On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> >rsa_verify() will be extended to be able to perform RSA decryption without
> >additional RSA key properties from FIT image, i.e. rr and n0inv.
> >
> >Signed-off-by: AKASHI Takahiro <[email protected]>
> >Reviewed-by: Simon Glass <[email protected]>
>
> The patch series does not build for some configurations.
>
> >--- > > lib/rsa/Kconfig | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > >diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig > >index 03ffa2969048..71e4c06bf883 100644 > >--- a/lib/rsa/Kconfig > >+++ b/lib/rsa/Kconfig > >@@ -30,6 +30,20 @@ config RSA_VERIFY > > help > > Add RSA signature verification support. > > > >+config RSA_VERIFY_WITH_PKEY
>
> For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> I get an error:
This error is inevitable as both RSA_VERIFY_WITH_PKEY and
RSA_PUBLIC_KEY_PARSER are "select"able configurations with visible
prompts and then we should generally avoid potential illegal
configurations; The one should NOT forcibly select the other as
the kernel kconfig document suggests.

# Note:
# select should be used with care. select will force
# a symbol to a value without visiting the dependencies.
# By abusing select you are able to select a symbol FOO even
# if FOO depends on BAR that is not set.
# In general use select only for non-visible symbols
# (no prompts anywhere) and for symbols with no dependencies.
# That will limit the usefulness but on the other hand avoid
# the illegal configurations all over.

-Takahiro Akashi

> lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
>
> RSA_PUBLIC_KEY_PARSER depends on
> ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
>
> Please, fix the dependencies.
>
> Best regards
>
> Heinrich
>
> >+ bool "Execute RSA verification without key parameters from FDT" > >+ depends on RSA > >+ help > >+ The standard RSA-signature verification code (FIT_SIGNATURE) uses > >+ pre-calculated key properties, that are stored in fdt blob, in > >+ decrypting a signature. > >+ This does not suit the use case where there is no way defined to > >+ provide such additional key properties in standardized form, > >+ particularly UEFI secure boot. > >+ This options enables RSA signature verification with a public key > >+ directly specified in image_sign_info, where all the necessary > >+ key properties will be calculated on the fly in verification code. > >+ > > config RSA_SOFTWARE_EXP > > bool "Enable driver for RSA Modular Exponentiation in software" > > depends on DM > >
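
Review bot: The new RSA_VERIFY_WITH_PKEY entry carries only "depends on RSA", so nothing in Kconfig prevents the combination reported in this thread (RSA_VERIFY_WITH_PKEY=y with RSA_PUBLIC_KEY_PARSER=n), which ends in the undefined reference to rsa_parse_pub_key at link time. Since both symbols have visible prompts, a "depends on RSA_PUBLIC_KEY_PARSER" line on the new entry would state the requirement without resorting to select, which is what the quoted kconfig note advises against, and it would hide the option until the parser and its own dependencies (ASYMMETRIC_KEY_TYPE, ASYMMETRIC_PUBLIC_KEY_SUBTYPE) are enabled. The help text should also say so, because a user who needs this verification path for UEFI secure boot otherwise has no hint which options to turn on first. Minor: in the help text, "This options enables" should read "This option enables".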

