From patchwork Fri Apr 17 22:07:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heiko Stuebner X-Patchwork-Id: 1272486 X-Patchwork-Delegate: ykai007@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=sntech.de Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 493qxb4XFSz9sSd for ; Sat, 18 Apr 2020 08:09:07 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B66B281D26; Sat, 18 Apr 2020 00:08:24 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=sntech.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id F41E881D12; Sat, 18 Apr 2020 00:07:52 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from gloria.sntech.de (gloria.sntech.de [185.11.138.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 4310E81D0E for ; Sat, 18 Apr 2020 00:07:39 +0200 (CEST) Authentication-Results: 
phobos.denx.de; dmarc=none (p=none dis=none) header.from=sntech.de Authentication-Results: phobos.denx.de; spf=none smtp.mailfrom=heiko@sntech.de Received: from p57b77c7a.dip0.t-ipconnect.de ([87.183.124.122] helo=phil.sntech) by gloria.sntech.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jPZ96-0006YZ-8q; Sat, 18 Apr 2020 00:07:36 +0200 From: Heiko Stuebner To: u-boot@lists.denx.de Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner Subject: [PATCH 1/7] spl: fit: select SPL_HASH_SUPPORT for SPL_FIT_SIGNATURE Date: Sat, 18 Apr 2020 00:07:10 +0200 Message-Id: <20200417220716.3670302-2-heiko@sntech.de> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de> References: <20200417220716.3670302-1-heiko@sntech.de> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de X-Virus-Status: Clean

rsa-checksum needs support for hash functions or else will run into compile errors like:

u-boot/lib/rsa/rsa-checksum.c:28: undefined reference to `hash_progressive_lookup_algo'

So, similar to how the main FIT_SIGNATURE entry selects HASH, select SPL_HASH_SUPPORT for SPL_FIT_SIGNATURE.

Cc: Heinrich Schuchardt
Signed-off-by: Heiko Stuebner
Reviewed-by: Philipp Tomsich
---
 Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Kconfig b/Kconfig
index 1b0b6999d8..2b84402baa 100644
--- a/Kconfig
+++ b/Kconfig
@@ -445,6 +445,7 @@ config SPL_FIT_SIGNATURE bool "Enable signature verification of FIT firmware within SPL" depends on SPL_DM select SPL_FIT + select SPL_HASH_SUPPORT select SPL_RSA select SPL_RSA_VERIFY select IMAGE_SIGN_INFO
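Review bot: `select SPL_HASH_SUPPORT` turns the symbol on without honouring any `depends on` it may carry, so please confirm SPL_HASH_SUPPORT needs nothing beyond what SPL_FIT_SIGNATURE already requires. The commit message could also state the failing combination (SPL_FIT_SIGNATURE=y with SPL_HASH_SUPPORT=n) next to the linker error: `hash_progressive_lookup_algo` is how rsa-checksum.c resolves the hash algorithm named in the FIT, so without it the SPL signature check cannot be built at all, which is the right failure mode compared with a verifier that links but cannot hash.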
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 2/7] spl: fit: select SPL_CRYPTO_SUPPORT for SPL_FIT_SIGNATURE
Date: Sat, 18 Apr 2020 00:07:11 +0200
Message-Id: <20200417220716.3670302-3-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>

Verifying FIT images obviously needs the rsa parts of crypto support and while main uboot always compiles crypto support, it's optional for SPL and we should thus select the necessary option to not end up in compile errors like:

u-boot/lib/rsa/rsa-verify.c:328: undefined reference to `rsa_mod_exp'

So select SPL_CRYPTO_SUPPORT in SPL_FIT_SIGNATURE.

Signed-off-by: Heiko Stuebner
Reviewed-by: Philipp Tomsich
---
 Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Kconfig b/Kconfig
index 2b84402baa..4051746319 100644
--- a/Kconfig
+++ b/Kconfig
@@ -445,6 +445,7 @@ config SPL_FIT_SIGNATURE bool "Enable signature verification of FIT firmware within SPL" depends on SPL_DM select SPL_FIT + select SPL_CRYPTO_SUPPORT select SPL_HASH_SUPPORT select SPL_RSA select SPL_RSA_VERIFY
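Review bot: the message says only "the rsa parts of crypto support" are needed, but the hunk selects the umbrella SPL_CRYPTO_SUPPORT; if that symbol enables more than the mod-exp driver that provides `rsa_mod_exp`, the extra SPL size should be mentioned, and if a narrower symbol exists it would be the better select. Same caveat as for SPL_HASH_SUPPORT: `select` bypasses the selected symbol's own `depends on`, so check that SPL_CRYPTO_SUPPORT has no dependency that SPL_FIT_SIGNATURE's `depends on SPL_DM` does not already cover.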
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 3/7] lib: rsa: distinguish between tpl and spl for CONFIG_RSA_VERIFY
Date: Sat, 18 Apr 2020 00:07:12 +0200
Message-Id: <20200417220716.3670302-4-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>
While the SPL may want to do signature checking this won't be the case for TPL in all cases, as TPL is mostly used when the amount of initial memory is not enough for a full SPL.

So on a system where SPL uses DM but TPL does not we currently end up with a TPL compile error of:

lib/rsa/rsa-verify.c:48:25: error: dereferencing pointer to incomplete type ‘struct checksum_algo’

To prevent that, change the $(SPL_) to $(SPL_TPL_) to distinguish between both. If someone really needs FIT signature checking in TPL as well, a new TPL_RSA_VERIFY config symbol needs to be added.

Signed-off-by: Heiko Stuebner
Reviewed-by: Philipp Tomsich
---
 lib/rsa/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index 14ed3cb401..c61ebfd79e 100644
--- a/lib/rsa/Makefile
+++ b/lib/rsa/Makefile
@@ -5,6 +5,6 @@ # (C) Copyright 2000-2007 # Wolfgang Denk, DENX Software Engineering, wd@denx.de. -obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o +obj-$(CONFIG_$(SPL_TPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
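Review bot: after this change a TPL build keys on `CONFIG_TPL_RSA_VERIFY`, which the commit message says does not exist, so rsa-verify.o and rsa-checksum.o silently disappear from TPL with nothing in the Makefile explaining why; a one-line comment above the rule would save the next person from chasing a TPL link error. The neighbouring `obj-$(CONFIG_RSA_VERIFY_WITH_PKEY)` and `obj-$(CONFIG_RSA_SOFTWARE_EXP)` lines remain unprefixed and therefore still follow the main U-Boot symbols in SPL and TPL builds; if the intent is to keep RSA out of TPL entirely, they deserve the same `$(SPL_TPL_)` treatment.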
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 4/7] mkimage: fit_image: handle multiple errors when writing signatures
Date: Sat, 18 Apr 2020 00:07:13 +0200
Message-Id: <20200417220716.3670302-5-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>
fit_image_write_sig() contains mostly functions from libfdt that return FDT_ERR_foo errors but also a call to fit_set_timestamp() which returns a regular error.

When handling the size increase via multiple iterations, check for both -FDT_ERR_NOSPACE and -ENOSPC. There is no real conflict, as FDT_ERR_NOSPACE = 3 = ESRCH (No such process) and ENOSPC = 28 which is above any FDT_ERR_*.

Signed-off-by: Heiko Stuebner
Reviewed-by: Simon Glass
---
 tools/image-host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/image-host.c b/tools/image-host.c
index 4e57ddea96..355ceb4591 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -240,7 +240,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest, ret = fit_image_write_sig(fit, noffset, value, value_len, comment, NULL, 0, cmdname); if (ret) { - if (ret == -FDT_ERR_NOSPACE) + if (ret == -FDT_ERR_NOSPACE || ret == -ENOSPC) return -ENOSPC; printf("Can't write signature for '%s' signature node in '%s' conf node: %s\n", node_name, image_name, fdt_strerror(ret));
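Review bot: `|| ret == -ENOSPC` handles the one errno value that matters for the retry loop, but it leaves fit_image_write_sig() returning a mix of negative libfdt codes and negative errno values, and the `printf` in the context below still passes every other `ret` to `fdt_strerror()`, so a different errno from fit_set_timestamp() would be reported with a misleading libfdt description. Mapping FDT_ERR_NOSPACE to -ENOSPC (and the other libfdt errors to errno) inside fit_image_write_sig() would let this caller check a single value, and the numeric-overlap argument in the commit message would no longer need to hold.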
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 5/7] spl: fit: enable signing a generated u-boot.itb
Date: Sat, 18 Apr 2020 00:07:14 +0200
Message-Id: <20200417220716.3670302-6-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>
With SPL_FIT_SIGNATURE enabled we will likely want a generated u-boot.itb to be signed and the key stored so that the spl can reach it.

So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks into the Makefile to have mkimage sign the .itb and store the used key into the spl dtb file.

The added dependencies should make sure that the u-boot.itb gets generated before the spl-binary gets built, so that there is the necessary space for the key to get included.

Signed-off-by: Heiko Stuebner
Reviewed-by: Philipp Tomsich
--- Kconfig | 8 ++++++++ Makefile | 11 ++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Kconfig b/Kconfig index 4051746319..15a783a67d 100644 --- a/Kconfig +++ b/Kconfig @@ -451,6 +451,14 @@ config SPL_FIT_SIGNATURE select SPL_RSA_VERIFY select IMAGE_SIGN_INFO +config SPL_FIT_SIGNATURE_KEY_DIR + string "key directory for signing U-Boot FIT image" + depends on SPL_FIT_SIGNATURE + default "keys" + help + The directory to give to mkimage to retrieve keys from when + generating a signed U-Boot FIT image. + config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" select SPL_FIT diff --git a/Makefile b/Makefile index 26307fd4a6..8e7a7cb50e 100644 --- a/Makefile +++ b/Makefile @@ -1394,6 +1394,14 @@ MKIMAGEFLAGS_u-boot.itb = else MKIMAGEFLAGS_u-boot.itb = -E endif +ifdef CONFIG_SPL_FIT_SIGNATURE +ifdef CONFIG_SPL_OF_CONTROL +MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r +ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"") +MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR) +endif +endif +endif u-boot.itb: u-boot-nodtb.bin \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \
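Review bot: in the Kconfig hunk, the SPL_FIT_SIGNATURE_KEY_DIR help text does not say against what a relative path such as the default "keys" is resolved (mkimage is run from the build directory) or that the directory must hold the private signing key; both are worth stating, since a private key placed inside the tree to satisfy the default is easy to commit or ship by accident, and an absolute path outside the tree is the safer recommendation.

Review bot: in the @@ -1394 Makefile hunk, `-K dts/dt-spl.dtb` has mkimage write the public key into the SPL device tree, yet none of the visible prerequisites of `u-boot.itb` is `dts/dt-spl.dtb`; if the rule that produces it is not listed further down, a clean build can run mkimage before the file exists, and if that rule re-runs afterwards the embedded key is overwritten. The `-r` flag is the important security property here, since marking the key required is what makes the SPL reject an unsigned or wrongly signed u-boot.itb rather than loading it anyway, and that deserves a sentence in the commit message.

Review bot: in the @@ -1913 hunk, adding `u-boot.itb FORCE` to spl/u-boot-spl's prerequisites means the SPL sub-make now runs after mkimage and on every invocation; the commit message justifies the dependency with leaving space for the key, but what actually has to be guaranteed is that the SPL dtb mkimage writes into exists beforehand and is not regenerated afterwards, so an explicit ordering rule for that file would express the intent better than a FORCE on the whole SPL target.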
@@ -1913,7 +1921,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl spl/u-boot-spl: tools prepare \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \ - $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) + $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \ + $(if $(CONFIG_SPL_FIT_GENERATOR),u-boot.itb FORCE) $(Q)$(MAKE) obj=spl -f $(srctree)/scripts/Makefile.spl all spl/sunxi-spl.bin: spl/u-boot-spl
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 6/7] spl: fit: add Kconfig option to specify key-hint for fit_generator
Date: Sat, 18 Apr 2020 00:07:15 +0200
Message-Id: <20200417220716.3670302-7-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>
The u-boot.itb can be generated either from a static .its that can simply include the needed signature nodes with key-hints or from a fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR.

In the script-case it will need to know what key to include for the key-hint and specified algorithm, so add an option for that key-name.

Signed-off-by: Heiko Stuebner
Reviewed-by: Philipp Tomsich
---
 Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Kconfig b/Kconfig
index 15a783a67d..703762d740 100644
--- a/Kconfig
+++ b/Kconfig
@@ -534,6 +534,14 @@ config SPL_FIT_GENERATOR passed a list of supported device tree file stub names to include in the generated image. +config SPL_FIT_GENERATOR_KEY_HINT + string "key hint for signing U-Boot FIT image" + depends on SPL_FIT_SIGNATURE + default "dev" + help + The key hint to store in both the generated .its file as well as + u-boot-key.dtb generated separately and embedded into the SPL. + endif # SPL endif # FIT
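Review bot: SPL_FIT_GENERATOR_KEY_HINT depends only on SPL_FIT_SIGNATURE although, per the commit message, it exists for the CONFIG_SPL_FIT_GENERATOR script case, so it is also offered to boards with a static .its where it has no effect; `depends on SPL_FIT_SIGNATURE && SPL_FIT_GENERATOR` matches the intent. The help text mentions a separately generated `u-boot-key.dtb`, while patch 5 embeds the key with `-K dts/dt-spl.dtb`; one of the two should be corrected. Finally, the default of "dev" means a board that enables signing without choosing a key silently signs with whatever `dev.key` happens to be in the key directory; an empty default that forces an explicit choice is safer.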
From: Heiko Stuebner
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, philipp.tomsich@theobroma-systems.com, kever.yang@rock-chips.com, xypron.glpk@gmx.de, takahiro.akashi@linaro.org, philippe.reynes@softathome.com, christoph.muellner@theobroma-systems.com, heiko@sntech.de, miquel.raynal@bootlin.com, Heiko Stuebner
Subject: [PATCH 7/7] rockchip: make_fit_atf: add signature handling
Date: Sat, 18 Apr 2020 00:07:16 +0200
Message-Id: <20200417220716.3670302-8-heiko@sntech.de>
In-Reply-To: <20200417220716.3670302-1-heiko@sntech.de>

If the newly added fit-generator key-options are found, append needed signature nodes to all generated image blocks, so that they can get signed when mkimage later compiles the .itb from the generated .its.
Signed-off-by: Heiko Stuebner --- arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py index d15c32b303..5b353f9d0a 100755 --- a/arch/arm/mach-rockchip/make_fit_atf.py +++ b/arch/arm/mach-rockchip/make_fit_atf.py @@ -14,6 +14,8 @@ import sys import getopt import logging import struct +import Crypto +from Crypto.PublicKey import RSA DT_HEADER = """ /* @@ -37,7 +39,9 @@ DT_UBOOT = """ arch = "arm64"; compression = "none"; load = <0x%08x>; - }; +""" + +DT_UBOOT_NODE_END = """ }; """ @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; DT_END = "};" +def append_signature(file): + if not os.path.exists("u-boot.cfg"): + return + + config = {} + with open("u-boot.cfg") as fd: + for line in fd: + line = line.strip() + values = line[8:].split(' ', 1) + if len(values) > 1: + key, value = values + value = value.strip('"') + else: + key = values[0] + value = '1' + if not key.startswith('CONFIG_'): + continue + config[key] = value + + try: + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] + except KeyError: + return + + try: + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) + except KeyError: + keyfile = keyhint + + if not os.path.exists('%s.key' % keyfile): + return + + f = open('%s.key' % keyfile,'r') + key = RSA.importKey(f.read()) + + file.write('\t\t\tsignature {\n') + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) + file.write('\t\t\t};\n') + def append_bl31_node(file, atf_index, phy_addr, elf_entry): # Append BL31 DT node to input FIT dts file. data = 'bl31_0x%08x.bin' % phy_addr 
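Review bot: in the @@ -14 hunk, `import Crypto` and `from Crypto.PublicKey import RSA` at module level make PyCrypto/PyCryptodome a hard requirement for every rockchip build that runs this script, including the ones that never sign anything; import RSA inside append_signature() after the key-hint checks have passed, and drop the bare `import Crypto`, which nothing in the diff uses.

Review bot: in the @@ -47 hunk, append_signature() re-parses u-boot.cfg and re-reads the private key for every image node, and `f = open('%s.key' % keyfile,'r')` is never closed; parse the config and load the key once (or cache them) and use `with open(...)`. The parser also slices `line[8:]` without checking that the line starts with `#define `, so blank or comment lines yield garbage that only the later `startswith('CONFIG_')` test discards; check the prefix first. Since only `key.n.bit_length()` is needed, the modulus size could equally be taken from the public half of the key pair rather than loading the private key into a build helper, and `"sha256,rsa%s"` hardcodes the hash, which must match what the SPL has compiled in.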
@@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) if atf_index == 1: file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tcompression = "none";\n') file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) file.write('\t\t\ttype = "flat_dt";\n') file.write('\t\t\tcompression = "none";\n') + append_signature(file); file.write('\t\t};\n') file.write('\n') cnt = cnt + 1 @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) index, entry, p_paddr, data = segments[0] fit_file.write(DT_UBOOT % p_paddr) + append_signature(fit_file) + fit_file.write(DT_UBOOT_NODE_END) def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): segments = unpack_elf(bl31_file_name)
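Review bot: the three `append_signature(file);` calls in the @@ -60, @@ -75 and @@ -88 hunks carry trailing semicolons the rest of the script does not use; drop them. More importantly, signature nodes are added to the bl31, tee, fdt and uboot image nodes only, so the SPL will verify each image individually but nothing binds a configuration's set of images and its DTB together; if that is the intended model it should be stated in the commit message, otherwise the configuration nodes need signature nodes (with `sign-images`) as well.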