* [PATCH v3 2/6] lib/rsa: Make fdt_add_bignum() available outside of RSA code
2021-01-07 22:33 [PATCH v3 0/6] Add support for ECDSA image signing (with test) Alexandru Gagniuc
2021-01-07 22:33 ` [PATCH v3 1/6] lib: Rename rsa-checksum.c to hash-checksum.c Alexandru Gagniuc
@ 2021-01-07 22:33 ` Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
2021-01-07 22:33 ` [PATCH v3 3/6] lib: Add support for ECDSA image signing Alexandru Gagniuc
` (3 subsequent siblings)
5 siblings, 1 reply; 14+ messages in thread
From: Alexandru Gagniuc @ 2021-01-07 22:33 UTC (permalink / raw)
To: u-boot
fdt_add_bignum() is useful for algorithms other than just RSA. To
allow its use for ECDSA, move it to a common file under lib/.
The new file is suffixed with '-libcrypto' because it has a direct
dependency on openssl. This is due to the use of the "BIGNUM *" type.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
---
include/u-boot/fdt-libcrypto.h | 27 +++++++++++++
lib/fdt-libcrypto.c | 72 ++++++++++++++++++++++++++++++++++
lib/rsa/rsa-sign.c | 65 +-----------------------------
tools/Makefile | 1 +
4 files changed, 101 insertions(+), 64 deletions(-)
create mode 100644 include/u-boot/fdt-libcrypto.h
create mode 100644 lib/fdt-libcrypto.c
diff --git a/include/u-boot/fdt-libcrypto.h b/include/u-boot/fdt-libcrypto.h
new file mode 100644
index 0000000000..5142f37039
--- /dev/null
+++ b/include/u-boot/fdt-libcrypto.h
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me@gmail.com>
+ * Copyright (c) 2013, Google Inc.
+ */
+
+#ifndef _FDT_LIBCRYPTO_H
+#define _FDT_LIBCRYPTO_H
+
+#include <openssl/bn.h>
+
+/**
+ * fdt_add_bignum() - Write a libcrypto BIGNUM as an FDT property
+ *
+ * Convert a libcrypto BIGNUM * into a big endian array of integers.
+ *
+ * @blob: FDT blob to modify
+ * @noffset: Offset of the FDT node
+ * @prop_name: What to call the property in the FDT
+ * @num: pointer to a libcrypto big number
+ * @num_bits: How big is 'num' in bits?
+ * @return 0 if all good all working, -ve on horror
+ */
+int fdt_add_bignum(void *blob, int noffset, const char *prop_name,
+ BIGNUM *num, int num_bits);
+
+#endif /* _FDT_LIBCRYPTO_H */
diff --git a/lib/fdt-libcrypto.c b/lib/fdt-libcrypto.c
new file mode 100644
index 0000000000..ecb0344c8f
--- /dev/null
+++ b/lib/fdt-libcrypto.c
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me@gmail.com>
+ * Copyright (c) 2013, Google Inc.
+ */
+
+#include <libfdt.h>
+#include <u-boot/fdt-libcrypto.h>
+
+int fdt_add_bignum(void *blob, int noffset, const char *prop_name,
+ BIGNUM *num, int num_bits)
+{
+ int nwords = num_bits / 32;
+ int size;
+ uint32_t *buf, *ptr;
+ BIGNUM *tmp, *big2, *big32, *big2_32;
+ BN_CTX *ctx;
+ int ret;
+
+ tmp = BN_new();
+ big2 = BN_new();
+ big32 = BN_new();
+ big2_32 = BN_new();
+
+ /*
+ * Note: This code assumes that all of the above succeed, or all fail.
+ * In practice memory allocations generally do not fail (unless the
+ * process is killed), so it does not seem worth handling each of these
+ * as a separate case. Technicaly this could leak memory on failure,
+ * but a) it won't happen in practice, and b) it doesn't matter as we
+ * will immediately exit with a failure code.
+ */
+ if (!tmp || !big2 || !big32 || !big2_32) {
+ fprintf(stderr, "Out of memory (bignum)\n");
+ return -ENOMEM;
+ }
+ ctx = BN_CTX_new();
+ if (!ctx) {
+ fprintf(stderr, "Out of memory (bignum context)\n");
+ return -ENOMEM;
+ }
+ BN_set_word(big2, 2L);
+ BN_set_word(big32, 32L);
+ BN_exp(big2_32, big2, big32, ctx); /* B = 2^32 */
+
+ size = nwords * sizeof(uint32_t);
+ buf = malloc(size);
+ if (!buf) {
+ fprintf(stderr, "Out of memory (%d bytes)\n", size);
+ return -ENOMEM;
+ }
+
+ /* Write out modulus as big endian array of integers */
+ for (ptr = buf + nwords - 1; ptr >= buf; ptr--) {
+ BN_mod(tmp, num, big2_32, ctx); /* n = N mod B */
+ *ptr = cpu_to_fdt32(BN_get_word(tmp));
+ BN_rshift(num, num, 32); /* N = N/B */
+ }
+
+ /*
+ * We try signing with successively increasing size values, so this
+ * might fail several times
+ */
+ ret = fdt_setprop(blob, noffset, prop_name, buf, size);
+ free(buf);
+ BN_free(tmp);
+ BN_free(big2);
+ BN_free(big32);
+ BN_free(big2_32);
+
+ return ret ? -FDT_ERR_NOSPACE : 0;
+}
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 1f0d81bd7a..557c690a6d 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -9,6 +9,7 @@
#include <string.h>
#include <image.h>
#include <time.h>
+#include <u-boot/fdt-libcrypto.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
@@ -680,70 +681,6 @@ int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
return ret;
}
-static int fdt_add_bignum(void *blob, int noffset, const char *prop_name,
- BIGNUM *num, int num_bits)
-{
- int nwords = num_bits / 32;
- int size;
- uint32_t *buf, *ptr;
- BIGNUM *tmp, *big2, *big32, *big2_32;
- BN_CTX *ctx;
- int ret;
-
- tmp = BN_new();
- big2 = BN_new();
- big32 = BN_new();
- big2_32 = BN_new();
-
- /*
- * Note: This code assumes that all of the above succeed, or all fail.
- * In practice memory allocations generally do not fail (unless the
- * process is killed), so it does not seem worth handling each of these
- * as a separate case. Technicaly this could leak memory on failure,
- * but a) it won't happen in practice, and b) it doesn't matter as we
- * will immediately exit with a failure code.
- */
- if (!tmp || !big2 || !big32 || !big2_32) {
- fprintf(stderr, "Out of memory (bignum)\n");
- return -ENOMEM;
- }
- ctx = BN_CTX_new();
- if (!ctx) {
- fprintf(stderr, "Out of memory (bignum context)\n");
- return -ENOMEM;
- }
- BN_set_word(big2, 2L);
- BN_set_word(big32, 32L);
- BN_exp(big2_32, big2, big32, ctx); /* B = 2^32 */
-
- size = nwords * sizeof(uint32_t);
- buf = malloc(size);
- if (!buf) {
- fprintf(stderr, "Out of memory (%d bytes)\n", size);
- return -ENOMEM;
- }
-
- /* Write out modulus as big endian array of integers */
- for (ptr = buf + nwords - 1; ptr >= buf; ptr--) {
- BN_mod(tmp, num, big2_32, ctx); /* n = N mod B */
- *ptr = cpu_to_fdt32(BN_get_word(tmp));
- BN_rshift(num, num, 32); /* N = N/B */
- }
-
- /*
- * We try signing with successively increasing size values, so this
- * might fail several times
- */
- ret = fdt_setprop(blob, noffset, prop_name, buf, size);
- free(buf);
- BN_free(tmp);
- BN_free(big2);
- BN_free(big32);
- BN_free(big2_32);
-
- return ret ? -FDT_ERR_NOSPACE : 0;
-}
-
int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
{
BIGNUM *modulus, *r_squared;
diff --git a/tools/Makefile b/tools/Makefile
index b1595ad814..af7698fd01 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -106,6 +106,7 @@ dumpimage-mkimage-objs := aisimage.o \
socfpgaimage.o \
lib/crc16.o \
lib/hash-checksum.o \
+ lib/fdt-libcrypto.o \
lib/sha1.o \
lib/sha256.o \
lib/sha512.o \
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v3 3/6] lib: Add support for ECDSA image signing
2021-01-07 22:33 [PATCH v3 0/6] Add support for ECDSA image signing (with test) Alexandru Gagniuc
2021-01-07 22:33 ` [PATCH v3 1/6] lib: Rename rsa-checksum.c to hash-checksum.c Alexandru Gagniuc
2021-01-07 22:33 ` [PATCH v3 2/6] lib/rsa: Make fdt_add_bignum() available outside of RSA code Alexandru Gagniuc
@ 2021-01-07 22:33 ` Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
2021-01-07 22:33 ` [PATCH v3 4/6] doc: signature.txt: Document devicetree format for ECDSA keys Alexandru Gagniuc
` (2 subsequent siblings)
5 siblings, 1 reply; 14+ messages in thread
From: Alexandru Gagniuc @ 2021-01-07 22:33 UTC (permalink / raw)
To: u-boot
mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
now supporting hardware-accelerated ECDSA, it makes sense to expand
signing support to elliptic curves.
Implement host-side ECDSA signing and verification with libcrypto.
Device-side implementation of signature verification is beyond the
scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
---
common/image-sig.c | 11 +-
include/image.h | 3 +
include/u-boot/ecdsa.h | 94 +++++++++++
lib/ecdsa/ecdsa-libcrypto.c | 306 ++++++++++++++++++++++++++++++++++++
tools/Makefile | 3 +
5 files changed, 415 insertions(+), 2 deletions(-)
create mode 100644 include/u-boot/ecdsa.h
create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
diff --git a/common/image-sig.c b/common/image-sig.c
index 21dafe6b91..4b7d01f6c2 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -15,6 +15,7 @@
DECLARE_GLOBAL_DATA_PTR;
#endif /* !USE_HOSTCC*/
#include <image.h>
+#include <u-boot/ecdsa.h>
#include <u-boot/rsa.h>
#include <u-boot/hash-checksum.h>
@@ -82,8 +83,14 @@ struct crypto_algo crypto_algos[] = {
.sign = rsa_sign,
.add_verify_data = rsa_add_verify_data,
.verify = rsa_verify,
- }
-
+ },
+ {
+ .name = "ecdsa256",
+ .key_len = ECDSA256_BYTES,
+ .sign = ecdsa_sign,
+ .add_verify_data = ecdsa_add_verify_data,
+ .verify = ecdsa_verify,
+ },
};
struct padding_algo padding_algos[] = {
diff --git a/include/image.h b/include/image.h
index a55b11b3ae..6628173dca 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1199,16 +1199,19 @@ int calculate_hash(const void *data, int data_len, const char *algo,
# if defined(CONFIG_FIT_SIGNATURE)
# define IMAGE_ENABLE_SIGN 1
# define IMAGE_ENABLE_VERIFY 1
+# define IMAGE_ENABLE_VERIFY_ECDSA 1
# define FIT_IMAGE_ENABLE_VERIFY 1
# include <openssl/evp.h>
# else
# define IMAGE_ENABLE_SIGN 0
# define IMAGE_ENABLE_VERIFY 0
+# define IMAGE_ENABLE_VERIFY_ECDSA 0
# define FIT_IMAGE_ENABLE_VERIFY 0
# endif
#else
# define IMAGE_ENABLE_SIGN 0
# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA 0
# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
#endif
diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
new file mode 100644
index 0000000000..979690d966
--- /dev/null
+++ b/include/u-boot/ecdsa.h
@@ -0,0 +1,94 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc <mr.nuke.me@gmail.com>.
+ */
+
+#ifndef _ECDSA_H
+#define _ECDSA_H
+
+#include <errno.h>
+#include <image.h>
+#include <linux/kconfig.h>
+
+/**
+ * crypto_algo API impementation for ECDSA;
+ * @see "struct crypto_algo"
+ * @{
+ */
+#if IMAGE_ENABLE_SIGN
+/**
+ * sign() - calculate and return signature for given input data
+ *
+ * @info: Specifies key and FIT information
+ * @data: Pointer to the input data
+ * @data_len: Data length
+ * @sigp: Set to an allocated buffer holding the signature
+ * @sig_len: Set to length of the calculated hash
+ *
+ * This computes input data signature according to selected algorithm.
+ * Resulting signature value is placed in an allocated buffer, the
+ * pointer is returned as *sigp. The length of the calculated
+ * signature is returned via the sig_len pointer argument. The caller
+ * should free *sigp.
+ *
+ * @return: 0, on success, -ve on error
+ */
+int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
+ int region_count, uint8_t **sigp, uint *sig_len);
+
+/**
+ * add_verify_data() - Add verification information to FDT
+ *
+ * Add public key information to the FDT node, suitable for
+ * verification at run-time. The information added depends on the
+ * algorithm being used. I just copypasted this from rsa.h.
+ *
+ * @info: Specifies key and FIT information
+ * @keydest: Destination FDT blob for public key data
+ * @return: 0, on success, -ENOSPC if the keydest FDT blob ran out of space,
+ * other -ve value on error
+ */
+int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest);
+#else
+static inline
+int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
+ int region_count, uint8_t **sigp, uint *sig_len)
+{
+ return -ENXIO;
+}
+
+static inline
+int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest)
+{
+ return -ENXIO;
+}
+#endif
+
+#if IMAGE_ENABLE_VERIFY_ECDSA
+/**
+ * verify() - Verify a signature against some data
+ *
+ * @info: Specifies key and FIT information
+ * @data: Pointer to the input data
+ * @data_len: Data length
+ * @sig: Signature
+ * @sig_len: Number of bytes in signature
+ * @return 0 if verified, -ve on error
+ */
+int ecdsa_verify(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len);
+#else
+static inline
+int ecdsa_verify(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len)
+{
+ return -ENXIO;
+}
+#endif
+/** @} */
+
+#define ECDSA256_BYTES (256 / 8)
+
+#endif
diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c
new file mode 100644
index 0000000000..c8076896d8
--- /dev/null
+++ b/lib/ecdsa/ecdsa-libcrypto.c
@@ -0,0 +1,306 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * ECDSA image signing implementation using libcrypto backend
+ *
+ * The signature is a binary representation of the (R, S) points, padded to the
+ * key size. The signature will be (2 * key_size_bits) / 8 bytes.
+ *
+ * Deviations from behavior of RSA equivalent:
+ * - Verification uses private key. This is not technically required, but a
+ * limitation on how clumsy the openssl API is to use.
+ * - Handling of keys and key paths:
+ * - The '-K' key directory option must contain path to the key file,
+ * instead of the key directory.
+ * - No assumptions are made about the file extension of the key
+ * - The 'key-name-hint' property is only used for naming devicetree nodes,
+ * but is not used for looking up keys on the filesystem.
+ *
+ * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com>
+ */
+
+#include <u-boot/ecdsa.h>
+#include <u-boot/fdt-libcrypto.h>
+#include <openssl/ssl.h>
+#include <openssl/ec.h>
+#include <openssl/bn.h>
+
+/* Image signing context for openssl-libcrypto */
+struct signer {
+ EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */
+ EC_KEY *ecdsa_key; /* Pointer to EC_KEY object */
+ void *hash; /* Pointer to hash used for verification */
+ void *signature; /* Pointer to output signature. Do not free()!*/
+};
+
+static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info)
+{
+ memset(ctx, 0, sizeof(*ctx));
+
+ if (!OPENSSL_init_ssl(0, NULL)) {
+ fprintf(stderr, "Failure to init SSL library\n");
+ return -1;
+ }
+
+ ctx->hash = malloc(info->checksum->checksum_len);
+ ctx->signature = malloc(info->crypto->key_len * 2);
+
+ if (!ctx->hash || !ctx->signature)
+ return -ENOMEM;
+
+ return 0;
+}
+
+static void free_ctx(struct signer *ctx)
+{
+ if (ctx->ecdsa_key)
+ EC_KEY_free(ctx->ecdsa_key);
+
+ if (ctx->evp_key)
+ EVP_PKEY_free(ctx->evp_key);
+
+ if (ctx->hash)
+ free(ctx->hash);
+}
+
+/*
+ * Convert an ECDSA signature to raw format
+ *
+ * openssl DER-encodes 'binary' signatures. We want the signature in a raw
+ * (R, S) point pair. So we have to dance a bit.
+ */
+static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order)
+{
+ int point_bytes = order;
+ const BIGNUM *r, *s;
+ uintptr_t s_buf;
+
+ ECDSA_SIG_get0(sig, &r, &s);
+ s_buf = (uintptr_t)buf + point_bytes;
+ BN_bn2binpad(r, buf, point_bytes);
+ BN_bn2binpad(s, (void *)s_buf, point_bytes);
+}
+
+/* Get a signature from a raw encoding */
+static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order)
+{
+ int point_bytes = order;
+ uintptr_t s_buf;
+ ECDSA_SIG *sig;
+ BIGNUM *r, *s;
+
+ sig = ECDSA_SIG_new();
+ if (!sig)
+ return NULL;
+
+ s_buf = (uintptr_t)buf + point_bytes;
+ r = BN_bin2bn(buf, point_bytes, NULL);
+ s = BN_bin2bn((void *)s_buf, point_bytes, NULL);
+ ECDSA_SIG_set0(sig, r, s);
+
+ return sig;
+}
+
+/* ECDSA key size in bytes */
+static size_t ecdsa_key_size_bytes(const EC_KEY *key)
+{
+ const EC_GROUP *group;
+
+ group = EC_KEY_get0_group(key);
+ return EC_GROUP_order_bits(group) / 8;
+}
+
+static int read_key(struct signer *ctx, const char *key_name)
+{
+ FILE *f = fopen(key_name, "r");
+
+ if (!f) {
+ fprintf(stderr, "Can not get key file '%s'\n", key_name);
+ return -ENOENT;
+ }
+
+ ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
+ fclose(f);
+ if (!ctx->evp_key) {
+ fprintf(stderr, "Can not read key from '%s'\n", key_name);
+ return -EIO;
+ }
+
+ if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) {
+ fprintf(stderr, "'%s' is not an ECDSA key\n", key_name);
+ return -EINVAL;
+ }
+
+ ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key);
+ if (!ctx->ecdsa_key)
+ fprintf(stderr, "Can not extract ECDSA key\n");
+
+ return (ctx->ecdsa_key) ? 0 : -EINVAL;
+}
+
+/* Prepare a 'signer' context that's ready to sign and verify. */
+static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info)
+{
+ const char *kname = info->keydir;
+ int key_len_bytes, ret;
+
+ ret = alloc_ctx(ctx, info);
+ if (ret)
+ return log_msg_ret("alloc", ret);
+
+ ret = read_key(ctx, kname);
+ if (ret)
+ return log_msg_ret("read", ret);
+
+ key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key);
+ if (key_len_bytes != info->crypto->key_len) {
+ fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n",
+ info->crypto->key_len * 8, key_len_bytes * 8);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int do_sign(struct signer *ctx, struct image_sign_info *info,
+ const struct image_region region[], int region_count)
+{
+ const struct checksum_algo *algo = info->checksum;
+ ECDSA_SIG *sig;
+
+ algo->calculate(algo->name, region, region_count, ctx->hash);
+ sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key);
+
+ ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len);
+
+ return 0;
+}
+
+static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info)
+{
+ ECDSA_SIG *sig;
+ int okay;
+
+ sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len);
+ if (!sig)
+ return -ENOMEM;
+
+ okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len,
+ sig, ctx->ecdsa_key);
+ if (!okay)
+ fprintf(stderr, "WARNING: Signature is fake news!\n");
+
+ ECDSA_SIG_free(sig);
+ return !okay;
+}
+
+static int do_verify(struct signer *ctx, struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *raw_sig, uint sig_len)
+{
+ const struct checksum_algo *algo = info->checksum;
+
+ if (sig_len != info->crypto->key_len * 2) {
+ fprintf(stderr, "Signature has wrong length\n");
+ return -EINVAL;
+ }
+
+ memcpy(ctx->signature, raw_sig, sig_len);
+ algo->calculate(algo->name, region, region_count, ctx->hash);
+
+ return ecdsa_check_signature(ctx, info);
+}
+
+int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
+ int region_count, uint8_t **sigp, uint *sig_len)
+{
+ struct signer ctx;
+ int ret;
+
+ ret = prepare_ctx(&ctx, info);
+ if (ret >= 0) {
+ do_sign(&ctx, info, region, region_count);
+ *sigp = ctx.signature;
+ *sig_len = info->crypto->key_len * 2;
+
+ ret = ecdsa_check_signature(&ctx, info);
+ }
+
+ free_ctx(&ctx);
+ return ret;
+}
+
+int ecdsa_verify(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len)
+{
+ struct signer ctx;
+ int ret;
+
+ ret = prepare_ctx(&ctx, info);
+ if (ret >= 0)
+ ret = do_verify(&ctx, info, region, region_count, sig, sig_len);
+
+ free_ctx(&ctx);
+ return ret;
+}
+
+static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
+{
+ int signature_node, key_node, ret, key_bits;
+ const char *curve_name;
+ const EC_GROUP *group;
+ const EC_POINT *point;
+ BIGNUM *x, *y;
+
+ signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME);
+ if (signature_node < 0) {
+ fprintf(stderr, "Could not find 'signature node: %s\n",
+ fdt_strerror(signature_node));
+ return signature_node;
+ }
+
+ key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
+ if (key_node < 0) {
+ fprintf(stderr, "Could not create '%s' node: %s\n",
+ key_node_name, fdt_strerror(key_node));
+ return key_node;
+ }
+
+ group = EC_KEY_get0_group(ctx->ecdsa_key);
+ key_bits = EC_GROUP_order_bits(group);
+ curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group));
+ /* Let 'x' and 'y' memory leak by not BN_free()'ing them. */
+ x = BN_new();
+ y = BN_new();
+ point = EC_KEY_get0_public_key(ctx->ecdsa_key);
+ EC_POINT_get_affine_coordinates(group, point, x, y, NULL);
+
+ ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name);
+ if (ret < 0)
+ return ret;
+
+ ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits);
+ if (ret < 0)
+ return ret;
+
+ ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits);
+ if (ret < 0)
+ return ret;
+
+ return 0;
+}
+
+int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt)
+{
+ const char *fdt_key_name;
+ struct signer ctx;
+ int ret;
+
+ fdt_key_name = info->keyname ? info->keyname : "default-key";
+ ret = prepare_ctx(&ctx, info);
+ if (ret >= 0)
+ do_add(&ctx, fdt, fdt_key_name);
+
+ free_ctx(&ctx);
+ return ret;
+}
diff --git a/tools/Makefile b/tools/Makefile
index af7698fd01..a4f7b7e80c 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -70,6 +70,8 @@ RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/rsa/, \
rsa-sign.o rsa-verify.o \
rsa-mod-exp.o)
+ECDSA_OBJS-$(CONFIG_FIT_SIGNATURE) := $(addprefix lib/ecdsa/, ecdsa-libcrypto.o)
+
AES_OBJS-$(CONFIG_FIT_CIPHER) := $(addprefix lib/aes/, \
aes-encrypt.o aes-decrypt.o)
@@ -119,6 +121,7 @@ dumpimage-mkimage-objs := aisimage.o \
gpimage.o \
gpimage-common.o \
mtk_image.o \
+ $(ECDSA_OBJS-y) \
$(RSA_OBJS-y) \
$(AES_OBJS-y)
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v3 6/6] test/py: ecdsa: Add test for mkimage ECDSA signing
2021-01-07 22:33 [PATCH v3 0/6] Add support for ECDSA image signing (with test) Alexandru Gagniuc
` (4 preceding siblings ...)
2021-01-07 22:33 ` [PATCH v3 5/6] test/py: Add pycryptodomex to list of required pakages Alexandru Gagniuc
@ 2021-01-07 22:33 ` Alexandru Gagniuc
2021-01-13 16:10 ` Simon Glass
5 siblings, 1 reply; 14+ messages in thread
From: Alexandru Gagniuc @ 2021-01-07 22:33 UTC (permalink / raw)
To: u-boot
Add a test to make sure that the ECDSA signatures generated by
mkimage can be verified successfully. pyCryptodomex was chosen as the
crypto library because it integrates much better with python code.
Using openssl would have been unnecessarily painful.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
---
test/py/tests/test_fit_ecdsa.py | 111 ++++++++++++++++++++++++++++++++
1 file changed, 111 insertions(+)
create mode 100644 test/py/tests/test_fit_ecdsa.py
diff --git a/test/py/tests/test_fit_ecdsa.py b/test/py/tests/test_fit_ecdsa.py
new file mode 100644
index 0000000000..6cadb0cbb5
--- /dev/null
+++ b/test/py/tests/test_fit_ecdsa.py
@@ -0,0 +1,111 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (c) 2020,2021 Alexandru Gagniuc <mr.nuke.me@gmail.com>
+
+"""
+Test ECDSA signing of FIT images
+
+This test uses mkimage to sign an existing FIT image with an ECDSA key. The
+signature is then extracted, and verified against pyCryptodome.
+This test doesn't run the sandbox. It only checks the host tool 'mkimage'
+"""
+
+import pytest
+import u_boot_utils as util
+from Cryptodome.Hash import SHA256
+from Cryptodome.PublicKey import ECC
+from Cryptodome.Signature import DSS
+
+class SignableFitImage(object):
+ """ Helper to manipulate a FIT image on disk """
+ def __init__(self, cons, file_name):
+ self.fit = file_name
+ self.cons = cons
+ self.signable_nodes = set()
+
+ def __fdt_list(self, path):
+ return util.run_and_log(self.cons, f'fdtget -l {self.fit} {path}')
+
+ def __fdt_set(self, node, **prop_value):
+ for prop, value in prop_value.items():
+ util.run_and_log(self.cons, f'fdtput -ts {self.fit} {node} {prop} {value}')
+
+ def __fdt_get_binary(self, node, prop):
+ numbers = util.run_and_log(self.cons, f'fdtget -tbi {self.fit} {node} {prop}')
+
+ bignum = bytearray()
+ for little_num in numbers.split():
+ bignum.append(int(little_num))
+
+ return bignum
+
+ def find_signable_image_nodes(self):
+ for node in self.__fdt_list('/images').split():
+ image = f'/images/{node}'
+ if 'signature' in self.__fdt_list(image):
+ self.signable_nodes.add(image)
+
+ return self.signable_nodes
+
+ def change_signature_algo_to_ecdsa(self):
+ for image in self.signable_nodes:
+ self.__fdt_set(f'{image}/signature', algo='sha256,ecdsa256')
+
+ def sign(self, mkimage, key_file):
+ util.run_and_log(self.cons, [mkimage, '-F', self.fit, f'-k{key_file}'])
+
+ def check_signatures(self, key):
+ for image in self.signable_nodes:
+ raw_sig = self.__fdt_get_binary(f'{image}/signature', 'value')
+ raw_bin = self.__fdt_get_binary(image, 'data')
+
+ sha = SHA256.new(raw_bin)
+ verifier = DSS.new(key, 'fips-186-3')
+ verifier.verify(sha, bytes(raw_sig))
+
+
+ at pytest.mark.buildconfigspec('fit_signature')
+ at pytest.mark.requiredtool('dtc')
+ at pytest.mark.requiredtool('fdtget')
+ at pytest.mark.requiredtool('fdtput')
+def test_fit_ecdsa(u_boot_console):
+ """ Test that signatures generated by mkimage are legible. """
+ def generate_ecdsa_key():
+ return ECC.generate(curve='prime256v1')
+
+ def assemble_fit_image(dest_fit, its, destdir):
+ dtc_args = f'-I dts -O dtb -i {destdir}'
+ util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', its, dest_fit])
+
+ def dtc(dts):
+ dtb = dts.replace('.dts', '.dtb')
+ util.run_and_log(cons, f'dtc {datadir}/{dts} -O dtb -o {tempdir}/{dtb}')
+
+ cons = u_boot_console
+ mkimage = cons.config.build_dir + '/tools/mkimage'
+ datadir = cons.config.source_dir + '/test/py/tests/vboot/'
+ tempdir = cons.config.result_dir
+ key_file = f'{tempdir}/ecdsa-test-key.pem'
+ fit_file = f'{tempdir}/test.fit'
+ dtc('sandbox-kernel.dts')
+
+ key = generate_ecdsa_key()
+
+ # Create a fake kernel image -- zeroes will do just fine
+ with open(f'{tempdir}/test-kernel.bin', 'w') as fd:
+ fd.write(500 * chr(0))
+
+ # invokations of mkimage expect to read the key from disk
+ with open(key_file, 'w') as f:
+ f.write(key.export_key(format='PEM'))
+
+ assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256.its', tempdir)
+
+ fit = SignableFitImage(cons, fit_file)
+ nodes = fit.find_signable_image_nodes()
+ if len(nodes) == 0:
+ raise ValueError('FIT image has no "/image" nodes with "signature"')
+
+ fit.change_signature_algo_to_ecdsa()
+ fit.sign(mkimage, key_file)
+ fit.check_signatures(key)
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread