| Message ID | 20210513144810.17261-2-masahisa.kojima@linaro.org |
|---|---|
| State | Superseded |
| Delegated to: | Heinrich Schuchardt |
| Headers | show |
| Series | PE/COFF measurement support | expand |
On 5/13/21 4:48 PM, Masahisa Kojima wrote: > Build error occurs when CONFIG_EFI_SECURE_BOOT or > CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled, > because hash-checksum.c is not compiled. > > Since hash_calculate() implemented in hash-checksum.c can be > commonly used aside from FIT image signature verification, > this commit itroduces HASH_CALCULATE option to decide > if hash-checksum.c shall be compiled. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > --- > > Changes in v7: > - newly introduce HASH_CALCULATE option > > Changes in v6: > - update lib/Makefile to compile hash-checksum.c, instead of > selecting FIT_SIGNATURE in secure boot and capsule authentication. > > Changes in v5: > - Missing option for EFI_TCG2_PROTOROL already added in different commit. > This commit adds FIT_SIGNATURE only. > > Changes in v4: > - newly added in this patch series, due to rebasing > the base code. > > common/Kconfig.boot | 1 + > lib/Kconfig | 3 +++ > lib/Makefile | 2 +- > lib/efi_loader/Kconfig | 2 ++ > 4 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/common/Kconfig.boot b/common/Kconfig.boot > index 5a18d62d78..56608226cc 100644 > --- a/common/Kconfig.boot > +++ b/common/Kconfig.boot > @@ -80,6 +80,7 @@ config FIT_SIGNATURE > select RSA_VERIFY > select IMAGE_SIGN_INFO > select FIT_FULL_CHECK > + select HASH_CALCULATE > help > This option enables signature verification of FIT uImages, > using a hash signed and verified using RSA. If > diff --git a/lib/Kconfig b/lib/Kconfig > index 6d2d41de30..df67eb0503 100644 > --- a/lib/Kconfig > +++ b/lib/Kconfig > @@ -428,6 +428,9 @@ config CRC32C > config XXHASH > bool > > +config HASH_CALCULATE > + bool > + > endmenu > > menu "Compression Support" > diff --git a/lib/Makefile b/lib/Makefile > index 6825671955..0835ea292c 100644 > --- a/lib/Makefile > +++ b/lib/Makefile > @@ -61,7 +61,7 @@ endif > obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/ > obj-$(CONFIG_$(SPL_)MD5) += md5.o > obj-$(CONFIG_$(SPL_)RSA) += rsa/ > -obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o CONFIG_FIT_SIGNATURE has to select CONFIG_HASH_CALCULATE too? Best regards Heinrich > +obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o > obj-$(CONFIG_SHA1) += sha1.o > obj-$(CONFIG_SHA256) += sha256.o > obj-$(CONFIG_SHA512_ALGO) += sha512.o > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index c259abe033..eb5c4d6f29 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE > select PKCS7_MESSAGE_PARSER > select PKCS7_VERIFY > select IMAGE_SIGN_INFO > + select HASH_CALCULATE > default n > help > Select this option if you want to enable capsule > @@ -342,6 +343,7 @@ config EFI_SECURE_BOOT > select X509_CERTIFICATE_PARSER > select PKCS7_MESSAGE_PARSER > select PKCS7_VERIFY > + select HASH_CALCULATE > default n > help > Select this option to enable EFI secure boot support. >
On 5/13/21 4:48 PM, Masahisa Kojima wrote: > Build error occurs when CONFIG_EFI_SECURE_BOOT or > CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled, > because hash-checksum.c is not compiled. > > Since hash_calculate() implemented in hash-checksum.c can be > commonly used aside from FIT image signature verification, > this commit itroduces HASH_CALCULATE option to decide > if hash-checksum.c shall be compiled. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 5a18d62d78..56608226cc 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -80,6 +80,7 @@ config FIT_SIGNATURE select RSA_VERIFY select IMAGE_SIGN_INFO select FIT_FULL_CHECK + select HASH_CALCULATE help This option enables signature verification of FIT uImages, using a hash signed and verified using RSA. If diff --git a/lib/Kconfig b/lib/Kconfig index 6d2d41de30..df67eb0503 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -428,6 +428,9 @@ config CRC32C config XXHASH bool +config HASH_CALCULATE + bool + endmenu menu "Compression Support" diff --git a/lib/Makefile b/lib/Makefile index 6825671955..0835ea292c 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -61,7 +61,7 @@ endif obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/ obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_$(SPL_)RSA) += rsa/ -obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o +obj-$(CONFIG_HASH_CALCULATE) += hash-checksum.o obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o obj-$(CONFIG_SHA512_ALGO) += sha512.o diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index c259abe033..eb5c4d6f29 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -174,6 +174,7 @@ config EFI_CAPSULE_AUTHENTICATE select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY select IMAGE_SIGN_INFO + select HASH_CALCULATE default n help Select this option if you want to enable capsule @@ -342,6 +343,7 @@ config EFI_SECURE_BOOT select X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY + select HASH_CALCULATE default n help Select this option to enable EFI secure boot support.
Build error occurs when CONFIG_EFI_SECURE_BOOT or CONFIG_EFI_CAPSULE_AUTHENTICATE is enabled, because hash-checksum.c is not compiled. Since hash_calculate() implemented in hash-checksum.c can be commonly used aside from FIT image signature verification, this commit itroduces HASH_CALCULATE option to decide if hash-checksum.c shall be compiled. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> --- Changes in v7: - newly introduce HASH_CALCULATE option Changes in v6: - update lib/Makefile to compile hash-checksum.c, instead of selecting FIT_SIGNATURE in secure boot and capsule authentication. Changes in v5: - Missing option for EFI_TCG2_PROTOROL already added in different commit. This commit adds FIT_SIGNATURE only. Changes in v4: - newly added in this patch series, due to rebasing the base code. common/Kconfig.boot | 1 + lib/Kconfig | 3 +++ lib/Makefile | 2 +- lib/efi_loader/Kconfig | 2 ++ 4 files changed, 7 insertions(+), 1 deletion(-)