1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
From: Vagrant Cascadian <vagrant@debian.org>
Date: Fri, 22 Oct 2021 17:34:53 -0700
Subject: [PATCH] Revert "tools: kwbimage: Do not hide usage of secure header
under CONFIG_ARMADA_38X"
This reverts commit b4f3cc2c42d97967a3a3c8796c340f6b07ecccac.
Addendum 2022-12-08, Ricardo Wurmus: This patch has been updated to introduce
CONFIG_FIT_PRELOAD to remove fit_pre_load_data, which depends on openssl.
diff --git a/tools/kwbimage.c b/tools/kwbimage.c
index 94b7685392..eec599b0ee 100644
--- a/tools/kwbimage.c
+++ b/tools/kwbimage.c
@@ -19,6 +19,7 @@
#include <stdint.h>
#include "kwbimage.h"
+#ifdef CONFIG_KWB_SECURE
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
@@ -44,6 +45,7 @@ void EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
EVP_MD_CTX_reset(ctx);
}
#endif
+#endif
/* fls - find last (most-significant) bit set in 4-bit integer */
static inline int fls4(int num)
@@ -62,7 +64,9 @@ static inline int fls4(int num)
static struct image_cfg_element *image_cfg;
static int cfgn;
+#ifdef CONFIG_KWB_SECURE
static int verbose_mode;
+#endif
struct boot_mode {
unsigned int id;
@@ -278,6 +282,8 @@ image_count_options(unsigned int optiontype)
return count;
}
+#if defined(CONFIG_KWB_SECURE)
+
static int image_get_csk_index(void)
{
struct image_cfg_element *e;
@@ -288,6 +294,7 @@ static int image_get_csk_index(void)
return e->csk_idx;
}
+#endif
static bool image_get_spezialized_img(void)
{
@@ -432,6 +439,7 @@ static uint8_t baudrate_to_option(unsigned int baudrate)
}
}
+#if defined(CONFIG_KWB_SECURE)
static void kwb_msg(const char *fmt, ...)
{
if (verbose_mode) {
@@ -926,6 +934,7 @@ static int kwb_dump_fuse_cmds(struct secure_hdr_v1 *sec_hdr)
done:
return ret;
}
+#endif
static size_t image_headersz_align(size_t headersz, uint8_t blockid)
{
@@ -1079,11 +1088,13 @@ static size_t image_headersz_v1(int *hasext)
*/
headersz = sizeof(struct main_hdr_v1);
+#if defined(CONFIG_KWB_SECURE)
if (image_get_csk_index() >= 0) {
headersz += sizeof(struct secure_hdr_v1);
if (hasext)
*hasext = 1;
}
+#endif
cpu_sheeva = image_is_cpu_sheeva();
@@ -1270,6 +1281,7 @@ err_close:
return -1;
}
+#if defined(CONFIG_KWB_SECURE)
static int export_pub_kak_hash(RSA *kak, struct secure_hdr_v1 *secure_hdr)
{
FILE *hashf;
@@ -1382,6 +1394,7 @@ static int add_secure_header_v1(struct image_tool_params *params, uint8_t *ptr,
return 0;
}
+#endif
static void finish_register_set_header_v1(uint8_t **cur, uint8_t **next_ext,
struct register_set_hdr_v1 *register_set_hdr,
@@ -1406,7 +1419,9 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
struct main_hdr_v1 *main_hdr;
struct opt_hdr_v1 *ohdr;
struct register_set_hdr_v1 *register_set_hdr;
+#if defined(CONFIG_KWB_SECURE)
struct secure_hdr_v1 *secure_hdr = NULL;
+#endif
size_t headersz;
uint8_t *image, *cur;
int hasext = 0;
@@ -1491,6 +1506,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
if (main_hdr->blockid == IBR_HDR_PEX_ID)
main_hdr->srcaddr = cpu_to_le32(0xFFFFFFFF);
+#if defined(CONFIG_KWB_SECURE)
if (image_get_csk_index() >= 0) {
/*
* only reserve the space here; we fill the header later since
@@ -1501,7 +1517,7 @@ static void *image_create_v1(size_t *imagesz, struct image_tool_params *params,
*next_ext = 1;
next_ext = &secure_hdr->next;
}
-
+#endif
datai = 0;
for (cfgi = 0; cfgi < cfgn; cfgi++) {
e = &image_cfg[cfgi];
@@ -1624,10 +1640,12 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,
&datai, delay);
}
+#if defined(CONFIG_KWB_SECURE)
if (secure_hdr && add_secure_header_v1(params, ptr + *dataoff, payloadsz,
image, headersz, secure_hdr))
return NULL;
+#endif
/* Calculate and set the header checksum */
main_hdr->checksum = image_checksum8(main_hdr, headersz);
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -14,8 +14,10 @@
#include <image.h>
#include <version.h>
+#ifdef CONFIG_FIT_PRELOAD
#include <openssl/pem.h>
#include <openssl/evp.h>
+#endif
/**
* fit_set_hash_value - set hash value in requested has node
@@ -1116,6 +1118,7 @@
return 0;
}
+#ifdef CONFIG_FIT_PRELOAD
/*
* 0) open file (open)
* 1) read certificate (PEM_read_X509)
@@ -1224,6 +1227,7 @@
out:
return ret;
}
+#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -59,9 +59,10 @@
ret = fit_set_timestamp(ptr, 0, time);
}
+#ifdef CONFIG_FIT_PRELOAD
if (!ret)
ret = fit_pre_load_data(params->keydir, dest_blob, ptr);
-
+#endif
if (!ret) {
ret = fit_cipher_data(params->keydir, dest_blob, ptr,
params->comment,
--- a/include/image.h
+++ b/include/image.h
@@ -1090,6 +1090,7 @@
int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
+#ifdef CONFIG_FIT_PRELOAD
/**
* fit_pre_load_data() - add public key to fdt blob
*
@@ -1104,6 +1105,7 @@
* < 0, on failure
*/
int fit_pre_load_data(const char *keydir, void *keydest, void *fit);
+#endif
int fit_cipher_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
|