This serie adds a stage pre-load before launching an image. This stage is used to read a header before the image and this header contains the signature of the full image. So u-boot may check the full image before using any data of the image.
The support of this header is added to binman, and a command verify checks the signature of a blob and set the u-boot env variable "loadaddr_verified" to the beginning of the "real" image.
The support of this header is only added to binman, but it may also be added to mkimage.
Changelog: v4: - add a config SANDBOX_BIN - enhance help for asn1 and oid - change the format of the pre-load header - add the support of pre-load header in binman - add py test for pre-load header - add a command verify v3: - move image-pre-load.c to /boot - update mkimage to add public key in u-boot device tree - add script gen_pre_load_header.sh v2: - move the code to image-pre-load - add support of stage pre-load for spl - add support of stage pre-load on spl_ram
Philippe Reynes (18): arch: sandbox: add an config SANDBOX_BINMAN arch: sandbox: dts: sandbox.dts: add empty binman node configs: sandbox_defconfig: enable SANDBOX_BINMAN lib: Kconfig: enhance help for ASN1 lib: Kconfig: enhance the help of OID_REGISTRY lib: allow to build asn1 decoder and oid registry in SPL lib: crypto: allow to build crypyo in SPL lib: rsa: allow rsa verify with pkey in SPL boot: image: add a stage pre-load cmd: bootm: add a stage pre-load common: spl: fit_ram: allow to use image pre load mkimage: add public key for image pre-load stage Makefile: provide sah-key to binman tools: binman: add support for pre-load header configs: sandbox_defconfig: enable stage pre-load in bootm test: py: vboot: add test for global image signature cmd: verify: initial import configs: sandbox_defconfig: enable config CMD_VERIFY
Makefile | 1 + arch/sandbox/Kconfig | 7 + arch/sandbox/dts/sandbox.dts | 3 + boot/Kconfig | 55 +++ boot/Makefile | 1 + boot/bootm.c | 33 ++ boot/image-pre-load.c | 408 ++++++++++++++++++ cmd/Kconfig | 17 + cmd/Makefile | 1 + cmd/bootm.c | 2 +- cmd/verify.c | 53 +++ common/spl/spl_ram.c | 21 +- configs/sandbox_defconfig | 6 + include/image.h | 30 ++ lib/Kconfig | 37 +- lib/Makefile | 10 +- lib/crypto/Kconfig | 29 ++ lib/crypto/Makefile | 19 +- lib/rsa/Kconfig | 19 + test/py/tests/test_vboot.py | 119 ++++- test/py/tests/vboot/sandbox-binman-pss.dts | 25 ++ test/py/tests/vboot/sandbox-binman.dts | 24 ++ .../tests/vboot/sandbox-u-boot-global-pss.dts | 25 ++ test/py/tests/vboot/sandbox-u-boot-global.dts | 24 ++ test/py/tests/vboot/simple-images.its | 36 ++ tools/binman/etype/pre_load.py | 156 +++++++ tools/fit_image.c | 3 + tools/image-host.c | 114 +++++ 28 files changed, 1253 insertions(+), 25 deletions(-) create mode 100644 boot/image-pre-load.c create mode 100644 cmd/verify.c create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts create mode 100644 test/py/tests/vboot/sandbox-binman.dts create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts create mode 100644 test/py/tests/vboot/simple-images.its create mode 100644 tools/binman/etype/pre_load.py