This serie adds a stage pre-load before launching an image. This stage is used to read a header before the image and this header contains the signature of the full image. So u-boot may check the full image before using any data of the image.
The support of this header is added to binman, and a command verify checks the signature of a blob and set the u-boot env variable "loadaddr_verified" to the beginning of the "real" image.
The support of this header is only added to binman, but it may also be added to mkimage.
Changelog: v7: - rename command verify to pre_load_verify - add usage doc for command pre_load_verify - some cleanup in support of pre-load in binman - rename variable key-path to pre-load-key-path - some cleanup in test vboot for pre-load v6: - set values in big endian in the pre-load header - binman: etypes: pre-load: read image from other entry instead of directly from a file - binman: etypes: pre-load: add test unit - lib: Makefile: no longer add -I$(obj) for SPL It was to fix build when oid is built on spl but not on u-boot. It is not longer possible. v5: - replace config SANDBOX_BINMAN by an imply v4: - add a config SANDBOX_BIN - enhance help for asn1 and oid - change the format of the pre-load header - add the support of pre-load header in binman - add py test for pre-load header - add a command verify v3: - move image-pre-load.c to /boot - update mkimage to add public key in u-boot device tree - add script gen_pre_load_header.sh v2: - move the code to image-pre-load - add support of stage pre-load for spl - add support of stage pre-load on spl_ram
Philippe Reynes (16): arch: Kconfig: imply BINMAN for SANDBOX lib: Kconfig: enhance help for ASN1 lib: Kconfig: enhance the help of OID_REGISTRY lib: allow to build asn1 decoder and oid registry in SPL lib: crypto: allow to build crypyo in SPL lib: rsa: allow rsa verify with pkey in SPL boot: image: add a stage pre-load cmd: bootm: add a stage pre-load common: spl: fit_ram: allow to use image pre load mkimage: add public key for image pre-load stage Makefile: provide sah-key to binman tools: binman: add support for pre-load header configs: sandbox_defconfig: enable stage pre-load in bootm test: py: vboot: add test for global image signature cmd: pre_load_verify: initial import configs: sandbox_defconfig: enable config CMD_PRE_LOAD_VERIFY
Makefile | 1 + arch/Kconfig | 1 + arch/sandbox/dts/sandbox.dtsi | 3 + arch/sandbox/dts/test.dts | 3 + boot/Kconfig | 55 +++ boot/Makefile | 1 + boot/bootm.c | 33 ++ boot/image-pre-load.c | 416 ++++++++++++++++++ cmd/Kconfig | 18 + cmd/Makefile | 2 + cmd/bootm.c | 2 +- cmd/pre-load-verify.c | 53 +++ common/spl/spl_ram.c | 21 +- configs/sandbox_defconfig | 4 + doc/usage/index.rst | 1 + doc/usage/pre-load-verify.rst | 44 ++ include/image.h | 30 ++ lib/Kconfig | 37 +- lib/Makefile | 7 +- lib/crypto/Kconfig | 29 ++ lib/crypto/Makefile | 19 +- lib/rsa/Kconfig | 19 + test/py/tests/test_fit.py | 3 + test/py/tests/test_vboot.py | 145 +++++- test/py/tests/vboot/sandbox-binman-pss.dts | 25 ++ test/py/tests/vboot/sandbox-binman.dts | 24 + .../tests/vboot/sandbox-u-boot-global-pss.dts | 28 ++ test/py/tests/vboot/sandbox-u-boot-global.dts | 27 ++ test/py/tests/vboot/sandbox-u-boot.dts | 3 + test/py/tests/vboot/simple-images.its | 36 ++ tools/binman/entries.rst | 38 ++ tools/binman/etype/pre_load.py | 162 +++++++ tools/binman/ftest.py | 51 +++ tools/binman/test/225_dev.key | 28 ++ tools/binman/test/225_pre_load.dts | 22 + tools/binman/test/226_pre_load_pkcs.dts | 23 + tools/binman/test/227_pre_load_pss.dts | 23 + .../test/228_pre_load_invalid_padding.dts | 23 + .../binman/test/229_pre_load_invalid_sha.dts | 23 + .../binman/test/230_pre_load_invalid_algo.dts | 23 + .../binman/test/231_pre_load_invalid_key.dts | 23 + tools/fit_image.c | 3 + tools/image-host.c | 114 +++++ 43 files changed, 1618 insertions(+), 28 deletions(-) create mode 100644 boot/image-pre-load.c create mode 100644 cmd/pre-load-verify.c create mode 100644 doc/usage/pre-load-verify.rst create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts create mode 100644 test/py/tests/vboot/sandbox-binman.dts create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts create mode 100644 test/py/tests/vboot/simple-images.its create mode 100644 tools/binman/etype/pre_load.py create mode 100644 tools/binman/test/225_dev.key create mode 100644 tools/binman/test/225_pre_load.dts create mode 100644 tools/binman/test/226_pre_load_pkcs.dts create mode 100644 tools/binman/test/227_pre_load_pss.dts create mode 100644 tools/binman/test/228_pre_load_invalid_padding.dts create mode 100644 tools/binman/test/229_pre_load_invalid_sha.dts create mode 100644 tools/binman/test/230_pre_load_invalid_algo.dts create mode 100644 tools/binman/test/231_pre_load_invalid_key.dts