From: Alex G. <mr.nuke.me@gmail.com>
To: u-boot@lists.denx.de
Subject: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot
Date: Tue, 9 Feb 2021 16:37:04 -0600 [thread overview]
Message-ID: <62e348a0-eeb0-a93e-1df0-bf58bf0af1d6@gmail.com> (raw)
In-Reply-To: <53cae06a-ba47-31fb-89b1-88f807d78a4d@foss.st.com>
Hi Patrick,
On 2/9/21 9:11 AM, Patrick DELAUNAY wrote:
> Hi,
>
> On 1/11/21 4:41 PM, Alexandru Gagniuc wrote:
>> Prepare the source tree for accepting implementations of the ECDSA
>> algorithm. This patch deals with the boring aspects of Makefiles and
>> Kconfig files.
>>
>> Signed-off-by: Alexandru Gagniuc<mr.nuke.me@gmail.com>
>> ---
>> ? include/image.h????????? | 10 +++++-----
>> ? include/u-boot/rsa.h???? |? 2 +-
>> ? lib/Kconfig????????????? |? 1 +
>> ? lib/Makefile???????????? |? 1 +
>> ? lib/ecdsa/Kconfig??????? | 23 +++++++++++++++++++++++
>> ? lib/ecdsa/Makefile?????? |? 1 +
>> ? lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
>> ? 7 files changed, 45 insertions(+), 6 deletions(-)
>> ? create mode 100644 lib/ecdsa/Kconfig
>> ? create mode 100644 lib/ecdsa/Makefile
>> ? create mode 100644 lib/ecdsa/ecdsa-verify.c
>>
>> diff --git a/include/image.h b/include/image.h
>> index 6628173dca..1d70ba0ece 100644
>> --- a/include/image.h
>> +++ b/include/image.h
>> @@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int
>> data_len, const char *algo,
>> ? #if defined(USE_HOSTCC)
>> ? # if defined(CONFIG_FIT_SIGNATURE)
>> ? #? define IMAGE_ENABLE_SIGN??? 1
>> -#? define IMAGE_ENABLE_VERIFY??? 1
>> +#? define IMAGE_ENABLE_VERIFY_RSA??? 1
>> ? #? define IMAGE_ENABLE_VERIFY_ECDSA??? 1
>> ? #? define FIT_IMAGE_ENABLE_VERIFY??? 1
>> ? #? include <openssl/evp.h>
>> ? # else
>> ? #? define IMAGE_ENABLE_SIGN??? 0
>> -#? define IMAGE_ENABLE_VERIFY??? 0
>> +#? define IMAGE_ENABLE_VERIFY_RSA??? 0
>> ? # define IMAGE_ENABLE_VERIFY_ECDSA??? 0
>> ? #? define FIT_IMAGE_ENABLE_VERIFY??? 0
>> ? # endif
>> ? #else
>> ? # define IMAGE_ENABLE_SIGN??? 0
>> -# define IMAGE_ENABLE_VERIFY??????? CONFIG_IS_ENABLED(RSA_VERIFY)
>> -# define IMAGE_ENABLE_VERIFY_ECDSA??? 0
>> +# define IMAGE_ENABLE_VERIFY_RSA??? CONFIG_IS_ENABLED(RSA_VERIFY)
>> +# define IMAGE_ENABLE_VERIFY_ECDSA??? CONFIG_IS_ENABLED(ECDSA_VERIFY)
>
> here you are using CONFIG_IS_ENABLED.
>
> This macro imply to test CONFIG_ECDSA_VERIFY or CONFIG_SPL_ECDSA_VERIFY
> (for SPL build)
>
> => but CONFIG_SPL_ECDSA_VERIFY is missing, I think you need to add it,
> as RSA
This patch adds both "config ECDSA_VERIFY" and "config SPL_ECDSA_VERIFY"
see @lib/ecdsa/Kconfig. I believe this achieves what you need.
[snip]
>> diff --git a/lib/Makefile b/lib/Makefile
>> index cf64188ba5..ab86be2678 100644
>> --- a/lib/Makefile
>> +++ b/lib/Makefile
>> @@ -59,6 +59,7 @@ endif
>> ? obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
>> ? obj-$(CONFIG_$(SPL_)MD5) += md5.o
>> +obj-$(CONFIG_ECDSA) += ecdsa/
>
> obj-$(CONFIG_$(SPL_)ECDSA) += ecdsa/
The intent here is to use CONFIG_ECDSA to denote ECDSA support.
CONFIG_ECDSA_VERIFY and CONFIG_SPL_ECDSA_VERIFY are used to enable the
code in u-boot and SPL respectively. Only verification is supported on
the target, so these are the only switches that enable or disable code.
>
>> ? obj-$(CONFIG_$(SPL_)RSA) += rsa/
>> ? obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
>> ? obj-$(CONFIG_SHA1) += sha1.o
>> diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
>> new file mode 100644
>> index 0000000000..1244d6b6ea
>> --- /dev/null
>> +++ b/lib/ecdsa/Kconfig
>> @@ -0,0 +1,23 @@
>> +config ECDSA
>> +??? bool "Enable ECDSA support"
>> +??? depends on DM
>> +??? help
>> +????? This enables the ECDSA algorithm for FIT image verification in
>> U-Boot.
>> +????? See doc/uImage.FIT/signature.txt for more details.
>> +????? The ECDSA algorithm is implemented using the driver model. So
>> +????? CONFIG_DM is required by this library.
>> +????? ECDSA is enabled for mkimage regardless of this? option.
>> +
>> +if ECDSA
>> +
>
> Add CONFIG_SPL_ECDSA to select independently support in SPL et/or in U-Boot
> as it is done for RSA
>
> + config SPL_ECDSA
> +??? bool "Use ECDSA library within in SPL"
>
I though about an SPL_ECDSA kconfig. As mentioned above, we have
independent switches to enable the code for u-boot/SPL. We can enable
ECDSA support in u-boot, SPL, neither or both. What would this switch add?
>
>> +config ECDSA_VERIFY
>> +??? bool "Enable ECDSA verification support in U-Boot."
>
>
> + select SPL_ECDSA
>
>
>> +??? help
>> +????? Allow ECDSA signatures to be recognized and verified in U-Boot.
>> +
>> +config SPL_ECDSA_VERIFY
>> +??? bool "Enable ECDSA verification support in SPL"
>> +??? help
>> +????? Allow ECDSA signatures to be recognized and verified in SPL.
This is the switch for SPL (@mentioned earlier).
Alex
next prev parent reply other threads:[~2021-02-09 22:37 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-11 15:41 [PATCH 0/5] Enable ECDSA FIT verification for stm32mp Alexandru Gagniuc
2021-01-11 15:41 ` [PATCH 1/5] dm: crypto: Define UCLASS API for ECDSA signature verification Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
2021-01-14 16:09 ` Alex G.
2021-01-14 19:16 ` Simon Glass
2021-01-11 15:41 ` [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot Alexandru Gagniuc
2021-02-09 15:11 ` Patrick DELAUNAY
2021-02-09 22:37 ` Alex G. [this message]
2021-01-11 15:41 ` [PATCH 3/5] lib: ecdsa: Implement signature verification for crypto_algo API Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
2021-02-09 15:56 ` Patrick DELAUNAY
2021-02-09 22:58 ` Alex G.
2021-01-11 15:41 ` [PATCH 4/5] arm: stm32mp1: Implement ECDSA signature verification Alexandru Gagniuc
2021-01-11 15:41 ` [PATCH 5/5] Kconfig: FIT_SIGNATURE should not select RSA_VERIFY Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
2021-02-09 15:08 ` [PATCH 0/5] Enable ECDSA FIT verification for stm32mp Patrick DELAUNAY
2021-02-09 21:28 ` Alex G.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62e348a0-eeb0-a93e-1df0-bf58bf0af1d6@gmail.com \
--to=mr.nuke.me@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox