u-boot.git/lib/rsa, branch v2020.01 Unnamed repository; edit this file 'description' to name the repository. rsa: Return immediately if required-key verification fails 2019-10-15T14:40:03+00:00 Daniele Alessandrelli daniele.alessandrelli@gmail.com 2019-09-18T14:04:54+00:00 0772a1f4973031d6a30482cf7610f691b6bc1e6d Currently, if image verification with a required key fails, rsa_verify() code tries to find another key to verify the FIT image. This however, is not the intended behavior as the documentation says that required keys "must be verified for the image / configuration to be considered valid". This patch fixes the issue by making rsa_verify() return immediately if the verification of a required key fails. Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> 
Currently, if image verification with a required key fails, rsa_verify()
code tries to find another key to verify the FIT image. This however, is
not the intended behavior as the documentation says that required keys
"must be verified for the image / configuration to be considered valid".

This patch fixes the issue by making rsa_verify() return immediately if
the verification of a required key fails.

Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com>
lib: rsa: add support to other openssl engine types than pkcs11 2019-07-18T15:31:23+00:00 Vesa Jääskeläinen vesa.jaaskelainen@vaisala.com 2019-06-16T17:53:38+00:00 5b123e010954d8f6ef24dd0cb1a8cbe1d7d53851 There are multiple other openssl engines used by HSMs that can be used to sign FIT images instead of forcing users to use pkcs11 type of service. Relax engine selection so that other openssl engines can be specified and use generic key id definition formula. Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Cc: Tom Rini <trini@konsulko.com> 
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.

Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
rsa: check that pointer checksum isn't NULL before using it 2019-03-25T15:44:12+00:00 Philippe Reynes philippe.reynes@softathome.com 2019-03-19T09:55:40+00:00 b02f2e79c6272d97bf0bd191e6ec8e748a39ad58 The pointer checksum were used before checking that it isn't NULL. We move the code that use it after the check. Reported-by: Coverity (CID: 185835) Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The pointer checksum were used before checking that it
isn't NULL. We move the code that use it after the check.

Reported-by: Coverity (CID: 185835)
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: add support of padding pss 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:51:01+00:00 061daa0b61f0fbeb214c566f3adb23da05545320 We add the support of the padding pss for rsa signature. This new padding is often recommended instead of pkcs-1.5. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: add a structure for the padding 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:51:00+00:00 20031567e12bb312bff95b70767f6275e20f0346 The rsa signature use a padding algorithm. By default, we use the padding pkcs-1.5. In order to add some new padding algorithm, we add a padding framework to manage several padding algorithm. The choice of the padding is done in the file .its. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: use new openssl API to create signature 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:50:59+00:00 3b5d6979fcb80ffae3b140be6edc04cbde1a0b72 Previous implementation of the rsa signature was using the openssl API EVP_Sign*, but the new openssl API EVP_DigestSign* is more flexible. So we move to this new API. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: Fix LibreSSL before v2.7.0 2018-08-13T18:03:57+00:00 Caliph Nomble nomble@palism.com 2018-07-26T02:13:03+00:00 7ac1a432a1373c887f6bf7b38ec238c641728479 Fix LibreSSL compilation for versions before v2.7.0. Signed-off-by: Caliph Nomble <nomble@palism.com> Reviewed-by: Jonathan Gray <jsg@jsg.id.au> 
Fix LibreSSL compilation for versions before v2.7.0.

Signed-off-by: Caliph Nomble <nomble@palism.com>
Reviewed-by: Jonathan Gray <jsg@jsg.id.au>
xilinx: zynq: Add support to secure images 2018-07-19T08:49:54+00:00 Siva Durga Prasad Paladugu siva.durga.paladugu@xilinx.com 2018-06-26T09:32:19+00:00 37e3a36a54755d15e36b52ee47caaf1cdfdc37aa This patch basically adds two new commands for loadig secure images. 1. zynq rsa adds support to load secure image which can be both authenticated or encrypted or both authenticated and encrypted image in xilinx bootimage(BOOT.bin) format. 2. zynq aes command adds support to decrypt and load encrypted image back to DDR as per destination address. The image has to be encrypted using xilinx bootgen tool and to get only the encrypted image from tool use -split option while invoking bootgen. Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com> 
This patch basically adds two new commands for loadig secure
images.
1. zynq rsa adds support to load secure image which can be both
   authenticated or encrypted or both authenticated and encrypted
   image in xilinx bootimage(BOOT.bin) format.
2. zynq aes command adds support to decrypt and load encrypted
   image back to DDR as per destination address. The image has
   to be encrypted using xilinx bootgen tool and to get only the
   encrypted image from tool use -split option while invoking
   bootgen.

Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
rsa: Fix missing memory leak on error in fdt_add_bignum() 2018-06-19T11:31:44+00:00 Simon Glass sjg@chromium.org 2018-06-12T06:05:00+00:00 8a682e03d7d18b3d20810ea83fcec69f8d09c909 Thsi function can fail without freeing all its memory. Fix it. Reported-by: Coverity (CID: 131217) Signed-off-by: Simon Glass <sjg@chromium.org> 
Thsi function can fail without freeing all its memory. Fix it.

Reported-by: Coverity (CID: 131217)
Signed-off-by: Simon Glass <sjg@chromium.org>
SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07T13:34:12+00:00 Tom Rini trini@konsulko.com 2018-05-06T21:58:06+00:00 83d290c56fab2d38cd1ab4c4cc7099559c1d5046 When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <trini@konsulko.com> 
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>