summaryrefslogtreecommitdiff
path: root/include/image.h
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2020-01-17 13:23:32 -0500
committerTom Rini <trini@konsulko.com>2020-01-17 13:23:32 -0500
commit2d2f91a480f6849a8548414003d36fa030d434f1 (patch)
tree08667edb96f6a8efde767b10fabceafb746e3af7 /include/image.h
parentd7bb6aceb2e99a832efbb96f9bf480bf95602192 (diff)
parent4df3578119b043d76b86b50077b06898fc2a4f62 (diff)
Merge branch '2020-01-17-improve-aes-support'
- Add support and tests for AES192 and AES256
Diffstat (limited to 'include/image.h')
-rw-r--r--include/image.h75
1 files changed, 75 insertions, 0 deletions
diff --git a/include/image.h b/include/image.h
index 4a280b78e7..86ebaae4fe 100644
--- a/include/image.h
+++ b/include/image.h
@@ -930,6 +930,10 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size,
#define FIT_IGNORE_PROP "uboot-ignore"
#define FIT_SIG_NODENAME "signature"
+/* cipher node */
+#define FIT_CIPHER_NODENAME "cipher"
+#define FIT_ALGO_PROP "algo"
+
/* image node */
#define FIT_DATA_PROP "data"
#define FIT_DATA_POSITION_PROP "data-position"
@@ -1019,6 +1023,8 @@ int fit_image_get_data_offset(const void *fit, int noffset, int *data_offset);
int fit_image_get_data_position(const void *fit, int noffset,
int *data_position);
int fit_image_get_data_size(const void *fit, int noffset, int *data_size);
+int fit_image_get_data_size_unciphered(const void *fit, int noffset,
+ size_t *data_size);
int fit_image_get_data_and_size(const void *fit, int noffset,
const void **data, size_t *size);
@@ -1028,6 +1034,10 @@ int fit_image_hash_get_value(const void *fit, int noffset, uint8_t **value,
int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
+int fit_cipher_data(const char *keydir, void *keydest, void *fit,
+ const char *comment, int require_keys,
+ const char *engine_id, const char *cmdname);
+
/**
* fit_add_verification_data() - add verification data to FIT image nodes
*
@@ -1058,6 +1068,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
int fit_image_verify(const void *fit, int noffset);
int fit_config_verify(const void *fit, int conf_noffset);
int fit_all_image_verify(const void *fit);
+int fit_config_decrypt(const void *fit, int conf_noffset);
int fit_image_check_os(const void *fit, int noffset, uint8_t os);
int fit_image_check_arch(const void *fit, int noffset, uint8_t arch);
int fit_image_check_type(const void *fit, int noffset, uint8_t type);
@@ -1138,6 +1149,7 @@ struct image_sign_info {
const char *require_keys; /* Value for 'required' property */
const char *engine_id; /* Engine to use for signing */
};
+
#endif /* Allow struct image_region to always be defined for rsa.h */
/* A part of an image, used for hashing */
@@ -1284,6 +1296,11 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
int fit_image_check_sig(const void *fit, int noffset, const void *data,
size_t size, int required_keynode, char **err_msgp);
+int fit_image_decrypt_data(const void *fit,
+ int image_noffset, int cipher_noffset,
+ const void *data, size_t size,
+ void **data_unciphered, size_t *size_unciphered);
+
/**
* fit_region_make_list() - Make a list of regions to hash
*
@@ -1310,6 +1327,64 @@ static inline int fit_image_check_target_arch(const void *fdt, int node)
#endif
}
+/*
+ * At present we only support ciphering on the host, and unciphering on the
+ * device
+ */
+#if defined(USE_HOSTCC)
+# if defined(CONFIG_FIT_CIPHER)
+# define IMAGE_ENABLE_ENCRYPT 1
+# define IMAGE_ENABLE_DECRYPT 1
+# include <openssl/evp.h>
+# else
+# define IMAGE_ENABLE_ENCRYPT 0
+# define IMAGE_ENABLE_DECRYPT 0
+# endif
+#else
+# define IMAGE_ENABLE_ENCRYPT 0
+# define IMAGE_ENABLE_DECRYPT CONFIG_IS_ENABLED(FIT_CIPHER)
+#endif
+
+/* Information passed to the ciphering routines */
+struct image_cipher_info {
+ const char *keydir; /* Directory containing keys */
+ const char *keyname; /* Name of key to use */
+ const char *ivname; /* Name of IV to use */
+ const void *fit; /* Pointer to FIT blob */
+ int node_noffset; /* Offset of the cipher node */
+ const char *name; /* Algorithm name */
+ struct cipher_algo *cipher; /* Cipher algorithm information */
+ const void *fdt_blob; /* FDT containing key and IV */
+ const void *key; /* Value of the key */
+ const void *iv; /* Value of the IV */
+ size_t size_unciphered; /* Size of the unciphered data */
+};
+
+struct cipher_algo {
+ const char *name; /* Name of algorithm */
+ int key_len; /* Length of the key */
+ int iv_len; /* Length of the IV */
+
+#if IMAGE_ENABLE_ENCRYPT
+ const EVP_CIPHER * (*calculate_type)(void);
+#endif
+
+ int (*encrypt)(struct image_cipher_info *info,
+ const unsigned char *data, int data_len,
+ unsigned char **cipher, int *cipher_len);
+
+ int (*add_cipher_data)(struct image_cipher_info *info,
+ void *keydest);
+
+ int (*decrypt)(struct image_cipher_info *info,
+ const void *cipher, size_t cipher_len,
+ void **data, size_t *data_len);
+};
+
+int fit_image_cipher_get_algo(const void *fit, int noffset, char **algo);
+
+struct cipher_algo *image_get_cipher_algo(const char *full_name);
+
#ifdef CONFIG_FIT_VERBOSE
#define fit_unsupported(msg) printf("! %s:%d " \
"FIT images not supported for '%s'\n", \