Diffstat (limited to 'include')
-rw-r--r--include/aes.h49
-rw-r--r--include/configs/gr_cpci_ax2000.h2
-rw-r--r--include/configs/gr_ep2s60.h2
-rw-r--r--include/configs/gr_xc3s_1500.h2
-rw-r--r--include/configs/grsim.h2
-rw-r--r--include/configs/grsim_leon2.h2
-rw-r--r--include/environment.h15
-rw-r--r--include/fdt_support.h5
-rw-r--r--include/hash.h48
-rw-r--r--include/image.h38
-rw-r--r--include/rsa-checksum.h24
-rw-r--r--include/rsa.h24
12 files changed, 190 insertions, 23 deletions
diff --git a/include/aes.h b/include/aes.h
index ea06308..ee0e6c2 100644
--- a/include/aes.h
+++ b/include/aes.h
@@ -8,6 +8,13 @@
#ifndef _AES_REF_H_
#define _AES_REF_H_
+#ifdef USE_HOSTCC
+/* Define compat stuff for use in fw_* tools. */
+typedef unsigned char u8;
+typedef unsigned int u32;
+#define debug(...) do {} while (0)
+#endif
+
/*
* AES encryption library, with small code size, supporting only 128-bit AES
*
@@ -25,30 +32,52 @@ enum {
};
/**
+ * aes_expand_key() - Expand the AES key
+ *
* Expand a key into a key schedule, which is then used for the other
* operations.
*
- * \param key Key, of length AES_KEY_LENGTH bytes
- * \param expkey Buffer to place expanded key, AES_EXPAND_KEY_LENGTH
+ * @key Key, of length AES_KEY_LENGTH bytes
+ * @expkey Buffer to place expanded key, AES_EXPAND_KEY_LENGTH
*/
void aes_expand_key(u8 *key, u8 *expkey);
/**
- * Encrypt a single block of data
+ * aes_encrypt() - Encrypt single block of data with AES 128
*
- * in Input data
- * expkey Expanded key to use for encryption (from aes_expand_key())
- * out Output data
+ * @in Input data
+ * @expkey Expanded key to use for encryption (from aes_expand_key())
+ * @out Output data
*/
void aes_encrypt(u8 *in, u8 *expkey, u8 *out);
/**
- * Decrypt a single block of data
+ * aes_decrypt() - Decrypt single block of data with AES 128
*
- * in Input data
- * expkey Expanded key to use for decryption (from aes_expand_key())
- * out Output data
+ * @in Input data
+ * @expkey Expanded key to use for decryption (from aes_expand_key())
+ * @out Output data
*/
void aes_decrypt(u8 *in, u8 *expkey, u8 *out);
+/**
+ * aes_cbc_encrypt_blocks() - Encrypt multiple blocks of data with AES CBC.
+ *
+ * @key_exp Expanded key to use
+ * @src Source data to encrypt
+ * @dst Destination buffer
+ * @num_aes_blocks Number of AES blocks to encrypt
+ */
+void aes_cbc_encrypt_blocks(u8 *key_exp, u8 *src, u8 *dst, u32 num_aes_blocks);
+
+/**
+ * Decrypt multiple blocks of data with AES CBC.
+ *
+ * @key_exp Expanded key to use
+ * @src Source data to decrypt
+ * @dst Destination buffer
+ * @num_aes_blocks Number of AES blocks to decrypt
+ */
+void aes_cbc_decrypt_blocks(u8 *key_exp, u8 *src, u8 *dst, u32 num_aes_blocks);
+
#endif /* _AES_REF_H_ */
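Review bot: The two new CBC prototypes take no IV argument and their comments do not say which IV is used, so a caller cannot tell from this header whether identical plaintext under the same key produces identical ciphertext. The implementation is outside this diff, so the header should state the IV source and that CBC gives no integrity protection, e.g. `* The IV is <describe IV source>; the output is not authenticated.` in both comments. Neither function takes a byte length, so `@src` and `@dst` should state that both buffers must hold `num_aes_blocks` whole AES blocks. The second comment is also missing its `aes_cbc_decrypt_blocks() -` title line, unlike the other comments in this hunk.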
diff --git a/include/configs/gr_cpci_ax2000.h b/include/configs/gr_cpci_ax2000.h
index 2437b4b..854807d 100644
--- a/include/configs/gr_cpci_ax2000.h
+++ b/include/configs/gr_cpci_ax2000.h
@@ -19,8 +19,6 @@
* (easy to change)
*/
-#define CONFIG_LEON3 /* This is an LEON3 CPU */
-#define CONFIG_LEON 1 /* This is an LEON CPU */
#define CONFIG_CPCI_AX2000 1 /* ... on GR-CPCI-AX2000 board */
#define CONFIG_LEON_RAM_SRAM 1
diff --git a/include/configs/gr_ep2s60.h b/include/configs/gr_ep2s60.h
index 2cd6eae..ed2dd2a 100644
--- a/include/configs/gr_ep2s60.h
+++ b/include/configs/gr_ep2s60.h
@@ -20,8 +20,6 @@
* (easy to change)
*/
-#define CONFIG_LEON3 /* This is an LEON3 CPU */
-#define CONFIG_LEON 1 /* This is an LEON CPU */
/* Altera NIOS Development board, Stratix II board */
#define CONFIG_GR_EP2S60 1
diff --git a/include/configs/gr_xc3s_1500.h b/include/configs/gr_xc3s_1500.h
index 39036cd..e3cbb6f 100644
--- a/include/configs/gr_xc3s_1500.h
+++ b/include/configs/gr_xc3s_1500.h
@@ -18,8 +18,6 @@
* (easy to change)
*/
-#define CONFIG_LEON3 /* This is an LEON3 CPU */
-#define CONFIG_LEON 1 /* This is an LEON CPU */
#define CONFIG_GRXC3S1500 1 /* ... on GR-XC3S-1500 board */
/* CPU / AMBA BUS configuration */
diff --git a/include/configs/grsim.h b/include/configs/grsim.h
index 2d977ce..556c749 100644
--- a/include/configs/grsim.h
+++ b/include/configs/grsim.h
@@ -24,8 +24,6 @@
*
*/
-#define CONFIG_LEON3 /* This is an LEON3 CPU */
-#define CONFIG_LEON 1 /* This is an LEON CPU */
#define CONFIG_GRSIM 0 /* ... not running on GRSIM */
#define CONFIG_TSIM 1 /* ... running on TSIM */
diff --git a/include/configs/grsim_leon2.h b/include/configs/grsim_leon2.h
index 36ebaf7..8be9898 100644
--- a/include/configs/grsim_leon2.h
+++ b/include/configs/grsim_leon2.h
@@ -23,8 +23,6 @@
*
*/
-#define CONFIG_LEON2 /* This is an LEON2 CPU */
-#define CONFIG_LEON 1 /* This is an LEON CPU */
#define CONFIG_GRSIM 0 /* ... not running on GRSIM */
#define CONFIG_TSIM 1 /* ... running on TSIM */
diff --git a/include/environment.h b/include/environment.h
index 46a3554..08679ae 100644
--- a/include/environment.h
+++ b/include/environment.h
@@ -146,7 +146,12 @@ extern unsigned long nand_env_oob_offset;
extern char *env_name_spec;
#endif
+#ifdef CONFIG_ENV_AES
+/* Make sure the payload is multiple of AES block size */
+#define ENV_SIZE ((CONFIG_ENV_SIZE - ENV_HEADER_SIZE) & ~(16 - 1))
+#else
#define ENV_SIZE (CONFIG_ENV_SIZE - ENV_HEADER_SIZE)
+#endif
typedef struct environment_s {
uint32_t crc; /* CRC32 over data bytes */
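Review bot: With `CONFIG_ENV_AES` the only integrity field visible in `env_t` is still `crc`, commented as a CRC32 over the data bytes, and a CRC is not a keyed check. Encrypting the payload therefore adds confidentiality but does not by itself detect deliberate modification of the stored environment. Whether the CRC covers plaintext or ciphertext is not visible in this header. I would record that next to the new define, e.g. `/* CONFIG_ENV_AES: confidentiality only; crc is not an authenticity check */`, and replace the bare `16` with a named block-size constant. The struct definition continues past this hunk.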
@@ -154,7 +159,12 @@ typedef struct environment_s {
unsigned char flags; /* active/obsolete flags */
#endif
unsigned char data[ENV_SIZE]; /* Environment data */
-} env_t;
+} env_t
+#ifdef CONFIG_ENV_AES
+/* Make sure the env is aligned to block size. */
+__attribute__((aligned(16)))
+#endif
+;
#ifdef ENV_IS_EMBEDDED
extern env_t environment;
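Review bot: The new comment says the env is aligned to the block size, but `__attribute__((aligned(16)))` aligns the start of `env_t`, while `data[]` follows `crc` (and `flags` when present), so the encrypted payload itself starts a few bytes in. If the AES code only needs byte access this is harmless, but the comment should say what is aligned, e.g. `/* Align the whole env_t to 16 bytes; data[] itself is not block-aligned. */`. The attribute also pads `sizeof(env_t)` up to a multiple of 16, which can exceed `CONFIG_ENV_SIZE` when that value is not itself a multiple of 16. Code outside this diff that copies `CONFIG_ENV_SIZE` bytes through an `env_t` is worth checking.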
@@ -201,6 +211,9 @@ int set_default_vars(int nvars, char * const vars[]);
/* Import from binary representation into hash table */
int env_import(const char *buf, int check);
+/* Export from hash table into binary representation */
+int env_export(env_t *env_out);
+
#endif /* DO_DEPS_ONLY */
#endif /* _ENVIRONMENT_H_ */
diff --git a/include/fdt_support.h b/include/fdt_support.h
index 9871e2f..76c9b2e 100644
--- a/include/fdt_support.h
+++ b/include/fdt_support.h
@@ -115,4 +115,9 @@ static inline int fdt_status_disabled_by_alias(void *fdt, const char* alias)
}
#endif /* ifdef CONFIG_OF_LIBFDT */
+
+#ifdef USE_HOSTCC
+int fdtdec_get_int(const void *blob, int node, const char *prop_name,
+ int default_val);
+#endif
#endif /* ifndef __FDT_SUPPORT_H */
diff --git a/include/hash.h b/include/hash.h
index e92d272..dc21678 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -27,6 +27,42 @@ struct hash_algo {
void (*hash_func_ws)(const unsigned char *input, unsigned int ilen,
unsigned char *output, unsigned int chunk_sz);
int chunk_size; /* Watchdog chunk size */
+ /*
+ * hash_init: Create the context for progressive hashing
+ *
+ * @algo: Pointer to the hash_algo struct
+ * @ctxp: Pointer to the pointer of the context for hashing
+ * @return 0 if ok, -1 on error
+ */
+ int (*hash_init)(struct hash_algo *algo, void **ctxp);
+ /*
+ * hash_update: Perform hashing on the given buffer
+ *
+ * The context is freed by this function if an error occurs.
+ *
+ * @algo: Pointer to the hash_algo struct
+ * @ctx: Pointer to the context for hashing
+ * @buf: Pointer to the buffer being hashed
+ * @size: Size of the buffer being hashed
+ * @is_last: 1 if this is the last update; 0 otherwise
+ * @return 0 if ok, -1 on error
+ */
+ int (*hash_update)(struct hash_algo *algo, void *ctx, const void *buf,
+ unsigned int size, int is_last);
+ /*
+ * hash_finish: Write the hash result to the given buffer
+ *
+ * The context is freed by this function.
+ *
+ * @algo: Pointer to the hash_algo struct
+ * @ctx: Pointer to the context for hashing
+ * @dest_buf: Pointer to the buffer for the result
+ * @size: Size of the buffer for the result
+ * @return 0 if ok, -ENOSPC if size of the result buffer is too small
+ * or -1 on other errors
+ */
+ int (*hash_finish)(struct hash_algo *algo, void *ctx, void *dest_buf,
+ int size);
};
/*
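Review bot: The ownership rules in these comments can leave the caller with a dangling pointer: `hash_update` frees the context on error and `hash_finish` always frees it, yet both take `void *ctx` by value, so nothing stops a caller from passing the freed context to `hash_finish` after a failed update. The `hash_update` comment should say that `ctx` must not be used again after a non-zero return, e.g. `* On error the context is freed; the caller must not call hash_finish().`. `hash_finish` takes `int size` while `hash_update` takes `unsigned int size`; an unsigned type for both would rule out negative buffer sizes. Existing `struct hash_algo` initializers are outside this diff, and any that do not set the three new members will hold NULL there, so callers need a NULL check or every table entry needs updating.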
@@ -77,4 +113,16 @@ int hash_command(const char *algo_name, int flags, cmd_tbl_t *cmdtp, int flag,
int hash_block(const char *algo_name, const void *data, unsigned int len,
uint8_t *output, int *output_size);
+/**
+ * hash_lookup_algo() - Look up the hash_algo struct for an algorithm
+ *
+ * The function returns the pointer to the struct or -EPROTONOSUPPORT if the
+ * algorithm is not available.
+ *
+ * @algo_name: Hash algorithm to look up
+ * @algop: Pointer to the hash_algo struct if found
+ *
+ * @return 0 if ok, -EPROTONOSUPPORT for an unknown algorithm.
+ */
+int hash_lookup_algo(const char *algo_name, struct hash_algo **algop);
#endif
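Review bot: The description contradicts the prototype: it says the function "returns the pointer to the struct or -EPROTONOSUPPORT", but the function returns `int` and delivers the struct through `@algop`, as the `@return` line states. Suggested wording for the two description lines: `* On success a pointer to the struct is stored in @algop and 0 is returned;` and `* -EPROTONOSUPPORT is returned if the algorithm is not available.`. It would also help to state whether `*algop` is left untouched on failure, so callers know whether they must initialise it.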
diff --git a/include/image.h b/include/image.h
index 6afd57b..2508d7d 100644
--- a/include/image.h
+++ b/include/image.h
@@ -57,13 +57,18 @@ struct lmb;
# ifdef CONFIG_SPL_SHA1_SUPPORT
# define IMAGE_ENABLE_SHA1 1
# endif
+# ifdef CONFIG_SPL_SHA256_SUPPORT
+# define IMAGE_ENABLE_SHA256 1
+# endif
# else
# define CONFIG_CRC32 /* FIT images need CRC32 support */
# define CONFIG_MD5 /* and MD5 */
# define CONFIG_SHA1 /* and SHA1 */
+# define CONFIG_SHA256 /* and SHA256 */
# define IMAGE_ENABLE_CRC32 1
# define IMAGE_ENABLE_MD5 1
# define IMAGE_ENABLE_SHA1 1
+# define IMAGE_ENABLE_SHA256 1
# endif
#ifndef IMAGE_ENABLE_CRC32
@@ -78,6 +83,10 @@ struct lmb;
#define IMAGE_ENABLE_SHA1 0
#endif
+#ifndef IMAGE_ENABLE_SHA256
+#define IMAGE_ENABLE_SHA256 0
+#endif
+
#endif /* CONFIG_FIT */
#ifdef CONFIG_SYS_BOOT_RAMDISK_HIGH
@@ -823,7 +832,8 @@ int calculate_hash(const void *data, int data_len, const char *algo,
#if defined(CONFIG_FIT_SIGNATURE)
# ifdef USE_HOSTCC
# define IMAGE_ENABLE_SIGN 1
-# define IMAGE_ENABLE_VERIFY 0
+# define IMAGE_ENABLE_VERIFY 1
+# include <openssl/evp.h>
#else
# define IMAGE_ENABLE_SIGN 0
# define IMAGE_ENABLE_VERIFY 1
@@ -834,7 +844,9 @@ int calculate_hash(const void *data, int data_len, const char *algo,
#endif
#ifdef USE_HOSTCC
-# define gd_fdt_blob() NULL
+void *image_get_host_blob(void);
+void image_set_host_blob(void *host_blob);
+# define gd_fdt_blob() image_get_host_blob()
#else
# define gd_fdt_blob() (gd->fdt_blob)
#endif
@@ -863,6 +875,21 @@ struct image_region {
int size;
};
+#if IMAGE_ENABLE_VERIFY
+# include <rsa-checksum.h>
+#endif
+struct checksum_algo {
+ const char *name;
+ const int checksum_len;
+ const int pad_len;
+#if IMAGE_ENABLE_SIGN
+ const EVP_MD *(*calculate_sign)(void);
+#endif
+ void (*calculate)(const struct image_region region[],
+ int region_count, uint8_t *checksum);
+ const uint8_t *rsa_padding;
+};
+
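Review bot: `calculate()` writes into `checksum` without a length argument, and none of the new `struct checksum_algo` members is documented. The requirements that the output buffer holds at least `checksum_len` bytes and that `rsa_padding` points to `pad_len` bytes therefore exist only by convention. Add per-member comments in the style `struct image_sig_algo` uses just below, e.g. `const int checksum_len; /* digest size in bytes; size of calculate() output */`. Because `calculate_sign` is compiled in only under `IMAGE_ENABLE_SIGN`, the member order differs between host and target builds, so tables of this struct (not in this diff) should use designated initializers.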
struct image_sig_algo {
const char *name; /* Name of algorithm */
@@ -913,6 +940,9 @@ struct image_sig_algo {
int (*verify)(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len);
+
+ /* pointer to checksum algorithm */
+ struct checksum_algo *checksum;
};
/**
@@ -978,7 +1008,11 @@ struct image_region *fit_region_make_list(const void *fit,
static inline int fit_image_check_target_arch(const void *fdt, int node)
{
+#ifndef USE_HOSTCC
return fit_image_check_arch(fdt, node, IH_ARCH_DEFAULT);
+#else
+ return 0;
+#endif
}
#ifdef CONFIG_FIT_VERBOSE
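Review bot: On host builds `fit_image_check_target_arch()` now returns a constant 0, with no comment saying what 0 means to callers. If `fit_image_check_arch()` follows a "non-zero means match" convention, which this header does not show, the host stub reports every image as a mismatch and host-side verification would have to avoid this call. Document the intent inside the stub, e.g. `/* host tools have no target arch; callers must not rely on this check */`.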
diff --git a/include/rsa-checksum.h b/include/rsa-checksum.h
new file mode 100644
index 0000000..612db85
--- /dev/null
+++ b/include/rsa-checksum.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2013, Andreas Oetken.
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+*/
+
+#ifndef _RSA_CHECKSUM_H
+#define _RSA_CHECKSUM_H
+
+#include <errno.h>
+#include <image.h>
+#include <sha1.h>
+#include <sha256.h>
+
+extern const uint8_t padding_sha256_rsa4096[];
+extern const uint8_t padding_sha256_rsa2048[];
+extern const uint8_t padding_sha1_rsa2048[];
+
+void sha256_calculate(const struct image_region region[], int region_count,
+ uint8_t *checksum);
+void sha1_calculate(const struct image_region region[], int region_count,
+ uint8_t *checksum);
+
+#endif
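Review bot: `sha256_calculate()` and `sha1_calculate()` write the digest to `checksum` with no size parameter and no comment, so the required buffer size (presumably the SHA-256 and SHA-1 digest lengths) should be stated above each prototype. The three padding tables are declared as incomplete arrays, so users cannot apply `sizeof` to them and their lengths have to match `pad_len` in `struct checksum_algo` by hand. Declaring them with explicit bounds would let the compiler check the definitions. This header and `image.h` also include each other, which works only through the include guards and the placement of `# include <rsa-checksum.h>` after `struct image_region`; a short comment noting that ordering dependency would help.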
diff --git a/include/rsa.h b/include/rsa.h
index add4c78..a5680ab 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -15,6 +15,20 @@
#include <errno.h>
#include <image.h>
+/**
+ * struct rsa_public_key - holder for a public key
+ *
+ * An RSA public key consists of a modulus (typically called N), the inverse
+ * and R^2, where R is 2^(# key bits).
+ */
+
+struct rsa_public_key {
+ uint len; /* len of modulus[] in number of uint32_t */
+ uint32_t n0inv; /* -1 / modulus[0] mod 2^32 */
+ uint32_t *modulus; /* modulus as little endian array */
+ uint32_t *rr; /* R^2 as little endian array */
+};
+
#if IMAGE_ENABLE_SIGN
/**
* sign() - calculate and return signature for given input data
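Review bot: `struct rsa_public_key` carries `len` next to two raw pointers, and nothing in the comment says who validates `len` before `modulus[]` and `rr[]` are indexed. The later hunk in this file adds `RSA_MIN_KEY_BITS` and `RSA_MAX_KEY_BITS`, so the struct comment could tie them together, e.g. `* @len: must satisfy RSA_MIN_KEY_BITS <= len * 32 <= RSA_MAX_KEY_BITS before use`. The code that fills the struct is not in this diff, so that bound should be confirmed there. "The inverse" in the description is also vague beside the member comment `-1 / modulus[0] mod 2^32`, and the blank line between the doc comment and the struct detaches the comment from it.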
@@ -89,4 +103,14 @@ static inline int rsa_verify(struct image_sign_info *info,
}
#endif
+#define RSA2048_BYTES (2048 / 8)
+#define RSA4096_BYTES (4096 / 8)
+
+/* This is the minimum/maximum key size we support, in bits */
+#define RSA_MIN_KEY_BITS 2048
+#define RSA_MAX_KEY_BITS 4096
+
+/* This is the maximum signature length that we support, in bits */
+#define RSA_MAX_SIG_BITS 4096
+
#endif