From: Alexandru Gagniuc
To: u-boot@lists.denx.de, sjg@chromium.org
Cc: Alexandru Gagniuc, trini@konsulko.com, marex@denx.de
Subject: [PATCH v4 0/6] Add support for ECDSA image signing (with test)
Date: Fri, 8 Jan 2021 13:17:31 -0600
Message-Id: <20210108191737.615022-1-mr.nuke.me@gmail.com>

## Purpose and intent

The purpose of this series is to enable ECDSA as an alternative to RSA
for FIT signing. As new chips have built-in support for ECDSA verified
boot, it makes sense to stick to one signing algorithm, instead of
resorting to RSA for u-boot images.

The focus of this series is signing an existing FIT image:

    mkimage -F some-existing.fit --signing-key some/key.pem

Signing while assembling a FIT is not a tested use case.

# Implementation

## Code organization

Unlike the RSA path, which mixes host and firmware code in the same
source files, this series keeps a very clear distinction.
ecdsa-libcrypto.c is intended to be used for host code and only for
host code. There is more opportunity for code reuse this way.

## Signing

There is one major difference from the RSA path. The 'key-name-hint'
property is ignored in the ECDSA path.
There are two reasons:
  (1) The intent of 'key-name-hint' is not clear
  (2) Initial implementation is much easier to review

There is an intentional side-effect. The RSA path takes 'key-name-hint'
to decide which key file to read from disk. In the context of "which
fdt node describes my signing key", this makes sense. On the other
hand, 'key-name-hint' is also used as the basename of where the key is
on the filesystem. This leads to some funny search paths, such as

    "some/dir/(null).key"

So I am using the -K option to mkimage as the _full_ path to the key
file. It doesn't have to be named .key, it doesn't have to be named
.crt, and it doesn't have to exist in a particular directory (as is
the case for the RSA path). I understand and recognize that this
discrepancy must be resolved, but resolving it right now would make
the initial implementation much harder and longer.

# Testing

test/py/tests/test_fit_ecdsa.py is implemented with the goal to check
that the signing is done correctly, and that the signature is encoded
in the proper raw format. Verification is done with pyCryptodomex, so
this test will catch both coding errors and openssl bugs. This is the
only scope of testing proposed here.

# Things not yet resolved:

 - is mkimage '-k' supposed to be a directory or file path

I'm hoping I can postpone answering this question pending further
discussion.

Changes since v3:
 - Don't use 'log_msg_ret()', as it's not available host-side

Changes since v1 and v2:
 - Added lots of function comments
 - Replaced hardcoded error numbers with more meaningful errno numbers
 - Changed some error paths to use 'return log_msg_ret'

Alexandru Gagniuc (6):
  lib: Rename rsa-checksum.c to hash-checksum.c
  lib/rsa: Make fdt_add_bignum() available outside of RSA code
  lib: Add support for ECDSA image signing
  doc: signature.txt: Document devicetree format for ECDSA keys
  test/py: Add pycryptodomex to list of required packages
  test/py: ecdsa: Add test for mkimage ECDSA signing

 common/image-fit-sig.c                        |   2 +-
 common/image-sig.c                            |  13 +-
 doc/uImage.FIT/signature.txt                  |   7 +-
 include/image.h                               |   5 +-
 include/u-boot/ecdsa.h                        |  94 ++++++
 include/u-boot/fdt-libcrypto.h                |  27 ++
 .../{rsa-checksum.h => hash-checksum.h}       |   0
 lib/Makefile                                  |   1 +
 lib/crypto/pkcs7_verify.c                     |   2 +-
 lib/crypto/x509_public_key.c                  |   2 +-
 lib/ecdsa/ecdsa-libcrypto.c                   | 306 ++++++++++++++++++
 lib/fdt-libcrypto.c                           |  72 +++++
 lib/{rsa/rsa-checksum.c => hash-checksum.c}   |   3 +-
 lib/rsa/Makefile                              |   2 +-
 lib/rsa/rsa-sign.c                            |  65 +---
 test/py/requirements.txt                      |   1 +
 test/py/tests/test_fit_ecdsa.py               | 111 +++++++
 tools/Makefile                                |   7 +-
 18 files changed, 645 insertions(+), 75 deletions(-)
 create mode 100644 include/u-boot/ecdsa.h
 create mode 100644 include/u-boot/fdt-libcrypto.h
 rename include/u-boot/{rsa-checksum.h => hash-checksum.h} (100%)
 create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
 create mode 100644 lib/fdt-libcrypto.c
 rename lib/{rsa/rsa-checksum.c => hash-checksum.c} (96%)
 create mode 100644 test/py/tests/test_fit_ecdsa.py
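
The Testing section above says the test checks that the signature is encoded in the proper raw format. The following is an added example, not code from this series or its test: a strict converter from a DER-encoded ECDSA signature to a fixed-width one, assuming "raw" means r || s with each value big-endian and zero-padded to the curve's coordinate size. The function names and the sample bytes are constructed for illustration.

```python
# Added example, not from the patch series. Assumption: "raw" means r || s,
# each big-endian and zero-padded to the curve's coordinate size.

def _read_len(buf, pos):
    """Parse a DER definite length (short form or 0x81); return (len, next)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first != 0x81 or buf[pos + 1] < 0x80:
        raise ValueError("unsupported or non-minimal DER length")
    return buf[pos + 1], pos + 2

def _read_int(buf, pos):
    """Parse one non-negative, minimally encoded DER INTEGER."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("bad INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + length

def der_to_raw(der, coord_len=32):
    """Convert SEQUENCE { INTEGER r, INTEGER s } to fixed-width r || s."""
    try:
        if der[0] != 0x30:
            raise ValueError("expected SEQUENCE")
        seq_len, start = _read_len(der, 1)
        r, pos = _read_int(der, start)
        s, pos = _read_int(der, pos)
    except IndexError:
        raise ValueError("truncated DER") from None
    if start + seq_len != len(der) or pos != len(der):
        raise ValueError("length mismatch or trailing bytes")
    if max(r, s).bit_length() > 8 * coord_len:
        raise ValueError("value too large for this coordinate size")
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")

# Constructed sample: r has its top bit set (DER adds a 0x00 pad byte),
# s is only 31 bytes long (the raw form must left-pad it with 0x00).
SAMPLE_DER = bytes.fromhex("3044" "022100" "80" + "11" * 31 + "021f" + "22" * 31)

if __name__ == "__main__":
    print(der_to_raw(SAMPLE_DER).hex())
```

The two integers in the sample exercise both ways the encodings differ in length, which is where a conversion that copies bytes at fixed offsets produces a signature that fails verification.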