[PATCH v6 0/7] rsa: extend rsa_verify() for UEFI secure boot

[Tom Rini <trini@konsulko.com>]

On Mon, Feb 17, 2020 at 10:42:41AM +0900, AKASHI Takahiro wrote:
> Hi Tom,
> 
> On Fri, Feb 14, 2020 at 07:29:37AM -0500, Tom Rini wrote:
> > On Mon, Jan 27, 2020 at 07:27:33PM +0900, AKASHI Takahiro wrote:
> > 
> > > # This patch set is a prerequisite for UEFI secure boot.
> > > 
> > > The current rsa_verify() requires five parameters for a RSA public key
> > > for efficiency while RSA, in theory, requires only two. In addition,
> > > those parameters are expected to come from FIT image.
> > > 
> > > So this function won't fit very well when we want to use it for the purpose
> > > of implementing UEFI secure boot, in particular, image authentication
> > > as well as variable authentication, where the essential two parameters
> > > are set to be retrieved from one of X509 certificates in signature
> > > database.
> > > 
> > > So, in this patch, additional three parameters will be calculated
> > > on the fly when rsa_verify() is called without fdt which should contain
> > > parameters above.
> > > 
> > > This calculation heavily relies on "big-number (or multi-precision)
> > > library." Therefore some routines from BearSSL[1] under MIT license are
> > > imported in this implementation. See Patch#4.
> > > # Please let me know if this is not appropriate.
> > > 
> > > Prerequisite:
> > > * public key parser in my "import x509/pkcs7 parser" patch[2]
> > > 
> > > # Checkpatch will complain with lots of warnings/errors, but
> > > # I intentionally don't fix them for maximum maintainability.
> > > 
> > >   [1] https://bearssl.org/
> > >   [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
> > 
> > At this point it needs to be rebased again.  There's a ton of failures
> > in https://gitlab.denx.de/u-boot/u-boot/pipelines/2198 which is after I
> 
> I think that you have wrongly merged my rsa extension patch here.
> Looking at your modified commit,
> https://gitlab.denx.de/u-boot/u-boot/commit/13fb61ce20dcd65cd4ccba1554eca6343c92ed6b
> there is one missing hunk from my original.
> Please revert the change in include/image.h and then apply a diff attached below.

Please rebase and repost the series.

> > did
> > https://gitlab.denx.de/u-boot/u-boot/commit/7db0379f85995d8c7673db7b04eb36d96546c9c8
> > and I'll put a proper commit message on that later today and post it and
> > CC relevant parties.
> 
> I believe that your commit above has nothing to do with my patch
> (and test failures).

I'll re-confirm things then with the next post.

> > It's otherwise looking good.  I do want to confirm
> > that on boards like minnowmax the slight growth in fit_image_check_sig
> > is expected.  It's only 6 bytes so it probably is and we get a larger
> > reduction in rsa_verify all-around.
> 
> Growth due to my patch??

Unless it's something else I mis-merged, yes.  But given the area this
series works on, it's not unexpected growth.

Thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200218/5ff2238a/attachment.sig>