From 20031567e12bb312bff95b70767f6275e20f0346 Mon Sep 17 00:00:00 2001 From: Philippe Reynes Date: Wed, 14 Nov 2018 13:51:00 +0100 Subject: rsa: add a structure for the padding The rsa signature use a padding algorithm. By default, we use the padding pkcs-1.5. In order to add some new padding algorithm, we add a padding framework to manage several padding algorithm. The choice of the padding is done in the file .its. Signed-off-by: Philippe Reynes Reviewed-by: Simon Glass --- common/image-fit.c | 5 +++++ common/image-sig.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) (limited to 'common') diff --git a/common/image-fit.c b/common/image-fit.c index 8d39a243f8d..ac901e131ca 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -165,6 +165,7 @@ static void fit_image_print_data(const void *fit, int noffset, const char *p, uint8_t *value; int value_len; char *algo; + const char *padding; int required; int ret, i; @@ -184,6 +185,10 @@ static void fit_image_print_data(const void *fit, int noffset, const char *p, printf(" (required)"); printf("\n"); + padding = fdt_getprop(fit, noffset, "padding", NULL); + if (padding) + printf("%s %s padding: %s\n", p, type, padding); + ret = fit_image_hash_get_value(fit, noffset, &value, &value_len); printf("%s %s value: ", p, type); diff --git a/common/image-sig.c b/common/image-sig.c index 5d860e12663..3d8281f2faa 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -71,6 +71,13 @@ struct crypto_algo crypto_algos[] = { }; +struct padding_algo padding_algos[] = { + { + .name = "pkcs-1.5", + .verify = padding_pkcs_15_verify, + }, +}; + struct checksum_algo *image_get_checksum_algo(const char *full_name) { int i; @@ -106,6 +113,21 @@ struct crypto_algo *image_get_crypto_algo(const char *full_name) return NULL; } +struct padding_algo *image_get_padding_algo(const char *name) +{ + int i; + + if (!name) + return NULL; + + for (i = 0; i < ARRAY_SIZE(padding_algos); i++) { + if (!strcmp(padding_algos[i].name, name)) + return &padding_algos[i]; + } + + return NULL; +} + /** * fit_region_make_list() - Make a list of image regions * @@ -155,6 +177,7 @@ static int fit_image_setup_verify(struct image_sign_info *info, char **err_msgp) { char *algo_name; + const char *padding_name; if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) { *err_msgp = "Total size too large"; @@ -165,6 +188,11 @@ static int fit_image_setup_verify(struct image_sign_info *info, *err_msgp = "Can't get hash algo property"; return -1; } + + padding_name = fdt_getprop(fit, noffset, "padding", NULL); + if (!padding_name) + padding_name = RSA_DEFAULT_PADDING_NAME; + memset(info, '\0', sizeof(*info)); info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL); info->fit = (void *)fit; @@ -172,6 +200,7 @@ static int fit_image_setup_verify(struct image_sign_info *info, info->name = algo_name; info->checksum = image_get_checksum_algo(algo_name); info->crypto = image_get_crypto_algo(algo_name); + info->padding = image_get_padding_algo(padding_name); info->fdt_blob = gd_fdt_blob(); info->required_keynode = required_keynode; printf("%s:%s", algo_name, info->keyname); -- cgit v1.3.1 From 061daa0b61f0fbeb214c566f3adb23da05545320 Mon Sep 17 00:00:00 2001 From: Philippe Reynes Date: Wed, 14 Nov 2018 13:51:01 +0100 Subject: rsa: add support of padding pss We add the support of the padding pss for rsa signature. This new padding is often recommended instead of pkcs-1.5. Signed-off-by: Philippe Reynes Reviewed-by: Simon Glass --- Kconfig | 8 +++ common/image-sig.c | 6 ++ include/image.h | 1 + include/u-boot/rsa.h | 15 ++++ lib/rsa/rsa-sign.c | 10 +++ lib/rsa/rsa-verify.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 230 insertions(+) (limited to 'common') diff --git a/Kconfig b/Kconfig index dca9bb4e432..31205534941 100644 --- a/Kconfig +++ b/Kconfig @@ -290,6 +290,14 @@ config FIT_SIGNATURE_MAX_SIZE device memory. Assure this size does not extend past expected storage space. +config FIT_ENABLE_RSASSA_PSS_SUPPORT + bool "Support rsassa-pss signature scheme of FIT image contents" + depends on FIT_SIGNATURE + default n + help + Enable this to support the pss padding algorithm as described + in the rfc8017 (https://tools.ietf.org/html/rfc8017). + config FIT_VERBOSE bool "Show verbose messages when FIT images fail" help diff --git a/common/image-sig.c b/common/image-sig.c index 3d8281f2faa..4f6b4ec412c 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -76,6 +76,12 @@ struct padding_algo padding_algos[] = { .name = "pkcs-1.5", .verify = padding_pkcs_15_verify, }, +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT + { + .name = "pss", + .verify = padding_pss_verify, + } +#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ }; struct checksum_algo *image_get_checksum_algo(const char *full_name) diff --git a/include/image.h b/include/image.h index e75d1763b58..83a2d412c9f 100644 --- a/include/image.h +++ b/include/image.h @@ -30,6 +30,7 @@ struct fdt_region; #define IMAGE_ENABLE_FIT 1 #define IMAGE_ENABLE_OF_LIBFDT 1 #define CONFIG_FIT_VERBOSE 1 /* enable fit_format_{error,warning}() */ +#define CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT 1 #define CONFIG_FIT_ENABLE_SHA256_SUPPORT #define CONFIG_SHA1 #define CONFIG_SHA256 diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index 16b4c4caeea..2d3024d8b71 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h @@ -101,6 +101,12 @@ int rsa_verify(struct image_sign_info *info, int padding_pkcs_15_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len); + +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +int padding_pss_verify(struct image_sign_info *info, + uint8_t *msg, int msg_len, + const uint8_t *hash, int hash_len); +#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ #else static inline int rsa_verify(struct image_sign_info *info, const struct image_region region[], int region_count, @@ -115,6 +121,15 @@ static inline int padding_pkcs_15_verify(struct image_sign_info *info, { return -ENXIO; } + +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +static inline int padding_pss_verify(struct image_sign_info *info, + uint8_t *msg, int msg_len, + const uint8_t *hash, int hash_len) +{ + return -ENXIO; +} +#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ #endif #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5" diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 6aa0e2ab5df..fb5e07b56d8 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -438,6 +438,16 @@ static int rsa_sign_with_key(RSA *rsa, struct padding_algo *padding_algo, goto err_sign; } +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT + if (padding_algo && !strcmp(padding_algo->name, "pss")) { + if (EVP_PKEY_CTX_set_rsa_padding(ckey, + RSA_PKCS1_PSS_PADDING) <= 0) { + ret = rsa_err("Signer padding setup failed"); + goto err_sign; + } + } +#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ + for (i = 0; i < region_count; i++) { if (!EVP_DigestSignUpdate(context, region[i].data, region[i].size)) { diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 279a9ba4562..9734f6d3bd6 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -80,6 +80,196 @@ int padding_pkcs_15_verify(struct image_sign_info *info, return 0; } +#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT +static void u32_i2osp(uint32_t val, uint8_t *buf) +{ + buf[0] = (uint8_t)((val >> 24) & 0xff); + buf[1] = (uint8_t)((val >> 16) & 0xff); + buf[2] = (uint8_t)((val >> 8) & 0xff); + buf[3] = (uint8_t)((val >> 0) & 0xff); +} + +/** + * mask_generation_function1() - generate an octet string + * + * Generate an octet string used to check rsa signature. + * It use an input octet string and a hash function. + * + * @checksum: A Hash function + * @seed: Specifies an input variable octet string + * @seed_len: Size of the input octet string + * @output: Specifies the output octet string + * @output_len: Size of the output octet string + * @return 0 if the octet string was correctly generated, others on error + */ +static int mask_generation_function1(struct checksum_algo *checksum, + uint8_t *seed, int seed_len, + uint8_t *output, int output_len) +{ + struct image_region region[2]; + int ret = 0, i, i_output = 0, region_count = 2; + uint32_t counter = 0; + uint8_t buf_counter[4], *tmp; + int hash_len = checksum->checksum_len; + + memset(output, 0, output_len); + + region[0].data = seed; + region[0].size = seed_len; + region[1].data = &buf_counter[0]; + region[1].size = 4; + + tmp = malloc(hash_len); + if (!tmp) { + debug("%s: can't allocate array tmp\n", __func__); + ret = -ENOMEM; + goto out; + } + + while (i_output < output_len) { + u32_i2osp(counter, &buf_counter[0]); + + ret = checksum->calculate(checksum->name, + region, region_count, + tmp); + if (ret < 0) { + debug("%s: Error in checksum calculation\n", __func__); + goto out; + } + + i = 0; + while ((i_output < output_len) && (i < hash_len)) { + output[i_output] = tmp[i]; + i_output++; + i++; + } + + counter++; + } + +out: + free(tmp); + + return ret; +} + +static int compute_hash_prime(struct checksum_algo *checksum, + uint8_t *pad, int pad_len, + uint8_t *hash, int hash_len, + uint8_t *salt, int salt_len, + uint8_t *hprime) +{ + struct image_region region[3]; + int ret, region_count = 3; + + region[0].data = pad; + region[0].size = pad_len; + region[1].data = hash; + region[1].size = hash_len; + region[2].data = salt; + region[2].size = salt_len; + + ret = checksum->calculate(checksum->name, region, region_count, hprime); + if (ret < 0) { + debug("%s: Error in checksum calculation\n", __func__); + goto out; + } + +out: + return ret; +} + +int padding_pss_verify(struct image_sign_info *info, + uint8_t *msg, int msg_len, + const uint8_t *hash, int hash_len) +{ + uint8_t *masked_db = NULL; + int masked_db_len = msg_len - hash_len - 1; + uint8_t *h = NULL, *hprime = NULL; + int h_len = hash_len; + uint8_t *db_mask = NULL; + int db_mask_len = masked_db_len; + uint8_t *db = NULL, *salt = NULL; + int db_len = masked_db_len, salt_len = msg_len - hash_len - 2; + uint8_t pad_zero[8] = { 0 }; + int ret, i, leftmost_bits = 1; + uint8_t leftmost_mask; + struct checksum_algo *checksum = info->checksum; + + /* first, allocate everything */ + masked_db = malloc(masked_db_len); + h = malloc(h_len); + db_mask = malloc(db_mask_len); + db = malloc(db_len); + salt = malloc(salt_len); + hprime = malloc(hash_len); + if (!masked_db || !h || !db_mask || !db || !salt || !hprime) { + printf("%s: can't allocate some buffer\n", __func__); + ret = -ENOMEM; + goto out; + } + + /* step 4: check if the last byte is 0xbc */ + if (msg[msg_len - 1] != 0xbc) { + printf("%s: invalid pss padding (0xbc is missing)\n", __func__); + ret = -EINVAL; + goto out; + } + + /* step 5 */ + memcpy(masked_db, msg, masked_db_len); + memcpy(h, msg + masked_db_len, h_len); + + /* step 6 */ + leftmost_mask = (0xff >> (8 - leftmost_bits)) << (8 - leftmost_bits); + if (masked_db[0] & leftmost_mask) { + printf("%s: invalid pss padding ", __func__); + printf("(leftmost bit of maskedDB not zero)\n"); + ret = -EINVAL; + goto out; + } + + /* step 7 */ + mask_generation_function1(checksum, h, h_len, db_mask, db_mask_len); + + /* step 8 */ + for (i = 0; i < db_len; i++) + db[i] = masked_db[i] ^ db_mask[i]; + + /* step 9 */ + db[0] &= 0xff >> leftmost_bits; + + /* step 10 */ + if (db[0] != 0x01) { + printf("%s: invalid pss padding ", __func__); + printf("(leftmost byte of db isn't 0x01)\n"); + ret = EINVAL; + goto out; + } + + /* step 11 */ + memcpy(salt, &db[1], salt_len); + + /* step 12 & 13 */ + compute_hash_prime(checksum, pad_zero, 8, + (uint8_t *)hash, hash_len, + salt, salt_len, hprime); + + /* step 14 */ + ret = memcmp(h, hprime, hash_len); + +out: + free(hprime); + free(salt); + free(db); + free(db_mask); + free(h); + free(masked_db); + + return ret; +} +#endif + /** * rsa_verify_key() - Verify a signature against some data using RSA Key * -- cgit v1.3.1 From c1cd921b7552114293e2490aaca2a667f9d1c723 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Wed, 21 Nov 2018 08:51:55 +0000 Subject: board_r: fix build with DM_SPI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC common/board_r.o common/board_r.c:747:2: error: ‘initr_spi’ undeclared here (not in a function) initr_spi, ^ make[1]: *** [common/board_r.o] Error 1 Fixes: ebe76a2df9f6 ("dm: Remove spi_init() from board_r.c when using driver model") Signed-off-by: Christophe Leroy --- common/board_r.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'common') diff --git a/common/board_r.c b/common/board_r.c index c55e33eec27..0c2129b8ceb 100644 --- a/common/board_r.c +++ b/common/board_r.c @@ -743,7 +743,7 @@ static init_fnc_t init_sequence_r[] = { /* initialize higher level parts of CPU like time base and timers */ cpu_init_r, #endif -#ifdef CONFIG_PPC +#if defined(CONFIG_PPC) && !defined(CONFIG_DM_SPI) initr_spi, #endif #ifdef CONFIG_CMD_NAND -- cgit v1.3.1