Tighten up symbol dependencies in a number of places. Ensure that a SPL
specific option has at least a direct dependency on SPL. In places
where it's clear that we depend on something more specific, use that
dependency instead. This means in a very small number of places we can
drop redundant dependencies.
Reported-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
This commit adds the option SPL_RSA_VERIFY_WITH_PKEY.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
The CAAM on IMX7ULP doesn't support public key hardware acceleration
(PKHA), as in other NXP parts. Disable RSA_FREESCALE_EXP for IMX7ULP
too.
Fixed: f4e9ff7135 ("Kconfig: Don't use RSA_FREESCALE_EXP on IMX")
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
In the current implementation of FIT_SIGNATURE, five parameters for
a RSA public key are required while only two of them are essential.
(See rsa-mod-exp.h and uImage.FIT/signature.txt)
This is a result of considering relatively limited computer power
and resources on embedded systems, while such a assumption may not
be quite practical for other use cases.
In this patch, added is a function, rsa_gen_key_prop(), which will
generate additional parameters for other uses, in particular
UEFI secure boot, on the fly.
Note: the current code uses some "big number" routines from BearSSL
for the calculation.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside:
if RSA
...
endif
So, remove the redundant "depends on RSA" from their depends expression.
In addition, move SPL_RSA into the same "if RSA ... endif" block, since
its only direct dependeny is CONFIG_RSA. This tidies up and simplifies
reading of lib/rsa/Kconfig.
No functional change intended.
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The CAAM in IMX parts doesn't support public key hardware acceleration
(PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX
(assuming you have the clocks enabled first) you will get back an
"Invalid KEY Command" error since PKHA isn't a valid key destination for
these parts.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
This allows a board to configure verified boot within the SPL using
a FIT or FIT with external data. It also allows the SPL to perform
signature verification without needing relocation.
The board configuration will need to add the following feature defines:
CONFIG_SPL_CRYPTO_SUPPORT
CONFIG_SPL_HASH_SUPPORT
CONFIG_SPL_SHA256
In this example, SHA256 is the only selected hashing algorithm.
And the following booleans:
CONFIG_SPL=y
CONFIG_SPL_DM=y
CONFIG_SPL_LOAD_FIT=y
CONFIG_SPL_FIT=y
CONFIG_SPL_OF_CONTROL=y
CONFIG_SPL_OF_LIBFDT=y
CONFIG_SPL_FIT_SIGNATURE=y
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Acked-by: Simon Glass <sjg@chromium.org>
Acked-by: Andreas Dannenberg <dannenberg@ti.com>
Acked-by: Sumit Garg <sumit.garg@nxp.com>
There are already two FIT options in Kconfig but the CONFIG options are
still in the header files. We need to do a proper move to fix this.
Move these options to Kconfig and tidy up board configuration:
CONFIG_FIT
CONFIG_OF_BOARD_SETUP
CONFIG_OF_SYSTEM_SETUP
CONFIG_FIT_SIGNATURE
CONFIG_FIT_BEST_MATCH
CONFIG_FIT_VERBOSE
CONFIG_OF_STDOUT_VIA_ALIAS
CONFIG_RSA
Unfortunately the first one is a little complicated. We need to make sure
this option is not enabled in SPL by this change. Also this option is
enabled automatically in the host builds by defining CONFIG_FIT in the
image.h file. To solve this, add a new IMAGE_USE_FIT #define which can
be used in files that are built on the host but must also build for U-Boot
and SPL.
Note: Masahiro's moveconfig.py script is amazing.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Add microblaze change, various configs/ re-applies]
Signed-off-by: Tom Rini <trini@konsulko.com>
Kconfig option added for devices which support RSA Verification.
1. RSA_SOFTWARE_EXP
Enables driver for supporting RSA Modular Exponentiation in Software
2. RSA_FREESCALE_EXP
Enables driver for supporting RSA Modular Exponentiation using Freescale specific
driver
The above drivers use RSA uclass
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
CC: Simon Glass <sjg@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
(Removed duplicate line in Kconfig comment)
Change-Id: I7663c4d5350e2bfc3dfa2696f70ef777d6ccc6f6