Message ID | 20191113004730.30139-4-takahiro.akashi@linaro.org |
---|---|
State | Superseded |
Delegated to: | Tom Rini |
Headers | show |
Series | rsa: extend rsa_verify() for UEFI secure boot | expand |
Hi Takahiro, On Tue, 12 Nov 2019 at 16:47, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote: > > For FIT verification, all the properties of a public key come from > "control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other > hand, a public key is located and retrieved from dedicated signature > database stored as UEFI variables. > > Added two fields may hold values of a public key if fdt_blob is NULL, and > will be used in rsa_verify_with_pkey() to verify a signature in UEFI > sub-system. > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > --- > include/image.h | 10 ++++++++++ > 1 file changed, 10 insertions(+) > Reviewed-by: Simon Glass <sjg@chromium.org> > diff --git a/include/image.h b/include/image.h > index 7eb0b4b53184..bff87f51f01b 100644 > --- a/include/image.h > +++ b/include/image.h > @@ -1142,6 +1142,16 @@ struct image_sign_info { > int required_keynode; /* Node offset of key to use: -1=any */ > const char *require_keys; /* Value for 'required' property */ > const char *engine_id; /* Engine to use for signing */ > + /* > + * Note: the following two fields > + * are always valid even w/o > + * RSA_VERIFY_WITH_PKEY in order > + * to make sure this structure is > + * the same on target and host. > + * Otherwise, vboot test may fail. > + */ Can you please align this comment to one tab in (to line up with 'const' above)? > + const void *key; /* Pointer to public key in DER */ > + int keylen; /* Length of public key */ > }; > > /* A part of an image, used for hashing */ > -- > 2.21.0 > Regards, Simon
Simon, Thank you for your review. On Tue, Nov 19, 2019 at 06:59:54PM -0800, Simon Glass wrote: > Hi Takahiro, > > On Tue, 12 Nov 2019 at 16:47, AKASHI Takahiro > <takahiro.akashi@linaro.org> wrote: > > > > For FIT verification, all the properties of a public key come from > > "control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other > > hand, a public key is located and retrieved from dedicated signature > > database stored as UEFI variables. > > > > Added two fields may hold values of a public key if fdt_blob is NULL, and > > will be used in rsa_verify_with_pkey() to verify a signature in UEFI > > sub-system. > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > --- > > include/image.h | 10 ++++++++++ > > 1 file changed, 10 insertions(+) > > > > Reviewed-by: Simon Glass <sjg@chromium.org> > > > diff --git a/include/image.h b/include/image.h > > index 7eb0b4b53184..bff87f51f01b 100644 > > --- a/include/image.h > > +++ b/include/image.h > > @@ -1142,6 +1142,16 @@ struct image_sign_info { > > int required_keynode; /* Node offset of key to use: -1=any */ > > const char *require_keys; /* Value for 'required' property */ > > const char *engine_id; /* Engine to use for signing */ > > + /* > > + * Note: the following two fields > > + * are always valid even w/o > > + * RSA_VERIFY_WITH_PKEY in order > > + * to make sure this structure is > > + * the same on target and host. > > + * Otherwise, vboot test may fail. > > + */ > > Can you please align this comment to one tab in (to line up with 'const' above)? Sure. -Takahiro Akashi > > + const void *key; /* Pointer to public key in DER */ > > + int keylen; /* Length of public key */ > > }; > > > > /* A part of an image, used for hashing */ > > -- > > 2.21.0 > > > > Regards, > Simon
diff --git a/include/image.h b/include/image.h index 7eb0b4b53184..bff87f51f01b 100644 --- a/include/image.h +++ b/include/image.h @@ -1142,6 +1142,16 @@ struct image_sign_info { int required_keynode; /* Node offset of key to use: -1=any */ const char *require_keys; /* Value for 'required' property */ const char *engine_id; /* Engine to use for signing */ + /* + * Note: the following two fields + * are always valid even w/o + * RSA_VERIFY_WITH_PKEY in order + * to make sure this structure is + * the same on target and host. + * Otherwise, vboot test may fail. + */ + const void *key; /* Pointer to public key in DER */ + int keylen; /* Length of public key */ }; /* A part of an image, used for hashing */
For FIT verification, all the properties of a public key come from "control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other hand, a public key is located and retrieved from dedicated signature database stored as UEFI variables. Added two fields may hold values of a public key if fdt_blob is NULL, and will be used in rsa_verify_with_pkey() to verify a signature in UEFI sub-system. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- include/image.h | 10 ++++++++++ 1 file changed, 10 insertions(+)