U-Boot ECDSA Implementation Question
Alex G.
mr.nuke.me at gmail.com
Fri Feb 5 17:08:46 CET 2021
Hi Tim,
On 2/5/21 8:35 AM, Simon Glass wrote:
>> I’m a current intern at Microsoft, and one of my priorities is to enable ECDSA for U-Boot image signing/verification. Simon mentioned someone is already working on ECC, it would be great to get synced up with related progress. For signing, I will likely replicate the existing approach of using the openssl library. I’m aware that signing happens on a host machine and verification happens during boot, which implies verification should have a custom implementation to avoid the openssl overhead in the U-Boot binary. My thoughts are to copy an ECC verification implementation from a well-tested widely-used open source project. I was wondering, is U-Boot’s current RSA verification copied from another project? If so, how are security patches between the two copies of code usually handled? I’m thinking of deriving from the ECDSA implementation currently in the Linux kernel, though I’d also appreciate suggestions if there’s a better/more widely tested & used implementation.
>
[snip]
>
> Alexandru Gagniuc, on cc, has been looking at implementing the signing
> side of this recently and has sent some patches that you could look
> at.
I hope I can save you some effort on the signing side. Generally, you
have two types of signed images. The first is the signed bootloader (BL2
or FSBL in ARM terms). The other one is the signed Flattened Image Tree
(FIT) that we use in u-boot. The first one is vendor-specific, so you'd
usually use vendor tools or write your own. We use mkimage to deal with
the latter.
I've implemented the signing part [1] for mkimage. mkimage has the
ability to use hardware signing via the PKCS11 engine of openssl, which
I did not implement. You can read more about it here [3].
The verification part is still being defined [4][5]. The idea is to
define a UCLASS which abstracts the underlying implementation. For RSA,
it's defined here [6].
My goal with ECDSA verification was to use the ROM API of the STM32MP1.
This meant I don't have to write a software implementation of ECDSA.
This would be useful in two ways. It would enable ECDSA verification on
devices that don't support it in hardware, and would also allow us to
add some unit tests for ECDSA.
I suspect what you could do from here, is try to build my branch with
ECDSA signing, play around with mkimage, and let us know how we can
point you to the correct documentation. There's a lot of it in doc/, but
it's not always easy to find.
Alex
[1] https://github.com/mrnuke/u-boot/commits/patch-mkimage-keyfile-v1
[2]
https://github.com/mrnuke/u-boot/commit/a2ae016f2f80579962d4ab058137c8e1a4f4741f
[3]
https://github.com/mrnuke/u-boot/blob/3f447efcf8ad98d0eea349994810a66b453ac188/doc/uImage.FIT/signature.txt#L488
[4]
https://github.com/mrnuke/u-boot/commit/31caceb0e28959881e96ea49a0b28fd44d13a947
[5] https://github.com/mrnuke/u-boot/commits/patch-stm32-ecdsa-v1
[6]
https://github.com/mrnuke/u-boot/blob/7d7ce8d70287568071a5d24acb6dc74b923fe7e0/include/u-boot/rsa-mod-exp.h#L79
More information about the U-Boot
mailing list