[PATCH v7 00/16] image: add a stage pre-load
Philippe Reynes
philippe.reynes at softathome.com
Mon Mar 14 15:57:29 CET 2022
This serie adds a stage pre-load before launching an image.
This stage is used to read a header before the image and
this header contains the signature of the full image.
So u-boot may check the full image before using any
data of the image.
The support of this header is added to binman, and
a command verify checks the signature of a blob and
set the u-boot env variable "loadaddr_verified" to
the beginning of the "real" image.
The support of this header is only added to binman,
but it may also be added to mkimage.
Changelog:
v7:
- rename command verify to pre_load_verify
- add usage doc for command pre_load_verify
- some cleanup in support of pre-load in binman
- rename variable key-path to pre-load-key-path
- some cleanup in test vboot for pre-load
v6:
- set values in big endian in the pre-load header
- binman: etypes: pre-load: read image from other entry
instead of directly from a file
- binman: etypes: pre-load: add test unit
- lib: Makefile: no longer add -I$(obj) for SPL
It was to fix build when oid is built on spl but not
on u-boot. It is not longer possible.
v5:
- replace config SANDBOX_BINMAN by an imply
v4:
- add a config SANDBOX_BIN
- enhance help for asn1 and oid
- change the format of the pre-load header
- add the support of pre-load header in binman
- add py test for pre-load header
- add a command verify
v3:
- move image-pre-load.c to /boot
- update mkimage to add public key in u-boot device tree
- add script gen_pre_load_header.sh
v2:
- move the code to image-pre-load
- add support of stage pre-load for spl
- add support of stage pre-load on spl_ram
Philippe Reynes (16):
arch: Kconfig: imply BINMAN for SANDBOX
lib: Kconfig: enhance help for ASN1
lib: Kconfig: enhance the help of OID_REGISTRY
lib: allow to build asn1 decoder and oid registry in SPL
lib: crypto: allow to build crypyo in SPL
lib: rsa: allow rsa verify with pkey in SPL
boot: image: add a stage pre-load
cmd: bootm: add a stage pre-load
common: spl: fit_ram: allow to use image pre load
mkimage: add public key for image pre-load stage
Makefile: provide sah-key to binman
tools: binman: add support for pre-load header
configs: sandbox_defconfig: enable stage pre-load in bootm
test: py: vboot: add test for global image signature
cmd: pre_load_verify: initial import
configs: sandbox_defconfig: enable config CMD_PRE_LOAD_VERIFY
Makefile | 1 +
arch/Kconfig | 1 +
arch/sandbox/dts/sandbox.dtsi | 3 +
arch/sandbox/dts/test.dts | 3 +
boot/Kconfig | 55 +++
boot/Makefile | 1 +
boot/bootm.c | 33 ++
boot/image-pre-load.c | 416 ++++++++++++++++++
cmd/Kconfig | 18 +
cmd/Makefile | 2 +
cmd/bootm.c | 2 +-
cmd/pre-load-verify.c | 53 +++
common/spl/spl_ram.c | 21 +-
configs/sandbox_defconfig | 4 +
doc/usage/index.rst | 1 +
doc/usage/pre-load-verify.rst | 44 ++
include/image.h | 30 ++
lib/Kconfig | 37 +-
lib/Makefile | 7 +-
lib/crypto/Kconfig | 29 ++
lib/crypto/Makefile | 19 +-
lib/rsa/Kconfig | 19 +
test/py/tests/test_fit.py | 3 +
test/py/tests/test_vboot.py | 145 +++++-
test/py/tests/vboot/sandbox-binman-pss.dts | 25 ++
test/py/tests/vboot/sandbox-binman.dts | 24 +
.../tests/vboot/sandbox-u-boot-global-pss.dts | 28 ++
test/py/tests/vboot/sandbox-u-boot-global.dts | 27 ++
test/py/tests/vboot/sandbox-u-boot.dts | 3 +
test/py/tests/vboot/simple-images.its | 36 ++
tools/binman/entries.rst | 38 ++
tools/binman/etype/pre_load.py | 162 +++++++
tools/binman/ftest.py | 51 +++
tools/binman/test/225_dev.key | 28 ++
tools/binman/test/225_pre_load.dts | 22 +
tools/binman/test/226_pre_load_pkcs.dts | 23 +
tools/binman/test/227_pre_load_pss.dts | 23 +
.../test/228_pre_load_invalid_padding.dts | 23 +
.../binman/test/229_pre_load_invalid_sha.dts | 23 +
.../binman/test/230_pre_load_invalid_algo.dts | 23 +
.../binman/test/231_pre_load_invalid_key.dts | 23 +
tools/fit_image.c | 3 +
tools/image-host.c | 114 +++++
43 files changed, 1618 insertions(+), 28 deletions(-)
create mode 100644 boot/image-pre-load.c
create mode 100644 cmd/pre-load-verify.c
create mode 100644 doc/usage/pre-load-verify.rst
create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts
create mode 100644 test/py/tests/vboot/sandbox-binman.dts
create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts
create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts
create mode 100644 test/py/tests/vboot/simple-images.its
create mode 100644 tools/binman/etype/pre_load.py
create mode 100644 tools/binman/test/225_dev.key
create mode 100644 tools/binman/test/225_pre_load.dts
create mode 100644 tools/binman/test/226_pre_load_pkcs.dts
create mode 100644 tools/binman/test/227_pre_load_pss.dts
create mode 100644 tools/binman/test/228_pre_load_invalid_padding.dts
create mode 100644 tools/binman/test/229_pre_load_invalid_sha.dts
create mode 100644 tools/binman/test/230_pre_load_invalid_algo.dts
create mode 100644 tools/binman/test/231_pre_load_invalid_key.dts
--
2.17.1
More information about the U-Boot
mailing list