boot_fit: Create helper functions that can be used to select DTB out of FIT

Some platforms may append a FIT image to the U-boot image. This function
aids in parsing the FIT image and selecting the c

boot_fit: Create helper functions that can be used to select DTB out of FIT

Some platforms may append a FIT image to the U-boot image. This function
aids in parsing the FIT image and selecting the correct DTB at runtime.

Signed-off-by: Franklin S Cooper Jr <fcooper@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>

show more ...

spl: fit: Break out some functions into a common file

Some of the functions within spl_fit will be used for non spl purposes.
Instead of duplicating functions simply break the functions to be reused

spl: fit: Break out some functions into a common file

Some of the functions within spl_fit will be used for non spl purposes.
Instead of duplicating functions simply break the functions to be reused
into its own file.

Signed-off-by: Franklin S Cooper Jr <fcooper@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[trini: Only add the new define to image.h, otherwise we see breakage
due to massive include leakage into host tools in some cases]
Signed-off-by: Tom Rini <trini@konsulko.com>

show more ...

armv8: Support loading 32-bit OS which is not in the form of FIT

As only FIT image is supported now, this patch is to support loading
32-bit uImage, dtb and rootfs separately.

Signed-off-by: Alison

armv8: Support loading 32-bit OS which is not in the form of FIT

As only FIT image is supported now, this patch is to support loading
32-bit uImage, dtb and rootfs separately.

Signed-off-by: Alison Wang <alison.wang@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>

show more ...

lib: move hash CONFIG options to Kconfig

Commit 94e3c8c4fd7b ("crypto/fsl - Add progressive hashing support
using hardware acceleration.") created entries for CONFIG_SHA1,
CONFIG_SHA256, CONFIG_SHA_

lib: move hash CONFIG options to Kconfig

Commit 94e3c8c4fd7b ("crypto/fsl - Add progressive hashing support
using hardware acceleration.") created entries for CONFIG_SHA1,
CONFIG_SHA256, CONFIG_SHA_HW_ACCEL, and CONFIG_SHA_PROG_HW_ACCEL.
However, no defconfig has migrated to it. Complete the move by first
adding additional logic to various Kconfig files to select this when
required and then use the moveconfig tool. In many cases we can select
these because they are required to implement other drivers. We also
correct how we include the various hashing algorithms in SPL.

This commit was generated as follows (after Kconfig additions):

[1] tools/moveconfig.py -y SHA1 SHA256 SHA_HW_ACCEL
[2] tools/moveconfig.py -y SHA_PROG_HW_ACCEL

Note:
We cannot move SHA_HW_ACCEL and SHA_PROG_HW_ACCEL simultaneously
because there is dependency between them.

Cc: Poonam Aggrwal <poonam.aggrwal@freescale.com>
Cc: Naveen Burmi <NaveenBurmi@freescale.com>
Cc: Po Liu <po.liu@freescale.com>
Cc: Shengzhou Liu <Shengzhou.Liu@freescale.com>
Cc: Priyanka Jain <Priyanka.Jain@freescale.com>
Cc: Shaohui Xie <Shaohui.Xie@freescale.com>
Cc: Chunhe Lan <Chunhe.Lan@freescale.com>
Cc: Chander Kashyap <k.chander@samsung.com>
Cc: Steve Rae <steve.rae@raedomain.com>
Cc: Dirk Eibach <eibach@gdsys.de>
Cc: Feng Li <feng.li_2@nxp.com>
Cc: Alison Wang <alison.wang@freescale.com>
Cc: Sumit Garg <sumit.garg@nxp.com>
Cc: Mingkai Hu <Mingkai.Hu@freescale.com>
Cc: York Sun <york.sun@nxp.com>
Cc: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>
Cc: Jaehoon Chung <jh80.chung@samsung.com>
Cc: Akshay Saraswat <akshay.s@samsung.com>
Cc: Heiko Schocher <hs@denx.de>
Cc: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>

show more ...

FIT: Rename FIT_DISABLE_SHA256 to FIT_ENABLE_SHA256_SUPPORT

We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which
is enabled by default and now a positive option. Convert th

FIT: Rename FIT_DISABLE_SHA256 to FIT_ENABLE_SHA256_SUPPORT

We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which
is enabled by default and now a positive option. Convert the handful of boards
that were disabling it before to save space.

Cc: Dirk Eibach <eibach@gdsys.de>
Cc: Lukasz Dalek <luk0104@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

The function 'board_fit_image_post_process' is defined only when the
config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure

image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

The function 'board_fit_image_post_process' is defined only when the
config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
systems that do not use SPL but do use FIT kernel images, only
CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
implicit declaration of function 'board_fit_image_post_process' warning
while building u-boot. Fix this warning.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

show more ...

Kconfig: define MD5 dependency for FIT support

FIT images require MD5 support to verify image checksums. So far this
was expressed by defining a CPP symbol in image.h. Since MD5 is now a
first class

Kconfig: define MD5 dependency for FIT support

FIT images require MD5 support to verify image checksums. So far this
was expressed by defining a CPP symbol in image.h. Since MD5 is now a
first class Kconfig citizen, express that in Kconfig instead.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

bootm: relocate ramdisk if CONFIG_SYS_BOOT_RAMDISK_HIGH set

In 35fc84f, bootm was refactored so plain 'bootm' and
'bootm <subcommand>' shared a common implementation.
The 'bootm ramdisk' command imp

bootm: relocate ramdisk if CONFIG_SYS_BOOT_RAMDISK_HIGH set

In 35fc84f, bootm was refactored so plain 'bootm' and
'bootm <subcommand>' shared a common implementation.
The 'bootm ramdisk' command implementation is now part of the common
implementation but not invoke by plain 'bootm' since the original
implementation never did ramdisk relocation. Instead, ramdisk
relocation happened in image_setup_linux() which is typically called
during the OS portion of 'bootm'.

On ARM, parameters to the Linux kernel can either be passed by FDT or
ATAGS. When using FDT, image_setup_linux() is called which also triggers
ramdisk relocation. When using ATAGS, image_setup_linux() is _not_
called because it mostly does FDT setup.

Instead of calling image_setup_linux() in both FDT and ATAGS cases,
include BOOTM_STATE_RAMDISK in the requested states during a plain
'bootm' if CONFIG_SYS_BOOT_RAMDISK_HIGH is set and remove the ramdisk
relocation from image_setup_linux(). This causes ramdisk relocation to
happen on any system where CONFIG_SYS_BOOT_RAMDISK_HIGH regardless of
the OS being booted. Also remove IMAGE_ENABLE_RAMDISK_HIGH as it was
only used by the now-removed code from image_setup_linux().

Signed-off-by: Rick Altherr <raltherr@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>

show more ...

Merge branch 'master' of git://git.denx.de/u-boot-video

mkimage: Add support for signing with pkcs11

Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, e

mkimage: Add support for signing with pkcs11

Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>

show more ...

splash: add support for loading splash from a FIT image

Enable support for loading a splash image from within a FIT image.
The image is assumed to be generated with mkimage -E flag to hold
the data

splash: add support for loading splash from a FIT image

Enable support for loading a splash image from within a FIT image.
The image is assumed to be generated with mkimage -E flag to hold
the data external to the FIT.

Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
Acked-by: Igor Grinberg <grinberg@compulab.co.il>

show more ...

Merge branch 'master' of git://www.denx.de/git/u-boot-imx

tools: mkimage: add firmware-ivt image type for HAB verification

When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF

tools: mkimage: add firmware-ivt image type for HAB verification

When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF.
Images generated as firmware_ivt can directly be signed using the
Freescale code signing tool. For creation of a CSF, mkimage outputs
the correct HAB Blocks for the image.
The changes to the usual firmware image class are quite small,
that is why I implemented that directly into the default_image.

Cc: sbabic@denx.de

v2-Changes: None

Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>

show more ...

image: Add Trusted Execution Environment image type

Add a new image type representing Trusted Execution Environment (TEE)
image types. For example, an OP-TEE OS binary image.

Signed-off-by: Andrew

image: Add Trusted Execution Environment image type

Add a new image type representing Trusted Execution Environment (TEE)
image types. For example, an OP-TEE OS binary image.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

image: Add FIT image loadable section custom processing

To help automate the loading of custom image types we add the ability
to define custom handlers for the loadable section types. When we find
a

image: Add FIT image loadable section custom processing

To help automate the loading of custom image types we add the ability
to define custom handlers for the loadable section types. When we find
a compatible type while loading a "loadable" image from a FIT image we
run its associated handlers to perform any additional steps needed for
loading this image.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

Merge branch 'master' of git://git.denx.de/u-boot

Signed-off-by: Stefano Babic <sbabic@denx.de>

image: Combine image_sig_algo with image_sign_info

Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer th

image: Combine image_sig_algo with image_sign_info

Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.

Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.

Indirectly adds support for "sha1,rsa4096" signing/verification.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

image: Add crypto_algo struct for RSA info

Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checks

image: Add crypto_algo struct for RSA info

Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

rsa: Verify RSA padding programatically

Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SH

rsa: Verify RSA padding programatically

Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SHA/RSA pairings. The padding can be easily computed
according to PKCS#1v2.1 as:

EM = 0x00 || 0x01 || PS || 0x00 || T

where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding
of the hash.

Store DER prefix in checksum_algo and create rsa_verify_padding
function to handle verification of a message for any SHA/RSA pairing.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

rsa: cosmetic: rename pad_len to key_len

checksum_algo's pad_len field isn't actually used to store the length of
the padding but the total length of the RSA key (msg_len + pad_len)

Signed-off-by:

rsa: cosmetic: rename pad_len to key_len

checksum_algo's pad_len field isn't actually used to store the length of
the padding but the total length of the RSA key (msg_len + pad_len)

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

Merge branch 'master' of git://www.denx.de/git/u-boot-imx

tools: mkimage: add support for Vybrid image format

This format can be flashed directly at address 0 of
the NAND FLASH, as it contains all necessary headers.

Signed-off-by: Albert ARIBAUD (3ADEV) <

tools: mkimage: add support for Vybrid image format

This format can be flashed directly at address 0 of
the NAND FLASH, as it contains all necessary headers.

Signed-off-by: Albert ARIBAUD (3ADEV) <albert.aribaud@3adev.fr>

show more ...

xtensa: add support for the xtensa processor architecture [1/2]

The Xtensa processor architecture is a configurable, extensible,
and synthesizable 32-bit RISC processor core provided by Cadence.

Th

xtensa: add support for the xtensa processor architecture [1/2]

The Xtensa processor architecture is a configurable, extensible,
and synthesizable 32-bit RISC processor core provided by Cadence.

This is the first part of the basic architecture port with changes to
common files. The 'arch/xtensa' directory, and boards and additional
drivers will be in separate commits.

Signed-off-by: Chris Zankel <chris@zankel.net>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>

show more ...

image: fix IH_ARCH_... values for uImage compatibility

Commit 555f45d8f916 ("image: Convert the IH_... values to enums")
accidentally changed some IH_ARCH_... values.

Prior to that commit, there ex

image: fix IH_ARCH_... values for uImage compatibility

Commit 555f45d8f916 ("image: Convert the IH_... values to enums")
accidentally changed some IH_ARCH_... values.

Prior to that commit, there existed a gap between IH_ARCH_M68K and
IH_ARCH_MICROBLAZE, like follows.

#define IH_ARCH_SPARC64 11 /* Sparc 64 Bit */
#define IH_ARCH_M68K 12 /* M68K */
#define IH_ARCH_MICROBLAZE 14 /* MicroBlaze */
#define IH_ARCH_NIOS2 15 /* Nios-II */

The enum conversion broke the compatibility with existing uImage
files. Reverting 555f45d8f916 will cause build error unfortunately,
so here is a more easy fix.

I dug the git history and figured out the gap was introduced by
commit 1117cbf2adac ("nios: remove nios-32 arch"). So, I revived
IH_ARCH_NIOS just for filling the gap.

I added comments to each enum block. Once we assign a value to
IH_... it is not allowed to change it.

Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

show more ...

image: Add functions to obtain category information

Add generic functions which can look up information about a category:

- the number of items in the category
- the category description
- an item

image: Add functions to obtain category information

Add generic functions which can look up information about a category:

- the number of items in the category
- the category description
- an item long time
- an item short time

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>

show more ...