mbox series

[v6,00/11] Add support for ECDSA image signing

Message ID 20210219184520.616270-1-mr.nuke.me@gmail.com
Headers show
Series Add support for ECDSA image signing | expand


Alex G. Feb. 19, 2021, 6:45 p.m. UTC
## Purpose and intent

The purpose of this series is to enable ECDSA as an alternative to RSA
for FIT signing. As new chips have built-in support for ECDSA verified
boot, it makes sense to stick to one signing algorithm, instead of
resorting to RSA for u-boot images.

The focus of this series is signing an existing FIT image:

	mkimage -F some-existing.fit -G some/key.pem

Signing while assembling a FIT is not a tested use case.
This concatenates two series:

  * Add support for ECDSA image signing (with test)
  * mkimage: Add a 'keyfile' argument for image signing

# Testing

test/py/tests/test_fit_ecdsa.py is implemented withe the goal to check
that the signing is done correctly, and that the signature is encoded
in the proper raw format. Verification is done with pyCryptodomex, so
this test will catch both coding errors and openssl bugs. This is the
only scope of testing proposed here.

Changes since v5:
 - Include "mkimage: Add a 'keyfile' argument for image signing" series
 - Update python test to use 'keyfile' (-G) mkinage argument
 - document which strings can be null in image.h
 - Fix typo in python test (invokations -> invocations)

Changes since v4:
 - Fixed tools/ build issue with # FIT_SIGNATURE is not selected

Changes since v3:
 - Don't use 'log_msg_ret()', as it's not available host-side

Changes since v1 and v2:
 - Added lots of function comments
 - Replaced hardcoded error numbers with more meaningful errno numbers
 - Changed some error paths to use 'return log_msg_ret'

Alexandru Gagniuc (11):
  lib: Rename rsa-checksum.c to hash-checksum.c
  lib/rsa: Make fdt_add_bignum() available outside of RSA code
  lib: Add support for ECDSA image signing
  doc: signature.txt: Document devicetree format for ECDSA keys
  test/py: Add pycryptodomex to list of required pakages
  test/py: ecdsa: Add test for mkimage ECDSA signing
  doc: signature.txt: Document the keydir and keyfile arguments
  mkimage: Add a 'keyfile' argument for image signing
  lib/rsa: Use the 'keyfile' argument from mkimage
  lib/ecdsa: Use the 'keydir' argument from mkimage if appropriate
  test/py: ecdsa: Use mkimage keyfile instead of keydir argument

 common/image-fit-sig.c                        |   2 +-
 common/image-sig.c                            |  13 +-
 doc/uImage.FIT/signature.txt                  |  20 +-
 include/image.h                               |  21 +-
 include/u-boot/ecdsa.h                        |  94 ++++++
 include/u-boot/fdt-libcrypto.h                |  27 ++
 .../{rsa-checksum.h => hash-checksum.h}       |   0
 lib/Makefile                                  |   1 +
 lib/crypto/pkcs7_verify.c                     |   2 +-
 lib/crypto/x509_public_key.c                  |   2 +-
 lib/ecdsa/ecdsa-libcrypto.c                   | 318 ++++++++++++++++++
 lib/fdt-libcrypto.c                           |  72 ++++
 lib/{rsa/rsa-checksum.c => hash-checksum.c}   |   3 +-
 lib/rsa/Makefile                              |   2 +-
 lib/rsa/rsa-sign.c                            |  99 ++----
 test/py/requirements.txt                      |   1 +
 test/py/tests/test_fit_ecdsa.py               | 111 ++++++
 tools/Makefile                                |  11 +-
 tools/fit_image.c                             |   3 +-
 tools/image-host.c                            |  58 ++--
 tools/imagetool.h                             |   1 +
 tools/mkimage.c                               |   6 +-
 22 files changed, 752 insertions(+), 115 deletions(-)
 create mode 100644 include/u-boot/ecdsa.h
 create mode 100644 include/u-boot/fdt-libcrypto.h
 rename include/u-boot/{rsa-checksum.h => hash-checksum.h} (100%)
 create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
 create mode 100644 lib/fdt-libcrypto.c
 rename lib/{rsa/rsa-checksum.c => hash-checksum.c} (96%)
 create mode 100644 test/py/tests/test_fit_ecdsa.py