u-boot.git/tools, branch v2013.07-rc3 Unnamed repository; edit this file 'description' to name the repository. Merge branch 'master' of git://git.denx.de/u-boot-arm 2013-07-12T14:36:48+00:00 Tom Rini trini@ti.com 2013-07-12T14:36:48+00:00 fbbbc86e8ebac4f42f4ca39ceba80cea27c983bc Fix a trivial conflict in arch/arm/dts/exynos5250.dtsi about gpio and serial. Conflicts: arch/arm/dts/exynos5250.dtsi Signed-off-by: Tom Rini <trini@ti.com> 
Fix a trivial conflict in arch/arm/dts/exynos5250.dtsi about gpio and
serial.

Conflicts:
	arch/arm/dts/exynos5250.dtsi

Signed-off-by: Tom Rini <trini@ti.com>
tools/proftool: remove REG_NOERROR 2013-07-03T13:35:37+00:00 Andreas Bießmann andreas.devel@googlemail.com 2013-07-02T06:37:36+00:00 d4125ebc8dae28e8ade858ba519bca7fbeb6ccae Remove non portable usage of REG_NOERROR. BSD (like OS X) variants of regex.h do not declare REG_NOERROR, even GNU regex(3) does not mention REG_NOERROR, just remove it. Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com> Acked-by: Jeroen Hofstee <jeroen@myspectrum.nl> 
Remove non portable usage of REG_NOERROR.
BSD (like OS X) variants of regex.h do not declare REG_NOERROR, even GNU
regex(3) does not mention REG_NOERROR, just remove it.

Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com>
Acked-by: Jeroen Hofstee <jeroen@myspectrum.nl>
mkimage: Build signing only if board has CONFIG_FIT_SIGNATURE 2013-06-28T20:26:52+00:00 Simon Glass sjg@chromium.org 2013-06-27T17:43:18+00:00 29ce737d6f4a8e19cbc8c54451e72e059e4d56e7 At present mkimage is set up to always build with image signing support. This means that the SSL libraries (e.g. libssl-dev) are always required. Adjust things so that mkimage can be built with and without image signing, controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file. If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning that signing is not supported. If the option is enabled, but libraries are not available, then a build error similar to this will be shown: lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory Signed-off-by: Simon Glass <sjg@chromium.org> 
At present mkimage is set up to always build with image signing support.
This means that the SSL libraries (e.g. libssl-dev) are always required.

Adjust things so that mkimage can be built with and without image signing,
controlled by the presence of CONFIG_FIT_SIGNATURE in the board config file.

If CONFIG_FIT_SIGNATURE is not enabled, then mkimage will report a warning
that signing is not supported. If the option is enabled, but libraries are
not available, then a build error similar to this will be shown:

lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No such file or directory

Signed-off-by: Simon Glass <sjg@chromium.org>
image: Add support for signing of FIT configurations 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:09+00:00 4d0985295bbb50a952f4312c0a818cd89b8ee7aa While signing images is useful, it does not provide complete protection against several types of attack. For example, it it possible to create a FIT with the same signed images, but with the configuration changed such that a different one is selected (mix and match attack). It is also possible to substitute a signed image from an older FIT version into a newer FIT (roll-back attack). Add support for signing of FIT configurations using the libfdt's region support. Please see doc/uImage.FIT/signature.txt for more information. Signed-off-by: Simon Glass <sjg@chromium.org> 
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).

Add support for signing of FIT configurations using the libfdt's region
support.

Please see doc/uImage.FIT/signature.txt for more information.

Signed-off-by: Simon Glass <sjg@chromium.org>
mkimage: Add -r option to specify keys that must be verified 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:07+00:00 399c744b22459585dc2dda2cb7353b3026e28e18 Normally, multiple public keys can be provided and U-Boot is not required to use all of them for verification. This is because some images may not be signed, or may be optionally signed. But we still need a mechanism to determine when a key must be used. This feature cannot be implemented in the FIT itself, since anyone could change it to mark a key as optional. The requirement for key verification must go in with the public keys, in a place that is protected from modification. Add a -r option which tells mkimage to mark all keys that it uses for signing as 'required'. If some keys are optional and some are required, run mkimage several times (perhaps with different key directories if some keys are very secret) using the -F flag to update an existing FIT. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de> 
Normally, multiple public keys can be provided and U-Boot is not
required to use all of them for verification. This is because some
images may not be signed, or may be optionally signed.

But we still need a mechanism to determine when a key must be used.
This feature cannot be implemented in the FIT itself, since anyone
could change it to mark a key as optional. The requirement for
key verification must go in with the public keys, in a place that
is protected from modification.

Add a -r option which tells mkimage to mark all keys that it uses
for signing as 'required'.

If some keys are optional and some are required, run mkimage several
times (perhaps with different key directories if some keys are very
secret) using the -F flag to update an existing FIT.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
mkimage: Add -c option to specify a comment for key signing 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:06+00:00 4f6104270146c76fcaf46e951f84cdc1612a04b7 When signing an image, it is useful to add some details about which tool or person is authorising the signing. Add a comment field which can take care of miscellaneous requirements. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de> 
When signing an image, it is useful to add some details about which tool
or person is authorising the signing. Add a comment field which can take
care of miscellaneous requirements.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
mkimage: Add -F option to modify an existing .fit file 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:05+00:00 95d77b4479f9d07aea114fd4253cd665bb48ea10 When signing images it is sometimes necessary to sign with different keys at different times, or make the signer entirely separate from the FIT creation to avoid needing the private keys to be publicly available in the system. Add a -F option so that key signing can be a separate step, and possibly done multiple times as different keys are avaiable. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de> 
When signing images it is sometimes necessary to sign with different keys
at different times, or make the signer entirely separate from the FIT
creation to avoid needing the private keys to be publicly available in
the system.

Add a -F option so that key signing can be a separate step, and possibly
done multiple times as different keys are avaiable.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
mkimage: Add -K to write public keys to an FDT blob 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:04+00:00 e29495d37f7c0533d365004ca475218250351c93 FIT image verification requires public keys. Add a convenient option to mkimage to write the public keys to an FDT blob when it uses then for signing an image. This allows us to use: mkimage -f test.its -K dest.dtb -k keys test.fit and have the signatures written to test.fit and the corresponding public keys written to dest.dtb. Then dest.dtb can be used as the control FDT for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the public keys it needs. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de> 
FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses then for
signing an image. This allows us to use:

   mkimage -f test.its -K dest.dtb -k keys test.fit

and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
mkimage: Add -k option to specify key directory 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:03+00:00 80e4df8ac661ada5308f3bffebe4e6fae1f8e990 Keys required for signing images will be in a specific directory. Add a -k option to specify that directory. Also update the mkimage man page with this information and a clearer list of available commands. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de> (v1) 
Keys required for signing images will be in a specific directory. Add a
-k option to specify that directory.

Also update the mkimage man page with this information and a clearer list
of available commands.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)
image: Add RSA support for image signing 2013-06-26T14:18:56+00:00 Simon Glass sjg@chromium.org 2013-06-13T22:10:02+00:00 19c402afa2e1190f596f35a84ac049b10d814f1f RSA provides a public key encryption facility which is ideal for image signing and verification. Images are signed using a private key by mkimage. Then at run-time, the images are verified using a private key. This implementation uses openssl for the host part (mkimage). To avoid bringing large libraries into the U-Boot binary, the RSA public key is encoded using a simple numeric representation in the device tree. Signed-off-by: Simon Glass <sjg@chromium.org> 
RSA provides a public key encryption facility which is ideal for image
signing and verification.

Images are signed using a private key by mkimage. Then at run-time, the
images are verified using a private key.

This implementation uses openssl for the host part (mkimage). To avoid
bringing large libraries into the U-Boot binary, the RSA public key
is encoded using a simple numeric representation in the device tree.

Signed-off-by: Simon Glass <sjg@chromium.org>