From: Ruchika Gupta <ruchika.gupta@nxp.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 3/4] SECURE BOOT: separate function created for signature
Date: Fri, 15 Jan 2016 07:07:57 +0000 [thread overview]
Message-ID: <VI1PR04MB1247179DEACF6834EFF940B7E5CD0@VI1PR04MB1247.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <1449564255-13596-4-git-send-email-aneesh.bansal@freescale.com>
> -----Original Message-----
> From: Aneesh Bansal
> Sent: Tuesday, December 08, 2015 2:14 PM
> To: u-boot at lists.denx.de
> Cc: Yusong Sun <yorksun@freescale.com>; Ruchika Gupta
> <ruchika.gupta@freescale.com>; Prabhakar Kushwaha
> <prabhakar@freescale.com>; Aneesh Bansal
> <aneesh.bansal@freescale.com>; Saksham Jain <saksham@freescale.com>
> Subject: [PATCH 3/4] SECURE BOOT: separate function created for signature
>
> The code for image hash calculation, hash calculation from RSA signature and
> comparison of hashes has been mobed to a separate function.
>
> Signed-off-by: Saksham Jain <saksham@freescale.com>
> Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
> ---
> board/freescale/common/fsl_validate.c | 98 +++++++++++++++++++-----------
> -----
> 1 file changed, 54 insertions(+), 44 deletions(-)
>
> diff --git a/board/freescale/common/fsl_validate.c
> b/board/freescale/common/fsl_validate.c
> index ef7a5ae..08a2f79 100644
> --- a/board/freescale/common/fsl_validate.c
> +++ b/board/freescale/common/fsl_validate.c
> @@ -721,6 +721,58 @@ static inline int str2longbe(const char *p, ulong
> *num)
>
> return *p != '\0' && *endptr == '\0';
> }
> +/* Function to calculate the ESBC Image Hash
> + * and hash from Digital signature.
> + * The Two hash's are compared to yield the
> + * result of signature validation.
> + */
> +static int calculate_cmp_img_sig(struct fsl_secboot_img_priv *img) {
> + int ret;
> + uint32_t key_len;
> + struct key_prop prop;
> +#if !defined(USE_HOSTCC)
> + struct udevice *mod_exp_dev;
> +#endif
> + ret = calc_esbchdr_esbc_hash(img);
> + if (ret)
> + return ret;
> +
> + /* Construct encoded hash EM' wrt PKCSv1.5 */
> + construct_img_encoded_hash_second(img);
> +
> + /* Fill prop structure for public key */
> + memset(&prop, 0, sizeof(struct key_prop));
> + key_len = get_key_len(img) / 2;
> + prop.modulus = img->img_key;
> + prop.public_exponent = img->img_key + key_len;
> + prop.num_bits = key_len * 8;
> + prop.exp_len = key_len;
> +
> + ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
> + if (ret) {
> + printf("RSA: Can't find Modular Exp implementation\n");
> + return -EINVAL;
> + }
> +
> + ret = rsa_mod_exp(mod_exp_dev, img->img_sign, img->hdr.sign_len,
> + &prop, img->img_encoded_hash);
> + if (ret)
> + return ret;
> +
> + /*
> + * compare the encoded messages EM' and EM wrt RSA PKCSv1.5
> + * memcmp returns zero on success
> + * memcmp returns non-zero on failure
> + */
> + ret = memcmp(&img->img_encoded_hash_second, &img-
> >img_encoded_hash,
> + img->hdr.sign_len);
> +
> + if (ret)
> + return ERROR_ESBC_CLIENT_HASH_COMPARE_EM;
> +
> + return 0;
> +}
>
> int fsl_secboot_validate(ulong haddr, char *arg_hash_str) { @@ -732,11
> +784,6 @@ int fsl_secboot_validate(ulong haddr, char *arg_hash_str)
> void *esbc;
> int ret, i, hash_cmd = 0;
> u32 srk_hash[8];
> - uint32_t key_len;
> - struct key_prop prop;
> -#if !defined(USE_HOSTCC)
> - struct udevice *mod_exp_dev;
> -#endif
>
> if (arg_hash_str != NULL) {
> const char *cp = arg_hash_str;
> @@ -821,46 +868,9 @@ int fsl_secboot_validate(ulong haddr, char
> *arg_hash_str)
> goto exit;
> }
>
> - ret = calc_esbchdr_esbc_hash(img);
> - if (ret) {
> - fsl_secblk_handle_error(ret);
> - goto exit;
> - }
> -
> - /* Construct encoded hash EM' wrt PKCSv1.5 */
> - construct_img_encoded_hash_second(img);
> -
> - /* Fill prop structure for public key */
> - memset(&prop, 0, sizeof(struct key_prop));
> - key_len = get_key_len(img) / 2;
> - prop.modulus = img->img_key;
> - prop.public_exponent = img->img_key + key_len;
> - prop.num_bits = key_len * 8;
> - prop.exp_len = key_len;
> -
> - ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
> - if (ret) {
> - printf("RSA: Can't find Modular Exp implementation\n");
> - return -EINVAL;
> - }
> -
> - ret = rsa_mod_exp(mod_exp_dev, img->img_sign, img->hdr.sign_len,
> - &prop, img->img_encoded_hash);
> - if (ret) {
> - fsl_secblk_handle_error(ret);
> - goto exit;
> - }
> -
> - /*
> - * compare the encoded messages EM' and EM wrt RSA PKCSv1.5
> - * memcmp returns zero on success
> - * memcmp returns non-zero on failure
> - */
> - ret = memcmp(&img->img_encoded_hash_second, &img-
> >img_encoded_hash,
> - img->hdr.sign_len);
> -
> + ret = calculate_cmp_img_sig(img);
> if (ret) {
> -
> fsl_secboot_handle_error(ERROR_ESBC_CLIENT_HASH_COMPARE_E
> M);
> + fsl_secboot_handle_error(ret);
> goto exit;
> }
>
> --
> 1.8.1.4
Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
next prev parent reply other threads:[~2016-01-15 7:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 8:44 [U-Boot] [PATCH 0/4] SECURE BOOT: support image validation before U-Boot completion Aneesh Bansal
2015-12-08 8:44 ` [U-Boot] [PATCH 1/4] SECURE BOOT: change prototype of fsl_secboot_validate function Aneesh Bansal
2016-01-15 7:07 ` Ruchika Gupta
2016-01-27 16:48 ` york sun
2015-12-08 8:44 ` [U-Boot] [PATCH 2/4] SECURE BOOT: separate functions for reading keys Aneesh Bansal
2016-01-15 7:07 ` Ruchika Gupta
2016-01-27 16:48 ` york sun
2015-12-08 8:44 ` [U-Boot] [PATCH 3/4] SECURE BOOT: separate function created for signature Aneesh Bansal
2016-01-15 7:07 ` Ruchika Gupta [this message]
2016-01-27 16:49 ` york sun
2015-12-08 8:44 ` [U-Boot] [PATCH 4/4] SECURE BOOT: support for validation of dynamic image Aneesh Bansal
2016-01-15 7:08 ` Ruchika Gupta
2016-01-27 16:49 ` york sun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=VI1PR04MB1247179DEACF6834EFF940B7E5CD0@VI1PR04MB1247.eurprd04.prod.outlook.com \
--to=ruchika.gupta@nxp.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.