[PATCH] rsa: always build pss padding

Quentin Schulz quentin.schulz at cherry.de
Thu Oct 30 11:21:19 CET 2025 

Hi Tom.

On 10/29/25 11:20 PM, Tom Rini wrote:
> On Wed, Oct 29, 2025 at 12:28:53PM +0100, Quentin Schulz wrote:
> 
>> From: Quentin Schulz <quentin.schulz at cherry.de>
>>
>> One could very well want to verify signed files which aren't a FIT
>> image (e.g. via rsa_verify_hash() when $(PHASE_)RSA_VERIFY_WITH_PKEY=y)
>> but that is currently only possible if the FIT_SIGNATURE symbol is
>> enabled for the stage this signed file needs to be verified.
>>
>> While we could remove the dependency on FIT_SIGNATURE and find a better
>> name for the symbol, let's simply always build support for PSS padding
>> when RSA is enabled, like we currently do for pkcs-1.5 padding.
>>
>> When $(PHASE_)RSA_VERIFY is enabled on PX30 Ringneck, the difference is
>> an additional 904B for the SPL (spl/u-boot-spl.bin) and 1000B for U-Boot
>> proper (u-boot-nodtb.bin).
>>
>> Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
>> ---
>> Another option is to remove the FIT_SIGNATURE dependency. For context, I
>> have a system where U-Boot proper verifies the signature of a few
>> binaries thanks to rsa_verify_hash() (see CONFIG_RSA_VERIFY_WITH_PKEY)
>> with an embedded public key. We do not use FIT images in proper and I
>> would like to avoid building code we don't use to limit the attack
>> surface, so I was looking at ways to remove the FIT support in proper
>> and this dependency makes it impossible as we use PSS padding.
>>
>> The cost of always building all RSA paddings may be too high though, I
>> don't know where we should draw the line.
> 
> I think the cost of ~900 bytes in SPL for 120 platforms is on the high
> side. How about a different symbol? Or would you want this enabled by

Yeah that was my assumption as well.

I think will go with renaming the symbol to RSASSA_PSS (and 
SPL_RSASSA_PSS) and only make it depend on RSA (and SPL_RSA), then move 
the symbol to lib/rsa/Kconfig.

How does that sound?

I'm not sure to understand why we made PSS padding an option for the 
tools though... I'm thinking about removing the TOOLS_RSASSA_PSS symbol 
and simply always build its support (that is remove the ifdef in 
lib/rsa/rsa-sign.c which is only built for the tools AFAICT). Or maybe 
the intention was to not allow padding with PSS when signing if the 
authentication part cannot validate it (i.e. padding = PSS, tools uses 
the padding, but FIT_RSASSA_PSS=n so cannot authenticate it)?

> default on rockhip and so changing those 120 platforms anyways?

Nothing Rockchip-specific here so not something I'm looking to do :)

Cheers,
Quentin

More information about the U-Boot mailing list