[PATCH v7 2/7] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

AKASHI Takahiro takahiro.akashi at linaro.org
Fri Feb 21 07:12:56 CET 2020

In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.

Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
Reviewed-by: Simon Glass <sjg at chromium.org>
 lib/rsa/Kconfig | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 18a075c17478..89697219db2d 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -28,6 +28,20 @@ config RSA_VERIFY
 	  Add RSA signature verification support.
+	bool "Execute RSA verification without key parameters from FDT"
+	select RSA_VERIFY
+	help
+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
+	  pre-calculated key properties, that are stored in fdt blob, in
+	  decrypting a signature.
+	  This does not suit the use case where there is no way defined to
+	  provide such additional key properties in standardized form,
+	  particularly UEFI secure boot.
+	  This options enables RSA signature verification with a public key
+	  directly specified in image_sign_info, where all the necessary
+	  key properties will be calculated on the fly in verification code.
 	bool "Enable driver for RSA Modular Exponentiation in software"
 	depends on DM

More information about the U-Boot mailing list