[PATCH v2 37/50] image: Drop IMAGE_ENABLE_SIGN/VERIFY defines

Alex G. mr.nuke.me at gmail.com
Fri May 14 22:38:29 CEST 2021



On 5/6/21 9:24 AM, Simon Glass wrote:
> Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use
> CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary
> indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop
> FIT_IMAGE_ENABLE_VERIFY which is not actually used.
> 
> Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete
> and needs to be integrated with RSA.
> 
> Signed-off-by: Simon Glass <sjg at chromium.org>
> ---
> 
> (no changes since v1)
> 
>   common/image-fit.c     |  6 +++---
>   common/image-sig.c     | 10 +++++-----
>   include/image.h        | 13 ++-----------
>   include/u-boot/ecdsa.h |  2 +-
>   include/u-boot/rsa.h   |  4 ++--
>   tools/Kconfig          | 10 ++++++++++
>   tools/image-host.c     |  4 ++--
>   7 files changed, 25 insertions(+), 24 deletions(-)
> 
> diff --git a/common/image-fit.c b/common/image-fit.c
> index c13ff6bba24..e81a0858dc1 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
>   	int ret;
>   
>   	/* Verify all required signatures */
> -	if (FIT_IMAGE_ENABLE_VERIFY &&
> +	if (CONFIG_IS_ENABLED(RSA_VERIFY) &&

NAK. Having verification depend directly on CONFIG_RSA_VERIFY will make 
adding ECDSA support that much more convoluted.


>   	    fit_image_verify_required_sigs(fit, image_noffset, data, size,
>   					   gd_fdt_blob(), &verify_all)) {
>   		err_msg = "Unable to verify required signature";
> @@ -1323,7 +1323,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
>   						 &err_msg))
>   				goto error;
>   			puts("+ ");
> -		} else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
> +		} else if (CONFIG_IS_ENABLED(RSA_VERIFY) && verify_all &&
>   				!strncmp(name, FIT_SIG_NODENAME,
>   					strlen(FIT_SIG_NODENAME))) {
>   			ret = fit_image_check_sig(fit, noffset, data,
> @@ -2045,7 +2045,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
>   		if (image_type == IH_TYPE_KERNEL)
>   			images->fit_uname_cfg = fit_base_uname_config;
>   
> -		if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
> +		if (CONFIG_IS_ENABLED(RSA_VERIFY) && images->verify) {
>   			puts("   Verifying Hash Integrity ... ");
>   			if (fit_config_verify(fit, cfg_noffset)) {
>   				puts("Bad Data Hash\n");
> diff --git a/common/image-sig.c b/common/image-sig.c
> index bbc6bb3b1e3..74ca96a39e9 100644
> --- a/common/image-sig.c
> +++ b/common/image-sig.c
> @@ -29,7 +29,7 @@ struct checksum_algo checksum_algos[] = {
>   		.checksum_len = SHA1_SUM_LEN,
>   		.der_len = SHA1_DER_LEN,
>   		.der_prefix = sha1_der_prefix,
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   		.calculate_sign = EVP_sha1,
>   #endif
>   		.calculate = hash_calculate,
> @@ -39,7 +39,7 @@ struct checksum_algo checksum_algos[] = {
>   		.checksum_len = SHA256_SUM_LEN,
>   		.der_len = SHA256_DER_LEN,
>   		.der_prefix = sha256_der_prefix,
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   		.calculate_sign = EVP_sha256,
>   #endif
>   		.calculate = hash_calculate,
> @@ -50,7 +50,7 @@ struct checksum_algo checksum_algos[] = {
>   		.checksum_len = SHA384_SUM_LEN,
>   		.der_len = SHA384_DER_LEN,
>   		.der_prefix = sha384_der_prefix,
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   		.calculate_sign = EVP_sha384,
>   #endif
>   		.calculate = hash_calculate,
> @@ -62,7 +62,7 @@ struct checksum_algo checksum_algos[] = {
>   		.checksum_len = SHA512_SUM_LEN,
>   		.der_len = SHA512_DER_LEN,
>   		.der_prefix = sha512_der_prefix,
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   		.calculate_sign = EVP_sha512,
>   #endif
>   		.calculate = hash_calculate,
> @@ -122,7 +122,7 @@ struct checksum_algo *image_get_checksum_algo(const char *full_name)
>   				struct checksum_algo *algo = &checksum_algos[i];
>   
>   				MANUAL_RELOC(algo->name);
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   				MANUAL_RELOC(algo->calculate_sign);
>   #endif
>   				MANUAL_RELOC(algo->calculate);
> diff --git a/include/image.h b/include/image.h
> index 64866c609f4..12043abd049 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -1139,22 +1139,13 @@ int calculate_hash(const void *data, int data_len, const char *algo,
>    */
>   #if defined(USE_HOSTCC)
>   # if defined(CONFIG_FIT_SIGNATURE)
> -#  define IMAGE_ENABLE_SIGN	1
> -#  define IMAGE_ENABLE_VERIFY	1
>   #  define IMAGE_ENABLE_VERIFY_ECDSA	1
> -#  define FIT_IMAGE_ENABLE_VERIFY	1
>   #  include <openssl/evp.h>
>   # else
> -#  define IMAGE_ENABLE_SIGN	0
> -#  define IMAGE_ENABLE_VERIFY	0
>   # define IMAGE_ENABLE_VERIFY_ECDSA	0
> -#  define FIT_IMAGE_ENABLE_VERIFY	0
>   # endif
>   #else
> -# define IMAGE_ENABLE_SIGN	0
> -# define IMAGE_ENABLE_VERIFY		CONFIG_IS_ENABLED(RSA_VERIFY)
>   # define IMAGE_ENABLE_VERIFY_ECDSA	0
> -# define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
>   #endif
>   
>   #if CONFIG_IS_ENABLED(FIT)
> @@ -1209,7 +1200,7 @@ struct image_region {
>   	int size;
>   };
>   
> -#if IMAGE_ENABLE_VERIFY
> +#if CONFIG_IS_ENABLED(RSA_VERIFY)
>   # include <u-boot/hash-checksum.h>
>   #endif
>   struct checksum_algo {
> @@ -1217,7 +1208,7 @@ struct checksum_algo {
>   	const int checksum_len;
>   	const int der_len;
>   	const uint8_t *der_prefix;
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   	const EVP_MD *(*calculate_sign)(void);
>   #endif
>   	int (*calculate)(const char *name,
> diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
> index 979690d9660..a446b656a29 100644
> --- a/include/u-boot/ecdsa.h
> +++ b/include/u-boot/ecdsa.h
> @@ -15,7 +15,7 @@
>    * @see "struct crypto_algo"
>    * @{
>    */
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   /**
>    * sign() - calculate and return signature for given input data
>    *
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index 45fe3509093..84cefbab442 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -31,7 +31,7 @@ struct rsa_public_key {
>   
>   struct image_sign_info;
>   
> -#if IMAGE_ENABLE_SIGN
> +#if CONFIG_IS_ENABLED(FIT_SIGN)
>   /**
>    * sign() - calculate and return signature for given input data
>    *
> @@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
>   }
>   #endif
>   
> -#if IMAGE_ENABLE_VERIFY
> +#if CONFIG_IS_ENABLED(RSA_VERIFY)
>   /**
>    * rsa_verify_hash() - Verify a signature against a hash
>    *
> diff --git a/tools/Kconfig b/tools/Kconfig
> index bbd6e8b9d79..13f923c7ac7 100644
> --- a/tools/Kconfig
> +++ b/tools/Kconfig
> @@ -59,6 +59,11 @@ config HOST_FIT_SIGNATURE
>   	help
>   	  Enable signature verification of FIT uImages in the host build
>   
> +config HOST_FIT_SIGN
> +	def_bool y
> +	help
> +	  Enable signing FIT uImages in the host build
> +
>   config HOST_FIT_SIGNATURE_MAX_SIZE
>   	hex
>   	depends on HOST_FIT_SIGNATURE
> @@ -79,6 +84,11 @@ config HOST_OF_LIBFDT
>   	help
>   	  Enable libfdt support in the host build.
>   
> +config HOST_RSA_VERIFY
> +	def_bool y
> +	help
> +	  Enable RSA verification support in the host build.
> +
>   config HOST_SHA1
>   	def_bool y
>   	help
> diff --git a/tools/image-host.c b/tools/image-host.c
> index 270d36fe451..2be897db943 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -636,7 +636,7 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile,
>   			     strlen(FIT_HASH_NODENAME))) {
>   			ret = fit_image_process_hash(fit, image_name, noffset,
>   						data, size);
> -		} else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
> +		} else if (CONFIG_IS_ENABLED(FIT_SIGN) && (keydir || keyfile) &&
>   			   !strncmp(node_name, FIT_SIG_NODENAME,
>   				strlen(FIT_SIG_NODENAME))) {
>   			ret = fit_image_process_sig(keydir, keyfile, keydest,
> @@ -1086,7 +1086,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile,
>   	}
>   
>   	/* If there are no keys, we can't sign configurations */
> -	if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile))
> +	if (!CONFIG_IS_ENABLED(FIT_SIGN) || !(keydir || keyfile))
>   		return 0;
>   
>   	/* Find configurations parent node offset */
> 


More information about the U-Boot mailing list