[PATCH RFC v1 0/4] Add support for ECDSA image signing

Alexandru Gagniuc mr.nuke.me at gmail.com
Mon Dec 28 20:17:33 CET 2020


# Introduction

This series is part of a larger effort to implement verified boot
on STM32MP1. The ROM code on this chip requires an ECDSA-signed SSBL.
Maintaining verified boot through FIT images would require switching
to an RSA key after SPL. This would be stupid, so this series is
focused on enabling ECDSA signing. The purpose of this series is to
let people know I'm looking into ECDSA.

## Purpose and intent

The use case that I am focused on is signing an existing FIT image.

	mkimage -F some-existing.fit --signing-key some/key.pem
	
I don't care about signing while assembling the FIT. The reason is
that I want the machine that builds things to be separate from the
machine that has access to the super-secret-key.pem.

Astute readers may have noticed the lack of a device-side
implementation, and thus have the audacity to call this series
"useless". I don't plan to write out the algorithm for ECDSA, but
instead use the CRYPTO engine of the stm32mp. This is a matter for
another series.


# Implementation

I initially tried to model this after the RSA implementation, but that
didn't go well for a few reasons:
 (a) The openssl/libcrypto API is a pain in the ass
 (b) The RSA path doesn't have a way to pass a specific key file.
 
On point (a), I don't want to spend too much time battling a C API for
crypto. I'd much rather be using pyCryptodomex, but that is not
available for mkimage. I am thus focusing on the simple case of
key in, signature out.

On point (b), the RSA path takes the FDT property 'key-name-hint' to
decide which key file to read from disk. In the context of "which fdt
node describes my signing key", this makes sense. On the other hand,
'key-name-hint' is also used as the basename of where the key is on the
filesystem. This leads to some funny search paths, such as

	"some/dir/(null).key"
	
So I am using the -K option to mkimage as the _full_ path to the key
file. It doesn't have to be named .key, it doesn't have to be named
.crt, and it doesn't have to exist in a particular directory (as is
the case for the RSA path). Take that as is for here -- we can discuss
the merits of this in a separate thread.

A bonus point is that I have decided to keep signing/verifying in the
same source file. This allows me to reuse some helper functions. I'm
only adding 300 lines of code, so I don't see the point in splitting
it up.


# Testing

The only test I've run is to take the binary signature and hash, feed
them back to libcrypto, and check that it verifies. This is already
done automatically for each image signed. I see some tests for RSA
under test/. I have not looked into adding tests for the ECDSA path.
I do think it's a great idea, and I intend to look into it.
Beyond the scope of this series (for now).


Alexandru Gagniuc (4):
  lib: Rename rsa-checksum.c to hash-checksum.c
  lib/rsa: Make fdt_add_bignum() available outside of RSA code
  lib: Add support for ECDSA image signing
  doc: signature.txt: Document devicetree format for ECDSA keys

 common/image-fit-sig.c                        |   2 +-
 common/image-sig.c                            |  16 +-
 doc/uImage.FIT/signature.txt                  |   7 +-
 include/image.h                               |   2 +-
 include/u-boot/ecdsa.h                        |  27 ++
 include/u-boot/fdt-libcrypto.h                |  15 +
 .../{rsa-checksum.h => hash-checksum.h}       |   0
 lib/crypto/pkcs7_verify.c                     |   2 +-
 lib/crypto/x509_public_key.c                  |   2 +-
 lib/ecdsa/ecdsa-libcrypto.c                   | 300 ++++++++++++++++++
 lib/fdt-libcrypto.c                           |  72 +++++
 lib/{rsa/rsa-checksum.c => hash-checksum.c}   |   3 +-
 lib/rsa/rsa-sign.c                            |  65 +---
 tools/Makefile                                |   7 +-
 14 files changed, 446 insertions(+), 74 deletions(-)
 create mode 100644 include/u-boot/ecdsa.h
 create mode 100644 include/u-boot/fdt-libcrypto.h
 rename include/u-boot/{rsa-checksum.h => hash-checksum.h} (100%)
 create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
 create mode 100644 lib/fdt-libcrypto.c
 rename lib/{rsa/rsa-checksum.c => hash-checksum.c} (96%)

-- 
2.26.2
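
The key-file lookup discussed under point (b), as an added example that is not part of the original e-mail and is not U-Boot code. The function `resolve_key_path` and its parameters are hypothetical; rejecting a hint that contains `/` is an assumption of this sketch, made because the hint is read from the image being signed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not U-Boot code): choose the key file to open.
 * full_path:    explicit path to the key file, may be NULL.
 * keydir, hint: directory plus 'key-name-hint' value, used only when
 *               full_path is NULL or empty.
 * Returns 0 and fills 'out' on success, -1 on any rejected input.
 */
int resolve_key_path(const char *full_path, const char *keydir,
		     const char *hint, char *out, size_t len)
{
	int n;

	if (full_path && *full_path) {
		/* Explicit path: no extension or directory is imposed. */
		n = snprintf(out, len, "%s", full_path);
		return (n < 0 || (size_t)n >= len) ? -1 : 0;
	}

	/* A missing hint is an error, never "<dir>/(null).key". */
	if (!keydir || !*keydir || !hint || !*hint)
		return -1;

	/* The hint comes from the image: keep it a plain file name. */
	if (strchr(hint, '/'))
		return -1;

	n = snprintf(out, len, "%s/%s.key", keydir, hint);
	/* Treat truncation as failure rather than opening a cut-off path. */
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
	char path[64];

	/* Constructed sample inputs. */
	if (resolve_key_path("some/key.pem", NULL, NULL, path, sizeof(path)) == 0)
		printf("explicit: %s\n", path);
	if (resolve_key_path(NULL, "some/dir", "dev", path, sizeof(path)) == 0)
		printf("derived:  %s\n", path);
	if (resolve_key_path(NULL, "some/dir", NULL, path, sizeof(path)) != 0)
		printf("missing hint rejected\n");
	return 0;
}
```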


