FIT: Rename FIT_DISABLE_SHA256 to FIT_ENABLE_SHA256_SUPPORT

We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which is enabled by default and now a positive option. Convert the handful of boards that were disabling it before to save space. Cc: Dirk Eibach <eibach@gdsys.de> Cc: Lukasz Dalek <luk0104@gmail.com> Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Simon Glass <sjg@chromium.org>

FIT: Rename FIT_DISABLE_SHA256 to FIT_ENABLE_SHA256_SUPPORT
We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which is enabled by default and now a positive option. Convert the handful of boards that were disabling it before to save space. Cc: Dirk Eibach <eibach@gdsys.de> Cc: Lukasz Dalek <luk0104@gmail.com> Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Simon Glass <sjg@chromium.org>
Tom Rini
1 parent 6b83c38d7a
Showing 16 changed files with 25 additions and 36 deletions Side-by-side Diff
Kconfig
README
configs/dlvision-10g_defconfig
configs/dlvision_defconfig
configs/h2200_defconfig
configs/io_defconfig
configs/iocon_defconfig
configs/neo_defconfig
include/configs/dlvision-10g.h
include/configs/dlvision.h
include/configs/h2200.h
include/configs/io.h
include/configs/iocon.h
include/configs/neo.h
include/image.h
scripts/config_whitelist.txt
@@ -157,6 +157,19 @@
  
 if FIT
  
+config FIT_ENABLE_SHA256_SUPPORT
+	bool "Support SHA256 checksum of FIT image contents"
+	default y
+	help
+	  Enable this to support SHA256 checksum of FIT image contents. A
+	  SHA256 checksum is a 256-bit (32-byte) hash value used to check that
+	  the image contents have not been corrupted. SHA256 is recommended
+	  for use in secure applications since (as at 2016) there is no known
+	  feasible attack that could produce a 'collision' with differing
+	  input data. Use this for the highest security. Note that only the
+	  SHA256 variant is supported: SHA512 and others are not currently
+	  supported in U-Boot.
+
 config FIT_SIGNATURE
 	bool "Enable signature verification of FIT uImages"
 	depends on DM
@@ -2973,15 +2973,6 @@
 		This define is introduced, as the legacy image format is
 		enabled per default for backward compatibility.
  
-- FIT image support:
-		CONFIG_FIT_DISABLE_SHA256
-		Supporting SHA256 hashes has quite an impact on binary size.
-		For constrained systems sha256 hash support can be disabled
-		with this option.
-
-		TODO(sjg@chromium.org): Adjust this option to be positive,
-		and move it to Kconfig
-
 - Standalone program support:
 		CONFIG_STANDALONE_LOAD_ADDR
  
@@ -3,6 +3,7 @@
 CONFIG_4xx=y
 CONFIG_TARGET_DLVISION_10G=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_FIT_VERBOSE=y
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_BOOTDELAY=5
@@ -3,6 +3,7 @@
 CONFIG_4xx=y
 CONFIG_TARGET_DLVISION=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_FIT_VERBOSE=y
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_BOOTDELAY=5
 CONFIG_ARM=y
 CONFIG_TARGET_H2200=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_SYS_CONSOLE_IS_IN_ENV=y
 # CONFIG_DISPLAY_CPUINFO is not set
 # CONFIG_DISPLAY_BOARDINFO is not set
@@ -3,6 +3,7 @@
 CONFIG_4xx=y
 CONFIG_TARGET_IO=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_FIT_VERBOSE=y
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_BOOTDELAY=5
@@ -3,6 +3,7 @@
 CONFIG_4xx=y
 CONFIG_TARGET_IOCON=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_BOOTDELAY=5
 CONFIG_SYS_CONSOLE_INFO_QUIET=y
@@ -3,6 +3,7 @@
 CONFIG_4xx=y
 CONFIG_TARGET_NEO=y
 CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
 CONFIG_FIT_VERBOSE=y
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_BOOTDELAY=5
@@ -31,9 +31,6 @@
 #define PLLMR0_DEFAULT PLLMR0_266_133_66
 #define PLLMR1_DEFAULT PLLMR1_266_133_66
  
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
 #define CONFIG_ENV_IS_IN_FLASH	/* use FLASH for environment vars */
  
 /*
@@ -29,9 +29,6 @@
 #define PLLMR0_DEFAULT PLLMR0_266_133_66_33
 #define PLLMR1_DEFAULT PLLMR1_266_133_66_33
  
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
 #define CONFIG_ENV_IS_IN_FLASH	/* use FLASH for environment vars */
  
 /*
@@ -109,7 +109,6 @@
  
 #define CONFIG_SYS_BAUDRATE_TABLE	{ 9600, 38400, 115200 }
  
-#define CONFIG_FIT_DISABLE_SHA256
 #define CONFIG_SETUP_MEMORY_TAGS
 #define CONFIG_CMDLINE_TAG
 #define CONFIG_INITRD_TAG
@@ -31,9 +31,6 @@
 #define PLLMR0_DEFAULT PLLMR0_266_133_66
 #define PLLMR1_DEFAULT PLLMR1_266_133_66
  
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
 #define CONFIG_ENV_IS_IN_FLASH	/* use FLASH for environment vars */
  
 /*
@@ -33,9 +33,6 @@
 #define PLLMR0_DEFAULT PLLMR0_266_133_66
 #define PLLMR1_DEFAULT PLLMR1_266_133_66
  
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
 #define CONFIG_ENV_IS_IN_FLASH	/* use FLASH for environment vars */
  
 /*
@@ -31,9 +31,6 @@
 #define PLLMR0_DEFAULT PLLMR0_266_133_66_33
 #define PLLMR1_DEFAULT PLLMR1_266_133_66_33
  
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
 #define CONFIG_ENV_IS_IN_FLASH	/* use FLASH for environment vars */
  
 /*
@@ -29,6 +29,7 @@
 #define IMAGE_ENABLE_FIT	1
 #define IMAGE_ENABLE_OF_LIBFDT	1
 #define CONFIG_FIT_VERBOSE	1 /* enable fit_format_{error,warning}() */
+#define CONFIG_FIT_ENABLE_SHA256_SUPPORT
  
 #define IMAGE_ENABLE_IGNORE	0
 #define IMAGE_INDENT_STRING	""
@@ -62,9 +63,6 @@
 #  ifdef CONFIG_SPL_SHA1_SUPPORT
 #   define IMAGE_ENABLE_SHA1	1
 #  endif
-#  ifdef CONFIG_SPL_SHA256_SUPPORT
-#   define IMAGE_ENABLE_SHA256	1
-#  endif
 # else
 #  define CONFIG_CRC32		/* FIT images need CRC32 support */
 #  define CONFIG_SHA1		/* and SHA1 */
  
@@ -72,14 +70,8 @@
 #  define IMAGE_ENABLE_CRC32	1
 #  define IMAGE_ENABLE_MD5	1
 #  define IMAGE_ENABLE_SHA1	1
-#  define IMAGE_ENABLE_SHA256	1
 # endif
  
-#ifdef CONFIG_FIT_DISABLE_SHA256
-#undef CONFIG_SHA256
-#undef IMAGE_ENABLE_SHA256
-#endif
-
 #ifndef IMAGE_ENABLE_CRC32
 #define IMAGE_ENABLE_CRC32	0
 #endif
@@ -92,7 +84,11 @@
 #define IMAGE_ENABLE_SHA1	0
 #endif
  
-#ifndef IMAGE_ENABLE_SHA256
+#if defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT) || \
+	defined(CONFIG_SPL_SHA256_SUPPORT)
+#define CONFIG_SHA256
+#define IMAGE_ENABLE_SHA256	1
+#else
 #define IMAGE_ENABLE_SHA256	0
 #endif
  
@@ -947,7 +947,6 @@
 CONFIG_FILE
 CONFIG_FIRMWARE_OFFSET
 CONFIG_FIRMWARE_SIZE
-CONFIG_FIT_DISABLE_SHA256
 CONFIG_FIXED_PHY
 CONFIG_FIXED_PHY_ADDR
 CONFIG_FIXED_SDHCI_ALIGNED_BUFFER
...	...	@@ -157,6 +157,19 @@
157	157
158	158	if FIT
159	159
	160	+config FIT_ENABLE_SHA256_SUPPORT
	161	+ bool "Support SHA256 checksum of FIT image contents"
	162	+ default y
	163	+ help
	164	+ Enable this to support SHA256 checksum of FIT image contents. A
	165	+ SHA256 checksum is a 256-bit (32-byte) hash value used to check that
	166	+ the image contents have not been corrupted. SHA256 is recommended
	167	+ for use in secure applications since (as at 2016) there is no known
	168	+ feasible attack that could produce a 'collision' with differing
	169	+ input data. Use this for the highest security. Note that only the
	170	+ SHA256 variant is supported: SHA512 and others are not currently
	171	+ supported in U-Boot.
	172	+
160	173	config FIT_SIGNATURE
161	174	bool "Enable signature verification of FIT uImages"
162	175	depends on DM
...	...	@@ -2973,15 +2973,6 @@
2973	2973	This define is introduced, as the legacy image format is
2974	2974	enabled per default for backward compatibility.
2975	2975
2976		-- FIT image support:
2977		- CONFIG_FIT_DISABLE_SHA256
2978		- Supporting SHA256 hashes has quite an impact on binary size.
2979		- For constrained systems sha256 hash support can be disabled
2980		- with this option.
2981		-
2982		- TODO(sjg@chromium.org): Adjust this option to be positive,
2983		- and move it to Kconfig
2984		-
2985	2976	- Standalone program support:
2986	2977	CONFIG_STANDALONE_LOAD_ADDR
2987	2978
...	...	@@ -3,6 +3,7 @@
3	3	CONFIG_4xx=y
4	4	CONFIG_TARGET_DLVISION_10G=y
5	5	CONFIG_FIT=y
	6	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
6	7	CONFIG_FIT_VERBOSE=y
7	8	CONFIG_OF_BOARD_SETUP=y
8	9	CONFIG_BOOTDELAY=5
...	...	@@ -3,6 +3,7 @@
3	3	CONFIG_4xx=y
4	4	CONFIG_TARGET_DLVISION=y
5	5	CONFIG_FIT=y
	6	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
6	7	CONFIG_FIT_VERBOSE=y
7	8	CONFIG_OF_BOARD_SETUP=y
8	9	CONFIG_BOOTDELAY=5
1	1	CONFIG_ARM=y
2	2	CONFIG_TARGET_H2200=y
3	3	CONFIG_FIT=y
	4	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
4	5	CONFIG_SYS_CONSOLE_IS_IN_ENV=y
5	6	# CONFIG_DISPLAY_CPUINFO is not set
6	7	# CONFIG_DISPLAY_BOARDINFO is not set
...	...	@@ -3,6 +3,7 @@
3	3	CONFIG_4xx=y
4	4	CONFIG_TARGET_IO=y
5	5	CONFIG_FIT=y
	6	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
6	7	CONFIG_FIT_VERBOSE=y
7	8	CONFIG_OF_BOARD_SETUP=y
8	9	CONFIG_BOOTDELAY=5
...	...	@@ -3,6 +3,7 @@
3	3	CONFIG_4xx=y
4	4	CONFIG_TARGET_IOCON=y
5	5	CONFIG_FIT=y
	6	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
6	7	CONFIG_OF_BOARD_SETUP=y
7	8	CONFIG_BOOTDELAY=5
8	9	CONFIG_SYS_CONSOLE_INFO_QUIET=y
...	...	@@ -3,6 +3,7 @@
3	3	CONFIG_4xx=y
4	4	CONFIG_TARGET_NEO=y
5	5	CONFIG_FIT=y
	6	+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
6	7	CONFIG_FIT_VERBOSE=y
7	8	CONFIG_OF_BOARD_SETUP=y
8	9	CONFIG_BOOTDELAY=5
...	...	@@ -31,9 +31,6 @@
31	31	#define PLLMR0_DEFAULT PLLMR0_266_133_66
32	32	#define PLLMR1_DEFAULT PLLMR1_266_133_66
33	33
34		-/* new uImage format support */
35		-#define CONFIG_FIT_DISABLE_SHA256
36		-
37	34	#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
38	35
39	36	/*
...	...	@@ -29,9 +29,6 @@
29	29	#define PLLMR0_DEFAULT PLLMR0_266_133_66_33
30	30	#define PLLMR1_DEFAULT PLLMR1_266_133_66_33
31	31
32		-/* new uImage format support */
33		-#define CONFIG_FIT_DISABLE_SHA256
34		-
35	32	#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
36	33
37	34	/*