With upcoming ECDSA support RSA won't be the only option for FIT image verification anymore. Make CONFIG_CRYPTO_RSA visible so that the user can choose. CONFIG_CRYPTO_RSA defaults to yes when FITIMAGE_SIGNATURE is selected so that existing configs continue to work. Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> --- common/Kconfig | 1 - common/image-fit.c | 5 +++++ crypto/Kconfig | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/common/Kconfig b/common/Kconfig index 31360892ae..65850f68bd 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -59,7 +59,6 @@ config FITIMAGE select DIGEST config FITIMAGE_SIGNATURE - select CRYPTO_RSA bool config LOGBUF diff --git a/common/image-fit.c b/common/image-fit.c index 4a69049abc..6002440e7e 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -262,6 +262,11 @@ static int fit_check_rsa_signature(struct device_node *sig_node, const char *sig_value; int ret; + if (!IS_ENABLED(CONFIG_CRYPTO_RSA)) { + pr_err("RSA support is disabled, Cannot verify image\n"); + return -EOPNOTSUPP; + } + sig_value = of_get_property(sig_node, "value", &sig_len); if (!sig_value) { pr_err("signature value not found in %pOF\n", sig_node); diff --git a/crypto/Kconfig b/crypto/Kconfig index 32051d8d2b..b6214b229f 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -116,7 +116,8 @@ config CRYPTO_PBKDF2 bool config CRYPTO_RSA - bool + bool "RSA support" + default y if FITIMAGE_SIGNATURE config CRYPTO_RSA_BUILTIN_KEYS bool -- 2.39.2