author | Marc Kleine-Budde <mkl@pengutronix.de> | 2015-10-25 22:03:36 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2015-11-27 08:26:43 +0100 |
commit | 34cda8c23115b3ae3aeeeba7618d5d5654536494 (patch) | |
tree | 0891557d0c437a8de3af41dc3e8c7c0537a23b1a /Documentation/devicetree | |
parent | bf3cb63799f47697d460300c34e970589ea91671 (diff) | |
state: backend_raw: add hmac support
This patch adds hmac support to the raw backend.
With this patch, modifications of the header or data of a state partition can
be detected, as the hmac wouldn't match anymore. The hmac relies on a shared
secret, which is requested from the keystore, with keystore_get_secret() using
the name of the state partition as the "name" of the secret.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'Documentation/devicetree')
-rw-r--r-- | Documentation/devicetree/bindings/barebox/barebox,state.rst | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/Documentation/devicetree/bindings/barebox/barebox,state.rst b/Documentation/devicetree/bindings/barebox/barebox,state.rst index 4c5b06db47..ef66029372 100644 --- a/Documentation/devicetree/bindings/barebox/barebox,state.rst +++ b/Documentation/devicetree/bindings/barebox/barebox,state.rst @@ -32,6 +32,12 @@ Required properties: * ``backend``: describes where the data for this state is stored * ``backend-type``: should be ``raw`` or ``dtb``. +Optional properties: + +* ``algo``: A HMAC algorithm used to detect manipulation of the data + or header, sensible values follow this pattern ``hmac(<HASH>)``, + e.g. ``hmac(sha256)``. + Variable nodes -------------- @@ -105,6 +111,19 @@ devicetree description of the state itself, but additionally contains the actual values of the variables. Unlike the raw state backend the dtb state backend can describe itself. +HMAC +---- + +With the optional property ``algo = "hmac(<HASH>)";`` a HMAC algorithm +can be defined to detect unauthorized modification of the state's +header and/or data. For this to work the HMAC and the selected hash +algorithm have to be compiled into barebox. + +The shared secret for the HMAC is requested via +``keystore_get_secret()``, using the state's name, from the barebox +simple keystore. It's up to the developer to populate the keystore via +``keystore_set_secret()`` in beforehand. + Frontend -------- |
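Review bot: The new "Optional properties" entry for ``algo`` in the first hunk does not say which backend honours it, although it sits directly under ``backend-type``: should be ``raw`` or ``dtb``. The commit message says HMAC support is added to the raw backend only, so the binding should state that ``algo`` applies to ``backend-type = "raw"`` and what happens if it is set on a ``dtb`` state. It should also say explicitly that omitting ``algo`` leaves the state without manipulation detection, since "optional" alone hides that consequence from someone reviewing a board's devicetree. Style: "A HMAC algorithm" should read "An HMAC algorithm", and "sensible values follow this pattern" would be clearer as a statement of which values are accepted.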
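Review bot: The new HMAC section in the second hunk leaves the failure behaviour undocumented: it does not say what the state framework does when ``keystore_get_secret()`` finds no secret for the state's name, or when the stored HMAC does not match. Integrators need to know whether the state is rejected, reset to defaults or loaded anyway, so please add a sentence for each case. "header and/or data" is also ambiguous about coverage; spell out exactly which bytes the HMAC is computed over. "have to be compiled into barebox" would be more useful with the relevant configuration options named, and "the state's name" should be reconciled with the commit message, which says the name of the state partition is used as the name of the secret. Wording: "in beforehand" should be "beforehand".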