In their respective makefiles, cert_create, encrypt_fw and fiptool
depend on the --openssl phony target as a prerequisite. This forces
those tools to be re-linked each time.
Move the dependencies on the --openssl target from the tools to their
makefiles all targets, to avoid unnecessary linking while preserving the
OpenSSL version printing done in the --openssl targets when in debug.
Fixes: cf2dd17ddd ("refactor(security): add OpenSSL 1.x compatibility")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Change-Id: I98a3ab30f36dffc253cecaaf3a57d2712522135d
When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fact that 1.x APIs became deprecated in 3.0 and
therefore their use cause compiling errors. In addition, updating
for a newer version of OpenSSL meant improving the stability
against security threats. However, although version 1.1.1 is
now deprecated, it still receives security updates, so it would
not imply major security issues to keep compatibility with it too.
This patch adds backwards compatibility with OpenSSL 1.x versions
by adding back 1.x API code. It defines a macro USING_OPENSSL3,
which will select the appropriate OpenSSL API version depending on
the OpenSSL library path chosen (which is determined by the
already-existing OPENSSL_DIR variable).
In addition, cleanup items were packed in functions and moved to
the proper modules in order to make the code more maintainable and
legible.
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I8deceb5e419edc73277792861882404790ccd33c
Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.
Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6
Don't depend on clean when building, as the user is capable of cleaning
if required and this introduces a race where "all" depends on both the
compile and the clean in parallel. It's quite possible for some of the
compile to happen in parallel with the clean, which results in the link
failing as objects just built are missing.
Change-Id: I710711eea7483cafa13251c5d94ec693148bd001
Signed-off-by: Ross Burton <ross.burton@arm.com>
This patch: fafd3ec9c assumes that tools must build from
the main makefile folder.
This assumption leads to the error when somebody wants to
build a tool from the tool's folder.
Hence changes are done to provide the default binary name
in the tool's makefile.
Change-Id: Iae570a7f8d322151376b6feb19e739300eecc3fc
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Currently, the tool's makefile override the tool's binary name
which is already been defined in the main makefile.
Hence fix is provided so that the tool's makefile get the tool's
binary name from the main makefile instead of overriding it.
Change-Id: I8af2bd391a96bba2dbcddef711338a94ebf5f038
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Add firmware authenticated encryption tool which utilizes OpenSSL
library to encrypt firmwares using a key provided via cmdline. Currently
this tool supports AES-GCM as an authenticated encryption algorithm.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I60e296af1b98f1912a19d5f91066be7ea85836e4
Vincent Stehlé
Juan Pablo Conde
Ross Burton
Manish V Badarkhe
Sumit Garg