[PATCH u-boot v2019.04-aspeed-openbmc 11/11] configs/openbmc: Enable hw accelerated sha

Klaus Heinrich Kiwi klaus at linux.vnet.ibm.com
Thu Apr 15 07:03:14 AEST 2021 


On 4/13/2021 5:42 PM, Klaus Heinrich Kiwi wrote:
> 
> 
> On 4/13/2021 5:07 AM, Joel Stanley wrote:
>> SHA512 will be used by the openbmc secure boot implementation when
>> verifying FIT images of both u-boot proper and the kernel.
>>
>> The hash command is useful, and adds only a small amount of binary size
>> given the algorithms are already included in the image.
>>
>> Using hardware acceleration instead of a software implementation saves a
>> significant amount of binary size (approx. 12KB for the SPL).
>>
>> Note that the hardware implementation is only useful when booting from a
>> payload in memory, as is the case with MMC or network boot. It cannot be
>> used when booting from SPI NOR.
>>
>> Signed-off-by: Joel Stanley <joel at jms.id.au>
> Reviewed-by: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
>> ---
>>   configs/ast2600_openbmc_spl_emmc_defconfig | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig
>> index e59d3595ebf0..05069084cbc5 100644
>> --- a/configs/ast2600_openbmc_spl_emmc_defconfig
>> +++ b/configs/ast2600_openbmc_spl_emmc_defconfig
>> @@ -36,6 +36,7 @@ CONFIG_ARMV7_BOOT_SEC_DEFAULT=y
>>   CONFIG_ARMV7_PSCI_NR_CPUS=2
>>   CONFIG_NR_DRAM_BANKS=1
>>   CONFIG_FIT=y
>> +CONFIG_FIT_ENABLE_SHA512_SUPPORT=y
>>   CONFIG_FIT_SIGNATURE=y
>>   CONFIG_SPL_FIT_SIGNATURE=y
>>   CONFIG_SPL_LOAD_FIT=y
>> @@ -53,6 +54,8 @@ CONFIG_SPL_STACK_R=y
>>   CONFIG_SPL_SEPARATE_BSS=y
>>   CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y
>>   CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x80
>> +CONFIG_SPL_SHA256_SUPPORT=y
>> +CONFIG_SPL_SHA512_SUPPORT=y
>>   CONFIG_SPL_FIT_IMAGE_TINY=y
>>   CONFIG_SPL_DM_RESET=y
>>   CONFIG_SPL_RAM_SUPPORT=y
>> @@ -80,6 +83,7 @@ CONFIG_CMD_DHCP=y
>>   CONFIG_CMD_MII=y
>>   CONFIG_CMD_PING=y
>>   CONFIG_CMD_NCSI=y
>> +CONFIG_CMD_HASH=y
>>   CONFIG_CMD_EXT2=y
>>   CONFIG_CMD_EXT4=y
>>   CONFIG_CMD_EXT4_WRITE=y
>> @@ -97,6 +101,7 @@ CONFIG_SYSCON=y
>>   CONFIG_SPL_OF_TRANSLATE=y
>>   CONFIG_CLK=y
>>   CONFIG_SPL_CLK=y
>> +CONFIG_ASPEED_HACE=y
>>   CONFIG_DM_GPIO=y
>>   CONFIG_ASPEED_GPIO=y
>>   CONFIG_DM_I2C=y
>> @@ -135,4 +140,6 @@ CONFIG_USE_TINY_PRINTF=y
>>   CONFIG_SPL_TINY_MEMSET=y
>>   CONFIG_TPM=y
>>   CONFIG_SPL_TPM=y
>> +CONFIG_SHA_HW_ACCEL=y
>> +CONFIG_SHA_PROG_HW_ACCEL=y

Doesn't invalidate my reviewed-by-tag, but I just noted that these are redundant
due to CONFIG_ASPEED_HACE=y.

But I'm fine if you want yo keep them explicit as well.

  -Klaus

>>   # CONFIG_EFI_LOADER is not set
>>
> 

-- 
Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>

More information about the openbmc mailing list