[PATCH v2 2/6] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

Simon Glass sjg at chromium.org
Mon Mar 29 09:43:09 CEST 2021 

Hi Alexandru,

On Tue, 16 Mar 2021 at 13:24, Alexandru Gagniuc <mr.nuke.me at gmail.com> wrote:
>
> Prepare the source tree for accepting implementations of the ECDSA
> algorithm. This patch deals with the boring aspects of Makefiles and
> Kconfig files.
>
> Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
> ---
>  include/image.h          | 10 +++++-----
>  include/u-boot/rsa.h     |  2 +-
>  lib/Kconfig              |  1 +
>  lib/Makefile             |  1 +
>  lib/ecdsa/Kconfig        | 23 +++++++++++++++++++++++
>  lib/ecdsa/Makefile       |  1 +
>  lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
>  7 files changed, 45 insertions(+), 6 deletions(-)
>  create mode 100644 lib/ecdsa/Kconfig
>  create mode 100644 lib/ecdsa/Makefile
>  create mode 100644 lib/ecdsa/ecdsa-verify.c
>
> diff --git a/include/image.h b/include/image.h
> index b5bcf08e61..800d981f03 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -1219,20 +1219,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
>  #if defined(USE_HOSTCC)
>  # if defined(CONFIG_FIT_SIGNATURE)
>  #  define IMAGE_ENABLE_SIGN    1
> -#  define IMAGE_ENABLE_VERIFY  1
> +#  define IMAGE_ENABLE_VERIFY_RSA      1
>  #  define IMAGE_ENABLE_VERIFY_ECDSA    1
>  #  define FIT_IMAGE_ENABLE_VERIFY      1
>  #  include <openssl/evp.h>
>  # else
>  #  define IMAGE_ENABLE_SIGN    0
> -#  define IMAGE_ENABLE_VERIFY  0
> +#  define IMAGE_ENABLE_VERIFY_RSA      0
>  # define IMAGE_ENABLE_VERIFY_ECDSA     0
>  #  define FIT_IMAGE_ENABLE_VERIFY      0
>  # endif
>  #else
>  # define IMAGE_ENABLE_SIGN     0
> -# define IMAGE_ENABLE_VERIFY           CONFIG_IS_ENABLED(RSA_VERIFY)
> -# define IMAGE_ENABLE_VERIFY_ECDSA     0
> +# define IMAGE_ENABLE_VERIFY_RSA       CONFIG_IS_ENABLED(RSA_VERIFY)
> +# define IMAGE_ENABLE_VERIFY_ECDSA     CONFIG_IS_ENABLED(ECDSA_VERIFY)
>  # define FIT_IMAGE_ENABLE_VERIFY       CONFIG_IS_ENABLED(FIT_SIGNATURE)
>  #endif
>
> @@ -1288,7 +1288,7 @@ struct image_region {
>         int size;
>  };
>
> -#if IMAGE_ENABLE_VERIFY
> +#if FIT_IMAGE_ENABLE_VERIFY
>  # include <u-boot/hash-checksum.h>
>  #endif
>  struct checksum_algo {
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index bed1c097c2..eb258fca4c 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
>  }
>  #endif
>
> -#if IMAGE_ENABLE_VERIFY
> +#if IMAGE_ENABLE_VERIFY_RSA
>  /**
>   * rsa_verify_hash() - Verify a signature against a hash
>   *
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 7288340614..48895e4e4f 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -295,6 +295,7 @@ config AES
>           supported by the algorithm but only a 128-bit key is supported at
>           present.
>
> +source lib/ecdsa/Kconfig
>  source lib/rsa/Kconfig
>  source lib/crypto/Kconfig
>
> diff --git a/lib/Makefile b/lib/Makefile
> index 1d4b7d3aad..de55914f52 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -59,6 +59,7 @@ endif
>
>  obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
>  obj-$(CONFIG_$(SPL_)MD5) += md5.o
> +obj-$(CONFIG_ECDSA) += ecdsa/
>  obj-$(CONFIG_$(SPL_)RSA) += rsa/
>  obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
>  obj-$(CONFIG_SHA1) += sha1.o
> diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
> new file mode 100644
> index 0000000000..1244d6b6ea
> --- /dev/null
> +++ b/lib/ecdsa/Kconfig
> @@ -0,0 +1,23 @@
> +config ECDSA
> +       bool "Enable ECDSA support"
> +       depends on DM
> +       help
> +         This enables the ECDSA algorithm for FIT image verification in U-Boot.
> +         See doc/uImage.FIT/signature.txt for more details.
> +         The ECDSA algorithm is implemented using the driver model. So
> +         CONFIG_DM is required by this library.
> +         ECDSA is enabled for mkimage regardless of this  option.

drop extra space before option

Can you write out ECDSA in full once, briefly mention what it is and
perhaps a link to more info?

> +
> +if ECDSA
> +
> +config ECDSA_VERIFY
> +       bool "Enable ECDSA verification support in U-Boot."
> +       help
> +         Allow ECDSA signatures to be recognized and verified in U-Boot.
> +
> +config SPL_ECDSA_VERIFY
> +       bool "Enable ECDSA verification support in SPL"
> +       help
> +         Allow ECDSA signatures to be recognized and verified in SPL.
> +
> +endif
> diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
> new file mode 100644
> index 0000000000..771d6d3135
> --- /dev/null
> +++ b/lib/ecdsa/Makefile
> @@ -0,0 +1 @@
> +obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
> new file mode 100644
> index 0000000000..d2e6a40f4a
> --- /dev/null
> +++ b/lib/ecdsa/ecdsa-verify.c
> @@ -0,0 +1,13 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me at gmail.com>
> + */
> +
> +#include <u-boot/ecdsa.h>
> +
> +int ecdsa_verify(struct image_sign_info *info,
> +                const struct image_region region[], int region_count,
> +                uint8_t *sig, uint sig_len)
> +{
> +       return -EOPNOTSUPP;
> +}
> --
> 2.26.2
>

Regards,Simon

More information about the U-Boot mailing list