u-boot.git/lib/rsa, branch v2020.10 Unnamed repository; edit this file 'description' to name the repository. rsa: crash in br_i32_decode() called from rsa_gen_key_prop() 2020-09-14T21:28:52+00:00 Robert Reither robert.reither@external.thalesgroup.com 2020-09-14T11:12:02+00:00 8479333ce7f44ff8cd9f00fbcb8ffa2a5b5763f9 Fixes problem for unaligned 32bit big-endian access in lib/rsa/rsa-keyprop.c. Exchanges br_i32_decode() with get_unaligned_be32(). This will keep the unaligned access for architectures capable and will do some byte-shift magic for the not so capable ones. Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-by: Robert Reither <robert.reither@external.thalesgroup.com> Remove unused include. Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Fixes problem for unaligned 32bit big-endian access in
lib/rsa/rsa-keyprop.c.

Exchanges br_i32_decode() with get_unaligned_be32().

This will keep the unaligned access for architectures capable and will do
some byte-shift magic for the not so capable ones.

Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-by: Robert Reither <robert.reither@external.thalesgroup.com>
Remove unused include.
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib/rsa: correct check after allocation in fdt_add_bignum() 2020-08-27T15:26:58+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-20T19:11:17+00:00 de95930946f5de3b5f43aaf4153a334d841d4f3c After allocating to pointer ctx we should check that pointer and not another pointer already checked above. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
After allocating to pointer ctx we should check that pointer and not
another pointer already checked above.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: export rsa_verify_with_pkey() 2020-07-11T21:14:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-06-16T05:26:48+00:00 491bfe86062464b892386e8c8dfe0069975ecedc This function will be used to implement public_key_verify_signature() in a later patch. rsa_verify() is not suitable here because calculation of message digest is not necessary. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
This function will be used to implement public_key_verify_signature()
in a later patch. rsa_verify() is not suitable here because calculation
of message digest is not necessary.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib: rsa: function to verify a signature against a hash 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-05-22T14:20:33+00:00 c89b41b4db4a746647c4f0e6d33c6f4edfe96e38 rsa_verify() expects a memory region and wants to do the hashing itself, but there may be cases where the hashing is done via other means, like hashing a squashfs rootfs. So add rsa_verify_hash() to allow verifiying a signature against an existing hash. As this entails the same verification routines we can just move the relevant code over from rsa_verify() and also call rsa_verify_hash() from there. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> 
rsa_verify() expects a memory region and wants to do the hashing itself,
but there may be cases where the hashing is done via other means,
like hashing a squashfs rootfs.

So add rsa_verify_hash() to allow verifiying a signature against
an existing hash. As this entails the same verification routines
we can just move the relevant code over from rsa_verify() and also
call rsa_verify_hash() from there.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
lib: rsa: add documentation to padding_pss_verify to document limitations 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-06-18T14:23:26+00:00 1a62c23ecf1f38d999f7d94d8d27fbc97483b35d padding_pss_verify only works with the default pss salt setting of -2 (length to be automatically determined based on the PSS block structure) not -1 (salt length set to the maximum permissible value), which makes verifications of signatures with that saltlen fail. Until this gets implemented at least document this behaviour. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
padding_pss_verify only works with the default pss salt setting of -2
(length to be automatically determined based on the PSS block structure)
not -1 (salt length set to the maximum permissible value), which makes
verifications of signatures with that saltlen fail.

Until this gets implemented at least document this behaviour.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: free local arrays after use in rsa_gen_key_prop() 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-06-18T14:23:25+00:00 eda753be8a33d9cadf2c41ea614069a31e314ba3 n, rr and rrtmp are used for internal calculations, but in the end the results are copied into separately allocated elements of the actual key_prop, so the n, rr and rrtmp elements are not used anymore when returning from the function and should of course be freed. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
n, rr and rrtmp are used for internal calculations, but in the end
the results are copied into separately allocated elements of the
actual key_prop, so the n, rr and rrtmp elements are not used anymore
when returning from the function and should of course be freed.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: fix allocated size for rr and rrtmp in rsa_gen_key_prop() 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-07-07T20:57:26+00:00 49d0ea3746cae267b4f3c60c0e2e73dcac3d3213 When calculating rrtmp/rr rsa_gen_key_prop() tries to make (((rlen + 31) >> 5) + 1) steps in the rr uint32_t array and (((rlen + 7) >> 3) + 1) / 4 steps in uint32_t rrtmp[] with rlen being num_bits * 2 On a 4096bit key this comes down to to 257 uint32_t elements in rr and 256 elements in rrtmp but with the current allocation rr and rrtmp only have 129 uint32_t elements. On 2048bit keys this works by chance as the defined max_rsa_size=4096 allocates a suitable number of elements, but with an actual 4096bit key this results in other memory parts getting overwritten. So as suggested by Heinrich Schuchardt just use the actual bit-size of the key as base for the size calculation, in turn making the code compatible to any future keysizes. Suggested-by: Heinrich Schuchardt <xypron.debian@gmx.de> Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> rrtmp needs 2 + (((*prop)->num_bits * 2) >> 5) array elements. Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
When calculating rrtmp/rr rsa_gen_key_prop() tries to make
(((rlen + 31) >> 5) + 1) steps in the rr uint32_t array and
(((rlen + 7) >> 3) + 1) / 4 steps in uint32_t rrtmp[]
with rlen being num_bits * 2

On a 4096bit key this comes down to to 257 uint32_t elements
in rr and 256 elements in rrtmp but with the current allocation
rr and rrtmp only have 129 uint32_t elements.

On 2048bit keys this works by chance as the defined max_rsa_size=4096
allocates a suitable number of elements, but with an actual 4096bit key
this results in other memory parts getting overwritten.

So as suggested by Heinrich Schuchardt just use the actual bit-size
of the key as base for the size calculation, in turn making the code
compatible to any future keysizes.

Suggested-by: Heinrich Schuchardt <xypron.debian@gmx.de>
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

rrtmp needs 2 + (((*prop)->num_bits * 2) >> 5) array elements.

Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib: rsa: bring exp_len in line when generating a key_prop 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-06-18T14:23:23+00:00 8434b4373058018ee5b79f06f2cafd6b7c0c15e1 The exponent field of struct key_prop gets allocated an uint64_t, and the contents are positioned from the back, so an exponent of "0x01 0x00 0x01" becomes 0x0 0x0 0x0 0x0 0x0 0x1 0x0 0x1" Right now rsa_gen_key_prop() allocates a uint64_t but sets exp_len to the size returned from the parser, while on the other hand the when getting the key from the devicetree exp_len always gets set to sizeof(uint64_t). So bring that in line with the established code. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The exponent field of struct key_prop gets allocated an uint64_t,
and the contents are positioned from the back, so an exponent of
"0x01 0x00 0x01" becomes 0x0 0x0 0x0 0x0 0x0 0x1 0x0 0x1"

Right now rsa_gen_key_prop() allocates a uint64_t but sets exp_len
to the size returned from the parser, while on the other hand the
when getting the key from the devicetree exp_len always gets set to
sizeof(uint64_t).

So bring that in line with the established code.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: take spl/non-spl into account when building rsa_verify_with_pkey() 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-06-18T14:23:22+00:00 447b1d7580868273c426feb0985e966572755bc7 Right now in multiple places there are only checks for the full CONFIG_RSA_VERIFY_WITH_PKEY option, not split into main,spl,tpl variants. This breaks when the rsa functions get enabled for SPL, for example to verify u-boot proper from spl. So fix this by using the existing helpers to distinguis between build-steps. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Right now in multiple places there are only checks for the full
CONFIG_RSA_VERIFY_WITH_PKEY option, not split into main,spl,tpl variants.

This breaks when the rsa functions get enabled for SPL, for example to
verify u-boot proper from spl.

So fix this by using the existing helpers to distinguis between
build-steps.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: rsa: distinguish between tpl and spl for CONFIG_RSA_VERIFY 2020-07-08T21:21:46+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2020-06-18T14:23:21+00:00 3075eb70c912f7f1569117da719023fb1caf6275 While the SPL may want to do signature checking this won't be the case for TPL in all cases, as TPL is mostly used when the amount of initial memory is not enough for a full SPL. So on a system where SPL uses DM but TPL does not we currently end up with a TPL compile error of: lib/rsa/rsa-verify.c:48:25: error: dereferencing pointer to incomplete type ‘struct checksum_algo’ To prevent that change the $(SPL_) to $(SPL_TPL_) to distinguish between both. If someone really needs FIT signature checking in TPL as well, a new TPL_RSA_VERIFY config symbol needs to be added. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
While the SPL may want to do signature checking this won't be
the case for TPL in all cases, as TPL is mostly used when the
amount of initial memory is not enough for a full SPL.

So on a system where SPL uses DM but TPL does not we currently
end up with a TPL compile error of:

    lib/rsa/rsa-verify.c:48:25: error: dereferencing pointer to incomplete type ‘struct checksum_algo’

To prevent that change the $(SPL_) to $(SPL_TPL_) to distinguish
between both. If someone really needs FIT signature checking in
TPL as well, a new TPL_RSA_VERIFY config symbol needs to be added.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>