Public exponentiation which is required in rsa verify
functionality is currently tightly integrated with
verification code in rsa_verify.c. Currently this
implementation is software based. Some platforms
having support of the exponentiation in hardware.
To enable the rsa verify functionality to use the
Modular exponentiation if present in hardware, the
patch-set splits the file into two files:
1. rsa-verify.c
- The file parses device tree keys node to fill a keyprop
structure. The keyprop structure can then be converted
to implementation specific formal (struct rsa_pub_key
for sw implementation).
- The parsed device tree node is then passed to a generic
rsa_mod_exp function.
2. rsa-mod-exp.c
Move the software specific functions related to exponentiation
from rsa-verify.c to this file. The file is compiled if
CONFIG_RSA_MOD_EXP_SW is defined. In general if both
CONFIG_FIT_SIGNATURE and CONFIG_RSA are defined,
CONFIG_RSA_MOD_EXP_SW gets automatically defined.
Platforms having hardware implementation for rsa_mod_exp can
add a define CONFIG_RSA_MOD_EXP_HW to their config files.
Adding this defined, undefs the CONFIG_RSA_MOD_EXP_SW and
hardware implementation of mod_exp gets compiled.
Signed-off-by: Ruchika Gupta ruchika.gu...@freescale.com
CC: Simon Glass s...@chromium.org
---
Changes in v2:
Addressed few of Simon Glass's comments:
- Kconfig option added for RSA
- Comments added for new keyprop struct
Kconfig | 2 +
include/config_fallbacks.h | 8 ++
include/u-boot/rsa-mod-exp.h | 34 +
lib/Kconfig | 15 +++
lib/rsa/Makefile | 1 +
lib/rsa/rsa-mod-exp.c| 308 +++
lib/rsa/rsa-verify.c | 307 +-
tools/Makefile | 2 +-
8 files changed, 399 insertions(+), 278 deletions(-)
create mode 100644 include/u-boot/rsa-mod-exp.h
create mode 100644 lib/rsa/rsa-mod-exp.c
diff --git a/Kconfig b/Kconfig
index 153ee2b..82b14bd 100644
--- a/Kconfig
+++ b/Kconfig
@@ -101,6 +101,7 @@ config TPL
help
If you want to build TPL as well as the normal image and SPL, say Y.
+
config FIT
bool Support Flattened Image Tree
depends on !SPL_BUILD
@@ -118,6 +119,7 @@ config FIT_VERBOSE
config FIT_SIGNATURE
bool Enabel signature verification of FIT uImages
depends on FIT
+ select RSA
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA.
diff --git a/include/config_fallbacks.h b/include/config_fallbacks.h
index ddfe045..b46bef9 100644
--- a/include/config_fallbacks.h
+++ b/include/config_fallbacks.h
@@ -83,6 +83,14 @@
#define CONFIG_SYS_PBSIZE (CONFIG_SYS_CBSIZE + 128)
#endif
+/* This can be removed once all platforms move to defconfig
+ * option to enable FIT_SIGNATURE
+ */
+#if defined(CONFIG_FIT_SIGNATURE) defined(CONFIG_RSA) \
+ !defined(CONFIG_RSA_MOD_EXP_HW) !defined(CONFIG_RSA_MOD_EXP_SW)
+#define CONFIG_RSA_MOD_EXP_SW
+#endif
+
#ifndef CONFIG_FIT_SIGNATURE
#define CONFIG_IMAGE_FORMAT_LEGACY
#endif
diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
new file mode 100644
index 000..0d2ccd6
--- /dev/null
+++ b/include/u-boot/rsa-mod-exp.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, Ruchika Gupta.
+ *
+ * SPDX-License-Identifier:GPL-2.0+
+*/
+
+#ifndef _RSA_MOD_EXP_H
+#define _RSA_MOD_EXP_H
+
+#include errno.h
+#include image.h
+
+/**
+ * struct key_prop - holder for a public key properties
+ *
+ * The struct has pointers to modulus (Typically called N),
+ * The inverse, R^2, exponent. These can be typecasted and
+ * used as byte arrays or converted to the required format
+ * as per requirement of RSA implementation.
+ *
+ */
+struct key_prop {
+ const void *rr; /* R^2 can be treated as byte array */
+ const void *modulus;/* modulus as byte array */
+ const void *public_exponent; /* public exponent as byte array */
+ uint32_t n0inv; /* -1 / modulus[0] mod 2^32 */
+ int num_bits; /* Key length in bits */
+ uint32_t exp_len; /* Exponent length in number of uint8_t */
+};
+
+int rsa_mod_exp(const uint8_t *sig, uint32_t sig_len,
+ struct key_prop *node, uint8_t *out);
+
+#endif
diff --git a/lib/Kconfig b/lib/Kconfig
index 8460439..a921bb3 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -27,4 +27,19 @@ config SYS_HZ
get_timer() must operate in milliseconds and this option must be
set to 1000.
+config RSA
+ bool Use RSA Library
+ help
+ RSA support
+
+if RSA
+
+config RSA_MOD_EXP_SW
+ depends on RSA
+ bool Implement RSA Modular Exponentiation in software
+ default y
+ help
+ Modular Exponentiation support in SW
+
+endif
endmenu
diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index a5a96cb6..ccc6060 100644
---