[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config
Date: Tue, 21 Jan 2020 13:29:58 +0900	[thread overview]
Message-ID: <20200121042957.GB8146@linaro.org> (raw)
In-Reply-To: <5aa66a6d-64ae-1e6b-8c62-2e8273799c3e@gmx.de>

Tom, Simon,

On Fri, Jan 17, 2020 at 06:59:44AM +0100, Heinrich Schuchardt wrote:
> On 1/17/20 3:24 AM, AKASHI Takahiro wrote:
> >On Tue, Jan 14, 2020 at 12:43:40PM +0100, Heinrich Schuchardt wrote:
> >>On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
> >>>On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >>>>>In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> >>>>>rsa_verify() will be extended to be able to perform RSA decryption without
> >>>>>additional RSA key properties from FIT image, i.e. rr and n0inv.
> >>>>>
> >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>>>Reviewed-by: Simon Glass <sjg@chromium.org>
> >>>>
> >>>>The patch series does not build for some configurations.
> >>>>
> >>>>>---
> >>>>>  lib/rsa/Kconfig | 14 ++++++++++++++
> >>>>>  1 file changed, 14 insertions(+)
> >>>>>
> >>>>>diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> >>>>>index 03ffa2969048..71e4c06bf883 100644
> >>>>>--- a/lib/rsa/Kconfig
> >>>>>+++ b/lib/rsa/Kconfig
> >>>>>@@ -30,6 +30,20 @@ config RSA_VERIFY
> >>>>>  	help
> >>>>>  	  Add RSA signature verification support.
> >>>>>
> >>>>>+config RSA_VERIFY_WITH_PKEY
> >>>>
> >>>>For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> >>>>I get an error:
> >>>
> >>>This error is inevitable as both RSA_VERIFY_WITH_PKEY and
> >>>RSA_PUBLIC_KEY_PARSER are "select"able configurations with
> >>>visible prompts and then
> >>
> >>No, it is not inevitbable. Just ensure that in the Makefiles all modules
> >>are selected that you need for your configuration.
> >
> >How?
> >Can you please show me a simple solution?
> 

Which is your choice as a maintainer/author of lib/rsa?

In my opinion,

> ifneq($(CONFIG_RSA_VERIFY_WITH_PKEY)$(CONFIG_RSA_PUBLIC_KEY_PARSER),)
> obj-y += foo.o
> endif

I will take this by a process of elimination.

> or
> 
> config RSA_VERIFY_WITH_PKEY
> 	depends on RSA_PUBLIC_KEY_PARSER

I normally use "depends on" to select a subset feature of the target.

> or
> 
> config RSA_VERIFY_WITH_PKEY
> 	select RSA_PUBLIC_KEY_PARSER

Nak, as I said, because RSA_PUBLIC_KEY_PARSER is a visible configuration symbol.

Thanks,
-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> >
> >Thanks,
> >-Takahiro Akashi
> >
> >
> >>>we should generally avoid potential illegal configurations;
> >>
> >>Yes, we want to avoid potentially illegal configurations everywhere.
> >>This is why we have a randconfig build target.
> >>
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>The one should NOT forcibly select the other as the kernel kconfig
> >>>document suggests.
> >>>
> >>>#  Note:
> >>>#        select should be used with care. select will force
> >>>#        a symbol to a value without visiting the dependencies.
> >>>#        By abusing select you are able to select a symbol FOO even
> >>>#        if FOO depends on BAR that is not set.
> >>>#        In general use select only for non-visible symbols
> >>>#        (no prompts anywhere) and for symbols with no dependencies.
> >>>#        That will limit the usefulness but on the other hand avoid
> >>>#        the illegal configurations all over.
> >>>
> >>>-Takahiro Akashi
> >>>
> >>>
> >>>>lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
> >>>>
> >>>>RSA_PUBLIC_KEY_PARSER depends on
> >>>>ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
> >>>>
> >>>>Please, fix the dependencies.
> >>>>
> >>>>Best regards
> >>>>
> >>>>Heinrich
> >>>>
> >>>>>+	bool "Execute RSA verification without key parameters from FDT"
> >>>>>+	depends on RSA
> >>>>>+	help
> >>>>>+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> >>>>>+	  pre-calculated key properties, that are stored in fdt blob, in
> >>>>>+	  decrypting a signature.
> >>>>>+	  This does not suit the use case where there is no way defined to
> >>>>>+	  provide such additional key properties in standardized form,
> >>>>>+	  particularly UEFI secure boot.
> >>>>>+	  This options enables RSA signature verification with a public key
> >>>>>+	  directly specified in image_sign_info, where all the necessary
> >>>>>+	  key properties will be calculated on the fly in verification code.
> >>>>>+
> >>>>>  config RSA_SOFTWARE_EXP
> >>>>>  	bool "Enable driver for RSA Modular Exponentiation in software"
> >>>>>  	depends on DM
> >>>>>
> >>>
> >>
> >
>

next prev parent reply	other threads:[~2020-01-21  4:29 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-21  0:11 [U-Boot] [PATCH v4 0/6] rsa: extend rsa_verify() for UEFI secure boot AKASHI Takahiro
2019-11-21  0:11 ` [U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification AKASHI Takahiro
2019-12-07  0:25   ` Tom Rini
2019-12-12 10:10     ` AKASHI Takahiro
2019-11-21  0:11 ` [U-Boot] [PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config AKASHI Takahiro
2020-01-08 12:35   ` Heinrich Schuchardt
2020-01-14  7:45     ` AKASHI Takahiro
2020-01-14 11:43       ` Heinrich Schuchardt
2020-01-17  2:24         ` AKASHI Takahiro
2020-01-17  5:59           ` Heinrich Schuchardt
2020-01-21  4:29             ` AKASHI Takahiro [this message]
2020-01-21 15:34               ` Tom Rini
2019-11-21  0:11 ` [U-Boot] [PATCH v4 3/6] include: image.h: add key info to image_sign_info AKASHI Takahiro
2019-11-21  0:11 ` [U-Boot] [PATCH v4 4/6] lib: rsa: generate additional parameters for public key AKASHI Takahiro
2020-01-08 18:07   ` Heinrich Schuchardt
2020-01-08 18:16     ` Heinrich Schuchardt
2020-01-14  7:15     ` AKASHI Takahiro
2019-11-21  0:11 ` [U-Boot] [PATCH v4 5/6] lib: rsa: add rsa_verify_with_pkey() AKASHI Takahiro
2019-11-21  0:11 ` [U-Boot] [PATCH v4 6/6] test: add rsa_verify() unit test AKASHI Takahiro
2020-01-08 17:43   ` Heinrich Schuchardt
2020-01-08 22:25     ` Heinrich Schuchardt
2020-01-14  7:33     ` AKASHI Takahiro
2020-01-14 12:04       ` Heinrich Schuchardt
2020-01-17  1:53         ` AKASHI Takahiro
2020-01-17  5:26           ` Heinrich Schuchardt
2020-01-21  5:48             ` AKASHI Takahiro
2020-01-21 15:40               ` Tom Rini
2020-01-22  0:22                 ` AKASHI Takahiro
2020-01-22  0:26                   ` Tom Rini
2020-01-18 20:20 ` [PATCH v4 0/6] rsa: extend rsa_verify() for UEFI secure boot Heinrich Schuchardt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200121042957.GB8146@linaro.org \
    --to=takahiro.akashi@linaro.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox