In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.

Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
Reviewed-by: Simon Glass <s...@chromium.org>
---
 lib/rsa/Kconfig | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 03ffa2969048..71e4c06bf883 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -30,6 +30,20 @@ config RSA_VERIFY
        help
          Add RSA signature verification support.
 
+config RSA_VERIFY_WITH_PKEY
+       bool "Execute RSA verification without key parameters from FDT"
+       depends on RSA
+       help
+         The standard RSA-signature verification code (FIT_SIGNATURE) uses
+         pre-calculated key properties, that are stored in fdt blob, in
+         decrypting a signature.
+         This does not suit the use case where there is no way defined to
+         provide such additional key properties in standardized form,
+         particularly UEFI secure boot.
+         This options enables RSA signature verification with a public key
+         directly specified in image_sign_info, where all the necessary
+         key properties will be calculated on the fly in verification code.
+
 config RSA_SOFTWARE_EXP
        bool "Enable driver for RSA Modular Exponentiation in software"
        depends on DM
-- 
2.21.0

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot

Reply via email to