* [PATCH v3 0/1] rsa: adds rsa3072 algorithm
@ 2021-12-10  6:00 Jamin Lin
  2021-12-10  6:00 ` [PATCH v3 1/1] " Jamin Lin
From: Jamin Lin @ 2021-12-10  6:00 UTC (permalink / raw)
  To: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Thomas Perrot,
	Sean Anderson, open list
  Cc: troy_lee, steven_lee

Add support for the RSA 3072-bit algorithm in the tools, for make-image
signing on the host side, and add RSA 3072-bit verification in the
image binary.

v3:
 - Fix typo
 - Add test case in vboot for rsa3072 testing

v2:
 - update to send a single patch

Jamin Lin (1):
  rsa: adds rsa3072 algorithm

 include/u-boot/rsa.h                        |  1 +
 lib/rsa/rsa-verify.c                        |  6 +++
 test/py/tests/test_vboot.py                 | 12 +++++-
 test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
 test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
 tools/image-sig-host.c                      |  7 ++++
 6 files changed, 111 insertions(+), 2 deletions(-)
 create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
 create mode 100644 test/py/tests/vboot/sign-images-sha384.its

-- 
2.17.1



* [PATCH v3 1/1] rsa: adds rsa3072 algorithm
  2021-12-10  6:00 [PATCH v3 0/1] rsa: adds rsa3072 algorithm Jamin Lin
@ 2021-12-10  6:00 ` Jamin Lin
  2022-01-14 18:14   ` Tom Rini
From: Jamin Lin @ 2021-12-10  6:00 UTC (permalink / raw)
  To: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Sean Anderson,
	Thomas Perrot, open list
  Cc: troy_lee, steven_lee

Add support for the RSA 3072-bit algorithm in the tools, for image
signing on the host side, and add RSA 3072-bit verification in the
image binary.

Add test case in vboot for sha384 with rsa3072 algorithm testing.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 include/u-boot/rsa.h                        |  1 +
 lib/rsa/rsa-verify.c                        |  6 +++
 test/py/tests/test_vboot.py                 | 12 +++++-
 test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
 test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
 tools/image-sig-host.c                      |  7 ++++
 6 files changed, 111 insertions(+), 2 deletions(-)
 create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
 create mode 100644 test/py/tests/vboot/sign-images-sha384.its

diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 7556aa5b4b..bb56c2243c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
 #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
 
 #define RSA2048_BYTES	(2048 / 8)
+#define RSA3072_BYTES	(3072 / 8)
 #define RSA4096_BYTES	(4096 / 8)
 
 /* This is the minimum/maximum key size we support, in bits */
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 83f7564101..4fe487d7e5 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
 	.verify = rsa_verify,
 };
 
+U_BOOT_CRYPTO_ALGO(rsa3072) = {
+	.name = "rsa3072",
+	.key_len = RSA3072_BYTES,
+	.verify = rsa_verify,
+};
+
 U_BOOT_CRYPTO_ALGO(rsa4096) = {
 	.name = "rsa4096",
 	.key_len = RSA4096_BYTES,
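Review bot: The new U_BOOT_CRYPTO_ALGO(rsa3072) entry makes the boot-time verifier accept a 384-byte signature, but nothing in the hunk shows that the size checks rsa_verify relies on admit that length — the key-size bounds declared under the "minimum/maximum key size we support" comment in rsa.h and any signature-length guards or signature-sized stack buffers in this file are outside the hunk and should be confirmed to cover 3072 bits, since a bound that silently rejects makes every rsa3072 image fail to verify while one that is too loose lets an unexpected length through. This entry is the only target-side change, so the failing sha384 tests reported in the thread are probably not caused by this table itself (the author's follow-up shows sha384 failing with rsa2048 as well), but that is inferred rather than visible here. A short comment above the entry would record the coupling: `/* key_len must stay within the key-size bounds in include/u-boot/rsa.h; host-side twin is in tools/image-sig-host.c */`.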
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 095e00cce3..b080d482af 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@ TESTDATA = [
     ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
     ['sha256-pss-required', 'sha256', '-pss', None, True, False],
     ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+    ['sha384-basic', 'sha384', '', None, False, False],
+    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
 ]
 
 @pytest.mark.boardspec('sandbox')
@@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
             name: Name of of the key (e.g. 'dev')
         """
         public_exponent = 65537
+
+        if sha_algo == "sha384":
+            rsa_keygen_bits = 3072
+        else:
+            rsa_keygen_bits = 2048
+
         util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
-                     '-pkeyopt rsa_keygen_bits:2048 '
+                     '-pkeyopt rsa_keygen_bits:%d '
                      '-pkeyopt rsa_keygen_pubexp:%d' %
-                     (tmpdir, name, public_exponent))
+                     (tmpdir, name, rsa_keygen_bits, public_exponent))
 
         # Create a certificate containing the public key
         util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
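Review bot: The key size is chosen by a string comparison `if sha_algo == "sha384":` that uses double quotes in a file otherwise written with single quotes (see the TESTDATA rows and the marker above), and the four-line if/else can be a one-line table that is also easier to extend when another hash/key pairing is added: `rsa_keygen_bits = {'sha384': 3072}.get(sha_algo, 2048)`. The choice itself is not explained; a why-comment such as `# the sha384 .its fixtures name 'sha384,rsa3072' as their signature algo, so the key must be 3072 bits or signing/verification fails on key length` records the coupling with the fixtures. The enclosing helper starts outside the hunk (its docstring ends at the `"""` line here), and `cons` and `tmpdir` come from the outer scope.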
diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
new file mode 100644
index 0000000000..2869401991
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha384.its
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+				sign-images = "fdt", "kernel";
+			};
+		};
+	};
+};
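Review bot: Both new fixtures hard-code `algo = "sha384,rsa3072"` (here and in sign-images-sha384.its, the next hunk) while the matching key size is selected separately in test_vboot.py, so the two can drift without any error until signature verification fails at boot. A one-line comment next to the algo property, `/* key size must match rsa_keygen_bits chosen for sha384 in test_vboot.py */`, makes the dependency visible in the place a maintainer will edit. The author's follow-up says the files were derived from the sha256 fixtures; that is not visible here, so I have not compared them.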
diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
new file mode 100644
index 0000000000..be1a9a653c
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha384.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+		};
+	};
+};
diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
index 8ed6998dab..d0133aec4c 100644
--- a/tools/image-sig-host.c
+++ b/tools/image-sig-host.c
@@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
 		.add_verify_data = rsa_add_verify_data,
 		.verify = rsa_verify,
 	},
+	{
+		.name = "rsa3072",
+		.key_len = RSA3072_BYTES,
+		.sign = rsa_sign,
+		.add_verify_data = rsa_add_verify_data,
+		.verify = rsa_verify,
+	},
 	{
 		.name = "rsa4096",
 		.key_len = RSA4096_BYTES,
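Review bot: The host table now has an rsa3072 row that must stay in lock-step with the U_BOOT_CRYPTO_ALGO(rsa3072) entry added to lib/rsa/rsa-verify.c, and nothing ties the two together: an algo name mkimage accepts but the verifier does not would only surface when the signed image fails at boot. A comment above the new entry, `/* must match the U_BOOT_CRYPTO_ALGO() entries in lib/rsa/rsa-verify.c */`, records that. Whether rsa_sign and rsa_add_verify_data size their buffers from key_len or from the OpenSSL key is not visible in the hunk, so I would confirm that a 3072-bit key yields a 384-byte signature end to end before relying on the new tests. The crypto_algos[] array starts before the hunk.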
-- 
2.17.1



* Re: [PATCH v3 1/1] rsa: adds rsa3072 algorithm
  2021-12-10  6:00 ` [PATCH v3 1/1] " Jamin Lin
@ 2022-01-14 18:14   ` Tom Rini
  2022-01-18  7:02     ` Jamin Lin
From: Tom Rini @ 2022-01-14 18:14 UTC (permalink / raw)
  To: Jamin Lin
  Cc: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Sean Anderson,
	Thomas Perrot, open list, troy_lee, steven_lee


On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:

> Add to support rsa 3072 bits algorithm in tools
> for image sign at host side and adds rsa 3072 bits
> verification in the image binary.
> 
> Add test case in vboot for sha384 with rsa3072 algorithm testing.
> 
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> ---
>  include/u-boot/rsa.h                        |  1 +
>  lib/rsa/rsa-verify.c                        |  6 +++
>  test/py/tests/test_vboot.py                 | 12 +++++-
>  test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
>  test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
>  tools/image-sig-host.c                      |  7 ++++
>  6 files changed, 111 insertions(+), 2 deletions(-)
>  create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
>  create mode 100644 test/py/tests/vboot/sign-images-sha384.its
> 
> diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> index 7556aa5b4b..bb56c2243c 100644
> --- a/include/u-boot/rsa.h
> +++ b/include/u-boot/rsa.h
> @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
>  #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
>  
>  #define RSA2048_BYTES	(2048 / 8)
> +#define RSA3072_BYTES	(3072 / 8)
>  #define RSA4096_BYTES	(4096 / 8)
>  
>  /* This is the minimum/maximum key size we support, in bits */
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 83f7564101..4fe487d7e5 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
>  	.verify = rsa_verify,
>  };
>  
> +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> +	.name = "rsa3072",
> +	.key_len = RSA3072_BYTES,
> +	.verify = rsa_verify,
> +};
> +
>  U_BOOT_CRYPTO_ALGO(rsa4096) = {
>  	.name = "rsa4096",
>  	.key_len = RSA4096_BYTES,
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 095e00cce3..b080d482af 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -45,6 +45,8 @@ TESTDATA = [
>      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
>      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
>      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
> +    ['sha384-basic', 'sha384', '', None, False, False],
> +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
>  ]
>  
>  @pytest.mark.boardspec('sandbox')
> @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
>              name: Name of of the key (e.g. 'dev')
>          """
>          public_exponent = 65537
> +
> +        if sha_algo == "sha384":
> +            rsa_keygen_bits = 3072
> +        else:
> +            rsa_keygen_bits = 2048
> +
>          util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
> -                     '-pkeyopt rsa_keygen_bits:2048 '
> +                     '-pkeyopt rsa_keygen_bits:%d '
>                       '-pkeyopt rsa_keygen_pubexp:%d' %
> -                     (tmpdir, name, public_exponent))
> +                     (tmpdir, name, rsa_keygen_bits, public_exponent))
>  
>          # Create a certificate containing the public key
>          util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
> diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
> new file mode 100644
> index 0000000000..2869401991
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha384.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> +	description = "Chrome OS kernel image with one or more FDT blobs";
> +	#address-cells = <1>;
> +
> +	images {
> +		kernel {
> +			data = /incbin/("test-kernel.bin");
> +			type = "kernel_noload";
> +			arch = "sandbox";
> +			os = "linux";
> +			compression = "none";
> +			load = <0x4>;
> +			entry = <0x8>;
> +			kernel-version = <1>;
> +			hash-1 {
> +				algo = "sha384";
> +			};
> +		};
> +		fdt-1 {
> +			description = "snow";
> +			data = /incbin/("sandbox-kernel.dtb");
> +			type = "flat_dt";
> +			arch = "sandbox";
> +			compression = "none";
> +			fdt-version = <1>;
> +			hash-1 {
> +				algo = "sha384";
> +			};
> +		};
> +	};
> +	configurations {
> +		default = "conf-1";
> +		conf-1 {
> +			kernel = "kernel";
> +			fdt = "fdt-1";
> +			signature {
> +				algo = "sha384,rsa3072";
> +				key-name-hint = "dev";
> +				sign-images = "fdt", "kernel";
> +			};
> +		};
> +	};
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
> new file mode 100644
> index 0000000000..be1a9a653c
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha384.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> +	description = "Chrome OS kernel image with one or more FDT blobs";
> +	#address-cells = <1>;
> +
> +	images {
> +		kernel {
> +			data = /incbin/("test-kernel.bin");
> +			type = "kernel_noload";
> +			arch = "sandbox";
> +			os = "linux";
> +			compression = "none";
> +			load = <0x4>;
> +			entry = <0x8>;
> +			kernel-version = <1>;
> +			signature {
> +				algo = "sha384,rsa3072";
> +				key-name-hint = "dev";
> +			};
> +		};
> +		fdt-1 {
> +			description = "snow";
> +			data = /incbin/("sandbox-kernel.dtb");
> +			type = "flat_dt";
> +			arch = "sandbox";
> +			compression = "none";
> +			fdt-version = <1>;
> +			signature {
> +				algo = "sha384,rsa3072";
> +				key-name-hint = "dev";
> +			};
> +		};
> +	};
> +	configurations {
> +		default = "conf-1";
> +		conf-1 {
> +			kernel = "kernel";
> +			fdt = "fdt-1";
> +		};
> +	};
> +};
> diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> index 8ed6998dab..d0133aec4c 100644
> --- a/tools/image-sig-host.c
> +++ b/tools/image-sig-host.c
> @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
>  		.add_verify_data = rsa_add_verify_data,
>  		.verify = rsa_verify,
>  	},
> +	{
> +		.name = "rsa3072",
> +		.key_len = RSA3072_BYTES,
> +		.sign = rsa_sign,
> +		.add_verify_data = rsa_add_verify_data,
> +		.verify = rsa_verify,
> +	},
>  	{
>  		.name = "rsa4096",
>  		.key_len = RSA4096_BYTES,

With current master these tests run and fail:
https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me
when running locally), please re-check and resubmit, thanks.

-- 
Tom



* Re: [PATCH v3 1/1] rsa: adds rsa3072 algorithm
  2022-01-14 18:14   ` Tom Rini
@ 2022-01-18  7:02     ` Jamin Lin
  2022-01-18  7:09       ` Jamin Lin
From: Jamin Lin @ 2022-01-18  7:02 UTC (permalink / raw)
  To: Tom Rini
  Cc: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Sean Anderson,
	Thomas Perrot, open list, Troy Lee, Steven Lee

The 01/14/2022 18:14, Tom Rini wrote:
> On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:
> 
> > Add to support rsa 3072 bits algorithm in tools
> > for image sign at host side and adds rsa 3072 bits
> > verification in the image binary.
> > 
> > Add test case in vboot for sha384 with rsa3072 algorithm testing.
> > 
> > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> > ---
> >  include/u-boot/rsa.h                        |  1 +
> >  lib/rsa/rsa-verify.c                        |  6 +++
> >  test/py/tests/test_vboot.py                 | 12 +++++-
> >  test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
> >  test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
> >  tools/image-sig-host.c                      |  7 ++++
> >  6 files changed, 111 insertions(+), 2 deletions(-)
> >  create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
> >  create mode 100644 test/py/tests/vboot/sign-images-sha384.its
> > 
> > diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> > index 7556aa5b4b..bb56c2243c 100644
> > --- a/include/u-boot/rsa.h
> > +++ b/include/u-boot/rsa.h
> > @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
> >  #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
> >  
> >  #define RSA2048_BYTES	(2048 / 8)
> > +#define RSA3072_BYTES	(3072 / 8)
> >  #define RSA4096_BYTES	(4096 / 8)
> >  
> >  /* This is the minimum/maximum key size we support, in bits */
> > diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> > index 83f7564101..4fe487d7e5 100644
> > --- a/lib/rsa/rsa-verify.c
> > +++ b/lib/rsa/rsa-verify.c
> > @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
> >  	.verify = rsa_verify,
> >  };
> >  
> > +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> > +	.name = "rsa3072",
> > +	.key_len = RSA3072_BYTES,
> > +	.verify = rsa_verify,
> > +};
> > +
> >  U_BOOT_CRYPTO_ALGO(rsa4096) = {
> >  	.name = "rsa4096",
> >  	.key_len = RSA4096_BYTES,
> > diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> > index 095e00cce3..b080d482af 100644
> > --- a/test/py/tests/test_vboot.py
> > +++ b/test/py/tests/test_vboot.py
> > @@ -45,6 +45,8 @@ TESTDATA = [
> >      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
> >      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
> >      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
> > +    ['sha384-basic', 'sha384', '', None, False, False],
> > +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
> >  ]
> >  
> >  @pytest.mark.boardspec('sandbox')
> > @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
> >              name: Name of of the key (e.g. 'dev')
> >          """
> >          public_exponent = 65537
> > +
> > +        if sha_algo == "sha384":
> > +            rsa_keygen_bits = 3072
> > +        else:
> > +            rsa_keygen_bits = 2048
> > +
> >          util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
> > -                     '-pkeyopt rsa_keygen_bits:2048 '
> > +                     '-pkeyopt rsa_keygen_bits:%d '
> >                       '-pkeyopt rsa_keygen_pubexp:%d' %
> > -                     (tmpdir, name, public_exponent))
> > +                     (tmpdir, name, rsa_keygen_bits, public_exponent))
> >  
> >          # Create a certificate containing the public key
> >          util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
> > diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
> > new file mode 100644
> > index 0000000000..2869401991
> > --- /dev/null
> > +++ b/test/py/tests/vboot/sign-configs-sha384.its
> > @@ -0,0 +1,45 @@
> > +/dts-v1/;
> > +
> > +/ {
> > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > +	#address-cells = <1>;
> > +
> > +	images {
> > +		kernel {
> > +			data = /incbin/("test-kernel.bin");
> > +			type = "kernel_noload";
> > +			arch = "sandbox";
> > +			os = "linux";
> > +			compression = "none";
> > +			load = <0x4>;
> > +			entry = <0x8>;
> > +			kernel-version = <1>;
> > +			hash-1 {
> > +				algo = "sha384";
> > +			};
> > +		};
> > +		fdt-1 {
> > +			description = "snow";
> > +			data = /incbin/("sandbox-kernel.dtb");
> > +			type = "flat_dt";
> > +			arch = "sandbox";
> > +			compression = "none";
> > +			fdt-version = <1>;
> > +			hash-1 {
> > +				algo = "sha384";
> > +			};
> > +		};
> > +	};
> > +	configurations {
> > +		default = "conf-1";
> > +		conf-1 {
> > +			kernel = "kernel";
> > +			fdt = "fdt-1";
> > +			signature {
> > +				algo = "sha384,rsa3072";
> > +				key-name-hint = "dev";
> > +				sign-images = "fdt", "kernel";
> > +			};
> > +		};
> > +	};
> > +};
> > diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
> > new file mode 100644
> > index 0000000000..be1a9a653c
> > --- /dev/null
> > +++ b/test/py/tests/vboot/sign-images-sha384.its
> > @@ -0,0 +1,42 @@
> > +/dts-v1/;
> > +
> > +/ {
> > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > +	#address-cells = <1>;
> > +
> > +	images {
> > +		kernel {
> > +			data = /incbin/("test-kernel.bin");
> > +			type = "kernel_noload";
> > +			arch = "sandbox";
> > +			os = "linux";
> > +			compression = "none";
> > +			load = <0x4>;
> > +			entry = <0x8>;
> > +			kernel-version = <1>;
> > +			signature {
> > +				algo = "sha384,rsa3072";
> > +				key-name-hint = "dev";
> > +			};
> > +		};
> > +		fdt-1 {
> > +			description = "snow";
> > +			data = /incbin/("sandbox-kernel.dtb");
> > +			type = "flat_dt";
> > +			arch = "sandbox";
> > +			compression = "none";
> > +			fdt-version = <1>;
> > +			signature {
> > +				algo = "sha384,rsa3072";
> > +				key-name-hint = "dev";
> > +			};
> > +		};
> > +	};
> > +	configurations {
> > +		default = "conf-1";
> > +		conf-1 {
> > +			kernel = "kernel";
> > +			fdt = "fdt-1";
> > +		};
> > +	};
> > +};
> > diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> > index 8ed6998dab..d0133aec4c 100644
> > --- a/tools/image-sig-host.c
> > +++ b/tools/image-sig-host.c
> > @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
> >  		.add_verify_data = rsa_add_verify_data,
> >  		.verify = rsa_verify,
> >  	},
> > +	{
> > +		.name = "rsa3072",
> > +		.key_len = RSA3072_BYTES,
> > +		.sign = rsa_sign,
> > +		.add_verify_data = rsa_add_verify_data,
> > +		.verify = rsa_verify,
> > +	},
> >  	{
> >  		.name = "rsa4096",
> >  		.key_len = RSA4096_BYTES,
> 
> With current master these tests run and fail:
> https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me
> when running locally), please re-check and resubmit, thanks.
> 
> -- 
> Tom

Hi Tom,
Thanks for review.
I noticed that the latest version of u-boot test vboot failed for sha384.
So far, u-boot support sha256, sha384 and sha512 for hash algorithm.
And supports RSA 2048 and 4096 bits.

I tried to add test cases in test_vboot.py, but I ran into a verification failure
only when the hash algorithm was "sha384".

For example:
I created two test files which were sign-images-sha384.its and sign-configs-sha384.its and
placed them here, https://source.denx.de/u-boot/u-boot/-/tree/master/test/py/tests/vboot 
The contents of both files were very similar sign-images-sha256.its and sign-images-sha256.its.
The difference was that I modified to use sha384 with RSA 2048.
I tested sha256/rsa2048, sha256/rsa512 pass but failed in sha384.
Do you have any idea or could you please give any suggestion?
Could you please help me to check this issue?

https://source.denx.de/u-boot/u-boot/-/jobs/376757 
The CI showed incorrect hash data for sha384.
My local got the same test result
Thanks-Jamin

## Loading kernel from FIT Image at 00000100 ...
   Using 'conf-1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel' kernel subimage
     Description:  unavailable
     Created:      2022-01-18   6:39:31 UTC
     Type:         Kernel Image (no loading done)
     Compression:  uncompressed
     Data Start:   0x000001c4
     Data Size:    500 Bytes = 500 Bytes
     Sign algo:    sha384,rsa2048:dev
     Sign value:   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
     Timestamp:    2022-01-18   6:39:32 UTC
   Verifying Hash Integrity ... sha384,rsa2048:dev- Failed to verify required signature 'key-dev'
 error!
Unable to verify required signature for '' hash node in 'kernel' image node
Bad Data Hash
ERROR: can't get kernel image!


My test data:
/dts-v1/;

/ {
	description = "Chrome OS kernel image with one or more FDT blobs";
	#address-cells = <1>;

	images {
		kernel {
			data = /incbin/("test-kernel.bin");
			type = "kernel_noload";
			arch = "sandbox";
			os = "linux";
			compression = "none";
			load = <0x4>;
			entry = <0x8>;
			kernel-version = <1>;
			signature {
				algo = "sha384,rsa2048";
				key-name-hint = "dev";
			};
		};
		fdt-1 {
			description = "snow";
			data = /incbin/("sandbox-kernel.dtb");
			type = "flat_dt";
			arch = "sandbox";
			compression = "none";
			fdt-version = <1>;
			signature {
				algo = "sha384,rsa2048";
				key-name-hint = "dev";
			};
		};
	};
	configurations {
		default = "conf-1";
		conf-1 {
			kernel = "kernel";
			fdt = "fdt-1";
		};
	};
};



* Re: [PATCH v3 1/1] rsa: adds rsa3072 algorithm
  2022-01-18  7:02     ` Jamin Lin
@ 2022-01-18  7:09       ` Jamin Lin
  2022-01-19  8:28         ` Jamin Lin
From: Jamin Lin @ 2022-01-18  7:09 UTC (permalink / raw)
  To: Tom Rini
  Cc: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Sean Anderson,
	Thomas Perrot, open list, Troy Lee, Steven Lee

The 01/18/2022 07:02, Jamin Lin wrote:
> The 01/14/2022 18:14, Tom Rini wrote:
> > On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:
> > 
> > > Add to support rsa 3072 bits algorithm in tools
> > > for image sign at host side and adds rsa 3072 bits
> > > verification in the image binary.
> > > 
> > > Add test case in vboot for sha384 with rsa3072 algorithm testing.
> > > 
> > > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> > > ---
> > >  include/u-boot/rsa.h                        |  1 +
> > >  lib/rsa/rsa-verify.c                        |  6 +++
> > >  test/py/tests/test_vboot.py                 | 12 +++++-
> > >  test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
> > >  test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
> > >  tools/image-sig-host.c                      |  7 ++++
> > >  6 files changed, 111 insertions(+), 2 deletions(-)
> > >  create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
> > >  create mode 100644 test/py/tests/vboot/sign-images-sha384.its
> > > 
> > > diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> > > index 7556aa5b4b..bb56c2243c 100644
> > > --- a/include/u-boot/rsa.h
> > > +++ b/include/u-boot/rsa.h
> > > @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
> > >  #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
> > >  
> > >  #define RSA2048_BYTES	(2048 / 8)
> > > +#define RSA3072_BYTES	(3072 / 8)
> > >  #define RSA4096_BYTES	(4096 / 8)
> > >  
> > >  /* This is the minimum/maximum key size we support, in bits */
> > > diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> > > index 83f7564101..4fe487d7e5 100644
> > > --- a/lib/rsa/rsa-verify.c
> > > +++ b/lib/rsa/rsa-verify.c
> > > @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
> > >  	.verify = rsa_verify,
> > >  };
> > >  
> > > +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> > > +	.name = "rsa3072",
> > > +	.key_len = RSA3072_BYTES,
> > > +	.verify = rsa_verify,
> > > +};
> > > +
> > >  U_BOOT_CRYPTO_ALGO(rsa4096) = {
> > >  	.name = "rsa4096",
> > >  	.key_len = RSA4096_BYTES,
> > > diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> > > index 095e00cce3..b080d482af 100644
> > > --- a/test/py/tests/test_vboot.py
> > > +++ b/test/py/tests/test_vboot.py
> > > @@ -45,6 +45,8 @@ TESTDATA = [
> > >      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
> > >      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
> > >      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
> > > +    ['sha384-basic', 'sha384', '', None, False, False],
> > > +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
> > >  ]
> > >  
> > >  @pytest.mark.boardspec('sandbox')
> > > @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
> > >              name: Name of of the key (e.g. 'dev')
> > >          """
> > >          public_exponent = 65537
> > > +
> > > +        if sha_algo == "sha384":
> > > +            rsa_keygen_bits = 3072
> > > +        else:
> > > +            rsa_keygen_bits = 2048
> > > +
> > >          util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
> > > -                     '-pkeyopt rsa_keygen_bits:2048 '
> > > +                     '-pkeyopt rsa_keygen_bits:%d '
> > >                       '-pkeyopt rsa_keygen_pubexp:%d' %
> > > -                     (tmpdir, name, public_exponent))
> > > +                     (tmpdir, name, rsa_keygen_bits, public_exponent))
> > >  
> > >          # Create a certificate containing the public key
> > >          util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
> > > diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
> > > new file mode 100644
> > > index 0000000000..2869401991
> > > --- /dev/null
> > > +++ b/test/py/tests/vboot/sign-configs-sha384.its
> > > @@ -0,0 +1,45 @@
> > > +/dts-v1/;
> > > +
> > > +/ {
> > > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > > +	#address-cells = <1>;
> > > +
> > > +	images {
> > > +		kernel {
> > > +			data = /incbin/("test-kernel.bin");
> > > +			type = "kernel_noload";
> > > +			arch = "sandbox";
> > > +			os = "linux";
> > > +			compression = "none";
> > > +			load = <0x4>;
> > > +			entry = <0x8>;
> > > +			kernel-version = <1>;
> > > +			hash-1 {
> > > +				algo = "sha384";
> > > +			};
> > > +		};
> > > +		fdt-1 {
> > > +			description = "snow";
> > > +			data = /incbin/("sandbox-kernel.dtb");
> > > +			type = "flat_dt";
> > > +			arch = "sandbox";
> > > +			compression = "none";
> > > +			fdt-version = <1>;
> > > +			hash-1 {
> > > +				algo = "sha384";
> > > +			};
> > > +		};
> > > +	};
> > > +	configurations {
> > > +		default = "conf-1";
> > > +		conf-1 {
> > > +			kernel = "kernel";
> > > +			fdt = "fdt-1";
> > > +			signature {
> > > +				algo = "sha384,rsa3072";
> > > +				key-name-hint = "dev";
> > > +				sign-images = "fdt", "kernel";
> > > +			};
> > > +		};
> > > +	};
> > > +};
> > > diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
> > > new file mode 100644
> > > index 0000000000..be1a9a653c
> > > --- /dev/null
> > > +++ b/test/py/tests/vboot/sign-images-sha384.its
> > > @@ -0,0 +1,42 @@
> > > +/dts-v1/;
> > > +
> > > +/ {
> > > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > > +	#address-cells = <1>;
> > > +
> > > +	images {
> > > +		kernel {
> > > +			data = /incbin/("test-kernel.bin");
> > > +			type = "kernel_noload";
> > > +			arch = "sandbox";
> > > +			os = "linux";
> > > +			compression = "none";
> > > +			load = <0x4>;
> > > +			entry = <0x8>;
> > > +			kernel-version = <1>;
> > > +			signature {
> > > +				algo = "sha384,rsa3072";
> > > +				key-name-hint = "dev";
> > > +			};
> > > +		};
> > > +		fdt-1 {
> > > +			description = "snow";
> > > +			data = /incbin/("sandbox-kernel.dtb");
> > > +			type = "flat_dt";
> > > +			arch = "sandbox";
> > > +			compression = "none";
> > > +			fdt-version = <1>;
> > > +			signature {
> > > +				algo = "sha384,rsa3072";
> > > +				key-name-hint = "dev";
> > > +			};
> > > +		};
> > > +	};
> > > +	configurations {
> > > +		default = "conf-1";
> > > +		conf-1 {
> > > +			kernel = "kernel";
> > > +			fdt = "fdt-1";
> > > +		};
> > > +	};
> > > +};
> > > diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> > > index 8ed6998dab..d0133aec4c 100644
> > > --- a/tools/image-sig-host.c
> > > +++ b/tools/image-sig-host.c
> > > @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
> > >  		.add_verify_data = rsa_add_verify_data,
> > >  		.verify = rsa_verify,
> > >  	},
> > > +	{
> > > +		.name = "rsa3072",
> > > +		.key_len = RSA3072_BYTES,
> > > +		.sign = rsa_sign,
> > > +		.add_verify_data = rsa_add_verify_data,
> > > +		.verify = rsa_verify,
> > > +	},
> > >  	{
> > >  		.name = "rsa4096",
> > >  		.key_len = RSA4096_BYTES,
> > 
> > With current master these tests run and fail:
> > https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me
> > when running locally), please re-check and resubmit, thanks.
> > 
> > -- 
> > Tom
> 
> Hi Tom,
> Thanks for review.
> I noticed that the latest version of u-boot test vboot failed for sha384.
> So far, u-boot support sha256, sha384 and sha512 for hash algorithm.
> And supports RSA 2048 and 4096 bits.
> 
> I tried to add test cases in test_vboot.py but I encountered verified failed issue
> only if hash algorithm was "sha384"
> 
> For example:
> I created two test files which were sign-images-sha384.its and sign-configs-sha384.its and
> placed them here, https://source.denx.de/u-boot/u-boot/-/tree/master/test/py/tests/vboot 
> The contents of both files were very similar sign-images-sha256.its and sign-images-sha256.its.
> The difference was that I modified to use sha384 with RSA 2048.
> I tested sha256/rsa2048, sha256/rsa512 pass but failed in sha384.
Sorry for typo, sha512/rsa4096
> Do you have any idea or could you please give any suggestion?
> Could you please help me to check this issue?
> 
> https://source.denx.de/u-boot/u-boot/-/jobs/376757 
> The CI showed incorrect hash data for sha384.
> My local got the same test result
> Thanks-Jamin
> 
> ## Loading kernel from FIT Image at 00000100 ...
>    Using 'conf-1' configuration
>    Verifying Hash Integrity ... OK
>    Trying 'kernel' kernel subimage
>      Description:  unavailable
>      Created:      2022-01-18   6:39:31 UTC
>      Type:         Kernel Image (no loading done)
>      Compression:  uncompressed
>      Data Start:   0x000001c4
>      Data Size:    500 Bytes = 500 Bytes
>      Sign algo:    sha384,rsa2048:dev
>      Sign value:   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
>      Timestamp:    2022-01-18   6:39:32 UTC
>    Verifying Hash Integrity ... sha384,rsa2048:dev- Failed to verify required signature 'key-dev'
>  error!
> Unable to verify required signature for '' hash node in 'kernel' image node
> Bad Data Hash
> ERROR: can't get kernel image!
> 
> 
> My test data:
> /dts-v1/;
> 
> / {
> 	description = "Chrome OS kernel image with one or more FDT blobs";
> 	#address-cells = <1>;
> 
> 	images {
> 		kernel {
> 			data = /incbin/("test-kernel.bin");
> 			type = "kernel_noload";
> 			arch = "sandbox";
> 			os = "linux";
> 			compression = "none";
> 			load = <0x4>;
> 			entry = <0x8>;
> 			kernel-version = <1>;
> 			signature {
> 				algo = "sha384,rsa2048";
> 				key-name-hint = "dev";
> 			};
> 		};
> 		fdt-1 {
> 			description = "snow";
> 			data = /incbin/("sandbox-kernel.dtb");
> 			type = "flat_dt";
> 			arch = "sandbox";
> 			compression = "none";
> 			fdt-version = <1>;
> 			signature {
> 				algo = "sha384,rsa2048";
> 				key-name-hint = "dev";
> 			};
> 		};
> 	};
> 	configurations {
> 		default = "conf-1";
> 		conf-1 {
> 			kernel = "kernel";
> 			fdt = "fdt-1";
> 		};
> 	};
> };
> 


* Re: [PATCH v3 1/1] rsa: adds rsa3072 algorithm
  2022-01-18  7:09       ` Jamin Lin
@ 2022-01-19  8:28         ` Jamin Lin
  0 siblings, 0 replies; 6+ messages in thread
From: Jamin Lin @ 2022-01-19  8:28 UTC (permalink / raw)
  To: Tom Rini
  Cc: Alexandru Gagniuc, Simon Glass, Philippe Reynes, Sean Anderson,
	Thomas Perrot, open list, Troy Lee, Steven Lee

The 01/18/2022 07:09, Jamin Lin wrote:
> The 01/18/2022 07:02, Jamin Lin wrote:
> > The 01/14/2022 18:14, Tom Rini wrote:
> > > On Fri, Dec 10, 2021 at 02:00:55PM +0800, Jamin Lin wrote:
> > > 
> > > > Add to support rsa 3072 bits algorithm in tools
> > > > for image sign at host side and adds rsa 3072 bits
> > > > verification in the image binary.
> > > > 
> > > > Add test case in vboot for sha384 with rsa3072 algorithm testing.
> > > > 
> > > > Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> > > > ---
> > > >  include/u-boot/rsa.h                        |  1 +
> > > >  lib/rsa/rsa-verify.c                        |  6 +++
> > > >  test/py/tests/test_vboot.py                 | 12 +++++-
> > > >  test/py/tests/vboot/sign-configs-sha384.its | 45 +++++++++++++++++++++
> > > >  test/py/tests/vboot/sign-images-sha384.its  | 42 +++++++++++++++++++
> > > >  tools/image-sig-host.c                      |  7 ++++
> > > >  6 files changed, 111 insertions(+), 2 deletions(-)
> > > >  create mode 100644 test/py/tests/vboot/sign-configs-sha384.its
> > > >  create mode 100644 test/py/tests/vboot/sign-images-sha384.its
> > > > 
> > > > diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
> > > > index 7556aa5b4b..bb56c2243c 100644
> > > > --- a/include/u-boot/rsa.h
> > > > +++ b/include/u-boot/rsa.h
> > > > @@ -110,6 +110,7 @@ int padding_pss_verify(struct image_sign_info *info,
> > > >  #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
> > > >  
> > > >  #define RSA2048_BYTES	(2048 / 8)
> > > > +#define RSA3072_BYTES	(3072 / 8)
> > > >  #define RSA4096_BYTES	(4096 / 8)
> > > >  
> > > >  /* This is the minimum/maximum key size we support, in bits */
> > > > diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> > > > index 83f7564101..4fe487d7e5 100644
> > > > --- a/lib/rsa/rsa-verify.c
> > > > +++ b/lib/rsa/rsa-verify.c
> > > > @@ -588,6 +588,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
> > > >  	.verify = rsa_verify,
> > > >  };
> > > >  
> > > > +U_BOOT_CRYPTO_ALGO(rsa3072) = {
> > > > +	.name = "rsa3072",
> > > > +	.key_len = RSA3072_BYTES,
> > > > +	.verify = rsa_verify,
> > > > +};
> > > > +
> > > >  U_BOOT_CRYPTO_ALGO(rsa4096) = {
> > > >  	.name = "rsa4096",
> > > >  	.key_len = RSA4096_BYTES,
> > > > diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> > > > index 095e00cce3..b080d482af 100644
> > > > --- a/test/py/tests/test_vboot.py
> > > > +++ b/test/py/tests/test_vboot.py
> > > > @@ -45,6 +45,8 @@ TESTDATA = [
> > > >      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
> > > >      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
> > > >      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
> > > > +    ['sha384-basic', 'sha384', '', None, False, False],
> > > > +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
> > > >  ]
> > > >  
> > > >  @pytest.mark.boardspec('sandbox')
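Review bot: The two added sha384 rows only exercise pkcs-1.5 padding with required=False, so unlike the sha256 rows directly above them the new rsa3072 path gets neither a `-pss` case nor a required-signature case, and the `required`/`full_test` branches of the test never run against it. Adding at least `['sha384-required', 'sha384', '', None, True, False]` and a `['sha384-pss', 'sha384', '-pss', None, False, False]` row would bring coverage in line with the existing algorithms. The thread later reports that these rows fail with "Bad Data Hash" until CONFIG_SHA384 is enabled in the sandbox config, and this patch does not touch that config, so the rows as submitted depend on a change outside the diffstat.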
> > > > @@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
> > > >              name: Name of of the key (e.g. 'dev')
> > > >          """
> > > >          public_exponent = 65537
> > > > +
> > > > +        if sha_algo == "sha384":
> > > > +            rsa_keygen_bits = 3072
> > > > +        else:
> > > > +            rsa_keygen_bits = 2048
> > > > +
> > > >          util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
> > > > -                     '-pkeyopt rsa_keygen_bits:2048 '
> > > > +                     '-pkeyopt rsa_keygen_bits:%d '
> > > >                       '-pkeyopt rsa_keygen_pubexp:%d' %
> > > > -                     (tmpdir, name, public_exponent))
> > > > +                     (tmpdir, name, rsa_keygen_bits, public_exponent))
> > > >  
> > > >          # Create a certificate containing the public key
> > > >          util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
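Review bot: The key size is derived from the hash name (`if sha_algo == "sha384": rsa_keygen_bits = 3072`) while the .its fixtures bind it independently through their `algo = "sha384,rsa3072"` strings, so the two are kept in step only by convention and nothing in the test enforces it; a fixture later changed to, say, sha384 with rsa2048 would silently get a 3072-bit key and surface only as a verification failure at run time. A comment such as `# vboot/*sha384*.its are signed with rsa3072; keep this in step with their algo strings` would at least make the coupling visible, and carrying the key size as a TESTDATA column would remove it. The enclosing function starts and ends outside this hunk.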
> > > > diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
> > > > new file mode 100644
> > > > index 0000000000..2869401991
> > > > --- /dev/null
> > > > +++ b/test/py/tests/vboot/sign-configs-sha384.its
> > > > @@ -0,0 +1,45 @@
> > > > +/dts-v1/;
> > > > +
> > > > +/ {
> > > > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > > > +	#address-cells = <1>;
> > > > +
> > > > +	images {
> > > > +		kernel {
> > > > +			data = /incbin/("test-kernel.bin");
> > > > +			type = "kernel_noload";
> > > > +			arch = "sandbox";
> > > > +			os = "linux";
> > > > +			compression = "none";
> > > > +			load = <0x4>;
> > > > +			entry = <0x8>;
> > > > +			kernel-version = <1>;
> > > > +			hash-1 {
> > > > +				algo = "sha384";
> > > > +			};
> > > > +		};
> > > > +		fdt-1 {
> > > > +			description = "snow";
> > > > +			data = /incbin/("sandbox-kernel.dtb");
> > > > +			type = "flat_dt";
> > > > +			arch = "sandbox";
> > > > +			compression = "none";
> > > > +			fdt-version = <1>;
> > > > +			hash-1 {
> > > > +				algo = "sha384";
> > > > +			};
> > > > +		};
> > > > +	};
> > > > +	configurations {
> > > > +		default = "conf-1";
> > > > +		conf-1 {
> > > > +			kernel = "kernel";
> > > > +			fdt = "fdt-1";
> > > > +			signature {
> > > > +				algo = "sha384,rsa3072";
> > > > +				key-name-hint = "dev";
> > > > +				sign-images = "fdt", "kernel";
> > > > +			};
> > > > +		};
> > > > +	};
> > > > +};
> > > > diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
> > > > new file mode 100644
> > > > index 0000000000..be1a9a653c
> > > > --- /dev/null
> > > > +++ b/test/py/tests/vboot/sign-images-sha384.its
> > > > @@ -0,0 +1,42 @@
> > > > +/dts-v1/;
> > > > +
> > > > +/ {
> > > > +	description = "Chrome OS kernel image with one or more FDT blobs";
> > > > +	#address-cells = <1>;
> > > > +
> > > > +	images {
> > > > +		kernel {
> > > > +			data = /incbin/("test-kernel.bin");
> > > > +			type = "kernel_noload";
> > > > +			arch = "sandbox";
> > > > +			os = "linux";
> > > > +			compression = "none";
> > > > +			load = <0x4>;
> > > > +			entry = <0x8>;
> > > > +			kernel-version = <1>;
> > > > +			signature {
> > > > +				algo = "sha384,rsa3072";
> > > > +				key-name-hint = "dev";
> > > > +			};
> > > > +		};
> > > > +		fdt-1 {
> > > > +			description = "snow";
> > > > +			data = /incbin/("sandbox-kernel.dtb");
> > > > +			type = "flat_dt";
> > > > +			arch = "sandbox";
> > > > +			compression = "none";
> > > > +			fdt-version = <1>;
> > > > +			signature {
> > > > +				algo = "sha384,rsa3072";
> > > > +				key-name-hint = "dev";
> > > > +			};
> > > > +		};
> > > > +	};
> > > > +	configurations {
> > > > +		default = "conf-1";
> > > > +		conf-1 {
> > > > +			kernel = "kernel";
> > > > +			fdt = "fdt-1";
> > > > +		};
> > > > +	};
> > > > +};
> > > > diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
> > > > index 8ed6998dab..d0133aec4c 100644
> > > > --- a/tools/image-sig-host.c
> > > > +++ b/tools/image-sig-host.c
> > > > @@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
> > > >  		.add_verify_data = rsa_add_verify_data,
> > > >  		.verify = rsa_verify,
> > > >  	},
> > > > +	{
> > > > +		.name = "rsa3072",
> > > > +		.key_len = RSA3072_BYTES,
> > > > +		.sign = rsa_sign,
> > > > +		.add_verify_data = rsa_add_verify_data,
> > > > +		.verify = rsa_verify,
> > > > +	},
> > > >  	{
> > > >  		.name = "rsa4096",
> > > >  		.key_len = RSA4096_BYTES,
> > > 
> > > With current master these tests run and fail:
> > > https://source.denx.de/u-boot/u-boot/-/jobs/376757 (and also fail for me
> > > when running locally), please re-check and resubmit, thanks.
> > > 
> > > -- 
> > > Tom
> > 
> > Hi Tom,
> > Thanks for review.
> > I noticed that the latest version of u-boot test vboot failed for sha384.
> > So far, u-boot support sha256, sha384 and sha512 for hash algorithm.
> > And supports RSA 2048 and 4096 bits.
> > 
> > I tried to add test cases in test_vboot.py but I encountered a verification failure
> > only when the hash algorithm was "sha384"
> > 
> > For example:
> > I created two test files which were sign-images-sha384.its and sign-configs-sha384.its and
> > placed them here, https://source.denx.de/u-boot/u-boot/-/tree/master/test/py/tests/vboot 
> > The contents of both files were very similar sign-images-sha256.its and sign-images-sha256.its.
> > The difference was that I modified to use sha384 with RSA 2048.
> > I tested sha256/rsa2048, sha256/rsa512 pass but failed in sha384.
> Sorry for typo, sha512/rsa4096
> > Do you have any idea or could you please give any suggestion?
> > Could you please help me to check this issue?
> > 
> > https://source.denx.de/u-boot/u-boot/-/jobs/376757 
> > The CI showed incorrect hash data for sha384.
> > My local got the same test result
> > Thanks-Jamin
> > 
> > ## Loading kernel from FIT Image at 00000100 ...
> >    Using 'conf-1' configuration
> >    Verifying Hash Integrity ... OK
> >    Trying 'kernel' kernel subimage
> >      Description:  unavailable
> >      Created:      2022-01-18   6:39:31 UTC
> >      Type:         Kernel Image (no loading done)
> >      Compression:  uncompressed
> >      Data Start:   0x000001c4
> >      Data Size:    500 Bytes = 500 Bytes
> >      Sign algo:    sha384,rsa2048:dev
> >      Sign value:   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
> >      Timestamp:    2022-01-18   6:39:32 UTC
> >    Verifying Hash Integrity ... sha384,rsa2048:dev- Failed to verify required signature 'key-dev'
> >  error!
> > Unable to verify required signature for '' hash node in 'kernel' image node
> > Bad Data Hash
> > ERROR: can't get kernel image!
> > 
> > 
> > My test data:
> > /dts-v1/;
> > 
> > / {
> > 	description = "Chrome OS kernel image with one or more FDT blobs";
> > 	#address-cells = <1>;
> > 
> > 	images {
> > 		kernel {
> > 			data = /incbin/("test-kernel.bin");
> > 			type = "kernel_noload";
> > 			arch = "sandbox";
> > 			os = "linux";
> > 			compression = "none";
> > 			load = <0x4>;
> > 			entry = <0x8>;
> > 			kernel-version = <1>;
> > 			signature {
> > 				algo = "sha384,rsa2048";
> > 				key-name-hint = "dev";
> > 			};
> > 		};
> > 		fdt-1 {
> > 			description = "snow";
> > 			data = /incbin/("sandbox-kernel.dtb");
> > 			type = "flat_dt";
> > 			arch = "sandbox";
> > 			compression = "none";
> > 			fdt-version = <1>;
> > 			signature {
> > 				algo = "sha384,rsa2048";
> > 				key-name-hint = "dev";
> > 			};
> > 		};
> > 	};
> > 	configurations {
> > 		default = "conf-1";
> > 		conf-1 {
> > 			kernel = "kernel";
> > 			fdt = "fdt-1";
> > 		};
> > 	};
> > };
> > 

Hi Tom,
I fixed the problem. Please ignore all my comments about v3 patch.
Root cause was that I forgot to add "CONFIG_SHA384" to the sandbox config file.
Updated and sent v4 patch.
Waiting for review.
http://patchwork.ozlabs.org/project/uboot/patch/20220119082323.4567-2-jamin_lin@aspeedtech.com/
Thanks-Jamin


