[PATCH v2 37/50] image: Drop IMAGE_ENABLE_SIGN/VERIFY defines

Simon Glass sjg at chromium.org
Fri May 14 22:44:35 CEST 2021


Hi Alex,

On Fri, 14 May 2021 at 14:38, Alex G. <mr.nuke.me at gmail.com> wrote:
>
>
>
> On 5/6/21 9:24 AM, Simon Glass wrote:
> > Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use
> > CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary
> > indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop
> > FIT_IMAGE_ENABLE_VERIFY which is not actually used.
> >
> > Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete
> > and needs to be integrated with RSA.
> >
> > Signed-off-by: Simon Glass <sjg at chromium.org>
> > ---
> >
> > (no changes since v1)
> >
> >   common/image-fit.c     |  6 +++---
> >   common/image-sig.c     | 10 +++++-----
> >   include/image.h        | 13 ++-----------
> >   include/u-boot/ecdsa.h |  2 +-
> >   include/u-boot/rsa.h   |  4 ++--
> >   tools/Kconfig          | 10 ++++++++++
> >   tools/image-host.c     |  4 ++--
> >   7 files changed, 25 insertions(+), 24 deletions(-)
> >
> > diff --git a/common/image-fit.c b/common/image-fit.c
> > index c13ff6bba24..e81a0858dc1 100644
> > --- a/common/image-fit.c
> > +++ b/common/image-fit.c
> > @@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
> >       int ret;
> >
> >       /* Verify all required signatures */
> > -     if (FIT_IMAGE_ENABLE_VERIFY &&
> > +     if (CONFIG_IS_ENABLED(RSA_VERIFY) &&
>
> NAK. Having verification depend directly on CONFIG_RSA_VERIFY will make
> adding ECDSA support that much more convoluted.

Let me counter-NAK.

The ECDSA needs to be integrated into the RSA stuff, as we have done
with hashing. E.g. CONFIG_VERIFY that enables the feature, with a
driver to select which methods are supported.

I think I mentioned that in the original review.

Regards,
Simon


More information about the U-Boot mailing list