On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:
> Add to support rsa 3072 bits algorithm in tools
> for image sign at host side and adds rsa 3072 bits
> verification in the image binary.
>
> Add test case in vboot for sha384 with rsa3072 algorithm testing.
>
> Signed-off-by: Jamin Lin <jamin_...@aspeedtech.com>
> ---
> include/u-boot/rsa.h | 1 +
> lib/rsa/rsa-verify.c | 6 +++
> test/py/tests/test_vboot.py | 12 +++++-
> test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
> test/py/tests/vboot/sign-images-sha384.its | 42 +++++++++++++++++++
> tools/image-sig-host.c | 7 ++++
> 6 files changed, 111 insertions(+), 2 deletions(-)
> create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
> create mode 100644 test/py/tests/vboot/sign-images-sha384.its
>
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index 7556aa5b4b..bb56c2243c 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
> #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5"
>
> #define RSA2048_BYTES (2048 / 8)
> +#define RSA3072_BYTES (3072 / 8)
> #define RSA4096_BYTES (4096 / 8)
>
> /* This is the minimum/maximum key size we support, in bits */
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 83f7564101..4fe487d7e5 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
> .verify = rsa_verify,
> };
>
> +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> + .name = "rsa3072",
> + .key_len = RSA3072_BYTES,
> + .verify = rsa_verify,
> +};
> +
> U_BOOT_CRYPTO_ALGO(rsa4096) = {
> .name = "rsa4096",
> .key_len = RSA4096_BYTES,
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 095e00cce3..b080d482af 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py 
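Review bot: The new `U_BOOT_CRYPTO_ALGO(rsa3072)` entry in lib/rsa/rsa-verify.c reuses `rsa_verify` unchanged, but nothing in this series touches the checksum side, so verifying a "sha384,rsa3072" signature presumably depends on sha384 (including the DER prefix used for pkcs-1.5 padding) already being registered as a checksum algo elsewhere in the tree; that dependency is not visible in the diff and is worth confirming and stating in the commit message before resubmitting. Whatever signature-length and key-size bounds `rsa_verify` applies are also outside the hunk, as is the min/max key size referenced by the comment at the end of the rsa.h hunk, so it is worth a sentence confirming that 3072-bit keys pass them on both the target and the host path. The U_BOOT_CRYPTO_ALGO table continues outside the hunk.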
> @@ -45,6 +45,8 @@ TESTDATA = [ > ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], > ['sha256-pss-required', 'sha256', '-pss', None, True, False], > ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, > True], > + ['sha384-basic', 'sha384', '', None, False, False], > + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], > ] > > @pytest.mark.boardspec('sandbox') > @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, > sign_options, required, > name: Name of of the key (e.g. 'dev') > """ > public_exponent = 65537 > + > + if sha_algo == "sha384": > + rsa_keygen_bits = 3072 > + else: > + rsa_keygen_bits = 2048 > + > util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key > ' > - '-pkeyopt rsa_keygen_bits:2048 ' > + '-pkeyopt rsa_keygen_bits:%d ' > '-pkeyopt rsa_keygen_pubexp:%d' % > - (tmpdir, name, public_exponent)) > + (tmpdir, name, rsa_keygen_bits, public_exponent)) > > # Create a certificate containing the public key > util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key ' > diff --git a/test/py/tests/vboot/sign-configs-sha384.its > b/test/py/tests/vboot/sign-configs-sha384.its > new file mode 100644 > index 0000000000..2869401991 > --- /dev/null > +++ b/test/py/tests/vboot/sign-configs-sha384.its 
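Review bot: The RSA key size is derived from the hash name by string comparison (`if sha_algo == "sha384": rsa_keygen_bits = 3072`), which silently couples two independent parameters and must agree with the `algo = "sha384,rsa3072"` strings in the new .its fixtures; a mismatch would only surface as a signing or verification failure with no hint of the cause. Prefer an explicit key-size column in TESTDATA passed into test_vboot, or at least document the pairing: `# sha384 rows are paired with a 3072-bit key to match "sha384,rsa3072" in the sha384 .its files`. The added lines also use double quotes where the surrounding file uses single quotes (`'sha384'` in TESTDATA), and the two new rows exercise only pkcs-1.5 padding, so a `sha384-pss` row would cover the PSS path with the larger key. The body of test_vboot continues outside the hunk.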
> @@ -0,0 +1,45 @@ > +/dts-v1/; > + > +/ { > + description = "Chrome OS kernel image with one or more FDT blobs"; > + #address-cells = <1>; > + > + images { > + kernel { > + data = /incbin/("test-kernel.bin"); > + type = "kernel_noload"; > + arch = "sandbox"; > + os = "linux"; > + compression = "none"; > + load = <0x4>; > + entry = <0x8>; > + kernel-version = <1>; > + hash-1 { > + algo = "sha384"; > + }; > + }; > + fdt-1 { > + description = "snow"; > + data = /incbin/("sandbox-kernel.dtb"); > + type = "flat_dt"; > + arch = "sandbox"; > + compression = "none"; > + fdt-version = <1>; > + hash-1 { > + algo = "sha384"; > + }; > + }; > + }; > + configurations { > + default = "conf-1"; > + conf-1 { > + kernel = "kernel"; > + fdt = "fdt-1"; > + signature { > + algo = "sha384,rsa3072"; > + key-name-hint = "dev"; > + sign-images = "fdt", "kernel"; > + }; > + }; > + }; > +}; > diff --git a/test/py/tests/vboot/sign-images-sha384.its > b/test/py/tests/vboot/sign-images-sha384.its > new file mode 100644 > index 0000000000..be1a9a653c > --- /dev/null > +++ b/test/py/tests/vboot/sign-images-sha384.its > @@ -0,0 +1,42 @@ > +/dts-v1/; > + > +/ { > + description = "Chrome OS kernel image with one or more FDT blobs"; > + #address-cells = <1>; > + > + images { > + kernel { > + data = /incbin/("test-kernel.bin"); > + type = "kernel_noload"; > + arch = "sandbox"; > + os = "linux"; > + compression = "none"; > + load = <0x4>; > + entry = <0x8>; > + kernel-version = <1>; > + signature { > + algo = "sha384,rsa3072"; > + key-name-hint = "dev"; > + }; > + }; > + fdt-1 { > + description = "snow"; > + data = /incbin/("sandbox-kernel.dtb"); > + type = "flat_dt"; > + arch = "sandbox"; > + compression = "none"; > + fdt-version = <1>; > + signature { > + algo = "sha384,rsa3072"; > + key-name-hint = "dev"; > + }; > + }; > + }; > + configurations { > + default = "conf-1"; > + conf-1 { > + kernel = "kernel"; > + fdt = "fdt-1"; > + }; > + }; > +}; 
> diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> index 8ed6998dab..d0133aec4c 100644
> --- a/tools/image-sig-host.c
> +++ b/tools/image-sig-host.c
> @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
> .add_verify_data = rsa_add_verify_data,
> .verify = rsa_verify,
> },
> + {
> + .name = "rsa3072",
> + .key_len = RSA3072_BYTES,
> + .sign = rsa_sign,
> + .add_verify_data = rsa_add_verify_data,
> + .verify = rsa_verify,
> + },
> {
> .name = "rsa4096",
> .key_len = RSA4096_BYTES,
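Review bot: The host-side `crypto_algos[]` table in tools/image-sig-host.c and the U_BOOT_CRYPTO_ALGO() entries in lib/rsa/rsa-verify.c now carry the same name/key_len pairs in two places, and nothing enforces that they stay in step; an algorithm present on only one side yields images the target cannot verify or signatures the host cannot produce, which is exactly the kind of drift a signed-boot path should not rely on reviewers to catch. A one-line comment on the array, `/* Keep in sync with the U_BOOT_CRYPTO_ALGO() entries in lib/rsa/rsa-verify.c */`, makes the dependency visible; the array declaration is in the hunk header context, outside the hunk. The three RSA entries differ only in `.name` and `.key_len` and could be emitted by a small macro, though that is optional.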
With current master these tests run and fail: https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me when running locally), please re-check and resubmit, thanks. -- Tom