Message ID | 20210413080755.73572-12-joel@jms.id.au |
---|---|
State | New |
Headers | show |
Series | Use HACE to | expand |
On 4/13/2021 5:07 AM, Joel Stanley wrote: > SHA512 will be used by the openbmc secure boot implementation when > verifying FIT images of both u-boot proper and the kernel. > > The hash command is useful, and adds only a small amount of binary size > given the algorithms are already included in the image. > > Using hardware acceleration instead of a software implementation saves a > significant amount of binary size (approx. 12KB for the SPL). > > Note that the hardware implementation is only useful when booting from a > payload in memory, as is the case with MMC or network boot. It cannot be > used when booting from SPI NOR. > > Signed-off-by: Joel Stanley <joel@jms.id.au> Reviewed-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> > --- > configs/ast2600_openbmc_spl_emmc_defconfig | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig > index e59d3595ebf0..05069084cbc5 100644 > --- a/configs/ast2600_openbmc_spl_emmc_defconfig > +++ b/configs/ast2600_openbmc_spl_emmc_defconfig > @@ -36,6 +36,7 @@ CONFIG_ARMV7_BOOT_SEC_DEFAULT=y > CONFIG_ARMV7_PSCI_NR_CPUS=2 > CONFIG_NR_DRAM_BANKS=1 > CONFIG_FIT=y > +CONFIG_FIT_ENABLE_SHA512_SUPPORT=y > CONFIG_FIT_SIGNATURE=y > CONFIG_SPL_FIT_SIGNATURE=y > CONFIG_SPL_LOAD_FIT=y > @@ -53,6 +54,8 @@ CONFIG_SPL_STACK_R=y > CONFIG_SPL_SEPARATE_BSS=y > CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y > CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x80 > +CONFIG_SPL_SHA256_SUPPORT=y > +CONFIG_SPL_SHA512_SUPPORT=y > CONFIG_SPL_FIT_IMAGE_TINY=y > CONFIG_SPL_DM_RESET=y > CONFIG_SPL_RAM_SUPPORT=y > @@ -80,6 +83,7 @@ CONFIG_CMD_DHCP=y > CONFIG_CMD_MII=y > CONFIG_CMD_PING=y > CONFIG_CMD_NCSI=y > +CONFIG_CMD_HASH=y > CONFIG_CMD_EXT2=y > CONFIG_CMD_EXT4=y > CONFIG_CMD_EXT4_WRITE=y > @@ -97,6 +101,7 @@ CONFIG_SYSCON=y > CONFIG_SPL_OF_TRANSLATE=y > CONFIG_CLK=y > CONFIG_SPL_CLK=y > +CONFIG_ASPEED_HACE=y > CONFIG_DM_GPIO=y > CONFIG_ASPEED_GPIO=y > CONFIG_DM_I2C=y > @@ -135,4 +140,6 @@ CONFIG_USE_TINY_PRINTF=y > CONFIG_SPL_TINY_MEMSET=y > CONFIG_TPM=y > CONFIG_SPL_TPM=y > +CONFIG_SHA_HW_ACCEL=y > +CONFIG_SHA_PROG_HW_ACCEL=y > # CONFIG_EFI_LOADER is not set >
On 4/13/2021 5:42 PM, Klaus Heinrich Kiwi wrote: > > > On 4/13/2021 5:07 AM, Joel Stanley wrote: >> SHA512 will be used by the openbmc secure boot implementation when >> verifying FIT images of both u-boot proper and the kernel. >> >> The hash command is useful, and adds only a small amount of binary size >> given the algorithms are already included in the image. >> >> Using hardware acceleration instead of a software implementation saves a >> significant amount of binary size (approx. 12KB for the SPL). >> >> Note that the hardware implementation is only useful when booting from a >> payload in memory, as is the case with MMC or network boot. It cannot be >> used when booting from SPI NOR. >> >> Signed-off-by: Joel Stanley <joel@jms.id.au> > Reviewed-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> >> --- >> configs/ast2600_openbmc_spl_emmc_defconfig | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig >> index e59d3595ebf0..05069084cbc5 100644 >> --- a/configs/ast2600_openbmc_spl_emmc_defconfig >> +++ b/configs/ast2600_openbmc_spl_emmc_defconfig >> @@ -36,6 +36,7 @@ CONFIG_ARMV7_BOOT_SEC_DEFAULT=y >> CONFIG_ARMV7_PSCI_NR_CPUS=2 >> CONFIG_NR_DRAM_BANKS=1 >> CONFIG_FIT=y >> +CONFIG_FIT_ENABLE_SHA512_SUPPORT=y >> CONFIG_FIT_SIGNATURE=y >> CONFIG_SPL_FIT_SIGNATURE=y >> CONFIG_SPL_LOAD_FIT=y >> @@ -53,6 +54,8 @@ CONFIG_SPL_STACK_R=y >> CONFIG_SPL_SEPARATE_BSS=y >> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y >> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x80 >> +CONFIG_SPL_SHA256_SUPPORT=y >> +CONFIG_SPL_SHA512_SUPPORT=y >> CONFIG_SPL_FIT_IMAGE_TINY=y >> CONFIG_SPL_DM_RESET=y >> CONFIG_SPL_RAM_SUPPORT=y >> @@ -80,6 +83,7 @@ CONFIG_CMD_DHCP=y >> CONFIG_CMD_MII=y >> CONFIG_CMD_PING=y >> CONFIG_CMD_NCSI=y >> +CONFIG_CMD_HASH=y >> CONFIG_CMD_EXT2=y >> CONFIG_CMD_EXT4=y >> CONFIG_CMD_EXT4_WRITE=y >> @@ -97,6 +101,7 @@ CONFIG_SYSCON=y >> CONFIG_SPL_OF_TRANSLATE=y >> CONFIG_CLK=y >> CONFIG_SPL_CLK=y >> +CONFIG_ASPEED_HACE=y >> CONFIG_DM_GPIO=y >> CONFIG_ASPEED_GPIO=y >> CONFIG_DM_I2C=y >> @@ -135,4 +140,6 @@ CONFIG_USE_TINY_PRINTF=y >> CONFIG_SPL_TINY_MEMSET=y >> CONFIG_TPM=y >> CONFIG_SPL_TPM=y >> +CONFIG_SHA_HW_ACCEL=y >> +CONFIG_SHA_PROG_HW_ACCEL=y Doesn't invalidate my reviewed-by-tag, but I just noted that these are redundant due to CONFIG_ASPEED_HACE=y. But I'm fine if you want yo keep them explicit as well. -Klaus >> # CONFIG_EFI_LOADER is not set >> >
diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig index e59d3595ebf0..05069084cbc5 100644 --- a/configs/ast2600_openbmc_spl_emmc_defconfig +++ b/configs/ast2600_openbmc_spl_emmc_defconfig @@ -36,6 +36,7 @@ CONFIG_ARMV7_BOOT_SEC_DEFAULT=y CONFIG_ARMV7_PSCI_NR_CPUS=2 CONFIG_NR_DRAM_BANKS=1 CONFIG_FIT=y +CONFIG_FIT_ENABLE_SHA512_SUPPORT=y CONFIG_FIT_SIGNATURE=y CONFIG_SPL_FIT_SIGNATURE=y CONFIG_SPL_LOAD_FIT=y @@ -53,6 +54,8 @@ CONFIG_SPL_STACK_R=y CONFIG_SPL_SEPARATE_BSS=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x80 +CONFIG_SPL_SHA256_SUPPORT=y +CONFIG_SPL_SHA512_SUPPORT=y CONFIG_SPL_FIT_IMAGE_TINY=y CONFIG_SPL_DM_RESET=y CONFIG_SPL_RAM_SUPPORT=y @@ -80,6 +83,7 @@ CONFIG_CMD_DHCP=y CONFIG_CMD_MII=y CONFIG_CMD_PING=y CONFIG_CMD_NCSI=y +CONFIG_CMD_HASH=y CONFIG_CMD_EXT2=y CONFIG_CMD_EXT4=y CONFIG_CMD_EXT4_WRITE=y @@ -97,6 +101,7 @@ CONFIG_SYSCON=y CONFIG_SPL_OF_TRANSLATE=y CONFIG_CLK=y CONFIG_SPL_CLK=y +CONFIG_ASPEED_HACE=y CONFIG_DM_GPIO=y CONFIG_ASPEED_GPIO=y CONFIG_DM_I2C=y @@ -135,4 +140,6 @@ CONFIG_USE_TINY_PRINTF=y CONFIG_SPL_TINY_MEMSET=y CONFIG_TPM=y CONFIG_SPL_TPM=y +CONFIG_SHA_HW_ACCEL=y +CONFIG_SHA_PROG_HW_ACCEL=y # CONFIG_EFI_LOADER is not set
SHA512 will be used by the openbmc secure boot implementation when verifying FIT images of both u-boot proper and the kernel. The hash command is useful, and adds only a small amount of binary size given the algorithms are already included in the image. Using hardware acceleration instead of a software implementation saves a significant amount of binary size (approx. 12KB for the SPL). Note that the hardware implementation is only useful when booting from a payload in memory, as is the case with MMC or network boot. It cannot be used when booting from SPI NOR. Signed-off-by: Joel Stanley <joel@jms.id.au> --- configs/ast2600_openbmc_spl_emmc_defconfig | 7 +++++++ 1 file changed, 7 insertions(+)