[PATCH v6 00/11] Add support for ECDSA image signing
Alexandru Gagniuc
mr.nuke.me at gmail.com
Fri Feb 19 19:45:09 CET 2021
## Purpose and intent
The purpose of this series is to enable ECDSA as an alternative to RSA
for FIT signing. As new chips have built-in support for ECDSA verified
boot, it makes sense to stick to one signing algorithm, instead of
resorting to RSA for u-boot images.
The focus of this series is signing an existing FIT image:
mkimage -F some-existing.fit -G some/key.pem
Signing while assembling a FIT is not a tested use case.
This concatenates two series:
* Add support for ECDSA image signing (with test)
* mkimage: Add a 'keyfile' argument for image signing
# Testing
test/py/tests/test_fit_ecdsa.py is implemented withe the goal to check
that the signing is done correctly, and that the signature is encoded
in the proper raw format. Verification is done with pyCryptodomex, so
this test will catch both coding errors and openssl bugs. This is the
only scope of testing proposed here.
Changes since v5:
- Include "mkimage: Add a 'keyfile' argument for image signing" series
- Update python test to use 'keyfile' (-G) mkinage argument
- document which strings can be null in image.h
- Fix typo in python test (invokations -> invocations)
Changes since v4:
- Fixed tools/ build issue with # FIT_SIGNATURE is not selected
Changes since v3:
- Don't use 'log_msg_ret()', as it's not available host-side
Changes since v1 and v2:
- Added lots of function comments
- Replaced hardcoded error numbers with more meaningful errno numbers
- Changed some error paths to use 'return log_msg_ret'
Alexandru Gagniuc (11):
lib: Rename rsa-checksum.c to hash-checksum.c
lib/rsa: Make fdt_add_bignum() available outside of RSA code
lib: Add support for ECDSA image signing
doc: signature.txt: Document devicetree format for ECDSA keys
test/py: Add pycryptodomex to list of required pakages
test/py: ecdsa: Add test for mkimage ECDSA signing
doc: signature.txt: Document the keydir and keyfile arguments
mkimage: Add a 'keyfile' argument for image signing
lib/rsa: Use the 'keyfile' argument from mkimage
lib/ecdsa: Use the 'keydir' argument from mkimage if appropriate
test/py: ecdsa: Use mkimage keyfile instead of keydir argument
common/image-fit-sig.c | 2 +-
common/image-sig.c | 13 +-
doc/uImage.FIT/signature.txt | 20 +-
include/image.h | 21 +-
include/u-boot/ecdsa.h | 94 ++++++
include/u-boot/fdt-libcrypto.h | 27 ++
.../{rsa-checksum.h => hash-checksum.h} | 0
lib/Makefile | 1 +
lib/crypto/pkcs7_verify.c | 2 +-
lib/crypto/x509_public_key.c | 2 +-
lib/ecdsa/ecdsa-libcrypto.c | 318 ++++++++++++++++++
lib/fdt-libcrypto.c | 72 ++++
lib/{rsa/rsa-checksum.c => hash-checksum.c} | 3 +-
lib/rsa/Makefile | 2 +-
lib/rsa/rsa-sign.c | 99 ++----
test/py/requirements.txt | 1 +
test/py/tests/test_fit_ecdsa.py | 111 ++++++
tools/Makefile | 11 +-
tools/fit_image.c | 3 +-
tools/image-host.c | 58 ++--
tools/imagetool.h | 1 +
tools/mkimage.c | 6 +-
22 files changed, 752 insertions(+), 115 deletions(-)
create mode 100644 include/u-boot/ecdsa.h
create mode 100644 include/u-boot/fdt-libcrypto.h
rename include/u-boot/{rsa-checksum.h => hash-checksum.h} (100%)
create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
create mode 100644 lib/fdt-libcrypto.c
rename lib/{rsa/rsa-checksum.c => hash-checksum.c} (96%)
create mode 100644 test/py/tests/test_fit_ecdsa.py
--
2.26.2
More information about the U-Boot
mailing list