Hi Alex,
On Fri, 14 May 2021 at 14:38, Alex G. mr.nuke.me@gmail.com wrote:
On 5/6/21 9:24 AM, Simon Glass wrote:
Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop FIT_IMAGE_ENABLE_VERIFY which is not actually used.
Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete and needs to be integrated with RSA.
Signed-off-by: Simon Glass sjg@chromium.org
(no changes since v1)
common/image-fit.c | 6 +++--- common/image-sig.c | 10 +++++----- include/image.h | 13 ++----------- include/u-boot/ecdsa.h | 2 +- include/u-boot/rsa.h | 4 ++-- tools/Kconfig | 10 ++++++++++ tools/image-host.c | 4 ++-- 7 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c index c13ff6bba24..e81a0858dc1 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset, int ret;
/* Verify all required signatures */
if (FIT_IMAGE_ENABLE_VERIFY &&
if (CONFIG_IS_ENABLED(RSA_VERIFY) &&NAK. Having verification depend directly on CONFIG_RSA_VERIFY will make adding ECDSA support that much more convoluted.
Let me counter-NAK.
The ECDSA needs to be integrated into the RSA stuff, as we have done with hashing. E.g. CONFIG_VERIFY that enables the feature, with a driver to select which methods are supported.
I think I mentioned that in the original review.
Regards, Simon