diff mbox series

[U-Boot,v3,3/6] include: image.h: add key info to image_sign_info

Message ID 20191113004730.30139-4-takahiro.akashi@linaro.org
State Superseded
Delegated to: Tom Rini
Headers show
Series rsa: extend rsa_verify() for UEFI secure boot | expand

Commit Message

AKASHI Takahiro Nov. 13, 2019, 12:47 a.m. UTC
For FIT verification, all the properties of a public key come from
"control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other
hand, a public key is located and retrieved from dedicated signature
database stored as UEFI variables.

Added two fields may hold values of a public key if fdt_blob is NULL, and
will be used in rsa_verify_with_pkey() to verify a signature in UEFI
sub-system.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 include/image.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Simon Glass Nov. 20, 2019, 2:59 a.m. UTC | #1
Hi Takahiro,

On Tue, 12 Nov 2019 at 16:47, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
>
> For FIT verification, all the properties of a public key come from
> "control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other
> hand, a public key is located and retrieved from dedicated signature
> database stored as UEFI variables.
>
> Added two fields may hold values of a public key if fdt_blob is NULL, and
> will be used in rsa_verify_with_pkey() to verify a signature in UEFI
> sub-system.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  include/image.h | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

> diff --git a/include/image.h b/include/image.h
> index 7eb0b4b53184..bff87f51f01b 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -1142,6 +1142,16 @@ struct image_sign_info {
>         int required_keynode;           /* Node offset of key to use: -1=any */
>         const char *require_keys;       /* Value for 'required' property */
>         const char *engine_id;          /* Engine to use for signing */
> +                                       /*
> +                                        * Note: the following two fields
> +                                        * are always valid even w/o
> +                                        * RSA_VERIFY_WITH_PKEY in order
> +                                        * to make sure this structure is
> +                                        * the same on target and host.
> +                                        * Otherwise, vboot test may fail.
> +                                        */

Can you please align this comment to one tab in (to line up with 'const' above)?

> +       const void *key;                /* Pointer to public key in DER */
> +       int keylen;                     /* Length of public key */
>  };
>
>  /* A part of an image, used for hashing */
> --
> 2.21.0
>

Regards,
Simon
AKASHI Takahiro Nov. 20, 2019, 5:47 a.m. UTC | #2
Simon,

Thank you for your review.

On Tue, Nov 19, 2019 at 06:59:54PM -0800, Simon Glass wrote:
> Hi Takahiro,
> 
> On Tue, 12 Nov 2019 at 16:47, AKASHI Takahiro
> <takahiro.akashi@linaro.org> wrote:
> >
> > For FIT verification, all the properties of a public key come from
> > "control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other
> > hand, a public key is located and retrieved from dedicated signature
> > database stored as UEFI variables.
> >
> > Added two fields may hold values of a public key if fdt_blob is NULL, and
> > will be used in rsa_verify_with_pkey() to verify a signature in UEFI
> > sub-system.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  include/image.h | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
> 
> > diff --git a/include/image.h b/include/image.h
> > index 7eb0b4b53184..bff87f51f01b 100644
> > --- a/include/image.h
> > +++ b/include/image.h
> > @@ -1142,6 +1142,16 @@ struct image_sign_info {
> >         int required_keynode;           /* Node offset of key to use: -1=any */
> >         const char *require_keys;       /* Value for 'required' property */
> >         const char *engine_id;          /* Engine to use for signing */
> > +                                       /*
> > +                                        * Note: the following two fields
> > +                                        * are always valid even w/o
> > +                                        * RSA_VERIFY_WITH_PKEY in order
> > +                                        * to make sure this structure is
> > +                                        * the same on target and host.
> > +                                        * Otherwise, vboot test may fail.
> > +                                        */
> 
> Can you please align this comment to one tab in (to line up with 'const' above)?

Sure.

-Takahiro Akashi


> > +       const void *key;                /* Pointer to public key in DER */
> > +       int keylen;                     /* Length of public key */
> >  };
> >
> >  /* A part of an image, used for hashing */
> > --
> > 2.21.0
> >
> 
> Regards,
> Simon
diff mbox series

Patch

diff --git a/include/image.h b/include/image.h
index 7eb0b4b53184..bff87f51f01b 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1142,6 +1142,16 @@  struct image_sign_info {
 	int required_keynode;		/* Node offset of key to use: -1=any */
 	const char *require_keys;	/* Value for 'required' property */
 	const char *engine_id;		/* Engine to use for signing */
+					/*
+					 * Note: the following two fields
+					 * are always valid even w/o
+					 * RSA_VERIFY_WITH_PKEY in order
+					 * to make sure this structure is
+					 * the same on target and host.
+					 * Otherwise, vboot test may fail.
+					 */
+	const void *key;		/* Pointer to public key in DER */
+	int keylen;			/* Length of public key */
 };
 
 /* A part of an image, used for hashing */