[v4,1/1] rsa: adds rsa3072 algorithm

Message ID	20220119082323.4567-2-jamin_lin@aspeedtech.com
State	Accepted
Commit	2a4b0d5890deb0c973f8db7bb03adad96aff1050
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Jamin Lin <jamin_lin@aspeedtech.com> To: Simon Glass <sjg@chromium.org>, Alexandru Gagniuc <mr.nuke.me@gmail.com>, Philippe Reynes <philippe.reynes@softathome.com>, Thomas Perrot <thomas.perrot@bootlin.com>, Sean Anderson <sean.anderson@seco.com>, "open list" <u-boot@lists.denx.de> CC: <troy_lee@aspeedtech.com>, <steven_lee@aspeedtech.com> Subject: [PATCH v4 1/1] rsa: adds rsa3072 algorithm Date: Wed, 19 Jan 2022 16:23:21 +0800 Message-ID: <20220119082323.4567-2-jamin_lin@aspeedtech.com> In-Reply-To: <20220119082323.4567-1-jamin_lin@aspeedtech.com> References: <20220119082323.4567-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	rsa: adds rsa3072 algorithm \| expand [v4,0/1] rsa: adds rsa3072 algorithm [v4,1/1] rsa: adds rsa3072 algorithm

Message ID

20220119082323.4567-2-jamin_lin@aspeedtech.com

State

Accepted

Commit

2a4b0d5890deb0c973f8db7bb03adad96aff1050

Delegated to:

Tom Rini

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4JdzFS6krHz9tB1
	for <incoming@patchwork.ozlabs.org>; Wed, 19 Jan 2022 19:24:12 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id D68218366F;
	Wed, 19 Jan 2022 09:24:00 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=aspeedtech.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Received: by phobos.denx.de (Postfix, from userid 109)
 id 7C419830B3; Wed, 19 Jan 2022 09:23:56 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
 SPF_PASS autolearn=ham autolearn_force=no version=3.4.2
Received: from twspam01.aspeedtech.com (twspam01.aspeedtech.com
 [211.20.114.71])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 7CE478319C
 for <u-boot@lists.denx.de>; Wed, 19 Jan 2022 09:23:51 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none)
 header.from=aspeedtech.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=jamin_lin@aspeedtech.com
Received: from mail.aspeedtech.com ([192.168.0.24])
 by twspam01.aspeedtech.com with ESMTP id 20J8GYPN049288;
 Wed, 19 Jan 2022 16:16:34 +0800 (GMT-8)
 (envelope-from jamin_lin@aspeedtech.com)
Received: from localhost.localdomain (118.99.190.129) by TWMBX02.aspeed.com
 (192.168.0.24) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 19 Jan
 2022 16:23:34 +0800
From: Jamin Lin <jamin_lin@aspeedtech.com>
To: Simon Glass <sjg@chromium.org>, Alexandru Gagniuc <mr.nuke.me@gmail.com>,
 Philippe Reynes <philippe.reynes@softathome.com>, Thomas Perrot
 <thomas.perrot@bootlin.com>, Sean Anderson <sean.anderson@seco.com>, "open
 list" <u-boot@lists.denx.de>
CC: <troy_lee@aspeedtech.com>, <steven_lee@aspeedtech.com>
Subject: [PATCH v4 1/1] rsa: adds rsa3072 algorithm
Date: Wed, 19 Jan 2022 16:23:21 +0800
Message-ID: <20220119082323.4567-2-jamin_lin@aspeedtech.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20220119082323.4567-1-jamin_lin@aspeedtech.com>
References: <20220119082323.4567-1-jamin_lin@aspeedtech.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [118.99.190.129]
X-ClientProxiedBy: TWMBX02.aspeed.com (192.168.0.24) To TWMBX02.aspeed.com
 (192.168.0.24)
X-DNSRBL: 
X-MAIL: twspam01.aspeedtech.com 20J8GYPN049288
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

Series

rsa: adds rsa3072 algorithm | expand

Commit Message

Jamin Lin Jan. 19, 2022, 8:23 a.m. UTC

Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.

Add test case in vboot for sha384 with rsa3072 algorithm testing.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 configs/sandbox_defconfig                   |  1 +
 include/u-boot/rsa.h                        |  1 +
 lib/rsa/rsa-verify.c                        |  6 +++
 test/py/tests/test_vboot.py                 | 12 +++++-
 test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
 test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
 tools/image-sig-host.c                      |  7 ++++
 7 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
 create mode 100644 test/py/tests/vboot/sign-images-sha384.its

Comments

Simon Glass Jan. 27, 2022, 3:05 p.m. UTC | #1

On Wed, 19 Jan 2022 at 01:23, Jamin Lin <jamin_lin@aspeedtech.com> wrote:
>
> Add to support rsa 3072 bits algorithm in tools
> for image sign at host side and adds rsa 3072 bits
> verification in the image binary.
>
> Add test case in vboot for sha384 with rsa3072 algorithm testing.
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
>  configs/sandbox_defconfig                   |  1 +
>  include/u-boot/rsa.h                        |  1 +
>  lib/rsa/rsa-verify.c                        |  6 +++
>  test/py/tests/test_vboot.py                 | 12 +++++-
>  test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
>  test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
>  tools/image-sig-host.c                      |  7 ++++
>  7 files changed, 112 insertions(+), 2 deletions(-)
>  create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
>  create mode 100644 test/py/tests/vboot/sign-images-sha384.its

Reviewed-by: Simon Glass <sjg@chromium.org>

Tom Rini Jan. 29, 2022, 6:49 p.m. UTC | #2

On Wed, Jan 19, 2022 at 04:23:21PM +0800, Jamin Lin wrote:

> Add to support rsa 3072 bits algorithm in tools
> for image sign at host side and adds rsa 3072 bits
> verification in the image binary.
> 
> Add test case in vboot for sha384 with rsa3072 algorithm testing.
> 
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 4f413582fb..6686085d2c 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -312,3 +312,4 @@  CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
+CONFIG_SHA384=y
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 7556aa5b4b..bb56c2243c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -110,6 +110,7 @@  int padding_pss_verify(struct image_sign_info *info,
 #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
 
 #define RSA2048_BYTES	(2048 / 8)
+#define RSA3072_BYTES	(3072 / 8)
 #define RSA4096_BYTES	(4096 / 8)
 
 /* This is the minimum/maximum key size we support, in bits */
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 83f7564101..4fe487d7e5 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -588,6 +588,12 @@  U_BOOT_CRYPTO_ALGO(rsa2048) = {
 	.verify = rsa_verify,
 };
 
+U_BOOT_CRYPTO_ALGO(rsa3072) = {
+	.name = "rsa3072",
+	.key_len = RSA3072_BYTES,
+	.verify = rsa_verify,
+};
+
 U_BOOT_CRYPTO_ALGO(rsa4096) = {
 	.name = "rsa4096",
 	.key_len = RSA4096_BYTES,
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 095e00cce3..b080d482af 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@  TESTDATA = [
     ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
     ['sha256-pss-required', 'sha256', '-pss', None, True, False],
     ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+    ['sha384-basic', 'sha384', '', None, False, False],
+    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
 ]
 
 @pytest.mark.boardspec('sandbox')
@@ -180,10 +182,16 @@  def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
             name: Name of of the key (e.g. 'dev')
         """
         public_exponent = 65537
+
+        if sha_algo == "sha384":
+            rsa_keygen_bits = 3072
+        else:
+            rsa_keygen_bits = 2048
+
         util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
-                     '-pkeyopt rsa_keygen_bits:2048 '
+                     '-pkeyopt rsa_keygen_bits:%d '
                      '-pkeyopt rsa_keygen_pubexp:%d' %
-                     (tmpdir, name, public_exponent))
+                     (tmpdir, name, rsa_keygen_bits, public_exponent))
 
         # Create a certificate containing the public key
         util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
new file mode 100644
index 0000000000..2869401991
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha384.its
@@ -0,0 +1,45 @@ 
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+				sign-images = "fdt", "kernel";
+			};
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
new file mode 100644
index 0000000000..be1a9a653c
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha384.its
@@ -0,0 +1,42 @@ 
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+		};
+	};
+};
diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
index 8ed6998dab..d0133aec4c 100644
--- a/tools/image-sig-host.c
+++ b/tools/image-sig-host.c
@@ -55,6 +55,13 @@  struct crypto_algo crypto_algos[] = {
 		.add_verify_data = rsa_add_verify_data,
 		.verify = rsa_verify,
 	},
+	{
+		.name = "rsa3072",
+		.key_len = RSA3072_BYTES,
+		.sign = rsa_sign,
+		.add_verify_data = rsa_add_verify_data,
+		.verify = rsa_verify,
+	},
 	{
 		.name = "rsa4096",
 		.key_len = RSA4096_BYTES,

[v4,1/1] rsa: adds rsa3072 algorithm

Commit Message

Comments

Patch