1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
| | From: Vagrant Cascadian <vagrant@debian.org>
Date: Fri, 22 Oct 2021 17:34:53 -0700
Subject: [PATCH] Revert "tools: kwbimage: Do not hide usage of secure header
under CONFIG_ARMADA_38X"
This reverts commit b4f3cc2c42d97967a3a3c8796c340f6b07ecccac.
Addendum 2022-12-08, Ricardo Wurmus: This patch has been updated to introduce
CONFIG_FIT_PRELOAD to remove fit_pre_load_data, which depends on openssl.
Addendum 2023-10-17, Herman Rimm: Update patch for u-boot v2023.10.
diff --git a/tools/kwbimage.c b/tools/kwbimage.c
index 4dce495ff0..976174ae77 100644
--- a/tools/kwbimage.c
+++ b/tools/kwbimage.c
@@ -19,6 +19,7 @@
#include <stdint.h>
#include "kwbimage.h"
+#ifdef CONFIG_KWB_SECURE
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
@@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
EVP_MD_CTX_reset(ctx);
}
#endif
+#endif
/* fls - find last (most-significant) bit set in 4-bit integer */
static inline int fls4(int num)
@@ -62,7 +64,9 @@ static inline int fls4(int num)
static struct image_cfg_element *image_cfg;
static int cfgn;
+#ifdef CONFIG_KWB_SECURE
static int verbose_mode;
+#endif
struct boot_mode {
unsigned int id;
@@ -281,6 +285,8 @@ image_count_options(unsigned int optiontype)
return count;
}
+#if defined(CONFIG_KWB_SECURE)
+
static int image_get_csk_index(void)
{
struct image_cfg_element *e;
@@ -291,6 +297,7 @@ static int image_get_csk_index(void)
return e->csk_idx;
}
+#endif
static bool image_get_spezialized_img(void)
{
@@ -435,6 +442,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
}
}
+#if defined(CONFIG_KWB_SECURE)
static void kwb_msg(const char *fmt, ...)
{
if (verbose_mode) {
@@ -929,6 +937,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
done:
return ret;
}
+#endif
static int image_fill_xip_header(void *image, struct image_tool_params *params)
{
@@ -1149,13 +1158,13 @@ static size_t image_headersz_v1(int *hasext)
int ret;
headersz = sizeof(struct main_hdr_v1);
-
+#if defined(CONFIG_KWB_SECURE)
if (image_get_csk_index() >= 0) {
headersz += sizeof(struct secure_hdr_v1);
if (hasext)
*hasext = 1;
}
-
+#endif
cpu_sheeva = image_is_cpu_sheeva();
count = 0;
@@ -1351,6 +1360,7 @@ err_close:
return -1;
}
+#if defined(CONFIG_KWB_SECURE)
static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
{
FILE *hashf;
@@ -1458,6 +1468,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *image
return 0;
}
+#endif
static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
struct register_set_hdr_v1 *register_set_hdr,
@@ -1481,7 +1492,9 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,
struct image_cfg_element *e;
struct main_hdr_v1 *main_hdr;
struct register_set_hdr_v1 *register_set_hdr;
+#if defined(CONFIG_KWB_SECURE)
struct secure_hdr_v1 *secure_hdr = NULL;
+#endif
size_t headersz;
uint8_t *image, *cur;
int hasext = 0;
@@ -1562,7 +1575,7 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,
}
*dataoff = le32_to_cpu(main_hdr->srcaddr);
}
-
+#if defined(CONFIG_KWB_SECURE)
if (image_get_csk_index() >= 0) {
/*
* only reserve the space here; we fill the header later since
@@ -1573,7 +1586,7 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,
*next_ext = 1;
next_ext = &secure_hdr->next;
}
-
+#endif
datai = 0;
for (cfgi = 0; cfgi < cfgn; cfgi++) {
e = &image_cfg[cfgi];
@@ -1624,9 +1637,11 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,
&datai, delay);
}
+#if defined(CONFIG_KWB_SECURE)
if (secure_hdr && add_secure_header_v1(params, ptr + *dataoff, payloadsz,
image, headersz, secure_hdr))
return NULL;
+#endif
/* Calculate and set the header checksum */
main_hdr->checksum = image_checksum8(main_hdr, headersz);
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -14,8 +14,10 @@
#include <image.h>
#include <version.h>
+#ifdef CONFIG_FIT_PRELOAD
#include <openssl/pem.h>
#include <openssl/evp.h>
+#endif
/**
* fit_set_hash_value - set hash value in requested has node
@@ -1119,6 +1121,7 @@ static int fit_config_add_verification_data(const char *keydir,
return 0;
}
+#ifdef CONFIG_FIT_PRELOAD
/*
* 0) open file (open)
* 1) read certificate (PEM_read_X509)
@@ -1227,6 +1230,7 @@ int fit_pre_load_data(const char *keydir, void *keydest, void *fit)
out:
return ret;
}
+#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -61,9 +61,10 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
ret = fit_set_timestamp(ptr, 0, time);
}
+#ifdef CONFIG_FIT_PRELOAD
if (!ret)
ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
-
+#endif
if (!ret) {
ret = fit_cipher_data(params->keydir, dest_blob, ptr,
params->comment,
--- a/include/image.h
+++ b/include/image.h
@@ -1182,6 +1182,7 @@ int fit_image_hash_get_value(const void *fit, int noffset, uint8_t **value,
int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
+#ifdef CONFIG_FIT_PRELOAD
/**
* fit_pre_load_data() - add public key to fdt blob
*
@@ -1196,6 +1197,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
* < 0, on failure
*/
int fit_pre_load_data(const char *keydir, void *keydest, void *fit);
+#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
|