From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [RFC 2/3] lib: rsa: generate additional parameters for public key
Date: Thu, 3 Oct 2019 10:34:33 +0300	[thread overview]
Message-ID: <20191003073433.GA15509@apalos.home> (raw)
In-Reply-To: <20190906070808.1198-3-takahiro.akashi@linaro.org>

On Fri, Sep 06, 2019 at 04:08:07PM +0900, AKASHI Takahiro wrote:
> In the current implementation of FIT_SIGNATURE, five parameters for
> a RSA public key are required while only two of them are essential.
> (See rsa-mod-exp.h and uImage.FIT/signature.txt)
> This is a result of considering relatively limited computer power
> and resources on embedded systems, while such an assumption may not
> be quite practical for other use cases.
> 
> In this patch, added is a function, rsa_gen_key_prop(), which will
> generate additional parameters for other uses, in particular
> UEFI secure boot, on the fly.
> 
> Note: the current code uses some "big number" routines from BearSSL
> for the calculation.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  include/u-boot/rsa-mod-exp.h |   3 +
>  lib/rsa/Makefile             |   2 +-
>  lib/rsa/rsa-keyprop.c        | 631 +++++++++++++++++++++++++++++++++++
>  3 files changed, 635 insertions(+), 1 deletion(-)
>  create mode 100644 lib/rsa/rsa-keyprop.c
> 
> diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
> index 8a428c4b6a1a..ca189292d869 100644
> --- a/include/u-boot/rsa-mod-exp.h
> +++ b/include/u-boot/rsa-mod-exp.h
> @@ -26,6 +26,9 @@ struct key_prop {
>  	uint32_t exp_len;	/* Exponent length in number of uint8_t */
>  };
>  
> +struct key_prop *rsa_gen_key_prop(const void *key, uint32_t keylen);
> +void rsa_free_key_prop(struct key_prop *prop);
> +
>  /**
>   * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
>   *
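Review bot: The two prototypes added above the rsa_mod_exp_sw() comment carry no kernel-doc, although the next declaration in this header has one, so a caller cannot tell from the header who owns the returned `struct key_prop` or how failure is reported. The commit message says the function is meant for UEFI secure boot, where `key`/`keylen` may describe a blob the caller has not yet authenticated. The comment should therefore state the expected encoding of `key`, the unit of `keylen`, the value returned on a parse or allocation failure (presumably NULL, to be confirmed against rsa-keyprop.c), and that the result must be released with `rsa_free_key_prop()`. It should also say whether `rsa_free_key_prop(NULL)` is permitted, since error paths commonly call the free routine unconditionally.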
> --- /dev/null
> +++ b/lib/rsa/rsa-keyprop.c
> @@ -0,0 +1,631 @@
> +

[...]

> +/* stripped version of src/inner.h */
> +
> +static inline unsigned
> +br_dec16be(const void *src)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	return ((const br_union_u16 *)src)->u;
> +#else
> +	const unsigned char *buf;
> +
> +	buf = src;
> +	return ((unsigned)buf[0] << 8) | (unsigned)buf[1];
> +#endif
> +}
> +
> +static inline uint32_t
> +br_dec32be(const void *src)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	return ((const br_union_u32 *)src)->u;
> +#else
> +	const unsigned char *buf;
> +
> +	buf = src;
> +	return ((uint32_t)buf[0] << 24)
> +		| ((uint32_t)buf[1] << 16)
> +		| ((uint32_t)buf[2] << 8)
> +		| (uint32_t)buf[3];
> +#endif
> +}
> +
> +static inline void
> +br_enc32be(void *dst, uint32_t x)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	((br_union_u32 *)dst)->u = x;
> +#else
> +	unsigned char *buf;
> +
> +	buf = dst;
> +	buf[0] = (unsigned char)(x >> 24);
> +	buf[1] = (unsigned char)(x >> 16);
> +	buf[2] = (unsigned char)(x >> 8);
> +	buf[3] = (unsigned char)x;
> +#endif
> +}
> +

There's no U-Boot API for the above?

> +static inline uint32_t
> +NOT(uint32_t ctl)
> +{
> +	return ctl ^ 1;
> +}

Ditto

> +
> +static inline uint32_t
> +MUX(uint32_t ctl, uint32_t x, uint32_t y)
> +{
> +	return y ^ (-ctl & (x ^ y));
> +}
> +
> +static inline uint32_t
> +EQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return NOT((q | -q) >> 31);
> +}
> +
> +static inline uint32_t
> +NEQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return (q | -q) >> 31;
> +}
> +
> +static inline uint32_t
> +GT(uint32_t x, uint32_t y)
> +{
> +	/*
> +	 * If both x < 2^31 and x < 2^31, then y-x will have its high

The second one should be y < 2^31

> +	 * bit set if x > y, cleared otherwise.
> +	 *
> +}
> +
> +struct key_prop *rsa_gen_key_prop(const void *key, uint32_t keylen)
> +{
> +	struct key_prop *prop;
> +	struct rsa_key rsa_key;
> +#define BR_MAX_RSA_SIZE 4096
> +	uint32_t *n, *rr, *rrtmp;
> +	int rlen, i, ret;
> +	prop->n0inv = br_i32_ninv32(n[1]);
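Review bot: NOT() and MUX() are only correct when `ctl` is exactly 0 or 1, because `ctl ^ 1` and `-ctl & (x ^ y)` give a wrong result for any other non-zero value, and nothing in the quoted lines states that contract. EQ() passes NOT() a value already reduced to one bit with `>> 31`, so the visible use is fine, but a later caller passing an ordinary C truth value such as a masked word would silently get a mix of `x` and `y` from MUX(). I would add a comment above NOT() such as `/* ctl must be 0 or 1; these helpers are branch-free on purpose, do not rewrite with ?: */`; the branch-free intent is inferred from the BearSSL origin named in the commit message. The quoted patch is trimmed, so the rest of the file, including the bodies of GT() and rsa_gen_key_prop(), is not visible here.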
> -- 
> 2.21.0
> 


Regards
/Ilias
