From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification
Date: Thu, 12 Dec 2019 19:10:34 +0900
Message-ID: <20191212101033.GE22427@linaro.org>
In-Reply-To: <20191207002547.GA3484@bill-the-cat>

Tom, Simon,

On Fri, Dec 06, 2019 at 07:25:47PM -0500, Tom Rini wrote:
> On Thu, Nov 21, 2019 at 09:11:16AM +0900, AKASHI Takahiro wrote:
>
> > Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
> > RSA functions from FIT verification and allow for adding a RSA-based
> > signature verification for other file formats, in particular PE file
> > for UEFI secure boot.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > ---
> > Kconfig | 1 +
> > common/Makefile | 3 +-
> > common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
> > common/image-fit.c | 6 +-
> > common/image-sig.c | 396 --------------------------------------
> > include/image.h | 13 +-
> > lib/rsa/Kconfig | 12 ++
> > lib/rsa/Makefile | 2 +-
> > lib/rsa/rsa-verify.c | 78 +++++---
> > tools/Makefile | 2 +-
> > 10 files changed, 493 insertions(+), 437 deletions(-)
> > create mode 100644 common/image-fit-sig.c
>
> OK, the way this works today we see things like:
> T1042RDB_PI_NAND_SECURE_BOOT: all +706 data +88 rodata +58 spl/u-boot-spl:all +704 spl/u-boot-spl:data +144 spl/u-boot-spl:text +560 text +560
>    u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
>      function                                   old     new   delta
>      hash_calculate                               -     192    +192
>      padding_pkcs_15_verify                       -     184    +184
>      rsa_verify                                   -     104    +104
>      crypto_algos                                 -      40     +40
>      checksum_algos                               -      40     +40
>      rsa_sign                                     -       8      +8
>      rsa_add_verify_data                          -       8      +8
>      padding_algos                                -       8      +8
>    spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
>      function                                   old     new   delta
>      hash_calculate                               -     192    +192
>      padding_pkcs_15_verify                       -     184    +184
>      rsa_verify                                   -     104    +104
>      crypto_algos                                 -      40     +40
>      checksum_algos                               -      40     +40
>      sha256_der_prefix                            -      19     +19
>      sha1_der_prefix                              -      15     +15
>      rsa_sign                                     -       8      +8
>      rsa_add_verify_data                          -       8      +8
>      padding_algos                                -       8      +8
>
> Which seems wrong, we should be making any changes here opt-in, yes? Thanks!

Okay, I found out what was wrong with my patch.

*But*, it seems to me that lib/rsa/Kconfig, in particular
RSA_FREESCALE_EXP, is weird because CONFIG_RSA as well as
RSA_FREESCALE_EXP is enabled in T1042RDB_PI_NAND_SECURE_BOOT_defconfig,
and yet rsa_verify(), which is the heart of CONFIG_RSA (library),
is NOT enabled in the configuration (for T1042RDB).
So the generated code will have no real user of this crypto driver,
i.e. drivers/crypto/fsl/fsl_rsa.c.

Anyway, I will post a fixed version early next week.

Thanks,
-Takahiro Akashi

> --
> Tom
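
Added example (not part of the original message or of the U-Boot tree): a small Python check over the per-image size report quoted above, listing symbols that are newly linked in (old size `-`) and confirming that each image's net byte count equals the sum of its deltas. The function names and the `allowed` opt-in allowlist are hypothetical; the report text is copied from the quoted message.

```python
import re
# Per-image size report copied from the quoted message above.
REPORT = """\
u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
function old new delta
hash_calculate - 192 +192
padding_pkcs_15_verify - 184 +184
rsa_verify - 104 +104
crypto_algos - 40 +40
checksum_algos - 40 +40
rsa_sign - 8 +8
rsa_add_verify_data - 8 +8
padding_algos - 8 +8
spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
function old new delta
hash_calculate - 192 +192
padding_pkcs_15_verify - 184 +184
rsa_verify - 104 +104
crypto_algos - 40 +40
checksum_algos - 40 +40
sha256_der_prefix - 19 +19
sha1_der_prefix - 15 +15
rsa_sign - 8 +8
rsa_add_verify_data - 8 +8
padding_algos - 8 +8
"""

IMAGE = re.compile(r"^(\S+): add: \d+/-?\d+, grow: \d+/-?\d+ bytes: \d+/-?\d+ \((-?\d+)\)$")
SYMBOL = re.compile(r"^(\w+) (-|\d+) (-|\d+) ([+-]\d+)$")

def parse(report):
    """Return {image: {"net": int, "symbols": {name: (old, new, delta)}}}."""
    images, cur = {}, None
    # Collapse column padding so aligned and flattened reports parse alike.
    for line in (" ".join(raw.split()) for raw in report.splitlines()):
        if m := IMAGE.match(line):
            cur = images.setdefault(m[1], {"net": int(m[2]), "symbols": {}})
        elif cur is not None and (m := SYMBOL.match(line)):
            cur["symbols"][m[1]] = (m[2], m[3], int(m[4]))
    return images

def unexpected_growth(report, allowed=frozenset()):
    """Per image: symbols that did not exist before and are not opted in."""
    return {img: sorted(s for s, v in d["symbols"].items() if v[0] == "-" and s not in allowed)
            for img, d in parse(report).items()}

def totals_consistent(report):
    """True if every image's net byte count equals the sum of its deltas."""
    return all(d["net"] == sum(v[2] for v in d["symbols"].values())
               for d in parse(report).values())
```

An empty `allowed` set models a board that has not opted in to the new code, so every symbol with old size `-` is reported.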