u-boot.git/lib/rsa, branch v2020.04 Unnamed repository; edit this file 'description' to name the repository. image: Use constants for 'required' and 'key-name-hint' 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:06+00:00 72188f546291cfadea99e9383c133d6aaa37d87d These are used in multiple places so update them to use a shared #define. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com> 
These are used in multiple places so update them to use a shared #define.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
dm: core: Create a new header file for 'compat' features 2020-02-06T02:33:46+00:00 Simon Glass sjg@chromium.org 2020-02-03T14:36:16+00:00 336d4615f8fa774557d14f9b3245daa9e5fe3dbc At present dm/device.h includes the linux-compatible features. This requires including linux/compat.h which in turn includes a lot of headers. One of these is malloc.h which we thus end up including in every file in U-Boot. Apart from the inefficiency of this, it is problematic for sandbox which needs to use the system malloc() in some files. Move the compatibility features into a separate header file. Signed-off-by: Simon Glass <sjg@chromium.org> 
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.

Move the compatibility features into a separate header file.

Signed-off-by: Simon Glass <sjg@chromium.org>
rsa: Return immediately if required-key verification fails 2019-10-15T14:40:03+00:00 Daniele Alessandrelli daniele.alessandrelli@gmail.com 2019-09-18T14:04:54+00:00 0772a1f4973031d6a30482cf7610f691b6bc1e6d Currently, if image verification with a required key fails, rsa_verify() code tries to find another key to verify the FIT image. This however, is not the intended behavior as the documentation says that required keys "must be verified for the image / configuration to be considered valid". This patch fixes the issue by making rsa_verify() return immediately if the verification of a required key fails. Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> 
Currently, if image verification with a required key fails, rsa_verify()
code tries to find another key to verify the FIT image. This however, is
not the intended behavior as the documentation says that required keys
"must be verified for the image / configuration to be considered valid".

This patch fixes the issue by making rsa_verify() return immediately if
the verification of a required key fails.

Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com>
lib: rsa: add support to other openssl engine types than pkcs11 2019-07-18T15:31:23+00:00 Vesa Jääskeläinen vesa.jaaskelainen@vaisala.com 2019-06-16T17:53:38+00:00 5b123e010954d8f6ef24dd0cb1a8cbe1d7d53851 There are multiple other openssl engines used by HSMs that can be used to sign FIT images instead of forcing users to use pkcs11 type of service. Relax engine selection so that other openssl engines can be specified and use generic key id definition formula. Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Cc: Tom Rini <trini@konsulko.com> 
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.

Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
rsa: check that pointer checksum isn't NULL before using it 2019-03-25T15:44:12+00:00 Philippe Reynes philippe.reynes@softathome.com 2019-03-19T09:55:40+00:00 b02f2e79c6272d97bf0bd191e6ec8e748a39ad58 The pointer checksum were used before checking that it isn't NULL. We move the code that use it after the check. Reported-by: Coverity (CID: 185835) Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The pointer checksum were used before checking that it
isn't NULL. We move the code that use it after the check.

Reported-by: Coverity (CID: 185835)
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: add support of padding pss 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:51:01+00:00 061daa0b61f0fbeb214c566f3adb23da05545320 We add the support of the padding pss for rsa signature. This new padding is often recommended instead of pkcs-1.5. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: add a structure for the padding 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:51:00+00:00 20031567e12bb312bff95b70767f6275e20f0346 The rsa signature use a padding algorithm. By default, we use the padding pkcs-1.5. In order to add some new padding algorithm, we add a padding framework to manage several padding algorithm. The choice of the padding is done in the file .its. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: use new openssl API to create signature 2018-12-03T15:44:10+00:00 Philippe Reynes philippe.reynes@softathome.com 2018-11-14T12:50:59+00:00 3b5d6979fcb80ffae3b140be6edc04cbde1a0b72 Previous implementation of the rsa signature was using the openssl API EVP_Sign*, but the new openssl API EVP_DigestSign* is more flexible. So we move to this new API. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa: Fix LibreSSL before v2.7.0 2018-08-13T18:03:57+00:00 Caliph Nomble nomble@palism.com 2018-07-26T02:13:03+00:00 7ac1a432a1373c887f6bf7b38ec238c641728479 Fix LibreSSL compilation for versions before v2.7.0. Signed-off-by: Caliph Nomble <nomble@palism.com> Reviewed-by: Jonathan Gray <jsg@jsg.id.au> 
Fix LibreSSL compilation for versions before v2.7.0.

Signed-off-by: Caliph Nomble <nomble@palism.com>
Reviewed-by: Jonathan Gray <jsg@jsg.id.au>
xilinx: zynq: Add support to secure images 2018-07-19T08:49:54+00:00 Siva Durga Prasad Paladugu siva.durga.paladugu@xilinx.com 2018-06-26T09:32:19+00:00 37e3a36a54755d15e36b52ee47caaf1cdfdc37aa This patch basically adds two new commands for loadig secure images. 1. zynq rsa adds support to load secure image which can be both authenticated or encrypted or both authenticated and encrypted image in xilinx bootimage(BOOT.bin) format. 2. zynq aes command adds support to decrypt and load encrypted image back to DDR as per destination address. The image has to be encrypted using xilinx bootgen tool and to get only the encrypted image from tool use -split option while invoking bootgen. Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com> 
This patch basically adds two new commands for loadig secure
images.
1. zynq rsa adds support to load secure image which can be both
   authenticated or encrypted or both authenticated and encrypted
   image in xilinx bootimage(BOOT.bin) format.
2. zynq aes command adds support to decrypt and load encrypted
   image back to DDR as per destination address. The image has
   to be encrypted using xilinx bootgen tool and to get only the
   encrypted image from tool use -split option while invoking
   bootgen.

Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>