diff options
| -rw-r--r-- | arch/arm/mach-socfpga/Kconfig | 2 | ||||
| -rw-r--r-- | common/Kconfig.boot | 32 | ||||
| -rw-r--r-- | common/Makefile | 3 | ||||
| -rw-r--r-- | common/image-fit.c | 45 | ||||
| -rw-r--r-- | common/spl/Kconfig | 54 | ||||
| -rw-r--r-- | configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig | 2 | ||||
| -rw-r--r-- | configs/ls1043ardb_nand_SECURE_BOOT_defconfig | 2 | ||||
| -rw-r--r-- | configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig | 2 | ||||
| -rw-r--r-- | configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig | 2 | ||||
| -rw-r--r-- | configs/ls1088ardb_sdcard_qspi_SECURE_BOOT_defconfig | 2 | ||||
| -rw-r--r-- | configs/mt8516_pumpkin_defconfig | 2 | ||||
| -rw-r--r-- | include/configs/xilinx_zynqmp.h | 2 | ||||
| -rw-r--r-- | include/image.h | 23 | ||||
| -rw-r--r-- | lib/Kconfig | 12 | ||||
| -rw-r--r-- | lib/Makefile | 2 | ||||
| -rw-r--r-- | lib/crypt/Kconfig | 2 | ||||
| -rw-r--r-- | lib/efi_loader/Kconfig | 2 | ||||
| -rw-r--r-- | lib/sha512.c | 2 |
18 files changed, 39 insertions, 154 deletions
diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig index f4791c1..bddfd44 100644 --- a/arch/arm/mach-socfpga/Kconfig +++ b/arch/arm/mach-socfpga/Kconfig @@ -11,7 +11,7 @@ config SOCFPGA_SECURE_VAB_AUTH depends on TARGET_SOCFPGA_AGILEX || TARGET_SOCFPGA_N5X select FIT_IMAGE_POST_PROCESS select SHA384 - select SHA512_ALGO + select SHA512 select SPL_FIT_IMAGE_POST_PROCESS help All images loaded from FIT will be authenticated by Secure Device diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 0d4c384..c2d6c89 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -13,6 +13,7 @@ config FIT bool "Support Flattened Image Tree" select MD5 select SHA1 + select HASH help This option allows you to boot the new uImage structure, Flattened Image Tree. FIT is formally a FDT, which can include @@ -35,34 +36,6 @@ config FIT_EXTERNAL_OFFSET could be put in the hole between data payload and fit image header, such as CSF data on i.MX platform. -config FIT_SHA256 - bool "Support SHA256 checksum of FIT image contents" - default y - select SHA256 - help - Enable this to support SHA256 checksum of FIT image contents. A - SHA256 checksum is a 256-bit (32-byte) hash value used to check that - the image contents have not been corrupted. - -config FIT_SHA384 - bool "Support SHA384 checksum of FIT image contents" - default n - select SHA384 - help - Enable this to support SHA384 checksum of FIT image contents. A - SHA384 checksum is a 384-bit (48-byte) hash value used to check that - the image contents have not been corrupted. Use this for the highest - security. - -config FIT_SHA512 - bool "Support SHA512 checksum of FIT image contents" - default n - select SHA512 - help - Enable this to support SHA512 checksum of FIT image contents. A - SHA512 checksum is a 512-bit (64-byte) hash value used to check that - the image contents have not been corrupted. - config FIT_FULL_CHECK bool "Do a full check of the FIT before using it" default y @@ -161,6 +134,7 @@ if SPL config SPL_FIT bool "Support Flattened Image Tree within SPL" depends on SPL + select SPL_HASH select SPL_OF_LIBFDT config SPL_FIT_PRINT @@ -185,7 +159,7 @@ config SPL_FIT_SIGNATURE select FIT_SIGNATURE select SPL_FIT select SPL_CRYPTO - select SPL_HASH_SUPPORT + select SPL_HASH imply SPL_RSA imply SPL_RSA_VERIFY select SPL_IMAGE_SIGN_INFO diff --git a/common/Makefile b/common/Makefile index 9063ed9..592f340 100644 --- a/common/Makefile +++ b/common/Makefile @@ -8,7 +8,7 @@ ifndef CONFIG_SPL_BUILD obj-y += init/ obj-y += main.o obj-y += exports.o -obj-$(CONFIG_HASH) += hash.o +obj-$(CONFIG_$(SPL_)HASH) += hash.o obj-$(CONFIG_HUSH_PARSER) += cli_hush.o obj-$(CONFIG_AUTOBOOT) += autoboot.o @@ -66,7 +66,6 @@ ifdef CONFIG_SPL_BUILD ifdef CONFIG_SPL_DFU obj-$(CONFIG_DFU_OVER_USB) += dfu.o endif -obj-$(CONFIG_SPL_HASH_SUPPORT) += hash.o obj-$(CONFIG_TPL_HASH_SUPPORT) += hash.o obj-$(CONFIG_SPL_LOAD_FIT) += common_fit.o obj-$(CONFIG_SPL_NET_SUPPORT) += miiphyutil.o diff --git a/common/image-fit.c b/common/image-fit.c index aff4670..92d9141 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1193,6 +1193,12 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp) return 0; } +static void crc32_uimage_fixup(void *value) +{ + /* TODO: In C, this type punning is undefined behavior: */ + *((uint32_t *)value) = cpu_to_uimage(*((uint32_t *)value)); +} + /** * calculate_hash - calculate and return hash for provided input data * @data: pointer to the input data @@ -1211,37 +1217,24 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp) * 0, on success * -1, when algo is unsupported */ -int calculate_hash(const void *data, int data_len, const char *algo, +int calculate_hash(const void *data, int data_len, const char *name, uint8_t *value, int *value_len) { - if (IMAGE_ENABLE_CRC32 && strcmp(algo, "crc32") == 0) { - *((uint32_t *)value) = crc32_wd(0, data, data_len, - CHUNKSZ_CRC32); - *((uint32_t *)value) = cpu_to_uimage(*((uint32_t *)value)); - *value_len = 4; - } else if (CONFIG_IS_ENABLED(SHA1) && strcmp(algo, "sha1") == 0) { - sha1_csum_wd((unsigned char *)data, data_len, - (unsigned char *)value, CHUNKSZ_SHA1); - *value_len = 20; - } else if (CONFIG_IS_ENABLED(SHA256) && strcmp(algo, "sha256") == 0) { - sha256_csum_wd((unsigned char *)data, data_len, - (unsigned char *)value, CHUNKSZ_SHA256); - *value_len = SHA256_SUM_LEN; - } else if (CONFIG_IS_ENABLED(SHA384) && strcmp(algo, "sha384") == 0) { - sha384_csum_wd((unsigned char *)data, data_len, - (unsigned char *)value, CHUNKSZ_SHA384); - *value_len = SHA384_SUM_LEN; - } else if (CONFIG_IS_ENABLED(SHA512) && strcmp(algo, "sha512") == 0) { - sha512_csum_wd((unsigned char *)data, data_len, - (unsigned char *)value, CHUNKSZ_SHA512); - *value_len = SHA512_SUM_LEN; - } else if (IMAGE_ENABLE_MD5 && strcmp(algo, "md5") == 0) { - md5_wd((unsigned char *)data, data_len, value, CHUNKSZ_MD5); - *value_len = 16; - } else { + struct hash_algo *algo; + int ret; + + ret = hash_lookup_algo(name, &algo); + if (ret < 0) { debug("Unsupported hash alogrithm\n"); return -1; } + + algo->hash_func_ws(data, data_len, value, algo->chunk_size); + *value_len = algo->digest_size; + + if (!strcmp(name, "crc32")) + crc32_uimage_fixup(value); + return 0; } diff --git a/common/spl/Kconfig b/common/spl/Kconfig index c155a3b..c75c8aa 100644 --- a/common/spl/Kconfig +++ b/common/spl/Kconfig @@ -439,48 +439,6 @@ config SPL_MD5 applications where images may be changed maliciously, you should consider SHA256 or SHA384. -config SPL_FIT_SHA1 - bool "Support SHA1" - depends on SPL_FIT - select SHA1 - help - Enable this to support SHA1 in FIT images within SPL. A SHA1 - checksum is a 160-bit (20-byte) hash value used to check that the - image contents have not been corrupted or maliciously altered. - While SHA1 is fairly secure it is coming to the end of its life - due to the expanding computing power available to brute-force - attacks. For more security, consider SHA256 or SHA384. - -config SPL_FIT_SHA256 - bool "Support SHA256" - depends on SPL_FIT - select SHA256 - help - Enable this to support SHA256 in FIT images within SPL. A SHA256 - checksum is a 256-bit (32-byte) hash value used to check that the - image contents have not been corrupted. - -config SPL_FIT_SHA384 - bool "Support SHA384" - depends on SPL_FIT - select SHA384 - select SHA512_ALGO - help - Enable this to support SHA384 in FIT images within SPL. A SHA384 - checksum is a 384-bit (48-byte) hash value used to check that the - image contents have not been corrupted. Use this for the highest - security. - -config SPL_FIT_SHA512 - bool "Support SHA512" - depends on SPL_FIT - select SHA512 - select SHA512_ALGO - help - Enable this to support SHA512 in FIT images within SPL. A SHA512 - checksum is a 512-bit (64-byte) hash value used to check that the - image contents have not been corrupted. - config SPL_FIT_IMAGE_TINY bool "Remove functionality from SPL FIT loading to reduce size" depends on SPL_FIT @@ -519,16 +477,6 @@ config SPL_CRYPTO this option to build the drivers in drivers/crypto as part of an SPL build. -config SPL_HASH_SUPPORT - bool "Support hashing drivers" - select SHA1 - select SHA256 - help - Enable hashing drivers in SPL. These drivers can be used to - accelerate secure boot processing in secure applications. Enable - this option to build system-specific drivers for hash acceleration - as part of an SPL build. - config TPL_HASH_SUPPORT bool "Support hashing drivers in TPL" depends on TPL @@ -1235,7 +1183,7 @@ config SPL_USB_ETHER config SPL_DFU bool "Support DFU (Device Firmware Upgrade)" - select SPL_HASH_SUPPORT + select SPL_HASH select SPL_DFU_NO_RESET depends on SPL_RAM_SUPPORT help diff --git a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig index 78196e6..c5a6819 100644 --- a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig +++ b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig @@ -31,7 +31,7 @@ CONFIG_SPL_FSL_PBL=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0xe8 CONFIG_SPL_CRYPTO=y -CONFIG_SPL_HASH_SUPPORT=y +CONFIG_SPL_HASH=y CONFIG_SPL_ENV_SUPPORT=y CONFIG_SPL_I2C=y CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y diff --git a/configs/ls1043ardb_nand_SECURE_BOOT_defconfig b/configs/ls1043ardb_nand_SECURE_BOOT_defconfig index 3736445..93f6b2a 100644 --- a/configs/ls1043ardb_nand_SECURE_BOOT_defconfig +++ b/configs/ls1043ardb_nand_SECURE_BOOT_defconfig @@ -27,7 +27,7 @@ CONFIG_SPL_FSL_PBL=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0xf0 CONFIG_SPL_CRYPTO=y -CONFIG_SPL_HASH_SUPPORT=y +CONFIG_SPL_HASH=y CONFIG_SPL_ENV_SUPPORT=y CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y CONFIG_SPL_NAND_SUPPORT=y diff --git a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig index b879a0c..71c33ca 100644 --- a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig +++ b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig @@ -27,7 +27,7 @@ CONFIG_SPL_FSL_PBL=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x110 CONFIG_SPL_CRYPTO=y -CONFIG_SPL_HASH_SUPPORT=y +CONFIG_SPL_HASH=y CONFIG_SPL_ENV_SUPPORT=y CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y CONFIG_SPL_WATCHDOG=y diff --git a/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig b/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig index c46d0db..9d7ff79 100644 --- a/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig +++ b/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig @@ -27,7 +27,7 @@ CONFIG_SPL_FSL_PBL=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x110 CONFIG_SPL_CRYPTO=y -CONFIG_SPL_HASH_SUPPORT=y +CONFIG_SPL_HASH=y CONFIG_SPL_ENV_SUPPORT=y CONFIG_SPL_I2C=y CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y diff --git a/configs/ls1088ardb_sdcard_qspi_SECURE_BOOT_defconfig b/configs/ls1088ardb_sdcard_qspi_SECURE_BOOT_defconfig index 96d4479..62da4ec 100644 --- a/configs/ls1088ardb_sdcard_qspi_SECURE_BOOT_defconfig +++ b/configs/ls1088ardb_sdcard_qspi_SECURE_BOOT_defconfig @@ -33,7 +33,7 @@ CONFIG_MISC_INIT_R=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x8b0 CONFIG_SPL_CRYPTO=y -CONFIG_SPL_HASH_SUPPORT=y +CONFIG_SPL_HASH=y CONFIG_SPL_ENV_SUPPORT=y CONFIG_SPL_I2C=y CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y diff --git a/configs/mt8516_pumpkin_defconfig b/configs/mt8516_pumpkin_defconfig index 0a6c1fc..1478b01 100644 --- a/configs/mt8516_pumpkin_defconfig +++ b/configs/mt8516_pumpkin_defconfig @@ -13,7 +13,7 @@ CONFIG_DEBUG_UART_CLOCK=26000000 # CONFIG_PSCI_RESET is not set CONFIG_DEBUG_UART=y CONFIG_FIT=y -# CONFIG_FIT_SHA256 is not set +# CONFIG_SHA256 is not set # CONFIG_ARCH_FIXUP_FDT_MEMORY is not set CONFIG_DEFAULT_FDT_FILE="mt8516-pumpkin" # CONFIG_DISPLAY_BOARDINFO is not set diff --git a/include/configs/xilinx_zynqmp.h b/include/configs/xilinx_zynqmp.h index 262154c..42758ba 100644 --- a/include/configs/xilinx_zynqmp.h +++ b/include/configs/xilinx_zynqmp.h @@ -258,7 +258,7 @@ #if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_DFU) # define CONFIG_SPL_ENV_SUPPORT -# define CONFIG_SPL_HASH_SUPPORT +# define CONFIG_SPL_HASH # define CONFIG_ENV_MAX_ENTRIES 10 #endif diff --git a/include/image.h b/include/image.h index e20f0b6..2d057d4 100644 --- a/include/image.h +++ b/include/image.h @@ -31,9 +31,6 @@ struct fdt_region; #define IMAGE_ENABLE_OF_LIBFDT 1 #define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */ #define CONFIG_FIT_RSASSA_PSS 1 -#define CONFIG_FIT_SHA256 -#define CONFIG_FIT_SHA384 -#define CONFIG_FIT_SHA512 #define CONFIG_SHA1 #define CONFIG_SHA256 #define CONFIG_SHA384 @@ -62,26 +59,6 @@ struct fdt_region; #include <hash.h> #include <linux/libfdt.h> #include <fdt_support.h> -# ifdef CONFIG_SPL_BUILD -# ifdef CONFIG_SPL_CRC32 -# define IMAGE_ENABLE_CRC32 1 -# endif -# ifdef CONFIG_SPL_MD5 -# define IMAGE_ENABLE_MD5 1 -# endif -# else -# define IMAGE_ENABLE_CRC32 1 -# define IMAGE_ENABLE_MD5 1 -# endif - -#ifndef IMAGE_ENABLE_CRC32 -#define IMAGE_ENABLE_CRC32 0 -#endif - -#ifndef IMAGE_ENABLE_MD5 -#define IMAGE_ENABLE_MD5 0 -#endif - #endif /* IMAGE_ENABLE_FIT */ #ifdef CONFIG_SYS_BOOT_GET_CMDLINE diff --git a/lib/Kconfig b/lib/Kconfig index c535147..48565a4 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -375,14 +375,9 @@ config SHA256 The SHA256 algorithm produces a 256-bit (32-byte) hash value (digest). -config SHA512_ALGO - bool "Enable SHA512 algorithm" - help - This option enables support of internal SHA512 algorithm. config SHA512 bool "Enable SHA512 support" - depends on SHA512_ALGO help This option enables support of hashing using SHA512 algorithm. The hash is calculated in software. @@ -391,10 +386,11 @@ config SHA512 config SHA384 bool "Enable SHA384 support" - depends on SHA512_ALGO + select SHA512 help This option enables support of hashing using SHA384 algorithm. - The hash is calculated in software. + The hash is calculated in software. This is also selects SHA512, + because these implementations share the bulk of the code.. The SHA384 algorithm produces a 384-bit (48-byte) hash value (digest). @@ -409,7 +405,7 @@ if SHA_HW_ACCEL config SHA512_HW_ACCEL bool "Enable hardware acceleration for SHA512" - depends on SHA512_ALGO + depends on SHA512 help This option enables hardware acceleration for the SHA384 and SHA512 hashing algorithms. This affects the 'hash' command and also the diff --git a/lib/Makefile b/lib/Makefile index 8ba745f..6aa48ca 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -65,7 +65,7 @@ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o -obj-$(CONFIG_SHA512_ALGO) += sha512.o +obj-$(CONFIG_SHA512) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ diff --git a/lib/crypt/Kconfig b/lib/crypt/Kconfig index 5495ae8..6a50029 100644 --- a/lib/crypt/Kconfig +++ b/lib/crypt/Kconfig @@ -20,7 +20,7 @@ config CRYPT_PW_SHA256 config CRYPT_PW_SHA512 bool "Provide sha512crypt" select SHA512 - select SHA512_ALGO + select SHA512 help Enables support for the sha512crypt password-hashing algorithm. The prefix is "$6$". diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index dacc3b5..0846325 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -323,7 +323,7 @@ config EFI_TCG2_PROTOCOL depends on TPM_V2 select SHA1 select SHA256 - select SHA512_ALGO + select SHA512 select SHA384 select SHA512 select HASH diff --git a/lib/sha512.c b/lib/sha512.c index 35f31e3..a421f24 100644 --- a/lib/sha512.c +++ b/lib/sha512.c @@ -320,7 +320,6 @@ void sha384_csum_wd(const unsigned char *input, unsigned int ilen, #endif -#if defined(CONFIG_SHA512) void sha512_starts(sha512_context * ctx) { ctx->state[0] = SHA512_H0; @@ -381,4 +380,3 @@ void sha512_csum_wd(const unsigned char *input, unsigned int ilen, sha512_finish(&ctx, output); } -#endif |