[PATCH v7 0/7] rsa: extend rsa_verify() for UEFI secure boot
AKASHI Takahiro
takahiro.akashi at linaro.org
Tue Feb 25 05:55:12 CET 2020
On Fri, Feb 21, 2020 at 12:18:41PM -0500, Tom Rini wrote:
> On Fri, Feb 21, 2020 at 03:12:54PM +0900, AKASHI Takahiro wrote:
>
> > # This patch set is a prerequisite for UEFI secure boot.
> >
> > The current rsa_verify() requires five parameters for a RSA public key
> > for efficiency while RSA, in theory, requires only two. In addition,
> > those parameters are expected to come from FIT image.
> >
> > So this function won't fit very well when we want to use it for the purpose
> > of implementing UEFI secure boot, in particular, image authentication
> > as well as variable authentication, where the essential two parameters
> > are set to be retrieved from one of X509 certificates in signature
> > database.
> >
> > So, in this patch, additional three parameters will be calculated
> > on the fly when rsa_verify() is called without fdt which should contain
> > parameters above.
> >
> > This calculation heavily relies on "big-number (or multi-precision)
> > library." Therefore some routines from BearSSL[1] under MIT license are
> > imported in this implementation. See Patch#4.
> > # Please let me know if this is not appropriate.
> >
> > Prerequisite:
> > * public key parser in my "import x509/pkcs7 parser" patch[2]
>
> This has been applied a long while back.
Yes, I forgot to remove this line.
> And for the record, without http://patchwork.ozlabs.org/patch/1239098/
> applied sandbox fails to build. I had said I would take care of that
> specific issue, so I'm just noting it here. I'm kicking off a larger
> test now.
Thank you!
-Takahiro Akashi
> --
> Tom
More information about the U-Boot
mailing list