[PATCH u-boot v2019.04-aspeed-openbmc 5/7] Add support for SHA384 and SHA512

Klaus Heinrich Kiwi klaus at linux.vnet.ibm.com
Fri Jan 29 08:23:04 AEDT 2021



On 1/28/2021 7:53 AM, Joel Stanley wrote:
> From: Reuben Dowle <reubendowle0 at gmail.com>
> 
> The current recommendation for best security practice from the US government
> is to use SHA384 for TOP SECRET [1].
> 
> This patch adds support for SHA384 and SHA512 in the hash command, and also
> allows FIT images to be hashed with these algorithms, and signed with
> sha384,rsaXXXX and sha512,rsaXXXX
> 
> The SHA implementation is adapted from the Linux kernel implementation.
> 
> [1] Commercial National Security Algorithm Suite
> http://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
> 
> Signed-off-by: Reuben Dowle <reuben.dowle at 4rf.com>
> (cherry picked from commit d16b38f42704fe3cc94fbee1601be96045013151)
> Signed-off-by: Joel Stanley <joel at jms.id.au>

This looks good from a U-Boot point of view, but be aware that once
we enable sha512 on an OpenBMC (ast2600) build, we're going past the
SPL limit:

|   (cd spl && arm-openbmc-linux-gnueabi-ld.bfd   -T u-boot-spl.lds  --gc-sections -Bstatic --gc-sections -pie  --no-dynamic-linker -Ttext 0x00000000 arch/arm/cpu/armv7/start.o --start-group arch/arm/mach-aspeed/built-in.o arch/arm/cpu/armv7/built-in.o arch/arm/cpu/built-in.o arch/arm/lib/built-in.o board/aspeed/evb_ast2600a1/built-in.o common/spl/built-in.o common/init/built-in.o common/built-in.o cmd/built-in.o env/built-in.o lib/built-in.o disk/built-in.o drivers/built-in.o dts/built-in.o fs/built-in.o  --end-group arch/arm/lib/eabi_compat.o arch/arm/lib/lib.a -Map u-boot-spl.map -o u-boot-spl)
| arm-openbmc-linux-gnueabi-ld.bfd: u-boot-spl section `.u_boot_list' will not fit in region `flash'
| arm-openbmc-linux-gnueabi-ld.bfd: region `flash' overflowed by 1216 bytes

So perhaps when enabling this we will need another set of #if-defined's, perhaps
removing the other hashing algos?

Reviewed-by: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>



-- 
Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>

