Rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT, which is now a positive option and is enabled by default. Convert the handful of boards that previously disabled SHA256 support to save space.
Cc: Dirk Eibach <eib...@gdsys.de> Cc: Lukasz Dalek <luk0...@gmail.com> Signed-off-by: Tom Rini <tr...@konsulko.com> Reviewed-by: Simon Glass <s...@chromium.org> --- Changes in v3: include/image.h was missing #include additions so that we would be able to tell if CONFIG_FIT_ENABLE_SHA256_SUPPORT is enabled or not, breaking verified boot. Kconfig | 13 +++++++++++++ README | 9 --------- configs/dlvision-10g_defconfig | 1 + configs/dlvision_defconfig | 1 + configs/h2200_defconfig | 1 + configs/io_defconfig | 1 + configs/iocon_defconfig | 1 + configs/neo_defconfig | 1 + include/configs/dlvision-10g.h | 3 --- include/configs/dlvision.h | 3 --- include/configs/h2200.h | 1 - include/configs/io.h | 3 --- include/configs/iocon.h | 3 --- include/configs/neo.h | 3 --- include/image.h | 17 +++++++---------- scripts/config_whitelist.txt | 1 - 16 files changed, 26 insertions(+), 36 deletions(-) diff --git a/Kconfig b/Kconfig index 81b4226463ae..d565e7adb76d 100644 --- a/Kconfig +++ b/Kconfig @@ -156,6 +156,19 @@ config FIT if FIT +config FIT_ENABLE_SHA256_SUPPORT + bool "Support SHA256 checksum of FIT image contents" + default y + help + Enable this to support SHA256 checksum of FIT image contents. A + SHA256 checksum is a 256-bit (32-byte) hash value used to check that + the image contents have not been corrupted. SHA256 is recommended + for use in secure applications since (as at 2016) there is no known + feasible attack that could produce a 'collision' with differing + input data. Use this for the highest security. Note that only the + SHA256 variant is supported: SHA512 and others are not currently + supported in U-Boot. + config FIT_SIGNATURE bool "Enable signature verification of FIT uImages" depends on DM diff --git a/README b/README index 4f0dbd4fca6d..daa39a5a92f8 100644 --- a/README +++ b/README 
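Review bot: The help text added for FIT_ENABLE_SHA256_SUPPORT describes a checksum that detects corruption and then says "Use this for the highest security", which overstates what a hash node alone provides. An unsigned hash can be recomputed by anyone able to modify the image, so it gives integrity against accidents, not authenticity. I would replace that sentence with something like `Hashes alone only detect corruption; enable FIT_SIGNATURE to authenticate the image.` The FIT_SIGNATURE entry that follows as context shows only `depends on DM` (the rest of it is outside the hunk), so it is worth confirming that a board cannot enable signature verification with SHA256 disabled, for example by adding `select FIT_ENABLE_SHA256_SUPPORT` there if nothing else already implies it.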
@@ -3091,15 +3091,6 @@ FIT uImage format: This define is introduced, as the legacy image format is enabled per default for backward compatibility. -- FIT image support: - CONFIG_FIT_DISABLE_SHA256 - Supporting SHA256 hashes has quite an impact on binary size. - For constrained systems sha256 hash support can be disabled - with this option. - - TODO(s...@chromium.org): Adjust this option to be positive, - and move it to Kconfig - - Standalone program support: CONFIG_STANDALONE_LOAD_ADDR diff --git a/configs/dlvision-10g_defconfig b/configs/dlvision-10g_defconfig index edafe73e7ca8..b976e6099968 100644 --- a/configs/dlvision-10g_defconfig +++ b/configs/dlvision-10g_defconfig @@ -4,6 +4,7 @@ CONFIG_IDENT_STRING=" dlvision-10g 0.06" CONFIG_4xx=y CONFIG_TARGET_DLVISION_10G=y CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_FIT_VERBOSE=y CONFIG_OF_BOARD_SETUP=y CONFIG_BOOTDELAY=5 diff --git a/configs/dlvision_defconfig b/configs/dlvision_defconfig index 2ceb057ab5f3..16a199a99e2d 100644 --- a/configs/dlvision_defconfig +++ b/configs/dlvision_defconfig @@ -4,6 +4,7 @@ CONFIG_IDENT_STRING=" dlvision 0.02" CONFIG_4xx=y CONFIG_TARGET_DLVISION=y CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_FIT_VERBOSE=y CONFIG_OF_BOARD_SETUP=y CONFIG_BOOTDELAY=5 diff --git a/configs/h2200_defconfig b/configs/h2200_defconfig index e7afd81007c1..74f157db56e4 100644 --- a/configs/h2200_defconfig +++ b/configs/h2200_defconfig @@ -2,6 +2,7 @@ CONFIG_ARM=y CONFIG_TARGET_H2200=y # CONFIG_MMC is not set CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_SYS_CONSOLE_IS_IN_ENV=y # CONFIG_DISPLAY_CPUINFO is not set # CONFIG_DISPLAY_BOARDINFO is not set diff --git a/configs/io_defconfig b/configs/io_defconfig index 422d09002405..442f4dfaab0e 100644 --- a/configs/io_defconfig +++ b/configs/io_defconfig 
@@ -4,6 +4,7 @@ CONFIG_IDENT_STRING=" io 0.06" CONFIG_4xx=y CONFIG_TARGET_IO=y CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_FIT_VERBOSE=y CONFIG_OF_BOARD_SETUP=y CONFIG_BOOTDELAY=5 diff --git a/configs/iocon_defconfig b/configs/iocon_defconfig index 23704e4421c2..d2d0116e0355 100644 --- a/configs/iocon_defconfig +++ b/configs/iocon_defconfig @@ -4,6 +4,7 @@ CONFIG_IDENT_STRING=" iocon 0.06" CONFIG_4xx=y CONFIG_TARGET_IOCON=y CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_OF_BOARD_SETUP=y CONFIG_BOOTDELAY=5 CONFIG_SYS_CONSOLE_INFO_QUIET=y diff --git a/configs/neo_defconfig b/configs/neo_defconfig index 666a22679022..cc6dffe3a1ef 100644 --- a/configs/neo_defconfig +++ b/configs/neo_defconfig @@ -4,6 +4,7 @@ CONFIG_IDENT_STRING=" neo 0.02" CONFIG_4xx=y CONFIG_TARGET_NEO=y CONFIG_FIT=y +# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set CONFIG_FIT_VERBOSE=y CONFIG_OF_BOARD_SETUP=y CONFIG_BOOTDELAY=5 diff --git a/include/configs/dlvision-10g.h b/include/configs/dlvision-10g.h index 6b3cd15cb65d..575a75e66b96 100644 --- a/include/configs/dlvision-10g.h +++ b/include/configs/dlvision-10g.h @@ -31,9 +31,6 @@ #define PLLMR0_DEFAULT PLLMR0_266_133_66 #define PLLMR1_DEFAULT PLLMR1_266_133_66 -/* new uImage format support */ -#define CONFIG_FIT_DISABLE_SHA256 - #define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */ /* diff --git a/include/configs/dlvision.h b/include/configs/dlvision.h index 6269768df1af..b0df7e183324 100644 --- a/include/configs/dlvision.h +++ b/include/configs/dlvision.h @@ -29,9 +29,6 @@ #define PLLMR0_DEFAULT PLLMR0_266_133_66_33 #define PLLMR1_DEFAULT PLLMR1_266_133_66_33 -/* new uImage format support */ -#define CONFIG_FIT_DISABLE_SHA256 - #define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */ /* diff --git a/include/configs/h2200.h b/include/configs/h2200.h index 0891b02d3522..220679fa7f11 100644 --- a/include/configs/h2200.h +++ b/include/configs/h2200.h 
@@ -110,7 +110,6 @@ #define CONFIG_BAUDRATE 115200 #define CONFIG_SYS_BAUDRATE_TABLE { 9600, 38400, 115200 } -#define CONFIG_FIT_DISABLE_SHA256 #define CONFIG_SETUP_MEMORY_TAGS #define CONFIG_CMDLINE_TAG #define CONFIG_INITRD_TAG diff --git a/include/configs/io.h b/include/configs/io.h index 8a21b3f60f75..c105921978c3 100644 --- a/include/configs/io.h +++ b/include/configs/io.h @@ -31,9 +31,6 @@ #define PLLMR0_DEFAULT PLLMR0_266_133_66 #define PLLMR1_DEFAULT PLLMR1_266_133_66 -/* new uImage format support */ -#define CONFIG_FIT_DISABLE_SHA256 - #define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */ /* diff --git a/include/configs/iocon.h b/include/configs/iocon.h index 9c3be78bc73b..afa69942e84a 100644 --- a/include/configs/iocon.h +++ b/include/configs/iocon.h @@ -33,9 +33,6 @@ #define PLLMR0_DEFAULT PLLMR0_266_133_66 #define PLLMR1_DEFAULT PLLMR1_266_133_66 -/* new uImage format support */ -#define CONFIG_FIT_DISABLE_SHA256 - #define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */ /* diff --git a/include/configs/neo.h b/include/configs/neo.h index f6b4cc01c288..094b4fbc010e 100644 --- a/include/configs/neo.h +++ b/include/configs/neo.h @@ -31,9 +31,6 @@ #define PLLMR0_DEFAULT PLLMR0_266_133_66_33 #define PLLMR1_DEFAULT PLLMR1_266_133_66_33 -/* new uImage format support */ -#define CONFIG_FIT_DISABLE_SHA256 - #define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */ /* diff --git a/include/image.h b/include/image.h index 1e686b76d3eb..3e18e78eb740 100644 --- a/include/image.h +++ b/include/image.h @@ -29,12 +29,14 @@ struct lmb; #define IMAGE_ENABLE_FIT 1 #define IMAGE_ENABLE_OF_LIBFDT 1 #define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */ +#define CONFIG_FIT_ENABLE_SHA256_SUPPORT 1 #define IMAGE_ENABLE_IGNORE 0 #define IMAGE_INDENT_STRING "" #else +#include <config.h> #include <lmb.h> #include <asm/u-boot.h> #include <command.h> 
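Review bot: The `#include <config.h>` added in the non-host branch of the @@ -29,12 +29,14 @@ hunk carries no comment, although the `defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT)` test further down this header depends on it. Per the v3 changelog, without it the test cannot see the option and verified boot breaks, and nothing at build time flags that. I would mark the dependency where it is introduced, e.g. `#include <config.h> /* must precede the IMAGE_ENABLE_* tests below */`, so a later include cleanup does not silently compile SHA256 out. The enclosing `#if`/`#else` starts outside the hunk.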
@@ -62,9 +64,6 @@ struct lmb; # ifdef CONFIG_SPL_SHA1_SUPPORT # define IMAGE_ENABLE_SHA1 1 # endif -# ifdef CONFIG_SPL_SHA256_SUPPORT -# define IMAGE_ENABLE_SHA256 1 -# endif # else # define CONFIG_CRC32 /* FIT images need CRC32 support */ # define CONFIG_MD5 /* and MD5 */ @@ -73,14 +72,8 @@ struct lmb; # define IMAGE_ENABLE_CRC32 1 # define IMAGE_ENABLE_MD5 1 # define IMAGE_ENABLE_SHA1 1 -# define IMAGE_ENABLE_SHA256 1 # endif -#ifdef CONFIG_FIT_DISABLE_SHA256 -#undef CONFIG_SHA256 -#undef IMAGE_ENABLE_SHA256 -#endif - #ifndef IMAGE_ENABLE_CRC32 #define IMAGE_ENABLE_CRC32 0 #endif @@ -93,7 +86,11 @@ struct lmb; #define IMAGE_ENABLE_SHA1 0 #endif -#ifndef IMAGE_ENABLE_SHA256 +#if defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT) || \ + defined(CONFIG_SPL_SHA256_SUPPORT) +#define CONFIG_SHA256 +#define IMAGE_ENABLE_SHA256 1 +#else #define IMAGE_ENABLE_SHA256 0 #endif diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt index f6c9101e9573..dc7782e58e23 100644 --- a/scripts/config_whitelist.txt +++ b/scripts/config_whitelist.txt @@ -1129,7 +1129,6 @@ CONFIG_FFUART CONFIG_FILE CONFIG_FIRMWARE_OFFSET CONFIG_FIRMWARE_SIZE -CONFIG_FIT_DISABLE_SHA256 CONFIG_FIXED_PHY CONFIG_FIXED_PHY_ADDR CONFIG_FIXED_SDHCI_ALIGNED_BUFFER -- 1.9.1 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
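Review bot: The new `#if defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT) || defined(CONFIG_SPL_SHA256_SUPPORT)` block in the @@ -93,7 +86,11 @@ hunk drops the per-stage distinction kept by the lines removed in the @@ -62,9 +64,6 @@ and @@ -73,14 +72,8 @@ hunks. There, CONFIG_SPL_SHA256_SUPPORT was consulted in only one branch of a conditional whose opening `# if` is outside the hunk (presumably the SPL build). As written, a board that unsets CONFIG_FIT_ENABLE_SHA256_SUPPORT to save space still gets SHA256 in every stage when CONFIG_SPL_SHA256_SUPPORT is set, and the other branch gets it without its own option whenever the FIT option keeps its default of y. The hash algorithms a stage accepts then no longer follow that stage's configuration. If the outer conditional is the SPL-build test, I would key the check on it, e.g. `#if (defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_SHA256_SUPPORT)) || (!defined(CONFIG_SPL_BUILD) && defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT))`. The unconditional `#define CONFIG_SHA256` would also be safer inside `#ifndef CONFIG_SHA256`, in case a board header already defines it with a value.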