Hi Robie,

>> mkimage on jammy doesn't support RSA3072.
> This does not explain the impact on users. Please explain why the regression
> risk of changing a stable release is justified.

Users cannot sign the fitimage with RSA3072.
Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050

>> Create a test fitimage and sign with rsa3072 algorithm.
> How?

Please see test cases in the bug description.

1. Test case 1
Two new sandbox tests are added for verifying algo "sha384,rsa3072".

2. Test case 2
$ sudo mkimage -F -k keydir -f fdt.its test.dtb
I'll sign the test fitimage with rsa3072. For fdt.its, please see the attached file.

** Attachment added: "fdt.its"
   https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/2078395/+attachment/5813558/+files/fdt.its

** Description changed:

[Impact] The mkimage command is used to create images for use with the U-Boot boot loader. - mkimage on jammy doesn't support RSA3072. + mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072. - The patch for adding RSA3072 support + Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support. + The patch for adding RSA3072 support: https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050 [Test case] Test Case 1: 1. Install packages required for the sandbox test $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome 2. Run sandbox test to check if two new test cases for sha384 pass. $ ./test/py/test.py --bd sandbox --build test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@ TESTDATA = [ - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], - ['sha256-pss-required', 'sha256', '-pss', None, True, False], - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], + ['sha256-pss-required', 'sha256', '-pss', None, True, False], + ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha384-basic', 'sha384', '', None, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], - ] + ] https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest- suite Test Case 2: Create a test fitimage and sign with rsa3072 algorithm. $ sudo mkimage -F -k keydir -f fdt.its test.dtb [Where problems could occur] The regression risk should be low because this patch just adds RSA3072 support. [Other Info] The patch is already in Noble, so we only need to backport to Jammy

https://bugs.launchpad.net/bugs/2078395
Title: [SRU] Add RSA3072 support to jammy
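Review bot: the two added TESTDATA rows, 'sha384-basic' and 'sha384-pad', both carry an empty padding field and False, False in the last two columns, so the hunk gives sha384 no counterpart to the existing 'sha256-pss-pad', 'sha256-pss-required' and 'sha256-pss-pad-required' rows. If RSA3072 signing is expected to work with '-pss' padding and with the True variants of those flags, add matching 'sha384-pss*' and '*-required' rows, or say in the test case that those combinations are out of scope for this SRU. The rows also name only the hash, and nothing in the visible lines shows the 3072-bit key being selected, so Test Case 1 should state where "sha384,rsa3072" is set and which two test names are expected to pass in the test.py output.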
