author: Marc Kleine-Budde <mkl@pengutronix.de> 2015-10-25 22:03:36 +0100
committer: Sascha Hauer <s.hauer@pengutronix.de> 2015-11-27 08:26:43 +0100
commit: 34cda8c23115b3ae3aeeeba7618d5d5654536494
tree: 0891557d0c437a8de3af41dc3e8c7c0537a23b1a /Documentation/devicetree
parent: bf3cb63799f47697d460300c34e970589ea91671
state: backend_raw: add hmac support
This patch adds hmac support to the raw backend. With this patch, modifications of the header or data of a state partition can be detected, as the hmac wouldn't match anymore. The hmac relies on a shared secret, which is requested from the keystore, with keystore_get_secret() using the name of the state partition as the "name" of the secret.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'Documentation/devicetree')
-rw-r--r-- Documentation/devicetree/bindings/barebox/barebox,state.rst | 19
1 files changed, 19 insertions, 0 deletions
diff --git a/Documentation/devicetree/bindings/barebox/barebox,state.rst b/Documentation/devicetree/bindings/barebox/barebox,state.rst
index 4c5b06db47..ef66029372 100644
--- a/Documentation/devicetree/bindings/barebox/barebox,state.rst
+++ b/Documentation/devicetree/bindings/barebox/barebox,state.rst
@@ -32,6 +32,12 @@ Required properties:
* ``backend``: describes where the data for this state is stored
* ``backend-type``: should be ``raw`` or ``dtb``.
+Optional properties:
+
+* ``algo``: A HMAC algorithm used to detect manipulation of the data
+ or header, sensible values follow this pattern ``hmac(<HASH>)``,
+ e.g. ``hmac(sha256)``.
+
Variable nodes
--------------
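Review bot: the new ``algo`` entry does not say which backend honours it. The commit message limits hmac support to the raw backend, while the context line directly above still allows ``backend-type`` to be ``raw`` or ``dtb``, so a reader can set ``algo`` on a dtb state and assume it is protected. Suggest stating in this entry that the property applies to ``backend-type = "raw"`` only, and that omitting it leaves the state without modification detection. "sensible values follow this pattern" would also read better as a requirement, for example "must have the form ``hmac(<HASH>)``".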
@@ -105,6 +111,19 @@ devicetree description of the state itself, but additionally contains
the actual values of the variables. Unlike the raw state backend the
dtb state backend can describe itself.
+HMAC
+----
+
+With the optional property ``algo = "hmac(<HASH>)";`` a HMAC algorithm
+can be defined to detect unauthorized modification of the state's
+header and/or data. For this to work the HMAC and the selected hash
+algorithm have to be compiled into barebox.
+
+The shared secret for the HMAC is requested via
+``keystore_get_secret()``, using the state's name, from the barebox
+simple keystore. It's up to the developer to populate the keystore via
+``keystore_set_secret()`` in beforehand.
+
Frontend
--------
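Review bot: the new HMAC section does not document the failure paths. It should say what happens to the state when ``keystore_get_secret()`` has no entry for the state's name and what happens when the stored HMAC does not match, because that is what tells an integrator whether a modified partition is rejected or still loaded. In the first paragraph, "header and/or data" should state exactly which parts the HMAC covers, and "have to be compiled into barebox" would be more useful if it named the options to enable. In the last sentence, "in beforehand" should read "beforehand".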