[U-Boot] [PATCH v1 0/3] rsa: extend rsa_verify() for UEFI secure boot
AKASHI Takahiro
takahiro.akashi at linaro.org
Wed Oct 9 05:30:41 UTC 2019
The current rsa_verify() requires five parameters for a RSA public key
for efficiency while RSA, in theory, requires only two. In addition,
those parameters are expected to come from FIT image.
So this function won't fit very well when we want to use it for the purpose
of implementing UEFI secure boot, in particular, image authentication
as well as variable authentication, where the essential two parameters
are set to be retrieved from one of X509 certificates in signature
database.
So, in this patch, additional three parameters will be calculated
on the fly when rsa_verify() is called without fdt which should contain
parameters above.
This calculation heavily relies on "big-number (or multi-precision)
library." Therefore some routines from BearSSL[1] under MIT license are
imported in this implementation. See Patch#2.
# Please let me know if this is not appropriate.
# Checkpatch will complain with lots of warnings/errors, but
# I intentionally don't fix them for maximum maintainability.
[1] https://bearssl.org/
Changes in v1 (Oct 9, 2019)
* fix a build error on pine64-lts_defconfig (reported by Heinrich)
by defining FIT_IMAGE_ENABLE_VERIFY flag and adding
SPL_RSA_VERIFY config (patch#1)
* remove FIT-specific code from image-sig.c and put them to new
image-fit-sig.c to allow us to disable CONFIG_FIT_SIGNATURE (patch#1)
* compile rsa-keyprop.c only if necessary (i.e. if
CONFIG_RSA_VERIFY_WITH_PKEY) (patch#2)
* add SPDX license identifier in rsa-keyprop.c (patch#2)
* include <common.h> instead of <stdio.h> (patch#2)
* use U-Boot's byteorder helper functions instead of BearSSL's (patch#2)
AKASHI Takahiro (3):
lib: rsa: decouple rsa from FIT image verification
lib: rsa: generate additional parameters for public key
lib: rsa: add rsa_verify_with_pkey()
Kconfig | 1 +
common/Makefile | 3 +-
common/image-fit-sig.c | 417 +++++++++++++++++++++++++
common/image-fit.c | 6 +-
common/image-sig.c | 396 ------------------------
include/image.h | 14 +-
include/u-boot/rsa-mod-exp.h | 3 +
lib/rsa/Kconfig | 12 +
lib/rsa/Makefile | 2 +-
lib/rsa/rsa-keyprop.c | 585 +++++++++++++++++++++++++++++++++++
lib/rsa/rsa-verify.c | 65 +++-
tools/Makefile | 2 +-
12 files changed, 1095 insertions(+), 411 deletions(-)
create mode 100644 common/image-fit-sig.c
create mode 100644 lib/rsa/rsa-keyprop.c
--
2.21.0
More information about the U-Boot
mailing list