From mboxrd@z Thu Jan 1 00:00:00 1970
From: AKASHI Takahiro
Date: Thu, 12 Dec 2019 19:10:34 +0900
Subject: [U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification
In-Reply-To: <20191207002547.GA3484@bill-the-cat>
References: <20191121001121.21854-1-takahiro.akashi@linaro.org> <20191121001121.21854-2-takahiro.akashi@linaro.org> <20191207002547.GA3484@bill-the-cat>
Message-ID: <20191212101033.GE22427@linaro.org>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Tom, Simon,

On Fri, Dec 06, 2019 at 07:25:47PM -0500, Tom Rini wrote:
> On Thu, Nov 21, 2019 at 09:11:16AM +0900, AKASHI Takahiro wrote:
>
> > Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
> > RSA functions from FIT verification and allow for adding a RSA-based
> > signature verification for other file formats, in particular PE file
> > for UEFI secure boot.
> >
> > Signed-off-by: AKASHI Takahiro
> > Reviewed-by: Simon Glass
> > ---
> >  Kconfig                |   1 +
> >  common/Makefile        |   3 +-
> >  common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
> >  common/image-fit.c     |   6 +-
> >  common/image-sig.c     | 396 --------------------------------------
> >  include/image.h        |  13 +-
> >  lib/rsa/Kconfig        |  12 ++
> >  lib/rsa/Makefile       |   2 +-
> >  lib/rsa/rsa-verify.c   |  78 +++++---
> >  tools/Makefile         |   2 +-
> >  10 files changed, 493 insertions(+), 437 deletions(-)
> >  create mode 100644 common/image-fit-sig.c
>
> OK, the way this works today we see things like:
> T1042RDB_PI_NAND_SECURE_BOOT: all +706 data +88 rodata +58 spl/u-boot-spl:all +704 spl/u-boot-spl:data +144 spl/u-boot-spl:text +560 text +560
> u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
>   function                  old   new   delta
>   hash_calculate              -   192    +192
>   padding_pkcs_15_verify      -   184    +184
>   rsa_verify                  -   104    +104
>   crypto_algos                -    40     +40
>   checksum_algos              -    40     +40
>   rsa_sign                    -     8      +8
>   rsa_add_verify_data         -     8      +8
>   padding_algos               -     8      +8
> spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
>   function                  old   new   delta
>   hash_calculate              -   192    +192
>   padding_pkcs_15_verify      -   184    +184
>   rsa_verify                  -   104    +104
>   crypto_algos                -    40     +40
>   checksum_algos              -    40     +40
>   sha256_der_prefix           -    19     +19
>   sha1_der_prefix             -    15     +15
>   rsa_sign                    -     8      +8
>   rsa_add_verify_data         -     8      +8
>   padding_algos               -     8      +8
>
> Which seems wrong, we should be making any changes here opt-in, yes? Thanks!

Okay, I found out what was wrong with my patch.

*But*, it seems to me that lib/rsa/Kconfig, in particular RSA_FREESCALE_EXP,
is weird because CONFIG_RSA as well as RSA_FREESCALE_EXP is enabled in
T1042RDB_PI_NAND_SECURE_BOOT_defconfig, and yet rsa_verify(), which is
the heart of CONFIG_RSA (library), is NOT enabled in the configuration
(for T1042RDB).
So the generated code will have no real user of this crypto driver,
i.e. drivers/crypto/fsl/fsl_rsa.c.

Anyway, I will post a fixed version early next week.

Thanks,
-Takahiro Akashi

> --
> Tom