[PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

Patrick DELAUNAY patrick.delaunay at foss.st.com
Tue Feb 9 16:11:02 CET 2021 

Hi,

On 1/11/21 4:41 PM, Alexandru Gagniuc wrote:
> Prepare the source tree for accepting implementations of the ECDSA
> algorithm. This patch deals with the boring aspects of Makefiles and
> Kconfig files.
>
> Signed-off-by: Alexandru Gagniuc<mr.nuke.me at gmail.com>
> ---
>   include/image.h          | 10 +++++-----
>   include/u-boot/rsa.h     |  2 +-
>   lib/Kconfig              |  1 +
>   lib/Makefile             |  1 +
>   lib/ecdsa/Kconfig        | 23 +++++++++++++++++++++++
>   lib/ecdsa/Makefile       |  1 +
>   lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
>   7 files changed, 45 insertions(+), 6 deletions(-)
>   create mode 100644 lib/ecdsa/Kconfig
>   create mode 100644 lib/ecdsa/Makefile
>   create mode 100644 lib/ecdsa/ecdsa-verify.c
>
> diff --git a/include/image.h b/include/image.h
> index 6628173dca..1d70ba0ece 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
>   #if defined(USE_HOSTCC)
>   # if defined(CONFIG_FIT_SIGNATURE)
>   #  define IMAGE_ENABLE_SIGN	1
> -#  define IMAGE_ENABLE_VERIFY	1
> +#  define IMAGE_ENABLE_VERIFY_RSA	1
>   #  define IMAGE_ENABLE_VERIFY_ECDSA	1
>   #  define FIT_IMAGE_ENABLE_VERIFY	1
>   #  include <openssl/evp.h>
>   # else
>   #  define IMAGE_ENABLE_SIGN	0
> -#  define IMAGE_ENABLE_VERIFY	0
> +#  define IMAGE_ENABLE_VERIFY_RSA	0
>   # define IMAGE_ENABLE_VERIFY_ECDSA	0
>   #  define FIT_IMAGE_ENABLE_VERIFY	0
>   # endif
>   #else
>   # define IMAGE_ENABLE_SIGN	0
> -# define IMAGE_ENABLE_VERIFY		CONFIG_IS_ENABLED(RSA_VERIFY)
> -# define IMAGE_ENABLE_VERIFY_ECDSA	0
> +# define IMAGE_ENABLE_VERIFY_RSA	CONFIG_IS_ENABLED(RSA_VERIFY)
> +# define IMAGE_ENABLE_VERIFY_ECDSA	CONFIG_IS_ENABLED(ECDSA_VERIFY)

here you are using CONFIG_IS_ENABLED.

This macro imply to test CONFIG_ECDSA_VERIFY or CONFIG_SPL_ECDSA_VERIFY (for SPL build)

=> but CONFIG_SPL_ECDSA_VERIFY is missing, I think you need to add it, as RSA
  

>   # define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
>   #endif
>   
> @@ -1260,7 +1260,7 @@ struct image_region {
>   	int size;
>   };
>   
> -#if IMAGE_ENABLE_VERIFY
> +#if FIT_IMAGE_ENABLE_VERIFY
>   # include <u-boot/hash-checksum.h>
>   #endif
>   struct checksum_algo {
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index bed1c097c2..eb258fca4c 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
>   }
>   #endif
>   
> -#if IMAGE_ENABLE_VERIFY
> +#if IMAGE_ENABLE_VERIFY_RSA
>   /**
>    * rsa_verify_hash() - Verify a signature against a hash
>    *
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 7673d2e4e0..e2cb846fc0 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -292,6 +292,7 @@ config AES
>   	  supported by the algorithm but only a 128-bit key is supported at
>   	  present.
>   
> +source lib/ecdsa/Kconfig
>   source lib/rsa/Kconfig
>   source lib/crypto/Kconfig
>   
> diff --git a/lib/Makefile b/lib/Makefile
> index cf64188ba5..ab86be2678 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -59,6 +59,7 @@ endif
>   
>   obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
>   obj-$(CONFIG_$(SPL_)MD5) += md5.o
> +obj-$(CONFIG_ECDSA) += ecdsa/

obj-$(CONFIG_$(SPL_)ECDSA) += ecdsa/


>   obj-$(CONFIG_$(SPL_)RSA) += rsa/
>   obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
>   obj-$(CONFIG_SHA1) += sha1.o
> diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
> new file mode 100644
> index 0000000000..1244d6b6ea
> --- /dev/null
> +++ b/lib/ecdsa/Kconfig
> @@ -0,0 +1,23 @@
> +config ECDSA
> +	bool "Enable ECDSA support"
> +	depends on DM
> +	help
> +	  This enables the ECDSA algorithm for FIT image verification in U-Boot.
> +	  See doc/uImage.FIT/signature.txt for more details.
> +	  The ECDSA algorithm is implemented using the driver model. So
> +	  CONFIG_DM is required by this library.
> +	  ECDSA is enabled for mkimage regardless of this  option.
> +
> +if ECDSA
> +

Add CONFIG_SPL_ECDSA to select independently support in SPL et/or in U-Boot

as it is done for RSA

+ config SPL_ECDSA
+	bool "Use ECDSA library within in SPL"

  

> +config ECDSA_VERIFY
> +	bool "Enable ECDSA verification support in U-Boot."


+ select SPL_ECDSA


> +	help
> +	  Allow ECDSA signatures to be recognized and verified in U-Boot.
> +
> +config SPL_ECDSA_VERIFY
> +	bool "Enable ECDSA verification support in SPL"
> +	help
> +	  Allow ECDSA signatures to be recognized and verified in SPL.
> +
> +endif
> diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
> new file mode 100644
> index 0000000000..771d6d3135
> --- /dev/null
> +++ b/lib/ecdsa/Makefile
> @@ -0,0 +1 @@
> +obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
> new file mode 100644
> index 0000000000..d2e6a40f4a
> --- /dev/null
> +++ b/lib/ecdsa/ecdsa-verify.c
> @@ -0,0 +1,13 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (c) 2020, Alexandru Gagniuc<mr.nuke.me at gmail.com>
> + */
> +
> +#include <u-boot/ecdsa.h>
> +
> +int ecdsa_verify(struct image_sign_info *info,
> +		 const struct image_region region[], int region_count,
> +		 uint8_t *sig, uint sig_len)
> +{
> +	return -EOPNOTSUPP;
> +}


Regards,

Patrick

More information about the U-Boot mailing list