From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tom Rini Date: Tue, 18 Feb 2020 14:57:33 -0500 Subject: [PATCH v6 0/7] rsa: extend rsa_verify() for UEFI secure boot In-Reply-To: <20200217014240.GC22953@linaro.org> References: <20200127102740.26831-1-takahiro.akashi@linaro.org> <20200214122937.GA27143@bill-the-cat> <20200217014240.GC22953@linaro.org> Message-ID: <20200218195733.GS18302@bill-the-cat> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Mon, Feb 17, 2020 at 10:42:41AM +0900, AKASHI Takahiro wrote: > Hi Tom, > > On Fri, Feb 14, 2020 at 07:29:37AM -0500, Tom Rini wrote: > > On Mon, Jan 27, 2020 at 07:27:33PM +0900, AKASHI Takahiro wrote: > > > > > # This patch set is a prerequisite for UEFI secure boot. > > > > > > The current rsa_verify() requires five parameters for a RSA public key > > > for efficiency while RSA, in theory, requires only two. In addition, > > > those parameters are expected to come from FIT image. > > > > > > So this function won't fit very well when we want to use it for the purpose > > > of implementing UEFI secure boot, in particular, image authentication > > > as well as variable authentication, where the essential two parameters > > > are set to be retrieved from one of X509 certificates in signature > > > database. > > > > > > So, in this patch, additional three parameters will be calculated > > > on the fly when rsa_verify() is called without fdt which should contain > > > parameters above. > > > > > > This calculation heavily relies on "big-number (or multi-precision) > > > library." Therefore some routines from BearSSL[1] under MIT license are > > > imported in this implementation. See Patch#4. > > > # Please let me know if this is not appropriate. > > > > > > Prerequisite: > > > * public key parser in my "import x509/pkcs7 parser" patch[2] > > > > > > # Checkpatch will complain with lots of warnings/errors, but > > > # I intentionally don't fix them for maximum maintainability. > > > > > > [1] https://bearssl.org/ > > > [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html > > > > At this point it needs to be rebased again. There's a ton of failures > > in https://gitlab.denx.de/u-boot/u-boot/pipelines/2198 which is after I > > I think that you have wrongly merged my rsa extension patch here. > Looking at your modified commit, > https://gitlab.denx.de/u-boot/u-boot/commit/13fb61ce20dcd65cd4ccba1554eca6343c92ed6b > there is one missing hunk from my original. > Please revert the change in include/image.h and then apply a diff attached below. Please rebase and repost the series. > > did > > https://gitlab.denx.de/u-boot/u-boot/commit/7db0379f85995d8c7673db7b04eb36d96546c9c8 > > and I'll put a proper commit message on that later today and post it and > > CC relevant parties. > > I believe that your commit above has nothing to do with my patch > (and test failures). I'll re-confirm things then with the next post. > > It's otherwise looking good. I do want to confirm > > that on boards like minnowmax the slight growth in fit_image_check_sig > > is expected. It's only 6 bytes so it probably is and we get a larger > > reduction in rsa_verify all-around. > > Growth due to my patch?? Unless it's something else I mis-merged, yes. But given the area this series works on, it's not unexpected growth. Thanks! -- Tom -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: not available URL: