Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hi Heiko, On 26 January 2014 22:45, Heiko Schocher wrote: > Hello Simon, > > Am 26.01.2014 22:10, schrieb Simon Glass: > >> Hi Heiko, >> >> On 24 January 2014 23:44, Heiko Schocher wrote: >>> >>> based on patch from andr...@oetken.name: >>> >>> http://patchwork.ozlabs.org/patch/294318/ >> >> >> Should probably add the full commit message in here. > > > Ok, do this in v2. > > >>> - removed checkpatch warnings >>> - removed compiler warnings >>> - rebased against current head >>> >>> Signed-off-by: Heiko Schocher >>> Cc: Simon Glass >>> Cc: andr...@oetken.name >>> --- >>> common/image-sig.c | 33 + >>> include/image.h| 21 +++ >>> include/rsa-checksum.h | 25 + >>> include/rsa.h | 25 + >>> lib/rsa/Makefile | 2 +- >>> lib/rsa/rsa-checksum.c | 98 >>> ++ >>> lib/rsa/rsa-sign.c | 10 +++--- >>> lib/rsa/rsa-verify.c | 83 +- >>> 8 files changed, 233 insertions(+), 64 deletions(-) >>> create mode 100644 include/rsa-checksum.h >>> create mode 100644 lib/rsa/rsa-checksum.c > > [...] > >>> diff --git a/include/rsa.h b/include/rsa.h >>> index add4c78..adf809b 100644 >>> --- a/include/rsa.h >>> +++ b/include/rsa.h >>> @@ -15,6 +15,20 @@ >>> #include >>> #include >>> >>> +/** >>> + * struct rsa_public_key - holder for a public key >>> + * >>> + * An RSA public key consists of a modulus (typically called N), the >>> inverse >>> + * and R^2, where R is 2^(# key bits). >>> + */ >>> + >>> +struct rsa_public_key { >>> + uint len;/* Length of modulus[] in number of uint32_t */ >>> + uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */ >>> + uint32_t *modulus;/* modulus as little endian array */ >>> + uint32_t *rr;/* R^2 as little endian array */ >>> +}; >>> + >>> #if IMAGE_ENABLE_SIGN >>> /** >>>* sign() - calculate and return signature for given input data 
>>> @@ -80,6 +94,10 @@ static inline int rsa_add_verify_data(struct >>> image_sign_info *info, >>> int rsa_verify(struct image_sign_info *info, >>> const struct image_region region[], int region_count, >>> uint8_t *sig, uint sig_len); >>> + >>> +int rsa_verify_256(struct image_sign_info *info, >>> + const struct image_region region[], int region_count, >>> + uint8_t *sig, uint sig_len); >> >> >> Do we need to create this as a separate function? It seems a bit icky. >> Can rsa_verify() not handle both? > > > Good catch! I never defined rsa_verify_256(), remove this in v2. > > >>> #else >>> static inline int rsa_verify(struct image_sign_info *info, >>> const struct image_region region[], int region_count, >>> @@ -87,6 +105,13 @@ static inline int rsa_verify(struct image_sign_info >>> *info, >>> { >>> return -ENXIO; >>> } >>> + >>> +static inline int rsa_verify_256(struct image_sign_info *info, >>> + const struct image_region region[], int region_count, >>> + uint8_t *sig, uint sig_len) >>> +{ >>> + return -ENXIO; >>> +} >>> #endif >>> >>> #endif > > [...] > >> Also can you please update the tests to include a sha256 test? > > > You mean the "test/vboot/vboot_test.sh" ? Yes, you could expand this, or convert to Python if you prefer. Regards, Simon ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hello Simon, Am 26.01.2014 22:10, schrieb Simon Glass: Hi Heiko, On 24 January 2014 23:44, Heiko Schocher wrote: based on patch from andr...@oetken.name: http://patchwork.ozlabs.org/patch/294318/ Should probably add the full commit message in here. Ok, do this in v2. - removed checkpatch warnings - removed compiler warnings - rebased against current head Signed-off-by: Heiko Schocher Cc: Simon Glass Cc: andr...@oetken.name --- common/image-sig.c | 33 + include/image.h| 21 +++ include/rsa-checksum.h | 25 + include/rsa.h | 25 + lib/rsa/Makefile | 2 +- lib/rsa/rsa-checksum.c | 98 ++ lib/rsa/rsa-sign.c | 10 +++--- lib/rsa/rsa-verify.c | 83 +- 8 files changed, 233 insertions(+), 64 deletions(-) create mode 100644 include/rsa-checksum.h create mode 100644 lib/rsa/rsa-checksum.c [...] diff --git a/include/rsa.h b/include/rsa.h index add4c78..adf809b 100644 --- a/include/rsa.h +++ b/include/rsa.h @@ -15,6 +15,20 @@ #include #include +/** + * struct rsa_public_key - holder for a public key + * + * An RSA public key consists of a modulus (typically called N), the inverse + * and R^2, where R is 2^(# key bits). + */ + +struct rsa_public_key { + uint len;/* Length of modulus[] in number of uint32_t */ + uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */ + uint32_t *modulus;/* modulus as little endian array */ + uint32_t *rr;/* R^2 as little endian array */ +}; + #if IMAGE_ENABLE_SIGN /** * sign() - calculate and return signature for given input data 
@@ -80,6 +94,10 @@ static inline int rsa_add_verify_data(struct image_sign_info *info, int rsa_verify(struct image_sign_info *info, const struct image_region region[], int region_count, uint8_t *sig, uint sig_len); + +int rsa_verify_256(struct image_sign_info *info, + const struct image_region region[], int region_count, + uint8_t *sig, uint sig_len); Do we need to create this as a separate function? It seems a bit icky. Can rsa_verify() not handle both? Good catch! I never defined rsa_verify_256(), remove this in v2. #else static inline int rsa_verify(struct image_sign_info *info, const struct image_region region[], int region_count, @@ -87,6 +105,13 @@ static inline int rsa_verify(struct image_sign_info *info, { return -ENXIO; } + +static inline int rsa_verify_256(struct image_sign_info *info, + const struct image_region region[], int region_count, + uint8_t *sig, uint sig_len) +{ + return -ENXIO; +} #endif #endif [...] Also can you please update the tests to include a sha256 test? You mean the "test/vboot/vboot_test.sh" ? bye, Heiko -- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
Hi Heiko, On 24 January 2014 23:44, Heiko Schocher wrote: > based on patch from andr...@oetken.name: > > http://patchwork.ozlabs.org/patch/294318/ Should probably add the full commit message in here. > > - removed checkpatch warnings > - removed compiler warnings > - rebased against current head > > Signed-off-by: Heiko Schocher > Cc: Simon Glass > Cc: andr...@oetken.name > --- > common/image-sig.c | 33 + > include/image.h| 21 +++ > include/rsa-checksum.h | 25 + > include/rsa.h | 25 + > lib/rsa/Makefile | 2 +- > lib/rsa/rsa-checksum.c | 98 > ++ > lib/rsa/rsa-sign.c | 10 +++--- > lib/rsa/rsa-verify.c | 83 +- > 8 files changed, 233 insertions(+), 64 deletions(-) > create mode 100644 include/rsa-checksum.h > create mode 100644 lib/rsa/rsa-checksum.c > > diff --git a/common/image-sig.c b/common/image-sig.c > index 973b06d..8b212a7 100644 > --- a/common/image-sig.c > +++ b/common/image-sig.c > @@ -14,15 +14,47 @@ DECLARE_GLOBAL_DATA_PTR; > #endif /* !USE_HOSTCC*/ > #include > #include > +#include > > #define IMAGE_MAX_HASHED_NODES 100 > > +#if defined(CONFIG_FIT_SIGNATURE) > +struct checksum_algo checksum_algos[] = { > + { > + "sha1", > + SHA1_SUM_LEN, > +#if IMAGE_ENABLE_SIGN > + EVP_sha1, > +#else > + sha1_calculate, > + padding_sha1_rsa2048, > +#endif > + }, > + { > + "sha256", > + SHA256_SUM_LEN, > +#if IMAGE_ENABLE_SIGN > + EVP_sha256, > +#else > + sha256_calculate, > + padding_sha256_rsa2048, > +#endif > + } > +}; > struct image_sig_algo image_sig_algos[] = { > { > "sha1,rsa2048", > rsa_sign, > rsa_add_verify_data, > rsa_verify, > + &checksum_algos[0], > + }, > + { > + "sha256,rsa2048", > + rsa_sign, > + rsa_add_verify_data, > + rsa_verify, > + &checksum_algos[1], > } > }; > > @@ -407,3 +439,4 @@ int fit_config_verify(const void *fit, int conf_noffset) > return !fit_config_verify_required_sigs(fit, conf_noffset, > gd_fdt_blob()); > } > +#endif > diff --git a/include/image.h b/include/image.h > index f001a5f..eb3429f 100644 > --- a/include/image.h 
> +++ b/include/image.h > @@ -832,6 +832,7 @@ int calculate_hash(const void *data, int data_len, const > char *algo, > # ifdef USE_HOSTCC > # define IMAGE_ENABLE_SIGN1 > # define IMAGE_ENABLE_VERIFY 0 > +# include > #else > # define IMAGE_ENABLE_SIGN0 > # define IMAGE_ENABLE_VERIFY 1 > @@ -871,6 +872,23 @@ struct image_region { > int size; > }; > > +#if IMAGE_ENABLE_VERIFY > +# include > +#endif > +struct checksum_algo { > + const char *name; > + const int checksum_len; > +#if IMAGE_ENABLE_SIGN > + const EVP_MD *(*calculate)(void); > +#else > +#if IMAGE_ENABLE_VERIFY > + void (*calculate)(const struct image_region region[], > + int region_count, uint8_t *checksum); > + const uint8_t *rsa_padding; > +#endif > +#endif > +}; > + > struct image_sig_algo { > const char *name; /* Name of algorithm */ > > @@ -921,6 +939,9 @@ struct image_sig_algo { > int (*verify)(struct image_sign_info *info, > const struct image_region region[], int region_count, > uint8_t *sig, uint sig_len); > + > + /* pointer to checksum algorithm */ > + struct checksum_algo *checksum; > }; > > /** > diff --git a/include/rsa-checksum.h b/include/rsa-checksum.h > new file mode 100644 > index 000..12494a6 > --- /dev/null > +++ b/include/rsa-checksum.h > @@ -0,0 +1,25 @@ > +/* > + * Copyright (c) 2013, Andreas Oetken. > + * > + * SPDX-License-Identifier:GPL-2.0+ > +*/ > + > +#ifndef _RSA_CHECKSUM_H > +#define _RSA_CHECKSUM_H > + > +#include > +#include > +#include > +#include > + > +#if IMAGE_ENABLE_VERIFY > +extern const uint8_t padding_sha256_rsa2048[]; > +extern const uint8_t padding_sha1_rsa2048[]; > + > +void sha256_calculate(const struct image_region region[], int region_count, > + uint8_t *checksum); > +void sha1_calculate(const struct image_region region[], int region_count, > + uint8_t *checksum); > +#endif > + > +#endif > diff --git a/include/rsa.h b/include/rsa.h > index add4c78..adf809b 100644 > --- a/include/rsa.h > +++ b/include/rsa.h 
> @@ -15,6 +15,20 @@ > #include > #include > > +/** > + * struct rsa_public_key - holder for a public key > + * > + * An RSA public key consists of a modulus (typically called N), the inverse > + * and R^2, where R is 2^(# key bits). > + */
[U-Boot] [PATCH 4/7] rsa: add sha256-rsa2048 algorithm
based on patch from andr...@oetken.name: http://patchwork.ozlabs.org/patch/294318/ - removed checkpatch warnings - removed compiler warnings - rebased against current head Signed-off-by: Heiko Schocher Cc: Simon Glass Cc: andr...@oetken.name --- common/image-sig.c | 33 + include/image.h| 21 +++ include/rsa-checksum.h | 25 + include/rsa.h | 25 + lib/rsa/Makefile | 2 +- lib/rsa/rsa-checksum.c | 98 ++ lib/rsa/rsa-sign.c | 10 +++--- lib/rsa/rsa-verify.c | 83 +- 8 files changed, 233 insertions(+), 64 deletions(-) create mode 100644 include/rsa-checksum.h create mode 100644 lib/rsa/rsa-checksum.c diff --git a/common/image-sig.c b/common/image-sig.c index 973b06d..8b212a7 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -14,15 +14,47 @@ DECLARE_GLOBAL_DATA_PTR; #endif /* !USE_HOSTCC*/ #include #include +#include #define IMAGE_MAX_HASHED_NODES 100 +#if defined(CONFIG_FIT_SIGNATURE) +struct checksum_algo checksum_algos[] = { + { + "sha1", + SHA1_SUM_LEN, +#if IMAGE_ENABLE_SIGN + EVP_sha1, +#else + sha1_calculate, + padding_sha1_rsa2048, +#endif + }, + { + "sha256", + SHA256_SUM_LEN, +#if IMAGE_ENABLE_SIGN + EVP_sha256, +#else + sha256_calculate, + padding_sha256_rsa2048, +#endif + } +}; struct image_sig_algo image_sig_algos[] = { { "sha1,rsa2048", rsa_sign, rsa_add_verify_data, rsa_verify, + &checksum_algos[0], + }, + { + "sha256,rsa2048", + rsa_sign, + rsa_add_verify_data, + rsa_verify, + &checksum_algos[1], } }; @@ -407,3 +439,4 @@ int fit_config_verify(const void *fit, int conf_noffset) return !fit_config_verify_required_sigs(fit, conf_noffset, gd_fdt_blob()); } +#endif diff --git a/include/image.h b/include/image.h index f001a5f..eb3429f 100644 --- a/include/image.h +++ b/include/image.h @@ -832,6 +832,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, # ifdef USE_HOSTCC # define IMAGE_ENABLE_SIGN1 # define IMAGE_ENABLE_VERIFY 0 +# include #else # define IMAGE_ENABLE_SIGN0 # define IMAGE_ENABLE_VERIFY 1 
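Review bot: The two tables in the first common/image-sig.c hunk are filled with positional initializers, while `struct checksum_algo` changes its member list under `#if IMAGE_ENABLE_SIGN`. The binding of a hash function and its padding to an algorithm name therefore depends on member order staying in step across two files. Designated initializers would make that binding explicit, e.g. `.name = "sha256", .checksum_len = SHA256_SUM_LEN, .calculate = sha256_calculate, .rsa_padding = padding_sha256_rsa2048,`. The `&checksum_algos[0]` and `&checksum_algos[1]` references are likewise tied to array order, so I would add a comment on `checksum_algos[]` saying that `image_sig_algos[]` relies on it. The `#endif` added in the last hunk of this file would read better as `#endif /* CONFIG_FIT_SIGNATURE */`.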
@@ -871,6 +872,23 @@ struct image_region { int size; }; +#if IMAGE_ENABLE_VERIFY +# include +#endif +struct checksum_algo { + const char *name; + const int checksum_len; +#if IMAGE_ENABLE_SIGN + const EVP_MD *(*calculate)(void); +#else +#if IMAGE_ENABLE_VERIFY + void (*calculate)(const struct image_region region[], + int region_count, uint8_t *checksum); + const uint8_t *rsa_padding; +#endif +#endif +}; + struct image_sig_algo { const char *name; /* Name of algorithm */ @@ -921,6 +939,9 @@ struct image_sig_algo { int (*verify)(struct image_sign_info *info, const struct image_region region[], int region_count, uint8_t *sig, uint sig_len); + + /* pointer to checksum algorithm */ + struct checksum_algo *checksum; }; /** diff --git a/include/rsa-checksum.h b/include/rsa-checksum.h new file mode 100644 index 000..12494a6 --- /dev/null +++ b/include/rsa-checksum.h @@ -0,0 +1,25 @@ +/* + * Copyright (c) 2013, Andreas Oetken. + * + * SPDX-License-Identifier:GPL-2.0+ +*/ + +#ifndef _RSA_CHECKSUM_H +#define _RSA_CHECKSUM_H + +#include +#include +#include +#include + +#if IMAGE_ENABLE_VERIFY +extern const uint8_t padding_sha256_rsa2048[]; +extern const uint8_t padding_sha1_rsa2048[]; + +void sha256_calculate(const struct image_region region[], int region_count, + uint8_t *checksum); +void sha1_calculate(const struct image_region region[], int region_count, + uint8_t *checksum); +#endif + +#endif diff --git a/include/rsa.h b/include/rsa.h index add4c78..adf809b 100644 --- a/include/rsa.h +++ b/include/rsa.h 
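Review bot: In the `struct checksum_algo` hunk, neither `calculate(region, region_count, checksum)` nor `rsa_padding` carries a length, so a verifier has to assume the output buffer holds `checksum_len` bytes and must work out the padding length itself. The padding arrays are declared in include/rsa-checksum.h as `extern const uint8_t padding_sha256_rsa2048[];` with no bound, so callers cannot use `sizeof` on them either. I would add a length member beside the pointer, e.g. `const int pad_len;`, and document on `calculate` that `checksum` must point to at least `checksum_len` bytes. The callers in lib/rsa/rsa-verify.c are not visible here, so it should be confirmed that their digest buffer is sized for SHA256_SUM_LEN rather than SHA1_SUM_LEN.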
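Review bot: The `checksum` member added in the `struct image_sig_algo` hunk points to a mutable object, although nothing in the hunks shown here writes through it. Declaring it `const struct checksum_algo *checksum;` would allow `checksum_algos[]` in common/image-sig.c to be `const` as well. That keeps the hash function pointers and padding pointers used during signature verification out of writable data. The struct definition begins outside this hunk, so the remaining members were not reviewed.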
@@ -15,6 +15,20 @@ #include #include +/** + * struct rsa_public_key - holder for a public key + * + * An RSA public key consists of a modulus (typically called N), the inverse + * and R^2, where R is 2^(# key bits). + */ + +struct rsa_public_key { + uint len;/* Length of modulus[] in number of uint32_t */ + uint32_t n0inv;/* -1 / modulus[0] mod 2^32 */ + uint32_t *modulus;/* modulus as little endian array */ + uint32_t *rr;/* R^2 as little endian array */ +}; + #if IMAGE_ENABLE_SIGN /** * sign() - calculate and return signature for given input data @@ -80,6 +94,10 @@ static inline int rsa_add_verify_data
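Review bot: The comment on `rr` in the `struct rsa_public_key` hunk does not say how many words the array holds, and `len` is documented only as the length of `modulus[]`. Now that the struct sits in a public header, I would state the bound for both pointers; if `rr` is also `len` words, something like `uint32_t *rr; /* R^2 as little endian array, len words */`. The blank added line between the kernel-doc block and `struct rsa_public_key {` should also go, so that the comment stays attached to the definition.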