image: Add RSA support for image signing
RSA provides a public key encryption facility which is ideal for image
signing and verification.
Images are signed using a private key by mkimage. Then at run-time, the
images are verified using a private key.
This implementation uses openssl for the host part (mkimage). To avoid
bringing large libraries into the U-Boot binary, the RSA public key
is encoded using a simple numeric representation in the device tree.
Signed-off-by: Simon Glass <sjg@chromium.org>
diff --git a/tools/Makefile b/tools/Makefile
index e3cb3bf..cc912fb 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -125,6 +125,9 @@
LIBFDT_OBJ_FILES-y += fdt_strerror.o
LIBFDT_OBJ_FILES-y += fdt_wip.o
+# RSA objects
+RSA_OBJ_FILES-y += rsa-sign.o
+
# Generated LCD/video logo
LOGO_H = $(OBJTREE)/include/bmp_logo.h
LOGO_DATA_H = $(OBJTREE)/include/bmp_logo_data.h
@@ -152,8 +155,10 @@
HOSTSRCS += $(addprefix $(SRCTREE)/,$(EXT_OBJ_FILES-y:.o=.c))
HOSTSRCS += $(addprefix $(SRCTREE)/tools/,$(OBJ_FILES-y:.o=.c))
HOSTSRCS += $(addprefix $(SRCTREE)/lib/libfdt/,$(LIBFDT_OBJ_FILES-y:.o=.c))
+HOSTSRCS += $(addprefix $(SRCTREE)/lib/rsa/,$(RSA_OBJ_FILES-y:.o=.c))
BINS := $(addprefix $(obj),$(sort $(BIN_FILES-y)))
LIBFDT_OBJS := $(addprefix $(obj),$(LIBFDT_OBJ_FILES-y))
+RSA_OBJS := $(addprefix $(obj),$(RSA_OBJ_FILES-y))
# We cannot check CONFIG_FIT_SIGNATURE here since it is not set on the host
FIT_SIG_OBJ_FILES := image-sig.o
@@ -228,8 +233,9 @@
$(obj)omapimage.o \
$(obj)sha1.o \
$(obj)ublimage.o \
- $(LIBFDT_OBJS)
- $(HOSTCC) $(HOSTCFLAGS) $(HOSTLDFLAGS) -o $@ $^
+ $(LIBFDT_OBJS) \
+ $(RSA_OBJS)
+ $(HOSTCC) $(HOSTCFLAGS) $(HOSTLDFLAGS) -o $@ $^ $(HOSTLIBS)
$(HOSTSTRIP) $@
$(obj)mk$(BOARD)spl$(SFX): $(obj)mkexynosspl.o
@@ -265,6 +271,9 @@
$(obj)%.o: $(SRCTREE)/lib/libfdt/%.c
$(HOSTCC) -g $(HOSTCFLAGS_NOPED) -c -o $@ $<
+$(obj)%.o: $(SRCTREE)/lib/rsa/%.c
+ $(HOSTCC) -g $(HOSTCFLAGS_NOPED) -c -o $@ $<
+
subdirs:
ifeq ($(TOOLSUBDIRS),)
@: