[PATCH 0/6] crypto: keys: Some work for public keys

[PATCH 0/6] crypto: keys: Some work for public keys

[Sascha Hauer]

Traditionally we included public keys in form of dts snippets generated
by U-Boot mkImage and compiled into the barebox device trees. We can now
include public keys directly as C structs from the public key PEM files
or PKCS#11 uris which is easier to integrate. Nevertheless the dts
snippet way is still present which makes the configuration slightly
confusing. Remove this old way for good to make configuration easier
and to get rid of some maintenance burden.

Another point tackled in this series is that we can compile multiple
keys into the binary, but the user is left without a clue which key
is finally used. This series adds a sha256 hash over the public keys
to struct public_key which can be printed along the key to identify it.

Finally Pengutronix created a set of well known development keys for
convenient testing of secure boot chains. This series adds a new option
to compile the public key parts into the barebox binary with a single
knob. With this images signed with these keys can esaily be tested
without the need of a BSP or adding the paths to the keys into Kconfig.

Finally the output of the FIT image code is improved. It has become very
verbose when used with FIT images containing multiple device tree
overlays. The information is now hidden behind the verbose option which
can be activated with bootm -v or global.bootm.verbose=1.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (6):
      crypto: drop BOOTM_FITIMAGE_PUBKEY
      crypto: Allow to include development keys in build
      crypto: include public key hashes
      commands: add keys command
      fit: consistently pass around fit_handle
      fit: improve diagnostics

 Documentation/user/security.rst                    |  5 ++
 arch/arm/dts/imx6dl-phytec-pbab01.dts              |  3 --
 arch/arm/dts/imx6dl-phytec-phyboard-subra.dts      |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6q-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-alcor.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-subra.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phycard.dts              |  4 --
 arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts     |  3 --
 arch/arm/dts/imx6q-phytec-phycore-som-nand.dts     |  3 --
 arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6s-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6ul-tqma6ul-common.dtsi            |  4 --
 arch/arm/dts/imx6ul-webasto-ccbv2.dts              |  4 --
 arch/arm/dts/imx6ul-webasto-marvel.dts             |  4 --
 arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts   |  3 --
 .../arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts   |  3 --
 arch/arm/dts/stm32mp133c-mect1s.dts                |  4 --
 arch/arm/dts/stm32mp133c-prihmb.dts                |  4 --
 arch/arm/dts/stm32mp151c-plyaqm.dts                |  4 --
 commands/Kconfig                                   |  7 +++
 commands/Makefile                                  |  1 +
 commands/keys.c                                    | 30 +++++++++++
 common/Kconfig                                     | 32 ------------
 common/boards/qemu-virt/fitimage-pubkey.dts        |  4 --
 common/image-fit.c                                 | 40 ++++++++++-----
 crypto/Kconfig                                     |  7 +--
 crypto/Makefile                                    |  9 ++++
 crypto/fit-4096-development.crt                    | 33 ++++++++++++
 crypto/fit-ecdsa-development.crt                   | 13 +++++
 crypto/public-keys.c                               |  6 ++-
 include/crypto/public_key.h                        |  2 +
 scripts/Makefile.lib                               | 12 -----
 scripts/keytoc.c                                   | 59 ++++++++++++++++++++++
 40 files changed, 194 insertions(+), 148 deletions(-)
---
base-commit: 525ccfb5ac381c06898e6403e12ec8c34c42c0f8
change-id: 20250821-keynames-95b43a99e8c5

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>

[PATCH 1/6] crypto: drop BOOTM_FITIMAGE_PUBKEY

[Sascha Hauer]

With CONFIG_CRYPTO_PUBLIC_KEYS we have a convenient way to specify
builtin keys which works both with PEM files and PKCS#11 uris. Drop
the possibility to compile in public keys using dts snippets to reduce
the complexity a bit.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/dts/imx6dl-phytec-pbab01.dts              |  3 --
 arch/arm/dts/imx6dl-phytec-phyboard-subra.dts      |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6q-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-alcor.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-subra.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phycard.dts              |  4 ---
 arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts     |  3 --
 arch/arm/dts/imx6q-phytec-phycore-som-nand.dts     |  3 --
 arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6s-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6ul-tqma6ul-common.dtsi            |  4 ---
 arch/arm/dts/imx6ul-webasto-ccbv2.dts              |  4 ---
 arch/arm/dts/imx6ul-webasto-marvel.dts             |  4 ---
 arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts   |  3 --
 .../arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts   |  3 --
 arch/arm/dts/stm32mp133c-mect1s.dts                |  4 ---
 arch/arm/dts/stm32mp133c-prihmb.dts                |  4 ---
 arch/arm/dts/stm32mp151c-plyaqm.dts                |  4 ---
 common/Kconfig                                     | 32 ----------------------
 common/boards/qemu-virt/fitimage-pubkey.dts        |  4 ---
 crypto/Kconfig                                     |  3 --
 scripts/Makefile.lib                               | 12 --------
 29 files changed, 133 deletions(-)

diff --git a/arch/arm/dts/imx6dl-phytec-pbab01.dts b/arch/arm/dts/imx6dl-phytec-pbab01.dts
index b524a0cc7a294582a5ca6a7c5410c35b59d56352..f83920f915f73442fc9683ab7adedf1625f7aed4 100644
--- a/arch/arm/dts/imx6dl-phytec-pbab01.dts
+++ b/arch/arm/dts/imx6dl-phytec-pbab01.dts
@@ -10,9 +10,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6dl-phytec-pfla02.dtsi"
 #include "imx6qdl-phytec-pbab01.dtsi"
 
diff --git a/arch/arm/dts/imx6dl-phytec-phyboard-subra.dts b/arch/arm/dts/imx6dl-phytec-phyboard-subra.dts
index efed30651ae63a446418b190693aab58a6d28fe2..c71180ddd0b4cda9d8ee2f53212c858ceaf42133 100644
--- a/arch/arm/dts/imx6dl-phytec-phyboard-subra.dts
+++ b/arch/arm/dts/imx6dl-phytec-phyboard-subra.dts
@@ -10,9 +10,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6s-phytec-pfla02.dtsi"
 #include "imx6qdl-phytec-phyboard-subra.dtsi"
 
diff --git a/arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts b/arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts
index 133b75f5a781167ed9de6c3cb6f2cc7601540d88..f2d0b4de789a09e12638a32aeee956b06b73c17c 100644
--- a/arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts
+++ b/arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6dl.dtsi>
 #include "imx6dl.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts b/arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts
index c94489146545876e9c15c69cab5a427fc31fd842..1e0a333c05a0a46bbc6216a3e339f79594e57773 100644
--- a/arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts
+++ b/arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6dl.dtsi>
 #include "imx6dl.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts b/arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts
index 6add67264429e35c729e1681b9aa88a8b4ff76d4..3504298b99243447e160f5b9045a87b884f29749 100644
--- a/arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts
+++ b/arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6dl.dtsi>
 #include "imx6dl.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts b/arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts
index ddecfbc2b2b84ea520b2d39b7d51daccf988d1df..0f2706c25c5c6e1535352708f88d9ef92ee6e477 100644
--- a/arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts
+++ b/arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6dl.dtsi>
 #include "imx6dl.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6q-phytec-pbab01.dts b/arch/arm/dts/imx6q-phytec-pbab01.dts
index 91562a2ffeb21f57f1bc590a720a5ef4026d6b5f..2f816dd1ac350e0e063556f0790d6cdd7bb6066b 100644
--- a/arch/arm/dts/imx6q-phytec-pbab01.dts
+++ b/arch/arm/dts/imx6q-phytec-pbab01.dts
@@ -10,9 +10,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6q-phytec-pfla02.dtsi"
 #include "imx6qdl-phytec-pbab01.dtsi"
 
diff --git a/arch/arm/dts/imx6q-phytec-phyboard-alcor.dts b/arch/arm/dts/imx6q-phytec-phyboard-alcor.dts
index d97c7f15c9264a6acd046bc37999df4d96cac3db..1c4a78552d89e257a5a3145a3c6d6e82945c009d 100644
--- a/arch/arm/dts/imx6q-phytec-phyboard-alcor.dts
+++ b/arch/arm/dts/imx6q-phytec-phyboard-alcor.dts
@@ -10,9 +10,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6q-phytec-pfla02.dtsi"
 
 / {
diff --git a/arch/arm/dts/imx6q-phytec-phyboard-subra.dts b/arch/arm/dts/imx6q-phytec-phyboard-subra.dts
index 498611103670e085ce060cabad6307da6acb25aa..561e9856046bcd611e0bad01495d3e5fd02da956 100644
--- a/arch/arm/dts/imx6q-phytec-phyboard-subra.dts
+++ b/arch/arm/dts/imx6q-phytec-phyboard-subra.dts
@@ -11,9 +11,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6q-phytec-pfla02.dtsi"
 #include "imx6qdl-phytec-phyboard-subra.dtsi"
 
diff --git a/arch/arm/dts/imx6q-phytec-phycard.dts b/arch/arm/dts/imx6q-phytec-phycard.dts
index 9e1bbbe15dc49bd70dd9ca938533b66353231476..5b5fb6718f3f14d266a014411821a0bdd755445b 100644
--- a/arch/arm/dts/imx6q-phytec-phycard.dts
+++ b/arch/arm/dts/imx6q-phytec-phycard.dts
@@ -6,10 +6,6 @@
 
 /dts-v1/;
 
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
-
 #include <arm/nxp/imx/imx6q.dtsi>
 #include "imx6q.dtsi"
 #include "imx6qdl-phytec-phycard-som.dtsi"
diff --git a/arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts b/arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts
index 574e31c4761ffbb8495868a338371f0abd948efc..5d654b5eba692bcfa562e95db855baddba3b7222 100644
--- a/arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts
+++ b/arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6q.dtsi>
 #include "imx6q.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6q-phytec-phycore-som-nand.dts b/arch/arm/dts/imx6q-phytec-phycore-som-nand.dts
index 70b8cfca8bc42b5f00b313170c27792abdad0934..aafaa7767501f7894e7230020dd06a5806b4c5ca 100644
--- a/arch/arm/dts/imx6q-phytec-phycore-som-nand.dts
+++ b/arch/arm/dts/imx6q-phytec-phycore-som-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6q.dtsi>
 #include "imx6q.dtsi"
 #include "imx6qdl-phytec-phycore-som.dtsi"
diff --git a/arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts b/arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts
index 76d0ac0847b3f32e979902022c9588c0fe86f57a..1caa0a944d499a8c9cbbbc57c3c427b9656af561 100644
--- a/arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts
+++ b/arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6qp.dtsi>
 #include "imx6qdl-phytec-phycore-som.dtsi"
 #include "imx6qdl-phytec-mira.dtsi"
diff --git a/arch/arm/dts/imx6s-phytec-pbab01.dts b/arch/arm/dts/imx6s-phytec-pbab01.dts
index 516d20f77607568069642419b42673f3d595c1e0..b939f058067fcc66570d2c28b3fa0ce8c21dfbfe 100644
--- a/arch/arm/dts/imx6s-phytec-pbab01.dts
+++ b/arch/arm/dts/imx6s-phytec-pbab01.dts
@@ -10,9 +10,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include "imx6s-phytec-pfla02.dtsi"
 #include "imx6qdl-phytec-pbab01.dtsi"
 
diff --git a/arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts b/arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts
index 0faa17198b54854fe2a7cb8d6f78f5c479513f03..7a09279df27060c5f7f3efc4b98bfe07e90e7096 100644
--- a/arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts
+++ b/arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6ul.dtsi>
 #include "imx6ul-phytec-phycore-som.dtsi"
 #include "imx6ul-phytec-state.dtsi"
diff --git a/arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts b/arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts
index 39020efd2586a697afb9426e1651bfef917b2ce5..b4f421807a7bd97eecdcba807003289dd36acb8d 100644
--- a/arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts
+++ b/arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6ul.dtsi>
 #include "imx6ul-phytec-phycore-som.dtsi"
 #include "imx6ul-phytec-state.dtsi"
diff --git a/arch/arm/dts/imx6ul-tqma6ul-common.dtsi b/arch/arm/dts/imx6ul-tqma6ul-common.dtsi
index c2f8d79ec3610b6577f6ec91ff9297e7157f4984..3e5350450d1ee1e69b2f1e05ab3e73a1170f106e 100644
--- a/arch/arm/dts/imx6ul-tqma6ul-common.dtsi
+++ b/arch/arm/dts/imx6ul-tqma6ul-common.dtsi
@@ -58,7 +58,3 @@ &ocotp {
 	barebox,provide-mac-address = <&fec1 0x620 &fec2 0x632>;
 };
 
-/* include the FIT public key for verifying on demand */
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
diff --git a/arch/arm/dts/imx6ul-webasto-ccbv2.dts b/arch/arm/dts/imx6ul-webasto-ccbv2.dts
index 8628eefc9730e168d224bd3930f59a7ab30a29ca..6b67530169e14a422214a1b2ffab745a7641bc2f 100644
--- a/arch/arm/dts/imx6ul-webasto-ccbv2.dts
+++ b/arch/arm/dts/imx6ul-webasto-ccbv2.dts
@@ -114,7 +114,3 @@ &ocotp {
 	barebox,provide-mac-address = <&fec1 0x620>;
 };
 
-/* include the FIT public key for verifying on demand */
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
diff --git a/arch/arm/dts/imx6ul-webasto-marvel.dts b/arch/arm/dts/imx6ul-webasto-marvel.dts
index 533829d47767444195cc9c80ad38a770c6db6632..58117de62c3069576f3e89d578f611a8d935f9b9 100644
--- a/arch/arm/dts/imx6ul-webasto-marvel.dts
+++ b/arch/arm/dts/imx6ul-webasto-marvel.dts
@@ -579,7 +579,3 @@ &wdog1 {
 	status = "okay";
 };
 
-/* include the FIT public key for verifying on demand */
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
diff --git a/arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts b/arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts
index 7df04e2c694fb654eb046e388c232c6ecb18bfc2..297bc760de50be87ba269ab746158823133a3d69 100644
--- a/arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts
+++ b/arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6ull.dtsi>
 #include "imx6ul-phytec-phycore-som.dtsi"
 #include "imx6ul-phytec-state.dtsi"
diff --git a/arch/arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts b/arch/arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts
index e833b7218575280570b9732c4f93fe8923f9b813..be52668be11cb30e9715edec38e5fd024c9d89ca 100644
--- a/arch/arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts
+++ b/arch/arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6ull.dtsi>
 #include "imx6ul-phytec-phycore-som.dtsi"
 
diff --git a/arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts b/arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts
index d9b60c1b71f8bf095df211e5e0c7f37ce9dad400..527d9b5bda3f778d60b5cd9b88dbedb83bb1b846 100644
--- a/arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts
+++ b/arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts
@@ -5,9 +5,6 @@
  */
 
 /dts-v1/;
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
 #include <arm/nxp/imx/imx6ull.dtsi>
 #include "imx6ul-phytec-phycore-som.dtsi"
 #include "imx6ul-phytec-state.dtsi"
diff --git a/arch/arm/dts/stm32mp133c-mect1s.dts b/arch/arm/dts/stm32mp133c-mect1s.dts
index 273253bf0d331dbeeb587b7846a7b18b4244d595..f58565cf342149d7aa63fdf7e660d76d2ddcc970 100644
--- a/arch/arm/dts/stm32mp133c-mect1s.dts
+++ b/arch/arm/dts/stm32mp133c-mect1s.dts
@@ -5,10 +5,6 @@
 #include "stm32mp133c-mect1s.dtsi"
 #include "stm32mp131.dtsi"
 
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
-
 / {
 	barebox,deep-probe;
 
diff --git a/arch/arm/dts/stm32mp133c-prihmb.dts b/arch/arm/dts/stm32mp133c-prihmb.dts
index e91055505b092c3c7cdff8411ad4ee5c7d8187b9..36db3b809fc0757ea911c3909f319331c0aadc0d 100644
--- a/arch/arm/dts/stm32mp133c-prihmb.dts
+++ b/arch/arm/dts/stm32mp133c-prihmb.dts
@@ -5,10 +5,6 @@
 #include "stm32mp133c-prihmb.dtsi"
 #include "stm32mp131.dtsi"
 
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
-
 / {
 	barebox,deep-probe;
 
diff --git a/arch/arm/dts/stm32mp151c-plyaqm.dts b/arch/arm/dts/stm32mp151c-plyaqm.dts
index 229032e9866f6e0c75c1b995a1ca3ba5f2d15e51..c0a270f6b3754d04ee4558789bde2e5df06cb587 100644
--- a/arch/arm/dts/stm32mp151c-plyaqm.dts
+++ b/arch/arm/dts/stm32mp151c-plyaqm.dts
@@ -4,10 +4,6 @@
 #include "stm32mp151c-plyaqm.dtsi"
 #include "stm32mp151.dtsi"
 
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
-
 / {
 	barebox,deep-probe;
 
diff --git a/common/Kconfig b/common/Kconfig
index b2449207eff9533fc54cf15a17d136fe20a3fc26..9bb4630df9e293a70174e09de12c933af9812731 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -722,38 +722,6 @@ config BOOTM_FITIMAGE_SIGNATURE
 	  Additionally the barebox device tree needs a /signature node with the
 	  public key needed to approve the image's signature.
 
-config BOOTM_FITIMAGE_PUBKEY_ENV
-	bool "Specify path to public key in environment"
-	depends on BOOTM_FITIMAGE_SIGNATURE
-	help
-	  If this option is enabled the path to the device tree snippet
-	  containing the public key for verifying FIT images signature is taken
-	  from make's build-time environment, which can allow for better
-	  integration with some build systems.
-
-	  The environment variable has the same name as the corresponding
-	  Kconfig variable:
-
-	  CONFIG_BOOTM_FITIMAGE_PUBKEY
-
-if BOOTM_FITIMAGE_SIGNATURE && !BOOTM_FITIMAGE_PUBKEY_ENV
-
-config BOOTM_FITIMAGE_PUBKEY
-	string "Path to dtsi containing pubkey"
-	default "../fit/pubkey.dtsi"
-	depends on BOOTM_FITIMAGE_SIGNATURE
-	help
-	  Set Path to a dts snippet which holds the public keys for FIT images. The
-	  snippet can then be included in a device tree with
-	  "#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
-
-	  This snippet is usually generated by decompiling a device tree produced
-	  by mkimage. An alternative is CONFIG_CRYPTO_PUBLIC_KEYS, which takes a list
-	  of PEM files or PKCS#11 URIs (with optional key name hints, see its help
-	  text).
-
-endif
-
 config BOOTM_FORCE_SIGNED_IMAGES
 	bool
 	prompt "Force booting of signed images"
diff --git a/common/boards/qemu-virt/fitimage-pubkey.dts b/common/boards/qemu-virt/fitimage-pubkey.dts
index 497799fa4b60870b14ae7597900ad43ab37086d0..1419fa0da5d5d5d7c337490b2533ac1acc0340f6 100644
--- a/common/boards/qemu-virt/fitimage-pubkey.dts
+++ b/common/boards/qemu-virt/fitimage-pubkey.dts
@@ -1,7 +1,3 @@
 /dts-v1/;
 
-#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-#include CONFIG_BOOTM_FITIMAGE_PUBKEY
-#endif
-
 /{ };
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 14728be4aa91a12fd542a39e4bdaa73f9f01ab2c..4f9cc3e6a560b653225efd70246ad1d79a451f78 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -141,9 +141,6 @@ config CRYPTO_PUBLIC_KEYS
 	  prefix, <hint> is used as a key name hint to find a key without
 	  iterating over all keys.
 
-	  This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
-	  at the cost of an openssl build-time dependency.
-
 	  Placeholders such as __ENV__VAR_NAME can be used to look up the
 	  corresponding value in the environment variable VAR_NAME for both
 	  public key paths/URIs as well as key name hints.
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index e6f0e254960a69b7aa3273bdc5469e75c39db977..2128361b3ae327082c278ff9b7ec055d07849810 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -231,12 +231,6 @@ dtc_cpp_flags  = -Wp,-MD,$(depfile).pre -nostdinc                        \
 		 $(DTC_CPP_FLAGS_$(basetarget)$(suffix $@))              \
 		 -undef -D__DTS__
 
-ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
-ifneq ($(CONFIG_BOOTM_FITIMAGE_PUBKEY),"")
-dtc_cpp_flags += -DCONFIG_BOOTM_FITIMAGE_PUBKEY=\"$(CONFIG_BOOTM_FITIMAGE_PUBKEY)\"
-endif
-endif
-
 # Finds the multi-part object the current object will be linked into
 modname-multi = $(sort $(foreach m,$(multi-used),\
 		$(if $(filter $(subst $(obj)/,,$*.o), $($(m:.o=-objs)) $($(m:.o=-y))),$(m:.o=))))
@@ -583,11 +577,6 @@ overwrite-hab-env = $(shell set -e; \
       test -n "$$$(1)"; \
       echo -D$(1)=\''"$($(1))"'\')
 
-overwrite-fit-env = $(shell set -e; \
-      test -n "$(CONFIG_BOOTM_FITIMAGE_PUBKEY_ENV)"; \
-      test -n "$$$(1)"; \
-      echo -D$(1)=\\\"$(shell echo $$$(1))\\\")
-
 imxcfg_cpp_flags  = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
       -I $(srctree)/include -I $(srctree)/arch/arm/mach-imx/include \
       -include include/generated/autoconf.h \
@@ -598,7 +587,6 @@ imxcfg_cpp_flags  = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
       $(call overwrite-hab-env,CONFIG_HABV4_CSF_CRT_PEM) \
       $(call overwrite-hab-env,CONFIG_HABV4_CSF_UNLOCK_UID) \
       $(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM) \
-      $(call overwrite-fit-env,CONFIG_BOOTM_FITIMAGE_PUBKEY) \
 
 dcd-tmp = $(subst $(comma),_,$(dot-target).dcd.tmp)
 

-- 
2.39.5

[PATCH 2/6] crypto: Allow to include development keys in build

[Sascha Hauer]

Pengutronix has published well known RSA and ECDSA keys for development
purposes. This adds the public keys to the tree and adds
CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS. By enabling this option these
keys will be built into the barebox binary to allow for easy signing
tests.

As these keys obviously should not show up in a production build this
option selects HAS_INSECURE_DEFAULTS.

The private keys for the well known development keys can be found at
[1].

[1] https://git.pengutronix.de/cgit/ptx-code-signing-dev/

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 Documentation/user/security.rst  |  5 +++++
 crypto/Kconfig                   |  4 ++++
 crypto/Makefile                  |  9 +++++++++
 crypto/fit-4096-development.crt  | 33 +++++++++++++++++++++++++++++++++
 crypto/fit-ecdsa-development.crt | 13 +++++++++++++
 5 files changed, 64 insertions(+)

diff --git a/Documentation/user/security.rst b/Documentation/user/security.rst
index cc15c8b512b277dc4480b67d5e378958ac916a1a..357ea86a1d9abcc49b0d01ad24981e90d1e3fc45 100644
--- a/Documentation/user/security.rst
+++ b/Documentation/user/security.rst
@@ -81,6 +81,11 @@ be allowed to boot any images that have not been signed by the correct key.
 This can be enforced by setting ``CONFIG_BOOTM_FORCE_SIGNED_IMAGES=y``
 and disabling any ways that could use used to override this.
 
+For development convenience ``CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS`` keys
+can be used to compile in well known development keys into the barebox binary.
+The private keys for these keys can be found
+`[here] <https://git.pengutronix.de/cgit/ptx-code-signing-dev>`__
+
 Disabling the shell
 ^^^^^^^^^^^^^^^^^^^
 
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4f9cc3e6a560b653225efd70246ad1d79a451f78..f1f9b9bb80cfc88836c6b6b384bd8b089108b412 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -145,6 +145,10 @@ config CRYPTO_PUBLIC_KEYS
 	  corresponding value in the environment variable VAR_NAME for both
 	  public key paths/URIs as well as key name hints.
 
+config CRYPTO_BUILTIN_DEVELOPMENT_KEYS
+	select HAS_INSECURE_DEFAULTS
+	bool "Include development keys in build"
+
 config CRYPTO_KEYSTORE
 	bool "Keystore"
 	help
diff --git a/crypto/Makefile b/crypto/Makefile
index 7148aecb4a8e2275a62b25c834b1743c156a7f91..481bbec81bb2da3fbaea20c6e4eb32d6c79be4b0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -33,6 +33,15 @@ $(obj)/public-keys.o: $(obj)/public-keys.h
 CONFIG_CRYPTO_PUBLIC_KEYS := $(shell echo $(CONFIG_CRYPTO_PUBLIC_KEYS))
 CONFIG_CRYPTO_PUBLIC_KEYS := $(foreach d,$(CONFIG_CRYPTO_PUBLIC_KEYS),"$(d)")
 
+ifdef CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS
+ifdef CONFIG_CRYPTO_RSA
+CONFIG_CRYPTO_PUBLIC_KEYS += rsa-devel:$(srctree)/crypto/fit-4096-development.crt
+endif
+ifdef CONFIG_CRYPTO_ECDSA
+CONFIG_CRYPTO_PUBLIC_KEYS += ecdsa-devel:$(srctree)/crypto/fit-ecdsa-development.crt
+endif
+endif
+
 filechk_public_keys_dummy = echo
 
 $(obj)/public-keys.h: FORCE
diff --git a/crypto/fit-4096-development.crt b/crypto/fit-4096-development.crt
new file mode 100644
index 0000000000000000000000000000000000000000..dffba216b9c671899bb7c12fb1560e2431b9aa6e
--- /dev/null
+++ b/crypto/fit-4096-development.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpzCCA4+gAwIBAgIUFUQCZBUFYriH8+8jb1A9eJv5N30wDQYJKoZIhvcNAQEL
+BQAwXTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50
+IHNpZ25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5k
+ZTAgFw0xOTEwMDExMzA1MThaGA8yMTE5MDkwNzEzMDUxOFowXTEUMBIGA1UECgwL
+UGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMw
+IQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAMmR5Io1H6qALxBC2sUi548qoU6axIpZ3+yar0gj
+A1FF79nRJZNa+EcIgaMCaf+Ft7DseIAEhBzNsZQ1sj2GVEf9W7WXlSbziET1n8PC
+aC097W20kziMNOAZOjFIdy24AbcW2yhhpBXsKtzm9V0DlnGN2QM3yxbqKD1iUOl/
+iInM5KwNKxp8KboR5W/LTnUGUYw3ryFVbxJEY0YqqwMOaSk8vzLf0iSf8gu6iabS
+ELJEONst0ah3glZj+mRelVdbHDZh6/PpEQ9fQ4QqLOgy1qtqQhT8J0poDOE9BVnC
+bDIjbWvq7UavpBu0YzjmG26r7pN75DK0E0UHgGH3Z7jhophkGMYlYfarjjFRujSd
+ocpU2tEvxDykFELyvQPG5w7pedtlz5jFRzrS11RrcCsfcUFMf9g+2qKpZlSUhkHg
+DDYtDRBYam7hnV7if9nCsLaGwpZM9Fm2zJSOFATO1eKj9yUpMYqI0SobTR7XRNyr
+Rd66J0SWlPsg4IDaG1i4ieE7UNDgAtURBCRqu7PZPAEovurPlV+8lbZRljCI2wRg
+JfJaoF17AKa0a5raH2kIBD1b3EgCG7nIfyaqR4bPLxwYlm/ymXTnv7zImEBP3ffy
+mPK8m2Wtw4Sr8ze1+fcpjmCyCxwe918YuW0AOtQ2nmBOCpz4iWhA61HHK5RYzASM
+Bq6LAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQW
+BBRscfq3jG3UfwhRTQyiWoStdF/WFzAfBgNVHSMEGDAWgBRscfq3jG3UfwhRTQyi
+WoStdF/WFzANBgkqhkiG9w0BAQsFAAOCAgEAp6suTnOCSormgkuhopR5Sk0nl1ME
++DSxB56E6HVOgP2lXfNAYtfjdZwPtD2cCMyZD9m0w5usXUb+XFzW4L4AFsBnwbuu
+3/082u/qF21v7sEhdi83p3ordHnevc5HTTN0mfUNlqsCG+sCL+w+IQEWvHii4Hnc
+MPv6xbEhxU0ahTpByFwj0+YFPMq4nwQi6pqZCCP7qm0UV+T5+W8CnCivDq9laX+g
+RyJIPgH67ZFQlnnhjSqNq+7yF3Ac0U3IcMKSMaCOCIxuh+QfgHqE9jP62pRblpJx
+UPX5WF9/tBQ7757UEj+nHRKpgnJQzQ6Ks8/7FVmvbY9g9KWEIfeULsT8M1qMdW1E
+bZqleKhEySQbqUyIM29SpIfqd8unBecKFELfVf47TTEbWQRSExRMDGs31MXnvsiP
+jCSW7+BZNBwRXAyR3jB2ludw7DpZJk/VzTf2tja/FPl0sGSG0ggdmGHDnvHApQn5
+RidvJEyQSv+hfn6x+wE0nWpY2/+bV9RvOPwZnLsYkb9falnLwBlTpwa2uX6o4LP1
+8orfuQn3SrfRRKuaVwzjRvkb2fw15745mmOWK/VVtrHD8B3kA6cmTW3JEace+wma
+qCeFbwawz4vZpYCV4hQm06YefDRwZ4zBnkPnkN8i0Wqnb2kJUk5YrWKMZyFagAFU
+Yu8PytQLFKL1pZU=
+-----END CERTIFICATE-----
diff --git a/crypto/fit-ecdsa-development.crt b/crypto/fit-ecdsa-development.crt
new file mode 100644
index 0000000000000000000000000000000000000000..490d48b93a094ca5ed6fe507193a19eeb35683ae
--- /dev/null
+++ b/crypto/fit-ecdsa-development.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAaCgAwIBAgIUPWGk8K75jmaLrLI7VkbZQwbJuU4wCgYIKoZIzj0EAwIw
+XTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNp
+Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTAg
+Fw0yNDA3MjYwOTM5NTZaGA8yMTI0MDcwMjA5Mzk1NlowXTEUMBIGA1UECgwLUGVu
+Z3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMwIQYJ
+KoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABKMAmtjmHz3Rka9SaUmDjTgNzdo8CYxmz23xurgcyoNVajjpNGv1
+XwXxG0Hr+l/ehwnes77wtrYwYLyAlvFAdE2jPDA6MAwGA1UdEwEB/wQCMAAwCwYD
+VR0PBAQDAgeAMB0GA1UdDgQWBBQ5gyCsUddXXclJHHRUH+w2+R0N2jAKBggqhkjO
+PQQDAgNIADBFAiAfMkyM1n7JYCYqvYq4YdbWD8q2kZvVYhRK7gKIRZNUjAIhAKng
+1plXACT2UcKDQV9+o3qbve9LDV3aASRmZz47DX+0
+-----END CERTIFICATE-----

-- 
2.39.5

[PATCH 3/6] crypto: include public key hashes

[Sascha Hauer]

The keys built into the barebox binary are not identifiable. They might
have a key name hint, but this is optional. This adds a sha256 hash
to struct public_key which can be printed when a key is used. The
hash can be obtained on the host from the certificate files or public
key PEM files with openssl commands:

openssl x509 -in crypto/fit-ecdsa-development.crt -pubkey -noout | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256
cat ~/git/ptx-code-signing-dev/fit/fit-ecdsa-development.public-key | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 crypto/public-keys.c        |  2 ++
 include/crypto/public_key.h |  2 ++
 scripts/keytoc.c            | 59 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index fba963db4eb875196daf0e3a4e3fb3cac844796a..3b691ffd6aa536084aefca90933b4bb74b724423 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -46,6 +46,8 @@ static struct public_key *public_key_dup(const struct public_key *key)
 	k->type = key->type;
 	if (key->key_name_hint)
 		k->key_name_hint = xstrdup(key->key_name_hint);
+	k->hash = xmemdup(key->hash, key->hashlen);
+	k->hashlen = key->hashlen;
 
 	switch (key->type) {
 	case PUBLIC_KEY_TYPE_RSA:
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index d4e75981738ba9651145b9a03527525ae63d6c39..7edea2d69190cb30f328510f905bab3054ad5845 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,8 @@ struct public_key {
 	enum public_key_type type;
 	struct list_head list;
 	char *key_name_hint;
+	unsigned char *hash;
+	unsigned int hashlen;
 
 	union {
 		struct rsa_public_key *rsa;
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index c92465707f65950e95b04afe58fb10161178998c..4e5ef72cfc9a82be6fa2a74b94a663136dd703b6 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -452,6 +452,45 @@ static EVP_PKEY *reimport_key(EVP_PKEY *pkey)
 	return pkey_out;
 }
 
+static int print_hash(EVP_PKEY *key)
+{
+	int i, ret;
+	BIO *mem;
+	BUF_MEM *p;
+	unsigned char hash[SHA256_DIGEST_LENGTH];
+	SHA256_CTX sha256;
+	mem = BIO_new(BIO_s_mem());
+
+	ret = i2d_PUBKEY_bio(mem, key);
+	if (ret != 1)
+		goto err;
+
+	BIO_get_mem_ptr(mem, &p);
+
+	ret = SHA256_Init(&sha256);
+	if (ret != 1)
+		goto err;
+
+	ret = SHA256_Update(&sha256, p->data, p->length);
+	if (ret != 1)
+		goto err;
+
+	ret = SHA256_Final(hash, &sha256);
+	if (ret != 1)
+		goto err;
+
+	for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+		fprintf(outfilep, "0x%02x, ", hash[i]);
+
+	fprintf(outfilep, "\n");
+
+	ret = 0;
+err:
+	BIO_free(mem);
+
+	return ret ? -EINVAL : 0;
+}
+
 static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_name_c)
 {
 	char group[128];
@@ -482,6 +521,14 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
 		fprintf(stderr, "ERROR: generating a dts snippet for ECDSA keys is not yet supported\n");
 		return -EOPNOTSUPP;
 	} else {
+		fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+		ret = print_hash(key);
+		if (ret)
+			return ret;
+
+		fprintf(outfilep, "\n};\n\n");
+
 		fprintf(outfilep, "\nstatic uint64_t %s_x[] = {", key_name_c);
 		ret = print_bignum(key_x, bits, 64);
 		if (ret)
@@ -506,6 +553,8 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
 			fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
 			fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_ECDSA,\n");
 			fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+			fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+			fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
 			fprintf(outfilep, "\t.ecdsa = &%s,\n", key_name_c);
 			fprintf(outfilep, "};\n");
 		}
@@ -568,6 +617,14 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
 		fprintf(outfilep, "\t\t\tkey-name-hint = \"%s\";\n", key_name_c);
 		fprintf(outfilep, "\t\t};\n");
 	} else {
+		fprintf(outfilep, "\nstatic unsigned char %s_hash[] = {\n\t", key_name_c);
+
+		ret = print_hash(key);
+		if (ret)
+			return ret;
+
+		fprintf(outfilep, "\n};\n\n");
+
 		fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
 		ret = print_bignum(modulus, bits, 32);
 		if (ret)
@@ -600,6 +657,8 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
 			fprintf(outfilep, "\nstruct public_key __attribute__((section(\".public_keys.rodata.%s\"))) %s_public_key = {\n", key_name_c, key_name_c);
 			fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_RSA,\n");
 			fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+			fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
+			fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
 			fprintf(outfilep, "\t.rsa = &%s,\n", key_name_c);
 			fprintf(outfilep, "};\n");
 		}

-- 
2.39.5

[PATCH 4/6] commands: add keys command

[Sascha Hauer]

Currently there is no way to show the keys built into the barebox
binary. The new keys command does exactly that. For each key it will
show the key name hint if exists and a sha256 hash over the public key.

The sha256 hash can be retrieved from the certificates or public key PEM
files with openssl commands:

openssl x509 -in crypto/fit-ecdsa-development.crt -pubkey -noout | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256
cat ~/git/ptx-code-signing-dev/fit/fit-ecdsa-development.public-key | openssl ec -pubin -inform PEM -outform DER | openssl dgst -sha256

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 commands/Kconfig  |  7 +++++++
 commands/Makefile |  1 +
 commands/keys.c   | 30 ++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/commands/Kconfig b/commands/Kconfig
index 6c61bff1cd1220107f658a89bfade4cef7b5af23..34235865bdf5035f581ea82f4a4f9c174a80adce 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -2354,6 +2354,13 @@ config CMD_KEYSTORE
 	help
 	  keystore provides access to the barebox keystore.
 
+config CMD_KEYS
+	depends on CRYPTO_BUILTIN_KEYS
+	bool
+	prompt "keys"
+	help
+	  The keys command provides information about builtin public keys
+
 # end Security commands
 endmenu
 
diff --git a/commands/Makefile b/commands/Makefile
index 9247287ed53aa3bf06692744bf409e80bc832e7a..3222a02aac85ee7996ea7b52dd58dcb36bb71926 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -116,6 +116,7 @@ obj-$(CONFIG_CMD_LN)		+= ln.o
 obj-$(CONFIG_CMD_CLK)		+= clk.o
 obj-$(CONFIG_CMD_KALLSYMS)	+= kallsyms.o
 obj-$(CONFIG_CMD_KEYSTORE)	+= keystore.o
+obj-$(CONFIG_CMD_KEYS)		+= keys.o
 obj-$(CONFIG_CMD_TFTP)		+= tftp.o
 obj-$(CONFIG_CMD_FILETYPE)	+= filetype.o
 obj-$(CONFIG_CMD_BAREBOX_UPDATE)+= barebox-update.o
diff --git a/commands/keys.c b/commands/keys.c
new file mode 100644
index 0000000000000000000000000000000000000000..2d85e8124ff57ecc8ef7364f083b3439e3b958e4
--- /dev/null
+++ b/commands/keys.c
@@ -0,0 +1,30 @@
+#include <command.h>
+#include <stdio.h>
+#include <crypto/public_key.h>
+
+static int do_keys(int argc, char *argv[])
+{
+	const struct public_key *key;
+
+	for_each_public_key(key) {
+		printf("KEY: %*phN", key->hashlen, key->hash);
+
+		if (key->key_name_hint)
+			printf(" (%s)\n", key->key_name_hint);
+		else
+			printf("\n");
+	}
+
+	return 0;
+}
+
+BAREBOX_CMD_HELP_START(keys)
+BAREBOX_CMD_HELP_TEXT("Print informations about public keys")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(keys)
+        .cmd            = do_keys,
+        BAREBOX_CMD_DESC("Print informations about public keys")
+        BAREBOX_CMD_GROUP(CMD_GRP_CONSOLE)
+        BAREBOX_CMD_HELP(cmd_keys_help)
+BAREBOX_CMD_END

-- 
2.39.5

[PATCH 5/6] fit: consistently pass around fit_handle

[Sascha Hauer]

Some functions in the FIT code use the image buffer as context pointer,
other do not have any context pointer at all. Consistently pass around
the struct fit_handle * as context pointer.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/image-fit.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 5006394eb7bbd0873a37a0102d5a0d89ea7c6b9f..1fe5aaf9bb186ae2407818b7824deea3f182e3e0 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -64,11 +64,12 @@ static int of_read_string_list(struct device_node *np, const char *name, struct
 	return prop ? 0 : -EINVAL;
 }
 
-static int fit_digest(const void *fit, struct digest *digest,
+static int fit_digest(struct fit_handle *handle, struct digest *digest,
 		      struct string_list *inc_nodes, struct string_list *exc_props,
 		      uint32_t hashed_strings_start, uint32_t hashed_strings_size)
 {
-	const struct fdt_header *fdt = fit;
+	const struct fdt_header *fdt = handle->fit;
+	const void *fit = handle->fit;
 	uint32_t dt_struct;
 	void *dt_strings;
 	struct fdt_header f = {};
@@ -254,7 +255,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
 	return digest;
 }
 
-static int fit_check_signature(struct device_node *sig_node,
+static int fit_check_signature(struct fit_handle *handle, struct device_node *sig_node,
 			       enum hash_algo algo, void *hash)
 {
 	const struct public_key *key;
@@ -300,7 +301,7 @@ static int fit_check_signature(struct device_node *sig_node,
 /*
  * The consistency of the FTD structure was already checked by of_unflatten_dtb()
  */
-static int fit_verify_signature(struct device_node *sig_node, const void *fit)
+static int fit_verify_signature(struct fit_handle *handle, struct device_node *sig_node)
 {
 	uint32_t hashed_strings_start, hashed_strings_size;
 	struct string_list inc_nodes, exc_props;
@@ -337,7 +338,7 @@ static int fit_verify_signature(struct device_node *sig_node, const void *fit)
 		goto out_sl;
 	}
 
-	ret = fit_digest(fit, digest, &inc_nodes, &exc_props, hashed_strings_start,
+	ret = fit_digest(handle, digest, &inc_nodes, &exc_props, hashed_strings_start,
 			 hashed_strings_size);
 	if (ret)
 		goto out_sl;
@@ -345,7 +346,7 @@ static int fit_verify_signature(struct device_node *sig_node, const void *fit)
 	hash = xzalloc(digest_length(digest));
 	digest_final(digest, hash);
 
-	ret = fit_check_signature(sig_node, algo, hash);
+	ret = fit_check_signature(handle, sig_node, algo, hash);
 	if (ret)
 		goto out_free_hash;
 
@@ -468,7 +469,7 @@ static int fit_image_verify_signature(struct fit_handle *handle,
 	hash = xzalloc(digest_length(digest));
 	digest_final(digest, hash);
 
-	ret = fit_check_signature(sig_node, algo, hash);
+	ret = fit_check_signature(handle, sig_node, algo, hash);
 
 	free(hash);
 
@@ -721,7 +722,7 @@ static int fit_config_verify_signature(struct fit_handle *handle, struct device_
 		if (handle->verbose)
 			of_print_nodes(sig_node, 0, ~0);
 
-		ret = fit_verify_signature(sig_node, handle->fit);
+		ret = fit_verify_signature(handle, sig_node);
 		if (ret < 0)
 			return ret;
 	}

-- 
2.39.5

[PATCH 6/6] fit: improve diagnostics

[Sascha Hauer]

FIT image output can become very verbose when a FIT image with multiple
device tree overlays is used. This hides several messages from normal
output and only prints them in verbose mode, (i.e. called via bootm -v)

Also from the output we could not see if all available keys fail to
verify the image or if no key is available at all. This patch improves
this by printing it clearly that no keys are available.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/image-fit.c   | 23 +++++++++++++++++------
 crypto/public-keys.c |  4 +++-
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 1fe5aaf9bb186ae2407818b7824deea3f182e3e0..46e687bf91412f6957a8ba61c4b81648a8346b1d 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -258,6 +258,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
 static int fit_check_signature(struct fit_handle *handle, struct device_node *sig_node,
 			       enum hash_algo algo, void *hash)
 {
+	const char *fail_reason = "no built-in keys";
 	const struct public_key *key;
 	const char *key_name = NULL;
 	int sig_len;
@@ -275,26 +276,34 @@ static int fit_check_signature(struct fit_handle *handle, struct device_node *si
 		key = public_key_get(key_name);
 		if (key) {
 			ret = public_key_verify(key, sig_value, sig_len, hash, algo);
+			if (handle->verbose)
+				pr_info("Key %*phN (%s) -> signature %s\n", key->hashlen,
+					key->hash, key_name, ret ? "BAD" : "OK");
 			if (!ret)
 				goto ok;
 		}
 	}
 
 	for_each_public_key(key) {
+		fail_reason = "verification failed";
+
 		if (key_name && !strcmp(key->key_name_hint, key_name))
 			continue;
 
 		ret = public_key_verify(key, sig_value, sig_len, hash, algo);
+
+		if (handle->verbose)
+			pr_info("Key %*phN -> signature %s\n", key->hashlen, key->hash,
+				ret ? "BAD" : "OK");
+
 		if (!ret)
 			goto ok;
 	}
 
-	pr_err("image signature BAD\n");
+	pr_err("image signature BAD: %s\n", fail_reason);
 
 	return -EBADMSG;
 ok:
-	pr_info("image signature OK\n");
-
 	return 0;
 }
 
@@ -417,10 +426,11 @@ static int fit_verify_hash(struct fit_handle *handle, struct device_node *image,
 	digest_update(d, data, data_len);
 
 	if (digest_verify(d, value_read)) {
-		pr_info("%pOF: hash BAD\n", hash);
+		pr_err("%pOF: hash BAD\n", hash);
 		ret =  -EBADMSG;
 	} else {
-		pr_info("%pOF: hash OK\n", hash);
+		if (handle->verbose)
+			pr_info("%pOF: hash OK\n", hash);
 		ret = 0;
 	}
 
@@ -663,7 +673,8 @@ int fit_open_image(struct fit_handle *handle, void *configuration,
 		return ret;
 
 	of_property_read_string(image, "description", &desc);
-	pr_info("image '%s': '%s'\n", unit, desc);
+	if (handle->verbose)
+		pr_info("image '%s': '%s'\n", unit, desc);
 
 	of_property_read_string(image, "type", &type);
 	if (!type) {
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index 3b691ffd6aa536084aefca90933b4bb74b724423..05ea6e76d212e9a37a6691647ce9e6350141c18d 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -96,8 +96,10 @@ static int init_public_keys(void)
 	for (iter = __public_keys_start; iter != __public_keys_end; iter++) {
 		struct public_key *key = public_key_dup(iter);
 
-		if (!key)
+		if (!key) {
+			pr_warn("error while adding key\n");
 			continue;
+		}
 
 		public_key_add(key);
 	}

-- 
2.39.5