[U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification

AKASHI Takahiro takahiro.akashi at linaro.org
Thu Dec 12 11:10:34 CET 2019


Tom, Simon,

On Fri, Dec 06, 2019 at 07:25:47PM -0500, Tom Rini wrote:
> On Thu, Nov 21, 2019 at 09:11:16AM +0900, AKASHI Takahiro wrote:
> 
> > Introduce a new configuration, CONFIG_RSA_VERIFY, which will decouple building
> > RSA functions from FIT verification and allow for adding an RSA-based
> > signature verification for other file formats, in particular PE file
> > for UEFI secure boot.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> > Reviewed-by: Simon Glass <sjg at chromium.org>
> > ---
> >  Kconfig                |   1 +
> >  common/Makefile        |   3 +-
> >  common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
> >  common/image-fit.c     |   6 +-
> >  common/image-sig.c     | 396 --------------------------------------
> >  include/image.h        |  13 +-
> >  lib/rsa/Kconfig        |  12 ++
> >  lib/rsa/Makefile       |   2 +-
> >  lib/rsa/rsa-verify.c   |  78 +++++---
> >  tools/Makefile         |   2 +-
> >  10 files changed, 493 insertions(+), 437 deletions(-)
> >  create mode 100644 common/image-fit-sig.c
> 
> OK, the way this works today we see things like:
>             T1042RDB_PI_NAND_SECURE_BOOT: all +706 data +88 rodata +58 spl/u-boot-spl:all +704 spl/u-boot-spl:data +144 spl/u-boot-spl:text +560 text +560
>                u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
>                  function                                   old     new   delta
>                  hash_calculate                               -     192    +192
>                  padding_pkcs_15_verify                       -     184    +184
>                  rsa_verify                                   -     104    +104
>                  crypto_algos                                 -      40     +40
>                  checksum_algos                               -      40     +40
>                  rsa_sign                                     -       8      +8
>                  rsa_add_verify_data                          -       8      +8
>                  padding_algos                                -       8      +8
>                spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
>                  function                                   old     new   delta
>                  hash_calculate                               -     192    +192
>                  padding_pkcs_15_verify                       -     184    +184
>                  rsa_verify                                   -     104    +104
>                  crypto_algos                                 -      40     +40
>                  checksum_algos                               -      40     +40
>                  sha256_der_prefix                            -      19     +19
>                  sha1_der_prefix                              -      15     +15
>                  rsa_sign                                     -       8      +8
>                  rsa_add_verify_data                          -       8      +8
>                  padding_algos                                -       8      +8
> 
> Which seems wrong, we should be making any changes here opt-in, yes?  Thanks!

Okay, I found out what was wrong with my patch.

*But*, it seems to me that lib/rsa/Kconfig, in particular
RSA_FREESCALE_EXP, is weird because CONFIG_RSA as well as
RSA_FREESCALE_EXP is enabled in T1042RDB_PI_NAND_SECURE_BOOT_defconfig,
and yet rsa_verify(), which is the heart of CONFIG_RSA (library),
is NOT enabled in the configuration (for T1042RDB).
So the generated code will have no real user of this crypto driver,
i.e. drivers/crypto/fsl/fsl_rsa.c.

Anyway, I will post a fixed version early next week.

Thanks,
-Takahiro Akashi

> -- 
> Tom



