From mboxrd@z Thu Jan 1 00:00:00 1970 From: Simon Glass Date: Thu, 4 Dec 2014 17:06:03 -0700 Subject: [U-Boot] Hi Simon, Problems about RSA public exponents for verified boot In-Reply-To: References: <1C178FD3E32FB24C8B1881FDCC155D8F8FAB4C15@SZXEMA502-MBX.china.huawei.com> Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi, On 4 December 2014 at 01:38, Michael van der Westhuizen wrote: > Hi All, > > Apologies for the delayed response, I?ve been on vacation. > > Since this was working for you (Duxiaoqiang) previously it suggests that you are using the default public exponent. If this is still the case you could, as a temporary workaround, remove the public exponent from your public key data to avoid executing the code causing the abort. > > Simon: Yes, we?ll need an alignment-safe version of fdt64_to_cpu. OK, if someone can test and send a patch I can apply it. Regards, Simon > > Michael > >> On 02 Dec 2014, at 12:31 AM, Simon Glass wrote: >> >> +Michael, U-Boot mailing list >> >> Hi, >> >> On 30 November 2014 at 19:26, Duxiaoqiang wrote: >>> >>> Hi Simon >>> >>> >>> >>> When I test verified boot with new version of U-boot and new version of mkimage, I encountered a alignment problem about RSA public key exponents. >>> >>> >>> >>> I tested verified boot successful few months ago with version of 2014.07-rc4, but failed with the same configuration and operations this time. >>> >>> >>> >>> Problem logs as below: >>> >>> >>> >>> >>> >>> I debug this problem and noticed that the problem was caused by pulic_exponent?s address: 0xff78a04c, this address was not aligned to 8 byte, but this address was pointed by a uint64 * type of pointer. >>> >>> Panic happened in function rsa_verify_with_keynode, just as below: >>> >>> >>> >>> By compared the u-boot.dtb file that signed with RSA public key, I noticed that there are differences about PUBLIC_EXPONENT. >>> >>> With the older version of mkimage, there?s no public exponent section. And this problem only happens when I use the new version of mkimage tool. >>> >>> >>> >>> I also checked uboot?s code, it seems that there?s lack of mechanism to guarantee the alignment about public exponent section. >>> >>> >>> >>> Can you give some suggestions about this problem. Appreciate your time. >> >> Copying Michael. Perhaps we need a safer version of fdt64_to_cpu()? >> >> But you might be the first to run this on aarch64. I have not tried it >> yet, but I do now have a platform. >> >> Regards, >> Simon >