summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2020-01-17 13:23:32 -0500
committerTom Rini <trini@konsulko.com>2020-01-17 13:23:32 -0500
commit2d2f91a480f6849a8548414003d36fa030d434f1 (patch)
tree08667edb96f6a8efde767b10fabceafb746e3af7 /include
parentd7bb6aceb2e99a832efbb96f9bf480bf95602192 (diff)
parent4df3578119b043d76b86b50077b06898fc2a4f62 (diff)
Merge branch '2020-01-17-improve-aes-support'
- Add support and tests for AES192 and AES256
Diffstat (limited to 'include')
-rw-r--r--include/image.h75
-rw-r--r--include/u-boot/aes.h44
-rw-r--r--include/uboot_aes.h39
3 files changed, 145 insertions, 13 deletions
diff --git a/include/image.h b/include/image.h
index 4a280b78e7..86ebaae4fe 100644
--- a/include/image.h
+++ b/include/image.h
@@ -930,6 +930,10 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size,
#define FIT_IGNORE_PROP "uboot-ignore"
#define FIT_SIG_NODENAME "signature"
+/* cipher node */
+#define FIT_CIPHER_NODENAME "cipher"
+#define FIT_ALGO_PROP "algo"
+
/* image node */
#define FIT_DATA_PROP "data"
#define FIT_DATA_POSITION_PROP "data-position"
@@ -1019,6 +1023,8 @@ int fit_image_get_data_offset(const void *fit, int noffset, int *data_offset);
int fit_image_get_data_position(const void *fit, int noffset,
int *data_position);
int fit_image_get_data_size(const void *fit, int noffset, int *data_size);
+int fit_image_get_data_size_unciphered(const void *fit, int noffset,
+ size_t *data_size);
int fit_image_get_data_and_size(const void *fit, int noffset,
const void **data, size_t *size);
@@ -1028,6 +1034,10 @@ int fit_image_hash_get_value(const void *fit, int noffset, uint8_t **value,
int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
+int fit_cipher_data(const char *keydir, void *keydest, void *fit,
+ const char *comment, int require_keys,
+ const char *engine_id, const char *cmdname);
+
/**
* fit_add_verification_data() - add verification data to FIT image nodes
*
@@ -1058,6 +1068,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
int fit_image_verify(const void *fit, int noffset);
int fit_config_verify(const void *fit, int conf_noffset);
int fit_all_image_verify(const void *fit);
+int fit_config_decrypt(const void *fit, int conf_noffset);
int fit_image_check_os(const void *fit, int noffset, uint8_t os);
int fit_image_check_arch(const void *fit, int noffset, uint8_t arch);
int fit_image_check_type(const void *fit, int noffset, uint8_t type);
@@ -1138,6 +1149,7 @@ struct image_sign_info {
const char *require_keys; /* Value for 'required' property */
const char *engine_id; /* Engine to use for signing */
};
+
#endif /* Allow struct image_region to always be defined for rsa.h */
/* A part of an image, used for hashing */
@@ -1284,6 +1296,11 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
int fit_image_check_sig(const void *fit, int noffset, const void *data,
size_t size, int required_keynode, char **err_msgp);
+int fit_image_decrypt_data(const void *fit,
+ int image_noffset, int cipher_noffset,
+ const void *data, size_t size,
+ void **data_unciphered, size_t *size_unciphered);
+
/**
* fit_region_make_list() - Make a list of regions to hash
*
@@ -1310,6 +1327,64 @@ static inline int fit_image_check_target_arch(const void *fdt, int node)
#endif
}
+/*
+ * At present we only support ciphering on the host, and unciphering on the
+ * device
+ */
+#if defined(USE_HOSTCC)
+# if defined(CONFIG_FIT_CIPHER)
+# define IMAGE_ENABLE_ENCRYPT 1
+# define IMAGE_ENABLE_DECRYPT 1
+# include <openssl/evp.h>
+# else
+# define IMAGE_ENABLE_ENCRYPT 0
+# define IMAGE_ENABLE_DECRYPT 0
+# endif
+#else
+# define IMAGE_ENABLE_ENCRYPT 0
+# define IMAGE_ENABLE_DECRYPT CONFIG_IS_ENABLED(FIT_CIPHER)
+#endif
+
+/* Information passed to the ciphering routines */
+struct image_cipher_info {
+ const char *keydir; /* Directory containing keys */
+ const char *keyname; /* Name of key to use */
+ const char *ivname; /* Name of IV to use */
+ const void *fit; /* Pointer to FIT blob */
+ int node_noffset; /* Offset of the cipher node */
+ const char *name; /* Algorithm name */
+ struct cipher_algo *cipher; /* Cipher algorithm information */
+ const void *fdt_blob; /* FDT containing key and IV */
+ const void *key; /* Value of the key */
+ const void *iv; /* Value of the IV */
+ size_t size_unciphered; /* Size of the unciphered data */
+};
+
+struct cipher_algo {
+ const char *name; /* Name of algorithm */
+ int key_len; /* Length of the key */
+ int iv_len; /* Length of the IV */
+
+#if IMAGE_ENABLE_ENCRYPT
+ const EVP_CIPHER * (*calculate_type)(void);
+#endif
+
+ int (*encrypt)(struct image_cipher_info *info,
+ const unsigned char *data, int data_len,
+ unsigned char **cipher, int *cipher_len);
+
+ int (*add_cipher_data)(struct image_cipher_info *info,
+ void *keydest);
+
+ int (*decrypt)(struct image_cipher_info *info,
+ const void *cipher, size_t cipher_len,
+ void **data, size_t *data_len);
+};
+
+int fit_image_cipher_get_algo(const void *fit, int noffset, char **algo);
+
+struct cipher_algo *image_get_cipher_algo(const char *full_name);
+
#ifdef CONFIG_FIT_VERBOSE
#define fit_unsupported(msg) printf("! %s:%d " \
"FIT images not supported for '%s'\n", \
diff --git a/include/u-boot/aes.h b/include/u-boot/aes.h
new file mode 100644
index 0000000000..32281041de
--- /dev/null
+++ b/include/u-boot/aes.h
@@ -0,0 +1,44 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2019, Softathome
+ */
+
+#ifndef _AES_H
+#define _AES_H
+
+#include <errno.h>
+#include <image.h>
+
+#if IMAGE_ENABLE_ENCRYPT
+int image_aes_encrypt(struct image_cipher_info *info,
+ const unsigned char *data, int size,
+ unsigned char **cipher, int *cipher_len);
+int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest);
+#else
+int image_aes_encrypt(struct image_cipher_info *info,
+ const unsigned char *data, int size,
+ unsigned char **cipher, int *cipher_len)
+{
+ return -ENXIO;
+}
+
+int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
+{
+ return -ENXIO;
+}
+#endif /* IMAGE_ENABLE_ENCRYPT */
+
+#if IMAGE_ENABLE_DECRYPT
+int image_aes_decrypt(struct image_cipher_info *info,
+ const void *cipher, size_t cipher_len,
+ void **data, size_t *size);
+#else
+int image_aes_decrypt(struct image_cipher_info *info,
+ const void *cipher, size_t cipher_len,
+ void **data, size_t *size)
+{
+ return -ENXIO;
+}
+#endif /* IMAGE_ENABLE_DECRYPT */
+
+#endif
diff --git a/include/uboot_aes.h b/include/uboot_aes.h
index 2fda384e3b..d2583bed99 100644
--- a/include/uboot_aes.h
+++ b/include/uboot_aes.h
@@ -18,16 +18,24 @@ typedef unsigned int u32;
* AES encryption library, with small code size, supporting only 128-bit AES
*
* AES is a stream cipher which works a block at a time, with each block
- * in this case being AES_KEY_LENGTH bytes.
+ * in this case being AES_BLOCK_LENGTH bytes.
*/
enum {
AES_STATECOLS = 4, /* columns in the state & expanded key */
- AES_KEYCOLS = 4, /* columns in a key */
- AES_ROUNDS = 10, /* rounds in encryption */
-
- AES_KEY_LENGTH = 128 / 8,
- AES_EXPAND_KEY_LENGTH = 4 * AES_STATECOLS * (AES_ROUNDS + 1),
+ AES128_KEYCOLS = 4, /* columns in a key for aes128 */
+ AES192_KEYCOLS = 6, /* columns in a key for aes128 */
+ AES256_KEYCOLS = 8, /* columns in a key for aes128 */
+ AES128_ROUNDS = 10, /* rounds in encryption for aes128 */
+ AES192_ROUNDS = 12, /* rounds in encryption for aes192 */
+ AES256_ROUNDS = 14, /* rounds in encryption for aes256 */
+ AES128_KEY_LENGTH = 128 / 8,
+ AES192_KEY_LENGTH = 192 / 8,
+ AES256_KEY_LENGTH = 256 / 8,
+ AES128_EXPAND_KEY_LENGTH = 4 * AES_STATECOLS * (AES128_ROUNDS + 1),
+ AES192_EXPAND_KEY_LENGTH = 4 * AES_STATECOLS * (AES192_ROUNDS + 1),
+ AES256_EXPAND_KEY_LENGTH = 4 * AES_STATECOLS * (AES256_ROUNDS + 1),
+ AES_BLOCK_LENGTH = 128 / 8,
};
/**
@@ -36,33 +44,36 @@ enum {
* Expand a key into a key schedule, which is then used for the other
* operations.
*
- * @key Key, of length AES_KEY_LENGTH bytes
+ * @key Key
+ * @key_size Size of the key (in bits)
* @expkey Buffer to place expanded key, AES_EXPAND_KEY_LENGTH
*/
-void aes_expand_key(u8 *key, u8 *expkey);
+void aes_expand_key(u8 *key, u32 key_size, u8 *expkey);
/**
* aes_encrypt() - Encrypt single block of data with AES 128
*
+ * @key_size Size of the aes key (in bits)
* @in Input data
* @expkey Expanded key to use for encryption (from aes_expand_key())
* @out Output data
*/
-void aes_encrypt(u8 *in, u8 *expkey, u8 *out);
+void aes_encrypt(u32 key_size, u8 *in, u8 *expkey, u8 *out);
/**
* aes_decrypt() - Decrypt single block of data with AES 128
*
+ * @key_size Size of the aes key (in bits)
* @in Input data
* @expkey Expanded key to use for decryption (from aes_expand_key())
* @out Output data
*/
-void aes_decrypt(u8 *in, u8 *expkey, u8 *out);
+void aes_decrypt(u32 key_size, u8 *in, u8 *expkey, u8 *out);
/**
* Apply chain data to the destination using EOR
*
- * Each array is of length AES_KEY_LENGTH.
+ * Each array is of length AES_BLOCK_LENGTH.
*
* @cbc_chain_data Chain data
* @src Source data
@@ -73,25 +84,27 @@ void aes_apply_cbc_chain_data(u8 *cbc_chain_data, u8 *src, u8 *dst);
/**
* aes_cbc_encrypt_blocks() - Encrypt multiple blocks of data with AES CBC.
*
+ * @key_size Size of the aes key (in bits)
* @key_exp Expanded key to use
* @iv Initialization vector
* @src Source data to encrypt
* @dst Destination buffer
* @num_aes_blocks Number of AES blocks to encrypt
*/
-void aes_cbc_encrypt_blocks(u8 *key_exp, u8 *iv, u8 *src, u8 *dst,
+void aes_cbc_encrypt_blocks(u32 key_size, u8 *key_exp, u8 *iv, u8 *src, u8 *dst,
u32 num_aes_blocks);
/**
* Decrypt multiple blocks of data with AES CBC.
*
+ * @key_size Size of the aes key (in bits)
* @key_exp Expanded key to use
* @iv Initialization vector
* @src Source data to decrypt
* @dst Destination buffer
* @num_aes_blocks Number of AES blocks to decrypt
*/
-void aes_cbc_decrypt_blocks(u8 *key_exp, u8 *iv, u8 *src, u8 *dst,
+void aes_cbc_decrypt_blocks(u32 key_size, u8 *key_exp, u8 *iv, u8 *src, u8 *dst,
u32 num_aes_blocks);
#endif /* _AES_REF_H_ */