[PATCH v7 0/7] rsa: extend rsa_verify() for UEFI secure boot
Tom Rini
trini at konsulko.com
Fri Feb 21 18:18:41 CET 2020
On Fri, Feb 21, 2020 at 03:12:54PM +0900, AKASHI Takahiro wrote:
> # This patch set is a prerequisite for UEFI secure boot.
>
> The current rsa_verify() requires five parameters for a RSA public key
> for efficiency while RSA, in theory, requires only two. In addition,
> those parameters are expected to come from FIT image.
>
> So this function won't fit very well when we want to use it for the purpose
> of implementing UEFI secure boot, in particular, image authentication
> as well as variable authentication, where the essential two parameters
> are set to be retrieved from one of X509 certificates in signature
> database.
>
> So, in this patch, additional three parameters will be calculated
> on the fly when rsa_verify() is called without fdt which should contain
> parameters above.
>
> This calculation heavily relies on "big-number (or multi-precision)
> library." Therefore some routines from BearSSL[1] under MIT license are
> imported in this implementation. See Patch#4.
> # Please let me know if this is not appropriate.
>
> Prerequisite:
> * public key parser in my "import x509/pkcs7 parser" patch[2]
This has been applied a long while back.
And for the record, without http://patchwork.ozlabs.org/patch/1239098/
applied sandbox fails to build. I had said I would take care of that
specific issue, so I'm just noting it here. I'm kicking off a larger
test now.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200221/3593699f/attachment.sig>
More information about the U-Boot
mailing list