[U-Boot] RSA in U-Boot

[AKASHI, Takahiro <takahiro.akashi@linaro.org>]

Hi,

I'd like to discuss this topic in public.
I will appreciate your comments here.
# FYI, I now started to experimentally port linux's pkcs7/x509
# parser.

Thanks,
-Takahiro Akashi

----- Forwarded message from Simon Glass <sjg@chromium.org> -----

Date: Thu, 7 Mar 2019 19:56:10 -0700
From: Simon Glass <sjg@chromium.org>
To: "AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: RSA in U-Boot

Hi Takahiro,

On Thu, 7 Mar 2019 at 17:27, AKASHI, Takahiro
<takahiro.akashi@linaro.org> wrote:
>
> Hi Simon,
>
> Before I start discussions publicly, I'd like to hear
> your opinion first.

I do think it is better to discuss this in public since there will be
other opinions.

>
> I'm now working on implementing "secure boot"
> for UEFI U-Boot.
>
> As you might know, there are a couple of features
> required to achieve "secure boot":
> (I won't discuss about secure storage here though.)
> - x509 certificate decoder
> - pkcs7 decoder (for PE file's signature)
> - RSA verification
> - (hash digest, sha256)
>
> The original code, which was written by some other guy,
> Patrick, uses BearSSL for x509 and RSA and
> I'm now wondering what is the best solution.
> Obviously, I can think of several options here:
> 1. use BearSSL
>   1.a just import minimum set of files akin lib/libfdt
>   1.b link whole BearSSL as a library, merging the code
>         as git submodule
> 2. use openssl
> 3. import linux kernel code, particularly x509 & pkcs7 parser
> 4. write our own code
>
> I suppose that you weighed similar choices when you implemented
> "FIT image signing".
> Can you share your opinion with me?

I think if you can do 3 then it keeps U-Boot self-contained and
perhaps provides for simple code. That said, if the amount of code is
large and has an upstream there is clear precident for 1a, as you say.

I am not sure about 4. If it is a relatively small amount of code,
then maybe, but surely it makes sense to use the linux code where
possible. That is what I did with the U-Boot livetree code.

1b sounds painful to me.

>
> Regarding your lib/rsa code, you intentionally avoided to
> add formula of inverse-mod and power-mod of R. Do you still
> believe that the assumption is appropriate?
> (BearSSL implements its own montgomery.

If you look at a talk I gave on this, you can see that one of the
goals was to implement it efficiently, with minimal extra code at
run-time, and minimal memory usage. So unpacking complex key
structures did not seem like a good idea. From memory you can do
verified boot in about 7KB of extra code in U-Boot and it runs in a
small number of milliseconds.

UEFI is obviously pretty big, so perhaps efficiency concerns are less
important. More important probably is wide compatibility, supporting
all possible options, etc.

I hope this is helpful.

Regards,
Simon

----- End forwarded message -----