state: backend_raw: add hmac support

This patch adds hmac support to the raw backend.

With this patch, modifications of the header or data of a state partition can
be detected, as the hmac woudln't match anymore. The hmac relies on a shared
secret, which is requested from the keystore, with keystore_get_secret() using
the name of the state partition as the "name" of the secret.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>

1 files changed, 18 insertions, 0 deletions

diff --git a/common/Kconfig b/common/Kconfig
index 877d3855a2..8e7950968c 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -751,6 +751,24 @@ config STATE
 	select OFTREE
 	select PARAMETER
 
+config STATE_CRYPTO
+	bool "HMAC based authentication support"
+	depends on STATE
+	select CRYPTO_KEYSTORE
+	select DIGEST
+	select DIGEST_HMAC_GENERIC
+	help
+	  This options enables HMAC based authentication support for
+	  the state's header and data. This means the state framework
+	  can verify both the data integrity and the authentication of
+	  the state's header and data.
+
+	  Don't forget to select a hash algorithm in the
+	  crypto/digests menu.
+
+	  See Documentation/devicetree/bindings/barebox/barebox,state.rst
+	  for more information.
+
 config RESET_SOURCE
 	bool "detect Reset cause"
 	depends on GLOBALVAR