From patchwork Mon Jan 11 15:41:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexandru Gagniuc X-Patchwork-Id: 1424694 X-Patchwork-Delegate: patrick.delaunay73@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=B/X35hwW; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DDydc5BsCz9srZ for ; Tue, 12 Jan 2021 02:42:44 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 0D77A82896; Mon, 11 Jan 2021 16:42:01 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="B/X35hwW"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E33268271C; Mon, 11 Jan 2021 16:41:49 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id A34B2826FF for ; Mon, 11 Jan 2021 16:41:42 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=mr.nuke.me@gmail.com Received: by mail-ot1-x336.google.com with SMTP id r9so21778otk.11 for ; Mon, 11 Jan 2021 07:41:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=c3u9GNCZtwlEgtZtS/4PBL/CBv0gV+8HCUniYeOWszE=; b=B/X35hwWKahp/xduTeQwklyZipMx5X+Xj34bLvsKe0X+TIIN9w9AEuzduKJLplqi/f kXeBTeKZUB0amJAmmZlyLsuo+9cI5auiTON5TMBuauCM8L6akUZvIfR3fJ4DzJWhhtZ0 MSip5oUbbA0R+2IJ8N1m1wPsFijQjufvPUzRBWYOh+bbB7k9/gd+o11PSQzLTh0HcpKb sALu7oaUGJkf9UbejxS8Qa94OEjGxLxb8qN9Fr0LNofqgqr+v09QkZlm5UM4OK089HzV wf9dDE3DpCBa9mt4d5Z3EYb1bFpeGSSbW/Q6y/qyMkWRt9JQuzAktMi7xK1h7s/eXtNE OuqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=c3u9GNCZtwlEgtZtS/4PBL/CBv0gV+8HCUniYeOWszE=; b=k9NRg2H0U6SNwp3XakzoOITs3zbRY+JqVniGlFpf0NL/kRlzWIiR+b1ljqSMkVlbyG TFkDNgf0vgHDHZHXyDNJbryv/4s+R9NgcyA6CS2B0CRqr0p9wVPlsxUGFzknWH7doSHI 6eihNBYQ2zWapelsBc+XMAO60vnR6YLvk12GEVJ3oTw15cV6FYjkYvyjquFa7GsGOynd RtxcMWGr9+dz4y2s48VmHvVwXg6P5lyumBglAt416JwpUTk0M8bHIl6pFtoHkTuybW/G Vxdq6p+nqtElZh3tpybmQwRm4SbEIY1AR/VXecT6sPQwuxcDk0p7zFKzTEB/q5fCTr5T vYnw== X-Gm-Message-State: AOAM530gdFmbvhThd+k6Sl0RqOj2nbUmP7n28pF7ijWrxdR72rFHYpYR Ttop0gFpHmEh5C2ciRitfPXnRy7YzcF5gw== X-Google-Smtp-Source: ABdhPJxe9HLhEcJ2o20/7Q9Rk8rY64yxX1mXmwnS8rYfUqSmRHM6YRXdLJvqv2P5n7Tr7GdsvHeUMw== X-Received: by 2002:a05:6830:1ad4:: with SMTP id r20mr10954075otc.354.1610379701046; Mon, 11 Jan 2021 07:41:41 -0800 (PST) Received: from nuclearis2-1.lan (c-98-195-139-126.hsd1.tx.comcast.net. [98.195.139.126]) by smtp.gmail.com with ESMTPSA id k10sm16690otn.71.2021.01.11.07.41.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Jan 2021 07:41:40 -0800 (PST) From: Alexandru Gagniuc To: u-boot@lists.denx.de, sjg@chromium.org Cc: Alexandru Gagniuc , trini@konsulko.com, marex@denx.de Subject: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot Date: Mon, 11 Jan 2021 09:41:34 -0600 Message-Id: <20210111154137.621732-3-mr.nuke.me@gmail.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210111154137.621732-1-mr.nuke.me@gmail.com> References: <20210111154137.621732-1-mr.nuke.me@gmail.com> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Prepare the source tree for accepting implementations of the ECDSA algorithm. This patch deals with the boring aspects of Makefiles and Kconfig files. Signed-off-by: Alexandru Gagniuc --- include/image.h | 10 +++++----- include/u-boot/rsa.h | 2 +- lib/Kconfig | 1 + lib/Makefile | 1 + lib/ecdsa/Kconfig | 23 +++++++++++++++++++++++ lib/ecdsa/Makefile | 1 + lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++ 7 files changed, 45 insertions(+), 6 deletions(-) create mode 100644 lib/ecdsa/Kconfig create mode 100644 lib/ecdsa/Makefile create mode 100644 lib/ecdsa/ecdsa-verify.c diff --git a/include/image.h b/include/image.h index 6628173dca..1d70ba0ece 100644 --- a/include/image.h +++ b/include/image.h @@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int data_len, const char *algo, #if defined(USE_HOSTCC) # if defined(CONFIG_FIT_SIGNATURE) # define IMAGE_ENABLE_SIGN 1 -# define IMAGE_ENABLE_VERIFY 1 +# define IMAGE_ENABLE_VERIFY_RSA 1 # define IMAGE_ENABLE_VERIFY_ECDSA 1 # define FIT_IMAGE_ENABLE_VERIFY 1 # include # else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY 0 +# define IMAGE_ENABLE_VERIFY_RSA 0 # define IMAGE_ENABLE_VERIFY_ECDSA 0 # define FIT_IMAGE_ENABLE_VERIFY 0 # endif #else # define IMAGE_ENABLE_SIGN 0 -# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY) -# define IMAGE_ENABLE_VERIFY_ECDSA 0 +# define IMAGE_ENABLE_VERIFY_RSA CONFIG_IS_ENABLED(RSA_VERIFY) +# define IMAGE_ENABLE_VERIFY_ECDSA CONFIG_IS_ENABLED(ECDSA_VERIFY) # define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE) #endif @@ -1260,7 +1260,7 @@ struct image_region { int size; }; -#if IMAGE_ENABLE_VERIFY +#if FIT_IMAGE_ENABLE_VERIFY # include #endif struct checksum_algo { diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index bed1c097c2..eb258fca4c 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h @@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info, } #endif -#if IMAGE_ENABLE_VERIFY +#if IMAGE_ENABLE_VERIFY_RSA /** * rsa_verify_hash() - Verify a signature against a hash * diff --git a/lib/Kconfig b/lib/Kconfig index 7673d2e4e0..e2cb846fc0 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -292,6 +292,7 @@ config AES supported by the algorithm but only a 128-bit key is supported at present. +source lib/ecdsa/Kconfig source lib/rsa/Kconfig source lib/crypto/Kconfig diff --git a/lib/Makefile b/lib/Makefile index cf64188ba5..ab86be2678 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -59,6 +59,7 @@ endif obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/ obj-$(CONFIG_$(SPL_)MD5) += md5.o +obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o obj-$(CONFIG_SHA1) += sha1.o diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig new file mode 100644 index 0000000000..1244d6b6ea --- /dev/null +++ b/lib/ecdsa/Kconfig @@ -0,0 +1,23 @@ +config ECDSA + bool "Enable ECDSA support" + depends on DM + help + This enables the ECDSA algorithm for FIT image verification in U-Boot. + See doc/uImage.FIT/signature.txt for more details. + The ECDSA algorithm is implemented using the driver model. So + CONFIG_DM is required by this library. + ECDSA is enabled for mkimage regardless of this option. + +if ECDSA + +config ECDSA_VERIFY + bool "Enable ECDSA verification support in U-Boot." + help + Allow ECDSA signatures to be recognized and verified in U-Boot. + +config SPL_ECDSA_VERIFY + bool "Enable ECDSA verification support in SPL" + help + Allow ECDSA signatures to be recognized and verified in SPL. + +endif diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile new file mode 100644 index 0000000000..771d6d3135 --- /dev/null +++ b/lib/ecdsa/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c new file mode 100644 index 0000000000..d2e6a40f4a --- /dev/null +++ b/lib/ecdsa/ecdsa-verify.c @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020, Alexandru Gagniuc + */ + +#include + +int ecdsa_verify(struct image_sign_info *info, + const struct image_region region[], int region_count, + uint8_t *sig, uint sig_len) +{ + return -EOPNOTSUPP; +}