@@ -1219,20 +1219,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
#if defined(USE_HOSTCC)
# if defined(CONFIG_FIT_SIGNATURE)
# define IMAGE_ENABLE_SIGN 1
-# define IMAGE_ENABLE_VERIFY 1
+# define IMAGE_ENABLE_VERIFY_RSA 1
# define IMAGE_ENABLE_VERIFY_ECDSA 1
# define FIT_IMAGE_ENABLE_VERIFY 1
# include <openssl/evp.h>
# else
# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY 0
+# define IMAGE_ENABLE_VERIFY_RSA 0
# define IMAGE_ENABLE_VERIFY_ECDSA 0
# define FIT_IMAGE_ENABLE_VERIFY 0
# endif
#else
# define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA 0
+# define IMAGE_ENABLE_VERIFY_RSA CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA CONFIG_IS_ENABLED(ECDSA_VERIFY)
# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
#endif
@@ -1288,7 +1288,7 @@ struct image_region {
int size;
};
-#if IMAGE_ENABLE_VERIFY
+#if FIT_IMAGE_ENABLE_VERIFY
# include <u-boot/hash-checksum.h>
#endif
struct checksum_algo {
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
}
#endif
-#if IMAGE_ENABLE_VERIFY
+#if IMAGE_ENABLE_VERIFY_RSA
/**
* rsa_verify_hash() - Verify a signature against a hash
*
@@ -295,6 +295,7 @@ config AES
supported by the algorithm but only a 128-bit key is supported at
present.
+source lib/ecdsa/Kconfig
source lib/rsa/Kconfig
source lib/crypto/Kconfig
@@ -59,6 +59,7 @@ endif
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/
obj-$(CONFIG_$(SPL_)RSA) += rsa/
obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
obj-$(CONFIG_SHA1) += sha1.o
new file mode 100644
@@ -0,0 +1,23 @@
+config ECDSA
+ bool "Enable ECDSA support"
+ depends on DM
+ help
+ This enables the ECDSA (elliptic curve signature) algorithm for FIT
+ image verification in U-Boot. The ECDSA algorithm is implemented
+ using the driver model, so CONFIG_DM is required by this library.
+ See doc/uImage.FIT/signature.txt for more details.
+ ECDSA is enabled for mkimage regardless of this option.
+
+if ECDSA
+
+config ECDSA_VERIFY
+ bool "Enable ECDSA verification support in U-Boot."
+ help
+ Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+ bool "Enable ECDSA verification support in SPL"
+ help
+ Allow ECDSA signatures to be recognized and verified in SPL.
+
+endif
new file mode 100644
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
new file mode 100644
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me@gmail.com>
+ */
+
+#include <u-boot/ecdsa.h>
+
+int ecdsa_verify(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len)
+{
+ return -EOPNOTSUPP;
+}
Prepare the source tree for accepting implementations of the ECDSA algorithm. This patch deals with the boring aspects of Makefiles and Kconfig files. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> --- include/image.h | 10 +++++----- include/u-boot/rsa.h | 2 +- lib/Kconfig | 1 + lib/Makefile | 1 + lib/ecdsa/Kconfig | 23 +++++++++++++++++++++++ lib/ecdsa/Makefile | 1 + lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++ 7 files changed, 45 insertions(+), 6 deletions(-) create mode 100644 lib/ecdsa/Kconfig create mode 100644 lib/ecdsa/Makefile create mode 100644 lib/ecdsa/ecdsa-verify.c