[PATCH v2 37/50] image: Drop IMAGE_ENABLE_SIGN/VERIFY defines
Simon Glass
sjg at chromium.org
Thu May 6 16:24:25 CEST 2021
Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use
CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary
indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop
FIT_IMAGE_ENABLE_VERIFY which is not actually used.
Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete
and needs to be integrated with RSA.
Signed-off-by: Simon Glass <sjg at chromium.org>
---
(no changes since v1)
common/image-fit.c | 6 +++---
common/image-sig.c | 10 +++++-----
include/image.h | 13 ++-----------
include/u-boot/ecdsa.h | 2 +-
include/u-boot/rsa.h | 4 ++--
tools/Kconfig | 10 ++++++++++
tools/image-host.c | 4 ++--
7 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index c13ff6bba24..e81a0858dc1 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
int ret;
/* Verify all required signatures */
- if (FIT_IMAGE_ENABLE_VERIFY &&
+ if (CONFIG_IS_ENABLED(RSA_VERIFY) &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
gd_fdt_blob(), &verify_all)) {
err_msg = "Unable to verify required signature";
@@ -1323,7 +1323,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
&err_msg))
goto error;
puts("+ ");
- } else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
+ } else if (CONFIG_IS_ENABLED(RSA_VERIFY) && verify_all &&
!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_check_sig(fit, noffset, data,
@@ -2045,7 +2045,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
if (image_type == IH_TYPE_KERNEL)
images->fit_uname_cfg = fit_base_uname_config;
- if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
+ if (CONFIG_IS_ENABLED(RSA_VERIFY) && images->verify) {
puts(" Verifying Hash Integrity ... ");
if (fit_config_verify(fit, cfg_noffset)) {
puts("Bad Data Hash\n");
diff --git a/common/image-sig.c b/common/image-sig.c
index bbc6bb3b1e3..74ca96a39e9 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -29,7 +29,7 @@ struct checksum_algo checksum_algos[] = {
.checksum_len = SHA1_SUM_LEN,
.der_len = SHA1_DER_LEN,
.der_prefix = sha1_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
.calculate_sign = EVP_sha1,
#endif
.calculate = hash_calculate,
@@ -39,7 +39,7 @@ struct checksum_algo checksum_algos[] = {
.checksum_len = SHA256_SUM_LEN,
.der_len = SHA256_DER_LEN,
.der_prefix = sha256_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
.calculate_sign = EVP_sha256,
#endif
.calculate = hash_calculate,
@@ -50,7 +50,7 @@ struct checksum_algo checksum_algos[] = {
.checksum_len = SHA384_SUM_LEN,
.der_len = SHA384_DER_LEN,
.der_prefix = sha384_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
.calculate_sign = EVP_sha384,
#endif
.calculate = hash_calculate,
@@ -62,7 +62,7 @@ struct checksum_algo checksum_algos[] = {
.checksum_len = SHA512_SUM_LEN,
.der_len = SHA512_DER_LEN,
.der_prefix = sha512_der_prefix,
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
.calculate_sign = EVP_sha512,
#endif
.calculate = hash_calculate,
@@ -122,7 +122,7 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name)
struct checksum_algo *algo = &checksum_algos[i];
MANUAL_RELOC(algo->name);
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
MANUAL_RELOC(algo->calculate_sign);
#endif
MANUAL_RELOC(algo->calculate);
diff --git a/include/image.h b/include/image.h
index 64866c609f4..12043abd049 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1139,22 +1139,13 @@ int calculate_hash(const void *data, int data_len, const char *algo,
*/
#if defined(USE_HOSTCC)
# if defined(CONFIG_FIT_SIGNATURE)
-# define IMAGE_ENABLE_SIGN 1
-# define IMAGE_ENABLE_VERIFY 1
# define IMAGE_ENABLE_VERIFY_ECDSA 1
-# define FIT_IMAGE_ENABLE_VERIFY 1
# include <openssl/evp.h>
# else
-# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY 0
# define IMAGE_ENABLE_VERIFY_ECDSA 0
-# define FIT_IMAGE_ENABLE_VERIFY 0
# endif
#else
-# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY)
# define IMAGE_ENABLE_VERIFY_ECDSA 0
-# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
#endif
#if CONFIG_IS_ENABLED(FIT)
@@ -1209,7 +1200,7 @@ struct image_region {
int size;
};
-#if IMAGE_ENABLE_VERIFY
+#if CONFIG_IS_ENABLED(RSA_VERIFY)
# include <u-boot/hash-checksum.h>
#endif
struct checksum_algo {
@@ -1217,7 +1208,7 @@ struct checksum_algo {
const int checksum_len;
const int der_len;
const uint8_t *der_prefix;
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
const EVP_MD *(*calculate_sign)(void);
#endif
int (*calculate)(const char *name,
diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
index 979690d9660..a446b656a29 100644
--- a/include/u-boot/ecdsa.h
+++ b/include/u-boot/ecdsa.h
@@ -15,7 +15,7 @@
* @see "struct crypto_algo"
* @{
*/
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
/**
* sign() - calculate and return signature for given input data
*
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 45fe3509093..84cefbab442 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -31,7 +31,7 @@ struct rsa_public_key {
struct image_sign_info;
-#if IMAGE_ENABLE_SIGN
+#if CONFIG_IS_ENABLED(FIT_SIGN)
/**
* sign() - calculate and return signature for given input data
*
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
}
#endif
-#if IMAGE_ENABLE_VERIFY
+#if CONFIG_IS_ENABLED(RSA_VERIFY)
/**
* rsa_verify_hash() - Verify a signature against a hash
*
diff --git a/tools/Kconfig b/tools/Kconfig
index bbd6e8b9d79..13f923c7ac7 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -59,6 +59,11 @@ config HOST_FIT_SIGNATURE
help
Enable signature verification of FIT uImages in the host build
+config HOST_FIT_SIGN
+ def_bool y
+ help
+ Enable signing FIT uImages in the host build
+
config HOST_FIT_SIGNATURE_MAX_SIZE
hex
depends on HOST_FIT_SIGNATURE
@@ -79,6 +84,11 @@ config HOST_OF_LIBFDT
help
Enable libfdt support in the host build.
+config HOST_RSA_VERIFY
+ def_bool y
+ help
+ Enable RSA verification support in the host build.
+
config HOST_SHA1
def_bool y
help
diff --git a/tools/image-host.c b/tools/image-host.c
index 270d36fe451..2be897db943 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -636,7 +636,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile,
strlen(FIT_HASH_NODENAME))) {
ret = fit_image_process_hash(fit, image_name, noffset,
data, size);
- } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
+ } else if (CONFIG_IS_ENABLED(FIT_SIGN) && (keydir || keyfile) &&
!strncmp(node_name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keyfile, keydest,
@@ -1086,7 +1086,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile,
}
/* If there are no keys, we can't sign configurations */
- if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile))
+ if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile))
return 0;
/* Find configurations parent node offset */
--
2.31.1.607.g51e8a6a459-goog
More information about the U-Boot
mailing list