u-boot.git/lib/rsa/Kconfig, branch next Unnamed repository; edit this file 'description' to name the repository. Merge patch series "rsa: fix dependency, rename and relocate RSASSA PSS symbols" 2025-11-11T20:53:33+00:00 Tom Rini trini@konsulko.com 2025-11-11T20:53:33+00:00 62e89de7698a637c673b08ec129941d8079a5405 Quentin Schulz <foss+uboot@0leil.net> says: While historically signature verification is mostly done for FIT such FIT_SIGNATURE dependency for signature algorithm makes sense, it isn't the only kind of file we can verify signatures of. It can also be done manually with rsa_verify_hash() with an embedded public key. Considering the impacted code is guarded by RSA_VERIFY, let's make the symbol depend on that otherwise selecting it without RSA_VERIFY won't do anything. The FIT_SIGNATURE dependency wasn't also enough before as it only implied RSA_VERIFY. Then, simply relocate the RSA SSA PSS padding with the other RSA symbols in lib/rsa instead of in boot/ and rename it to remove the mention to FIT. Finally, add the PSS padding wherever PKCS1.5 padding is specified as one or the other can be used. Link: https://lore.kernel.org/r/20251031-rsa-pss-always-v2-0-a29184ea064d@cherry.de 
Quentin Schulz <foss+uboot@0leil.net> says:

While historically signature verification is mostly done for FIT such
FIT_SIGNATURE dependency for signature algorithm makes sense, it isn't
the only kind of file we can verify signatures of. It can also be done
manually with rsa_verify_hash() with an embedded public key.

Considering the impacted code is guarded by RSA_VERIFY, let's make the
symbol depend on that otherwise selecting it without RSA_VERIFY won't do
anything. The FIT_SIGNATURE dependency wasn't also enough before as it
only implied RSA_VERIFY.

Then, simply relocate the RSA SSA PSS padding with the other RSA symbols
in lib/rsa instead of in boot/ and rename it to remove the mention to
FIT.

Finally, add the PSS padding wherever PKCS1.5 padding is specified as
one or the other can be used.

Link: https://lore.kernel.org/r/20251031-rsa-pss-always-v2-0-a29184ea064d@cherry.de
rsa: rename FIT_RSASSA_PSS to RSASSA_PSS and move symbols under lib/rsa 2025-11-11T20:53:25+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-31T17:08:23+00:00 360dd89b361dde2a0bbad65763538e1eea7d3c94 This renames FIT_RSASSA_PSS symbols to drop the FIT_ prefix to avoid potential confusion since there's nothing FIT specific to those symbols. It also isn't really related to booting, so boot/Kconfig is an odd place for them to live. Since they make sense only in relation with RSA, simply move them to lib/rsa where it makes more sense for them to reside. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This renames FIT_RSASSA_PSS symbols to drop the FIT_ prefix to avoid
potential confusion since there's nothing FIT specific to those symbols.

It also isn't really related to booting, so boot/Kconfig is an odd place
for them to live. Since they make sense only in relation with RSA,
simply move them to lib/rsa where it makes more sense for them to
reside.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
rsa: fix typo in $(PHASE_)RSA_VERIFY_WITH_PKEY help text 2025-11-06T23:32:33+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-29T11:20:27+00:00 64ba0aa9f48cd3c2bba92c1f15a9da4c21000d2e Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
spl: Ensure all SPL symbols in Kconfig have some SPL dependency 2022-07-07T13:29:08+00:00 Tom Rini trini@konsulko.com 2022-06-11T03:03:09+00:00 b340199f828e7d57945785b698ff97469972d1ca Tighten up symbol dependencies in a number of places. Ensure that a SPL specific option has at least a direct dependency on SPL. In places where it's clear that we depend on something more specific, use that dependency instead. This means in a very small number of places we can drop redundant dependencies. Reported-by: Pali Rohár <pali@kernel.org> Signed-off-by: Tom Rini <trini@konsulko.com> 
Tighten up symbol dependencies in a number of places.  Ensure that a SPL
specific option has at least a direct dependency on SPL.  In places
where it's clear that we depend on something more specific, use that
dependency instead.  This means in a very small number of places we can
drop redundant dependencies.

Reported-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
lib: rsa: allow rsa verify with pkey in SPL 2022-03-31T18:12:01+00:00 Philippe Reynes philippe.reynes@softathome.com 2022-03-28T20:56:58+00:00 f6bacf1d489090c8fca1d442cedd8902d8f5acec This commit adds the option SPL_RSA_VERIFY_WITH_PKEY. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> 
This commit adds the option SPL_RSA_VERIFY_WITH_PKEY.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
crypto: aspeed: Add AST2600 ACRY support 2021-11-17T22:05:00+00:00 Chia-Wei Wang chiawei_wang@aspeedtech.com 2021-10-27T06:17:30+00:00 89c36cca0b697d80a6ed063b945d66cc59a761a8 ACRY is designed to accelerate ECC/RSA digital signature generation and verification. Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com> 
ACRY is designed to accelerate ECC/RSA digital signature
generation and verification.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Kconfig: Don't use RSA_FREESCALE_EXP on MX7ULP 2021-10-07T14:53:50+00:00 Ricardo Salveti ricardo@foundries.io 2021-08-28T07:41:22+00:00 7ce83854f2af53dfdd2ca2cdaab98933c6eaf56b The CAAM on IMX7ULP doesn't support public key hardware acceleration (PKHA), as in other NXP parts. Disable RSA_FREESCALE_EXP for IMX7ULP too. Fixed: f4e9ff7135 ("Kconfig: Don't use RSA_FREESCALE_EXP on IMX") Signed-off-by: Ricardo Salveti <ricardo@foundries.io> Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io> 
The CAAM on IMX7ULP doesn't support public key hardware acceleration
(PKHA), as in other NXP parts. Disable RSA_FREESCALE_EXP for IMX7ULP
too.

Fixed: f4e9ff7135 ("Kconfig: Don't use RSA_FREESCALE_EXP on IMX")
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
lib: rsa: fix dependency for SPL_RSA_VERIFY 2021-10-06T13:15:14+00:00 Oleksandr Suvorov oleksandr.suvorov@foundries.io 2021-09-16T12:03:36+00:00 d4f05b3198b68bc6e2c42b8d7e53d36a2fc9d52c SPL_RSA_VERIFY requires SPL_RSA to be enabled. Add correct dependency. Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io> 
SPL_RSA_VERIFY requires SPL_RSA to be enabled. Add correct
dependency.

Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
lib: rsa: generate additional parameters for public key 2020-03-12T12:20:39+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-02-21T06:12:58+00:00 e0d310b098b1e3dd2ad4e0e4efbbb81b90ae4bc7 In the current implementation of FIT_SIGNATURE, five parameters for a RSA public key are required while only two of them are essential. (See rsa-mod-exp.h and uImage.FIT/signature.txt) This is a result of considering relatively limited computer power and resources on embedded systems, while such a assumption may not be quite practical for other use cases. In this patch, added is a function, rsa_gen_key_prop(), which will generate additional parameters for other uses, in particular UEFI secure boot, on the fly. Note: the current code uses some "big number" routines from BearSSL for the calculation. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In the current implementation of FIT_SIGNATURE, five parameters for
a RSA public key are required while only two of them are essential.
(See rsa-mod-exp.h and uImage.FIT/signature.txt)
This is a result of considering relatively limited computer power
and resources on embedded systems, while such a assumption may not
be quite practical for other use cases.

In this patch, added is a function, rsa_gen_key_prop(), which will
generate additional parameters for other uses, in particular
UEFI secure boot, on the fly.

Note: the current code uses some "big number" routines from BearSSL
for the calculation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config 2020-03-12T12:20:39+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-02-21T06:12:56+00:00 dd89f5b0fde7f23afffc69f92eedc7f7c5caef36 In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY, rsa_verify() will be extended to be able to perform RSA decryption without additional RSA key properties from FIT image, i.e. rr and n0inv. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> 
In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>