u-boot.git/lib/rsa/Kconfig, branch master Unnamed repository; edit this file 'description' to name the repository. lib: rsa: generate additional parameters for public key 2020-03-12T12:20:39+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-02-21T06:12:58+00:00 e0d310b098b1e3dd2ad4e0e4efbbb81b90ae4bc7 In the current implementation of FIT_SIGNATURE, five parameters for a RSA public key are required while only two of them are essential. (See rsa-mod-exp.h and uImage.FIT/signature.txt) This is a result of considering relatively limited computer power and resources on embedded systems, while such a assumption may not be quite practical for other use cases. In this patch, added is a function, rsa_gen_key_prop(), which will generate additional parameters for other uses, in particular UEFI secure boot, on the fly. Note: the current code uses some "big number" routines from BearSSL for the calculation. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In the current implementation of FIT_SIGNATURE, five parameters for
a RSA public key are required while only two of them are essential.
(See rsa-mod-exp.h and uImage.FIT/signature.txt)
This is a result of considering relatively limited computer power
and resources on embedded systems, while such a assumption may not
be quite practical for other use cases.

In this patch, added is a function, rsa_gen_key_prop(), which will
generate additional parameters for other uses, in particular
UEFI secure boot, on the fly.

Note: the current code uses some "big number" routines from BearSSL
for the calculation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config 2020-03-12T12:20:39+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-02-21T06:12:56+00:00 dd89f5b0fde7f23afffc69f92eedc7f7c5caef36 In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY, rsa_verify() will be extended to be able to perform RSA decryption without additional RSA key properties from FIT image, i.e. rr and n0inv. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> 
In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: decouple rsa from FIT image verification 2020-03-12T12:20:38+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-02-21T06:12:55+00:00 b983cc2da0bafd73a4dfc069eb3c3a98677e2d92 Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building RSA functions from FIT verification and allow for adding a RSA-based signature verification for other file formats, in particular PE file for UEFI secure boot. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> 
Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib/rsa: Kconfig: Remove superfluous 'depends on RSA' 2018-04-28T14:42:35+00:00 Eugeniu Rosca roscaeugeniu@gmail.com 2018-04-21T12:00:10+00:00 39883af3f0a8e3e481752026fa7f3cfa2f506e4e RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside: if RSA ... endif So, remove the redundant "depends on RSA" from their depends expression. In addition, move SPL_RSA into the same "if RSA ... endif" block, since its only direct dependeny is CONFIG_RSA. This tidies up and simplifies reading of lib/rsa/Kconfig. No functional change intended. Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside:

if RSA
	...
endif

So, remove the redundant "depends on RSA" from their depends expression.
In addition, move SPL_RSA into the same "if RSA ... endif" block, since
its only direct dependeny is CONFIG_RSA. This tidies up and simplifies
reading of lib/rsa/Kconfig.

No functional change intended.

Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Kconfig: Don't use RSA_FREESCALE_EXP on IMX 2017-03-20T22:04:42+00:00 George McCollister george.mccollister@gmail.com 2017-03-16T21:17:06+00:00 f4e9ff71356aceab5bd212e528c123353c531a48 The CAAM in IMX parts doesn't support public key hardware acceleration (PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX (assuming you have the clocks enabled first) you will get back an "Invalid KEY Command" error since PKHA isn't a valid key destination for these parts. Signed-off-by: George McCollister <george.mccollister@gmail.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
The CAAM in IMX parts doesn't support public key hardware acceleration
(PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX
(assuming you have the clocks enabled first) you will get back an
"Invalid KEY Command" error since PKHA isn't a valid key destination for
these parts.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
verified-boot: Minimal support for booting U-Boot proper from SPL 2016-06-12T17:14:58+00:00 Teddy Reed teddy.reed@gmail.com 2016-06-10T02:18:44+00:00 51c14cd128f4355514397dc3c8647fb14f7d8ff4 This allows a board to configure verified boot within the SPL using a FIT or FIT with external data. It also allows the SPL to perform signature verification without needing relocation. The board configuration will need to add the following feature defines: CONFIG_SPL_CRYPTO_SUPPORT CONFIG_SPL_HASH_SUPPORT CONFIG_SPL_SHA256 In this example, SHA256 is the only selected hashing algorithm. And the following booleans: CONFIG_SPL=y CONFIG_SPL_DM=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_FIT=y CONFIG_SPL_OF_CONTROL=y CONFIG_SPL_OF_LIBFDT=y CONFIG_SPL_FIT_SIGNATURE=y Signed-off-by: Teddy Reed <teddy.reed@gmail.com> Acked-by: Simon Glass <sjg@chromium.org> Acked-by: Andreas Dannenberg <dannenberg@ti.com> Acked-by: Sumit Garg <sumit.garg@nxp.com> 
This allows a board to configure verified boot within the SPL using
a FIT or FIT with external data. It also allows the SPL to perform
signature verification without needing relocation.

The board configuration will need to add the following feature defines:
CONFIG_SPL_CRYPTO_SUPPORT
CONFIG_SPL_HASH_SUPPORT
CONFIG_SPL_SHA256

In this example, SHA256 is the only selected hashing algorithm.

And the following booleans:
CONFIG_SPL=y
CONFIG_SPL_DM=y
CONFIG_SPL_LOAD_FIT=y
CONFIG_SPL_FIT=y
CONFIG_SPL_OF_CONTROL=y
CONFIG_SPL_OF_LIBFDT=y
CONFIG_SPL_FIT_SIGNATURE=y

Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Acked-by: Simon Glass <sjg@chromium.org>
Acked-by: Andreas Dannenberg <dannenberg@ti.com>
Acked-by: Sumit Garg <sumit.garg@nxp.com>
Kconfig: Move CONFIG_FIT and related options to Kconfig 2016-03-14T23:18:07+00:00 Simon Glass sjg@chromium.org 2016-02-23T05:55:43+00:00 73223f0e1bd0e37925ae1b7f21b51733145571dc There are already two FIT options in Kconfig but the CONFIG options are still in the header files. We need to do a proper move to fix this. Move these options to Kconfig and tidy up board configuration: CONFIG_FIT CONFIG_OF_BOARD_SETUP CONFIG_OF_SYSTEM_SETUP CONFIG_FIT_SIGNATURE CONFIG_FIT_BEST_MATCH CONFIG_FIT_VERBOSE CONFIG_OF_STDOUT_VIA_ALIAS CONFIG_RSA Unfortunately the first one is a little complicated. We need to make sure this option is not enabled in SPL by this change. Also this option is enabled automatically in the host builds by defining CONFIG_FIT in the image.h file. To solve this, add a new IMAGE_USE_FIT #define which can be used in files that are built on the host but must also build for U-Boot and SPL. Note: Masahiro's moveconfig.py script is amazing. Signed-off-by: Simon Glass <sjg@chromium.org> [trini: Add microblaze change, various configs/ re-applies] Signed-off-by: Tom Rini <trini@konsulko.com> 
There are already two FIT options in Kconfig but the CONFIG options are
still in the header files. We need to do a proper move to fix this.

Move these options to Kconfig and tidy up board configuration:

   CONFIG_FIT
   CONFIG_OF_BOARD_SETUP
   CONFIG_OF_SYSTEM_SETUP
   CONFIG_FIT_SIGNATURE
   CONFIG_FIT_BEST_MATCH
   CONFIG_FIT_VERBOSE
   CONFIG_OF_STDOUT_VIA_ALIAS
   CONFIG_RSA

Unfortunately the first one is a little complicated. We need to make sure
this option is not enabled in SPL by this change. Also this option is
enabled automatically in the host builds by defining CONFIG_FIT in the
image.h file. To solve this, add a new IMAGE_USE_FIT #define which can
be used in files that are built on the host but must also build for U-Boot
and SPL.

Note: Masahiro's moveconfig.py script is amazing.

Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Add microblaze change, various configs/ re-applies]
Signed-off-by: Tom Rini <trini@konsulko.com>
lib/rsa: Add Kconfig for devices supporting RSA Modular Exponentiation 2015-01-30T00:09:59+00:00 Ruchika Gupta ruchika.gupta@freescale.com 2015-01-23T10:31:56+00:00 d9f23c7fe20fced0a84713d5084a6d2896463257 Kconfig option added for devices which support RSA Verification. 1. RSA_SOFTWARE_EXP Enables driver for supporting RSA Modular Exponentiation in Software 2. RSA_FREESCALE_EXP Enables driver for supporting RSA Modular Exponentiation using Freescale specific driver The above drivers use RSA uclass Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org> (Removed duplicate line in Kconfig comment) Change-Id: I7663c4d5350e2bfc3dfa2696f70ef777d6ccc6f6 
Kconfig option added for devices which support RSA Verification.
1. RSA_SOFTWARE_EXP
Enables driver for supporting RSA Modular Exponentiation in Software
2. RSA_FREESCALE_EXP
Enables driver for supporting RSA Modular Exponentiation using Freescale specific
driver

The above drivers use RSA uclass

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
CC: Simon Glass <sjg@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
(Removed duplicate line in Kconfig comment)

Change-Id: I7663c4d5350e2bfc3dfa2696f70ef777d6ccc6f6