[PATCH v3 1/1] rsa: adds rsa3072 algorithm
Tom Rini
trini at konsulko.com
Fri Jan 14 19:14:00 CET 2022
On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:
> Add to support rsa 3072 bits algorithm in tools
> for image sign at host side and adds rsa 3072 bits
> verification in the image binary.
>
> Add test case in vboot for sha384 with rsa3072 algorithm testing.
>
> Signed-off-by: Jamin Lin <jamin_lin at aspeedtech.com>
> ---
> include/u-boot/rsa.h | 1 +
> lib/rsa/rsa-verify.c | 6 +++
> test/py/tests/test_vboot.py | 12 +++++-
> test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
> test/py/tests/vboot/sign-images-sha384.its | 42 +++++++++++++++++++
> tools/image-sig-host.c | 7 ++++
> 6 files changed, 111 insertions(+), 2 deletions(-)
> create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
> create mode 100644 test/py/tests/vboot/sign-images-sha384.its
>
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index 7556aa5b4b..bb56c2243c 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
> #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5"
>
> #define RSA2048_BYTES (2048 / 8)
> +#define RSA3072_BYTES (3072 / 8)
> #define RSA4096_BYTES (4096 / 8)
>
> /* This is the minimum/maximum key size we support, in bits */
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 83f7564101..4fe487d7e5 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
> .verify = rsa_verify,
> };
>
> +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> + .name = "rsa3072",
> + .key_len = RSA3072_BYTES,
> + .verify = rsa_verify,
> +};
> +
> U_BOOT_CRYPTO_ALGO(rsa4096) = {
> .name = "rsa4096",
> .key_len = RSA4096_BYTES,
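Review bot: Registering `U_BOOT_CRYPTO_ALGO(rsa3072)` only adds a table entry; the `rsa_verify` callback it shares with rsa2048/rsa4096 lives outside this hunk, and any check in that path that compares a signature or key length against the explicit RSA2048_BYTES/RSA4096_BYTES values (rather than the RSA_MIN_KEY_BITS/RSA_MAX_KEY_BITS range) would still reject a 384-byte modulus with a generic error. It is worth confirming that the whole verify path, including the software mod-exp fallback and any driver-backed mod_exp implementations, accepts key_len == RSA3072_BYTES before relying on the new entry; a rejection there could also explain the test failure reported in this thread, though nothing visible in the hunk confirms that. A short comment on the new entry, `/* Same verify path as rsa2048/rsa4096; only the modulus length differs. */`, would make the intended coverage explicit.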
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 095e00cce3..b080d482af 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -45,6 +45,8 @@ TESTDATA = [
> ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
> ['sha256-pss-required', 'sha256', '-pss', None, True, False],
> ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
> + ['sha384-basic', 'sha384', '', None, False, False],
> + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
> ]
>
> @pytest.mark.boardspec('sandbox')
> @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
> name: Name of of the key (e.g. 'dev')
> """
> public_exponent = 65537
> +
> + if sha_algo == "sha384":
> + rsa_keygen_bits = 3072
> + else:
> + rsa_keygen_bits = 2048
> +
> util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
> - '-pkeyopt rsa_keygen_bits:2048 '
> + '-pkeyopt rsa_keygen_bits:%d '
> '-pkeyopt rsa_keygen_pubexp:%d' %
> - (tmpdir, name, public_exponent))
> + (tmpdir, name, rsa_keygen_bits, public_exponent))
>
> # Create a certificate containing the public key
> util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
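Review bot: The key size is inferred from the hash algorithm (`if sha_algo == "sha384":` → 3072, else 2048), which silently couples two independent test parameters: sha384 with a 2048-bit key and sha256 with a 3072-bit key are now impossible to express, and the `.its` files' `algo = "sha384,rsa3072"` must be kept in step by hand. Making the RSA key size an explicit TESTDATA column (or deriving it from the `rsa<bits>` part of the signature algo) would be clearer; at minimum the branch deserves a comment such as `# sha384 test cases sign with rsa3072 (see sign-*-sha384.its); all others use rsa2048`. The surrounding file uses single-quoted strings (`'sha256'`, `'sha384'` in TESTDATA), so `"sha384"` here is inconsistent; the whole branch also collapses to `rsa_keygen_bits = 3072 if sha_algo == 'sha384' else 2048`. The enclosing function starts outside the hunk, so its docstring should also mention that `sha_algo` selects the key size.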
> diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
> new file mode 100644
> index 0000000000..2869401991
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha384.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha384";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha384";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha384,rsa3072";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
> new file mode 100644
> index 0000000000..be1a9a653c
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha384.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha384,rsa3072";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha384,rsa3072";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> index 8ed6998dab..d0133aec4c 100644
> --- a/tools/image-sig-host.c
> +++ b/tools/image-sig-host.c
> @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
> .add_verify_data = rsa_add_verify_data,
> .verify = rsa_verify,
> },
> + {
> + .name = "rsa3072",
> + .key_len = RSA3072_BYTES,
> + .sign = rsa_sign,
> + .add_verify_data = rsa_add_verify_data,
> + .verify = rsa_verify,
> + },
> {
> .name = "rsa4096",
> .key_len = RSA4096_BYTES,
With current master these tests run and fail:
https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me
when running locally), please re-check and resubmit, thanks.
--
Tom