diff options
| author | Reuben Dowle <reubendowle0@gmail.com> | 2020-04-16 17:36:52 +1200 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2020-06-12 13:14:07 -0400 |
| commit | d16b38f42704fe3cc94fbee1601be96045013151 (patch) | |
| tree | abd95e88387701d92c5319565ed4a6aaf9c02a1b /common/spl/Kconfig | |
| parent | f191f3a1027ede56e2501920e3e8a8acd7033e77 (diff) | |
| download | u-boot-d16b38f42704fe3cc94fbee1601be96045013151.zip u-boot-d16b38f42704fe3cc94fbee1601be96045013151.tar.gz u-boot-d16b38f42704fe3cc94fbee1601be96045013151.tar.bz2 | |
Add support for SHA384 and SHA512
The current recommendation for best security practice from the US government
is to use SHA384 for TOP SECRET [1].
This patch adds support for SHA384 and SHA512 in the hash command, and also
allows FIT images to be hashed with these algorithms, and signed with
sha384,rsaXXXX and sha512,rsaXXXX
The SHA implementation is adapted from the linux kernel implementation.
[1] Commercial National Security Algorithm Suite
http://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Diffstat (limited to 'common/spl/Kconfig')
| -rw-r--r-- | common/spl/Kconfig | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/common/spl/Kconfig b/common/spl/Kconfig index 8ece905..3eae65e 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig @@ -412,7 +412,7 @@ config SPL_MD5_SUPPORT secure as it is possible (with a brute-force attack) to adjust the image while still retaining the same MD5 hash value. For secure applications where images may be changed maliciously, you should - consider SHA1 or SHA256. + consider SHA256 or SHA384. config SPL_SHA1_SUPPORT bool "Support SHA1" @@ -424,7 +424,7 @@ config SPL_SHA1_SUPPORT image contents have not been corrupted or maliciously altered. While SHA1 is fairly secure it is coming to the end of its life due to the expanding computing power available to brute-force - attacks. For more security, consider SHA256. + attacks. For more security, consider SHA256 or SHA384. config SPL_SHA256_SUPPORT bool "Support SHA256" @@ -433,12 +433,28 @@ config SPL_SHA256_SUPPORT help Enable this to support SHA256 in FIT images within SPL. A SHA256 checksum is a 256-bit (32-byte) hash value used to check that the - image contents have not been corrupted. SHA256 is recommended for - use in secure applications since (as at 2016) there is no known - feasible attack that could produce a 'collision' with differing - input data. Use this for the highest security. Note that only the - SHA256 variant is supported: SHA512 and others are not currently - supported in U-Boot. + image contents have not been corrupted. + +config SPL_SHA384_SUPPORT + bool "Support SHA384" + depends on SPL_FIT + select SHA384 + select SHA512_ALGO + help + Enable this to support SHA384 in FIT images within SPL. A SHA384 + checksum is a 384-bit (48-byte) hash value used to check that the + image contents have not been corrupted. Use this for the highest + security. + +config SPL_SHA512_SUPPORT + bool "Support SHA512" + depends on SPL_FIT + select SHA512 + select SHA512_ALGO + help + Enable this to support SHA512 in FIT images within SPL. A SHA512 + checksum is a 512-bit (64-byte) hash value used to check that the + image contents have not been corrupted. config SPL_FIT_IMAGE_TINY bool "Remove functionality from SPL FIT loading to reduce size" |