[PATCH v7 00/16] image: add a stage pre-load

Philippe Reynes philippe.reynes at softathome.com
Mon Mar 14 15:57:29 CET 2022


This serie adds a stage pre-load before launching an image.
This stage is used to read a header before the image and
this header contains the signature of the full image.
So u-boot may check the full image before using any
data of the image.

The support of this header is added to binman, and
a command verify checks the signature of a blob and
set the u-boot env variable "loadaddr_verified" to 
the beginning of the "real" image.

The support of this header is only added to binman,
but it may also be added to mkimage. 


Changelog:
v7:
- rename command verify to pre_load_verify
- add usage doc for command pre_load_verify
- some cleanup in support of pre-load in binman
- rename variable key-path to pre-load-key-path
- some cleanup in test vboot for pre-load
v6:
- set values in big endian in the pre-load header
- binman: etypes: pre-load: read image from other entry
                  instead of directly from a file
- binman: etypes: pre-load: add test unit
- lib: Makefile: no longer add -I$(obj) for SPL
       It was to fix build when oid is built on spl but not
       on u-boot. It is not longer possible.
v5:
- replace config SANDBOX_BINMAN by an imply
v4:
- add a config SANDBOX_BIN
- enhance help for asn1 and oid
- change the format of the pre-load header
- add the support of pre-load header in binman
- add py test for pre-load header
- add a command verify
v3:
- move image-pre-load.c to /boot
- update mkimage to add public key in u-boot device tree
- add script gen_pre_load_header.sh
v2:
- move the code to image-pre-load
- add support of stage pre-load for spl
- add support of stage pre-load on spl_ram

Philippe Reynes (16):
  arch: Kconfig: imply BINMAN for SANDBOX
  lib: Kconfig: enhance help for ASN1
  lib: Kconfig: enhance the help of OID_REGISTRY
  lib: allow to build asn1 decoder and oid registry in SPL
  lib: crypto: allow to build crypyo in SPL
  lib: rsa: allow rsa verify with pkey in SPL
  boot: image: add a stage pre-load
  cmd: bootm: add a stage pre-load
  common: spl: fit_ram: allow to use image pre load
  mkimage: add public key for image pre-load stage
  Makefile: provide sah-key to binman
  tools: binman: add support for pre-load header
  configs: sandbox_defconfig: enable stage pre-load in bootm
  test: py: vboot: add test for global image signature
  cmd: pre_load_verify: initial import
  configs: sandbox_defconfig: enable config CMD_PRE_LOAD_VERIFY

 Makefile                                      |   1 +
 arch/Kconfig                                  |   1 +
 arch/sandbox/dts/sandbox.dtsi                 |   3 +
 arch/sandbox/dts/test.dts                     |   3 +
 boot/Kconfig                                  |  55 +++
 boot/Makefile                                 |   1 +
 boot/bootm.c                                  |  33 ++
 boot/image-pre-load.c                         | 416 ++++++++++++++++++
 cmd/Kconfig                                   |  18 +
 cmd/Makefile                                  |   2 +
 cmd/bootm.c                                   |   2 +-
 cmd/pre-load-verify.c                         |  53 +++
 common/spl/spl_ram.c                          |  21 +-
 configs/sandbox_defconfig                     |   4 +
 doc/usage/index.rst                           |   1 +
 doc/usage/pre-load-verify.rst                 |  44 ++
 include/image.h                               |  30 ++
 lib/Kconfig                                   |  37 +-
 lib/Makefile                                  |   7 +-
 lib/crypto/Kconfig                            |  29 ++
 lib/crypto/Makefile                           |  19 +-
 lib/rsa/Kconfig                               |  19 +
 test/py/tests/test_fit.py                     |   3 +
 test/py/tests/test_vboot.py                   | 145 +++++-
 test/py/tests/vboot/sandbox-binman-pss.dts    |  25 ++
 test/py/tests/vboot/sandbox-binman.dts        |  24 +
 .../tests/vboot/sandbox-u-boot-global-pss.dts |  28 ++
 test/py/tests/vboot/sandbox-u-boot-global.dts |  27 ++
 test/py/tests/vboot/sandbox-u-boot.dts        |   3 +
 test/py/tests/vboot/simple-images.its         |  36 ++
 tools/binman/entries.rst                      |  38 ++
 tools/binman/etype/pre_load.py                | 162 +++++++
 tools/binman/ftest.py                         |  51 +++
 tools/binman/test/225_dev.key                 |  28 ++
 tools/binman/test/225_pre_load.dts            |  22 +
 tools/binman/test/226_pre_load_pkcs.dts       |  23 +
 tools/binman/test/227_pre_load_pss.dts        |  23 +
 .../test/228_pre_load_invalid_padding.dts     |  23 +
 .../binman/test/229_pre_load_invalid_sha.dts  |  23 +
 .../binman/test/230_pre_load_invalid_algo.dts |  23 +
 .../binman/test/231_pre_load_invalid_key.dts  |  23 +
 tools/fit_image.c                             |   3 +
 tools/image-host.c                            | 114 +++++
 43 files changed, 1618 insertions(+), 28 deletions(-)
 create mode 100644 boot/image-pre-load.c
 create mode 100644 cmd/pre-load-verify.c
 create mode 100644 doc/usage/pre-load-verify.rst
 create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-binman.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts
 create mode 100644 test/py/tests/vboot/simple-images.its
 create mode 100644 tools/binman/etype/pre_load.py
 create mode 100644 tools/binman/test/225_dev.key
 create mode 100644 tools/binman/test/225_pre_load.dts
 create mode 100644 tools/binman/test/226_pre_load_pkcs.dts
 create mode 100644 tools/binman/test/227_pre_load_pss.dts
 create mode 100644 tools/binman/test/228_pre_load_invalid_padding.dts
 create mode 100644 tools/binman/test/229_pre_load_invalid_sha.dts
 create mode 100644 tools/binman/test/230_pre_load_invalid_algo.dts
 create mode 100644 tools/binman/test/231_pre_load_invalid_key.dts

-- 
2.17.1



More information about the U-Boot mailing list