# Please note that this patch set is based on v2 of my "importing # x509/pkcs7 parsers from linux" patch[2] and will have to be updated # due to remval of test/lib/Kconfig once v3 or later is submitted. # The needed change is trivial, though.
The current rsa_verify() requires five parameters for a RSA public key for efficiency while RSA, in theory, requires only two. In addition, those parameters are expected to come from FIT image. So this function won't fit very well when we want to use it for the purpose of implementing UEFI secure boot, in particular, image authentication as well as variable authentication, where the essential two parameters are set to be retrieved from one of X509 certificates in signature database. So, in this patch, additional three parameters will be calculated on the fly when rsa_verify() is called without fdt which should contain parameters above. This calculation heavily relies on "big-number (or multi-precision) library." Therefore some routines from BearSSL[1] under MIT license are imported in this implementation. See Patch#4. # Please let me know if this is not appropriate. # Checkpatch will complain with lots of warnings/errors, but # I intentionally don't fix them for maximum maintainability. [1] https://bearssl.org/ [2] https://lists.denx.de/pipermail/u-boot/2019-October/388263.html Changes in v2 (Oct 29, 2019) * fix build errors at Travis CI * not include linux/kconfig.h (patch#1) * add a separate patch for adding CONFIG_RSA_VERIFY_WITH_PKEY (patch#2) * take a prerequisite patch from my "secure boot patch" (patch#3) * add a dependency on RSA_PUBLIC_KEY_PARSER (patch#4) * remove "inline" directives (patch#4) * add function descriptions, which mostly come from BearSSL's src/inner.h (patch#4) * improve Kconfig help text after Simon's comment (patch#5) * add function description of rsa_verify_with_pkey() (patch#5) * modify rsa_verify() to use "if (CONFIG_IS_ENABLED(...) " style rather than "#ifdef CONFIG_..." (patch#5) * add function tests (patch#6) Changes in v1 (Oct 9, 2019) * fix a build error on pine64-lts_defconfig (reported by Heinrich) by defining FIT_IMAGE_ENABLE_VERIFY flag and adding SPL_RSA_VERIFY config (patch#1) * remove FIT-specific code from image-sig.c and put them to new image-fit-sig.c to allow us to disable CONFIG_FIT_SIGNATURE (patch#1) * compile rsa-keyprop.c only if necessary (i.e. if CONFIG_RSA_VERIFY_WITH_PKEY) (patch#2) * add SPDX license identifier in rsa-keyprop.c (patch#2) * include <common.h> instead of <stdio.h> (patch#2) * use U-Boot's byteorder helper functions instead of BearSSL's (patch#2) AKASHI Takahiro (6): lib: rsa: decouple rsa from FIT image verification rsa: add RSA_VERIFY_WITH_PKEY include: image.h: add key info to image_sign_info lib: rsa: generate additional parameters for public key lib: rsa: add rsa_verify_with_pkey() test: add rsa_verify() unit test Kconfig | 1 + common/Makefile | 3 +- common/image-fit-sig.c | 417 ++++++++++++++++++++ common/image-fit.c | 6 +- common/image-sig.c | 396 ------------------- include/image.h | 23 +- include/u-boot/rsa-mod-exp.h | 21 + lib/rsa/Kconfig | 27 ++ lib/rsa/Makefile | 3 +- lib/rsa/rsa-keyprop.c | 717 +++++++++++++++++++++++++++++++++++ lib/rsa/rsa-verify.c | 131 +++++-- test/lib/Kconfig | 12 + test/lib/Makefile | 1 + test/lib/rsa.c | 207 ++++++++++ tools/Makefile | 2 +- 15 files changed, 1531 insertions(+), 436 deletions(-) create mode 100644 common/image-fit-sig.c create mode 100644 lib/rsa/rsa-keyprop.c create mode 100644 test/lib/rsa.c -- 2.21.0 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
