| Age | Commit message (Collapse) | Author |
|---|
|
Some FIT image properties have their string represented in
include/image.h via constants. FIT_ALGO_PROP does exist and would fit the
bill so let's use it instead of using a hardcoded string.
Signed-off-by: Quentin Schulz <[email protected]>
|
|
While the verification step originally only supported PKCS1.5 as padding
algorithm for the signature, it was later extended to add support for
PSS but the doxygen doc wasn't updated to reflect that so let's fix
that oversight.
Fixes: 061daa0b61f0 ("rsa: add support of padding pss")
Signed-off-by: Quentin Schulz <[email protected]>
|
|
This renames FIT_RSASSA_PSS symbols to drop the FIT_ prefix to avoid
potential confusion since there's nothing FIT specific to those symbols.
It also isn't really related to booting, so boot/Kconfig is an odd place
for them to live. Since they make sense only in relation with RSA,
simply move them to lib/rsa where it makes more sense for them to
reside.
Signed-off-by: Quentin Schulz <[email protected]>
|
|
The symbol TOOLS_IMAGE_PRE_LOAD doesn't depend on TOOLS_LIBCRYPTO.
If we choose to build tools without openssl, rsa_verify_openssl()
will attempt to call the unavailable openssl library functions.
Fixes: 942c8c8e6697 ("rsa: Add rsa_verify_openssl() to use openssl for host builds")
Signed-off-by: Shiji Yang <[email protected]>
|
|
- Check return value of fdt_getprop for NULL.
- Return -EFAULT if 'algo' property is missing.
- Prevent NULL pointer dereference in strcmp."
Triggers found by static analyzer Svace.
Signed-off-by: Anton Moryakov <[email protected]>
|
|
rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data
when building host tools.
Signed-off-by: Paul HENRYS <[email protected]>
|
|
Add missing line breaks to improve debug log readability.
Signed-off-by: Maxim Moskalets <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
After some header file cleanups to add missing include files, remove
common.h from all files in the lib directory. This primarily means just
dropping the line but in a few cases we need to add in other header
files now.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
In general terms, we -include include/linux/kconfig.h and so normal
U-Boot code does not need to also #include it. However, for code which
is shared with userspace we may need to add it so that either our full
config is available or so that macros such as CONFIG_IS_ENABLED() can be
evaluated. In this case make sure that we guard these includes with a
test for USE_HOSTCC so that it clear as to why we're doing this.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
While we do not want to use CONFIG_RSA_VERIFY_WITH_PKEY on the host, we
cannot undef the symbol in this manner. As this ends up being a test
within another function we can use !tools_build() as a test here.
Cc: AKASHI Takahiro <[email protected]>
Cc: Simon Glass <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Check the that the hash length is shorter than the message length. This
avoids:
./tools/../lib/rsa/rsa-verify.c:275:11: warning:
‘*db’ may be used uninitialized [-Wmaybe-uninitialized]
275 | db[0] &= 0xff >> leftmost_bits;
Fixes: 061daa0b61f0 ("rsa: add support of padding pss")
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Modify function to support any salt length instead of max
length only. Function now detects salt length by parsing
the content of db buffer. Note that it works with (but is
not limited to) zero-length, digest-length and max-length
Signed-off-by: SESA644425 <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Prior to introduction of modifications in rsassa_pss functions
related to padding verification, doing a pass to reduce memory
consumption of function by replacing memory copies of parts of
const buffer by pointers to the original buffer (masked_db and
h are subparts of msg buffer which is declared const, salt is a
subpart of db which is a working buffer, unmodified after being
filled). New pointers scope is limited to the function where
they are declared (not returned to caller by any mean), zeroing
risk of memory fault related to the change.
Signed-off-by: SESA644425 <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Prior to introduction of modifications in rsassa_pss functions
related to padding verification, doing a pass to update
const-correctness in targeted functions to comply with
coding-rules and avoid const-cast
Signed-off-by: SESA644425 <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.
Add test case in vboot for sha384 with rsa3072 algorithm testing.
Signed-off-by: Jamin Lin <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add some more debugging to make it easier to see what is being tried and
what fails. Fix a few comment styles while here.
Signed-off-by: Simon Glass <[email protected]>
|
|
Sphinx expects Return: and not @return to indicate a return value.
find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
This commit adds a check on the padding in the function rsa_verify_key
to avoid using a NULL pointer.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add a host Kconfig for FIT_RSASSA_PSS. With this we can use
CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the
forcing of this in the image.h header.
Drop the #ifdef around padding_pss_verify() too since it is not needed.
Use the compiler to check the config where possible, instead of the
preprocessor.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Alexandru Gagniuc <[email protected]>
|
|
We are not guaranteed to have the padding_pkcs_15_verify symbol since
commit 92c960bc1d ("lib: rsa: Remove #ifdefs from rsa.h"), and
commit 61416fe9df ("Kconfig: FIT_SIGNATURE should not select RSA_VERIFY")
The padding_algos only make sense with RSA verification, which can now
be disabled in lieu of ECDSA. In fact this will lead to build failures
because of the missing symbol mentioned earlier.
To resolve this, move the padding_algos to a linker list, with
declarations moved to rsa_verify.c. This is consistent with commit
6909edb4ce ("image: rsa: Move verification algorithm to a linker list")
One could argue that the added #ifdef USE_HOSTCC is ugly, and should
be hidden within the U_BOOT_PADDING_ALGO() macro. However, this would
be inconsistent with the "cryptos" list. This logic for was not
previously explored:
Without knowledge of the U_BOOT_PADDING_ALGO() macro, its use is
similar to something being declared. However, should #ifndef
USE_HOSTCC be part of the macro, it would not be obvious that it
behaves differently on host code and target code. Having the #ifndef
outside the macro makes this obvious.
Also, the #ifdef is not always necessary. For example ecda-verify
makes use of U_BOOT_CRYPTO_ALGO() without any accompanying #ifdefs.
The fundamental issue is a lack of separation of host and target code
in rsa_verify. Therefore, the declaration of a padding algo with the
external #ifdef is more readable and consistent.
Signed-off-by: Alexandru Gagniuc <[email protected]>
|
|
Signed-off-by: Thomas Perrot <[email protected]>
|
|
Move the RSA verification crytpo_algo structure out of the
crypto_algos array, and into a linker list.
Although it appears we are adding an #ifdef to rsa-verify.c, the gains
outweigh this small inconvenience. This is because rsa_verify() is
defined differently based on #ifdefs. This change allows us to have
a single definition of rsa_verify().
Signed-off-by: Alexandru Gagniuc <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Drop the ENABLE and SUPPORT parts of this, which are redundant.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Alexandru Gagniuc <[email protected]>
Signed-off-by: Alexandru Gagniuc <[email protected]>
|
|
Currently we fail silently if there is an algorithm mismatch. To help
distinguish this failure condition.
Signed-off-by: Sean Anderson <[email protected]>
|
|
In the function rsa_verify_hash, if the "main" key doesn't
work, u-boot try others keys. But it searches those keys
in the FIT image instead of the u-boot device tree.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Remove initialization of ret with unused value.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The algo name should match between the FIT's signature node and the
U-Boot's control FDT.
If we do not check it, U-Boot's control FDT can expect sha512 hash but
nothing will prevent to accept image with sha1 hash if the signature is correct.
Signed-off-by: Matthieu CASTET <[email protected]>
|
|
This function will be used to implement public_key_verify_signature()
in a later patch. rsa_verify() is not suitable here because calculation
of message digest is not necessary.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
rsa_verify() expects a memory region and wants to do the hashing itself,
but there may be cases where the hashing is done via other means,
like hashing a squashfs rootfs.
So add rsa_verify_hash() to allow verifiying a signature against
an existing hash. As this entails the same verification routines
we can just move the relevant code over from rsa_verify() and also
call rsa_verify_hash() from there.
Signed-off-by: Heiko Stuebner <[email protected]>
|
|
padding_pss_verify only works with the default pss salt setting of -2
(length to be automatically determined based on the PSS block structure)
not -1 (salt length set to the maximum permissible value), which makes
verifications of signatures with that saltlen fail.
Until this gets implemented at least document this behaviour.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Right now in multiple places there are only checks for the full
CONFIG_RSA_VERIFY_WITH_PKEY option, not split into main,spl,tpl variants.
This breaks when the rsa functions get enabled for SPL, for example to
verify u-boot proper from spl.
So fix this by using the existing helpers to distinguis between
build-steps.
Signed-off-by: Heiko Stuebner <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Move this header out of the common header.
Signed-off-by: Simon Glass <[email protected]>
|
|
Better than crashing later if it is missing.
Signed-off-by: Jan Kiszka <[email protected]>
|
|
This function, and hence rsa_verify(), will perform RSA verification
with two essential parameters for a RSA public key in contract of
rsa_verify_with_keynode(), which requires additional three parameters
stored in FIT image.
It will be used in implementing UEFI secure boot, i.e. image authentication
and variable authentication.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.
Signed-off-by: AKASHI Takahiro <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.
Move the compatibility features into a separate header file.
Signed-off-by: Simon Glass <[email protected]>
|
|
Currently, if image verification with a required key fails, rsa_verify()
code tries to find another key to verify the FIT image. This however, is
not the intended behavior as the documentation says that required keys
"must be verified for the image / configuration to be considered valid".
This patch fixes the issue by making rsa_verify() return immediately if
the verification of a required key fails.
Signed-off-by: Daniele Alessandrelli <[email protected]>
|
|
The pointer checksum were used before checking that it
isn't NULL. We move the code that use it after the check.
Reported-by: Coverity (CID: 185835)
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <[email protected]>
|
|
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.
Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.
Indirectly adds support for "sha1,rsa4096" signing/verification.
Signed-off-by: Andrew Duda <[email protected]>
Signed-off-by: aduda <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.
Signed-off-by: Andrew Duda <[email protected]>
Signed-off-by: aduda <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Padding verification was done against static SHA/RSA pair arrays which
take up a lot of static memory, are mostly 0xff, and cannot be reused
for additional SHA/RSA pairings. The padding can be easily computed
according to PKCS#1v2.1 as:
EM = 0x00 || 0x01 || PS || 0x00 || T
where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding
of the hash.
Store DER prefix in checksum_algo and create rsa_verify_padding
function to handle verification of a message for any SHA/RSA pairing.
Signed-off-by: Andrew Duda <[email protected]>
Signed-off-by: aduda <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
checksum_algo's pad_len field isn't actually used to store the length of
the padding but the total length of the RSA key (msg_len + pad_len)
Signed-off-by: Andrew Duda <[email protected]>
Signed-off-by: aduda <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Now, arch/${ARCH}/include/asm/errno.h and include/linux/errno.h have
the same content. (both just wrap <asm-generic/errno.h>)
Replace all include directives for <asm/errno.h> with <linux/errno.h>.
Signed-off-by: Masahiro Yamada <[email protected]>
[trini: Fixup include/clk.]
Signed-off-by: Tom Rini <[email protected]>
|
|
Currently the hash functions used in RSA are called directly from the sha1
and sha256 libraries. Change the RSA checksum library to use the progressive
hash API's registered with struct hash_algo. This will allow the checksum
library to use the hardware accelerated progressive hash API's once available.
Signed-off-by: Ruchika Gupta <[email protected]>
CC: Simon Glass <[email protected]>
Acked-by: Simon Glass <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
(Fixed build error in am335x_boneblack_vboot due to duplicate CONFIG_DM)
Change-Id: Ic44279432f88d4e8594c6e94feb1cfcae2443a54
|
|
Modify rsa_verify to use the rsa driver of DM library .The tools
will continue to use the same RSA sw library.
CONFIG_RSA is now dependent on CONFIG_DM. All configurations which
enable FIT based signatures have been modified to enable CONFIG_DM
by default.
Signed-off-by: Ruchika Gupta <[email protected]>
CC: Simon Glass <[email protected]>
Acked-by: Simon Glass <[email protected]>
|
|
Public exponentiation which is required in rsa verify functionality is
tightly integrated with verification code in rsa_verify.c. The patch
splits the file into twp separating the modular exponentiation.
1. rsa-verify.c
- The file parses device tree keys node to fill a keyprop structure.
The keyprop structure can then be converted to implementation specific
format.
(struct rsa_pub_key for sw implementation)
- The parsed device tree node is then passed to a generic rsa_mod_exp
function.
2. rsa-mod-exp.c
Move the software specific functions related to modular exponentiation
from rsa-verify.c to this file.
Signed-off-by: Ruchika Gupta <[email protected]>
CC: Simon Glass <[email protected]>
Acked-by: Simon Glass <[email protected]>
|
|
1. Failure to set the return code correctly
2. Failure to detect the loop end condition when the value is equal to
the modulus.
Reported-by: Jeroen Hofstee <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
