From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [RFC 2/3] lib: rsa: generate additional parameters for public key
Date: Thu, 3 Oct 2019 10:34:33 +0300	[thread overview]
Message-ID: <20191003073433.GA15509@apalos.home> (raw)
In-Reply-To: <20190906070808.1198-3-takahiro.akashi@linaro.org>

On Fri, Sep 06, 2019 at 04:08:07PM +0900, AKASHI Takahiro wrote:
> In the current implementation of FIT_SIGNATURE, five parameters for
> a RSA public key are required while only two of them are essential.
> (See rsa-mod-exp.h and uImage.FIT/signature.txt)
> This is a result of considering relatively limited computer power
> and resources on embedded systems, while such an assumption may not
> be quite practical for other use cases.
> 
> In this patch, added is a function, rsa_gen_key_prop(), which will
> generate additional parameters for other uses, in particular
> UEFI secure boot, on the fly.
> 
> Note: the current code uses some "big number" routines from BearSSL
> for the calculation.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  include/u-boot/rsa-mod-exp.h |   3 +
>  lib/rsa/Makefile             |   2 +-
>  lib/rsa/rsa-keyprop.c        | 631 +++++++++++++++++++++++++++++++++++
>  3 files changed, 635 insertions(+), 1 deletion(-)
>  create mode 100644 lib/rsa/rsa-keyprop.c
> 
> diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
> index 8a428c4b6a1a..ca189292d869 100644
> --- a/include/u-boot/rsa-mod-exp.h
> +++ b/include/u-boot/rsa-mod-exp.h
> @@ -26,6 +26,9 @@ struct key_prop {
>  	uint32_t exp_len;	/* Exponent length in number of uint8_t */
>  };
>  
> +struct key_prop *rsa_gen_key_prop(const void *key, uint32_t keylen);
> +void rsa_free_key_prop(struct key_prop *prop);
> +
>  /**
>   * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
>   *
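Review bot: The two prototypes added after `struct key_prop` have no kernel-doc, while `rsa_mod_exp_sw()` directly below them does, so a caller cannot tell what encoding `key` must be in, what is returned on failure, or who releases the result. I would add a `/** rsa_gen_key_prop() - ... */` block naming the expected key format, the unit of `keylen` (presumably bytes, matching the `exp_len` convention above; to be confirmed), the failure return, and that the returned `struct key_prop` is to be released with `rsa_free_key_prop()`. For `rsa_free_key_prop()` a short comment such as `/* Release a key_prop obtained from rsa_gen_key_prop() */`, plus a word on whether NULL is accepted, would do.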
> --- /dev/null
> +++ b/lib/rsa/rsa-keyprop.c
> @@ -0,0 +1,631 @@
> +

[...]

> +/* stripped version of src/inner.h */
> +
> +static inline unsigned
> +br_dec16be(const void *src)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	return ((const br_union_u16 *)src)->u;
> +#else
> +	const unsigned char *buf;
> +
> +	buf = src;
> +	return ((unsigned)buf[0] << 8) | (unsigned)buf[1];
> +#endif
> +}
> +
> +static inline uint32_t
> +br_dec32be(const void *src)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	return ((const br_union_u32 *)src)->u;
> +#else
> +	const unsigned char *buf;
> +
> +	buf = src;
> +	return ((uint32_t)buf[0] << 24)
> +		| ((uint32_t)buf[1] << 16)
> +		| ((uint32_t)buf[2] << 8)
> +		| (uint32_t)buf[3];
> +#endif
> +}
> +
> +static inline void
> +br_enc32be(void *dst, uint32_t x)
> +{
> +#if 0 /* BR_BE_UNALIGNED */
> +	((br_union_u32 *)dst)->u = x;
> +#else
> +	unsigned char *buf;
> +
> +	buf = dst;
> +	buf[0] = (unsigned char)(x >> 24);
> +	buf[1] = (unsigned char)(x >> 16);
> +	buf[2] = (unsigned char)(x >> 8);
> +	buf[3] = (unsigned char)x;
> +#endif
> +}
> +

There's no U-Boot API for the above?

> +static inline uint32_t
> +NOT(uint32_t ctl)
> +{
> +	return ctl ^ 1;
> +}

Ditto

> +
> +static inline uint32_t
> +MUX(uint32_t ctl, uint32_t x, uint32_t y)
> +{
> +	return y ^ (-ctl & (x ^ y));
> +}
> +
> +static inline uint32_t
> +EQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return NOT((q | -q) >> 31);
> +}
> +
> +static inline uint32_t
> +NEQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return (q | -q) >> 31;
> +}
> +
> +static inline uint32_t
> +GT(uint32_t x, uint32_t y)
> +{
> +	/*
> +	 * If both x < 2^31 and x < 2^31, then y-x will have its high

The second one should be y < 2^31

> +	 * bit set if x > y, cleared otherwise.
> +	 *
> +}
> +
> +struct key_prop *rsa_gen_key_prop(const void *key, uint32_t keylen)
> +{
> +	struct key_prop *prop;
> +	struct rsa_key rsa_key;
> +#define BR_MAX_RSA_SIZE 4096
> +	uint32_t *n, *rr, *rrtmp;
> +	int rlen, i, ret;
> +	prop->n0inv = br_i32_ninv32(n[1]);
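Review bot: `prop->n0inv = br_i32_ninv32(n[1]);` takes the low word of a modulus decoded from the caller-supplied `key`, and nothing in the quoted lines shows that word being checked for oddness or the decoded length being checked against `BR_MAX_RSA_SIZE`. The body of `rsa_gen_key_prop()` is largely elided in this reply, so the checks may exist further up; if they do not, the function should reject such a key before the Montgomery parameters are computed, e.g. an `if (!(n[1] & 1))` test leading to the function's error path, and likewise for a modulus longer than `BR_MAX_RSA_SIZE` bits. Since this feeds signature verification, a malformed key should fail closed rather than yield a `key_prop` with a meaningless `n0inv`. Separately, `#define BR_MAX_RSA_SIZE 4096` inside the function body would read better at file scope.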
> -- 
> 2.21.0
> 
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot


Regards
/Ilias
