FIT: Rename FIT_DISABLE_SHA256 to FIT_ENABLE_SHA256_SUPPORT
We rename CONFIG_FIT_DISABLE_SHA256 to CONFIG_FIT_ENABLE_SHA256_SUPPORT which
is enabled by default and now a positive option. Convert the handful of boards
that were disabling it before to save space.
Cc: Dirk Eibach <eibach@gdsys.de>
Cc: Lukasz Dalek <luk0104@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/Kconfig b/Kconfig
index 1cf990d..0a44531 100644
--- a/Kconfig
+++ b/Kconfig
@@ -157,6 +157,19 @@
if FIT
+config FIT_ENABLE_SHA256_SUPPORT
+ bool "Support SHA256 checksum of FIT image contents"
+ default y
+ help
+ Enable this to support SHA256 checksum of FIT image contents. A
+ SHA256 checksum is a 256-bit (32-byte) hash value used to check that
+ the image contents have not been corrupted. SHA256 is recommended
+ for use in secure applications since (as at 2016) there is no known
+ feasible attack that could produce a 'collision' with differing
+ input data. Use this for the highest security. Note that only the
+ SHA256 variant is supported: SHA512 and others are not currently
+ supported in U-Boot.
+
config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
diff --git a/README b/README
index 350b805..15ef469 100644
--- a/README
+++ b/README
@@ -2973,15 +2973,6 @@
This define is introduced, as the legacy image format is
enabled per default for backward compatibility.
-- FIT image support:
- CONFIG_FIT_DISABLE_SHA256
- Supporting SHA256 hashes has quite an impact on binary size.
- For constrained systems sha256 hash support can be disabled
- with this option.
-
- TODO(sjg@chromium.org): Adjust this option to be positive,
- and move it to Kconfig
-
- Standalone program support:
CONFIG_STANDALONE_LOAD_ADDR
diff --git a/configs/dlvision-10g_defconfig b/configs/dlvision-10g_defconfig
index c3574e1..44f7527 100644
--- a/configs/dlvision-10g_defconfig
+++ b/configs/dlvision-10g_defconfig
@@ -3,6 +3,7 @@
CONFIG_4xx=y
CONFIG_TARGET_DLVISION_10G=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_FIT_VERBOSE=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_BOOTDELAY=5
diff --git a/configs/dlvision_defconfig b/configs/dlvision_defconfig
index f9f07ee..4dd09a2 100644
--- a/configs/dlvision_defconfig
+++ b/configs/dlvision_defconfig
@@ -3,6 +3,7 @@
CONFIG_4xx=y
CONFIG_TARGET_DLVISION=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_FIT_VERBOSE=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_BOOTDELAY=5
diff --git a/configs/h2200_defconfig b/configs/h2200_defconfig
index b85ed59..9d3698c 100644
--- a/configs/h2200_defconfig
+++ b/configs/h2200_defconfig
@@ -1,6 +1,7 @@
CONFIG_ARM=y
CONFIG_TARGET_H2200=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_SYS_CONSOLE_IS_IN_ENV=y
# CONFIG_DISPLAY_CPUINFO is not set
# CONFIG_DISPLAY_BOARDINFO is not set
diff --git a/configs/io_defconfig b/configs/io_defconfig
index 5dca2b1..27edc59 100644
--- a/configs/io_defconfig
+++ b/configs/io_defconfig
@@ -3,6 +3,7 @@
CONFIG_4xx=y
CONFIG_TARGET_IO=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_FIT_VERBOSE=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_BOOTDELAY=5
diff --git a/configs/iocon_defconfig b/configs/iocon_defconfig
index c74df94..2529181 100644
--- a/configs/iocon_defconfig
+++ b/configs/iocon_defconfig
@@ -3,6 +3,7 @@
CONFIG_4xx=y
CONFIG_TARGET_IOCON=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_OF_BOARD_SETUP=y
CONFIG_BOOTDELAY=5
CONFIG_SYS_CONSOLE_INFO_QUIET=y
diff --git a/configs/neo_defconfig b/configs/neo_defconfig
index fbb2da4..1bf5151 100644
--- a/configs/neo_defconfig
+++ b/configs/neo_defconfig
@@ -3,6 +3,7 @@
CONFIG_4xx=y
CONFIG_TARGET_NEO=y
CONFIG_FIT=y
+# CONFIG_FIT_ENABLE_SHA256_SUPPORT is not set
CONFIG_FIT_VERBOSE=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_BOOTDELAY=5
diff --git a/include/configs/dlvision-10g.h b/include/configs/dlvision-10g.h
index e32651f..c5e2276 100644
--- a/include/configs/dlvision-10g.h
+++ b/include/configs/dlvision-10g.h
@@ -31,9 +31,6 @@
#define PLLMR0_DEFAULT PLLMR0_266_133_66
#define PLLMR1_DEFAULT PLLMR1_266_133_66
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
/*
diff --git a/include/configs/dlvision.h b/include/configs/dlvision.h
index 2b7d62b..f8d390b 100644
--- a/include/configs/dlvision.h
+++ b/include/configs/dlvision.h
@@ -29,9 +29,6 @@
#define PLLMR0_DEFAULT PLLMR0_266_133_66_33
#define PLLMR1_DEFAULT PLLMR1_266_133_66_33
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
/*
diff --git a/include/configs/h2200.h b/include/configs/h2200.h
index d8724f8..530a88e 100644
--- a/include/configs/h2200.h
+++ b/include/configs/h2200.h
@@ -109,7 +109,6 @@
#define CONFIG_SYS_BAUDRATE_TABLE { 9600, 38400, 115200 }
-#define CONFIG_FIT_DISABLE_SHA256
#define CONFIG_SETUP_MEMORY_TAGS
#define CONFIG_CMDLINE_TAG
#define CONFIG_INITRD_TAG
diff --git a/include/configs/io.h b/include/configs/io.h
index 3e44a8c..ee2b52a 100644
--- a/include/configs/io.h
+++ b/include/configs/io.h
@@ -31,9 +31,6 @@
#define PLLMR0_DEFAULT PLLMR0_266_133_66
#define PLLMR1_DEFAULT PLLMR1_266_133_66
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
/*
diff --git a/include/configs/iocon.h b/include/configs/iocon.h
index 9c3be78..afa6994 100644
--- a/include/configs/iocon.h
+++ b/include/configs/iocon.h
@@ -33,9 +33,6 @@
#define PLLMR0_DEFAULT PLLMR0_266_133_66
#define PLLMR1_DEFAULT PLLMR1_266_133_66
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
/*
diff --git a/include/configs/neo.h b/include/configs/neo.h
index 9115e25..1d8e13f 100644
--- a/include/configs/neo.h
+++ b/include/configs/neo.h
@@ -31,9 +31,6 @@
#define PLLMR0_DEFAULT PLLMR0_266_133_66_33
#define PLLMR1_DEFAULT PLLMR1_266_133_66_33
-/* new uImage format support */
-#define CONFIG_FIT_DISABLE_SHA256
-
#define CONFIG_ENV_IS_IN_FLASH /* use FLASH for environment vars */
/*
diff --git a/include/image.h b/include/image.h
index 3f26f9b..800426d 100644
--- a/include/image.h
+++ b/include/image.h
@@ -29,6 +29,7 @@
#define IMAGE_ENABLE_FIT 1
#define IMAGE_ENABLE_OF_LIBFDT 1
#define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */
+#define CONFIG_FIT_ENABLE_SHA256_SUPPORT
#define IMAGE_ENABLE_IGNORE 0
#define IMAGE_INDENT_STRING ""
@@ -62,9 +63,6 @@
# ifdef CONFIG_SPL_SHA1_SUPPORT
# define IMAGE_ENABLE_SHA1 1
# endif
-# ifdef CONFIG_SPL_SHA256_SUPPORT
-# define IMAGE_ENABLE_SHA256 1
-# endif
# else
# define CONFIG_CRC32 /* FIT images need CRC32 support */
# define CONFIG_SHA1 /* and SHA1 */
@@ -72,14 +70,8 @@
# define IMAGE_ENABLE_CRC32 1
# define IMAGE_ENABLE_MD5 1
# define IMAGE_ENABLE_SHA1 1
-# define IMAGE_ENABLE_SHA256 1
# endif
-#ifdef CONFIG_FIT_DISABLE_SHA256
-#undef CONFIG_SHA256
-#undef IMAGE_ENABLE_SHA256
-#endif
-
#ifndef IMAGE_ENABLE_CRC32
#define IMAGE_ENABLE_CRC32 0
#endif
@@ -92,7 +84,11 @@
#define IMAGE_ENABLE_SHA1 0
#endif
-#ifndef IMAGE_ENABLE_SHA256
+#if defined(CONFIG_FIT_ENABLE_SHA256_SUPPORT) || \
+ defined(CONFIG_SPL_SHA256_SUPPORT)
+#define CONFIG_SHA256
+#define IMAGE_ENABLE_SHA256 1
+#else
#define IMAGE_ENABLE_SHA256 0
#endif
diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt
index fa9c3fc..4ed76f3 100644
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@@ -947,7 +947,6 @@
CONFIG_FILE
CONFIG_FIRMWARE_OFFSET
CONFIG_FIRMWARE_SIZE
-CONFIG_FIT_DISABLE_SHA256
CONFIG_FIXED_PHY
CONFIG_FIXED_PHY_ADDR
CONFIG_FIXED_SDHCI_ALIGNED_BUFFER