Hi Alex, On Fri, 14 May 2021 at 14:38, Alex G. <mr.nuke...@gmail.com> wrote: > > > > On 5/6/21 9:24 AM, Simon Glass wrote: > > Add host Kconfigs for FIT_SIGN and RSA_VERIFY. With these we can use > > CONFIG_IS_ENABLED() directly in the host build, so drop the unnecessary > > indirections IMAGE_ENABLE_SIGN and HOST_RSA_VERIFY. Also drop > > FIT_IMAGE_ENABLE_VERIFY which is not actually used. > > > > Leave IMAGE_ENABLE_VERIFY_ECDSA along since this feature is incomplete > > and needs to be integrated with RSA. > > > > Signed-off-by: Simon Glass <s...@chromium.org> > > --- > > > > (no changes since v1) > > > > common/image-fit.c | 6 +++--- > > common/image-sig.c | 10 +++++----- > > include/image.h | 13 ++----------- > > include/u-boot/ecdsa.h | 2 +- > > include/u-boot/rsa.h | 4 ++-- > > tools/Kconfig | 10 ++++++++++ > > tools/image-host.c | 4 ++-- > > 7 files changed, 25 insertions(+), 24 deletions(-) > > > > diff --git a/common/image-fit.c b/common/image-fit.c > > index c13ff6bba24..e81a0858dc1 100644 > > --- a/common/image-fit.c > > +++ b/common/image-fit.c > > @@ -1301,7 +1301,7 @@ int fit_image_verify_with_data(const void *fit, int > > image_noffset, > > int ret; > > > > /* Verify all required signatures */ > > - if (FIT_IMAGE_ENABLE_VERIFY && > > + if (CONFIG_IS_ENABLED(RSA_VERIFY) && > > NAK. Having verification depend directly on CONFIG_RSA_VERIFY will make > adding ECDSA support that much more convoluted.
Let me counter-NAK. The ECDSA needs to be integrated into the RSA stuff, as we have done with hashing. E.g. CONFIG_VERIFY that enables the feature, with a driver to select which methods are supported. I think I mentioned that in the original review. Regards, Simon
