u-boot.git/lib/rsa, branch v2025.01 Unnamed repository; edit this file 'description' to name the repository. lib: rsa: Set conventional salt length RSA-PSS parameter 2024-11-15T00:14:05+00:00 Loic Poulain loic.poulain@linaro.org 2024-10-31T09:15:31+00:00 1b99c15d73c10a7f5953e7cd69264754f5f604ba RFC 3447 says that Typical salt length are either 0 or the length of the output of the digest algorithm, RFC 4055 also recommends hash value length as the salt length. Moreover, By convention, most of the signing infrastructures/libraries use the length of the digest algorithm (such as google cloud kms: https://cloud.google.com/kms/docs/algorithms). If the salt-length parameter is not set, openssl default to the maximum allowed value, which is a openssl 'specificity', so this works well for local signing, but restricts compatibility with other engines (e.g pkcs11/libkmsp11): ``` returning 0x71 from C_SignInit due to status INVALID_ARGUMENT: at rsassa_pss.cc:53: expected salt length for key XX is 32, but 478 was supplied in the parameters Could not obtain signature: error:41000070:PKCS#11 module::Mechanism invalid ``` To improve compatibility, we set the default RSA-PSS salt-length value to the conventional one. A further improvement could consist in making it configurable as signature FIT node attribute. rfc3447: https://datatracker.ietf.org/doc/html/rfc3447 rfc4055: https://datatracker.ietf.org/doc/html/rfc4055 Signed-off-by: Loic Poulain <loic.poulain@linaro.org> 
RFC 3447 says that Typical salt length are either 0 or the length
of the output of the digest algorithm, RFC 4055 also recommends
hash value length as the salt length. Moreover, By convention,
most of the signing infrastructures/libraries use the length of
the digest algorithm (such as google cloud kms:
                      https://cloud.google.com/kms/docs/algorithms).

If the salt-length parameter is not set, openssl default to the
maximum allowed value, which is a openssl 'specificity', so this
works well for local signing, but restricts compatibility with
other engines (e.g pkcs11/libkmsp11):

```
returning 0x71 from C_SignInit due to status INVALID_ARGUMENT:
    at rsassa_pss.cc:53: expected salt length for key XX is 32,
    but 478 was supplied in the parameters
Could not obtain signature: error:41000070:PKCS#11 module::Mechanism invalid
```

To improve compatibility, we set the default RSA-PSS salt-length
value to the conventional one. A further improvement could consist
in making it configurable as signature FIT node attribute.

rfc3447: https://datatracker.ietf.org/doc/html/rfc3447
rfc4055: https://datatracker.ietf.org/doc/html/rfc4055

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
global: Rename SPL_TPL_ to PHASE_ 2024-10-11T17:44:48+00:00 Simon Glass sjg@chromium.org 2024-09-30T01:49:54+00:00 5c10c8badf8233cac1593cd2bef4d0379ac9e5bd Use PHASE_ as the symbol to select a particular XPL build. This means that SPL_TPL_ is no-longer set. Update the comment in bootstage to refer to this symbol, instead of SPL_ Signed-off-by: Simon Glass <sjg@chromium.org> 
Use PHASE_ as the symbol to select a particular XPL build. This means
that SPL_TPL_ is no-longer set.

Update the comment in bootstage to refer to this symbol, instead of
SPL_

Signed-off-by: Simon Glass <sjg@chromium.org>
lib: add missing line breaks in debug messages 2024-04-10T15:34:53+00:00 Maxim Moskalets maximmosk4@gmail.com 2024-03-30T11:11:21+00:00 0ceb1f4cb7e4cab060da29215773d12dca1332ec Add missing line breaks to improve debug log readability. Signed-off-by: Maxim Moskalets <maximmosk4@gmail.com> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
Add missing line breaks to improve debug log readability.

Signed-off-by: Maxim Moskalets <maximmosk4@gmail.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib: rsa: Allow legacy URI specification without "pkcs11:" 2024-01-18T22:50:27+00:00 Csókás Bence csokas.bence@prolan.hu 2024-01-05T14:08:04+00:00 f055d6e8f0d63a80d72ab5b092a26bedc652ac3b But emit a warning for it. Then we can remove support when everyone had time to update their scripts, docs, CI etc. Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512 Signed-off-by: Csókás Bence <csokas.bence@prolan.hu> 
But emit a warning for it. Then we can remove support when
everyone had time to update their scripts, docs, CI etc.

Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512

Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
lib: rsa: Fix PKCS11 URI if one is not given in `keydir` 2024-01-18T22:50:27+00:00 Csókás Bence csokas.bence@prolan.hu 2024-01-05T14:08:03+00:00 11ad2bbfa2d83501a3d7b9fdbd567f55214fde0d If `keydir` is not present, we need to build a PKCS11 URI from just the key name. In this case, we *do* need 'pkcs11:' Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512 Signed-off-by: Csókás Bence <csokas.bence@prolan.hu> 
If `keydir` is not present, we need to build a PKCS11 URI
from just the key name. In this case, we *do* need 'pkcs11:'

Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512

Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
lib: rsa: Print detailed error info in rsa_engine_init() on engine resolution failure 2023-12-21T16:59:49+00:00 Csókás Bence csokas.bence@prolan.hu 2023-12-14T16:54:17+00:00 fa78301a986f4c7daf31bac2ba0e9216e76acd31 Signed-off-by: Csókás Bence <csokas.bence@prolan.hu> Reviewed-by: Tom Rini <trini@konsulko.com> 
Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
Reviewed-by: Tom Rini <trini@konsulko.com>
lib: Remove <common.h> inclusion from these files 2023-12-21T13:54:37+00:00 Tom Rini trini@konsulko.com 2023-12-14T18:16:58+00:00 467382ca03758e4f3f13107e3a83669e93a7461e After some header file cleanups to add missing include files, remove common.h from all files in the lib directory. This primarily means just dropping the line but in a few cases we need to add in other header files now. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Tom Rini <trini@konsulko.com> 
After some header file cleanups to add missing include files, remove
common.h from all files in the lib directory. This primarily means just
dropping the line but in a few cases we need to add in other header
files now.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
global: Restrict use of '#include <linux/kconfig.h>' 2023-12-21T13:54:05+00:00 Tom Rini trini@konsulko.com 2023-12-14T12:16:54+00:00 b106961c2e4e7f339485a401ebb06c936fc432ee In general terms, we -include include/linux/kconfig.h and so normal U-Boot code does not need to also #include it. However, for code which is shared with userspace we may need to add it so that either our full config is available or so that macros such as CONFIG_IS_ENABLED() can be evaluated. In this case make sure that we guard these includes with a test for USE_HOSTCC so that it clear as to why we're doing this. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Tom Rini <trini@konsulko.com> 
In general terms, we -include include/linux/kconfig.h and so normal
U-Boot code does not need to also #include it. However, for code which
is shared with userspace we may need to add it so that either our full
config is available or so that macros such as CONFIG_IS_ENABLED() can be
evaluated. In this case make sure that we guard these includes with a
test for USE_HOSTCC so that it clear as to why we're doing this.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
rsa: use pkcs11 uri as defined in rfc7512 2023-12-20T14:48:17+00:00 Ayoub Zaki ayoub.zaki@embetrix.com 2023-08-26T11:53:29+00:00 ece85cc0202717ee8eaf5acb0772c0912b7f8e9d pkcs11 : change engine uri to use full pk11-URI as defined in: https://www.rfc-editor.org/rfc/rfc7512.html Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com> 
pkcs11 : change engine uri to use full pk11-URI as defined in:

https://www.rfc-editor.org/rfc/rfc7512.html
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
lib: rsa: cosmetic: fix building warning 2023-01-11T16:54:50+00:00 Haijun Qin qinhaijun@eswincomputing.com 2022-12-06T07:41:37+00:00 dd02c667906d89ff46b79898de12ae8db9aceb6f add initialization of variable 'node',this can aviod the building warning: 'node' may be used uninitialized [-Wmaybe-uninitialized] Signed-off-by: Haijun Qin <qinhaijun@eswincomputing.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
add initialization of variable 'node',this can aviod the building
warning:

    'node' may be used uninitialized [-Wmaybe-uninitialized]

Signed-off-by: Haijun Qin <qinhaijun@eswincomputing.com>
Reviewed-by: Simon Glass <sjg@chromium.org>