summaryrefslogtreecommitdiff
path: root/common/image-sig.c
AgeCommit message (Collapse)Author
2016-11-21image: Combine image_sig_algo with image_sign_infoAndrew Duda
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA pairings will still fail on verify operations when the hash length is longer than the key length. Follow the same naming scheme "checksum,crytpo" without explicitly defining the string. Indirectly adds support for "sha1,rsa4096" signing/verification. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21image: Add crypto_algo struct for RSA infoAndrew Duda
Cut down on the repetition of algorithm information by defining separate checksum and crypto structs. image_sig_algos are now simply pairs of unique checksum and crypto algos. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21rsa: Verify RSA padding programaticallyAndrew Duda
Padding verification was done against static SHA/RSA pair arrays which take up a lot of static memory, are mostly 0xff, and cannot be reused for additional SHA/RSA pairings. The padding can be easily computed according to PKCS#1v2.1 as: EM = 0x00 || 0x01 || PS || 0x00 || T where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding of the hash. Store DER prefix in checksum_algo and create rsa_verify_padding function to handle verification of a message for any SHA/RSA pairing. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-10-13libfdt: Sync fdt_for_each_subnode() with upstreamSimon Glass
The signature for this macro has changed. Bring in the upstream version and adjust U-Boot's usages to suit. Signed-off-by: Simon Glass <sjg@chromium.org> Update to drivers/power/pmic/palmas.c: Signed-off-by: Keerthy <j-keerthy@ti.com> Change-Id: I6cc9021339bfe686f9df21d61a1095ca2b3776e8
2015-02-16image: Convert to use fdt_for_each_subnode macroAxel Lin
Use fdt_for_each_subnode macro to simplify the code a bit. Signed-off-by: Axel Lin <axel.lin@ingics.com> Acked-by: Simon Glass <sjg@chromium.org>
2015-01-29rsa: Use checksum algorithms from struct hash_algoRuchika Gupta
Currently the hash functions used in RSA are called directly from the sha1 and sha256 libraries. Change the RSA checksum library to use the progressive hash API's registered with struct hash_algo. This will allow the checksum library to use the hardware accelerated progressive hash API's once available. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org> (Fixed build error in am335x_boneblack_vboot due to duplicate CONFIG_DM) Change-Id: Ic44279432f88d4e8594c6e94feb1cfcae2443a54
2014-06-19includes: move openssl headers to include/u-bootJeroen Hofstee
commit 18b06652cd "tools: include u-boot version of sha256.h" unconditionally forced the sha256.h from u-boot to be used for tools instead of the host version. This is fragile though as it will also include the host version. Therefore move it to include/u-boot to join u-boot/md5.h etc which were renamed for the same reason. cc: Simon Glass <sjg@chromium.org> Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
2014-06-19Reverse the meaning of the fit_config_verify() return codeSimon Glass
It is more common to have 0 mean OK, and -ve mean error. Change this function to work the same way to avoid confusion. Signed-off-by: Simon Glass <sjg@chromium.org>
2014-03-21tools, fit_check_sign: verify a signed fit imageHeiko Schocher
add host tool "fit_check_sign" which verifies, if a fit image is signed correct. Signed-off-by: Heiko Schocher <hs@denx.de> Cc: Simon Glass <sjg@chromium.org>
2014-03-21rsa: add sha256,rsa4096 algorithmHeiko Schocher
Add support for sha256,rsa4096 signatures in u-boot. Signed-off-by: Heiko Schocher <hs@denx.de> Acked-by: Simon Glass <sjg@chromium.org> Cc: andreas@oetken.name
2014-03-21rsa: add sha256-rsa2048 algorithmHeiko Schocher
based on patch from andreas@oetken.name: http://patchwork.ozlabs.org/patch/294318/ commit message: I currently need support for rsa-sha256 signatures in u-boot and found out that the code for signatures is not very generic. Thus adding of different hash-algorithms for rsa-signatures is not easy to do without copy-pasting the rsa-code. I attached a patch for how I think it could be better and included support for rsa-sha256. This is a fast first shot. aditionally work: - removed checkpatch warnings - removed compiler warnings - rebased against current head Signed-off-by: Heiko Schocher <hs@denx.de> Cc: andreas@oetken.name Cc: Simon Glass <sjg@chromium.org>
2013-07-24Add GPL-2.0+ SPDX-License-Identifier to source filesWolfgang Denk
Signed-off-by: Wolfgang Denk <wd@denx.de> [trini: Fixup common/cmd_io.c] Signed-off-by: Tom Rini <trini@ti.com>
2013-06-26image: Add support for signing of FIT configurationsSimon Glass
While signing images is useful, it does not provide complete protection against several types of attack. For example, it it possible to create a FIT with the same signed images, but with the configuration changed such that a different one is selected (mix and match attack). It is also possible to substitute a signed image from an older FIT version into a newer FIT (roll-back attack). Add support for signing of FIT configurations using the libfdt's region support. Please see doc/uImage.FIT/signature.txt for more information. Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26image: Add RSA support for image signingSimon Glass
RSA provides a public key encryption facility which is ideal for image signing and verification. Images are signed using a private key by mkimage. Then at run-time, the images are verified using a private key. This implementation uses openssl for the host part (mkimage). To avoid bringing large libraries into the U-Boot binary, the RSA public key is encoded using a simple numeric representation in the device tree. Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26image: Support signing of imagesSimon Glass
Add support for signing images using a new signature node. The process is handled by fdt_add_verification_data() which now takes parameters to provide the keys and related information. Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26image: Add signing infrastructureSimon Glass
Add a structure to describe an algorithm which can sign and (later) verify images. Signed-off-by: Simon Glass <sjg@chromium.org>