From patchwork Tue Mar 16 00:24:28 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexandru Gagniuc <mr.nuke.me@gmail.com>
X-Patchwork-Id: 1453636
X-Patchwork-Delegate: patrice.chotard@st.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20161025 header.b=Js4EQiNk;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4DzvFQ5nwtz9s1l
	for <incoming@patchwork.ozlabs.org>; Tue, 16 Mar 2021 11:25:14 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 82E3A825BF;
	Tue, 16 Mar 2021 01:24:55 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.b="Js4EQiNk";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id EF98582654; Tue, 16 Mar 2021 01:24:46 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,SPF_HELO_NONE autolearn=ham
 autolearn_force=no version=3.4.2
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com
 [IPv6:2607:f8b0:4864:20::230])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id C149A80A51
 for <u-boot@lists.denx.de>; Tue, 16 Mar 2021 01:24:37 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=mr.nuke.me@gmail.com
Received: by mail-oi1-x230.google.com with SMTP id u198so31409478oia.4
 for <u-boot@lists.denx.de>; Mon, 15 Mar 2021 17:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=4BkfunOdHwQCC8k1cEvRxSiQYclNVzMH2U0QOMRs5F4=;
 b=Js4EQiNkTX9A913CkHCwlJiQX5OW6q8iACNGx4IBsWg/ciMMysKUMEdh9v16MelI0t
 D/cOgIYzkM71ByiMNrrNsuLOIfU6iJpjHSeOlunuYHk2wN6llCa8zjLOUOqAnr3qSrx1
 E2VBLzGLwVHvFxjSWmfW9qjlgNBGsGIepD4hu2u45h8I78ysWPiUQWgmkF73TcEODV85
 TIS/VomSExJlodhbPzPjZSnEUU+8VMCVi1eL/ZBuCCw6Gf+UBHy5OMM8TP0s0tK5jFYy
 KCDSL7jtvE5/vsaYJreMNQEVynhNCtO4MUixHFTBQ54jY+5BBxjhtDhbCNT7K+U4wMM6
 26yQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=4BkfunOdHwQCC8k1cEvRxSiQYclNVzMH2U0QOMRs5F4=;
 b=oF3u7IgbB5wL6l8ojMmfrH++LaEdEbuRHpmMo844lT2DL4CX5nTpYj5fqSJhpvFZ6g
 kMtACZOggLNmdp2HadC9som8S+T/i2uXwJJw6/ijlGjQbecQjo/Gxcf/L08IAXyzeiKR
 HZFHXEnCIPW+M9+gtgWprS6M3le4pISO/REWgTK4fDnrROgoLAoG36pPN4yie0waWelF
 9i5wl7zZjnTKlZa7UdaH2AKFi6Wonyl6x/JaBunS3EmSBUsB7wI/iG2rBpfNboAHE0kJ
 ptXis1F+mz8Ciww6kM2up/Oie3nTlu0GjIaZToe9Bq1Sfpjqp+u2PFgae7Iw4ThJ2Rcr
 iuQg==
X-Gm-Message-State: AOAM531e+XIU9z1+u8DVD40ZFDscHFWCy8nAL43AsL+FEynwLjCzuhZl
 lIg01NS2swfY3KKyXajJXOOR+WTzMV4=
X-Google-Smtp-Source: 
 ABdhPJx7P9kBNlccXAceQ0t4XW7Zk5wBtd/kGtq5PPXGB5RyL5B9ogOWoSfUASDUh4OmxAnRGx5Wng==
X-Received: by 2002:aca:1e16:: with SMTP id m22mr1274418oic.153.1615854276087;
 Mon, 15 Mar 2021 17:24:36 -0700 (PDT)
Received: from nuclearis2-1.lan (c-98-195-139-126.hsd1.tx.comcast.net.
 [98.195.139.126])
 by smtp.gmail.com with ESMTPSA id i11sm7106690otp.76.2021.03.15.17.24.35
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 15 Mar 2021 17:24:35 -0700 (PDT)
From: Alexandru Gagniuc <mr.nuke.me@gmail.com>
To: u-boot@lists.denx.de
Cc: Alexandru Gagniuc <mr.nuke.me@gmail.com>, trini@konsulko.com,
 sjg@chromium.org
Subject: [PATCH v2 2/6] lib: ecdsa: Add skeleton to implement ecdsa
 verification in u-boot
Date: Mon, 15 Mar 2021 19:24:28 -0500
Message-Id: <20210316002432.2581891-3-mr.nuke.me@gmail.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210316002432.2581891-1-mr.nuke.me@gmail.com>
References: <20210316002432.2581891-1-mr.nuke.me@gmail.com>
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de
X-Virus-Status: Clean

Prepare the source tree for accepting implementations of the ECDSA
algorithm. This patch deals with the boring aspects of Makefiles and
Kconfig files.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
---
 include/image.h          | 10 +++++-----
 include/u-boot/rsa.h     |  2 +-
 lib/Kconfig              |  1 +
 lib/Makefile             |  1 +
 lib/ecdsa/Kconfig        | 23 +++++++++++++++++++++++
 lib/ecdsa/Makefile       |  1 +
 lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
 7 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 lib/ecdsa/Kconfig
 create mode 100644 lib/ecdsa/Makefile
 create mode 100644 lib/ecdsa/ecdsa-verify.c

diff --git a/include/image.h b/include/image.h
index b5bcf08e61..800d981f03 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1219,20 +1219,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 #if defined(USE_HOSTCC)
 # if defined(CONFIG_FIT_SIGNATURE)
 #  define IMAGE_ENABLE_SIGN	1
-#  define IMAGE_ENABLE_VERIFY	1
+#  define IMAGE_ENABLE_VERIFY_RSA	1
 #  define IMAGE_ENABLE_VERIFY_ECDSA	1
 #  define FIT_IMAGE_ENABLE_VERIFY	1
 #  include <openssl/evp.h>
 # else
 #  define IMAGE_ENABLE_SIGN	0
-#  define IMAGE_ENABLE_VERIFY	0
+#  define IMAGE_ENABLE_VERIFY_RSA	0
 # define IMAGE_ENABLE_VERIFY_ECDSA	0
 #  define FIT_IMAGE_ENABLE_VERIFY	0
 # endif
 #else
 # define IMAGE_ENABLE_SIGN	0
-# define IMAGE_ENABLE_VERIFY		CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA	0
+# define IMAGE_ENABLE_VERIFY_RSA	CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA	CONFIG_IS_ENABLED(ECDSA_VERIFY)
 # define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
 
@@ -1288,7 +1288,7 @@ struct image_region {
 	int size;
 };
 
-#if IMAGE_ENABLE_VERIFY
+#if FIT_IMAGE_ENABLE_VERIFY
 # include <u-boot/hash-checksum.h>
 #endif
 struct checksum_algo {
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index bed1c097c2..eb258fca4c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
 }
 #endif
 
-#if IMAGE_ENABLE_VERIFY
+#if IMAGE_ENABLE_VERIFY_RSA
 /**
  * rsa_verify_hash() - Verify a signature against a hash
  *
diff --git a/lib/Kconfig b/lib/Kconfig
index 7288340614..48895e4e4f 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -295,6 +295,7 @@ config AES
 	  supported by the algorithm but only a 128-bit key is supported at
 	  present.
 
+source lib/ecdsa/Kconfig
 source lib/rsa/Kconfig
 source lib/crypto/Kconfig
 
diff --git a/lib/Makefile b/lib/Makefile
index 1d4b7d3aad..de55914f52 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif
 
 obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
 obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/
 obj-$(CONFIG_$(SPL_)RSA) += rsa/
 obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
 obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 0000000000..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
+	bool "Enable ECDSA support"
+	depends on DM
+	help
+	  This enables the ECDSA algorithm for FIT image verification in U-Boot.
+	  See doc/uImage.FIT/signature.txt for more details.
+	  The ECDSA algorithm is implemented using the driver model. So
+	  CONFIG_DM is required by this library.
+	  ECDSA is enabled for mkimage regardless of this  option.
+
+if ECDSA
+
+config ECDSA_VERIFY
+	bool "Enable ECDSA verification support in U-Boot."
+	help
+	  Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+	bool "Enable ECDSA verification support in SPL"
+	help
+	  Allow ECDSA signatures to be recognized and verified in SPL.
+
+endif
diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
new file mode 100644
index 0000000000..771d6d3135
--- /dev/null
+++ b/lib/ecdsa/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
new file mode 100644
index 0000000000..d2e6a40f4a
--- /dev/null
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me@gmail.com>
+ */
+
+#include <u-boot/ecdsa.h>
+
+int ecdsa_verify(struct image_sign_info *info,
+		 const struct image_region region[], int region_count,
+		 uint8_t *sig, uint sig_len)
+{
+	return -EOPNOTSUPP;
+}