.

Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tomas Melin <tomas.melin@vaisala.com>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: "Andrew F. Davis" <afd@ti.com>
Cc: Igor Grinberg <grinberg@compulab.co.il>
Cc: "tomas.melin@vaisala.com" <tomas.melin@vaisala.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Andre Przywara <andre.przywara@arm.com>
Cc: York Sun <york.sun@nxp.com>
Cc: Lokesh Vutla <lokeshvutla@ti.com>
Cc: "Cooper Jr., Franklin" <fcooper@ti.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Cc: Jean-Jacques Hiblot <jjhiblot@ti.com>
Cc: Rick Altherr <raltherr@google.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
Reviewed-by: York Sun <york.sun@nxp.com>
2017-12-12 21:33:38 -05:00
Masahiro Yamada
6af5520fe1 doc: verified-boot: fix crypto algorithm examples
As you see in crypto_algos in common/image-sig.c, the algorithm
should be either "rsa2048" or "rsa4096".  "rs2048" is a typo.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2017-10-23 17:28:18 -04:00
Franklin S Cooper Jr
56fc7032e1 doc: overlays: Tweak documentation regarding overlays
Pull some information regarding overlays from commit messages and
put them directly within the documentation. Also add some information
regarding required dtc version to properly use overlays.

Signed-off-by: Franklin S Cooper Jr <fcooper@ti.com>
Acked-by: Simon Glass <sjg@chromium.org>
2017-09-15 05:27:49 -06:00
Pantelis Antoniou
6b54e50b5a fit: fdt overlays doc
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Reviewed-by: Łukasz Majewski
Acked-by: Simon Glass <sjg@chromium.org>
2017-09-15 05:27:49 -06:00
York Sun
c8bc3c0c9f spl: fit: Add booting OS first
If CONFIG_SPL_OS_BOOT is enabled, boot OS if kernel image is found
in FIT structure.

Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2017-09-11 07:55:36 -07:00
York Sun
5fd13d9736 spl: fit: Support both external and embedded data
SPL supports U-Boot image in FIT format which has data outside of
FIT structure. This adds support for embedded data for normal FIT
images.

Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2017-09-11 07:55:36 -07:00
Masahiro Yamada
e43f74ac0b doc: verified-boot: fix typos
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2017-08-26 14:56:14 -04:00
Tom Rini
25fa0b930f FIT: List kernel_noload in the list of types
In the source_file_format.txt file we talk about how to construct a
valid FIT image.  While it already says to look at the source for the
full list, add kernel_noload to the explicit list of types.  This is
arguably the most important type to use as most often we are including a
kernel that will run from wherever it is loaded into memory and execute.

This for example, allows you to create a single FIT image for Linux that
can be used on both OMAP and i.MX devices as the kernel will not need to
be moved in memory.

Signed-off-by: Tom Rini <trini@konsulko.com>
2017-07-26 11:29:15 -04:00
Andre Przywara
411cf32d20 SPL: FIT: allow loading multiple images
So far we were not using the FIT image format to its full potential:
The SPL FIT loader was just loading the first image from the /images
node plus one of the listed DTBs.
Now with the refactored loader code it's easy to load an arbitrary
number of images in addition to the two mentioned above.
As described in the FIT image source file format description, iterate
over all images listed at the "loadables" property in the configuration
node and load every image at its desired location.
This allows to load any kind of images:
- firmware images to execute before U-Boot proper (for instance
  ARM Trusted Firmware (ATF))
- firmware images for management processors (SCP, arisc, ...)
- firmware images for devices like WiFi controllers
- bit files for FPGAs
- additional configuration data
- kernels and/or ramdisks
The actual usage of this feature would be platform and/or board specific.

Also update the FIT documentation to mention the new SPL feature and
provide an example .its file to demonstrate its features.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Lokesh Vutla <lokeshvuta@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
2017-05-17 23:15:43 +05:30
George McCollister
f1ca1fdebf mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
2017-01-14 16:47:13 -05:00
Andrew F. Davis
d7be50921e image: Add FIT image loadable section custom processing
To help automate the loading of custom image types we add the ability
to define custom handlers for the loadable section types. When we find
a compatible type while loading a "loadable" image from a FIT image we
run its associated handlers to perform any additional steps needed for
loading this image.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2016-12-03 13:21:19 -05:00
Simon Glass
dc396210d9 x86: Mention how to boot a 64-bit kernel from U-Boot
The README indicates that this is not supported, but this is no-longer true.
Update the text to indicate this and describe the FIT changes required.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2016-08-16 11:44:09 +08:00
Teddy Reed
f8f9107d97 mkimage: fit: spl: Add an optional static offset for external data
When building a FIT with external data (-E), U-Boot proper may require
absolute positioning for executing the external firmware. To acheive this
use the (-p) switch, which will replace the amended 'data-offset' with
'data-position' indicating the absolute position of external data.

It is considered an error if the requested absolute position overlaps with the
initial data required for the compact FIT.

Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
2016-06-24 17:23:06 -04:00
Michal Simek
ed0cea7c52 mkimage: Report information about fpga
Add FIT_FPGA_PROP that user can identify an optional
entry for fpga.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2016-05-24 11:15:02 +02:00
Andreas Dannenberg
4c1d5c29b5 doc: clarify openssl-based key and certificate generation process
Add some basic clarification that the dev.key file generated by OpenSSL
contains both the public and private key, and further highlight that
the certificate generated here contains the public key only.

Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
2016-04-01 17:17:41 -04:00
Andreas Dannenberg
486c39c2e9 doc: fix file extension for flattened image tree blob
Different sections in the document suggest flattened image tree blob
files have a file name extension of .itb. Fix the list of file extensions
to reflect that.

Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
2016-04-01 17:17:41 -04:00
Simon Glass
722ebc8f84 mkimage: Support placing data outside the FIT
One limitation of FIT is that all the data is 'inline' within it, using a
'data' property in each image node. This means that to find out what is in
the FIT it is necessary to scan the entire file. Once loaded it can be
scanned and then the images can be copied to the correct place in memory.

In SPL it can take a significant amount of time to copy images around in
memory. Also loading data that does not end up being used is wasteful. It
would be useful if the FIT were small, acting as a directory, with the
actual data stored elsewhere.

This allows SPL to load the entire FIT, without the images, then load the
images it wants later.

Add a -E option to mkimage to request that it output an 'external' FIT.

Signed-off-by: Simon Glass <sjg@chromium.org>
2016-03-14 19:18:29 -04:00
Bin Meng
a187559e3d Use correct spelling of "U-Boot"
Correct spelling of "U-Boot" shall be used in all written text
(documentation, comments in source files etc.).

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Minkyu Kang <mk7.kang@samsung.com>
2016-02-06 12:00:59 +01:00
Karl Apsite
ecf8cd6535 mkimage will now report information about loadable
Added FIT_LOADABLE_PROP, so the user can identify an optional entry
named "loadables" in their .its configuration. "loadables" is a comma
separated list in the .its

Documentation can be found in doc/uImage.FIT/source_file_format.txt and
                              doc/uImage.Fit/multi-with-loadables.its

Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2015-05-28 08:18:20 -04:00
Guilherme Maciel Ferreira
a724b7e0ab doc: fix misspellings
Signed-off-by: Guilherme Maciel Ferreira <guilherme.maciel.ferreira@gmail.com>
2015-01-29 13:38:40 -05:00
Guilherme Maciel Ferreira
5cde9d8e94 doc: "os" is also mandatory for "ramdisk" FIT image components
According to fit_image_print(), the "os" property from "image" node is required
also when "type=ramdisk".

Signed-off-by: Guilherme Maciel Ferreira <guilherme.maciel.ferreira@gmail.com>
2015-01-29 13:38:40 -05:00
Simon Glass
90268b878b x86: Support loading kernel setup from a FIT
Add a new setup@ section to the FIT which can be used to provide a setup
binary for booting Linux on x86. This makes it possible to boot x86 from
a FIT.

Signed-off-by: Simon Glass <sjg@chromium.org>
2014-10-22 09:03:06 -06:00
Simon Glass
381197788d doc: Tidy up and update part of the FIT documentation
This uses cfg instead of conf, and img instead of image. Fix these and
update in a few other places.

Signed-off-by: Simon Glass <sjg@chromium.org>
2014-10-22 09:03:06 -06:00
Michael van der Westhuizen
e0f2f15534 Implement generalised RSA public exponents for verified boot
Remove the verified boot limitation that only allows a single
RSA public exponent of 65537 (F4).  This change allows use with
existing PKI infrastructure and has been tested with HSM-based
PKI.

Change the configuration OF tree format to store the RSA public
exponent as a 64 bit integer and implement backward compatibility
for verified boot configuration trees without this extra field.

Parameterise vboot_test.sh to test different public exponents.

Mathematics and other hard work by Andrew Bott.

Tested with the following public exponents: 3, 5, 17, 257, 39981,
50457, 65537 and 4294967297.

Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com>
Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com>
Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com>
Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com>
Cc: Simon Glass <sjg@chromium.org>
2014-08-09 11:17:01 -04:00
Simon Glass
c7320ed52f Add documentation for verified boot on Beaglebone Black
As an example of an end-to-end process for using verified boot in U-Boot,
add a detailed description of the steps to be used for a Beaglebone
Black.

Signed-off-by: Simon Glass <sjg@chromium.org>
2014-06-19 11:19:03 -04:00
Simon Glass
ce1400f694 Enhance fit_check_sign to check all images
At present this tool only checks the configuration signing. Have it also
look at each of the images in the configuration and confirm that they
verify.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Heiko Schocher <hs@denx.de> (v1)
2014-06-19 11:19:02 -04:00
Heiko Schocher
21d29f7f9f bootm: make use of legacy image format configurable
make the use of legacy image format configurable through
the config define CONFIG_IMAGE_FORMAT_LEGACY.

When relying on signed FIT images with required signature check
the legacy image format should be disabled. Therefore introduce
this new define and enable legacy image format if CONFIG_FIT_SIGNATURE
is not set. If CONFIG_FIT_SIGNATURE is set disable per default
the legacy image format.

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Lars Steubesand <lars.steubesand@philips.com>
Cc: Mike Pearce <mike@kaew.be>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Michal Simek <monstr@monstr.eu>
Acked-by: Simon Glass <sjg@chromium.org>
2014-06-05 14:44:56 -04:00
Jon Loeliger
5f65826b1b FDT: Fix DTC repository references
The Device Tree Compiler (DTC) used to have its master
repository located on jdl.com.  While it is still there,
its official, new, shiny location is on kernel.org here:

    git://git.kernel.org/pub/scm/utils/dtc/dtc.git

Update a few references to point there instead.

Signed-off-by: Jon Loeliger <jdl@jdl.com>
Acked-by: Simon Glass <sjg@chromium.org>
2014-06-05 14:44:56 -04:00
Heiko Schocher
29a23f9d6c tools, fit_check_sign: verify a signed fit image
add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
2014-03-21 16:40:38 -04:00
Heiko Schocher
646257d1f4 rsa: add sha256-rsa2048 algorithm
based on patch from andreas@oetken.name:

http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.

aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>
2014-03-21 16:39:34 -04:00
Masahiro Yamada
09b72d692f cosmetic: uImage.FIT: fix documents
- Fix the path to source_file_format.txt
  - Fix a minor typo
  - Fix the type for FIT blob: it must be "flat_dt"

Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
2014-01-17 08:04:32 -05:00
Masahiro Yamada
61ffc17aeb cosmetic: doc: uImage.FIT: fix typos
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
Acked-by: Simon Glass <sjg@chromium.org>
2013-09-20 10:30:53 -04:00
Simon Glass
041bca5ba3 Add verified boot information and test
Add a description of how to implement verified boot using signed FIT images,
and a simple test which verifies operation on sandbox.

The test signs a FIT image and verifies it, then signs a FIT configuration
and verifies it. Then it corrupts the signature to check that this is
detected.

Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26 10:18:57 -04:00
Simon Glass
4d0985295b image: Add support for signing of FIT configurations
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).

Add support for signing of FIT configurations using the libfdt's region
support.

Please see doc/uImage.FIT/signature.txt for more information.

Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26 10:18:56 -04:00
Simon Glass
56518e7104 image: Support signing of images
Add support for signing images using a new signature node. The process
is handled by fdt_add_verification_data() which now takes parameters to
provide the keys and related information.

Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26 10:18:56 -04:00
Simon Glass
3e569a6b1e image: Add signing infrastructure
Add a structure to describe an algorithm which can sign and (later) verify
images.

Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26 10:18:56 -04:00