Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hi Heiko,
On 26 January 2014 22:45, Heiko Schocher wrote:
> Hello Simon,
>
> Am 26.01.2014 22:10, schrieb Simon Glass:
>
>> Hi Heiko,
>>
>> On 24 January 2014 23:44, Heiko Schocher wrote:
>>>
>>> based on patch from andr...@oetken.name:
>>>
>>> http://patchwork.ozlabs.org/patch/294318/
>>
>>
>> Should probably add the full commit message in here.
>
>
> Ok, do this in v2.
>
>
>>> - removed checkpatch warnings
>>> - removed compiler warnings
>>> - rebased against current head
>>>
>>> Signed-off-by: Heiko Schocher
>>> Cc: Simon Glass
>>> Cc: andr...@oetken.name
>>> ---
>>> common/image-sig.c | 33 +
>>> include/image.h| 21 +++
>>> include/rsa-checksum.h | 25 +
>>> include/rsa.h | 25 +
>>> lib/rsa/Makefile | 2 +-
>>> lib/rsa/rsa-checksum.c | 98
>>> ++
>>> lib/rsa/rsa-sign.c | 10 +++---
>>> lib/rsa/rsa-verify.c | 83 +-
>>> 8 files changed, 233 insertions(+), 64 deletions(-)
>>> create mode 100644 include/rsa-checksum.h
>>> create mode 100644 lib/rsa/rsa-checksum.c
>
> [...]
>
>>> diff --git a/include/rsa.h b/include/rsa.h
>>> index add4c78..adf809b 100644
>>> --- a/include/rsa.h
>>> +++ b/include/rsa.h
>>> @@ -15,6 +15,20 @@
>>> #include
>>> #include
>>>
>>> +/**
>>> + * struct rsa_public_key - holder for a public key
>>> + *
>>> + * An RSA public key consists of a modulus (typically called N), the
>>> inverse
>>> + * and R^2, where R is 2^(# key bits).
>>> + */
>>> +
>>> +struct rsa_public_key {
>>> + uint len;/* Length of modulus[] in number of uint32_t */
>>> + uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */
>>> + uint32_t *modulus;/* modulus as little endian array */
>>> + uint32_t *rr;/* R^2 as little endian array */
>>> +};
>>> +
>>> #if IMAGE_ENABLE_SIGN
>>> /**
>>>* sign() - calculate and return signature for given input data
>>> @@ -80,6 +94,10 @@ static inline int rsa_add_verify_data(struct
>>> image_sign_info *info,
>>> int rsa_verify(struct image_sign_info *info,
>>> const struct image_region region[], int region_count,
>>> uint8_t *sig, uint sig_len);
>>> +
>>> +int rsa_verify_256(struct image_sign_info *info,
>>> + const struct image_region region[], int region_count,
>>> + uint8_t *sig, uint sig_len);
>>
>>
>> Do we need to create this as a separate function? It seems a bit icky.
>> Can rsa_verify() not handle both?
>
>
> Good catch! I never defined rsa_verify_256(), remove this in v2.
>
>
>>> #else
>>> static inline int rsa_verify(struct image_sign_info *info,
>>> const struct image_region region[], int region_count,
>>> @@ -87,6 +105,13 @@ static inline int rsa_verify(struct image_sign_info
>>> *info,
>>> {
>>> return -ENXIO;
>>> }
>>> +
>>> +static inline int rsa_verify_256(struct image_sign_info *info,
>>> + const struct image_region region[], int region_count,
>>> + uint8_t *sig, uint sig_len)
>>> +{
>>> + return -ENXIO;
>>> +}
>>> #endif
>>>
>>> #endif
>
> [...]
>
>> Also can you please update the tests to include a sha256 test?
>
>
> You mean the "test/vboot/vboot_test.sh" ?
Yes, you could expand this, or convert to Python if you prefer.
Regards,
Simon
___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hello Simon,
Am 26.01.2014 22:10, schrieb Simon Glass:
Hi Heiko,
On 24 January 2014 23:44, Heiko Schocher wrote:
based on patch from andr...@oetken.name:
http://patchwork.ozlabs.org/patch/294318/
Should probably add the full commit message in here.
Ok, do this in v2.
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: Heiko Schocher
Cc: Simon Glass
Cc: andr...@oetken.name
---
common/image-sig.c | 33 +
include/image.h| 21 +++
include/rsa-checksum.h | 25 +
include/rsa.h | 25 +
lib/rsa/Makefile | 2 +-
lib/rsa/rsa-checksum.c | 98 ++
lib/rsa/rsa-sign.c | 10 +++---
lib/rsa/rsa-verify.c | 83 +-
8 files changed, 233 insertions(+), 64 deletions(-)
create mode 100644 include/rsa-checksum.h
create mode 100644 lib/rsa/rsa-checksum.c
[...]
diff --git a/include/rsa.h b/include/rsa.h
index add4c78..adf809b 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -15,6 +15,20 @@
#include
#include
+/**
+ * struct rsa_public_key - holder for a public key
+ *
+ * An RSA public key consists of a modulus (typically called N), the inverse
+ * and R^2, where R is 2^(# key bits).
+ */
+
+struct rsa_public_key {
+ uint len;/* Length of modulus[] in number of uint32_t */
+ uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */
+ uint32_t *modulus;/* modulus as little endian array */
+ uint32_t *rr;/* R^2 as little endian array */
+};
+
#if IMAGE_ENABLE_SIGN
/**
* sign() - calculate and return signature for given input data
@@ -80,6 +94,10 @@ static inline int rsa_add_verify_data(struct image_sign_info
*info,
int rsa_verify(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len);
+
+int rsa_verify_256(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len);
Do we need to create this as a separate function? It seems a bit icky.
Can rsa_verify() not handle both?
Good catch! I never defined rsa_verify_256(), remove this in v2.
#else
static inline int rsa_verify(struct image_sign_info *info,
const struct image_region region[], int region_count,
@@ -87,6 +105,13 @@ static inline int rsa_verify(struct image_sign_info *info,
{
return -ENXIO;
}
+
+static inline int rsa_verify_256(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len)
+{
+ return -ENXIO;
+}
#endif
#endif
[...]
Also can you please update the tests to include a sha256 test?
You mean the "test/vboot/vboot_test.sh" ?
bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hi Heiko,
On 24 January 2014 23:44, Heiko Schocher wrote:
> based on patch from andr...@oetken.name:
>
> http://patchwork.ozlabs.org/patch/294318/
Should probably add the full commit message in here.
>
> - removed checkpatch warnings
> - removed compiler warnings
> - rebased against current head
>
> Signed-off-by: Heiko Schocher
> Cc: Simon Glass
> Cc: andr...@oetken.name
> ---
> common/image-sig.c | 33 +
> include/image.h| 21 +++
> include/rsa-checksum.h | 25 +
> include/rsa.h | 25 +
> lib/rsa/Makefile | 2 +-
> lib/rsa/rsa-checksum.c | 98
> ++
> lib/rsa/rsa-sign.c | 10 +++---
> lib/rsa/rsa-verify.c | 83 +-
> 8 files changed, 233 insertions(+), 64 deletions(-)
> create mode 100644 include/rsa-checksum.h
> create mode 100644 lib/rsa/rsa-checksum.c
>
> diff --git a/common/image-sig.c b/common/image-sig.c
> index 973b06d..8b212a7 100644
> --- a/common/image-sig.c
> +++ b/common/image-sig.c
> @@ -14,15 +14,47 @@ DECLARE_GLOBAL_DATA_PTR;
> #endif /* !USE_HOSTCC*/
> #include
> #include
> +#include
>
> #define IMAGE_MAX_HASHED_NODES 100
>
> +#if defined(CONFIG_FIT_SIGNATURE)
> +struct checksum_algo checksum_algos[] = {
> + {
> + "sha1",
> + SHA1_SUM_LEN,
> +#if IMAGE_ENABLE_SIGN
> + EVP_sha1,
> +#else
> + sha1_calculate,
> + padding_sha1_rsa2048,
> +#endif
> + },
> + {
> + "sha256",
> + SHA256_SUM_LEN,
> +#if IMAGE_ENABLE_SIGN
> + EVP_sha256,
> +#else
> + sha256_calculate,
> + padding_sha256_rsa2048,
> +#endif
> + }
> +};
> struct image_sig_algo image_sig_algos[] = {
> {
> "sha1,rsa2048",
> rsa_sign,
> rsa_add_verify_data,
> rsa_verify,
> + &checksum_algos[0],
> + },
> + {
> + "sha256,rsa2048",
> + rsa_sign,
> + rsa_add_verify_data,
> + rsa_verify,
> + &checksum_algos[1],
> }
> };
>
> @@ -407,3 +439,4 @@ int fit_config_verify(const void *fit, int conf_noffset)
> return !fit_config_verify_required_sigs(fit, conf_noffset,
> gd_fdt_blob());
> }
> +#endif
> diff --git a/include/image.h b/include/image.h
> index f001a5f..eb3429f 100644
> --- a/include/image.h
> +++ b/include/image.h
> @@ -832,6 +832,7 @@ int calculate_hash(const void *data, int data_len, const
> char *algo,
> # ifdef USE_HOSTCC
> # define IMAGE_ENABLE_SIGN1
> # define IMAGE_ENABLE_VERIFY 0
> +# include
> #else
> # define IMAGE_ENABLE_SIGN0
> # define IMAGE_ENABLE_VERIFY 1
> @@ -871,6 +872,23 @@ struct image_region {
> int size;
> };
>
> +#if IMAGE_ENABLE_VERIFY
> +# include
> +#endif
> +struct checksum_algo {
> + const char *name;
> + const int checksum_len;
> +#if IMAGE_ENABLE_SIGN
> + const EVP_MD *(*calculate)(void);
> +#else
> +#if IMAGE_ENABLE_VERIFY
> + void (*calculate)(const struct image_region region[],
> + int region_count, uint8_t *checksum);
> + const uint8_t *rsa_padding;
> +#endif
> +#endif
> +};
> +
> struct image_sig_algo {
> const char *name; /* Name of algorithm */
>
> @@ -921,6 +939,9 @@ struct image_sig_algo {
> int (*verify)(struct image_sign_info *info,
> const struct image_region region[], int region_count,
> uint8_t *sig, uint sig_len);
> +
> + /* pointer to checksum algorithm */
> + struct checksum_algo *checksum;
> };
>
> /**
> diff --git a/include/rsa-checksum.h b/include/rsa-checksum.h
> new file mode 100644
> index 000..12494a6
> --- /dev/null
> +++ b/include/rsa-checksum.h
> @@ -0,0 +1,25 @@
> +/*
> + * Copyright (c) 2013, Andreas Oetken.
> + *
> + * SPDX-License-Identifier:GPL-2.0+
> +*/
> +
> +#ifndef _RSA_CHECKSUM_H
> +#define _RSA_CHECKSUM_H
> +
> +#include
> +#include
> +#include
> +#include
> +
> +#if IMAGE_ENABLE_VERIFY
> +extern const uint8_t padding_sha256_rsa2048[];
> +extern const uint8_t padding_sha1_rsa2048[];
> +
> +void sha256_calculate(const struct image_region region[], int region_count,
> + uint8_t *checksum);
> +void sha1_calculate(const struct image_region region[], int region_count,
> + uint8_t *checksum);
> +#endif
> +
> +#endif
> diff --git a/include/rsa.h b/include/rsa.h
> index add4c78..adf809b 100644
> --- a/include/rsa.h
> +++ b/include/rsa.h
> @@ -15,6 +15,20 @@
> #include
> #include
>
> +/**
> + * struct rsa_public_key - holder for a public key
> + *
> + * An RSA public key consists of a modulus (typically called N), the inverse
> + * and R^2, where R is 2^(# key bits).
> + */
[U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
based on patch from andr...@oetken.name:
http://patchwork.ozlabs.org/patch/294318/
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: Heiko Schocher
Cc: Simon Glass
Cc: andr...@oetken.name
---
common/image-sig.c | 33 +
include/image.h| 21 +++
include/rsa-checksum.h | 25 +
include/rsa.h | 25 +
lib/rsa/Makefile | 2 +-
lib/rsa/rsa-checksum.c | 98 ++
lib/rsa/rsa-sign.c | 10 +++---
lib/rsa/rsa-verify.c | 83 +-
8 files changed, 233 insertions(+), 64 deletions(-)
create mode 100644 include/rsa-checksum.h
create mode 100644 lib/rsa/rsa-checksum.c
diff --git a/common/image-sig.c b/common/image-sig.c
index 973b06d..8b212a7 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -14,15 +14,47 @@ DECLARE_GLOBAL_DATA_PTR;
#endif /* !USE_HOSTCC*/
#include
#include
+#include
#define IMAGE_MAX_HASHED_NODES 100
+#if defined(CONFIG_FIT_SIGNATURE)
+struct checksum_algo checksum_algos[] = {
+ {
+ "sha1",
+ SHA1_SUM_LEN,
+#if IMAGE_ENABLE_SIGN
+ EVP_sha1,
+#else
+ sha1_calculate,
+ padding_sha1_rsa2048,
+#endif
+ },
+ {
+ "sha256",
+ SHA256_SUM_LEN,
+#if IMAGE_ENABLE_SIGN
+ EVP_sha256,
+#else
+ sha256_calculate,
+ padding_sha256_rsa2048,
+#endif
+ }
+};
struct image_sig_algo image_sig_algos[] = {
{
"sha1,rsa2048",
rsa_sign,
rsa_add_verify_data,
rsa_verify,
+ &checksum_algos[0],
+ },
+ {
+ "sha256,rsa2048",
+ rsa_sign,
+ rsa_add_verify_data,
+ rsa_verify,
+ &checksum_algos[1],
}
};
@@ -407,3 +439,4 @@ int fit_config_verify(const void *fit, int conf_noffset)
return !fit_config_verify_required_sigs(fit, conf_noffset,
gd_fdt_blob());
}
+#endif
diff --git a/include/image.h b/include/image.h
index f001a5f..eb3429f 100644
--- a/include/image.h
+++ b/include/image.h
@@ -832,6 +832,7 @@ int calculate_hash(const void *data, int data_len, const
char *algo,
# ifdef USE_HOSTCC
# define IMAGE_ENABLE_SIGN1
# define IMAGE_ENABLE_VERIFY 0
+# include
#else
# define IMAGE_ENABLE_SIGN0
# define IMAGE_ENABLE_VERIFY 1
@@ -871,6 +872,23 @@ struct image_region {
int size;
};
+#if IMAGE_ENABLE_VERIFY
+# include
+#endif
+struct checksum_algo {
+ const char *name;
+ const int checksum_len;
+#if IMAGE_ENABLE_SIGN
+ const EVP_MD *(*calculate)(void);
+#else
+#if IMAGE_ENABLE_VERIFY
+ void (*calculate)(const struct image_region region[],
+ int region_count, uint8_t *checksum);
+ const uint8_t *rsa_padding;
+#endif
+#endif
+};
+
struct image_sig_algo {
const char *name; /* Name of algorithm */
@@ -921,6 +939,9 @@ struct image_sig_algo {
int (*verify)(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len);
+
+ /* pointer to checksum algorithm */
+ struct checksum_algo *checksum;
};
/**
diff --git a/include/rsa-checksum.h b/include/rsa-checksum.h
new file mode 100644
index 000..12494a6
--- /dev/null
+++ b/include/rsa-checksum.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2013, Andreas Oetken.
+ *
+ * SPDX-License-Identifier:GPL-2.0+
+*/
+
+#ifndef _RSA_CHECKSUM_H
+#define _RSA_CHECKSUM_H
+
+#include
+#include
+#include
+#include
+
+#if IMAGE_ENABLE_VERIFY
+extern const uint8_t padding_sha256_rsa2048[];
+extern const uint8_t padding_sha1_rsa2048[];
+
+void sha256_calculate(const struct image_region region[], int region_count,
+ uint8_t *checksum);
+void sha1_calculate(const struct image_region region[], int region_count,
+ uint8_t *checksum);
+#endif
+
+#endif
diff --git a/include/rsa.h b/include/rsa.h
index add4c78..adf809b 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -15,6 +15,20 @@
#include
#include
+/**
+ * struct rsa_public_key - holder for a public key
+ *
+ * An RSA public key consists of a modulus (typically called N), the inverse
+ * and R^2, where R is 2^(# key bits).
+ */
+
+struct rsa_public_key {
+ uint len;/* Length of modulus[] in number of uint32_t */
+ uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */
+ uint32_t *modulus;/* modulus as little endian array */
+ uint32_t *rr;/* R^2 as little endian array */
+};
+
#if IMAGE_ENABLE_SIGN
/**
* sign() - calculate and return signature for given input data
@@ -80,6 +94,10 @@ static inline int rsa_add_verify_data
