From: Andre Wolokita <andre.wolokita@analog.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] Hardware hashing on unsigned fitImage nodes.
Date: Wed, 8 Jul 2015 11:22:13 +1000 [thread overview]
Message-ID: <559C7B45.4050201@analog.com> (raw)
Hi Simon,
Hopefully you're the right person to be contacting about this; if not, please point me in the right direction.
We've recently had a contractor write a hash driver for our crypto accelerator, intended to accelerate fitImage verification. They noticed that the hardware hashing API would only be called for the signed nodes (we are only signing the config node) while the unsigned nodes were still being processed in software. Their proposed solution was to add logic to fit_image_check_hash() in common/fit-image.c:
diff --git a/common/image-fit.c b/common/image-fit.c
index 4ffc5aa..1cb26cc 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -906,7 +906,10 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
uint8_t *fit_value;
int fit_value_len;
int ignore;
-
+#ifdef CONFIG_ADI_HASH
+ struct image_region region;
+ int i;
+#endif
*err_msgp = NULL;
if (fit_image_hash_get_algo(fit, noffset, &algo)) {
@@ -928,12 +931,28 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
*err_msgp = "Can't get hash value property";
return -1;
}
+#ifdef CONFIG_ADI_HASH
+ region.data = data;
+ region.size = size;
+ memset(value, '\0', FIT_MAX_HASH_LEN);
+ /* h/w acceleration */
+ if(hash_calculate(algo, ®ion, 1, value)){
+ *err_msgp = "Unsupported hash algorithm";
+ return -1;
+ }
+
+ if(strcmp(algo, "sha1")==0)
+ value_len = SHA1_SUM_LEN;
+ else
+ value_len = FIT_MAX_HASH_LEN;
+#else
if (calculate_hash(data, size, algo, value, &value_len)) {
*err_msgp = "Unsupported hash algorithm";
return -1;
}
I realise that adding to common code is probably discouraged. Is there any other solutions that do not involve doing so? Thank you in advance.
Regards,
Andre.
--
Andre Wolokita (andre.wolokita at analog.com)
Design Engineer, Analog Devices Australia Pty Ltd
Unit 3, 97 Lewis Road, Wantirna, Victoria, 3152, AUSTRALIA
Direct: +61 3 9881 9933 Main: +61 3 9881 9999
Fax: +61 3 9881 9988 Web: www.analog.com/au
Embedded & Digital Signal Processing Software.
This communication is proprietary and confidential.
next reply other threads:[~2015-07-08 1:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-08 1:22 Andre Wolokita [this message]
2015-07-09 18:52 ` [U-Boot] Hardware hashing on unsigned fitImage nodes Simon Glass
2015-07-14 3:35 ` Andre Wolokita
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=559C7B45.4050201@analog.com \
--to=andre.wolokita@analog.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox