u-boot.git/lib/rsa, branch v2018.09 Unnamed repository; edit this file 'description' to name the repository. rsa: Fix LibreSSL before v2.7.0 2018-08-13T18:03:57+00:00 Caliph Nomble nomble@palism.com 2018-07-26T02:13:03+00:00 7ac1a432a1373c887f6bf7b38ec238c641728479 Fix LibreSSL compilation for versions before v2.7.0. Signed-off-by: Caliph Nomble <nomble@palism.com> Reviewed-by: Jonathan Gray <jsg@jsg.id.au> 
Fix LibreSSL compilation for versions before v2.7.0.

Signed-off-by: Caliph Nomble <nomble@palism.com>
Reviewed-by: Jonathan Gray <jsg@jsg.id.au>
xilinx: zynq: Add support to secure images 2018-07-19T08:49:54+00:00 Siva Durga Prasad Paladugu siva.durga.paladugu@xilinx.com 2018-06-26T09:32:19+00:00 37e3a36a54755d15e36b52ee47caaf1cdfdc37aa This patch basically adds two new commands for loadig secure images. 1. zynq rsa adds support to load secure image which can be both authenticated or encrypted or both authenticated and encrypted image in xilinx bootimage(BOOT.bin) format. 2. zynq aes command adds support to decrypt and load encrypted image back to DDR as per destination address. The image has to be encrypted using xilinx bootgen tool and to get only the encrypted image from tool use -split option while invoking bootgen. Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com> 
This patch basically adds two new commands for loadig secure
images.
1. zynq rsa adds support to load secure image which can be both
   authenticated or encrypted or both authenticated and encrypted
   image in xilinx bootimage(BOOT.bin) format.
2. zynq aes command adds support to decrypt and load encrypted
   image back to DDR as per destination address. The image has
   to be encrypted using xilinx bootgen tool and to get only the
   encrypted image from tool use -split option while invoking
   bootgen.

Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
rsa: Fix missing memory leak on error in fdt_add_bignum() 2018-06-19T11:31:44+00:00 Simon Glass sjg@chromium.org 2018-06-12T06:05:00+00:00 8a682e03d7d18b3d20810ea83fcec69f8d09c909 Thsi function can fail without freeing all its memory. Fix it. Reported-by: Coverity (CID: 131217) Signed-off-by: Simon Glass <sjg@chromium.org> 
Thsi function can fail without freeing all its memory. Fix it.

Reported-by: Coverity (CID: 131217)
Signed-off-by: Simon Glass <sjg@chromium.org>
SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07T13:34:12+00:00 Tom Rini trini@konsulko.com 2018-05-06T21:58:06+00:00 83d290c56fab2d38cd1ab4c4cc7099559c1d5046 When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <trini@konsulko.com> 
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
lib/rsa: Kconfig: Remove superfluous 'depends on RSA' 2018-04-28T14:42:35+00:00 Eugeniu Rosca roscaeugeniu@gmail.com 2018-04-21T12:00:10+00:00 39883af3f0a8e3e481752026fa7f3cfa2f506e4e RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside: if RSA ... endif So, remove the redundant "depends on RSA" from their depends expression. In addition, move SPL_RSA into the same "if RSA ... endif" block, since its only direct dependeny is CONFIG_RSA. This tidies up and simplifies reading of lib/rsa/Kconfig. No functional change intended. Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside:

if RSA
	...
endif

So, remove the redundant "depends on RSA" from their depends expression.
In addition, move SPL_RSA into the same "if RSA ... endif" block, since
its only direct dependeny is CONFIG_RSA. This tidies up and simplifies
reading of lib/rsa/Kconfig.

No functional change intended.

Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: Fix build with OpenSSL 1.1.x 2017-05-12T12:37:19+00:00 Jelle van der Waa jelle@vdwaa.nl 2017-05-08T19:31:19+00:00 c3b4328166b03d6749b86eb0fbb21a10e4395cfd The rsa_st struct has been made opaque in 1.1.x, add forward compatible code to access the n, e, d members of rsa_struct. EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be called to reinitialise an already created structure. 
The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be
called to reinitialise an already created structure.
Kconfig: Don't use RSA_FREESCALE_EXP on IMX 2017-03-20T22:04:42+00:00 George McCollister george.mccollister@gmail.com 2017-03-16T21:17:06+00:00 f4e9ff71356aceab5bd212e528c123353c531a48 The CAAM in IMX parts doesn't support public key hardware acceleration (PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX (assuming you have the clocks enabled first) you will get back an "Invalid KEY Command" error since PKHA isn't a valid key destination for these parts. Signed-off-by: George McCollister <george.mccollister@gmail.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
The CAAM in IMX parts doesn't support public key hardware acceleration
(PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX
(assuming you have the clocks enabled first) you will get back an
"Invalid KEY Command" error since PKHA isn't a valid key destination for
these parts.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
mkimage: Add support for signing with pkcs11 2017-01-14T21:47:13+00:00 George McCollister george.mccollister@gmail.com 2017-01-06T19:14:17+00:00 f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com> 
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
image: Combine image_sig_algo with image_sign_info 2016-11-21T19:07:31+00:00 Andrew Duda aduda@meraki.com 2016-11-08T18:53:41+00:00 83dd98e012b55b494ac2bf1f9a5d66f684bfbbe8 Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA pairings will still fail on verify operations when the hash length is longer than the key length. Follow the same naming scheme "checksum,crytpo" without explicitly defining the string. Indirectly adds support for "sha1,rsa4096" signing/verification. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.

Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.

Indirectly adds support for "sha1,rsa4096" signing/verification.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
image: Add crypto_algo struct for RSA info 2016-11-21T19:07:31+00:00 Andrew Duda aduda@meraki.com 2016-11-08T18:53:41+00:00 0c1d74fda7c0063eeca4d8d9fa8674e6ec2ef685 Cut down on the repetition of algorithm information by defining separate checksum and crypto structs. image_sig_algos are now simply pairs of unique checksum and crypto algos. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>