From: "Marko Mäkelä" <marko.makela@iki.fi>
To: u-boot@lists.denx.de
Subject: How to use ECDSA for signature verification?
Date: Mon, 13 Oct 2025 21:36:44 +0300
Message-ID: <aO1GvGrXUw-co84_@kehys.lan>
Hi all,
Yesterday, I successfully built the u-boot master branch with
CONFIG_FIT_SIGNATURE=y and CONFIG_RSA=y and got the signature
verification working with sha256,rsa2048.
Today, I wanted to try out CONFIG_ECDSA=y, but I am facing some trouble.
I am generating the key and trying to add its public part to the device
tree blob as with fdt_add_pubkey as follows:

  openssl ecparam -name secp521r1 -genkey -noout -out dev-private.pem
  openssl ec -in dev-private.pem -pubout -out dev.pem
  cd u-boot
  make ...
  cp u-boot.dtb u-pubkey.dtb
  tools/fdt_add_pubkey -a sha512,secp521r1 -n dev -k .. -r conf u-pubkey.dtb

The next step would be to run make EXT_DTB=u-pubkey.dtb ... so that the
public key will be embedded and the signature verification will be
enabled in the final u-boot.img.
Alas, the fdt_add_pubkey command would crash in SIGSEGV in alloc_ctx().
I figured out that the hash algorithm is not being looked up and
assigned. Maybe this is not necessary for the -a sha256,rsa2048 which I
was successfully using previously. The following patch fixes the
SIGSEGV:
diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
index 5582d7a8efe..4f7028cc15c 100644
--- a/tools/fdt_add_pubkey.c
+++ b/tools/fdt_add_pubkey.c
@@ -73,9 +73,10 @@ static void reset_info(struct image_sign_info *info)
info->keyname = keyname;
info->name = algo_name;
info->require_keys = require_keys;
+ info->checksum = image_get_checksum_algo(algo_name);
info->crypto = image_get_crypto_algo(algo_name);
- if (!info->crypto) {
+ if (!info->checksum || !info->crypto) {
fprintf(stderr, "Unsupported signature algorithm '%s'\n",
algo_name);
exit(EXIT_FAILURE);
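Review bot: the merged condition `if (!info->checksum || !info->crypto)` reports both failures with the single message "Unsupported signature algorithm '%s'", so a user passing e.g. `sha512,secp521r1` cannot tell whether the hash half or the crypto half of the name was not recognized. Since the point of this change is that the checksum lookup was previously missing altogether, consider checking `info->checksum` separately right after the new `image_get_checksum_algo(algo_name)` call and printing a distinct "Unsupported hash algorithm" message for that case, keeping the existing message for the crypto lookup.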
However, with the above patch applied, I am facing the next trouble:

  tools/fdt_add_pubkey -a sha512,secp521r1 -n dev -k .. -r conf u-boot-key.dtb
  Can not read key from '../dev.pem'
  tools/fdt_add_pubkey: Cannot add public key to FIT blob: Unknown error -5

In GDB, I can see that read_key() in lib/ecdsa/ecdsa-libcrypto.c would
invoke PEM_read_PrivateKey(), which I assume will fail, because
../dev.pem only contains a public key. In the planned deployment, the
private key would be private to an HSM or an external service. Moreover,
I do not understand why fdt_add_pubkey would attempt to access a private
key in the first place; that should only be needed for signing the
fitImage. Both prepare_ctx() and ecdsa_add_verify_data() would return
-5, which main() is reporting to stderr.
Has some way of using ECDSA based signature verification been tested?
The reason why I would like to avoid RSA is that it is not thought to be
quantum-secure, or secure against a cryptanalytic attack by a quantum
computer.
With best regards,
Marko Mäkelä
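The following script is an added example and is not part of the message above nor of U-Boot. It reproduces the key-generation steps from the message (the `openssl ecparam` / `openssl ec -pubout` pair) and then illustrates the second problem described: a PEM file produced with `-pubout` carries only a `PUBLIC KEY` block, so OpenSSL's private-key reader rejects it while the public-key reader accepts it. The `openssl pkey` invocations stand in for the `PEM_read_PrivateKey()` (no `-pubin`) and `PEM_read_PUBKEY()` (`-pubin`) paths; the function names, the scratch directory and the use of the `openssl` CLI are assumptions of this example, and it does not run `fdt_add_pubkey`.

```shell
#!/bin/sh
# Added example (not from the original post or from U-Boot). It needs the
# openssl command-line tool and writes into an assumed scratch directory.
set -u

WORK="${TMPDIR:-/tmp}/ecdsa-pubkey-demo.$$"   # assumed scratch directory

# gen_keys: generate a secp521r1 key pair exactly as in the post and split
# off the public half into dev.pem. Returns 0 on success.
gen_keys() {
    mkdir -p "$WORK" &&
    openssl ecparam -name secp521r1 -genkey -noout \
        -out "$WORK/dev-private.pem" 2>/dev/null &&
    openssl ec -in "$WORK/dev-private.pem" -pubout \
        -out "$WORK/dev.pem" 2>/dev/null
}

# pem_kind FILE: print "private", "public" or "unknown" from the PEM armor,
# so a caller can see which kind of reader the file is suitable for.
pem_kind() {
    if grep -q -e '-----BEGIN EC PRIVATE KEY-----' \
               -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo private
    elif grep -q -e '-----BEGIN PUBLIC KEY-----' "$1"; then
        echo public
    else
        echo unknown
    fi
}

# reads_as_private FILE: 0 if OpenSSL's private-key parser accepts FILE
# (the same class of reader as PEM_read_PrivateKey), non-zero otherwise.
reads_as_private() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# reads_as_public FILE: 0 if OpenSSL's public-key parser accepts FILE
# (the counterpart of PEM_read_PUBKEY), non-zero otherwise.
reads_as_public() {
    openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1
}

# curve_of FILE: print the named curve of a public-key PEM (e.g. secp521r1),
# handy for checking that the key matches the "-a sha512,secp521r1" choice.
curve_of() {
    openssl pkey -pubin -in "$1" -text -noout 2>/dev/null |
        sed -n 's/^ASN1 OID: //p'
}

cleanup() { rm -rf "$WORK"; }

# Usage: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    gen_keys || exit 1
    echo "dev-private.pem: $(pem_kind "$WORK/dev-private.pem")"
    echo "dev.pem:         $(pem_kind "$WORK/dev.pem")"
    if reads_as_private "$WORK/dev.pem"; then
        echo "dev.pem is readable as a private key (unexpected)"
    else
        echo "dev.pem is NOT readable as a private key: a private-key reader fails here"
    fi
    if reads_as_public "$WORK/dev.pem"; then
        echo "dev.pem is readable as a public key, curve $(curve_of "$WORK/dev.pem")"
    fi
    cleanup
fi
```

The split between `reads_as_private` and `reads_as_public` is the check worth keeping around: a tool that only needs to embed a verification key should succeed on a file for which the second function returns 0 and the first fails, which is exactly the situation with the `dev.pem` produced by `openssl ec -pubout`.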
2025-10-13 18:36 Marko Mäkelä [this message]
2025-11-08 17:24 ` How to use ECDSA for signature verification? Marko Mäkelä
2025-11-11 4:22 ` Anshul Dalal
2025-11-11 15:56 ` Marko Mäkelä
2026-02-03 5:32 ` Anshul Dalal