Currently FIT image must be signed by all required conf keys. This means
Verified Boot fails if there is a signature verification failure
using any required key in U-Boot DTB.

This patch introduces a new policy in DTB that can be set to any required
conf key. This means if verified boot passes with one of the required
keys, U-Boot will continue the OS hand off.

There were prior attempts to address this:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
https://lists.denx.de/pipermail/u-boot/2020-January/396629.htmlSigned-off-by: NThirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

Move this header out of the common header.
Signed-off-by: NSimon Glass <sjg@chromium.org>

The signature check on config node is broken on fit with padding.
To compute the signature for config node, U-Boot compute the
signature on all properties of requested node for this config,
except for the property "data". But, when padding is used for
binary in a fit, there isn't a property "data" but two properties:
"data-offset" and "data-size". So to fix the check of signature,
we also don't use the properties "data-offset" and "data-size"
when checking the signature on config node.
Reviewed-by: NSimon Glass <sjg@chromium.org>
Signed-off-by: NPhilippe Reynes <philippe.reynes@softathome.com>

fdt_region APIs are not part of libfdt. They are U-Boot extension
for the verified boot. Split the declarations related to fdt_region
out of <fdt_region.h>. This allows <linux/libfdt.h> to become a
simple wrapper file, like Linux does.
Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>

Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.
Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: NSimon Glass <sjg@chromium.org>

This patch adds manual relocation for struct checksum_algo & struct
crypto_algo structures.
Signed-off-by: NT Karthik Reddy <t.karthik.reddy@xilinx.com>
Signed-off-by: NSiva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: NMichal Simek <michal.simek@xilinx.com>

Previously we would store NULL in info->padding and jump to an illegal
instruction if an unknown value for "padding" was specified in the
device tree.
Signed-off-by: NPatrick Doyle <pdoyle@irobot.com>

We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.
Signed-off-by: NPhilippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.
Signed-off-by: NPhilippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

A specially crafted FIT image leads to memory corruption in the stack
when using the verified boot feature. The function fit_config_check_sig
has a logic error that makes it possible to write past the end of the
stack allocated array node_inc. This could potentially be used to bypass
the signature check when using verified boot.

This change ensures that the number of strings is correct when counted.
Signed-off-by: NKonrad Beckmann <konrad.beckmann@gmail.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

The hashed-strings signature property includes two uint32_t values.
The first is unneeded as there should never be a start offset into the
strings region. The second, the size, is needed because the added
signature node appends to this region.

See tools/image-host.c, where a static 0 value is used for the offset.
Signed-off-by: NTeddy Reed <teddy.reed@gmail.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
max size of a FIT header's totalsize field. The field is checked before
signature checks are applied to protect from reading past the intended
FIT regions.

This field is not part of the vboot signature so it should be sanity
checked. If the field is corrupted then the structure or string region
reads may have unintended behavior, such as reading from device memory.
A default value of 256MB is set and intended to support most max storage
sizes.
Suggested-by: NSimon Glass <sjg@chromium.org>
Signed-off-by: NTeddy Reed <teddy.reed@gmail.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: NTom Rini <trini@konsulko.com>

The DT spec demands a unit-address in a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the tree where node names were mentioned in
comments, to not give bad examples to the reader.
Signed-off-by: NAndre Przywara <andre.przywara@arm.com>

Designated initializers are more readable because we do not
have to check the order in the struct definitions.
Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.

Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.

Indirectly adds support for "sha1,rsa4096" signing/verification.
Signed-off-by: NAndrew Duda <aduda@meraki.com>
Signed-off-by: Naduda <aduda@meraki.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.
Signed-off-by: NAndrew Duda <aduda@meraki.com>
Signed-off-by: Naduda <aduda@meraki.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SHA/RSA pairings. The padding can be easily computed
according to PKCS#1v2.1 as:

  EM = 0x00 || 0x01 || PS || 0x00 || T

where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding
of the hash.

Store DER prefix in checksum_algo and create rsa_verify_padding
function to handle verification of a message for any SHA/RSA pairing.
Signed-off-by: NAndrew Duda <aduda@meraki.com>
Signed-off-by: Naduda <aduda@meraki.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>

The signature for this macro has changed. Bring in the upstream version and
adjust U-Boot's usages to suit.
Signed-off-by: NSimon Glass <sjg@chromium.org>
Update to drivers/power/pmic/palmas.c:
Signed-off-by: NKeerthy <j-keerthy@ti.com>

Change-Id: I6cc9021339bfe686f9df21d61a1095ca2b3776e8

Use fdt_for_each_subnode macro to simplify the code a bit.
Signed-off-by: NAxel Lin <axel.lin@ingics.com>
Acked-by: NSimon Glass <sjg@chromium.org>

Currently the hash functions used in RSA are called directly from the sha1
and sha256 libraries. Change the RSA checksum library to use the progressive
hash API's registered with struct hash_algo. This will allow the checksum
library to use the hardware accelerated progressive hash API's once available.
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
CC: Simon Glass <sjg@chromium.org>
Acked-by: NSimon Glass <sjg@chromium.org>
Signed-off-by: NSimon Glass <sjg@chromium.org>
(Fixed build error in am335x_boneblack_vboot due to duplicate CONFIG_DM)

Change-Id: Ic44279432f88d4e8594c6e94feb1cfcae2443a54

commit 18b06652 "tools: include u-boot version of sha256.h"
unconditionally forced the sha256.h from u-boot to be used
for tools instead of the host version. This is fragile though
as it will also include the host version. Therefore move it
to include/u-boot to join u-boot/md5.h etc which were renamed
for the same reason.

cc: Simon Glass <sjg@chromium.org>
Signed-off-by: NJeroen Hofstee <jeroen@myspectrum.nl>

It is more common to have 0 mean OK, and -ve mean error. Change this
function to work the same way to avoid confusion.
Signed-off-by: NSimon Glass <sjg@chromium.org>

add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.
Signed-off-by: NHeiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>

Add support for sha256,rsa4096 signatures in u-boot.
Signed-off-by: NHeiko Schocher <hs@denx.de>
Acked-by: NSimon Glass <sjg@chromium.org>
Cc: andreas@oetken.name

based on patch from andreas@oetken.name:

http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.

aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: NHeiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>

Signed-off-by: NWolfgang Denk <wd@denx.de>
[trini: Fixup common/cmd_io.c]
Signed-off-by: NTom Rini <trini@ti.com>

While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).

Add support for signing of FIT configurations using the libfdt's region
support.

Please see doc/uImage.FIT/signature.txt for more information.
Signed-off-by: NSimon Glass <sjg@chromium.org>

RSA provides a public key encryption facility which is ideal for image
signing and verification.

Images are signed using a private key by mkimage. Then at run-time, the
images are verified using a private key.

This implementation uses openssl for the host part (mkimage). To avoid
bringing large libraries into the U-Boot binary, the RSA public key
is encoded using a simple numeric representation in the device tree.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Add support for signing images using a new signature node. The process
is handled by fdt_add_verification_data() which now takes parameters to
provide the keys and related information.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Add a structure to describe an algorithm which can sign and (later) verify
images.
Signed-off-by: NSimon Glass <sjg@chromium.org>

This stuff has been rotting in the tree for a while now. Remove it.
Signed-off-by: NMarek Vasut <marex@denx.de>

Signed-off-by: NWolfgang Denk <wd@denx.de>
Cc: Albert ARIBAUD <albert.u.boot@aribaud.net>
Cc: Marius Gröger <mag@sysgo.de>

Signed-off-by: NWolfgang Denk <wd@denx.de>
Cc: Albert ARIBAUD <albert.u.boot@aribaud.net>
Cc: Marius Gröger <mag@sysgo.de>

This helps to clean up the include/ directory so that it only contains
non-architecture-specific headers and also matches Linux's directory
layout which many U-Boot developers are already familiar with.
Signed-off-by: NPeter Tyser <ptyser@xes-inc.com>

The appropriate include/asm-$ARCH directory should already by symlinked
to include/asm so using the whole "asm-$ARCH" path is unnecessary.

This change should also allow us to move the include/asm-$ARCH
directories into their appropriate lib/$ARCH/ directories.
Signed-off-by: NPeter Tyser <ptyser@xes-inc.com>

Signed-off-by: NJean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>

Use lowlevel_init() instead of platformsetup() [rename].
Patch by Peter Pearse, 06 Oct 2005