On 01.08.24 07:57, Sascha Hauer wrote: > With upcoming ECDSA support RSA won't be the only option for FIT image > verification anymore. Make CONFIG_CRYPTO_RSA visible so that the user > can choose. CONFIG_CRYPTO_RSA defaults to yes when FITIMAGE_SIGNATURE > is selected so that existing configs continue to work. > > Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> Reviewed-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> > --- > common/Kconfig | 1 - > common/image-fit.c | 5 +++++ > crypto/Kconfig | 3 ++- > 3 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/common/Kconfig b/common/Kconfig > index 31360892ae..65850f68bd 100644 > --- a/common/Kconfig > +++ b/common/Kconfig > @@ -59,7 +59,6 @@ config FITIMAGE > select DIGEST > > config FITIMAGE_SIGNATURE > - select CRYPTO_RSA > bool > > config LOGBUF > diff --git a/common/image-fit.c b/common/image-fit.c > index 4a69049abc..6002440e7e 100644 > --- a/common/image-fit.c > +++ b/common/image-fit.c > @@ -262,6 +262,11 @@ static int fit_check_rsa_signature(struct device_node *sig_node, > const char *sig_value; > int ret; > > + if (!IS_ENABLED(CONFIG_CRYPTO_RSA)) { > + pr_err("RSA support is disabled, Cannot verify image\n"); > + return -EOPNOTSUPP; > + } > + > sig_value = of_get_property(sig_node, "value", &sig_len); > if (!sig_value) { > pr_err("signature value not found in %pOF\n", sig_node); > diff --git a/crypto/Kconfig b/crypto/Kconfig > index eeacd9ffb7..22faff5100 100644 > --- a/crypto/Kconfig > +++ b/crypto/Kconfig > @@ -116,7 +116,8 @@ config CRYPTO_PBKDF2 > bool > > config CRYPTO_RSA > - bool > + bool "RSA support" > + default y if FITIMAGE_SIGNATURE > > config CRYPTO_RSA_BUILTIN_KEYS > bool -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
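Review bot: In the common/Kconfig hunk, dropping "select CRYPTO_RSA" from FITIMAGE_SIGNATURE makes FITIMAGE_SIGNATURE=y with CRYPTO_RSA=n a valid configuration, and nothing in the visible Kconfig lines requires that at least one signature algorithm stays enabled. Until the upcoming ECDSA option exists, such a build cannot verify any signed image. Consider stating this in the commit message, or, once the ECDSA symbol lands, adding a check that rejects a FITIMAGE_SIGNATURE build with no verification algorithm selected.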
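Review bot: In the common/image-fit.c hunk, the new pr_err() string capitalises "Cannot" after a comma, while the neighbouring message ("signature value not found in %pOF\n") is lowercase; suggest "RSA support is disabled, cannot verify image\n". The callers of fit_check_rsa_signature() are not visible in this hunk, so it is also worth confirming that each of them treats -EOPNOTSUPP as a failed verification rather than as "no signature to check".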
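Review bot: In the crypto/Kconfig hunk, CRYPTO_RSA becomes user-visible through bool "RSA support" but gets no help text. A short help entry saying that the option is needed to verify RSA-signed FIT images, and that with it disabled fit_check_rsa_signature() returns -EOPNOTSUPP, would tell users what they give up by switching it off.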