From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id CAF78C433EF for ; Fri, 10 Dec 2021 06:01:50 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BC26A82DA1; Fri, 10 Dec 2021 07:01:36 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=aspeedtech.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 2B70D8203C; Fri, 10 Dec 2021 07:01:33 +0100 (CET) Received: from twspam01.aspeedtech.com (twspam01.aspeedtech.com [211.20.114.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 17D048296F for ; Fri, 10 Dec 2021 07:01:27 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=aspeedtech.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jamin_lin@aspeedtech.com Received: from mail.aspeedtech.com ([192.168.0.24]) by twspam01.aspeedtech.com with ESMTP id 1BA5a0Ug075643; Fri, 10 Dec 2021 13:36:00 +0800 (GMT-8) (envelope-from jamin_lin@aspeedtech.com) Received: from localhost.localdomain (118.99.190.129) by TWMBX02.aspeed.com (192.168.0.24) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Dec 2021 14:01:04 +0800 From: Jamin Lin To: Alexandru Gagniuc , Simon Glass , Philippe Reynes , Sean Anderson , Thomas Perrot , "open list" CC: , Subject: [PATCH v3 1/1] rsa: adds rsa3072 algorithm Date: Fri, 10 Dec 2021 14:00:55 +0800 Message-ID: <20211210060100.16521-2-jamin_lin@aspeedtech.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211210060100.16521-1-jamin_lin@aspeedtech.com> References: <20211210060100.16521-1-jamin_lin@aspeedtech.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [118.99.190.129] X-ClientProxiedBy: TWMBX02.aspeed.com (192.168.0.24) To TWMBX02.aspeed.com (192.168.0.24) X-DNSRBL: X-MAIL: twspam01.aspeedtech.com 1BA5a0Ug075643 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.38 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Add to support rsa 3072 bits algorithm in tools for image sign at host side and adds rsa 3072 bits verification in the image binary. Add test case in vboot for sha384 with rsa3072 algorithm testing. Signed-off-by: Jamin Lin --- include/u-boot/rsa.h | 1 + lib/rsa/rsa-verify.c | 6 +++ test/py/tests/test_vboot.py | 12 +++++- test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++ test/py/tests/vboot/sign-images-sha384.its | 42 +++++++++++++++++++ tools/image-sig-host.c | 7 ++++ 6 files changed, 111 insertions(+), 2 deletions(-) create mode 100644 test/py/tests/vboot/sign-configs-sha384.its create mode 100644 test/py/tests/vboot/sign-images-sha384.its diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index 7556aa5b4b..bb56c2243c 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info, #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5" #define RSA2048_BYTES (2048 / 8) +#define RSA3072_BYTES (3072 / 8) #define RSA4096_BYTES (4096 / 8) /* This is the minimum/maximum key size we support, in bits */ diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 83f7564101..4fe487d7e5 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = { .verify = rsa_verify, }; +U_BOOT_CRYPTO_ALGO(rsa3072) = { + .name = "rsa3072", + .key_len = RSA3072_BYTES, + .verify = rsa_verify, +}; + U_BOOT_CRYPTO_ALGO(rsa4096) = { .name = "rsa4096", .key_len = RSA4096_BYTES, diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 095e00cce3..b080d482af 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -45,6 +45,8 @@ TESTDATA = [ ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], ['sha256-pss-required', 'sha256', '-pss', None, True, False], ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha384-basic', 'sha384', '', None, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], ] @pytest.mark.boardspec('sandbox') @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, name: Name of of the key (e.g. 'dev') """ public_exponent = 65537 + + if sha_algo == "sha384": + rsa_keygen_bits = 3072 + else: + rsa_keygen_bits = 2048 + util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key ' - '-pkeyopt rsa_keygen_bits:2048 ' + '-pkeyopt rsa_keygen_bits:%d ' '-pkeyopt rsa_keygen_pubexp:%d' % - (tmpdir, name, public_exponent)) + (tmpdir, name, rsa_keygen_bits, public_exponent)) # Create a certificate containing the public key util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key ' diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its new file mode 100644 index 0000000000..2869401991 --- /dev/null +++ b/test/py/tests/vboot/sign-configs-sha384.its @@ -0,0 +1,45 @@ +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + hash-1 { + algo = "sha384"; + }; + }; + fdt-1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + hash-1 { + algo = "sha384"; + }; + }; + }; + configurations { + default = "conf-1"; + conf-1 { + kernel = "kernel"; + fdt = "fdt-1"; + signature { + algo = "sha384,rsa3072"; + key-name-hint = "dev"; + sign-images = "fdt", "kernel"; + }; + }; + }; +}; diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its new file mode 100644 index 0000000000..be1a9a653c --- /dev/null +++ b/test/py/tests/vboot/sign-images-sha384.its @@ -0,0 +1,42 @@ +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + signature { + algo = "sha384,rsa3072"; + key-name-hint = "dev"; + }; + }; + fdt-1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + signature { + algo = "sha384,rsa3072"; + key-name-hint = "dev"; + }; + }; + }; + configurations { + default = "conf-1"; + conf-1 { + kernel = "kernel"; + fdt = "fdt-1"; + }; + }; +}; diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c index 8ed6998dab..d0133aec4c 100644 --- a/tools/image-sig-host.c +++ b/tools/image-sig-host.c @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = { .add_verify_data = rsa_add_verify_data, .verify = rsa_verify, }, + { + .name = "rsa3072", + .key_len = RSA3072_BYTES, + .sign = rsa_sign, + .add_verify_data = rsa_add_verify_data, + .verify = rsa_verify, + }, { .name = "rsa4096", .key_len = RSA4096_BYTES, -- 2.17.1