** Description changed: [Impact] The mkimage command is used to create images for use with the U-Boot boot loader. mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072. + + Here is the error message: + $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb + Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node + mkimage Can't add hashes to FIT blob: -1 Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support. The patch for adding RSA3072 support: https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050 [Test case] Test Case 1: 1. Install packages required for the sandbox test $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome 2. Run sandbox test to check if two new test cases for sha384 pass. $ ./test/py/test.py --bd sandbox --build test/py/tests/test_vboot.py @@ -45,6 +45,8 @@ TESTDATA = [ ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], ['sha256-pss-required', 'sha256', '-pss', None, True, False], ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha384-basic', 'sha384', '', None, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], ] https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest- suite Test Case 2: Create a test fitimage and sign with rsa3072 algorithm. $ sudo mkimage -F -k keydir -f fdt.its test.dtb [Where problems could occur] The regression risk should be low because this patch just adds RSA3072 support. [Other Info] The patch is already in Noble, so we only need to backport to Jammy
** Description changed: [Impact] The mkimage command is used to create images for use with the U-Boot boot loader. mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072. Here is the error message: $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node mkimage Can't add hashes to FIT blob: -1 Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support. The patch for adding RSA3072 support: https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050 [Test case] Test Case 1: 1. Install packages required for the sandbox test $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome 2. Run sandbox test to check if two new test cases for sha384 pass. $ ./test/py/test.py --bd sandbox --build test/py/tests/test_vboot.py 
@@ -45,6 +45,8 @@ TESTDATA = [ ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], ['sha256-pss-required', 'sha256', '-pss', None, True, False], ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha384-basic', 'sha384', '', None, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], ] https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest- suite Test Case 2: Create a test fitimage and sign with rsa3072 algorithm. - $ sudo mkimage -F -k keydir -f fdt.its test.dtb + $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb + FIT description: Flattened Device Tree blob + Created: Thu Sep 5 13:32:52 2024 + Image 0 (fdt-mediatek_genio-510-evk.dtb) + Description: Flattened Device Tree blob + ... + Sign algo: sha256,rsa3072:u-boot-img + Default Configuration: 'conf-mediatek_genio-510-evk.dtb' + Configuration 0 (conf-mediatek_genio-510-evk.dtb) + Description: FDT blob + Kernel: unavailable + FDT: fdt-mediatek_genio-510-evk.dtb + Hash algo: sha256 + Hash value: unavailable + Sign algo: sha256,rsa3072:u-boot + ... [Where problems could occur] The regression risk should be low because this patch just adds RSA3072 support. [Other Info] The patch is already in Noble, so we only need to backport to Jammy ** Description changed: [Impact] The mkimage command is used to create images for use with the U-Boot boot loader. mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072. Here is the error message: - $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb + $ mkimage -F -k /home/ethan/keys/ -f fdt.its fdt.its apusys.dtbo Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node mkimage Can't add hashes to FIT blob: -1 Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support. 
The patch for adding RSA3072 support: https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050 [Test case] Test Case 1: 1. Install packages required for the sandbox test $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome 2. Run sandbox test to check if two new test cases for sha384 pass. $ ./test/py/test.py --bd sandbox --build test/py/tests/test_vboot.py 
@@ -45,6 +45,8 @@ TESTDATA = [ ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], ['sha256-pss-required', 'sha256', '-pss', None, True, False], ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], + ['sha384-basic', 'sha384', '', None, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], ] https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest- suite Test Case 2: Create a test fitimage and sign with rsa3072 algorithm. $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb FIT description: Flattened Device Tree blob Created: Thu Sep 5 13:32:52 2024 - Image 0 (fdt-mediatek_genio-510-evk.dtb) - Description: Flattened Device Tree blob + Image 0 (fdt-mediatek_genio-510-evk.dtb) + Description: Flattened Device Tree blob ... - Sign algo: sha256,rsa3072:u-boot-img - Default Configuration: 'conf-mediatek_genio-510-evk.dtb' - Configuration 0 (conf-mediatek_genio-510-evk.dtb) - Description: FDT blob - Kernel: unavailable - FDT: fdt-mediatek_genio-510-evk.dtb - Hash algo: sha256 - Hash value: unavailable - Sign algo: sha256,rsa3072:u-boot + Sign algo: sha256,rsa3072:u-boot-img + Default Configuration: 'conf-mediatek_genio-510-evk.dtb' + Configuration 0 (conf-mediatek_genio-510-evk.dtb) + Description: FDT blob + Kernel: unavailable + FDT: fdt-mediatek_genio-510-evk.dtb + Hash algo: sha256 + Hash value: unavailable + Sign algo: sha256,rsa3072:u-boot ... [Where problems could occur] The regression risk should be low because this patch just adds RSA3072 support. [Other Info] The patch is already in Noble, so we only need to backport to Jammy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2078395 Title: [SRU] Add RSA3072 support to jammy
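Review bot: Test Case 1 never ties the sha384 cases to RSA3072. The quoted test_vboot.py hunk adds only 'sha384-basic' and 'sha384-pad', and the step says to check that "two new test cases for sha384 pass", but nothing in the description says which RSA key size those cases sign with. Since the SRU is about rsa3072, say explicitly that these entries exercise an rsa3072 key, or paste the expected pytest result lines, so whoever verifies the backport can tell the new algorithm was actually covered and not just the SHA-384 digest.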
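Review bot: Test Case 2 is not reproducible by anyone else as written. The second description change replaces the generic `sudo mkimage -F -k keydir -f fdt.its test.dtb` with a command that depends on /home/ethan/keys/ and a board-specific genio-510-evk.dtb, and there is no step for generating the 3072-bit key or showing the signature node in fdt.its. The failure under [Impact] is also reported for the 'fdt-mediatek_apusys.dtbo' image node, while the sample output shows only genio-510-evk nodes with the rest elided. Please add the key-generation step and the relevant fdt.its fragment, and show the "Sign algo: sha256,rsa3072" line for the same image node that failed before the patch.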
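Review bot: The third description change leaves a doubled argument in the failing command under [Impact]: `mkimage -F -k /home/ethan/keys/ -f fdt.its fdt.its apusys.dtbo` passes `fdt.its` twice, so the command as recorded no longer matches the single-output form used everywhere else in the description. If the intent was only to switch the output file to match the 'fdt-mediatek_apusys.dtbo' node named in the error, drop the repeated `fdt.its` so the reproduction command can be copied as-is.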
