From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: [PATCH v7 0/7] rsa: extend rsa_verify() for UEFI secure boot
Date: Fri, 21 Feb 2020 12:18:41 -0500 [thread overview]
Message-ID: <20200221171841.GO18302@bill-the-cat> (raw)
In-Reply-To: <20200221061301.19660-1-takahiro.akashi@linaro.org>
On Fri, Feb 21, 2020 at 03:12:54PM +0900, AKASHI Takahiro wrote:
> # This patch set is a prerequisite for UEFI secure boot.
>
> The current rsa_verify() requires five parameters for a RSA public key
> for efficiency while RSA, in theory, requires only two. In addition,
> those parameters are expected to come from FIT image.
>
> So this function won't fit very well when we want to use it for the purpose
> of implementing UEFI secure boot, in particular, image authentication
> as well as variable authentication, where the essential two parameters
> are set to be retrieved from one of X509 certificates in signature
> database.
>
> So, in this patch, additional three parameters will be calculated
> on the fly when rsa_verify() is called without fdt which should contain
> parameters above.
>
> This calculation heavily relies on "big-number (or multi-precision)
> library." Therefore some routines from BearSSL[1] under MIT license are
> imported in this implementation. See Patch#4.
> # Please let me know if this is not appropriate.
>
> Prerequisite:
> * public key parser in my "import x509/pkcs7 parser" patch[2]
This has been applied a long while back.
And for the record, without http://patchwork.ozlabs.org/patch/1239098/
applied sandbox fails to build. I had said I would take care of that
specific issue, so I'm just noting it here. I'm kicking off a larger
test now.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200221/3593699f/attachment.sig>
next prev parent reply other threads:[~2020-02-21 17:18 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-21 6:12 [PATCH v7 0/7] rsa: extend rsa_verify() for UEFI secure boot AKASHI Takahiro
2020-02-21 6:12 ` [PATCH v7 1/7] lib: rsa: decouple rsa from FIT image verification AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:12 ` [PATCH v7 2/7] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:12 ` [PATCH v7 3/7] include: image.h: add key info to image_sign_info AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:12 ` [PATCH v7 4/7] lib: rsa: generate additional parameters for public key AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:12 ` [PATCH v7 5/7] lib: rsa: add rsa_verify_with_pkey() AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:13 ` [PATCH v7 6/7] test: add rsa_verify() unit test AKASHI Takahiro
2020-03-12 16:48 ` Tom Rini
2020-02-21 6:13 ` [PATCH v7 7/7] test: enable RSA library test on sandbox AKASHI Takahiro
2020-03-12 16:49 ` Tom Rini
2020-02-21 17:18 ` Tom Rini [this message]
2020-02-25 4:55 ` [PATCH v7 0/7] rsa: extend rsa_verify() for UEFI secure boot AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200221171841.GO18302@bill-the-cat \
--to=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox