From: Alex G. <mr.nuke.me@gmail.com>
To: u-boot@lists.denx.de
Subject: [PATCH RFC v2 5/5] test/py: ecdsa: Add test for mkimage ECDSA signing
Date: Thu, 7 Jan 2021 12:44:17 -0600 [thread overview]
Message-ID: <85673082-07b8-79b1-9e8e-6a0f61bf94be@gmail.com> (raw)
In-Reply-To: <CAPnjgZ35k-1AmhjbjM6UquPuE+FoMkMZMN9rdNb1J_HDEQFqFA@mail.gmail.com>
On 1/7/21 11:31 AM, Simon Glass wrote:
> Hi Alex,
>
> On Thu, 7 Jan 2021 at 09:44, Alex G. <mr.nuke.me@gmail.com> wrote:
>>
>>
>>
>> On 1/7/21 6:35 AM, Simon Glass wrote:
>>> Hi Alexandru,
>>>
>>> On Wed, 30 Dec 2020 at 14:00, Alexandru Gagniuc <mr.nuke.me@gmail.com> wrote:
>>>>
>>>> Add a test to make sure that the ECDSA signatures generated by
>>>> mkimage can be verified successfully. pyCryptodomex was chosen as the
>>>> crypto library because it integrates much better with python code.
>>>> Using openssl would have been unnecessarily painful.
>>>>
>>>> Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
>>>> ---
>>>> test/py/tests/test_fit_ecdsa.py | 111 ++++++++++++++++++++++++++++++++
>>>> 1 file changed, 111 insertions(+)
>>>> create mode 100644 test/py/tests/test_fit_ecdsa.py
>>>>
>>>
>>> This test looks fine but the functions need full comments. I do think
>>> it might be worth putting the code in test_vboot, particularly when
>>> you get to the sandbox implementation.
>>
>> test_vboot seems to be testing the bootm command, while with this test
>
> It also runs fit_check_sign to check the signature.
Hmm, it backends on tools/check_fit_sign. Would be an interesting
execrise to extend it ecdsa signatures, but that would take
significantly more effort than the simple test I am proposing here.
>> I'm only looking to test the host-side (mkimage). In the next series, I
>> won't have a software implementation of ECDSA, like RSA_MOD_EXP. I will
>> use the ROM on the stm32mp. So there won't be somthing testable in the
>> sandbox.
>
> I'm not sure that is a good idea. With driver model you'll end up
> creating a ECDSA driver I suppose, so implementing it for sandbox
> should be possible. Is it a complicated algorithm?
A software implementation of ECDSA is outside the scope of my project.
> Without that, I'm not even sure how fit_check_sign could work?
It uses the ops->verify in ecdsa-libcrypto, does it not?
>
> [..]
>
> Regards,
> Simon
>
prev parent reply other threads:[~2021-01-07 18:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 21:00 [PATCH RFC v2 0/5] Add support for ECDSA image signing (with test) Alexandru Gagniuc
2020-12-30 21:00 ` [PATCH RFC v2 1/5] lib: Rename rsa-checksum.c to hash-checksum.c Alexandru Gagniuc
2021-01-07 12:35 ` Simon Glass
2020-12-30 21:00 ` [PATCH RFC v2 2/5] lib/rsa: Make fdt_add_bignum() available outside of RSA code Alexandru Gagniuc
2021-01-07 12:35 ` Simon Glass
2020-12-30 21:00 ` [PATCH RFC v2 3/5] lib: Add support for ECDSA image signing Alexandru Gagniuc
2021-01-07 12:35 ` Simon Glass
2021-01-07 16:27 ` Alex G.
2021-01-07 17:25 ` Tom Rini
2021-01-07 22:24 ` Alex G.
2021-01-07 17:29 ` Simon Glass
2021-01-07 19:56 ` Alex G.
2020-12-30 21:00 ` [PATCH RFC v2 4/5] doc: signature.txt: Document devicetree format for ECDSA keys Alexandru Gagniuc
2021-01-07 12:35 ` Simon Glass
2020-12-30 21:00 ` [PATCH RFC v2 5/5] test/py: ecdsa: Add test for mkimage ECDSA signing Alexandru Gagniuc
2021-01-07 12:35 ` Simon Glass
2021-01-07 16:44 ` Alex G.
2021-01-07 17:31 ` Simon Glass
2021-01-07 18:44 ` Alex G. [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=85673082-07b8-79b1-9e8e-6a0f61bf94be@gmail.com \
--to=mr.nuke.me@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox