This series adds the support of ecdsa with software
using mbedtls. So boards without ecdsa hardware may
also use signature with ecdsa.
To add the support of ecdsa with mbedtls, I have:
- enabled ecdsa in mbedtls
- add a function sw_ecdsa_verify that uses mbedtls
- add a driver sw_ecdsa that call sw_ecdsa_verify
I have tested this code with sandbox, and I have
followed those steps:
0) build u-boot using sandbox_defconfig and adding those options:
CONFIG_ECDSA_MBEDTLS=y
CONFIG_ECDSA=y
CONFIG_ECDSA_VERIFY=y
1) add a signature node to an its file
signature-256 {
algo = "sha256,ecdsa256";
key-name-hint = "private-key-256";
};
2) generate an ecdsa key
openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
3) create the itb file
./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
4) launch sandbox u-boot
./u-boot -d arch/sandbox/dts/test.dtb
5) on sandbox u-boot prompt, load the itb and launch bootm on it
=> host load hostfs - 1000000 uboot-ecdsa.itb
4628674 bytes read in 1 ms (4.3 GiB/s)
=> bootm 1000000
...
...
Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
Changes in v2:
- move ECDSA_MBEDTLS to MBEDTLS_LIB_X509
- rename lib/mbedtls/sw_ecdsa.c to lib/mbedtls/ecdsa.c
- enhance dependencies for ECDSA_MBEDTLS
- fix support of ecdsa521/secp521r1
- add vboot test using ecdsa
Changes in v3:
- do not use _MBEDTLS in mbedtls_def_config.h
- check returns and remove mem leak in lib/mbedtls/ecdsa.c
- remove useless field *k in struct ecdsa_test_vector_s
- check returns in test/lib/ecdsa.c
- fix third parameter when calling sha*_csum_wd()
- add support of ecdsa in pre-load header
Changes in v4:
- change some dependencies to enable ecc
- use ECDSA_MBEDTLS to build the ecdsa driver
- support ecdsa521 and secp521r1
- add a test calling ecdsa_verify for the ecdsa class
- merge patch 10 and 11 (support ecdsa pre-load for binman and tests)
- several code cleanup
Change in v5:
- fix ecdsa 521 in the first patch (instead of the 5th patch)
- mbedtls: ecdsa is only compiled when ECDSA_MBEDTLS is enabled
- fit_image_setup_sig: required_keynode is initiazed to -1 instead of 0
- avoid hardcoded value for ecdsa sig and point size
- check pointer before using them
- free ecdsa keys when key are not found/used
Change in v6:
- fix dependencies for ecdsa
- ecdsa is no more mandatory for tls
- remove include u-boot/ecdsa.h in ecdsa-sw.c
- do not use fdt_stderror with -1
-
Change in v7:
- change uint8_t to u8 in test/dm/ecdsa.c
- change info->required_keynode >= 0 in lib/ecdsa/ecdsa-verify.c
- set required_keynode to -1 in test/dm/ecdsa.c
Philippe Reynes (15):
ecdsa: fix support of secp521r1
mbedtls: enable support of ecc
ecdsa: initial support of ecdsa using mbedtls
test: lib: ecdsa: add initial test
drivers: crypto: add software ecdsa support
test: dm: ecdsa.c: clean this test as software ecdsa is now
implemented
test: py: vboot: prepare integration test for ecdsa
test: vboot: add test for ecdsa
tools: fit_image_setup_sig: set required_keynode to -1
tools: mkimage: pre-load: add support of ecdsa
tools: binman: pre-load: add support of ecdsa
boot: pre-load: add support of ecdsa
tools: preload_check_sign: add support of ecdsa
test: py: vboot: prepare test for global signature with ecdsa
test: py: vboot: add test for global signature with ecdsa
boot/image-pre-load.c | 53 +-
configs/sandbox_defconfig | 2 +
drivers/crypto/Makefile | 1 +
drivers/crypto/ecdsa/Makefile | 6 +
drivers/crypto/ecdsa/ecdsa-sw.c | 32 ++
include/crypto/ecdsa-uclass.h | 15 +-
include/crypto/internal/ecdsa.h | 39 ++
lib/ecdsa/Kconfig | 1 +
lib/ecdsa/ecdsa-libcrypto.c | 94 +++-
lib/ecdsa/ecdsa-verify.c | 67 ++-
lib/fdt-libcrypto.c | 2 +-
lib/mbedtls/Kconfig | 24 +
lib/mbedtls/Makefile | 20 +-
lib/mbedtls/ecdsa.c | 146 ++++++
lib/mbedtls/mbedtls_def_config.h | 41 +-
test/dm/ecdsa.c | 109 ++++-
test/lib/Makefile | 1 +
test/lib/ecdsa.c | 456 ++++++++++++++++++
test/py/tests/test_fit_ecdsa.py | 2 +-
test/py/tests/test_vboot.py | 143 +++---
.../tests/vboot/sandbox-binman-ecdsa256.dts | 24 +
.../tests/vboot/sandbox-binman-ecdsa384.dts | 24 +
.../tests/vboot/sandbox-binman-ecdsa521.dts | 24 +
...pss.dts => sandbox-binman-rsa2048-pss.dts} | 0
...-binman.dts => sandbox-binman-rsa2048.dts} | 0
.../vboot/sandbox-u-boot-global-ecdsa256.dts | 27 ++
.../vboot/sandbox-u-boot-global-ecdsa384.dts | 27 ++
.../vboot/sandbox-u-boot-global-ecdsa521.dts | 27 ++
... => sandbox-u-boot-global-rsa2048-pss.dts} | 0
....dts => sandbox-u-boot-global-rsa2048.dts} | 0
....its => sign-configs-sha1-rsa2048-pss.its} | 0
...sha1.its => sign-configs-sha1-rsa2048.its} | 0
.../vboot/sign-configs-sha256-ecdsa256.its | 45 ++
.../vboot/sign-configs-sha256-ecdsa384.its | 45 ++
.../vboot/sign-configs-sha256-ecdsa521.its | 45 ++
... sign-configs-sha256-rsa2048-pss-prod.its} | 0
...ts => sign-configs-sha256-rsa2048-pss.its} | 0
...56.its => sign-configs-sha256-rsa2048.its} | 0
...84.its => sign-configs-sha384-rsa3072.its} | 0
...s.its => sign-images-sha1-rsa2048-pss.its} | 0
...-sha1.its => sign-images-sha1-rsa2048.its} | 0
.../vboot/sign-images-sha256-ecdsa256.its | 42 ++
.../vboot/sign-images-sha256-ecdsa384.its | 42 ++
.../vboot/sign-images-sha256-ecdsa521.its | 42 ++
...its => sign-images-sha256-rsa2048-pss.its} | 0
...256.its => sign-images-sha256-rsa2048.its} | 0
...384.its => sign-images-sha384-rsa3072.its} | 0
tools/binman/etype/pre_load.py | 78 ++-
tools/binman/ftest.py | 50 ++
tools/binman/test/ecdsa521.pem | 7 +
tools/binman/test/security/pre_load_ecdsa.dts | 22 +
.../security/pre_load_ecdsa_invalid_algo.dts | 22 +
.../security/pre_load_ecdsa_invalid_key.dts | 22 +
.../security/pre_load_ecdsa_invalid_sha.dts | 22 +
tools/image-host.c | 93 +++-
tools/image-sig-host.c | 7 +
tools/preload_check_sign.c | 30 ++
57 files changed, 1873 insertions(+), 148 deletions(-)
create mode 100644 drivers/crypto/ecdsa/Makefile
create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
create mode 100644 include/crypto/internal/ecdsa.h
create mode 100644 lib/mbedtls/ecdsa.c
create mode 100644 test/lib/ecdsa.c
create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa256.dts
create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa384.dts
create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa521.dts
rename test/py/tests/vboot/{sandbox-binman-pss.dts =>
sandbox-binman-rsa2048-pss.dts} (100%)
rename test/py/tests/vboot/{sandbox-binman.dts => sandbox-binman-rsa2048.dts}
(100%)
create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa256.dts
create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa384.dts
create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa521.dts
rename test/py/tests/vboot/{sandbox-u-boot-global-pss.dts =>
sandbox-u-boot-global-rsa2048-pss.dts} (100%)
rename test/py/tests/vboot/{sandbox-u-boot-global.dts =>
sandbox-u-boot-global-rsa2048.dts} (100%)
rename test/py/tests/vboot/{sign-configs-sha1-pss.its =>
sign-configs-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha1.its =>
sign-configs-sha1-rsa2048.its} (100%)
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its =>
sign-configs-sha256-rsa2048-pss-prod.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256-pss.its =>
sign-configs-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256.its =>
sign-configs-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha384.its =>
sign-configs-sha384-rsa3072.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1-pss.its =>
sign-images-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1.its =>
sign-images-sha1-rsa2048.its} (100%)
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
rename test/py/tests/vboot/{sign-images-sha256-pss.its =>
sign-images-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha256.its =>
sign-images-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-images-sha384.its =>
sign-images-sha384-rsa3072.its} (100%)
create mode 100644 tools/binman/test/ecdsa521.pem
create mode 100644 tools/binman/test/security/pre_load_ecdsa.dts
create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts
create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_key.dts
create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts
--
2.43.0
