[U-Boot] [PATCH v4 0/6] rsa: extend rsa_verify() for UEFI secure boot

[U-Boot] [PATCH v4 0/6] rsa: extend rsa_verify() for UEFI secure boot

[AKASHI Takahiro]

# This patch set is a prerequisite for UEFI secure boot.

The current rsa_verify() requires five parameters for a RSA public key
for efficiency while RSA, in theory, requires only two. In addition,
those parameters are expected to come from FIT image.

So this function won't fit very well when we want to use it for the purpose
of implementing UEFI secure boot, in particular, image authentication
as well as variable authentication, where the essential two parameters
are set to be retrieved from one of X509 certificates in signature
database.

So, in this patch, additional three parameters will be calculated
on the fly when rsa_verify() is called without fdt which should contain
parameters above.

This calculation heavily relies on "big-number (or multi-precision)
library." Therefore some routines from BearSSL[1] under MIT license are
imported in this implementation. See Patch#4.
# Please let me know if this is not appropriate.

Prerequisite:
* public key parser in my "import x509/pkcs7 parser" patch[2]

# Checkpatch will complain with lots of warnings/errors, but
# I intentionally don't fix them for maximum maintainability.

  [1] https://bearssl.org/
  [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html

Changes in v4 (Nov 21, 2019)
* rebased to v2020.01-rc3
* change a function prototype of rsa_gen_key_prop() to return an error
  code (patch#4,#5)
* re-order include files in alphabetical order (patch#6)
* add some comments per Simon's review comments

Changes in v3 (Nov 13, 2019)
* remove RSA_VERIFY_WITH_PKEY, which is to be added in patch#2 (patch#1)
* modify unit test Kconfg due to removal of test/lib/Kconfig (patch#6)

Changes in v2 (Oct 29, 2019)
* fix build errors at Travis CI
* not include linux/kconfig.h (patch#1)
* add a separate patch for adding CONFIG_RSA_VERIFY_WITH_PKEY (patch#2)
* take a prerequisite patch from my "secure boot patch" (patch#3)
* add a dependency on RSA_PUBLIC_KEY_PARSER (patch#4)
* remove "inline" directives (patch#4)
* add function descriptions, which mostly come from BearSSL's src/inner.h
  (patch#4)
* improve Kconfig help text after Simon's comment (patch#5)
* add function description of rsa_verify_with_pkey() (patch#5)
* modify rsa_verify() to use "if (CONFIG_IS_ENABLED(...) " style
  rather than "#ifdef CONFIG_..." (patch#5)
* add function tests (patch#6)

Changes in v1 (Oct 9, 2019)
* fix a build error on pine64-lts_defconfig (reported by Heinrich)
  by defining FIT_IMAGE_ENABLE_VERIFY flag and adding
  SPL_RSA_VERIFY config (patch#1)
* remove FIT-specific code from image-sig.c and put them to new
  image-fit-sig.c to allow us to disable CONFIG_FIT_SIGNATURE (patch#1)
* compile rsa-keyprop.c only if necessary (i.e. if
  CONFIG_RSA_VERIFY_WITH_PKEY) (patch#2)
* add SPDX license identifier in rsa-keyprop.c (patch#2)
* include <common.h> instead of <stdio.h> (patch#2)
* use U-Boot's byteorder helper functions instead of BearSSL's (patch#2)

AKASHI Takahiro (6):
  lib: rsa: decouple rsa from FIT image verification
  rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config
  include: image.h: add key info to image_sign_info
  lib: rsa: generate additional parameters for public key
  lib: rsa: add rsa_verify_with_pkey()
  test: add rsa_verify() unit test

 Kconfig                      |   1 +
 common/Makefile              |   3 +-
 common/image-fit-sig.c       | 417 ++++++++++++++++++++
 common/image-fit.c           |   6 +-
 common/image-sig.c           | 396 -------------------
 include/image.h              |  20 +-
 include/u-boot/rsa-mod-exp.h |  23 ++
 lib/rsa/Kconfig              |  27 ++
 lib/rsa/Makefile             |   3 +-
 lib/rsa/rsa-keyprop.c        | 725 +++++++++++++++++++++++++++++++++++
 lib/rsa/rsa-verify.c         | 137 +++++--
 test/Kconfig                 |  12 +
 test/lib/Makefile            |   1 +
 test/lib/rsa.c               | 206 ++++++++++
 tools/Makefile               |   2 +-
 15 files changed, 1544 insertions(+), 435 deletions(-)
 create mode 100644 common/image-fit-sig.c
 create mode 100644 lib/rsa/rsa-keyprop.c
 create mode 100644 test/lib/rsa.c

-- 
2.21.0

[U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification

[AKASHI Takahiro]

Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 Kconfig                |   1 +
 common/Makefile        |   3 +-
 common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
 common/image-fit.c     |   6 +-
 common/image-sig.c     | 396 --------------------------------------
 include/image.h        |  13 +-
 lib/rsa/Kconfig        |  12 ++
 lib/rsa/Makefile       |   2 +-
 lib/rsa/rsa-verify.c   |  78 +++++---
 tools/Makefile         |   2 +-
 10 files changed, 493 insertions(+), 437 deletions(-)
 create mode 100644 common/image-fit-sig.c

diff --git a/Kconfig b/Kconfig
index 66b059f749a7..63690514b261 100644
--- a/Kconfig
+++ b/Kconfig
@@ -417,6 +417,7 @@ config SPL_FIT_SIGNATURE
 	depends on SPL_DM
 	select SPL_FIT
 	select SPL_RSA
+	select SPL_RSA_VERIFY
 
 config SPL_LOAD_FIT
 	bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
diff --git a/common/Makefile b/common/Makefile
index 302d8beaf356..d66c0068bb88 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -112,7 +112,8 @@ obj-$(CONFIG_ANDROID_BOOT_IMAGE) += image-android.o
 obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += image-fdt.o
 obj-$(CONFIG_$(SPL_TPL_)FIT) += image-fit.o
 obj-$(CONFIG_$(SPL_)MULTI_DTB_FIT) += boot_fit.o common_fit.o
-obj-$(CONFIG_$(SPL_TPL_)FIT_SIGNATURE) += image-sig.o
+obj-$(CONFIG_$(SPL_)RSA_VERIFY) += image-sig.o
+obj-$(CONFIG_$(SPL_TPL_)FIT_SIGNATURE) += image-fit-sig.o
 obj-$(CONFIG_IO_TRACE) += iotrace.o
 obj-y += memsize.o
 obj-y += stdio.o
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
new file mode 100644
index 000000000000..f6caeb0c5901
--- /dev/null
+++ b/common/image-fit-sig.c
@@ -0,0 +1,417 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2013, Google Inc.
+ */
+
+#ifdef USE_HOSTCC
+#include "mkimage.h"
+#include <time.h>
+#else
+#include <common.h>
+#include <malloc.h>
+DECLARE_GLOBAL_DATA_PTR;
+#endif /* !USE_HOSTCC*/
+#include <image.h>
+#include <u-boot/rsa.h>
+#include <u-boot/rsa-checksum.h>
+
+#define IMAGE_MAX_HASHED_NODES		100
+
+#ifdef USE_HOSTCC
+void *host_blob;
+
+void image_set_host_blob(void *blob)
+{
+	host_blob = blob;
+}
+
+void *image_get_host_blob(void)
+{
+	return host_blob;
+}
+#endif
+
+/**
+ * fit_region_make_list() - Make a list of image regions
+ *
+ * Given a list of fdt_regions, create a list of image_regions. This is a
+ * simple conversion routine since the FDT and image code use different
+ * structures.
+ *
+ * @fit: FIT image
+ * @fdt_regions: Pointer to FDT regions
+ * @count: Number of FDT regions
+ * @region: Pointer to image regions, which must hold @count records. If
+ * region is NULL, then (except for an SPL build) the array will be
+ * allocated.
+ * @return: Pointer to image regions
+ */
+struct image_region *fit_region_make_list(const void *fit,
+					  struct fdt_region *fdt_regions,
+					  int count,
+					  struct image_region *region)
+{
+	int i;
+
+	debug("Hash regions:\n");
+	debug("%10s %10s\n", "Offset", "Size");
+
+	/*
+	 * Use malloc() except in SPL (to save code size). In SPL the caller
+	 * must allocate the array.
+	 */
+#ifndef CONFIG_SPL_BUILD
+	if (!region)
+		region = calloc(sizeof(*region), count);
+#endif
+	if (!region)
+		return NULL;
+	for (i = 0; i < count; i++) {
+		debug("%10x %10x\n", fdt_regions[i].offset,
+		      fdt_regions[i].size);
+		region[i].data = fit + fdt_regions[i].offset;
+		region[i].size = fdt_regions[i].size;
+	}
+
+	return region;
+}
+
+static int fit_image_setup_verify(struct image_sign_info *info,
+				  const void *fit, int noffset,
+				  int required_keynode, char **err_msgp)
+{
+	char *algo_name;
+	const char *padding_name;
+
+	if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
+		*err_msgp = "Total size too large";
+		return 1;
+	}
+
+	if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
+		*err_msgp = "Can't get hash algo property";
+		return -1;
+	}
+
+	padding_name = fdt_getprop(fit, noffset, "padding", NULL);
+	if (!padding_name)
+		padding_name = RSA_DEFAULT_PADDING_NAME;
+
+	memset(info, '\0', sizeof(*info));
+	info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+	info->fit = (void *)fit;
+	info->node_offset = noffset;
+	info->name = algo_name;
+	info->checksum = image_get_checksum_algo(algo_name);
+	info->crypto = image_get_crypto_algo(algo_name);
+	info->padding = image_get_padding_algo(padding_name);
+	info->fdt_blob = gd_fdt_blob();
+	info->required_keynode = required_keynode;
+	printf("%s:%s", algo_name, info->keyname);
+
+	if (!info->checksum || !info->crypto || !info->padding) {
+		*err_msgp = "Unknown signature algorithm";
+		return -1;
+	}
+
+	return 0;
+}
+
+int fit_image_check_sig(const void *fit, int noffset, const void *data,
+			size_t size, int required_keynode, char **err_msgp)
+{
+	struct image_sign_info info;
+	struct image_region region;
+	uint8_t *fit_value;
+	int fit_value_len;
+
+	*err_msgp = NULL;
+	if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
+				   err_msgp))
+		return -1;
+
+	if (fit_image_hash_get_value(fit, noffset, &fit_value,
+				     &fit_value_len)) {
+		*err_msgp = "Can't get hash value property";
+		return -1;
+	}
+
+	region.data = data;
+	region.size = size;
+
+	if (info.crypto->verify(&info, &region, 1, fit_value, fit_value_len)) {
+		*err_msgp = "Verification failed";
+		return -1;
+	}
+
+	return 0;
+}
+
+static int fit_image_verify_sig(const void *fit, int image_noffset,
+				const char *data, size_t size,
+				const void *sig_blob, int sig_offset)
+{
+	int noffset;
+	char *err_msg = "";
+	int verified = 0;
+	int ret;
+
+	/* Process all hash subnodes of the component image node */
+	fdt_for_each_subnode(noffset, fit, image_noffset) {
+		const char *name = fit_get_name(fit, noffset, NULL);
+
+		if (!strncmp(name, FIT_SIG_NODENAME,
+			     strlen(FIT_SIG_NODENAME))) {
+			ret = fit_image_check_sig(fit, noffset, data,
+						  size, -1, &err_msg);
+			if (ret) {
+				puts("- ");
+			} else {
+				puts("+ ");
+				verified = 1;
+				break;
+			}
+		}
+	}
+
+	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
+		err_msg = "Corrupted or truncated tree";
+		goto error;
+	}
+
+	return verified ? 0 : -EPERM;
+
+error:
+	printf(" error!\n%s for '%s' hash node in '%s' image node\n",
+	       err_msg, fit_get_name(fit, noffset, NULL),
+	       fit_get_name(fit, image_noffset, NULL));
+	return -1;
+}
+
+int fit_image_verify_required_sigs(const void *fit, int image_noffset,
+				   const char *data, size_t size,
+				   const void *sig_blob, int *no_sigsp)
+{
+	int verify_count = 0;
+	int noffset;
+	int sig_node;
+
+	/* Work out what we need to verify */
+	*no_sigsp = 1;
+	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
+	if (sig_node < 0) {
+		debug("%s: No signature node found: %s\n", __func__,
+		      fdt_strerror(sig_node));
+		return 0;
+	}
+
+	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
+		const char *required;
+		int ret;
+
+		required = fdt_getprop(sig_blob, noffset, "required", NULL);
+		if (!required || strcmp(required, "image"))
+			continue;
+		ret = fit_image_verify_sig(fit, image_noffset, data, size,
+					   sig_blob, noffset);
+		if (ret) {
+			printf("Failed to verify required signature '%s'\n",
+			       fit_get_name(sig_blob, noffset, NULL));
+			return ret;
+		}
+		verify_count++;
+	}
+
+	if (verify_count)
+		*no_sigsp = 0;
+
+	return 0;
+}
+
+int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+			 char **err_msgp)
+{
+	char * const exc_prop[] = {"data"};
+	const char *prop, *end, *name;
+	struct image_sign_info info;
+	const uint32_t *strings;
+	uint8_t *fit_value;
+	int fit_value_len;
+	int max_regions;
+	int i, prop_len;
+	char path[200];
+	int count;
+
+	debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+	      fit_get_name(fit, noffset, NULL),
+	      fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+	*err_msgp = NULL;
+	if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
+				   err_msgp))
+		return -1;
+
+	if (fit_image_hash_get_value(fit, noffset, &fit_value,
+				     &fit_value_len)) {
+		*err_msgp = "Can't get hash value property";
+		return -1;
+	}
+
+	/* Count the number of strings in the property */
+	prop = fdt_getprop(fit, noffset, "hashed-nodes", &prop_len);
+	end = prop ? prop + prop_len : prop;
+	for (name = prop, count = 0; name < end; name++)
+		if (!*name)
+			count++;
+	if (!count) {
+		*err_msgp = "Can't get hashed-nodes property";
+		return -1;
+	}
+
+	if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
+		*err_msgp = "hashed-nodes property must be null-terminated";
+		return -1;
+	}
+
+	/* Add a sanity check here since we are using the stack */
+	if (count > IMAGE_MAX_HASHED_NODES) {
+		*err_msgp = "Number of hashed nodes exceeds maximum";
+		return -1;
+	}
+
+	/* Create a list of node names from those strings */
+	char *node_inc[count];
+
+	debug("Hash nodes (%d):\n", count);
+	for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
+		debug("   '%s'\n", name);
+		node_inc[i] = (char *)name;
+	}
+
+	/*
+	 * Each node can generate one region for each sub-node. Allow for
+	 * 7 sub-nodes (hash-1, signature-1, etc.) and some extra.
+	 */
+	max_regions = 20 + count * 7;
+	struct fdt_region fdt_regions[max_regions];
+
+	/* Get a list of regions to hash */
+	count = fdt_find_regions(fit, node_inc, count,
+				 exc_prop, ARRAY_SIZE(exc_prop),
+				 fdt_regions, max_regions - 1,
+				 path, sizeof(path), 0);
+	if (count < 0) {
+		*err_msgp = "Failed to hash configuration";
+		return -1;
+	}
+	if (count == 0) {
+		*err_msgp = "No data to hash";
+		return -1;
+	}
+	if (count >= max_regions - 1) {
+		*err_msgp = "Too many hash regions";
+		return -1;
+	}
+
+	/* Add the strings */
+	strings = fdt_getprop(fit, noffset, "hashed-strings", NULL);
+	if (strings) {
+		/*
+		 * The strings region offset must be a static 0x0.
+		 * This is set in tool/image-host.c
+		 */
+		fdt_regions[count].offset = fdt_off_dt_strings(fit);
+		fdt_regions[count].size = fdt32_to_cpu(strings[1]);
+		count++;
+	}
+
+	/* Allocate the region list on the stack */
+	struct image_region region[count];
+
+	fit_region_make_list(fit, fdt_regions, count, region);
+	if (info.crypto->verify(&info, region, count, fit_value,
+				fit_value_len)) {
+		*err_msgp = "Verification failed";
+		return -1;
+	}
+
+	return 0;
+}
+
+static int fit_config_verify_sig(const void *fit, int conf_noffset,
+				 const void *sig_blob, int sig_offset)
+{
+	int noffset;
+	char *err_msg = "";
+	int verified = 0;
+	int ret;
+
+	/* Process all hash subnodes of the component conf node */
+	fdt_for_each_subnode(noffset, fit, conf_noffset) {
+		const char *name = fit_get_name(fit, noffset, NULL);
+
+		if (!strncmp(name, FIT_SIG_NODENAME,
+			     strlen(FIT_SIG_NODENAME))) {
+			ret = fit_config_check_sig(fit, noffset, sig_offset,
+						   &err_msg);
+			if (ret) {
+				puts("- ");
+			} else {
+				puts("+ ");
+				verified = 1;
+				break;
+			}
+		}
+	}
+
+	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
+		err_msg = "Corrupted or truncated tree";
+		goto error;
+	}
+
+	return verified ? 0 : -EPERM;
+
+error:
+	printf(" error!\n%s for '%s' hash node in '%s' config node\n",
+	       err_msg, fit_get_name(fit, noffset, NULL),
+	       fit_get_name(fit, conf_noffset, NULL));
+	return -1;
+}
+
+int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
+				    const void *sig_blob)
+{
+	int noffset;
+	int sig_node;
+
+	/* Work out what we need to verify */
+	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
+	if (sig_node < 0) {
+		debug("%s: No signature node found: %s\n", __func__,
+		      fdt_strerror(sig_node));
+		return 0;
+	}
+
+	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
+		const char *required;
+		int ret;
+
+		required = fdt_getprop(sig_blob, noffset, "required", NULL);
+		if (!required || strcmp(required, "conf"))
+			continue;
+		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
+					    noffset);
+		if (ret) {
+			printf("Failed to verify required signature '%s'\n",
+			       fit_get_name(sig_blob, noffset, NULL));
+			return ret;
+		}
+	}
+
+	return 0;
+}
+
+int fit_config_verify(const void *fit, int conf_noffset)
+{
+	return fit_config_verify_required_sigs(fit, conf_noffset,
+					       gd_fdt_blob());
+}
diff --git a/common/image-fit.c b/common/image-fit.c
index 5c63c769de27..2d78f0b47da2 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1216,7 +1216,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 	int ret;
 
 	/* Verify all required signatures */
-	if (IMAGE_ENABLE_VERIFY &&
+	if (FIT_IMAGE_ENABLE_VERIFY &&
 	    fit_image_verify_required_sigs(fit, image_noffset, data, size,
 					   gd_fdt_blob(), &verify_all)) {
 		err_msg = "Unable to verify required signature";
@@ -1238,7 +1238,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
 						 &err_msg))
 				goto error;
 			puts("+ ");
-		} else if (IMAGE_ENABLE_VERIFY && verify_all &&
+		} else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
 				!strncmp(name, FIT_SIG_NODENAME,
 					strlen(FIT_SIG_NODENAME))) {
 			ret = fit_image_check_sig(fit, noffset, data,
@@ -1870,7 +1870,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
 		if (image_type == IH_TYPE_KERNEL)
 			images->fit_uname_cfg = fit_base_uname_config;
 
-		if (IMAGE_ENABLE_VERIFY && images->verify) {
+		if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
 			puts("   Verifying Hash Integrity ... ");
 			if (fit_config_verify(fit, cfg_noffset)) {
 				puts("Bad Data Hash\n");
diff --git a/common/image-sig.c b/common/image-sig.c
index 639a1124504f..84b2c0439cf8 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -17,18 +17,6 @@ DECLARE_GLOBAL_DATA_PTR;
 
 #define IMAGE_MAX_HASHED_NODES		100
 
-#ifdef USE_HOSTCC
-void *host_blob;
-void image_set_host_blob(void *blob)
-{
-	host_blob = blob;
-}
-void *image_get_host_blob(void)
-{
-	return host_blob;
-}
-#endif
-
 struct checksum_algo checksum_algos[] = {
 	{
 		.name = "sha1",
@@ -162,387 +150,3 @@ struct padding_algo *image_get_padding_algo(const char *name)
 
 	return NULL;
 }
-
-/**
- * fit_region_make_list() - Make a list of image regions
- *
- * Given a list of fdt_regions, create a list of image_regions. This is a
- * simple conversion routine since the FDT and image code use different
- * structures.
- *
- * @fit: FIT image
- * @fdt_regions: Pointer to FDT regions
- * @count: Number of FDT regions
- * @region: Pointer to image regions, which must hold @count records. If
- * region is NULL, then (except for an SPL build) the array will be
- * allocated.
- * @return: Pointer to image regions
- */
-struct image_region *fit_region_make_list(const void *fit,
-		struct fdt_region *fdt_regions, int count,
-		struct image_region *region)
-{
-	int i;
-
-	debug("Hash regions:\n");
-	debug("%10s %10s\n", "Offset", "Size");
-
-	/*
-	 * Use malloc() except in SPL (to save code size). In SPL the caller
-	 * must allocate the array.
-	 */
-#ifndef CONFIG_SPL_BUILD
-	if (!region)
-		region = calloc(sizeof(*region), count);
-#endif
-	if (!region)
-		return NULL;
-	for (i = 0; i < count; i++) {
-		debug("%10x %10x\n", fdt_regions[i].offset,
-		      fdt_regions[i].size);
-		region[i].data = fit + fdt_regions[i].offset;
-		region[i].size = fdt_regions[i].size;
-	}
-
-	return region;
-}
-
-static int fit_image_setup_verify(struct image_sign_info *info,
-		const void *fit, int noffset, int required_keynode,
-		char **err_msgp)
-{
-	char *algo_name;
-	const char *padding_name;
-
-	if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
-		*err_msgp = "Total size too large";
-		return 1;
-	}
-
-	if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
-		*err_msgp = "Can't get hash algo property";
-		return -1;
-	}
-
-	padding_name = fdt_getprop(fit, noffset, "padding", NULL);
-	if (!padding_name)
-		padding_name = RSA_DEFAULT_PADDING_NAME;
-
-	memset(info, '\0', sizeof(*info));
-	info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
-	info->fit = (void *)fit;
-	info->node_offset = noffset;
-	info->name = algo_name;
-	info->checksum = image_get_checksum_algo(algo_name);
-	info->crypto = image_get_crypto_algo(algo_name);
-	info->padding = image_get_padding_algo(padding_name);
-	info->fdt_blob = gd_fdt_blob();
-	info->required_keynode = required_keynode;
-	printf("%s:%s", algo_name, info->keyname);
-
-	if (!info->checksum || !info->crypto || !info->padding) {
-		*err_msgp = "Unknown signature algorithm";
-		return -1;
-	}
-
-	return 0;
-}
-
-int fit_image_check_sig(const void *fit, int noffset, const void *data,
-		size_t size, int required_keynode, char **err_msgp)
-{
-	struct image_sign_info info;
-	struct image_region region;
-	uint8_t *fit_value;
-	int fit_value_len;
-
-	*err_msgp = NULL;
-	if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
-				   err_msgp))
-		return -1;
-
-	if (fit_image_hash_get_value(fit, noffset, &fit_value,
-				     &fit_value_len)) {
-		*err_msgp = "Can't get hash value property";
-		return -1;
-	}
-
-	region.data = data;
-	region.size = size;
-
-	if (info.crypto->verify(&info, &region, 1, fit_value, fit_value_len)) {
-		*err_msgp = "Verification failed";
-		return -1;
-	}
-
-	return 0;
-}
-
-static int fit_image_verify_sig(const void *fit, int image_noffset,
-		const char *data, size_t size, const void *sig_blob,
-		int sig_offset)
-{
-	int noffset;
-	char *err_msg = "";
-	int verified = 0;
-	int ret;
-
-	/* Process all hash subnodes of the component image node */
-	fdt_for_each_subnode(noffset, fit, image_noffset) {
-		const char *name = fit_get_name(fit, noffset, NULL);
-
-		if (!strncmp(name, FIT_SIG_NODENAME,
-			     strlen(FIT_SIG_NODENAME))) {
-			ret = fit_image_check_sig(fit, noffset, data,
-							size, -1, &err_msg);
-			if (ret) {
-				puts("- ");
-			} else {
-				puts("+ ");
-				verified = 1;
-				break;
-			}
-		}
-	}
-
-	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
-		err_msg = "Corrupted or truncated tree";
-		goto error;
-	}
-
-	return verified ? 0 : -EPERM;
-
-error:
-	printf(" error!\n%s for '%s' hash node in '%s' image node\n",
-	       err_msg, fit_get_name(fit, noffset, NULL),
-	       fit_get_name(fit, image_noffset, NULL));
-	return -1;
-}
-
-int fit_image_verify_required_sigs(const void *fit, int image_noffset,
-		const char *data, size_t size, const void *sig_blob,
-		int *no_sigsp)
-{
-	int verify_count = 0;
-	int noffset;
-	int sig_node;
-
-	/* Work out what we need to verify */
-	*no_sigsp = 1;
-	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
-	if (sig_node < 0) {
-		debug("%s: No signature node found: %s\n", __func__,
-		      fdt_strerror(sig_node));
-		return 0;
-	}
-
-	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
-		const char *required;
-		int ret;
-
-		required = fdt_getprop(sig_blob, noffset, "required", NULL);
-		if (!required || strcmp(required, "image"))
-			continue;
-		ret = fit_image_verify_sig(fit, image_noffset, data, size,
-					sig_blob, noffset);
-		if (ret) {
-			printf("Failed to verify required signature '%s'\n",
-			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
-		}
-		verify_count++;
-	}
-
-	if (verify_count)
-		*no_sigsp = 0;
-
-	return 0;
-}
-
-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
-			 char **err_msgp)
-{
-	char * const exc_prop[] = {"data"};
-	const char *prop, *end, *name;
-	struct image_sign_info info;
-	const uint32_t *strings;
-	uint8_t *fit_value;
-	int fit_value_len;
-	int max_regions;
-	int i, prop_len;
-	char path[200];
-	int count;
-
-	debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
-	      fit_get_name(fit, noffset, NULL),
-	      fit_get_name(gd_fdt_blob(), required_keynode, NULL));
-	*err_msgp = NULL;
-	if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
-				   err_msgp))
-		return -1;
-
-	if (fit_image_hash_get_value(fit, noffset, &fit_value,
-				     &fit_value_len)) {
-		*err_msgp = "Can't get hash value property";
-		return -1;
-	}
-
-	/* Count the number of strings in the property */
-	prop = fdt_getprop(fit, noffset, "hashed-nodes", &prop_len);
-	end = prop ? prop + prop_len : prop;
-	for (name = prop, count = 0; name < end; name++)
-		if (!*name)
-			count++;
-	if (!count) {
-		*err_msgp = "Can't get hashed-nodes property";
-		return -1;
-	}
-
-	if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
-		*err_msgp = "hashed-nodes property must be null-terminated";
-		return -1;
-	}
-
-	/* Add a sanity check here since we are using the stack */
-	if (count > IMAGE_MAX_HASHED_NODES) {
-		*err_msgp = "Number of hashed nodes exceeds maximum";
-		return -1;
-	}
-
-	/* Create a list of node names from those strings */
-	char *node_inc[count];
-
-	debug("Hash nodes (%d):\n", count);
-	for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
-		debug("   '%s'\n", name);
-		node_inc[i] = (char *)name;
-	}
-
-	/*
-	 * Each node can generate one region for each sub-node. Allow for
-	 * 7 sub-nodes (hash-1, signature-1, etc.) and some extra.
-	 */
-	max_regions = 20 + count * 7;
-	struct fdt_region fdt_regions[max_regions];
-
-	/* Get a list of regions to hash */
-	count = fdt_find_regions(fit, node_inc, count,
-			exc_prop, ARRAY_SIZE(exc_prop),
-			fdt_regions, max_regions - 1,
-			path, sizeof(path), 0);
-	if (count < 0) {
-		*err_msgp = "Failed to hash configuration";
-		return -1;
-	}
-	if (count == 0) {
-		*err_msgp = "No data to hash";
-		return -1;
-	}
-	if (count >= max_regions - 1) {
-		*err_msgp = "Too many hash regions";
-		return -1;
-	}
-
-	/* Add the strings */
-	strings = fdt_getprop(fit, noffset, "hashed-strings", NULL);
-	if (strings) {
-		/*
-		 * The strings region offset must be a static 0x0.
-		 * This is set in tool/image-host.c
-		 */
-		fdt_regions[count].offset = fdt_off_dt_strings(fit);
-		fdt_regions[count].size = fdt32_to_cpu(strings[1]);
-		count++;
-	}
-
-	/* Allocate the region list on the stack */
-	struct image_region region[count];
-
-	fit_region_make_list(fit, fdt_regions, count, region);
-	if (info.crypto->verify(&info, region, count, fit_value,
-				fit_value_len)) {
-		*err_msgp = "Verification failed";
-		return -1;
-	}
-
-	return 0;
-}
-
-static int fit_config_verify_sig(const void *fit, int conf_noffset,
-		const void *sig_blob, int sig_offset)
-{
-	int noffset;
-	char *err_msg = "";
-	int verified = 0;
-	int ret;
-
-	/* Process all hash subnodes of the component conf node */
-	fdt_for_each_subnode(noffset, fit, conf_noffset) {
-		const char *name = fit_get_name(fit, noffset, NULL);
-
-		if (!strncmp(name, FIT_SIG_NODENAME,
-			     strlen(FIT_SIG_NODENAME))) {
-			ret = fit_config_check_sig(fit, noffset, sig_offset,
-						   &err_msg);
-			if (ret) {
-				puts("- ");
-			} else {
-				puts("+ ");
-				verified = 1;
-				break;
-			}
-		}
-	}
-
-	if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
-		err_msg = "Corrupted or truncated tree";
-		goto error;
-	}
-
-	return verified ? 0 : -EPERM;
-
-error:
-	printf(" error!\n%s for '%s' hash node in '%s' config node\n",
-	       err_msg, fit_get_name(fit, noffset, NULL),
-	       fit_get_name(fit, conf_noffset, NULL));
-	return -1;
-}
-
-int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
-		const void *sig_blob)
-{
-	int noffset;
-	int sig_node;
-
-	/* Work out what we need to verify */
-	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
-	if (sig_node < 0) {
-		debug("%s: No signature node found: %s\n", __func__,
-		      fdt_strerror(sig_node));
-		return 0;
-	}
-
-	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
-		const char *required;
-		int ret;
-
-		required = fdt_getprop(sig_blob, noffset, "required", NULL);
-		if (!required || strcmp(required, "conf"))
-			continue;
-		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
-					    noffset);
-		if (ret) {
-			printf("Failed to verify required signature '%s'\n",
-			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
-		}
-	}
-
-	return 0;
-}
-
-int fit_config_verify(const void *fit, int conf_noffset)
-{
-	return fit_config_verify_required_sigs(fit, conf_noffset,
-					       gd_fdt_blob());
-}
diff --git a/include/image.h b/include/image.h
index f4d2aaf53e87..7eb0b4b53184 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1086,6 +1086,7 @@ int fit_conf_get_prop_node(const void *fit, int noffset,
 
 int fit_check_ramdisk(const void *fit, int os_noffset,
 		uint8_t arch, int verify);
+#endif /* IMAGE_ENABLE_FIT */
 
 int calculate_hash(const void *data, int data_len, const char *algo,
 			uint8_t *value, int *value_len);
@@ -1098,16 +1099,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 # if defined(CONFIG_FIT_SIGNATURE)
 #  define IMAGE_ENABLE_SIGN	1
 #  define IMAGE_ENABLE_VERIFY	1
+#  define FIT_IMAGE_ENABLE_VERIFY	1
 #  include <openssl/evp.h>
 # else
 #  define IMAGE_ENABLE_SIGN	0
 #  define IMAGE_ENABLE_VERIFY	0
+#  define FIT_IMAGE_ENABLE_VERIFY	0
 # endif
 #else
 # define IMAGE_ENABLE_SIGN	0
-# define IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
+# define IMAGE_ENABLE_VERIFY		CONFIG_IS_ENABLED(RSA_VERIFY)
+# define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
 
+#if IMAGE_ENABLE_FIT
 #ifdef USE_HOSTCC
 void *image_get_host_blob(void);
 void image_set_host_blob(void *host_blob);
@@ -1121,6 +1126,7 @@ void image_set_host_blob(void *host_blob);
 #else
 #define IMAGE_ENABLE_BEST_MATCH	0
 #endif
+#endif /* IMAGE_ENABLE_FIT */
 
 /* Information passed to the signing routines */
 struct image_sign_info {
@@ -1137,7 +1143,6 @@ struct image_sign_info {
 	const char *require_keys;	/* Value for 'required' property */
 	const char *engine_id;		/* Engine to use for signing */
 };
-#endif /* Allow struct image_region to always be defined for rsa.h */
 
 /* A part of an image, used for hashing */
 struct image_region {
@@ -1145,8 +1150,6 @@ struct image_region {
 	int size;
 };
 
-#if IMAGE_ENABLE_FIT
-
 #if IMAGE_ENABLE_VERIFY
 # include <u-boot/rsa-checksum.h>
 #endif
@@ -1247,6 +1250,8 @@ struct crypto_algo *image_get_crypto_algo(const char *full_name);
  */
 struct padding_algo *image_get_padding_algo(const char *name);
 
+#if IMAGE_ENABLE_FIT
+
 /**
  * fit_image_verify_required_sigs() - Verify signatures marked as 'required'
  *
diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 2b33f323bccc..03ffa2969048 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -1,5 +1,6 @@
 config RSA
 	bool "Use RSA Library"
+	select RSA_VERIFY
 	select RSA_FREESCALE_EXP if FSL_CAAM && !ARCH_MX7 && !ARCH_MX6 && !ARCH_MX5
 	select RSA_SOFTWARE_EXP if !RSA_FREESCALE_EXP
 	help
@@ -17,6 +18,17 @@ if RSA
 
 config SPL_RSA
 	bool "Use RSA Library within SPL"
+	select SPL_RSA_VERIFY
+
+config SPL_RSA_VERIFY
+	bool
+	help
+	  Add RSA signature verification support in SPL.
+
+config RSA_VERIFY
+	bool
+	help
+	  Add RSA signature verification support.
 
 config RSA_SOFTWARE_EXP
 	bool "Enable driver for RSA Modular Exponentiation in software"
diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index a51c6e1685fb..c07305188e0c 100644
--- a/lib/rsa/Makefile
+++ b/lib/rsa/Makefile
@@ -5,5 +5,5 @@
 # (C) Copyright 2000-2007
 # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
 
-obj-$(CONFIG_$(SPL_)FIT_SIGNATURE) += rsa-verify.o rsa-checksum.o
+obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
 obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 82dc513260e2..d2fd0692fa13 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -270,6 +270,7 @@ out:
 }
 #endif
 
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 /**
  * rsa_verify_key() - Verify a signature against some data using RSA Key
  *
@@ -341,7 +342,9 @@ static int rsa_verify_key(struct image_sign_info *info,
 
 	return 0;
 }
+#endif
 
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 /**
  * rsa_verify_with_keynode() - Verify a signature against some data using
  * information in node with prperties of RSA Key like modulus, exponent etc.
@@ -395,18 +398,22 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
 
 	return ret;
 }
+#else
+static int rsa_verify_with_keynode(struct image_sign_info *info,
+				   const void *hash, uint8_t *sig,
+				   uint sig_len, int node)
+{
+	return -EACCES;
+}
+#endif
 
 int rsa_verify(struct image_sign_info *info,
 	       const struct image_region region[], int region_count,
 	       uint8_t *sig, uint sig_len)
 {
-	const void *blob = info->fdt_blob;
 	/* Reserve memory for maximum checksum-length */
 	uint8_t hash[info->crypto->key_len];
-	int ndepth, noffset;
-	int sig_node, node;
-	char name[100];
-	int ret;
+	int ret = -EACCES;
 
 	/*
 	 * Verify that the checksum-length does not exceed the
@@ -419,12 +426,6 @@ int rsa_verify(struct image_sign_info *info,
 		return -EINVAL;
 	}
 
-	sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
-	if (sig_node < 0) {
-		debug("%s: No signature node found\n", __func__);
-		return -ENOENT;
-	}
-
 	/* Calculate checksum with checksum-algorithm */
 	ret = info->checksum->calculate(info->checksum->name,
 					region, region_count, hash);
@@ -433,29 +434,44 @@ int rsa_verify(struct image_sign_info *info,
 		return -EINVAL;
 	}
 
-	/* See if we must use a particular key */
-	if (info->required_keynode != -1) {
-		ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
-			info->required_keynode);
-		return ret;
-	}
+	if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
+		const void *blob = info->fdt_blob;
+		int ndepth, noffset;
+		int sig_node, node;
+		char name[100];
 
-	/* Look for a key that matches our hint */
-	snprintf(name, sizeof(name), "key-%s", info->keyname);
-	node = fdt_subnode_offset(blob, sig_node, name);
-	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
-	if (!ret)
-		return ret;
+		sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
+		if (sig_node < 0) {
+			debug("%s: No signature node found\n", __func__);
+			return -ENOENT;
+		}
 
-	/* No luck, so try each of the keys in turn */
-	for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
-			(noffset >= 0) && (ndepth > 0);
-			noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
-		if (ndepth == 1 && noffset != node) {
+		/* See if we must use a particular key */
+		if (info->required_keynode != -1) {
 			ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
-						      noffset);
-			if (!ret)
-				break;
+						      info->required_keynode);
+			return ret;
+		}
+
+		/* Look for a key that matches our hint */
+		snprintf(name, sizeof(name), "key-%s", info->keyname);
+		node = fdt_subnode_offset(blob, sig_node, name);
+		ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
+		if (!ret)
+			return ret;
+
+		/* No luck, so try each of the keys in turn */
+		for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
+							 &ndepth);
+		     (noffset >= 0) && (ndepth > 0);
+		     noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
+			if (ndepth == 1 && noffset != node) {
+				ret = rsa_verify_with_keynode(info, hash,
+							      sig, sig_len,
+							      noffset);
+				if (!ret)
+					break;
+			}
 		}
 	}
 
diff --git a/tools/Makefile b/tools/Makefile
index 345bc84e48db..1f885cca7034 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -58,7 +58,7 @@ hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign
 hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
 
 FIT_OBJS-$(CONFIG_FIT) := fit_common.o fit_image.o image-host.o common/image-fit.o
-FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := common/image-sig.o
+FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := common/image-sig.o common/image-fit-sig.o
 
 # The following files are synced with upstream DTC.
 # Use synced versions from scripts/dtc/libfdt/.
-- 
2.21.0

[U-Boot] [PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[AKASHI Takahiro]

In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
rsa_verify() will be extended to be able to perform RSA decryption without
additional RSA key properties from FIT image, i.e. rr and n0inv.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 lib/rsa/Kconfig | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 03ffa2969048..71e4c06bf883 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -30,6 +30,20 @@ config RSA_VERIFY
 	help
 	  Add RSA signature verification support.
 
+config RSA_VERIFY_WITH_PKEY
+	bool "Execute RSA verification without key parameters from FDT"
+	depends on RSA
+	help
+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
+	  pre-calculated key properties, that are stored in fdt blob, in
+	  decrypting a signature.
+	  This does not suit the use case where there is no way defined to
+	  provide such additional key properties in standardized form,
+	  particularly UEFI secure boot.
+	  This options enables RSA signature verification with a public key
+	  directly specified in image_sign_info, where all the necessary
+	  key properties will be calculated on the fly in verification code.
+
 config RSA_SOFTWARE_EXP
 	bool "Enable driver for RSA Modular Exponentiation in software"
 	depends on DM
-- 
2.21.0

[U-Boot] [PATCH v4 3/6] include: image.h: add key info to image_sign_info

[AKASHI Takahiro]

For FIT verification, all the properties of a public key come from
"control fdt" pointed to by fdt_blob. In UEFI secure boot, on the other
hand, a public key is located and retrieved from dedicated signature
database stored as UEFI variables.

Added two fields may hold values of a public key if fdt_blob is NULL, and
will be used in rsa_verify_with_pkey() to verify a signature in UEFI
sub-system.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 include/image.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/image.h b/include/image.h
index 7eb0b4b53184..20e1f95cf2a7 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1142,6 +1142,13 @@ struct image_sign_info {
 	int required_keynode;		/* Node offset of key to use: -1=any */
 	const char *require_keys;	/* Value for 'required' property */
 	const char *engine_id;		/* Engine to use for signing */
+	/*
+	 * Note: the following two fields are always valid even w/o
+	 * RSA_VERIFY_WITH_PKEY in order to make sure this structure is
+	 * the same on target and host. Otherwise, vboot test may fail.
+	 */
+	const void *key;		/* Pointer to public key in DER */
+	int keylen;			/* Length of public key */
 };
 
 /* A part of an image, used for hashing */
-- 
2.21.0

[U-Boot] [PATCH v4 4/6] lib: rsa: generate additional parameters for public key

[AKASHI Takahiro]

In the current implementation of FIT_SIGNATURE, five parameters for
a RSA public key are required while only two of them are essential.
(See rsa-mod-exp.h and uImage.FIT/signature.txt)
This is a result of considering relatively limited computer power
and resources on embedded systems, while such a assumption may not
be quite practical for other use cases.

In this patch, added is a function, rsa_gen_key_prop(), which will
generate additional parameters for other uses, in particular
UEFI secure boot, on the fly.

Note: the current code uses some "big number" routines from BearSSL
for the calculation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 include/u-boot/rsa-mod-exp.h |  23 ++
 lib/rsa/Kconfig              |   1 +
 lib/rsa/Makefile             |   1 +
 lib/rsa/rsa-keyprop.c        | 725 +++++++++++++++++++++++++++++++++++
 4 files changed, 750 insertions(+)
 create mode 100644 lib/rsa/rsa-keyprop.c

diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
index 8a428c4b6a1a..1da8af1bb83d 100644
--- a/include/u-boot/rsa-mod-exp.h
+++ b/include/u-boot/rsa-mod-exp.h
@@ -26,6 +26,29 @@ struct key_prop {
 	uint32_t exp_len;	/* Exponent length in number of uint8_t */
 };
 
+/**
+ * rsa_gen_key_prop() - Generate key properties of RSA public key
+ * @key:	Specifies key data in DER format
+ * @keylen:	Length of @key
+ * @prop:	Generated key property
+ *
+ * This function takes a blob of encoded RSA public key data in DER
+ * format, parse it and generate all the relevant properties
+ * in key_prop structure.
+ * Return a pointer to struct key_prop in @prop on success.
+ *
+ * Return:	0 on success, negative on error
+ */
+int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **proc);
+
+/**
+ * rsa_free_key_prop() - Free key properties
+ * @prop:	Pointer to struct key_prop
+ *
+ * This function frees all the memories allocated by rsa_gen_key_prop().
+ */
+void rsa_free_key_prop(struct key_prop *prop);
+
 /**
  * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
  *
diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 71e4c06bf883..d1d6f6cf64a3 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -33,6 +33,7 @@ config RSA_VERIFY
 config RSA_VERIFY_WITH_PKEY
 	bool "Execute RSA verification without key parameters from FDT"
 	depends on RSA
+	imply RSA_PUBLIC_KEY_PARSER
 	help
 	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
 	  pre-calculated key properties, that are stored in fdt blob, in
diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index c07305188e0c..14ed3cb4012b 100644
--- a/lib/rsa/Makefile
+++ b/lib/rsa/Makefile
@@ -6,4 +6,5 @@
 # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
 
 obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
+obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
 obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
new file mode 100644
index 000000000000..9464df009343
--- /dev/null
+++ b/lib/rsa/rsa-keyprop.c
@@ -0,0 +1,725 @@
+// SPDX-License-Identifier: GPL-2.0+ and MIT
+/*
+ * RSA library - generate parameters for a public key
+ *
+ * Copyright (c) 2019 Linaro Limited
+ * Author: AKASHI Takahiro
+ *
+ * Big number routines in this file come from BearSSL:
+ * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
+ */
+
+#include <common.h>
+#include <image.h>
+#include <malloc.h>
+#include <asm/byteorder.h>
+#include <crypto/internal/rsa.h>
+#include <u-boot/rsa-mod-exp.h>
+
+/**
+ * br_dec16be() - Convert 16-bit big-endian integer to native
+ * @src:	Pointer to data
+ * Return:	Native-endian integer
+ */
+static unsigned br_dec16be(const void *src)
+{
+	return be16_to_cpup(src);
+}
+
+/**
+ * br_dec32be() - Convert 32-bit big-endian integer to native
+ * @src:	Pointer to data
+ * Return:	Native-endian integer
+ */
+static uint32_t br_dec32be(const void *src)
+{
+	return be32_to_cpup(src);
+}
+
+/**
+ * br_enc32be() - Convert native 32-bit integer to big-endian
+ * @dst:	Pointer to buffer to store big-endian integer in
+ * @x:		Native 32-bit integer
+ */
+static void br_enc32be(void *dst, uint32_t x)
+{
+	__be32 tmp;
+
+	tmp = cpu_to_be32(x);
+	memcpy(dst, &tmp, sizeof(tmp));
+}
+
+/* from BearSSL's src/inner.h */
+
+/*
+ * Negate a boolean.
+ */
+static uint32_t NOT(uint32_t ctl)
+{
+	return ctl ^ 1;
+}
+
+/*
+ * Multiplexer: returns x if ctl == 1, y if ctl == 0.
+ */
+static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
+{
+	return y ^ (-ctl & (x ^ y));
+}
+
+/*
+ * Equality check: returns 1 if x == y, 0 otherwise.
+ */
+static uint32_t EQ(uint32_t x, uint32_t y)
+{
+	uint32_t q;
+
+	q = x ^ y;
+	return NOT((q | -q) >> 31);
+}
+
+/*
+ * Inequality check: returns 1 if x != y, 0 otherwise.
+ */
+static uint32_t NEQ(uint32_t x, uint32_t y)
+{
+	uint32_t q;
+
+	q = x ^ y;
+	return (q | -q) >> 31;
+}
+
+/*
+ * Comparison: returns 1 if x > y, 0 otherwise.
+ */
+static uint32_t GT(uint32_t x, uint32_t y)
+{
+	/*
+	 * If both x < 2^31 and y < 2^31, then y-x will have its high
+	 * bit set if x > y, cleared otherwise.
+	 *
+	 * If either x >= 2^31 or y >= 2^31 (but not both), then the
+	 * result is the high bit of x.
+	 *
+	 * If both x >= 2^31 and y >= 2^31, then we can virtually
+	 * subtract 2^31 from both, and we are back to the first case.
+	 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
+	 * fine.
+	 */
+	uint32_t z;
+
+	z = y - x;
+	return (z ^ ((x ^ y) & (x ^ z))) >> 31;
+}
+
+/*
+ * Compute the bit length of a 32-bit integer. Returned value is between 0
+ * and 32 (inclusive).
+ */
+static uint32_t BIT_LENGTH(uint32_t x)
+{
+	uint32_t k, c;
+
+	k = NEQ(x, 0);
+	c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
+	c = GT(x, 0x00FF); x = MUX(c, x >>  8, x); k += c << 3;
+	c = GT(x, 0x000F); x = MUX(c, x >>  4, x); k += c << 2;
+	c = GT(x, 0x0003); x = MUX(c, x >>  2, x); k += c << 1;
+	k += GT(x, 0x0001);
+	return k;
+}
+
+#define GE(x, y)   NOT(GT(y, x))
+#define LT(x, y)   GT(y, x)
+#define MUL(x, y)   ((uint64_t)(x) * (uint64_t)(y))
+
+/*
+ * Integers 'i32'
+ * --------------
+ *
+ * The 'i32' functions implement computations on big integers using
+ * an internal representation as an array of 32-bit integers. For
+ * an array x[]:
+ *  -- x[0] contains the "announced bit length" of the integer
+ *  -- x[1], x[2]... contain the value in little-endian order (x[1]
+ *     contains the least significant 32 bits)
+ *
+ * Multiplications rely on the elementary 32x32->64 multiplication.
+ *
+ * The announced bit length specifies the number of bits that are
+ * significant in the subsequent 32-bit words. Unused bits in the
+ * last (most significant) word are set to 0; subsequent words are
+ * uninitialized and need not exist at all.
+ *
+ * The execution time and memory access patterns of all computations
+ * depend on the announced bit length, but not on the actual word
+ * values. For modular integers, the announced bit length of any integer
+ * modulo n is equal to the actual bit length of n; thus, computations
+ * on modular integers are "constant-time" (only the modulus length may
+ * leak).
+ */
+
+/*
+ * Extract one word from an integer. The offset is counted in bits.
+ * The word MUST entirely fit within the word elements corresponding
+ * to the announced bit length of a[].
+ */
+static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
+{
+	size_t u;
+	unsigned j;
+
+	u = (size_t)(off >> 5) + 1;
+	j = (unsigned)off & 31;
+	if (j == 0) {
+		return a[u];
+	} else {
+		return (a[u] >> j) | (a[u + 1] << (32 - j));
+	}
+}
+
+/* from BearSSL's src/int/i32_bitlen.c */
+
+/*
+ * Compute the actual bit length of an integer. The argument x should
+ * point to the first (least significant) value word of the integer.
+ * The len 'xlen' contains the number of 32-bit words to access.
+ *
+ * CT: value or length of x does not leak.
+ */
+static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
+{
+	uint32_t tw, twk;
+
+	tw = 0;
+	twk = 0;
+	while (xlen -- > 0) {
+		uint32_t w, c;
+
+		c = EQ(tw, 0);
+		w = x[xlen];
+		tw = MUX(c, w, tw);
+		twk = MUX(c, (uint32_t)xlen, twk);
+	}
+	return (twk << 5) + BIT_LENGTH(tw);
+}
+
+/* from BearSSL's src/int/i32_decode.c */
+
+/*
+ * Decode an integer from its big-endian unsigned representation. The
+ * "true" bit length of the integer is computed, but all words of x[]
+ * corresponding to the full 'len' bytes of the source are set.
+ *
+ * CT: value or length of x does not leak.
+ */
+static void br_i32_decode(uint32_t *x, const void *src, size_t len)
+{
+	const unsigned char *buf;
+	size_t u, v;
+
+	buf = src;
+	u = len;
+	v = 1;
+	for (;;) {
+		if (u < 4) {
+			uint32_t w;
+
+			if (u < 2) {
+				if (u == 0) {
+					break;
+				} else {
+					w = buf[0];
+				}
+			} else {
+				if (u == 2) {
+					w = br_dec16be(buf);
+				} else {
+					w = ((uint32_t)buf[0] << 16)
+						| br_dec16be(buf + 1);
+				}
+			}
+			x[v ++] = w;
+			break;
+		} else {
+			u -= 4;
+			x[v ++] = br_dec32be(buf + u);
+		}
+	}
+	x[0] = br_i32_bit_length(x + 1, v - 1);
+}
+
+/* from BearSSL's src/int/i32_encode.c */
+
+/*
+ * Encode an integer into its big-endian unsigned representation. The
+ * output length in bytes is provided (parameter 'len'); if the length
+ * is too short then the integer is appropriately truncated; if it is
+ * too long then the extra bytes are set to 0.
+ */
+static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
+{
+	unsigned char *buf;
+	size_t k;
+
+	buf = dst;
+
+	/*
+	 * Compute the announced size of x in bytes; extra bytes are
+	 * filled with zeros.
+	 */
+	k = (x[0] + 7) >> 3;
+	while (len > k) {
+		*buf ++ = 0;
+		len --;
+	}
+
+	/*
+	 * Now we use k as index within x[]. That index starts at 1;
+	 * we initialize it to the topmost complete word, and process
+	 * any remaining incomplete word.
+	 */
+	k = (len + 3) >> 2;
+	switch (len & 3) {
+	case 3:
+		*buf ++ = x[k] >> 16;
+		/* fall through */
+	case 2:
+		*buf ++ = x[k] >> 8;
+		/* fall through */
+	case 1:
+		*buf ++ = x[k];
+		k --;
+	}
+
+	/*
+	 * Encode all complete words.
+	 */
+	while (k > 0) {
+		br_enc32be(buf, x[k]);
+		k --;
+		buf += 4;
+	}
+}
+
+/* from BearSSL's src/int/i32_ninv32.c */
+
+/*
+ * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
+ */
+static uint32_t br_i32_ninv32(uint32_t x)
+{
+	uint32_t y;
+
+	y = 2 - x;
+	y *= 2 - y * x;
+	y *= 2 - y * x;
+	y *= 2 - y * x;
+	y *= 2 - y * x;
+	return MUX(x & 1, -y, 0);
+}
+
+/* from BearSSL's src/int/i32_add.c */
+
+/*
+ * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
+ * is unmodified, but the carry is still computed and returned. The
+ * arrays a[] and b[] MUST have the same announced bit length.
+ *
+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
+ */
+static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
+{
+	uint32_t cc;
+	size_t u, m;
+
+	cc = 0;
+	m = (a[0] + 63) >> 5;
+	for (u = 1; u < m; u ++) {
+		uint32_t aw, bw, naw;
+
+		aw = a[u];
+		bw = b[u];
+		naw = aw + bw + cc;
+
+		/*
+		 * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
+		 * AND the carry was already 1.
+		 */
+		cc = (cc & EQ(naw, aw)) | LT(naw, aw);
+		a[u] = MUX(ctl, naw, aw);
+	}
+	return cc;
+}
+
+/* from BearSSL's src/int/i32_sub.c */
+
+/*
+ * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
+ * then a[] is unmodified, but the carry is still computed and returned.
+ * The arrays a[] and b[] MUST have the same announced bit length.
+ *
+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
+ */
+static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
+{
+	uint32_t cc;
+	size_t u, m;
+
+	cc = 0;
+	m = (a[0] + 63) >> 5;
+	for (u = 1; u < m; u ++) {
+		uint32_t aw, bw, naw;
+
+		aw = a[u];
+		bw = b[u];
+		naw = aw - bw - cc;
+
+		/*
+		 * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
+		 * AND the carry was already 1.
+		 */
+		cc = (cc & EQ(naw, aw)) | GT(naw, aw);
+		a[u] = MUX(ctl, naw, aw);
+	}
+	return cc;
+}
+
+/* from BearSSL's src/int/i32_div32.c */
+
+/*
+ * Constant-time division. The dividend hi:lo is divided by the
+ * divisor d; the quotient is returned and the remainder is written
+ * in *r. If hi == d, then the quotient does not fit on 32 bits;
+ * returned value is thus truncated. If hi > d, returned values are
+ * indeterminate.
+ */
+static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r)
+{
+	/* TODO: optimize this */
+	uint32_t q;
+	uint32_t ch, cf;
+	int k;
+
+	q = 0;
+	ch = EQ(hi, d);
+	hi = MUX(ch, 0, hi);
+	for (k = 31; k > 0; k --) {
+		int j;
+		uint32_t w, ctl, hi2, lo2;
+
+		j = 32 - k;
+		w = (hi << j) | (lo >> k);
+		ctl = GE(w, d) | (hi >> k);
+		hi2 = (w - d) >> j;
+		lo2 = lo - (d << k);
+		hi = MUX(ctl, hi2, hi);
+		lo = MUX(ctl, lo2, lo);
+		q |= ctl << k;
+	}
+	cf = GE(lo, d) | hi;
+	q |= cf;
+	*r = MUX(cf, lo - d, lo);
+	return q;
+}
+
+/*
+ * Wrapper for br_divrem(); the remainder is returned, and the quotient
+ * is discarded.
+ */
+static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
+{
+	uint32_t r;
+
+	br_divrem(hi, lo, d, &r);
+	return r;
+}
+
+/*
+ * Wrapper for br_divrem(); the quotient is returned, and the remainder
+ * is discarded.
+ */
+static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
+{
+	uint32_t r;
+
+	return br_divrem(hi, lo, d, &r);
+}
+
+/* from BearSSL's src/int/i32_muladd.c */
+
+/*
+ * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
+ * function assumes that x[] and m[] have the same announced bit
+ * length, and the announced bit length of m[] matches its true
+ * bit length.
+ *
+ * x[] and m[] MUST be distinct arrays.
+ *
+ * CT: only the common announced bit length of x and m leaks, not
+ * the values of x, z or m.
+ */
+static void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m)
+{
+	uint32_t m_bitlen;
+	size_t u, mlen;
+	uint32_t a0, a1, b0, hi, g, q, tb;
+	uint32_t chf, clow, under, over;
+	uint64_t cc;
+
+	/*
+	 * We can test on the modulus bit length since we accept to
+	 * leak that length.
+	 */
+	m_bitlen = m[0];
+	if (m_bitlen == 0) {
+		return;
+	}
+	if (m_bitlen <= 32) {
+		x[1] = br_rem(x[1], z, m[1]);
+		return;
+	}
+	mlen = (m_bitlen + 31) >> 5;
+
+	/*
+	 * Principle: we estimate the quotient (x*2^32+z)/m by
+	 * doing a 64/32 division with the high words.
+	 *
+	 * Let:
+	 *   w = 2^32
+	 *   a = (w*a0 + a1) * w^N + a2
+	 *   b = b0 * w^N + b2
+	 * such that:
+	 *   0 <= a0 < w
+	 *   0 <= a1 < w
+	 *   0 <= a2 < w^N
+	 *   w/2 <= b0 < w
+	 *   0 <= b2 < w^N
+	 *   a < w*b
+	 * I.e. the two top words of a are a0:a1, the top word of b is
+	 * b0, we ensured that b0 is "full" (high bit set), and a is
+	 * such that the quotient q = a/b fits on one word (0 <= q < w).
+	 *
+	 * If a = b*q + r (with 0 <= r < q), we can estimate q by
+	 * doing an Euclidean division on the top words:
+	 *   a0*w+a1 = b0*u + v  (with 0 <= v < w)
+	 * Then the following holds:
+	 *   0 <= u <= w
+	 *   u-2 <= q <= u
+	 */
+	a0 = br_i32_word(x, m_bitlen - 32);
+	hi = x[mlen];
+	memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
+	x[1] = z;
+	a1 = br_i32_word(x, m_bitlen - 32);
+	b0 = br_i32_word(m, m_bitlen - 32);
+
+	/*
+	 * We estimate a divisor q. If the quotient returned by br_div()
+	 * is g:
+	 * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
+	 * -- Otherwise:
+	 *    -- if g == 0 then we set q = 0;
+	 *    -- otherwise, we set q = g - 1.
+	 * The properties described above then ensure that the true
+	 * quotient is q-1, q or q+1.
+	 */
+	g = br_div(a0, a1, b0);
+	q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));
+
+	/*
+	 * We subtract q*m from x (with the extra high word of value 'hi').
+	 * Since q may be off by 1 (in either direction), we may have to
+	 * add or subtract m afterwards.
+	 *
+	 * The 'tb' flag will be true (1)@the end of the loop if the
+	 * result is greater than or equal to the modulus (not counting
+	 * 'hi' or the carry).
+	 */
+	cc = 0;
+	tb = 1;
+	for (u = 1; u <= mlen; u ++) {
+		uint32_t mw, zw, xw, nxw;
+		uint64_t zl;
+
+		mw = m[u];
+		zl = MUL(mw, q) + cc;
+		cc = (uint32_t)(zl >> 32);
+		zw = (uint32_t)zl;
+		xw = x[u];
+		nxw = xw - zw;
+		cc += (uint64_t)GT(nxw, xw);
+		x[u] = nxw;
+		tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
+	}
+
+	/*
+	 * If we underestimated q, then either cc < hi (one extra bit
+	 * beyond the top array word), or cc == hi and tb is true (no
+	 * extra bit, but the result is not lower than the modulus). In
+	 * these cases we must subtract m once.
+	 *
+	 * Otherwise, we may have overestimated, which will show as
+	 * cc > hi (thus a negative result). Correction is adding m once.
+	 */
+	chf = (uint32_t)(cc >> 32);
+	clow = (uint32_t)cc;
+	over = chf | GT(clow, hi);
+	under = ~over & (tb | (~chf & LT(clow, hi)));
+	br_i32_add(x, m, over);
+	br_i32_sub(x, m, under);
+}
+
+/* from BearSSL's src/int/i32_reduce.c */
+
+/*
+ * Reduce an integer (a[]) modulo another (m[]). The result is written
+ * in x[] and its announced bit length is set to be equal to that of m[].
+ *
+ * x[] MUST be distinct from a[] and m[].
+ *
+ * CT: only announced bit lengths leak, not values of x, a or m.
+ */
+static void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m)
+{
+	uint32_t m_bitlen, a_bitlen;
+	size_t mlen, alen, u;
+
+	m_bitlen = m[0];
+	mlen = (m_bitlen + 31) >> 5;
+
+	x[0] = m_bitlen;
+	if (m_bitlen == 0) {
+		return;
+	}
+
+	/*
+	 * If the source is shorter, then simply copy all words from a[]
+	 * and zero out the upper words.
+	 */
+	a_bitlen = a[0];
+	alen = (a_bitlen + 31) >> 5;
+	if (a_bitlen < m_bitlen) {
+		memcpy(x + 1, a + 1, alen * sizeof *a);
+		for (u = alen; u < mlen; u ++) {
+			x[u + 1] = 0;
+		}
+		return;
+	}
+
+	/*
+	 * The source length is@least equal to that of the modulus.
+	 * We must thus copy N-1 words, and input the remaining words
+	 * one by one.
+	 */
+	memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
+	x[mlen] = 0;
+	for (u = 1 + alen - mlen; u > 0; u --) {
+		br_i32_muladd_small(x, a[u], m);
+	}
+}
+
+/**
+ * rsa_free_key_prop() - Free key properties
+ * @prop:	Pointer to struct key_prop
+ *
+ * This function frees all the memories allocated by rsa_gen_key_prop().
+ */
+void rsa_free_key_prop(struct key_prop *prop)
+{
+	if (!prop)
+		return;
+
+	free((void *)prop->modulus);
+	free((void *)prop->public_exponent);
+	free((void *)prop->rr);
+
+	free(prop);
+}
+
+/**
+ * rsa_gen_key_prop() - Generate key properties of RSA public key
+ * @key:	Specifies key data in DER format
+ * @keylen:	Length of @key
+ * @prop:	Generated key property
+ *
+ * This function takes a blob of encoded RSA public key data in DER
+ * format, parse it and generate all the relevant properties
+ * in key_prop structure.
+ * Return a pointer to struct key_prop in @prop on success.
+ *
+ * Return:	0 on success, negative on error
+ */
+int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
+{
+	struct rsa_key rsa_key;
+	uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
+	const int max_rsa_size = 4096;
+	int rlen, i, ret;
+
+	*prop = calloc(sizeof(**prop), 1);
+	n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+	rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+	rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+	if (!(*prop) || !n || !rr || !rrtmp) {
+		ret = -ENOMEM;
+		goto err;
+	}
+
+	ret = rsa_parse_pub_key(&rsa_key, key, keylen);
+	if (ret)
+		goto err;
+
+	/* modulus */
+	/* removing leading 0's */
+	for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
+		;
+	(*prop)->num_bits = (rsa_key.n_sz - i) * 8;
+	(*prop)->modulus = malloc(rsa_key.n_sz - i);
+	if (!(*prop)->modulus) {
+		ret = -ENOMEM;
+		goto err;
+	}
+	memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
+
+	/* exponent */
+	(*prop)->public_exponent = calloc(1, sizeof(uint64_t));
+	if (!(*prop)->public_exponent) {
+		ret = -ENOMEM;
+		goto err;
+	}
+	memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
+						- rsa_key.e_sz,
+	       rsa_key.e, rsa_key.e_sz);
+	(*prop)->exp_len = rsa_key.e_sz;
+
+	/* n0 inverse */
+	br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
+	(*prop)->n0inv = br_i32_ninv32(n[1]);
+
+	/* R^2 mod n; R = 2^(num_bits) */
+	rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
+	rr[0] = 0;
+	*(uint8_t *)&rr[0] = (1 << (rlen % 8));
+	for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
+		rr[i] = 0;
+	br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
+	br_i32_reduce(rr, rrtmp, n);
+
+	rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
+	(*prop)->rr = malloc(rlen);
+	if (!(*prop)->rr) {
+		ret = -ENOMEM;
+		goto err;
+	}
+	br_i32_encode((void *)(*prop)->rr, rlen, rr);
+
+	return 0;
+
+err:
+	free(n);
+	free(rr);
+	free(rrtmp);
+	rsa_free_key_prop(*prop);
+	return ret;
+}
-- 
2.21.0

[U-Boot] [PATCH v4 5/6] lib: rsa: add rsa_verify_with_pkey()

[AKASHI Takahiro]

This function, and hence rsa_verify(), will perform RSA verification
with two essential parameters for a RSA public key in contract of
rsa_verify_with_keynode(), which requires additional three parameters
stored in FIT image.

It will be used in implementing UEFI secure boot, i.e. image authentication
and variable authentication.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 lib/rsa/rsa-verify.c | 65 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index d2fd0692fa13..1ea02c02dab3 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -17,9 +17,22 @@
 #include "mkimage.h"
 #include <fdt_support.h>
 #endif
+#include <linux/kconfig.h>
 #include <u-boot/rsa-mod-exp.h>
 #include <u-boot/rsa.h>
 
+#ifndef __UBOOT__
+/*
+ * NOTE:
+ * Since host tools, like mkimage, make use of openssl library for
+ * RSA encryption, rsa_verify_with_pkey()/rsa_gen_key_prop() are
+ * of no use and should not be compiled in.
+ * So just turn off CONFIG_RSA_VERIFY_WITH_PKEY.
+ */
+
+#undef CONFIG_RSA_VERIFY_WITH_PKEY
+#endif
+
 /* Default public exponent for backward compatibility */
 #define RSA_DEFAULT_PUBEXP	65537
 
@@ -270,7 +283,7 @@ out:
 }
 #endif
 
-#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY)
 /**
  * rsa_verify_key() - Verify a signature against some data using RSA Key
  *
@@ -344,6 +357,49 @@ static int rsa_verify_key(struct image_sign_info *info,
 }
 #endif
 
+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
+/**
+ * rsa_verify_with_pkey() - Verify a signature against some data using
+ * only modulus and exponent as RSA key properties.
+ * @info:	Specifies key information
+ * @hash:	Pointer to the expected hash
+ * @sig:	Signature
+ * @sig_len:	Number of bytes in signature
+ *
+ * Parse a RSA public key blob in DER format pointed to in @info and fill
+ * a key_prop structure with properties of the key. Then verify a RSA PKCS1.5
+ * signature against an expected hash using the calculated properties.
+ *
+ * Return	0 if verified, -ve on error
+ */
+static int rsa_verify_with_pkey(struct image_sign_info *info,
+				const void *hash, uint8_t *sig, uint sig_len)
+{
+	struct key_prop *prop;
+	int ret;
+
+	/* Public key is self-described to fill key_prop */
+	ret = rsa_gen_key_prop(info->key, info->keylen, &prop);
+	if (ret) {
+		debug("Generating necessary parameter for decoding failed\n");
+		return ret;
+	}
+
+	ret = rsa_verify_key(info, prop, sig, sig_len, hash,
+			     info->crypto->key_len);
+
+	rsa_free_key_prop(prop);
+
+	return ret;
+}
+#else
+static int rsa_verify_with_pkey(struct image_sign_info *info,
+				const void *hash, uint8_t *sig, uint sig_len)
+{
+	return -EACCES;
+}
+#endif
+
 #if CONFIG_IS_ENABLED(FIT_SIGNATURE)
 /**
  * rsa_verify_with_keynode() - Verify a signature against some data using
@@ -434,6 +490,13 @@ int rsa_verify(struct image_sign_info *info,
 		return -EINVAL;
 	}
 
+	if (IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
+		/* don't rely on fdt properties */
+		ret = rsa_verify_with_pkey(info, hash, sig, sig_len);
+
+		return ret;
+	}
+
 	if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
 		const void *blob = info->fdt_blob;
 		int ndepth, noffset;
-- 
2.21.0

[U-Boot] [PATCH v4 6/6] test: add rsa_verify() unit test

[AKASHI Takahiro]

In this patch, a very simple test is added to verify that rsa_verify()
using rsa_verify_with_pkey() work correctly.

To keep the code simple, all the test data, either public key and
verified binary data, are embedded in the source.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 test/Kconfig      |  12 +++
 test/lib/Makefile |   1 +
 test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 219 insertions(+)
 create mode 100644 test/lib/rsa.c

diff --git a/test/Kconfig b/test/Kconfig
index cb7954041eda..64d76c3b20a5 100644
--- a/test/Kconfig
+++ b/test/Kconfig
@@ -28,6 +28,18 @@ config UT_LIB_ASN1
 	  Enables a test which exercises asn1 compiler and decoder function
 	  via various parsers.
 
+config UT_LIB_RSA
+	bool "Unit test for rsa_verify() function"
+	imply RSA
+	imply ASYMMETRIC_KEY_TYPE
+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+	imply RSA_PUBLIC_KEY_PARSER
+	imply RSA_VERIFY_WITH_PKEY
+	default y
+	help
+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
+	  only, at the 'ut lib' command.
+
 endif
 
 config UT_TIME
diff --git a/test/lib/Makefile b/test/lib/Makefile
index 72d2ec74b5f4..2bf6ef3935bb 100644
--- a/test/lib/Makefile
+++ b/test/lib/Makefile
@@ -8,3 +8,4 @@ obj-y += lmb.o
 obj-y += string.o
 obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
 obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
diff --git a/test/lib/rsa.c b/test/lib/rsa.c
new file mode 100644
index 000000000000..44f8ade226f4
--- /dev/null
+++ b/test/lib/rsa.c
@@ -0,0 +1,206 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2019 Linaro Limited
+ * Author: AKASHI Takahiro
+ *
+ * Unit test for rsa_verify() function
+ */
+
+#include <common.h>
+#include <command.h>
+#include <image.h>
+#include <test/lib.h>
+#include <test/test.h>
+#include <test/ut.h>
+#include <u-boot/rsa.h>
+
+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
+/*
+ * openssl genrsa 2048 -out private.pem
+ * openssl rsa -in private.pem -pubout -outform der -out public.der
+ * dd if=public.der of=public.raw bs=24 skip=1
+ */
+static unsigned char public_key[] = {
+	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
+	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
+	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
+	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
+	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
+	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
+	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
+	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
+	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
+	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
+	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
+	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
+	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
+	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
+	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
+	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
+	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
+	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
+	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
+	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
+	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
+	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
+	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+
+static unsigned int public_key_len = 270;
+
+/*
+ * dd if=/dev/urandom of=data.raw bs=512 count=1
+ */
+static unsigned char data_raw[] = {
+	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
+	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
+	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
+	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
+	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
+	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
+	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
+	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
+	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
+	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
+	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
+	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
+	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
+	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
+	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
+	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
+	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
+	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
+	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
+	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
+	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
+	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
+	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
+	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
+	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
+	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
+	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
+	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
+	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
+	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
+	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
+	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
+	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
+	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
+	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
+	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
+	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
+	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
+	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
+	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
+	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
+	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
+	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
+};
+
+static unsigned int data_raw_len = 512;
+
+/*
+ * openssl dgst -sha256 -sign private.key -out data.enc data.raw
+ */
+unsigned char data_enc[] = {
+	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
+	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
+	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
+	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
+	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
+	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
+	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
+	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
+	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
+	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
+	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
+	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
+	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
+	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
+	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
+	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
+	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
+	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
+	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
+	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
+	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
+	0x89, 0x06, 0xc9, 0x3a
+};
+
+static unsigned int data_enc_len = 256;
+
+/**
+ * lib_rsa_verify_valid() - unit test for rsa_verify()
+ *
+ * Test rsa_verify() with valid hash
+ *
+ * @uts:	unit test state
+ * Return:	0 = success, 1 = failure
+ */
+static int lib_rsa_verify_valid(struct unit_test_state *uts)
+{
+	struct image_sign_info info;
+	struct image_region reg;
+	int ret;
+
+	memset(&info, '\0', sizeof(info));
+	info.name = "sha256,rsa2048";
+	info.padding = image_get_padding_algo("pkcs-1.5");
+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
+	info.crypto = image_get_crypto_algo(info.name);
+
+	info.key = public_key;
+	info.keylen = public_key_len;
+
+	reg.data = data_raw;
+	reg.size = data_raw_len;
+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
+	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
+
+	return CMD_RET_SUCCESS;
+}
+
+LIB_TEST(lib_rsa_verify_valid, 0);
+
+/**
+ * lib_rsa_verify_invalid() - unit test for rsa_verify()
+ *
+ * Test rsa_verify() with invalid hash
+ *
+ * @uts:	unit test state
+ * Return:	0 = success, 1 = failure
+ */
+static int lib_rsa_verify_invalid(struct unit_test_state *uts)
+{
+	struct image_sign_info info;
+	struct image_region reg;
+	unsigned char ctmp;
+	int ret;
+
+	memset(&info, '\0', sizeof(info));
+	info.name = "sha256,rsa2048";
+	info.padding = image_get_padding_algo("pkcs-1.5");
+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
+	info.crypto = image_get_crypto_algo(info.name);
+
+	info.key = public_key;
+	info.keylen = public_key_len;
+
+	/* randomly corrupt enc'ed data */
+	ctmp = data_enc[data_enc_len - 10];
+	data_enc[data_enc_len - 10] = 0x12;
+
+	reg.data = data_raw;
+	reg.size = data_raw_len;
+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
+
+	/* revert a change */
+	data_enc[data_enc_len - 10] = ctmp;
+
+	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
+
+	return CMD_RET_SUCCESS;
+}
+
+LIB_TEST(lib_rsa_verify_invalid, 0);
+#endif /* RSA_VERIFY_WITH_PKEY */
-- 
2.21.0

[U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification

[Tom Rini]

On Thu, Nov 21, 2019 at 09:11:16AM +0900, AKASHI Takahiro wrote:

> Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
> RSA functions from FIT verification and allow for adding a RSA-based
> signature verification for other file formats, in particular PE file
> for UEFI secure boot.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> ---
>  Kconfig                |   1 +
>  common/Makefile        |   3 +-
>  common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
>  common/image-fit.c     |   6 +-
>  common/image-sig.c     | 396 --------------------------------------
>  include/image.h        |  13 +-
>  lib/rsa/Kconfig        |  12 ++
>  lib/rsa/Makefile       |   2 +-
>  lib/rsa/rsa-verify.c   |  78 +++++---
>  tools/Makefile         |   2 +-
>  10 files changed, 493 insertions(+), 437 deletions(-)
>  create mode 100644 common/image-fit-sig.c

OK, the way this works today we see things like:
            T1042RDB_PI_NAND_SECURE_BOOT: all +706 data +88 rodata +58 spl/u-boot-spl:all +704 spl/u-boot-spl:data +144 spl/u-boot-spl:text +560 text +560
               u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
                 function                                   old     new   delta
                 hash_calculate                               -     192    +192
                 padding_pkcs_15_verify                       -     184    +184
                 rsa_verify                                   -     104    +104
                 crypto_algos                                 -      40     +40
                 checksum_algos                               -      40     +40
                 rsa_sign                                     -       8      +8
                 rsa_add_verify_data                          -       8      +8
                 padding_algos                                -       8      +8
               spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
                 function                                   old     new   delta
                 hash_calculate                               -     192    +192
                 padding_pkcs_15_verify                       -     184    +184
                 rsa_verify                                   -     104    +104
                 crypto_algos                                 -      40     +40
                 checksum_algos                               -      40     +40
                 sha256_der_prefix                            -      19     +19
                 sha1_der_prefix                              -      15     +15
                 rsa_sign                                     -       8      +8
                 rsa_add_verify_data                          -       8      +8
                 padding_algos                                -       8      +8

Which seems wrong, we should be making any changes here opt-in, yes?  Thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20191206/0ec13c61/attachment.sig>

[U-Boot] [PATCH v4 1/6] lib: rsa: decouple rsa from FIT image verification

[AKASHI Takahiro]

Tom, Simon,

On Fri, Dec 06, 2019 at 07:25:47PM -0500, Tom Rini wrote:
> On Thu, Nov 21, 2019 at 09:11:16AM +0900, AKASHI Takahiro wrote:
> 
> > Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
> > RSA functions from FIT verification and allow for adding a RSA-based
> > signature verification for other file formats, in particular PE file
> > for UEFI secure boot.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > ---
> >  Kconfig                |   1 +
> >  common/Makefile        |   3 +-
> >  common/image-fit-sig.c | 417 +++++++++++++++++++++++++++++++++++++++++
> >  common/image-fit.c     |   6 +-
> >  common/image-sig.c     | 396 --------------------------------------
> >  include/image.h        |  13 +-
> >  lib/rsa/Kconfig        |  12 ++
> >  lib/rsa/Makefile       |   2 +-
> >  lib/rsa/rsa-verify.c   |  78 +++++---
> >  tools/Makefile         |   2 +-
> >  10 files changed, 493 insertions(+), 437 deletions(-)
> >  create mode 100644 common/image-fit-sig.c
> 
> OK, the way this works today we see things like:
>             T1042RDB_PI_NAND_SECURE_BOOT: all +706 data +88 rodata +58 spl/u-boot-spl:all +704 spl/u-boot-spl:data +144 spl/u-boot-spl:text +560 text +560
>                u-boot: add: 8/0, grow: 0/0 bytes: 584/0 (584)
>                  function                                   old     new   delta
>                  hash_calculate                               -     192    +192
>                  padding_pkcs_15_verify                       -     184    +184
>                  rsa_verify                                   -     104    +104
>                  crypto_algos                                 -      40     +40
>                  checksum_algos                               -      40     +40
>                  rsa_sign                                     -       8      +8
>                  rsa_add_verify_data                          -       8      +8
>                  padding_algos                                -       8      +8
>                spl-u-boot-spl: add: 10/0, grow: 0/0 bytes: 618/0 (618)
>                  function                                   old     new   delta
>                  hash_calculate                               -     192    +192
>                  padding_pkcs_15_verify                       -     184    +184
>                  rsa_verify                                   -     104    +104
>                  crypto_algos                                 -      40     +40
>                  checksum_algos                               -      40     +40
>                  sha256_der_prefix                            -      19     +19
>                  sha1_der_prefix                              -      15     +15
>                  rsa_sign                                     -       8      +8
>                  rsa_add_verify_data                          -       8      +8
>                  padding_algos                                -       8      +8
> 
> Which seems wrong, we should be making any changes here opt-in, yes?  Thanks!

Okay, I found out what was wrong with my patch.

*But*, it seems to me that lib/rsa/Kconfig, in particular
RSA_FREESCALE_EXP, is weird because CONFIG_RSA as well as
RSA_FREESCALE_EXP is enabled in T1042RDB_PI_NAND_SECURE_BOOT_defconfig,
and yet rsa_verify(), which is the heart of CONFIG_RSA (library),
is NOT enabled in the configuration (for T1042RDB).
So the generated code will have no real user of this crypto driver,
i.e. drivers/crypto/fsl/fsl_rsa.c.

Anyway, I will post a fixed version early next week.

Thanks,
-Takahiro Akashi

> -- 
> Tom

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[Heinrich Schuchardt]

On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> rsa_verify() will be extended to be able to perform RSA decryption without
> additional RSA key properties from FIT image, i.e. rr and n0inv.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>

The patch series does not build for some configurations.

> ---
>   lib/rsa/Kconfig | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
>
> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> index 03ffa2969048..71e4c06bf883 100644
> --- a/lib/rsa/Kconfig
> +++ b/lib/rsa/Kconfig
> @@ -30,6 +30,20 @@ config RSA_VERIFY
>   	help
>   	  Add RSA signature verification support.
>
> +config RSA_VERIFY_WITH_PKEY

For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
I get an error:

lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'

RSA_PUBLIC_KEY_PARSER depends on
ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]

Please, fix the dependencies.

Best regards

Heinrich

> +	bool "Execute RSA verification without key parameters from FDT"
> +	depends on RSA
> +	help
> +	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> +	  pre-calculated key properties, that are stored in fdt blob, in
> +	  decrypting a signature.
> +	  This does not suit the use case where there is no way defined to
> +	  provide such additional key properties in standardized form,
> +	  particularly UEFI secure boot.
> +	  This options enables RSA signature verification with a public key
> +	  directly specified in image_sign_info, where all the necessary
> +	  key properties will be calculated on the fly in verification code.
> +
>   config RSA_SOFTWARE_EXP
>   	bool "Enable driver for RSA Modular Exponentiation in software"
>   	depends on DM
>

[PATCH v4 6/6] test: add rsa_verify() unit test

[Heinrich Schuchardt]

On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> In this patch, a very simple test is added to verify that rsa_verify()
> using rsa_verify_with_pkey() work correctly.
>
> To keep the code simple, all the test data, either public key and
> verified binary data, are embedded in the source.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>   test/Kconfig      |  12 +++
>   test/lib/Makefile |   1 +
>   test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
>   3 files changed, 219 insertions(+)
>   create mode 100644 test/lib/rsa.c
>
> diff --git a/test/Kconfig b/test/Kconfig
> index cb7954041eda..64d76c3b20a5 100644
> --- a/test/Kconfig
> +++ b/test/Kconfig
> @@ -28,6 +28,18 @@ config UT_LIB_ASN1
>   	  Enables a test which exercises asn1 compiler and decoder function
>   	  via various parsers.
>
> +config UT_LIB_RSA
> +	bool "Unit test for rsa_verify() function"
> +	imply RSA
> +	imply ASYMMETRIC_KEY_TYPE
> +	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +	imply RSA_PUBLIC_KEY_PARSER
> +	imply RSA_VERIFY_WITH_PKEY

This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
executed otherwise.

Best regards

Heinrich

> +	default y
> +	help
> +	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> +	  only, at the 'ut lib' command.
> +
>   endif
>
>   config UT_TIME
> diff --git a/test/lib/Makefile b/test/lib/Makefile
> index 72d2ec74b5f4..2bf6ef3935bb 100644
> --- a/test/lib/Makefile
> +++ b/test/lib/Makefile
> @@ -8,3 +8,4 @@ obj-y += lmb.o
>   obj-y += string.o
>   obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
>   obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> +obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> new file mode 100644
> index 000000000000..44f8ade226f4
> --- /dev/null
> +++ b/test/lib/rsa.c
> @@ -0,0 +1,206 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (c) 2019 Linaro Limited
> + * Author: AKASHI Takahiro
> + *
> + * Unit test for rsa_verify() function
> + */
> +
> +#include <common.h>
> +#include <command.h>
> +#include <image.h>
> +#include <test/lib.h>
> +#include <test/test.h>
> +#include <test/ut.h>
> +#include <u-boot/rsa.h>
> +
> +#ifdef CONFIG_RSA_VERIFY_WITH_PKEY

Please, remove this ifdef. Simply do not build this module if
CONFIG_RSA_VERIFY_WITH_PKEY is not defined.

> +/*
> + * openssl genrsa 2048 -out private.pem
> + * openssl rsa -in private.pem -pubout -outform der -out public.der
> + * dd if=public.der of=public.raw bs=24 skip=1
> + */
> +static unsigned char public_key[] = {
> +	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
> +	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
> +	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
> +	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
> +	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
> +	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
> +	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
> +	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
> +	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
> +	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
> +	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
> +	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
> +	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
> +	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
> +	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
> +	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
> +	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
> +	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
> +	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
> +	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
> +	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
> +	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
> +	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
> +};
> +
> +static unsigned int public_key_len = 270;
> +
> +/*
> + * dd if=/dev/urandom of=data.raw bs=512 count=1
> + */
> +static unsigned char data_raw[] = {
> +	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
> +	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
> +	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
> +	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
> +	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
> +	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
> +	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
> +	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
> +	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
> +	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
> +	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
> +	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
> +	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
> +	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
> +	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
> +	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
> +	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
> +	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
> +	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
> +	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
> +	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
> +	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
> +	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
> +	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
> +	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
> +	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
> +	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
> +	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
> +	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
> +	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
> +	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
> +	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
> +	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
> +	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
> +	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
> +	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
> +	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
> +	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
> +	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
> +	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
> +	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
> +	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
> +	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
> +};
> +
> +static unsigned int data_raw_len = 512;
> +
> +/*
> + * openssl dgst -sha256 -sign private.key -out data.enc data.raw
> + */
> +unsigned char data_enc[] = {
> +	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
> +	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
> +	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
> +	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
> +	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
> +	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
> +	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
> +	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
> +	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
> +	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
> +	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
> +	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
> +	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
> +	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
> +	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
> +	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
> +	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
> +	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
> +	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
> +	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
> +	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
> +	0x89, 0x06, 0xc9, 0x3a
> +};
> +
> +static unsigned int data_enc_len = 256;
> +
> +/**
> + * lib_rsa_verify_valid() - unit test for rsa_verify()
> + *
> + * Test rsa_verify() with valid hash
> + *
> + * @uts:	unit test state
> + * Return:	0 = success, 1 = failure
> + */
> +static int lib_rsa_verify_valid(struct unit_test_state *uts)
> +{
> +	struct image_sign_info info;
> +	struct image_region reg;
> +	int ret;
> +
> +	memset(&info, '\0', sizeof(info));
> +	info.name = "sha256,rsa2048";
> +	info.padding = image_get_padding_algo("pkcs-1.5");
> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> +	info.crypto = image_get_crypto_algo(info.name);
> +
> +	info.key = public_key;
> +	info.keylen = public_key_len;
> +
> +	reg.data = data_raw;
> +	reg.size = data_raw_len;
> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> +	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
> +
> +	return CMD_RET_SUCCESS;
> +}
> +
> +LIB_TEST(lib_rsa_verify_valid, 0);
> +
> +/**
> + * lib_rsa_verify_invalid() - unit test for rsa_verify()
> + *
> + * Test rsa_verify() with invalid hash
> + *
> + * @uts:	unit test state
> + * Return:	0 = success, 1 = failure
> + */
> +static int lib_rsa_verify_invalid(struct unit_test_state *uts)
> +{
> +	struct image_sign_info info;
> +	struct image_region reg;
> +	unsigned char ctmp;
> +	int ret;
> +
> +	memset(&info, '\0', sizeof(info));
> +	info.name = "sha256,rsa2048";
> +	info.padding = image_get_padding_algo("pkcs-1.5");
> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> +	info.crypto = image_get_crypto_algo(info.name);
> +
> +	info.key = public_key;
> +	info.keylen = public_key_len;
> +
> +	/* randomly corrupt enc'ed data */
> +	ctmp = data_enc[data_enc_len - 10];
> +	data_enc[data_enc_len - 10] = 0x12;
> +
> +	reg.data = data_raw;
> +	reg.size = data_raw_len;
> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> +
> +	/* revert a change */
> +	data_enc[data_enc_len - 10] = ctmp;
> +
> +	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
> +
> +	return CMD_RET_SUCCESS;
> +}
> +
> +LIB_TEST(lib_rsa_verify_invalid, 0);
> +#endif /* RSA_VERIFY_WITH_PKEY */
>

[PATCH v4 4/6] lib: rsa: generate additional parameters for public key

[Heinrich Schuchardt]

On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> In the current implementation of FIT_SIGNATURE, five parameters for
> a RSA public key are required while only two of them are essential.
> (See rsa-mod-exp.h and uImage.FIT/signature.txt)
> This is a result of considering relatively limited computer power
> and resources on embedded systems, while such a assumption may not
> be quite practical for other use cases.
>
> In this patch, added is a function, rsa_gen_key_prop(), which will
> generate additional parameters for other uses, in particular
> UEFI secure boot, on the fly.
>
> Note: the current code uses some "big number" rouKtines from BearSSL
> for the calculation.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>   include/u-boot/rsa-mod-exp.h |  23 ++
>   lib/rsa/Kconfig              |   1 +
>   lib/rsa/Makefile             |   1 +
>   lib/rsa/rsa-keyprop.c        | 725 +++++++++++++++++++++++++++++++++++
>   4 files changed, 750 insertions(+)
>   create mode 100644 lib/rsa/rsa-keyprop.c
>
> diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
> index 8a428c4b6a1a..1da8af1bb83d 100644
> --- a/include/u-boot/rsa-mod-exp.h
> +++ b/include/u-boot/rsa-mod-exp.h
> @@ -26,6 +26,29 @@ struct key_prop {
>   	uint32_t exp_len;	/* Exponent length in number of uint8_t */
>   };
>
> +/**
> + * rsa_gen_key_prop() - Generate key properties of RSA public key
> + * @key:	Specifies key data in DER format
> + * @keylen:	Length of @key
> + * @prop:	Generated key property
> + *
> + * This function takes a blob of encoded RSA public key data in DER
> + * format, parse it and generate all the relevant properties
> + * in key_prop structure.
> + * Return a pointer to struct key_prop in @prop on success.
> + *
> + * Return:	0 on success, negative on error
> + */
> +int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **proc);
> +
> +/**
> + * rsa_free_key_prop() - Free key properties
> + * @prop:	Pointer to struct key_prop
> + *
> + * This function frees all the memories allocated by rsa_gen_key_prop().
> + */
> +void rsa_free_key_prop(struct key_prop *prop);
> +
>   /**
>    * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
>    *
> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> index 71e4c06bf883..d1d6f6cf64a3 100644
> --- a/lib/rsa/Kconfig
> +++ b/lib/rsa/Kconfig
> @@ -33,6 +33,7 @@ config RSA_VERIFY
>   config RSA_VERIFY_WITH_PKEY
>   	bool "Execute RSA verification without key parameters from FDT"
>   	depends on RSA
> +	imply RSA_PUBLIC_KEY_PARSER

Do we really need RSA_PUBLIC_KEY_PARSER whenever we use CONFIG_RSA=y?
E.g. on a system without the UEFI sub-system?

Otherwise simply let RSA_PUBLIC_KEY_PARSER depend on RSA.

>   	help
>   	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
>   	  pre-calculated key properties, that are stored in fdt blob, in
> diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
> index c07305188e0c..14ed3cb4012b 100644
> --- a/lib/rsa/Makefile
> +++ b/lib/rsa/Makefile
> @@ -6,4 +6,5 @@
>   # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
>
>   obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
> +obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
>   obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
> diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
> new file mode 100644
> index 000000000000..9464df009343
> --- /dev/null
> +++ b/lib/rsa/rsa-keyprop.c
> @@ -0,0 +1,725 @@
> +// SPDX-License-Identifier: GPL-2.0+ and MIT
> +/*
> + * RSA library - generate parameters for a public key
> + *
> + * Copyright (c) 2019 Linaro Limited
> + * Author: AKASHI Takahiro
> + *
> + * Big number routines in this file come from BearSSL:
> + * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
> + */
> +
> +#include <common.h>
> +#include <image.h>
> +#include <malloc.h>
> +#include <asm/byteorder.h>
> +#include <crypto/internal/rsa.h>
> +#include <u-boot/rsa-mod-exp.h>
> +
> +/**
> + * br_dec16be() - Convert 16-bit big-endian integer to native
> + * @src:	Pointer to data
> + * Return:	Native-endian integer
> + */
> +static unsigned br_dec16be(const void *src)
> +{
> +	return be16_to_cpup(src);
> +}
> +
> +/**
> + * br_dec32be() - Convert 32-bit big-endian integer to native
> + * @src:	Pointer to data
> + * Return:	Native-endian integer
> + */
> +static uint32_t br_dec32be(const void *src)
> +{
> +	return be32_to_cpup(src);
> +}
> +
> +/**
> + * br_enc32be() - Convert native 32-bit integer to big-endian
> + * @dst:	Pointer to buffer to store big-endian integer in
> + * @x:		Native 32-bit integer
> + */
> +static void br_enc32be(void *dst, uint32_t x)
> +{
> +	__be32 tmp;
> +
> +	tmp = cpu_to_be32(x);
> +	memcpy(dst, &tmp, sizeof(tmp));
> +}
> +
> +/* from BearSSL's src/inner.h */
> +
> +/*
> + * Negate a boolean.
> + */
> +static uint32_t NOT(uint32_t ctl)
> +{
> +	return ctl ^ 1;
> +}
> +
> +/*
> + * Multiplexer: returns x if ctl == 1, y if ctl == 0.
> + */
> +static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
> +{
> +	return y ^ (-ctl & (x ^ y));
> +}
> +
> +/*
> + * Equality check: returns 1 if x == y, 0 otherwise.
> + */
> +static uint32_t EQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return NOT((q | -q) >> 31);
> +}
> +
> +/*
> + * Inequality check: returns 1 if x != y, 0 otherwise.
> + */
> +static uint32_t NEQ(uint32_t x, uint32_t y)
> +{
> +	uint32_t q;
> +
> +	q = x ^ y;
> +	return (q | -q) >> 31;

We want to minimize the code size of U-Boot.

So, please, review this code and remove all of this bogus.

Best regards

Heinrich

> +}
> +
> +/*
> + * Comparison: returns 1 if x > y, 0 otherwise.
> + */
> +static uint32_t GT(uint32_t x, uint32_t y)
> +{
> +	/*
> +	 * If both x < 2^31 and y < 2^31, then y-x will have its high
> +	 * bit set if x > y, cleared otherwise.
> +	 *
> +	 * If either x >= 2^31 or y >= 2^31 (but not both), then the
> +	 * result is the high bit of x.
> +	 *
> +	 * If both x >= 2^31 and y >= 2^31, then we can virtually
> +	 * subtract 2^31 from both, and we are back to the first case.
> +	 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
> +	 * fine.
> +	 */
> +	uint32_t z;
> +
> +	z = y - x;
> +	return (z ^ ((x ^ y) & (x ^ z))) >> 31;
> +}
> +
> +/*
> + * Compute the bit length of a 32-bit integer. Returned value is between 0
> + * and 32 (inclusive).
> + */
> +static uint32_t BIT_LENGTH(uint32_t x)
> +{
> +	uint32_t k, c;
> +
> +	k = NEQ(x, 0);
> +	c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
> +	c = GT(x, 0x00FF); x = MUX(c, x >>  8, x); k += c << 3;
> +	c = GT(x, 0x000F); x = MUX(c, x >>  4, x); k += c << 2;
> +	c = GT(x, 0x0003); x = MUX(c, x >>  2, x); k += c << 1;
> +	k += GT(x, 0x0001);
> +	return k;
> +}
> +
> +#define GE(x, y)   NOT(GT(y, x))
> +#define LT(x, y)   GT(y, x)
> +#define MUL(x, y)   ((uint64_t)(x) * (uint64_t)(y))
> +
> +/*
> + * Integers 'i32'
> + * --------------
> + *
> + * The 'i32' functions implement computations on big integers using
> + * an internal representation as an array of 32-bit integers. For
> + * an array x[]:
> + *  -- x[0] contains the "announced bit length" of the integer
> + *  -- x[1], x[2]... contain the value in little-endian order (x[1]
> + *     contains the least significant 32 bits)
> + *
> + * Multiplications rely on the elementary 32x32->64 multiplication.
> + *
> + * The announced bit length specifies the number of bits that are
> + * significant in the subsequent 32-bit words. Unused bits in the
> + * last (most significant) word are set to 0; subsequent words are
> + * uninitialized and need not exist at all.
> + *
> + * The execution time and memory access patterns of all computations
> + * depend on the announced bit length, but not on the actual word
> + * values. For modular integers, the announced bit length of any integer
> + * modulo n is equal to the actual bit length of n; thus, computations
> + * on modular integers are "constant-time" (only the modulus length may
> + * leak).
> + */
> +
> +/*
> + * Extract one word from an integer. The offset is counted in bits.
> + * The word MUST entirely fit within the word elements corresponding
> + * to the announced bit length of a[].
> + */
> +static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
> +{
> +	size_t u;
> +	unsigned j;
> +
> +	u = (size_t)(off >> 5) + 1;
> +	j = (unsigned)off & 31;
> +	if (j == 0) {
> +		return a[u];
> +	} else {
> +		return (a[u] >> j) | (a[u + 1] << (32 - j));
> +	}
> +}
> +
> +/* from BearSSL's src/int/i32_bitlen.c */
> +
> +/*
> + * Compute the actual bit length of an integer. The argument x should
> + * point to the first (least significant) value word of the integer.
> + * The len 'xlen' contains the number of 32-bit words to access.
> + *
> + * CT: value or length of x does not leak.
> + */
> +static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
> +{
> +	uint32_t tw, twk;
> +
> +	tw = 0;
> +	twk = 0;
> +	while (xlen -- > 0) {
> +		uint32_t w, c;
> +
> +		c = EQ(tw, 0);
> +		w = x[xlen];
> +		tw = MUX(c, w, tw);
> +		twk = MUX(c, (uint32_t)xlen, twk);
> +	}
> +	return (twk << 5) + BIT_LENGTH(tw);
> +}
> +
> +/* from BearSSL's src/int/i32_decode.c */
> +
> +/*
> + * Decode an integer from its big-endian unsigned representation. The
> + * "true" bit length of the integer is computed, but all words of x[]
> + * corresponding to the full 'len' bytes of the source are set.
> + *
> + * CT: value or length of x does not leak.
> + */
> +static void br_i32_decode(uint32_t *x, const void *src, size_t len)
> +{
> +	const unsigned char *buf;
> +	size_t u, v;
> +
> +	buf = src;
> +	u = len;
> +	v = 1;
> +	for (;;) {
> +		if (u < 4) {
> +			uint32_t w;
> +
> +			if (u < 2) {
> +				if (u == 0) {
> +					break;
> +				} else {
> +					w = buf[0];
> +				}
> +			} else {
> +				if (u == 2) {
> +					w = br_dec16be(buf);
> +				} else {
> +					w = ((uint32_t)buf[0] << 16)
> +						| br_dec16be(buf + 1);
> +				}
> +			}
> +			x[v ++] = w;
> +			break;
> +		} else {
> +			u -= 4;
> +			x[v ++] = br_dec32be(buf + u);
> +		}
> +	}
> +	x[0] = br_i32_bit_length(x + 1, v - 1);
> +}
> +
> +/* from BearSSL's src/int/i32_encode.c */
> +
> +/*
> + * Encode an integer into its big-endian unsigned representation. The
> + * output length in bytes is provided (parameter 'len'); if the length
> + * is too short then the integer is appropriately truncated; if it is
> + * too long then the extra bytes are set to 0.
> + */
> +static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
> +{
> +	unsigned char *buf;
> +	size_t k;
> +
> +	buf = dst;
> +
> +	/*
> +	 * Compute the announced size of x in bytes; extra bytes are
> +	 * filled with zeros.
> +	 */
> +	k = (x[0] + 7) >> 3;
> +	while (len > k) {
> +		*buf ++ = 0;
> +		len --;
> +	}
> +
> +	/*
> +	 * Now we use k as index within x[]. That index starts at 1;
> +	 * we initialize it to the topmost complete word, and process
> +	 * any remaining incomplete word.
> +	 */
> +	k = (len + 3) >> 2;
> +	switch (len & 3) {
> +	case 3:
> +		*buf ++ = x[k] >> 16;
> +		/* fall through */
> +	case 2:
> +		*buf ++ = x[k] >> 8;
> +		/* fall through */
> +	case 1:
> +		*buf ++ = x[k];
> +		k --;
> +	}
> +
> +	/*
> +	 * Encode all complete words.
> +	 */
> +	while (k > 0) {
> +		br_enc32be(buf, x[k]);
> +		k --;
> +		buf += 4;
> +	}
> +}
> +
> +/* from BearSSL's src/int/i32_ninv32.c */
> +
> +/*
> + * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
> + */
> +static uint32_t br_i32_ninv32(uint32_t x)
> +{
> +	uint32_t y;
> +
> +	y = 2 - x;
> +	y *= 2 - y * x;
> +	y *= 2 - y * x;
> +	y *= 2 - y * x;
> +	y *= 2 - y * x;
> +	return MUX(x & 1, -y, 0);
> +}
> +
> +/* from BearSSL's src/int/i32_add.c */
> +
> +/*
> + * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
> + * is unmodified, but the carry is still computed and returned. The
> + * arrays a[] and b[] MUST have the same announced bit length.
> + *
> + * a[] and b[] MAY be the same array, but partial overlap is not allowed.
> + */
> +static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
> +{
> +	uint32_t cc;
> +	size_t u, m;
> +
> +	cc = 0;
> +	m = (a[0] + 63) >> 5;
> +	for (u = 1; u < m; u ++) {
> +		uint32_t aw, bw, naw;
> +
> +		aw = a[u];
> +		bw = b[u];
> +		naw = aw + bw + cc;
> +
> +		/*
> +		 * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
> +		 * AND the carry was already 1.
> +		 */
> +		cc = (cc & EQ(naw, aw)) | LT(naw, aw);
> +		a[u] = MUX(ctl, naw, aw);
> +	}
> +	return cc;
> +}
> +
> +/* from BearSSL's src/int/i32_sub.c */
> +
> +/*
> + * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
> + * then a[] is unmodified, but the carry is still computed and returned.
> + * The arrays a[] and b[] MUST have the same announced bit length.
> + *
> + * a[] and b[] MAY be the same array, but partial overlap is not allowed.
> + */
> +static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
> +{
> +	uint32_t cc;
> +	size_t u, m;
> +
> +	cc = 0;
> +	m = (a[0] + 63) >> 5;
> +	for (u = 1; u < m; u ++) {
> +		uint32_t aw, bw, naw;
> +
> +		aw = a[u];
> +		bw = b[u];
> +		naw = aw - bw - cc;
> +
> +		/*
> +		 * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
> +		 * AND the carry was already 1.
> +		 */
> +		cc = (cc & EQ(naw, aw)) | GT(naw, aw);
> +		a[u] = MUX(ctl, naw, aw);
> +	}
> +	return cc;
> +}
> +
> +/* from BearSSL's src/int/i32_div32.c */
> +
> +/*
> + * Constant-time division. The dividend hi:lo is divided by the
> + * divisor d; the quotient is returned and the remainder is written
> + * in *r. If hi == d, then the quotient does not fit on 32 bits;
> + * returned value is thus truncated. If hi > d, returned values are
> + * indeterminate.
> + */
> +static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r)
> +{
> +	/* TODO: optimize this */
> +	uint32_t q;
> +	uint32_t ch, cf;
> +	int k;
> +
> +	q = 0;
> +	ch = EQ(hi, d);
> +	hi = MUX(ch, 0, hi);
> +	for (k = 31; k > 0; k --) {
> +		int j;
> +		uint32_t w, ctl, hi2, lo2;
> +
> +		j = 32 - k;
> +		w = (hi << j) | (lo >> k);
> +		ctl = GE(w, d) | (hi >> k);
> +		hi2 = (w - d) >> j;
> +		lo2 = lo - (d << k);
> +		hi = MUX(ctl, hi2, hi);
> +		lo = MUX(ctl, lo2, lo);
> +		q |= ctl << k;
> +	}
> +	cf = GE(lo, d) | hi;
> +	q |= cf;
> +	*r = MUX(cf, lo - d, lo);
> +	return q;
> +}
> +
> +/*
> + * Wrapper for br_divrem(); the remainder is returned, and the quotient
> + * is discarded.
> + */
> +static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
> +{
> +	uint32_t r;
> +
> +	br_divrem(hi, lo, d, &r);
> +	return r;
> +}
> +
> +/*
> + * Wrapper for br_divrem(); the quotient is returned, and the remainder
> + * is discarded.
> + */
> +static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
> +{
> +	uint32_t r;
> +
> +	return br_divrem(hi, lo, d, &r);
> +}
> +
> +/* from BearSSL's src/int/i32_muladd.c */
> +
> +/*
> + * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
> + * function assumes that x[] and m[] have the same announced bit
> + * length, and the announced bit length of m[] matches its true
> + * bit length.
> + *
> + * x[] and m[] MUST be distinct arrays.
> + *
> + * CT: only the common announced bit length of x and m leaks, not
> + * the values of x, z or m.
> + */
> +static void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m)
> +{
> +	uint32_t m_bitlen;
> +	size_t u, mlen;
> +	uint32_t a0, a1, b0, hi, g, q, tb;
> +	uint32_t chf, clow, under, over;
> +	uint64_t cc;
> +
> +	/*
> +	 * We can test on the modulus bit length since we accept to
> +	 * leak that length.
> +	 */
> +	m_bitlen = m[0];
> +	if (m_bitlen == 0) {
> +		return;
> +	}
> +	if (m_bitlen <= 32) {
> +		x[1] = br_rem(x[1], z, m[1]);
> +		return;
> +	}
> +	mlen = (m_bitlen + 31) >> 5;
> +
> +	/*
> +	 * Principle: we estimate the quotient (x*2^32+z)/m by
> +	 * doing a 64/32 division with the high words.
> +	 *
> +	 * Let:
> +	 *   w = 2^32
> +	 *   a = (w*a0 + a1) * w^N + a2
> +	 *   b = b0 * w^N + b2
> +	 * such that:
> +	 *   0 <= a0 < w
> +	 *   0 <= a1 < w
> +	 *   0 <= a2 < w^N
> +	 *   w/2 <= b0 < w
> +	 *   0 <= b2 < w^N
> +	 *   a < w*b
> +	 * I.e. the two top words of a are a0:a1, the top word of b is
> +	 * b0, we ensured that b0 is "full" (high bit set), and a is
> +	 * such that the quotient q = a/b fits on one word (0 <= q < w).
> +	 *
> +	 * If a = b*q + r (with 0 <= r < q), we can estimate q by
> +	 * doing an Euclidean division on the top words:
> +	 *   a0*w+a1 = b0*u + v  (with 0 <= v < w)
> +	 * Then the following holds:
> +	 *   0 <= u <= w
> +	 *   u-2 <= q <= u
> +	 */
> +	a0 = br_i32_word(x, m_bitlen - 32);
> +	hi = x[mlen];
> +	memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
> +	x[1] = z;
> +	a1 = br_i32_word(x, m_bitlen - 32);
> +	b0 = br_i32_word(m, m_bitlen - 32);
> +
> +	/*
> +	 * We estimate a divisor q. If the quotient returned by br_div()
> +	 * is g:
> +	 * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
> +	 * -- Otherwise:
> +	 *    -- if g == 0 then we set q = 0;
> +	 *    -- otherwise, we set q = g - 1.
> +	 * The properties described above then ensure that the true
> +	 * quotient is q-1, q or q+1.
> +	 */
> +	g = br_div(a0, a1, b0);
> +	q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));
> +
> +	/*
> +	 * We subtract q*m from x (with the extra high word of value 'hi').
> +	 * Since q may be off by 1 (in either direction), we may have to
> +	 * add or subtract m afterwards.
> +	 *
> +	 * The 'tb' flag will be true (1) at the end of the loop if the
> +	 * result is greater than or equal to the modulus (not counting
> +	 * 'hi' or the carry).
> +	 */
> +	cc = 0;
> +	tb = 1;
> +	for (u = 1; u <= mlen; u ++) {
> +		uint32_t mw, zw, xw, nxw;
> +		uint64_t zl;
> +
> +		mw = m[u];
> +		zl = MUL(mw, q) + cc;
> +		cc = (uint32_t)(zl >> 32);
> +		zw = (uint32_t)zl;
> +		xw = x[u];
> +		nxw = xw - zw;
> +		cc += (uint64_t)GT(nxw, xw);
> +		x[u] = nxw;
> +		tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
> +	}
> +
> +	/*
> +	 * If we underestimated q, then either cc < hi (one extra bit
> +	 * beyond the top array word), or cc == hi and tb is true (no
> +	 * extra bit, but the result is not lower than the modulus). In
> +	 * these cases we must subtract m once.
> +	 *
> +	 * Otherwise, we may have overestimated, which will show as
> +	 * cc > hi (thus a negative result). Correction is adding m once.
> +	 */
> +	chf = (uint32_t)(cc >> 32);
> +	clow = (uint32_t)cc;
> +	over = chf | GT(clow, hi);
> +	under = ~over & (tb | (~chf & LT(clow, hi)));
> +	br_i32_add(x, m, over);
> +	br_i32_sub(x, m, under);
> +}
> +
> +/* from BearSSL's src/int/i32_reduce.c */
> +
> +/*
> + * Reduce an integer (a[]) modulo another (m[]). The result is written
> + * in x[] and its announced bit length is set to be equal to that of m[].
> + *
> + * x[] MUST be distinct from a[] and m[].
> + *
> + * CT: only announced bit lengths leak, not values of x, a or m.
> + */
> +static void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m)
> +{
> +	uint32_t m_bitlen, a_bitlen;
> +	size_t mlen, alen, u;
> +
> +	m_bitlen = m[0];
> +	mlen = (m_bitlen + 31) >> 5;
> +
> +	x[0] = m_bitlen;
> +	if (m_bitlen == 0) {
> +		return;
> +	}
> +
> +	/*
> +	 * If the source is shorter, then simply copy all words from a[]
> +	 * and zero out the upper words.
> +	 */
> +	a_bitlen = a[0];
> +	alen = (a_bitlen + 31) >> 5;
> +	if (a_bitlen < m_bitlen) {
> +		memcpy(x + 1, a + 1, alen * sizeof *a);
> +		for (u = alen; u < mlen; u ++) {
> +			x[u + 1] = 0;
> +		}
> +		return;
> +	}
> +
> +	/*
> +	 * The source length is at least equal to that of the modulus.
> +	 * We must thus copy N-1 words, and input the remaining words
> +	 * one by one.
> +	 */
> +	memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
> +	x[mlen] = 0;
> +	for (u = 1 + alen - mlen; u > 0; u --) {
> +		br_i32_muladd_small(x, a[u], m);
> +	}
> +}
> +
> +/**
> + * rsa_free_key_prop() - Free key properties
> + * @prop:	Pointer to struct key_prop
> + *
> + * This function frees all the memories allocated by rsa_gen_key_prop().
> + */
> +void rsa_free_key_prop(struct key_prop *prop)
> +{
> +	if (!prop)
> +		return;
> +
> +	free((void *)prop->modulus);
> +	free((void *)prop->public_exponent);
> +	free((void *)prop->rr);
> +
> +	free(prop);
> +}
> +
> +/**
> + * rsa_gen_key_prop() - Generate key properties of RSA public key
> + * @key:	Specifies key data in DER format
> + * @keylen:	Length of @key
> + * @prop:	Generated key property
> + *
> + * This function takes a blob of encoded RSA public key data in DER
> + * format, parse it and generate all the relevant properties
> + * in key_prop structure.
> + * Return a pointer to struct key_prop in @prop on success.
> + *
> + * Return:	0 on success, negative on error
> + */
> +int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
> +{
> +	struct rsa_key rsa_key;
> +	uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
> +	const int max_rsa_size = 4096;
> +	int rlen, i, ret;
> +
> +	*prop = calloc(sizeof(**prop), 1);
> +	n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> +	rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> +	rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> +	if (!(*prop) || !n || !rr || !rrtmp) {
> +		ret = -ENOMEM;
> +		goto err;
> +	}
> +
> +	ret = rsa_parse_pub_key(&rsa_key, key, keylen);
> +	if (ret)
> +		goto err;
> +
> +	/* modulus */
> +	/* removing leading 0's */
> +	for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
> +		;
> +	(*prop)->num_bits = (rsa_key.n_sz - i) * 8;
> +	(*prop)->modulus = malloc(rsa_key.n_sz - i);
> +	if (!(*prop)->modulus) {
> +		ret = -ENOMEM;
> +		goto err;
> +	}
> +	memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
> +
> +	/* exponent */
> +	(*prop)->public_exponent = calloc(1, sizeof(uint64_t));
> +	if (!(*prop)->public_exponent) {
> +		ret = -ENOMEM;
> +		goto err;
> +	}
> +	memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
> +						- rsa_key.e_sz,
> +	       rsa_key.e, rsa_key.e_sz);
> +	(*prop)->exp_len = rsa_key.e_sz;
> +
> +	/* n0 inverse */
> +	br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> +	(*prop)->n0inv = br_i32_ninv32(n[1]);
> +
> +	/* R^2 mod n; R = 2^(num_bits) */
> +	rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
> +	rr[0] = 0;
> +	*(uint8_t *)&rr[0] = (1 << (rlen % 8));
> +	for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
> +		rr[i] = 0;
> +	br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
> +	br_i32_reduce(rr, rrtmp, n);
> +
> +	rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
> +	(*prop)->rr = malloc(rlen);
> +	if (!(*prop)->rr) {
> +		ret = -ENOMEM;
> +		goto err;
> +	}
> +	br_i32_encode((void *)(*prop)->rr, rlen, rr);
> +
> +	return 0;
> +
> +err:
> +	free(n);
> +	free(rr);
> +	free(rrtmp);
> +	rsa_free_key_prop(*prop);
> +	return ret;
> +}
>

[PATCH v4 4/6] lib: rsa: generate additional parameters for public key

[Heinrich Schuchardt]

On 1/8/20 7:07 PM, Heinrich Schuchardt wrote:
>
>
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>> In the current implementation of FIT_SIGNATURE, five parameters for
>> a RSA public key are required while only two of them are essential.
>> (See rsa-mod-exp.h and uImage.FIT/signature.txt)
>> This is a result of considering relatively limited computer power
>> and resources on embedded systems, while such a assumption may not
>> be quite practical for other use cases.
>>
>> In this patch, added is a function, rsa_gen_key_prop(), which will
>> generate additional parameters for other uses, in particular
>> UEFI secure boot, on the fly.
>>
>> Note: the current code uses some "big number" rouKtines from BearSSL
>> for the calculation.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   include/u-boot/rsa-mod-exp.h |  23 ++
>>   lib/rsa/Kconfig              |   1 +
>>   lib/rsa/Makefile             |   1 +
>>   lib/rsa/rsa-keyprop.c        | 725 +++++++++++++++++++++++++++++++++++
>>   4 files changed, 750 insertions(+)
>>   create mode 100644 lib/rsa/rsa-keyprop.c
>>
>> diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
>> index 8a428c4b6a1a..1da8af1bb83d 100644
>> --- a/include/u-boot/rsa-mod-exp.h
>> +++ b/include/u-boot/rsa-mod-exp.h
>> @@ -26,6 +26,29 @@ struct key_prop {
>>       uint32_t exp_len;    /* Exponent length in number of uint8_t */
>>   };
>>
>> +/**
>> + * rsa_gen_key_prop() - Generate key properties of RSA public key
>> + * @key:    Specifies key data in DER format
>> + * @keylen:    Length of @key
>> + * @prop:    Generated key property
>> + *
>> + * This function takes a blob of encoded RSA public key data in DER
>> + * format, parse it and generate all the relevant properties
>> + * in key_prop structure.
>> + * Return a pointer to struct key_prop in @prop on success.
>> + *
>> + * Return:    0 on success, negative on error
>> + */
>> +int rsa_gen_key_prop(const void *key, uint32_t keylen, struct
>> key_prop **proc);
>> +
>> +/**
>> + * rsa_free_key_prop() - Free key properties
>> + * @prop:    Pointer to struct key_prop
>> + *
>> + * This function frees all the memories allocated by rsa_gen_key_prop().
>> + */
>> +void rsa_free_key_prop(struct key_prop *prop);
>> +
>>   /**
>>    * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
>>    *
>> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
>> index 71e4c06bf883..d1d6f6cf64a3 100644
>> --- a/lib/rsa/Kconfig
>> +++ b/lib/rsa/Kconfig
>> @@ -33,6 +33,7 @@ config RSA_VERIFY
>>   config RSA_VERIFY_WITH_PKEY
>>       bool "Execute RSA verification without key parameters from FDT"
>>       depends on RSA
>> +    imply RSA_PUBLIC_KEY_PARSER
>
> Do we really need RSA_PUBLIC_KEY_PARSER whenever we use CONFIG_RSA=y?
> E.g. on a system without the UEFI sub-system?
>
> Otherwise simply let RSA_PUBLIC_KEY_PARSER depend on RSA.
>
>>       help
>>         The standard RSA-signature verification code (FIT_SIGNATURE) uses
>>         pre-calculated key properties, that are stored in fdt blob, in
>> diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
>> index c07305188e0c..14ed3cb4012b 100644
>> --- a/lib/rsa/Makefile
>> +++ b/lib/rsa/Makefile
>> @@ -6,4 +6,5 @@
>>   # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
>>
>>   obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
>> +obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
>>   obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
>> diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
>> new file mode 100644
>> index 000000000000..9464df009343
>> --- /dev/null
>> +++ b/lib/rsa/rsa-keyprop.c
>> @@ -0,0 +1,725 @@
>> +// SPDX-License-Identifier: GPL-2.0+ and MIT
>> +/*
>> + * RSA library - generate parameters for a public key
>> + *
>> + * Copyright (c) 2019 Linaro Limited
>> + * Author: AKASHI Takahiro
>> + *
>> + * Big number routines in this file come from BearSSL:
>> + * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
>> + */
>> +
>> +#include <common.h>
>> +#include <image.h>
>> +#include <malloc.h>
>> +#include <asm/byteorder.h>
>> +#include <crypto/internal/rsa.h>
>> +#include <u-boot/rsa-mod-exp.h>
>> +
>> +/**
>> + * br_dec16be() - Convert 16-bit big-endian integer to native
>> + * @src:    Pointer to data
>> + * Return:    Native-endian integer
>> + */
>> +static unsigned br_dec16be(const void *src)
>> +{
>> +    return be16_to_cpup(src);
>> +}
>> +
>> +/**
>> + * br_dec32be() - Convert 32-bit big-endian integer to native
>> + * @src:    Pointer to data
>> + * Return:    Native-endian integer
>> + */
>> +static uint32_t br_dec32be(const void *src)
>> +{
>> +    return be32_to_cpup(src);
>> +}
>> +
>> +/**
>> + * br_enc32be() - Convert native 32-bit integer to big-endian
>> + * @dst:    Pointer to buffer to store big-endian integer in
>> + * @x:        Native 32-bit integer
>> + */
>> +static void br_enc32be(void *dst, uint32_t x)
>> +{
>> +    __be32 tmp;
>> +
>> +    tmp = cpu_to_be32(x);
>> +    memcpy(dst, &tmp, sizeof(tmp));
>> +}
>> +
>> +/* from BearSSL's src/inner.h */
>> +
>> +/*
>> + * Negate a boolean.
>> + */
>> +static uint32_t NOT(uint32_t ctl)
>> +{
>> +    return ctl ^ 1;
>> +}
>> +
>> +/*
>> + * Multiplexer: returns x if ctl == 1, y if ctl == 0.
>> + */
>> +static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
>> +{
>> +    return y ^ (-ctl & (x ^ y));
>> +}
>> +
>> +/*
>> + * Equality check: returns 1 if x == y, 0 otherwise.
>> + */
>> +static uint32_t EQ(uint32_t x, uint32_t y)
>> +{
>> +    uint32_t q;
>> +
>> +    q = x ^ y;
>> +    return NOT((q | -q) >> 31);
>> +}
>> +
>> +/*
>> + * Inequality check: returns 1 if x != y, 0 otherwise.
>> + */
>> +static uint32_t NEQ(uint32_t x, uint32_t y)
>> +{
>> +    uint32_t q;
>> +
>> +    q = x ^ y;
>> +    return (q | -q) >> 31;
>
> We want to minimize the code size of U-Boot.
>
> So, please, review this code and remove all of this bogus.

Are timing attacks relevant in any of our UEFI use cases?

I thought we only are verifying signatures against public keys that are
anyway in reach of an adversery.

Best regards

Heinrich

>
>> +}
>> +
>> +/*
>> + * Comparison: returns 1 if x > y, 0 otherwise.
>> + */
>> +static uint32_t GT(uint32_t x, uint32_t y)
>> +{
>> +    /*
>> +     * If both x < 2^31 and y < 2^31, then y-x will have its high
>> +     * bit set if x > y, cleared otherwise.
>> +     *
>> +     * If either x >= 2^31 or y >= 2^31 (but not both), then the
>> +     * result is the high bit of x.
>> +     *
>> +     * If both x >= 2^31 and y >= 2^31, then we can virtually
>> +     * subtract 2^31 from both, and we are back to the first case.
>> +     * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
>> +     * fine.
>> +     */
>> +    uint32_t z;
>> +
>> +    z = y - x;
>> +    return (z ^ ((x ^ y) & (x ^ z))) >> 31;
>> +}
>> +
>> +/*
>> + * Compute the bit length of a 32-bit integer. Returned value is
>> between 0
>> + * and 32 (inclusive).
>> + */
>> +static uint32_t BIT_LENGTH(uint32_t x)
>> +{
>> +    uint32_t k, c;
>> +
>> +    k = NEQ(x, 0);
>> +    c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
>> +    c = GT(x, 0x00FF); x = MUX(c, x >>  8, x); k += c << 3;
>> +    c = GT(x, 0x000F); x = MUX(c, x >>  4, x); k += c << 2;
>> +    c = GT(x, 0x0003); x = MUX(c, x >>  2, x); k += c << 1;
>> +    k += GT(x, 0x0001);
>> +    return k;
>> +}
>> +
>> +#define GE(x, y)   NOT(GT(y, x))
>> +#define LT(x, y)   GT(y, x)
>> +#define MUL(x, y)   ((uint64_t)(x) * (uint64_t)(y))
>> +
>> +/*
>> + * Integers 'i32'
>> + * --------------
>> + *
>> + * The 'i32' functions implement computations on big integers using
>> + * an internal representation as an array of 32-bit integers. For
>> + * an array x[]:
>> + *  -- x[0] contains the "announced bit length" of the integer
>> + *  -- x[1], x[2]... contain the value in little-endian order (x[1]
>> + *     contains the least significant 32 bits)
>> + *
>> + * Multiplications rely on the elementary 32x32->64 multiplication.
>> + *
>> + * The announced bit length specifies the number of bits that are
>> + * significant in the subsequent 32-bit words. Unused bits in the
>> + * last (most significant) word are set to 0; subsequent words are
>> + * uninitialized and need not exist at all.
>> + *
>> + * The execution time and memory access patterns of all computations
>> + * depend on the announced bit length, but not on the actual word
>> + * values. For modular integers, the announced bit length of any integer
>> + * modulo n is equal to the actual bit length of n; thus, computations
>> + * on modular integers are "constant-time" (only the modulus length may
>> + * leak).
>> + */
>> +
>> +/*
>> + * Extract one word from an integer. The offset is counted in bits.
>> + * The word MUST entirely fit within the word elements corresponding
>> + * to the announced bit length of a[].
>> + */
>> +static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
>> +{
>> +    size_t u;
>> +    unsigned j;
>> +
>> +    u = (size_t)(off >> 5) + 1;
>> +    j = (unsigned)off & 31;
>> +    if (j == 0) {
>> +        return a[u];
>> +    } else {
>> +        return (a[u] >> j) | (a[u + 1] << (32 - j));
>> +    }
>> +}
>> +
>> +/* from BearSSL's src/int/i32_bitlen.c */
>> +
>> +/*
>> + * Compute the actual bit length of an integer. The argument x should
>> + * point to the first (least significant) value word of the integer.
>> + * The len 'xlen' contains the number of 32-bit words to access.
>> + *
>> + * CT: value or length of x does not leak.
>> + */
>> +static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
>> +{
>> +    uint32_t tw, twk;
>> +
>> +    tw = 0;
>> +    twk = 0;
>> +    while (xlen -- > 0) {
>> +        uint32_t w, c;
>> +
>> +        c = EQ(tw, 0);
>> +        w = x[xlen];
>> +        tw = MUX(c, w, tw);
>> +        twk = MUX(c, (uint32_t)xlen, twk);
>> +    }
>> +    return (twk << 5) + BIT_LENGTH(tw);
>> +}
>> +
>> +/* from BearSSL's src/int/i32_decode.c */
>> +
>> +/*
>> + * Decode an integer from its big-endian unsigned representation. The
>> + * "true" bit length of the integer is computed, but all words of x[]
>> + * corresponding to the full 'len' bytes of the source are set.
>> + *
>> + * CT: value or length of x does not leak.
>> + */
>> +static void br_i32_decode(uint32_t *x, const void *src, size_t len)
>> +{
>> +    const unsigned char *buf;
>> +    size_t u, v;
>> +
>> +    buf = src;
>> +    u = len;
>> +    v = 1;
>> +    for (;;) {
>> +        if (u < 4) {
>> +            uint32_t w;
>> +
>> +            if (u < 2) {
>> +                if (u == 0) {
>> +                    break;
>> +                } else {
>> +                    w = buf[0];
>> +                }
>> +            } else {
>> +                if (u == 2) {
>> +                    w = br_dec16be(buf);
>> +                } else {
>> +                    w = ((uint32_t)buf[0] << 16)
>> +                        | br_dec16be(buf + 1);
>> +                }
>> +            }
>> +            x[v ++] = w;
>> +            break;
>> +        } else {
>> +            u -= 4;
>> +            x[v ++] = br_dec32be(buf + u);
>> +        }
>> +    }
>> +    x[0] = br_i32_bit_length(x + 1, v - 1);
>> +}
>> +
>> +/* from BearSSL's src/int/i32_encode.c */
>> +
>> +/*
>> + * Encode an integer into its big-endian unsigned representation. The
>> + * output length in bytes is provided (parameter 'len'); if the length
>> + * is too short then the integer is appropriately truncated; if it is
>> + * too long then the extra bytes are set to 0.
>> + */
>> +static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
>> +{
>> +    unsigned char *buf;
>> +    size_t k;
>> +
>> +    buf = dst;
>> +
>> +    /*
>> +     * Compute the announced size of x in bytes; extra bytes are
>> +     * filled with zeros.
>> +     */
>> +    k = (x[0] + 7) >> 3;
>> +    while (len > k) {
>> +        *buf ++ = 0;
>> +        len --;
>> +    }
>> +
>> +    /*
>> +     * Now we use k as index within x[]. That index starts at 1;
>> +     * we initialize it to the topmost complete word, and process
>> +     * any remaining incomplete word.
>> +     */
>> +    k = (len + 3) >> 2;
>> +    switch (len & 3) {
>> +    case 3:
>> +        *buf ++ = x[k] >> 16;
>> +        /* fall through */
>> +    case 2:
>> +        *buf ++ = x[k] >> 8;
>> +        /* fall through */
>> +    case 1:
>> +        *buf ++ = x[k];
>> +        k --;
>> +    }
>> +
>> +    /*
>> +     * Encode all complete words.
>> +     */
>> +    while (k > 0) {
>> +        br_enc32be(buf, x[k]);
>> +        k --;
>> +        buf += 4;
>> +    }
>> +}
>> +
>> +/* from BearSSL's src/int/i32_ninv32.c */
>> +
>> +/*
>> + * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
>> + */
>> +static uint32_t br_i32_ninv32(uint32_t x)
>> +{
>> +    uint32_t y;
>> +
>> +    y = 2 - x;
>> +    y *= 2 - y * x;
>> +    y *= 2 - y * x;
>> +    y *= 2 - y * x;
>> +    y *= 2 - y * x;
>> +    return MUX(x & 1, -y, 0);
>> +}
>> +
>> +/* from BearSSL's src/int/i32_add.c */
>> +
>> +/*
>> + * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
>> + * is unmodified, but the carry is still computed and returned. The
>> + * arrays a[] and b[] MUST have the same announced bit length.
>> + *
>> + * a[] and b[] MAY be the same array, but partial overlap is not
>> allowed.
>> + */
>> +static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
>> +{
>> +    uint32_t cc;
>> +    size_t u, m;
>> +
>> +    cc = 0;
>> +    m = (a[0] + 63) >> 5;
>> +    for (u = 1; u < m; u ++) {
>> +        uint32_t aw, bw, naw;
>> +
>> +        aw = a[u];
>> +        bw = b[u];
>> +        naw = aw + bw + cc;
>> +
>> +        /*
>> +         * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
>> +         * AND the carry was already 1.
>> +         */
>> +        cc = (cc & EQ(naw, aw)) | LT(naw, aw);
>> +        a[u] = MUX(ctl, naw, aw);
>> +    }
>> +    return cc;
>> +}
>> +
>> +/* from BearSSL's src/int/i32_sub.c */
>> +
>> +/*
>> + * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
>> + * then a[] is unmodified, but the carry is still computed and returned.
>> + * The arrays a[] and b[] MUST have the same announced bit length.
>> + *
>> + * a[] and b[] MAY be the same array, but partial overlap is not
>> allowed.
>> + */
>> +static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
>> +{
>> +    uint32_t cc;
>> +    size_t u, m;
>> +
>> +    cc = 0;
>> +    m = (a[0] + 63) >> 5;
>> +    for (u = 1; u < m; u ++) {
>> +        uint32_t aw, bw, naw;
>> +
>> +        aw = a[u];
>> +        bw = b[u];
>> +        naw = aw - bw - cc;
>> +
>> +        /*
>> +         * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
>> +         * AND the carry was already 1.
>> +         */
>> +        cc = (cc & EQ(naw, aw)) | GT(naw, aw);
>> +        a[u] = MUX(ctl, naw, aw);
>> +    }
>> +    return cc;
>> +}
>> +
>> +/* from BearSSL's src/int/i32_div32.c */
>> +
>> +/*
>> + * Constant-time division. The dividend hi:lo is divided by the
>> + * divisor d; the quotient is returned and the remainder is written
>> + * in *r. If hi == d, then the quotient does not fit on 32 bits;
>> + * returned value is thus truncated. If hi > d, returned values are
>> + * indeterminate.
>> + */
>> +static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d,
>> uint32_t *r)
>> +{
>> +    /* TODO: optimize this */
>> +    uint32_t q;
>> +    uint32_t ch, cf;
>> +    int k;
>> +
>> +    q = 0;
>> +    ch = EQ(hi, d);
>> +    hi = MUX(ch, 0, hi);
>> +    for (k = 31; k > 0; k --) {
>> +        int j;
>> +        uint32_t w, ctl, hi2, lo2;
>> +
>> +        j = 32 - k;
>> +        w = (hi << j) | (lo >> k);
>> +        ctl = GE(w, d) | (hi >> k);
>> +        hi2 = (w - d) >> j;
>> +        lo2 = lo - (d << k);
>> +        hi = MUX(ctl, hi2, hi);
>> +        lo = MUX(ctl, lo2, lo);
>> +        q |= ctl << k;
>> +    }
>> +    cf = GE(lo, d) | hi;
>> +    q |= cf;
>> +    *r = MUX(cf, lo - d, lo);
>> +    return q;
>> +}
>> +
>> +/*
>> + * Wrapper for br_divrem(); the remainder is returned, and the quotient
>> + * is discarded.
>> + */
>> +static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
>> +{
>> +    uint32_t r;
>> +
>> +    br_divrem(hi, lo, d, &r);
>> +    return r;
>> +}
>> +
>> +/*
>> + * Wrapper for br_divrem(); the quotient is returned, and the remainder
>> + * is discarded.
>> + */
>> +static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
>> +{
>> +    uint32_t r;
>> +
>> +    return br_divrem(hi, lo, d, &r);
>> +}
>> +
>> +/* from BearSSL's src/int/i32_muladd.c */
>> +
>> +/*
>> + * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
>> + * function assumes that x[] and m[] have the same announced bit
>> + * length, and the announced bit length of m[] matches its true
>> + * bit length.
>> + *
>> + * x[] and m[] MUST be distinct arrays.
>> + *
>> + * CT: only the common announced bit length of x and m leaks, not
>> + * the values of x, z or m.
>> + */
>> +static void br_i32_muladd_small(uint32_t *x, uint32_t z, const
>> uint32_t *m)
>> +{
>> +    uint32_t m_bitlen;
>> +    size_t u, mlen;
>> +    uint32_t a0, a1, b0, hi, g, q, tb;
>> +    uint32_t chf, clow, under, over;
>> +    uint64_t cc;
>> +
>> +    /*
>> +     * We can test on the modulus bit length since we accept to
>> +     * leak that length.
>> +     */
>> +    m_bitlen = m[0];
>> +    if (m_bitlen == 0) {
>> +        return;
>> +    }
>> +    if (m_bitlen <= 32) {
>> +        x[1] = br_rem(x[1], z, m[1]);
>> +        return;
>> +    }
>> +    mlen = (m_bitlen + 31) >> 5;
>> +
>> +    /*
>> +     * Principle: we estimate the quotient (x*2^32+z)/m by
>> +     * doing a 64/32 division with the high words.
>> +     *
>> +     * Let:
>> +     *   w = 2^32
>> +     *   a = (w*a0 + a1) * w^N + a2
>> +     *   b = b0 * w^N + b2
>> +     * such that:
>> +     *   0 <= a0 < w
>> +     *   0 <= a1 < w
>> +     *   0 <= a2 < w^N
>> +     *   w/2 <= b0 < w
>> +     *   0 <= b2 < w^N
>> +     *   a < w*b
>> +     * I.e. the two top words of a are a0:a1, the top word of b is
>> +     * b0, we ensured that b0 is "full" (high bit set), and a is
>> +     * such that the quotient q = a/b fits on one word (0 <= q < w).
>> +     *
>> +     * If a = b*q + r (with 0 <= r < q), we can estimate q by
>> +     * doing an Euclidean division on the top words:
>> +     *   a0*w+a1 = b0*u + v  (with 0 <= v < w)
>> +     * Then the following holds:
>> +     *   0 <= u <= w
>> +     *   u-2 <= q <= u
>> +     */
>> +    a0 = br_i32_word(x, m_bitlen - 32);
>> +    hi = x[mlen];
>> +    memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
>> +    x[1] = z;
>> +    a1 = br_i32_word(x, m_bitlen - 32);
>> +    b0 = br_i32_word(m, m_bitlen - 32);
>> +
>> +    /*
>> +     * We estimate a divisor q. If the quotient returned by br_div()
>> +     * is g:
>> +     * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
>> +     * -- Otherwise:
>> +     *    -- if g == 0 then we set q = 0;
>> +     *    -- otherwise, we set q = g - 1.
>> +     * The properties described above then ensure that the true
>> +     * quotient is q-1, q or q+1.
>> +     */
>> +    g = br_div(a0, a1, b0);
>> +    q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));
>> +
>> +    /*
>> +     * We subtract q*m from x (with the extra high word of value 'hi').
>> +     * Since q may be off by 1 (in either direction), we may have to
>> +     * add or subtract m afterwards.
>> +     *
>> +     * The 'tb' flag will be true (1) at the end of the loop if the
>> +     * result is greater than or equal to the modulus (not counting
>> +     * 'hi' or the carry).
>> +     */
>> +    cc = 0;
>> +    tb = 1;
>> +    for (u = 1; u <= mlen; u ++) {
>> +        uint32_t mw, zw, xw, nxw;
>> +        uint64_t zl;
>> +
>> +        mw = m[u];
>> +        zl = MUL(mw, q) + cc;
>> +        cc = (uint32_t)(zl >> 32);
>> +        zw = (uint32_t)zl;
>> +        xw = x[u];
>> +        nxw = xw - zw;
>> +        cc += (uint64_t)GT(nxw, xw);
>> +        x[u] = nxw;
>> +        tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
>> +    }
>> +
>> +    /*
>> +     * If we underestimated q, then either cc < hi (one extra bit
>> +     * beyond the top array word), or cc == hi and tb is true (no
>> +     * extra bit, but the result is not lower than the modulus). In
>> +     * these cases we must subtract m once.
>> +     *
>> +     * Otherwise, we may have overestimated, which will show as
>> +     * cc > hi (thus a negative result). Correction is adding m once.
>> +     */
>> +    chf = (uint32_t)(cc >> 32);
>> +    clow = (uint32_t)cc;
>> +    over = chf | GT(clow, hi);
>> +    under = ~over & (tb | (~chf & LT(clow, hi)));
>> +    br_i32_add(x, m, over);
>> +    br_i32_sub(x, m, under);
>> +}
>> +
>> +/* from BearSSL's src/int/i32_reduce.c */
>> +
>> +/*
>> + * Reduce an integer (a[]) modulo another (m[]). The result is written
>> + * in x[] and its announced bit length is set to be equal to that of
>> m[].
>> + *
>> + * x[] MUST be distinct from a[] and m[].
>> + *
>> + * CT: only announced bit lengths leak, not values of x, a or m.
>> + */
>> +static void br_i32_reduce(uint32_t *x, const uint32_t *a, const
>> uint32_t *m)
>> +{
>> +    uint32_t m_bitlen, a_bitlen;
>> +    size_t mlen, alen, u;
>> +
>> +    m_bitlen = m[0];
>> +    mlen = (m_bitlen + 31) >> 5;
>> +
>> +    x[0] = m_bitlen;
>> +    if (m_bitlen == 0) {
>> +        return;
>> +    }
>> +
>> +    /*
>> +     * If the source is shorter, then simply copy all words from a[]
>> +     * and zero out the upper words.
>> +     */
>> +    a_bitlen = a[0];
>> +    alen = (a_bitlen + 31) >> 5;
>> +    if (a_bitlen < m_bitlen) {
>> +        memcpy(x + 1, a + 1, alen * sizeof *a);
>> +        for (u = alen; u < mlen; u ++) {
>> +            x[u + 1] = 0;
>> +        }
>> +        return;
>> +    }
>> +
>> +    /*
>> +     * The source length is at least equal to that of the modulus.
>> +     * We must thus copy N-1 words, and input the remaining words
>> +     * one by one.
>> +     */
>> +    memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
>> +    x[mlen] = 0;
>> +    for (u = 1 + alen - mlen; u > 0; u --) {
>> +        br_i32_muladd_small(x, a[u], m);
>> +    }
>> +}
>> +
>> +/**
>> + * rsa_free_key_prop() - Free key properties
>> + * @prop:    Pointer to struct key_prop
>> + *
>> + * This function frees all the memories allocated by rsa_gen_key_prop().
>> + */
>> +void rsa_free_key_prop(struct key_prop *prop)
>> +{
>> +    if (!prop)
>> +        return;
>> +
>> +    free((void *)prop->modulus);
>> +    free((void *)prop->public_exponent);
>> +    free((void *)prop->rr);
>> +
>> +    free(prop);
>> +}
>> +
>> +/**
>> + * rsa_gen_key_prop() - Generate key properties of RSA public key
>> + * @key:    Specifies key data in DER format
>> + * @keylen:    Length of @key
>> + * @prop:    Generated key property
>> + *
>> + * This function takes a blob of encoded RSA public key data in DER
>> + * format, parse it and generate all the relevant properties
>> + * in key_prop structure.
>> + * Return a pointer to struct key_prop in @prop on success.
>> + *
>> + * Return:    0 on success, negative on error
>> + */
>> +int rsa_gen_key_prop(const void *key, uint32_t keylen, struct
>> key_prop **prop)
>> +{
>> +    struct rsa_key rsa_key;
>> +    uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
>> +    const int max_rsa_size = 4096;
>> +    int rlen, i, ret;
>> +
>> +    *prop = calloc(sizeof(**prop), 1);
>> +    n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
>> +    rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
>> +    rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
>> +    if (!(*prop) || !n || !rr || !rrtmp) {
>> +        ret = -ENOMEM;
>> +        goto err;
>> +    }
>> +
>> +    ret = rsa_parse_pub_key(&rsa_key, key, keylen);
>> +    if (ret)
>> +        goto err;
>> +
>> +    /* modulus */
>> +    /* removing leading 0's */
>> +    for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
>> +        ;
>> +    (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
>> +    (*prop)->modulus = malloc(rsa_key.n_sz - i);
>> +    if (!(*prop)->modulus) {
>> +        ret = -ENOMEM;
>> +        goto err;
>> +    }
>> +    memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
>> +
>> +    /* exponent */
>> +    (*prop)->public_exponent = calloc(1, sizeof(uint64_t));
>> +    if (!(*prop)->public_exponent) {
>> +        ret = -ENOMEM;
>> +        goto err;
>> +    }
>> +    memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
>> +                        - rsa_key.e_sz,
>> +           rsa_key.e, rsa_key.e_sz);
>> +    (*prop)->exp_len = rsa_key.e_sz;
>> +
>> +    /* n0 inverse */
>> +    br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
>> +    (*prop)->n0inv = br_i32_ninv32(n[1]);
>> +
>> +    /* R^2 mod n; R = 2^(num_bits) */
>> +    rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
>> +    rr[0] = 0;
>> +    *(uint8_t *)&rr[0] = (1 << (rlen % 8));
>> +    for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
>> +        rr[i] = 0;
>> +    br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
>> +    br_i32_reduce(rr, rrtmp, n);
>> +
>> +    rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
>> +    (*prop)->rr = malloc(rlen);
>> +    if (!(*prop)->rr) {
>> +        ret = -ENOMEM;
>> +        goto err;
>> +    }
>> +    br_i32_encode((void *)(*prop)->rr, rlen, rr);
>> +
>> +    return 0;
>> +
>> +err:
>> +    free(n);
>> +    free(rr);
>> +    free(rrtmp);
>> +    rsa_free_key_prop(*prop);
>> +    return ret;
>> +}
>>

[PATCH v4 6/6] test: add rsa_verify() unit test

[Heinrich Schuchardt]

On 1/8/20 6:43 PM, Heinrich Schuchardt wrote:
>
>
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>> In this patch, a very simple test is added to verify that rsa_verify()
>> using rsa_verify_with_pkey() work correctly.
>>
>> To keep the code simple, all the test data, either public key and
>> verified binary data, are embedded in the source.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   test/Kconfig      |  12 +++
>>   test/lib/Makefile |   1 +
>>   test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
>>   3 files changed, 219 insertions(+)
>>   create mode 100644 test/lib/rsa.c
>>
>> diff --git a/test/Kconfig b/test/Kconfig
>> index cb7954041eda..64d76c3b20a5 100644
>> --- a/test/Kconfig
>> +++ b/test/Kconfig
>> @@ -28,6 +28,18 @@ config UT_LIB_ASN1
>>         Enables a test which exercises asn1 compiler and decoder function
>>         via various parsers.
>>
>> +config UT_LIB_RSA
>> +    bool "Unit test for rsa_verify() function"
>> +    imply RSA
>> +    imply ASYMMETRIC_KEY_TYPE
>> +    imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
>> +    imply RSA_PUBLIC_KEY_PARSER
>> +    imply RSA_VERIFY_WITH_PKEY
>
> This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> executed otherwise.

When on qemu_arm64_defconfig I select all of the above mentioned configs
I get a build error:

aarch64-linux-gnu-ld.bfd: common/built-in.o:(.data.checksum_algos+0x10):
undefined reference to `sha1_der_prefix'
aarch64-linux-gnu-ld.bfd: common/built-in.o:(.data.checksum_algos+0x30):
undefined reference to `sha256_der_prefix'

Best regards

Heinrich

>
> Best regards
>
> Heinrich
>
>> +    default y
>> +    help
>> +      Enables rsa_verify() test, currently rsa_verify_with_pkey only()
>> +      only, at the 'ut lib' command.
>> +
>>   endif
>>
>>   config UT_TIME
>> diff --git a/test/lib/Makefile b/test/lib/Makefile
>> index 72d2ec74b5f4..2bf6ef3935bb 100644
>> --- a/test/lib/Makefile
>> +++ b/test/lib/Makefile
>> @@ -8,3 +8,4 @@ obj-y += lmb.o
>>   obj-y += string.o
>>   obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
>>   obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
>> +obj-$(CONFIG_UT_LIB_RSA) += rsa.o
>> diff --git a/test/lib/rsa.c b/test/lib/rsa.c
>> new file mode 100644
>> index 000000000000..44f8ade226f4
>> --- /dev/null
>> +++ b/test/lib/rsa.c
>> @@ -0,0 +1,206 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +/*
>> + * Copyright (c) 2019 Linaro Limited
>> + * Author: AKASHI Takahiro
>> + *
>> + * Unit test for rsa_verify() function
>> + */
>> +
>> +#include <common.h>
>> +#include <command.h>
>> +#include <image.h>
>> +#include <test/lib.h>
>> +#include <test/test.h>
>> +#include <test/ut.h>
>> +#include <u-boot/rsa.h>
>> +
>> +#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
>
> Please, remove this ifdef. Simply do not build this module if
> CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
>
>> +/*
>> + * openssl genrsa 2048 -out private.pem
>> + * openssl rsa -in private.pem -pubout -outform der -out public.der
>> + * dd if=public.der of=public.raw bs=24 skip=1
>> + */
>> +static unsigned char public_key[] = {
>> +    0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25,
>> 0x23,
>> +    0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94,
>> 0x43,
>> +    0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07,
>> 0x4f,
>> +    0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95,
>> 0x1c,
>> +    0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02,
>> 0x6a,
>> +    0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62,
>> 0x1e,
>> +    0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92,
>> 0xb8,
>> +    0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf,
>> 0x05,
>> +    0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97,
>> 0x68,
>> +    0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7,
>> 0x67,
>> +    0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe,
>> 0x19,
>> +    0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad,
>> 0x92,
>> +    0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb,
>> 0xc7,
>> +    0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab,
>> 0xa4,
>> +    0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed,
>> 0xbf,
>> +    0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30,
>> 0x36,
>> +    0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1,
>> 0x99,
>> +    0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10,
>> 0xc8,
>> +    0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca,
>> 0x35,
>> +    0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79,
>> 0x6e,
>> +    0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55,
>> 0x60,
>> +    0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16,
>> 0x79,
>> +    0x75, 0x02, 0x03, 0x01, 0x00, 0x01
>> +};
>> +
>> +static unsigned int public_key_len = 270;
>> +
>> +/*
>> + * dd if=/dev/urandom of=data.raw bs=512 count=1
>> + */
>> +static unsigned char data_raw[] = {
>> +    0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92,
>> 0xd7,
>> +    0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55,
>> 0xb2,
>> +    0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c,
>> 0x4b,
>> +    0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb,
>> 0xdd,
>> +    0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1,
>> 0x77,
>> +    0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a,
>> 0x0a,
>> +    0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e,
>> 0x82,
>> +    0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a,
>> 0x88,
>> +    0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b,
>> 0x0d,
>> +    0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72,
>> 0x75,
>> +    0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4,
>> 0xb4,
>> +    0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96,
>> 0x1a,
>> +    0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24,
>> 0x06,
>> +    0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde,
>> 0x7b,
>> +    0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89,
>> 0xe3,
>> +    0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2,
>> 0x26,
>> +    0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97,
>> 0xfc,
>> +    0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27,
>> 0xa9,
>> +    0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d,
>> 0xfd,
>> +    0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5,
>> 0x95,
>> +    0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e,
>> 0xd3,
>> +    0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb,
>> 0x6c,
>> +    0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1,
>> 0x81,
>> +    0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7,
>> 0x39,
>> +    0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15,
>> 0x08,
>> +    0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6,
>> 0xbf,
>> +    0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45,
>> 0x1e,
>> +    0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2,
>> 0x4d,
>> +    0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66,
>> 0xdb,
>> +    0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b,
>> 0x62,
>> +    0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04,
>> 0xb1,
>> +    0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4,
>> 0xa4,
>> +    0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53,
>> 0x3f,
>> +    0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf,
>> 0x76,
>> +    0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f,
>> 0x69,
>> +    0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41,
>> 0x1c,
>> +    0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb,
>> 0xce,
>> +    0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01,
>> 0x54,
>> +    0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1,
>> 0xcc,
>> +    0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59,
>> 0x7e,
>> +    0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12,
>> 0xa0,
>> +    0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b,
>> 0xbc,
>> +    0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
>> +};
>> +
>> +static unsigned int data_raw_len = 512;
>> +
>> +/*
>> + * openssl dgst -sha256 -sign private.key -out data.enc data.raw
>> + */
>> +unsigned char data_enc[] = {
>> +    0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d,
>> 0xed,
>> +    0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b,
>> 0x2c,
>> +    0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2,
>> 0x4a,
>> +    0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50,
>> 0x18,
>> +    0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52,
>> 0x89,
>> +    0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22,
>> 0xdf,
>> +    0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a,
>> 0x3f,
>> +    0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78,
>> 0x67,
>> +    0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7,
>> 0x58,
>> +    0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c,
>> 0xdc,
>> +    0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c,
>> 0xf9,
>> +    0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c,
>> 0x37,
>> +    0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77,
>> 0xd5,
>> +    0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b,
>> 0x6f,
>> +    0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7,
>> 0x15,
>> +    0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65,
>> 0x12,
>> +    0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45,
>> 0x6e,
>> +    0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9,
>> 0x37,
>> +    0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b,
>> 0xf7,
>> +    0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb,
>> 0x2c,
>> +    0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c,
>> 0xd1,
>> +    0x89, 0x06, 0xc9, 0x3a
>> +};
>> +
>> +static unsigned int data_enc_len = 256;
>> +
>> +/**
>> + * lib_rsa_verify_valid() - unit test for rsa_verify()
>> + *
>> + * Test rsa_verify() with valid hash
>> + *
>> + * @uts:    unit test state
>> + * Return:    0 = success, 1 = failure
>> + */
>> +static int lib_rsa_verify_valid(struct unit_test_state *uts)
>> +{
>> +    struct image_sign_info info;
>> +    struct image_region reg;
>> +    int ret;
>> +
>> +    memset(&info, '\0', sizeof(info));
>> +    info.name = "sha256,rsa2048";
>> +    info.padding = image_get_padding_algo("pkcs-1.5");
>> +    info.checksum = image_get_checksum_algo("sha256,rsa2048");
>> +    info.crypto = image_get_crypto_algo(info.name);
>> +
>> +    info.key = public_key;
>> +    info.keylen = public_key_len;
>> +
>> +    reg.data = data_raw;
>> +    reg.size = data_raw_len;
>> +    ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>> +    ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n",
>> ret);
>> +
>> +    return CMD_RET_SUCCESS;
>> +}
>> +
>> +LIB_TEST(lib_rsa_verify_valid, 0);
>> +
>> +/**
>> + * lib_rsa_verify_invalid() - unit test for rsa_verify()
>> + *
>> + * Test rsa_verify() with invalid hash
>> + *
>> + * @uts:    unit test state
>> + * Return:    0 = success, 1 = failure
>> + */
>> +static int lib_rsa_verify_invalid(struct unit_test_state *uts)
>> +{
>> +    struct image_sign_info info;
>> +    struct image_region reg;
>> +    unsigned char ctmp;
>> +    int ret;
>> +
>> +    memset(&info, '\0', sizeof(info));
>> +    info.name = "sha256,rsa2048";
>> +    info.padding = image_get_padding_algo("pkcs-1.5");
>> +    info.checksum = image_get_checksum_algo("sha256,rsa2048");
>> +    info.crypto = image_get_crypto_algo(info.name);
>> +
>> +    info.key = public_key;
>> +    info.keylen = public_key_len;
>> +
>> +    /* randomly corrupt enc'ed data */
>> +    ctmp = data_enc[data_enc_len - 10];
>> +    data_enc[data_enc_len - 10] = 0x12;
>> +
>> +    reg.data = data_raw;
>> +    reg.size = data_raw_len;
>> +    ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>> +
>> +    /* revert a change */
>> +    data_enc[data_enc_len - 10] = ctmp;
>> +
>> +    ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
>> +
>> +    return CMD_RET_SUCCESS;
>> +}
>> +
>> +LIB_TEST(lib_rsa_verify_invalid, 0);
>> +#endif /* RSA_VERIFY_WITH_PKEY */
>>
>

[PATCH v4 4/6] lib: rsa: generate additional parameters for public key

[AKASHI Takahiro]

On Wed, Jan 08, 2020 at 07:07:01PM +0100, Heinrich Schuchardt wrote:
> 
> 
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >In the current implementation of FIT_SIGNATURE, five parameters for
> >a RSA public key are required while only two of them are essential.
> >(See rsa-mod-exp.h and uImage.FIT/signature.txt)
> >This is a result of considering relatively limited computer power
> >and resources on embedded systems, while such a assumption may not
> >be quite practical for other use cases.
> >
> >In this patch, added is a function, rsa_gen_key_prop(), which will
> >generate additional parameters for other uses, in particular
> >UEFI secure boot, on the fly.
> >
> >Note: the current code uses some "big number" rouKtines from BearSSL
> >for the calculation.
> >
> >Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >---
> >  include/u-boot/rsa-mod-exp.h |  23 ++
> >  lib/rsa/Kconfig              |   1 +
> >  lib/rsa/Makefile             |   1 +
> >  lib/rsa/rsa-keyprop.c        | 725 +++++++++++++++++++++++++++++++++++
> >  4 files changed, 750 insertions(+)
> >  create mode 100644 lib/rsa/rsa-keyprop.c
> >
> >diff --git a/include/u-boot/rsa-mod-exp.h b/include/u-boot/rsa-mod-exp.h
> >index 8a428c4b6a1a..1da8af1bb83d 100644
> >--- a/include/u-boot/rsa-mod-exp.h
> >+++ b/include/u-boot/rsa-mod-exp.h
> >@@ -26,6 +26,29 @@ struct key_prop {
> >  	uint32_t exp_len;	/* Exponent length in number of uint8_t */
> >  };
> >
> >+/**
> >+ * rsa_gen_key_prop() - Generate key properties of RSA public key
> >+ * @key:	Specifies key data in DER format
> >+ * @keylen:	Length of @key
> >+ * @prop:	Generated key property
> >+ *
> >+ * This function takes a blob of encoded RSA public key data in DER
> >+ * format, parse it and generate all the relevant properties
> >+ * in key_prop structure.
> >+ * Return a pointer to struct key_prop in @prop on success.
> >+ *
> >+ * Return:	0 on success, negative on error
> >+ */
> >+int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **proc);
> >+
> >+/**
> >+ * rsa_free_key_prop() - Free key properties
> >+ * @prop:	Pointer to struct key_prop
> >+ *
> >+ * This function frees all the memories allocated by rsa_gen_key_prop().
> >+ */
> >+void rsa_free_key_prop(struct key_prop *prop);
> >+
> >  /**
> >   * rsa_mod_exp_sw() - Perform RSA Modular Exponentiation in sw
> >   *
> >diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> >index 71e4c06bf883..d1d6f6cf64a3 100644
> >--- a/lib/rsa/Kconfig
> >+++ b/lib/rsa/Kconfig
> >@@ -33,6 +33,7 @@ config RSA_VERIFY
> >  config RSA_VERIFY_WITH_PKEY
> >  	bool "Execute RSA verification without key parameters from FDT"
> >  	depends on RSA
> >+	imply RSA_PUBLIC_KEY_PARSER
> 
> Do we really need RSA_PUBLIC_KEY_PARSER whenever we use CONFIG_RSA=y?

???
RSA_PUBLIC_KEY_PARSER will be selected only if RSA_VERIFY_WITH_PKEY
is enabled. I avoided to use 'select' here because RSA_PUBLIC_KEY_PARSER
is also 'selectable.'

> E.g. on a system without the UEFI sub-system?
> 
> Otherwise simply let RSA_PUBLIC_KEY_PARSER depend on RSA.

Such a dependency sounds odd to me.

> 
> >  	help
> >  	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> >  	  pre-calculated key properties, that are stored in fdt blob, in
> >diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
> >index c07305188e0c..14ed3cb4012b 100644
> >--- a/lib/rsa/Makefile
> >+++ b/lib/rsa/Makefile
> >@@ -6,4 +6,5 @@
> >  # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
> >
> >  obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
> >+obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
> >  obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
> >diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
> >new file mode 100644
> >index 000000000000..9464df009343
> >--- /dev/null
> >+++ b/lib/rsa/rsa-keyprop.c
> >@@ -0,0 +1,725 @@
> >+// SPDX-License-Identifier: GPL-2.0+ and MIT
> >+/*
> >+ * RSA library - generate parameters for a public key
> >+ *
> >+ * Copyright (c) 2019 Linaro Limited
> >+ * Author: AKASHI Takahiro
> >+ *
> >+ * Big number routines in this file come from BearSSL:
> >+ * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
> >+ */
> >+
> >+#include <common.h>
> >+#include <image.h>
> >+#include <malloc.h>
> >+#include <asm/byteorder.h>
> >+#include <crypto/internal/rsa.h>
> >+#include <u-boot/rsa-mod-exp.h>
> >+
> >+/**
> >+ * br_dec16be() - Convert 16-bit big-endian integer to native
> >+ * @src:	Pointer to data
> >+ * Return:	Native-endian integer
> >+ */
> >+static unsigned br_dec16be(const void *src)
> >+{
> >+	return be16_to_cpup(src);
> >+}
> >+
> >+/**
> >+ * br_dec32be() - Convert 32-bit big-endian integer to native
> >+ * @src:	Pointer to data
> >+ * Return:	Native-endian integer
> >+ */
> >+static uint32_t br_dec32be(const void *src)
> >+{
> >+	return be32_to_cpup(src);
> >+}
> >+
> >+/**
> >+ * br_enc32be() - Convert native 32-bit integer to big-endian
> >+ * @dst:	Pointer to buffer to store big-endian integer in
> >+ * @x:		Native 32-bit integer
> >+ */
> >+static void br_enc32be(void *dst, uint32_t x)
> >+{
> >+	__be32 tmp;
> >+
> >+	tmp = cpu_to_be32(x);
> >+	memcpy(dst, &tmp, sizeof(tmp));
> >+}
> >+
> >+/* from BearSSL's src/inner.h */
> >+
> >+/*
> >+ * Negate a boolean.
> >+ */
> >+static uint32_t NOT(uint32_t ctl)
> >+{
> >+	return ctl ^ 1;
> >+}
> >+
> >+/*
> >+ * Multiplexer: returns x if ctl == 1, y if ctl == 0.
> >+ */
> >+static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
> >+{
> >+	return y ^ (-ctl & (x ^ y));
> >+}
> >+
> >+/*
> >+ * Equality check: returns 1 if x == y, 0 otherwise.
> >+ */
> >+static uint32_t EQ(uint32_t x, uint32_t y)
> >+{
> >+	uint32_t q;
> >+
> >+	q = x ^ y;
> >+	return NOT((q | -q) >> 31);
> >+}
> >+
> >+/*
> >+ * Inequality check: returns 1 if x != y, 0 otherwise.
> >+ */
> >+static uint32_t NEQ(uint32_t x, uint32_t y)
> >+{
> >+	uint32_t q;
> >+
> >+	q = x ^ y;
> >+	return (q | -q) >> 31;
> 
> We want to minimize the code size of U-Boot.

I don't get your point. Please elaborate your concern.

> So, please, review this code and remove all of this bogus.

Which part of the code do you mention as 'bogus'?

Thanks,
-Takahiro Akashi

> 
> Best regards
> 
> Heinrich
> 
> >+}
> >+
> >+/*
> >+ * Comparison: returns 1 if x > y, 0 otherwise.
> >+ */
> >+static uint32_t GT(uint32_t x, uint32_t y)
> >+{
> >+	/*
> >+	 * If both x < 2^31 and y < 2^31, then y-x will have its high
> >+	 * bit set if x > y, cleared otherwise.
> >+	 *
> >+	 * If either x >= 2^31 or y >= 2^31 (but not both), then the
> >+	 * result is the high bit of x.
> >+	 *
> >+	 * If both x >= 2^31 and y >= 2^31, then we can virtually
> >+	 * subtract 2^31 from both, and we are back to the first case.
> >+	 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
> >+	 * fine.
> >+	 */
> >+	uint32_t z;
> >+
> >+	z = y - x;
> >+	return (z ^ ((x ^ y) & (x ^ z))) >> 31;
> >+}
> >+
> >+/*
> >+ * Compute the bit length of a 32-bit integer. Returned value is between 0
> >+ * and 32 (inclusive).
> >+ */
> >+static uint32_t BIT_LENGTH(uint32_t x)
> >+{
> >+	uint32_t k, c;
> >+
> >+	k = NEQ(x, 0);
> >+	c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
> >+	c = GT(x, 0x00FF); x = MUX(c, x >>  8, x); k += c << 3;
> >+	c = GT(x, 0x000F); x = MUX(c, x >>  4, x); k += c << 2;
> >+	c = GT(x, 0x0003); x = MUX(c, x >>  2, x); k += c << 1;
> >+	k += GT(x, 0x0001);
> >+	return k;
> >+}
> >+
> >+#define GE(x, y)   NOT(GT(y, x))
> >+#define LT(x, y)   GT(y, x)
> >+#define MUL(x, y)   ((uint64_t)(x) * (uint64_t)(y))
> >+
> >+/*
> >+ * Integers 'i32'
> >+ * --------------
> >+ *
> >+ * The 'i32' functions implement computations on big integers using
> >+ * an internal representation as an array of 32-bit integers. For
> >+ * an array x[]:
> >+ *  -- x[0] contains the "announced bit length" of the integer
> >+ *  -- x[1], x[2]... contain the value in little-endian order (x[1]
> >+ *     contains the least significant 32 bits)
> >+ *
> >+ * Multiplications rely on the elementary 32x32->64 multiplication.
> >+ *
> >+ * The announced bit length specifies the number of bits that are
> >+ * significant in the subsequent 32-bit words. Unused bits in the
> >+ * last (most significant) word are set to 0; subsequent words are
> >+ * uninitialized and need not exist at all.
> >+ *
> >+ * The execution time and memory access patterns of all computations
> >+ * depend on the announced bit length, but not on the actual word
> >+ * values. For modular integers, the announced bit length of any integer
> >+ * modulo n is equal to the actual bit length of n; thus, computations
> >+ * on modular integers are "constant-time" (only the modulus length may
> >+ * leak).
> >+ */
> >+
> >+/*
> >+ * Extract one word from an integer. The offset is counted in bits.
> >+ * The word MUST entirely fit within the word elements corresponding
> >+ * to the announced bit length of a[].
> >+ */
> >+static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
> >+{
> >+	size_t u;
> >+	unsigned j;
> >+
> >+	u = (size_t)(off >> 5) + 1;
> >+	j = (unsigned)off & 31;
> >+	if (j == 0) {
> >+		return a[u];
> >+	} else {
> >+		return (a[u] >> j) | (a[u + 1] << (32 - j));
> >+	}
> >+}
> >+
> >+/* from BearSSL's src/int/i32_bitlen.c */
> >+
> >+/*
> >+ * Compute the actual bit length of an integer. The argument x should
> >+ * point to the first (least significant) value word of the integer.
> >+ * The len 'xlen' contains the number of 32-bit words to access.
> >+ *
> >+ * CT: value or length of x does not leak.
> >+ */
> >+static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
> >+{
> >+	uint32_t tw, twk;
> >+
> >+	tw = 0;
> >+	twk = 0;
> >+	while (xlen -- > 0) {
> >+		uint32_t w, c;
> >+
> >+		c = EQ(tw, 0);
> >+		w = x[xlen];
> >+		tw = MUX(c, w, tw);
> >+		twk = MUX(c, (uint32_t)xlen, twk);
> >+	}
> >+	return (twk << 5) + BIT_LENGTH(tw);
> >+}
> >+
> >+/* from BearSSL's src/int/i32_decode.c */
> >+
> >+/*
> >+ * Decode an integer from its big-endian unsigned representation. The
> >+ * "true" bit length of the integer is computed, but all words of x[]
> >+ * corresponding to the full 'len' bytes of the source are set.
> >+ *
> >+ * CT: value or length of x does not leak.
> >+ */
> >+static void br_i32_decode(uint32_t *x, const void *src, size_t len)
> >+{
> >+	const unsigned char *buf;
> >+	size_t u, v;
> >+
> >+	buf = src;
> >+	u = len;
> >+	v = 1;
> >+	for (;;) {
> >+		if (u < 4) {
> >+			uint32_t w;
> >+
> >+			if (u < 2) {
> >+				if (u == 0) {
> >+					break;
> >+				} else {
> >+					w = buf[0];
> >+				}
> >+			} else {
> >+				if (u == 2) {
> >+					w = br_dec16be(buf);
> >+				} else {
> >+					w = ((uint32_t)buf[0] << 16)
> >+						| br_dec16be(buf + 1);
> >+				}
> >+			}
> >+			x[v ++] = w;
> >+			break;
> >+		} else {
> >+			u -= 4;
> >+			x[v ++] = br_dec32be(buf + u);
> >+		}
> >+	}
> >+	x[0] = br_i32_bit_length(x + 1, v - 1);
> >+}
> >+
> >+/* from BearSSL's src/int/i32_encode.c */
> >+
> >+/*
> >+ * Encode an integer into its big-endian unsigned representation. The
> >+ * output length in bytes is provided (parameter 'len'); if the length
> >+ * is too short then the integer is appropriately truncated; if it is
> >+ * too long then the extra bytes are set to 0.
> >+ */
> >+static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
> >+{
> >+	unsigned char *buf;
> >+	size_t k;
> >+
> >+	buf = dst;
> >+
> >+	/*
> >+	 * Compute the announced size of x in bytes; extra bytes are
> >+	 * filled with zeros.
> >+	 */
> >+	k = (x[0] + 7) >> 3;
> >+	while (len > k) {
> >+		*buf ++ = 0;
> >+		len --;
> >+	}
> >+
> >+	/*
> >+	 * Now we use k as index within x[]. That index starts at 1;
> >+	 * we initialize it to the topmost complete word, and process
> >+	 * any remaining incomplete word.
> >+	 */
> >+	k = (len + 3) >> 2;
> >+	switch (len & 3) {
> >+	case 3:
> >+		*buf ++ = x[k] >> 16;
> >+		/* fall through */
> >+	case 2:
> >+		*buf ++ = x[k] >> 8;
> >+		/* fall through */
> >+	case 1:
> >+		*buf ++ = x[k];
> >+		k --;
> >+	}
> >+
> >+	/*
> >+	 * Encode all complete words.
> >+	 */
> >+	while (k > 0) {
> >+		br_enc32be(buf, x[k]);
> >+		k --;
> >+		buf += 4;
> >+	}
> >+}
> >+
> >+/* from BearSSL's src/int/i32_ninv32.c */
> >+
> >+/*
> >+ * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
> >+ */
> >+static uint32_t br_i32_ninv32(uint32_t x)
> >+{
> >+	uint32_t y;
> >+
> >+	y = 2 - x;
> >+	y *= 2 - y * x;
> >+	y *= 2 - y * x;
> >+	y *= 2 - y * x;
> >+	y *= 2 - y * x;
> >+	return MUX(x & 1, -y, 0);
> >+}
> >+
> >+/* from BearSSL's src/int/i32_add.c */
> >+
> >+/*
> >+ * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
> >+ * is unmodified, but the carry is still computed and returned. The
> >+ * arrays a[] and b[] MUST have the same announced bit length.
> >+ *
> >+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
> >+ */
> >+static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
> >+{
> >+	uint32_t cc;
> >+	size_t u, m;
> >+
> >+	cc = 0;
> >+	m = (a[0] + 63) >> 5;
> >+	for (u = 1; u < m; u ++) {
> >+		uint32_t aw, bw, naw;
> >+
> >+		aw = a[u];
> >+		bw = b[u];
> >+		naw = aw + bw + cc;
> >+
> >+		/*
> >+		 * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
> >+		 * AND the carry was already 1.
> >+		 */
> >+		cc = (cc & EQ(naw, aw)) | LT(naw, aw);
> >+		a[u] = MUX(ctl, naw, aw);
> >+	}
> >+	return cc;
> >+}
> >+
> >+/* from BearSSL's src/int/i32_sub.c */
> >+
> >+/*
> >+ * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
> >+ * then a[] is unmodified, but the carry is still computed and returned.
> >+ * The arrays a[] and b[] MUST have the same announced bit length.
> >+ *
> >+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
> >+ */
> >+static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
> >+{
> >+	uint32_t cc;
> >+	size_t u, m;
> >+
> >+	cc = 0;
> >+	m = (a[0] + 63) >> 5;
> >+	for (u = 1; u < m; u ++) {
> >+		uint32_t aw, bw, naw;
> >+
> >+		aw = a[u];
> >+		bw = b[u];
> >+		naw = aw - bw - cc;
> >+
> >+		/*
> >+		 * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
> >+		 * AND the carry was already 1.
> >+		 */
> >+		cc = (cc & EQ(naw, aw)) | GT(naw, aw);
> >+		a[u] = MUX(ctl, naw, aw);
> >+	}
> >+	return cc;
> >+}
> >+
> >+/* from BearSSL's src/int/i32_div32.c */
> >+
> >+/*
> >+ * Constant-time division. The dividend hi:lo is divided by the
> >+ * divisor d; the quotient is returned and the remainder is written
> >+ * in *r. If hi == d, then the quotient does not fit on 32 bits;
> >+ * returned value is thus truncated. If hi > d, returned values are
> >+ * indeterminate.
> >+ */
> >+static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r)
> >+{
> >+	/* TODO: optimize this */
> >+	uint32_t q;
> >+	uint32_t ch, cf;
> >+	int k;
> >+
> >+	q = 0;
> >+	ch = EQ(hi, d);
> >+	hi = MUX(ch, 0, hi);
> >+	for (k = 31; k > 0; k --) {
> >+		int j;
> >+		uint32_t w, ctl, hi2, lo2;
> >+
> >+		j = 32 - k;
> >+		w = (hi << j) | (lo >> k);
> >+		ctl = GE(w, d) | (hi >> k);
> >+		hi2 = (w - d) >> j;
> >+		lo2 = lo - (d << k);
> >+		hi = MUX(ctl, hi2, hi);
> >+		lo = MUX(ctl, lo2, lo);
> >+		q |= ctl << k;
> >+	}
> >+	cf = GE(lo, d) | hi;
> >+	q |= cf;
> >+	*r = MUX(cf, lo - d, lo);
> >+	return q;
> >+}
> >+
> >+/*
> >+ * Wrapper for br_divrem(); the remainder is returned, and the quotient
> >+ * is discarded.
> >+ */
> >+static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
> >+{
> >+	uint32_t r;
> >+
> >+	br_divrem(hi, lo, d, &r);
> >+	return r;
> >+}
> >+
> >+/*
> >+ * Wrapper for br_divrem(); the quotient is returned, and the remainder
> >+ * is discarded.
> >+ */
> >+static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
> >+{
> >+	uint32_t r;
> >+
> >+	return br_divrem(hi, lo, d, &r);
> >+}
> >+
> >+/* from BearSSL's src/int/i32_muladd.c */
> >+
> >+/*
> >+ * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
> >+ * function assumes that x[] and m[] have the same announced bit
> >+ * length, and the announced bit length of m[] matches its true
> >+ * bit length.
> >+ *
> >+ * x[] and m[] MUST be distinct arrays.
> >+ *
> >+ * CT: only the common announced bit length of x and m leaks, not
> >+ * the values of x, z or m.
> >+ */
> >+static void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m)
> >+{
> >+	uint32_t m_bitlen;
> >+	size_t u, mlen;
> >+	uint32_t a0, a1, b0, hi, g, q, tb;
> >+	uint32_t chf, clow, under, over;
> >+	uint64_t cc;
> >+
> >+	/*
> >+	 * We can test on the modulus bit length since we accept to
> >+	 * leak that length.
> >+	 */
> >+	m_bitlen = m[0];
> >+	if (m_bitlen == 0) {
> >+		return;
> >+	}
> >+	if (m_bitlen <= 32) {
> >+		x[1] = br_rem(x[1], z, m[1]);
> >+		return;
> >+	}
> >+	mlen = (m_bitlen + 31) >> 5;
> >+
> >+	/*
> >+	 * Principle: we estimate the quotient (x*2^32+z)/m by
> >+	 * doing a 64/32 division with the high words.
> >+	 *
> >+	 * Let:
> >+	 *   w = 2^32
> >+	 *   a = (w*a0 + a1) * w^N + a2
> >+	 *   b = b0 * w^N + b2
> >+	 * such that:
> >+	 *   0 <= a0 < w
> >+	 *   0 <= a1 < w
> >+	 *   0 <= a2 < w^N
> >+	 *   w/2 <= b0 < w
> >+	 *   0 <= b2 < w^N
> >+	 *   a < w*b
> >+	 * I.e. the two top words of a are a0:a1, the top word of b is
> >+	 * b0, we ensured that b0 is "full" (high bit set), and a is
> >+	 * such that the quotient q = a/b fits on one word (0 <= q < w).
> >+	 *
> >+	 * If a = b*q + r (with 0 <= r < q), we can estimate q by
> >+	 * doing an Euclidean division on the top words:
> >+	 *   a0*w+a1 = b0*u + v  (with 0 <= v < w)
> >+	 * Then the following holds:
> >+	 *   0 <= u <= w
> >+	 *   u-2 <= q <= u
> >+	 */
> >+	a0 = br_i32_word(x, m_bitlen - 32);
> >+	hi = x[mlen];
> >+	memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
> >+	x[1] = z;
> >+	a1 = br_i32_word(x, m_bitlen - 32);
> >+	b0 = br_i32_word(m, m_bitlen - 32);
> >+
> >+	/*
> >+	 * We estimate a divisor q. If the quotient returned by br_div()
> >+	 * is g:
> >+	 * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
> >+	 * -- Otherwise:
> >+	 *    -- if g == 0 then we set q = 0;
> >+	 *    -- otherwise, we set q = g - 1.
> >+	 * The properties described above then ensure that the true
> >+	 * quotient is q-1, q or q+1.
> >+	 */
> >+	g = br_div(a0, a1, b0);
> >+	q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));
> >+
> >+	/*
> >+	 * We subtract q*m from x (with the extra high word of value 'hi').
> >+	 * Since q may be off by 1 (in either direction), we may have to
> >+	 * add or subtract m afterwards.
> >+	 *
> >+	 * The 'tb' flag will be true (1) at the end of the loop if the
> >+	 * result is greater than or equal to the modulus (not counting
> >+	 * 'hi' or the carry).
> >+	 */
> >+	cc = 0;
> >+	tb = 1;
> >+	for (u = 1; u <= mlen; u ++) {
> >+		uint32_t mw, zw, xw, nxw;
> >+		uint64_t zl;
> >+
> >+		mw = m[u];
> >+		zl = MUL(mw, q) + cc;
> >+		cc = (uint32_t)(zl >> 32);
> >+		zw = (uint32_t)zl;
> >+		xw = x[u];
> >+		nxw = xw - zw;
> >+		cc += (uint64_t)GT(nxw, xw);
> >+		x[u] = nxw;
> >+		tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
> >+	}
> >+
> >+	/*
> >+	 * If we underestimated q, then either cc < hi (one extra bit
> >+	 * beyond the top array word), or cc == hi and tb is true (no
> >+	 * extra bit, but the result is not lower than the modulus). In
> >+	 * these cases we must subtract m once.
> >+	 *
> >+	 * Otherwise, we may have overestimated, which will show as
> >+	 * cc > hi (thus a negative result). Correction is adding m once.
> >+	 */
> >+	chf = (uint32_t)(cc >> 32);
> >+	clow = (uint32_t)cc;
> >+	over = chf | GT(clow, hi);
> >+	under = ~over & (tb | (~chf & LT(clow, hi)));
> >+	br_i32_add(x, m, over);
> >+	br_i32_sub(x, m, under);
> >+}
> >+
> >+/* from BearSSL's src/int/i32_reduce.c */
> >+
> >+/*
> >+ * Reduce an integer (a[]) modulo another (m[]). The result is written
> >+ * in x[] and its announced bit length is set to be equal to that of m[].
> >+ *
> >+ * x[] MUST be distinct from a[] and m[].
> >+ *
> >+ * CT: only announced bit lengths leak, not values of x, a or m.
> >+ */
> >+static void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m)
> >+{
> >+	uint32_t m_bitlen, a_bitlen;
> >+	size_t mlen, alen, u;
> >+
> >+	m_bitlen = m[0];
> >+	mlen = (m_bitlen + 31) >> 5;
> >+
> >+	x[0] = m_bitlen;
> >+	if (m_bitlen == 0) {
> >+		return;
> >+	}
> >+
> >+	/*
> >+	 * If the source is shorter, then simply copy all words from a[]
> >+	 * and zero out the upper words.
> >+	 */
> >+	a_bitlen = a[0];
> >+	alen = (a_bitlen + 31) >> 5;
> >+	if (a_bitlen < m_bitlen) {
> >+		memcpy(x + 1, a + 1, alen * sizeof *a);
> >+		for (u = alen; u < mlen; u ++) {
> >+			x[u + 1] = 0;
> >+		}
> >+		return;
> >+	}
> >+
> >+	/*
> >+	 * The source length is at least equal to that of the modulus.
> >+	 * We must thus copy N-1 words, and input the remaining words
> >+	 * one by one.
> >+	 */
> >+	memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
> >+	x[mlen] = 0;
> >+	for (u = 1 + alen - mlen; u > 0; u --) {
> >+		br_i32_muladd_small(x, a[u], m);
> >+	}
> >+}
> >+
> >+/**
> >+ * rsa_free_key_prop() - Free key properties
> >+ * @prop:	Pointer to struct key_prop
> >+ *
> >+ * This function frees all the memories allocated by rsa_gen_key_prop().
> >+ */
> >+void rsa_free_key_prop(struct key_prop *prop)
> >+{
> >+	if (!prop)
> >+		return;
> >+
> >+	free((void *)prop->modulus);
> >+	free((void *)prop->public_exponent);
> >+	free((void *)prop->rr);
> >+
> >+	free(prop);
> >+}
> >+
> >+/**
> >+ * rsa_gen_key_prop() - Generate key properties of RSA public key
> >+ * @key:	Specifies key data in DER format
> >+ * @keylen:	Length of @key
> >+ * @prop:	Generated key property
> >+ *
> >+ * This function takes a blob of encoded RSA public key data in DER
> >+ * format, parse it and generate all the relevant properties
> >+ * in key_prop structure.
> >+ * Return a pointer to struct key_prop in @prop on success.
> >+ *
> >+ * Return:	0 on success, negative on error
> >+ */
> >+int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
> >+{
> >+	struct rsa_key rsa_key;
> >+	uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
> >+	const int max_rsa_size = 4096;
> >+	int rlen, i, ret;
> >+
> >+	*prop = calloc(sizeof(**prop), 1);
> >+	n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> >+	rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> >+	rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
> >+	if (!(*prop) || !n || !rr || !rrtmp) {
> >+		ret = -ENOMEM;
> >+		goto err;
> >+	}
> >+
> >+	ret = rsa_parse_pub_key(&rsa_key, key, keylen);
> >+	if (ret)
> >+		goto err;
> >+
> >+	/* modulus */
> >+	/* removing leading 0's */
> >+	for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
> >+		;
> >+	(*prop)->num_bits = (rsa_key.n_sz - i) * 8;
> >+	(*prop)->modulus = malloc(rsa_key.n_sz - i);
> >+	if (!(*prop)->modulus) {
> >+		ret = -ENOMEM;
> >+		goto err;
> >+	}
> >+	memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
> >+
> >+	/* exponent */
> >+	(*prop)->public_exponent = calloc(1, sizeof(uint64_t));
> >+	if (!(*prop)->public_exponent) {
> >+		ret = -ENOMEM;
> >+		goto err;
> >+	}
> >+	memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
> >+						- rsa_key.e_sz,
> >+	       rsa_key.e, rsa_key.e_sz);
> >+	(*prop)->exp_len = rsa_key.e_sz;
> >+
> >+	/* n0 inverse */
> >+	br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
> >+	(*prop)->n0inv = br_i32_ninv32(n[1]);
> >+
> >+	/* R^2 mod n; R = 2^(num_bits) */
> >+	rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
> >+	rr[0] = 0;
> >+	*(uint8_t *)&rr[0] = (1 << (rlen % 8));
> >+	for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
> >+		rr[i] = 0;
> >+	br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
> >+	br_i32_reduce(rr, rrtmp, n);
> >+
> >+	rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
> >+	(*prop)->rr = malloc(rlen);
> >+	if (!(*prop)->rr) {
> >+		ret = -ENOMEM;
> >+		goto err;
> >+	}
> >+	br_i32_encode((void *)(*prop)->rr, rlen, rr);
> >+
> >+	return 0;
> >+
> >+err:
> >+	free(n);
> >+	free(rr);
> >+	free(rrtmp);
> >+	rsa_free_key_prop(*prop);
> >+	return ret;
> >+}
> >

[PATCH v4 6/6] test: add rsa_verify() unit test

[AKASHI Takahiro]

On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> 
> 
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >In this patch, a very simple test is added to verify that rsa_verify()
> >using rsa_verify_with_pkey() work correctly.
> >
> >To keep the code simple, all the test data, either public key and
> >verified binary data, are embedded in the source.
> >
> >Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >---
> >  test/Kconfig      |  12 +++
> >  test/lib/Makefile |   1 +
> >  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 219 insertions(+)
> >  create mode 100644 test/lib/rsa.c
> >
> >diff --git a/test/Kconfig b/test/Kconfig
> >index cb7954041eda..64d76c3b20a5 100644
> >--- a/test/Kconfig
> >+++ b/test/Kconfig
> >@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> >  	  Enables a test which exercises asn1 compiler and decoder function
> >  	  via various parsers.
> >
> >+config UT_LIB_RSA
> >+	bool "Unit test for rsa_verify() function"
> >+	imply RSA
> >+	imply ASYMMETRIC_KEY_TYPE
> >+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> >+	imply RSA_PUBLIC_KEY_PARSER
> >+	imply RSA_VERIFY_WITH_PKEY
> 
> This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> executed otherwise.

See below.

> Best regards
> 
> Heinrich
> 
> >+	default y
> >+	help
> >+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> >+	  only, at the 'ut lib' command.
> >+
> >  endif
> >
> >  config UT_TIME
> >diff --git a/test/lib/Makefile b/test/lib/Makefile
> >index 72d2ec74b5f4..2bf6ef3935bb 100644
> >--- a/test/lib/Makefile
> >+++ b/test/lib/Makefile
> >@@ -8,3 +8,4 @@ obj-y += lmb.o
> >  obj-y += string.o
> >  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> >  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> >+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> >diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> >new file mode 100644
> >index 000000000000..44f8ade226f4
> >--- /dev/null
> >+++ b/test/lib/rsa.c
> >@@ -0,0 +1,206 @@
> >+// SPDX-License-Identifier: GPL-2.0+
> >+/*
> >+ * Copyright (c) 2019 Linaro Limited
> >+ * Author: AKASHI Takahiro
> >+ *
> >+ * Unit test for rsa_verify() function
> >+ */
> >+
> >+#include <common.h>
> >+#include <command.h>
> >+#include <image.h>
> >+#include <test/lib.h>
> >+#include <test/test.h>
> >+#include <test/ut.h>
> >+#include <u-boot/rsa.h>
> >+
> >+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> 
> Please, remove this ifdef. Simply do not build this module if
> CONFIG_RSA_VERIFY_WITH_PKEY is not defined.

That is why I added this #ifdef here to avoid a build error.
I think it is a good idea to make test code as generic as possible
to easily add more test cases.

I believe that the original RSA helper functions (w/o WITH_PKEY)
should also be exercised in a unit test. Otherwise, the code
will only be exercised indirectly through FIT image verification
and such a situation will contradict what Tom (or Heinrich?) demanded
against my RSA patch.

-Takahiro Akashi

> >+/*
> >+ * openssl genrsa 2048 -out private.pem
> >+ * openssl rsa -in private.pem -pubout -outform der -out public.der
> >+ * dd if=public.der of=public.raw bs=24 skip=1
> >+ */
> >+static unsigned char public_key[] = {
> >+	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
> >+	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
> >+	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
> >+	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
> >+	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
> >+	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
> >+	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
> >+	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
> >+	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
> >+	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
> >+	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
> >+	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
> >+	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
> >+	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
> >+	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
> >+	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
> >+	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
> >+	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
> >+	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
> >+	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
> >+	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
> >+	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
> >+	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
> >+};
> >+
> >+static unsigned int public_key_len = 270;
> >+
> >+/*
> >+ * dd if=/dev/urandom of=data.raw bs=512 count=1
> >+ */
> >+static unsigned char data_raw[] = {
> >+	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
> >+	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
> >+	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
> >+	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
> >+	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
> >+	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
> >+	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
> >+	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
> >+	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
> >+	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
> >+	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
> >+	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
> >+	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
> >+	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
> >+	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
> >+	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
> >+	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
> >+	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
> >+	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
> >+	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
> >+	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
> >+	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
> >+	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
> >+	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
> >+	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
> >+	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
> >+	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
> >+	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
> >+	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
> >+	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
> >+	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
> >+	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
> >+	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
> >+	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
> >+	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
> >+	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
> >+	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
> >+	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
> >+	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
> >+	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
> >+	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
> >+	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
> >+	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
> >+};
> >+
> >+static unsigned int data_raw_len = 512;
> >+
> >+/*
> >+ * openssl dgst -sha256 -sign private.key -out data.enc data.raw
> >+ */
> >+unsigned char data_enc[] = {
> >+	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
> >+	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
> >+	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
> >+	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
> >+	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
> >+	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
> >+	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
> >+	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
> >+	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
> >+	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
> >+	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
> >+	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
> >+	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
> >+	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
> >+	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
> >+	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
> >+	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
> >+	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
> >+	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
> >+	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
> >+	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
> >+	0x89, 0x06, 0xc9, 0x3a
> >+};
> >+
> >+static unsigned int data_enc_len = 256;
> >+
> >+/**
> >+ * lib_rsa_verify_valid() - unit test for rsa_verify()
> >+ *
> >+ * Test rsa_verify() with valid hash
> >+ *
> >+ * @uts:	unit test state
> >+ * Return:	0 = success, 1 = failure
> >+ */
> >+static int lib_rsa_verify_valid(struct unit_test_state *uts)
> >+{
> >+	struct image_sign_info info;
> >+	struct image_region reg;
> >+	int ret;
> >+
> >+	memset(&info, '\0', sizeof(info));
> >+	info.name = "sha256,rsa2048";
> >+	info.padding = image_get_padding_algo("pkcs-1.5");
> >+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >+	info.crypto = image_get_crypto_algo(info.name);
> >+
> >+	info.key = public_key;
> >+	info.keylen = public_key_len;
> >+
> >+	reg.data = data_raw;
> >+	reg.size = data_raw_len;
> >+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >+	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
> >+
> >+	return CMD_RET_SUCCESS;
> >+}
> >+
> >+LIB_TEST(lib_rsa_verify_valid, 0);
> >+
> >+/**
> >+ * lib_rsa_verify_invalid() - unit test for rsa_verify()
> >+ *
> >+ * Test rsa_verify() with invalid hash
> >+ *
> >+ * @uts:	unit test state
> >+ * Return:	0 = success, 1 = failure
> >+ */
> >+static int lib_rsa_verify_invalid(struct unit_test_state *uts)
> >+{
> >+	struct image_sign_info info;
> >+	struct image_region reg;
> >+	unsigned char ctmp;
> >+	int ret;
> >+
> >+	memset(&info, '\0', sizeof(info));
> >+	info.name = "sha256,rsa2048";
> >+	info.padding = image_get_padding_algo("pkcs-1.5");
> >+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >+	info.crypto = image_get_crypto_algo(info.name);
> >+
> >+	info.key = public_key;
> >+	info.keylen = public_key_len;
> >+
> >+	/* randomly corrupt enc'ed data */
> >+	ctmp = data_enc[data_enc_len - 10];
> >+	data_enc[data_enc_len - 10] = 0x12;
> >+
> >+	reg.data = data_raw;
> >+	reg.size = data_raw_len;
> >+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >+
> >+	/* revert a change */
> >+	data_enc[data_enc_len - 10] = ctmp;
> >+
> >+	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
> >+
> >+	return CMD_RET_SUCCESS;
> >+}
> >+
> >+LIB_TEST(lib_rsa_verify_invalid, 0);
> >+#endif /* RSA_VERIFY_WITH_PKEY */
> >

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[AKASHI Takahiro]

On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> >rsa_verify() will be extended to be able to perform RSA decryption without
> >additional RSA key properties from FIT image, i.e. rr and n0inv.
> >
> >Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >Reviewed-by: Simon Glass <sjg@chromium.org>
> 
> The patch series does not build for some configurations.
> 
> >---
> >  lib/rsa/Kconfig | 14 ++++++++++++++
> >  1 file changed, 14 insertions(+)
> >
> >diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> >index 03ffa2969048..71e4c06bf883 100644
> >--- a/lib/rsa/Kconfig
> >+++ b/lib/rsa/Kconfig
> >@@ -30,6 +30,20 @@ config RSA_VERIFY
> >  	help
> >  	  Add RSA signature verification support.
> >
> >+config RSA_VERIFY_WITH_PKEY
> 
> For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> I get an error:

This error is inevitable as both RSA_VERIFY_WITH_PKEY and
RSA_PUBLIC_KEY_PARSER are "select"able configurations with
visible prompts and then
we should generally avoid potential illegal configurations;
The one should NOT forcibly select the other as the kernel kconfig
document suggests.

#  Note:
#        select should be used with care. select will force
#        a symbol to a value without visiting the dependencies.
#        By abusing select you are able to select a symbol FOO even
#        if FOO depends on BAR that is not set.
#        In general use select only for non-visible symbols
#        (no prompts anywhere) and for symbols with no dependencies.
#        That will limit the usefulness but on the other hand avoid
#        the illegal configurations all over.

-Takahiro Akashi


> lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
> 
> RSA_PUBLIC_KEY_PARSER depends on
> ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
> 
> Please, fix the dependencies.
> 
> Best regards
> 
> Heinrich
> 
> >+	bool "Execute RSA verification without key parameters from FDT"
> >+	depends on RSA
> >+	help
> >+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> >+	  pre-calculated key properties, that are stored in fdt blob, in
> >+	  decrypting a signature.
> >+	  This does not suit the use case where there is no way defined to
> >+	  provide such additional key properties in standardized form,
> >+	  particularly UEFI secure boot.
> >+	  This options enables RSA signature verification with a public key
> >+	  directly specified in image_sign_info, where all the necessary
> >+	  key properties will be calculated on the fly in verification code.
> >+
> >  config RSA_SOFTWARE_EXP
> >  	bool "Enable driver for RSA Modular Exponentiation in software"
> >  	depends on DM
> >

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[Heinrich Schuchardt]

On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
> On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
>> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>>> In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
>>> rsa_verify() will be extended to be able to perform RSA decryption without
>>> additional RSA key properties from FIT image, i.e. rr and n0inv.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>> Reviewed-by: Simon Glass <sjg@chromium.org>
>>
>> The patch series does not build for some configurations.
>>
>>> ---
>>>   lib/rsa/Kconfig | 14 ++++++++++++++
>>>   1 file changed, 14 insertions(+)
>>>
>>> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
>>> index 03ffa2969048..71e4c06bf883 100644
>>> --- a/lib/rsa/Kconfig
>>> +++ b/lib/rsa/Kconfig
>>> @@ -30,6 +30,20 @@ config RSA_VERIFY
>>>   	help
>>>   	  Add RSA signature verification support.
>>>
>>> +config RSA_VERIFY_WITH_PKEY
>>
>> For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
>> I get an error:
>
> This error is inevitable as both RSA_VERIFY_WITH_PKEY and
> RSA_PUBLIC_KEY_PARSER are "select"able configurations with
> visible prompts and then

No, it is not inevitbable. Just ensure that in the Makefiles all modules
are selected that you need for your configuration.

> we should generally avoid potential illegal configurations;

Yes, we want to avoid potentially illegal configurations everywhere.
This is why we have a randconfig build target.

Best regards

Heinrich

> The one should NOT forcibly select the other as the kernel kconfig
> document suggests.
>
> #  Note:
> #        select should be used with care. select will force
> #        a symbol to a value without visiting the dependencies.
> #        By abusing select you are able to select a symbol FOO even
> #        if FOO depends on BAR that is not set.
> #        In general use select only for non-visible symbols
> #        (no prompts anywhere) and for symbols with no dependencies.
> #        That will limit the usefulness but on the other hand avoid
> #        the illegal configurations all over.
>
> -Takahiro Akashi
>
>
>> lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
>>
>> RSA_PUBLIC_KEY_PARSER depends on
>> ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
>>
>> Please, fix the dependencies.
>>
>> Best regards
>>
>> Heinrich
>>
>>> +	bool "Execute RSA verification without key parameters from FDT"
>>> +	depends on RSA
>>> +	help
>>> +	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
>>> +	  pre-calculated key properties, that are stored in fdt blob, in
>>> +	  decrypting a signature.
>>> +	  This does not suit the use case where there is no way defined to
>>> +	  provide such additional key properties in standardized form,
>>> +	  particularly UEFI secure boot.
>>> +	  This options enables RSA signature verification with a public key
>>> +	  directly specified in image_sign_info, where all the necessary
>>> +	  key properties will be calculated on the fly in verification code.
>>> +
>>>   config RSA_SOFTWARE_EXP
>>>   	bool "Enable driver for RSA Modular Exponentiation in software"
>>>   	depends on DM
>>>
>

[PATCH v4 6/6] test: add rsa_verify() unit test

[Heinrich Schuchardt]

On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
>>
>>
>> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>>> In this patch, a very simple test is added to verify that rsa_verify()
>>> using rsa_verify_with_pkey() work correctly.
>>>
>>> To keep the code simple, all the test data, either public key and
>>> verified binary data, are embedded in the source.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>> ---
>>>   test/Kconfig      |  12 +++
>>>   test/lib/Makefile |   1 +
>>>   test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
>>>   3 files changed, 219 insertions(+)
>>>   create mode 100644 test/lib/rsa.c
>>>
>>> diff --git a/test/Kconfig b/test/Kconfig
>>> index cb7954041eda..64d76c3b20a5 100644
>>> --- a/test/Kconfig
>>> +++ b/test/Kconfig
>>> @@ -28,6 +28,18 @@ config UT_LIB_ASN1
>>>   	  Enables a test which exercises asn1 compiler and decoder function
>>>   	  via various parsers.
>>>
>>> +config UT_LIB_RSA
>>> +	bool "Unit test for rsa_verify() function"
>>> +	imply RSA
>>> +	imply ASYMMETRIC_KEY_TYPE
>>> +	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
>>> +	imply RSA_PUBLIC_KEY_PARSER
>>> +	imply RSA_VERIFY_WITH_PKEY
>>
>> This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
>> executed otherwise.
>
> See below.
>
>> Best regards
>>
>> Heinrich
>>
>>> +	default y
>>> +	help
>>> +	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
>>> +	  only, at the 'ut lib' command.
>>> +
>>>   endif
>>>
>>>   config UT_TIME
>>> diff --git a/test/lib/Makefile b/test/lib/Makefile
>>> index 72d2ec74b5f4..2bf6ef3935bb 100644
>>> --- a/test/lib/Makefile
>>> +++ b/test/lib/Makefile
>>> @@ -8,3 +8,4 @@ obj-y += lmb.o
>>>   obj-y += string.o
>>>   obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
>>>   obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
>>> +obj-$(CONFIG_UT_LIB_RSA) += rsa.o
>>> diff --git a/test/lib/rsa.c b/test/lib/rsa.c
>>> new file mode 100644
>>> index 000000000000..44f8ade226f4
>>> --- /dev/null
>>> +++ b/test/lib/rsa.c
>>> @@ -0,0 +1,206 @@
>>> +// SPDX-License-Identifier: GPL-2.0+
>>> +/*
>>> + * Copyright (c) 2019 Linaro Limited
>>> + * Author: AKASHI Takahiro
>>> + *
>>> + * Unit test for rsa_verify() function
>>> + */
>>> +
>>> +#include <common.h>
>>> +#include <command.h>
>>> +#include <image.h>
>>> +#include <test/lib.h>
>>> +#include <test/test.h>
>>> +#include <test/ut.h>
>>> +#include <u-boot/rsa.h>
>>> +
>>> +#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
>>
>> Please, remove this ifdef. Simply do not build this module if
>> CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
>
> That is why I added this #ifdef here to avoid a build error.
> I think it is a good idea to make test code as generic as possible
> to easily add more test cases.

It is preferable to move configuration dependencies to the Makefile.

You can create a new C file if you have tests needing a different
configuration.

test/lib/rsa_verify.c might be a better name for the file.

In test/Kconfig, please, replace

config UT_LIB_RSA
         bool "Unit test for rsa_verify() function"
         imply RSA

by

config UT_LIB_RSA
         bool "Unit test for rsa_verify() function"
	default y
         depends on RSA

We run all unit tests in Gitlab CI. This requires default=y.

'imply' gives you no guarantee that RSA is selected. See the build
errors I reported for your other patches in the series.

Best regards

Heinrich

>
> I believe that the original RSA helper functions (w/o WITH_PKEY)
> should also be exercised in a unit test. Otherwise, the code
> will only be exercised indirectly through FIT image verification
> and such a situation will contradict what Tom (or Heinrich?) demanded
> against my RSA patch.
>
> -Takahiro Akashi
>
>>> +/*
>>> + * openssl genrsa 2048 -out private.pem
>>> + * openssl rsa -in private.pem -pubout -outform der -out public.der
>>> + * dd if=public.der of=public.raw bs=24 skip=1
>>> + */
>>> +static unsigned char public_key[] = {
>>> +	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
>>> +	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
>>> +	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
>>> +	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
>>> +	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
>>> +	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
>>> +	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
>>> +	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
>>> +	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
>>> +	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
>>> +	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
>>> +	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
>>> +	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
>>> +	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
>>> +	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
>>> +	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
>>> +	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
>>> +	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
>>> +	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
>>> +	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
>>> +	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
>>> +	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
>>> +	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
>>> +};
>>> +
>>> +static unsigned int public_key_len = 270;
>>> +
>>> +/*
>>> + * dd if=/dev/urandom of=data.raw bs=512 count=1
>>> + */
>>> +static unsigned char data_raw[] = {
>>> +	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
>>> +	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
>>> +	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
>>> +	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
>>> +	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
>>> +	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
>>> +	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
>>> +	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
>>> +	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
>>> +	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
>>> +	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
>>> +	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
>>> +	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
>>> +	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
>>> +	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
>>> +	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
>>> +	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
>>> +	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
>>> +	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
>>> +	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
>>> +	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
>>> +	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
>>> +	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
>>> +	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
>>> +	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
>>> +	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
>>> +	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
>>> +	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
>>> +	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
>>> +	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
>>> +	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
>>> +	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
>>> +	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
>>> +	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
>>> +	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
>>> +	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
>>> +	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
>>> +	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
>>> +	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
>>> +	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
>>> +	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
>>> +	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
>>> +	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
>>> +};
>>> +
>>> +static unsigned int data_raw_len = 512;
>>> +
>>> +/*
>>> + * openssl dgst -sha256 -sign private.key -out data.enc data.raw
>>> + */
>>> +unsigned char data_enc[] = {
>>> +	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
>>> +	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
>>> +	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
>>> +	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
>>> +	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
>>> +	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
>>> +	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
>>> +	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
>>> +	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
>>> +	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
>>> +	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
>>> +	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
>>> +	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
>>> +	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
>>> +	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
>>> +	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
>>> +	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
>>> +	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
>>> +	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
>>> +	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
>>> +	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
>>> +	0x89, 0x06, 0xc9, 0x3a
>>> +};
>>> +
>>> +static unsigned int data_enc_len = 256;
>>> +
>>> +/**
>>> + * lib_rsa_verify_valid() - unit test for rsa_verify()
>>> + *
>>> + * Test rsa_verify() with valid hash
>>> + *
>>> + * @uts:	unit test state
>>> + * Return:	0 = success, 1 = failure
>>> + */
>>> +static int lib_rsa_verify_valid(struct unit_test_state *uts)
>>> +{
>>> +	struct image_sign_info info;
>>> +	struct image_region reg;
>>> +	int ret;
>>> +
>>> +	memset(&info, '\0', sizeof(info));
>>> +	info.name = "sha256,rsa2048";
>>> +	info.padding = image_get_padding_algo("pkcs-1.5");
>>> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
>>> +	info.crypto = image_get_crypto_algo(info.name);
>>> +
>>> +	info.key = public_key;
>>> +	info.keylen = public_key_len;
>>> +
>>> +	reg.data = data_raw;
>>> +	reg.size = data_raw_len;
>>> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>>> +	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
>>> +
>>> +	return CMD_RET_SUCCESS;
>>> +}
>>> +
>>> +LIB_TEST(lib_rsa_verify_valid, 0);
>>> +
>>> +/**
>>> + * lib_rsa_verify_invalid() - unit test for rsa_verify()
>>> + *
>>> + * Test rsa_verify() with invalid hash
>>> + *
>>> + * @uts:	unit test state
>>> + * Return:	0 = success, 1 = failure
>>> + */
>>> +static int lib_rsa_verify_invalid(struct unit_test_state *uts)
>>> +{
>>> +	struct image_sign_info info;
>>> +	struct image_region reg;
>>> +	unsigned char ctmp;
>>> +	int ret;
>>> +
>>> +	memset(&info, '\0', sizeof(info));
>>> +	info.name = "sha256,rsa2048";
>>> +	info.padding = image_get_padding_algo("pkcs-1.5");
>>> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
>>> +	info.crypto = image_get_crypto_algo(info.name);
>>> +
>>> +	info.key = public_key;
>>> +	info.keylen = public_key_len;
>>> +
>>> +	/* randomly corrupt enc'ed data */
>>> +	ctmp = data_enc[data_enc_len - 10];
>>> +	data_enc[data_enc_len - 10] = 0x12;
>>> +
>>> +	reg.data = data_raw;
>>> +	reg.size = data_raw_len;
>>> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>>> +
>>> +	/* revert a change */
>>> +	data_enc[data_enc_len - 10] = ctmp;
>>> +
>>> +	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
>>> +
>>> +	return CMD_RET_SUCCESS;
>>> +}
>>> +
>>> +LIB_TEST(lib_rsa_verify_invalid, 0);
>>> +#endif /* RSA_VERIFY_WITH_PKEY */
>>>
>

[PATCH v4 6/6] test: add rsa_verify() unit test

[AKASHI Takahiro]

On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
> On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> >On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> >>
> >>
> >>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >>>In this patch, a very simple test is added to verify that rsa_verify()
> >>>using rsa_verify_with_pkey() work correctly.
> >>>
> >>>To keep the code simple, all the test data, either public key and
> >>>verified binary data, are embedded in the source.
> >>>
> >>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>---
> >>>  test/Kconfig      |  12 +++
> >>>  test/lib/Makefile |   1 +
> >>>  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> >>>  3 files changed, 219 insertions(+)
> >>>  create mode 100644 test/lib/rsa.c
> >>>
> >>>diff --git a/test/Kconfig b/test/Kconfig
> >>>index cb7954041eda..64d76c3b20a5 100644
> >>>--- a/test/Kconfig
> >>>+++ b/test/Kconfig
> >>>@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> >>>  	  Enables a test which exercises asn1 compiler and decoder function
> >>>  	  via various parsers.
> >>>
> >>>+config UT_LIB_RSA
> >>>+	bool "Unit test for rsa_verify() function"
> >>>+	imply RSA
> >>>+	imply ASYMMETRIC_KEY_TYPE
> >>>+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> >>>+	imply RSA_PUBLIC_KEY_PARSER
> >>>+	imply RSA_VERIFY_WITH_PKEY
> >>
> >>This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> >>executed otherwise.
> >
> >See below.
> >
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>+	default y
> >>>+	help
> >>>+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> >>>+	  only, at the 'ut lib' command.
> >>>+
> >>>  endif
> >>>
> >>>  config UT_TIME
> >>>diff --git a/test/lib/Makefile b/test/lib/Makefile
> >>>index 72d2ec74b5f4..2bf6ef3935bb 100644
> >>>--- a/test/lib/Makefile
> >>>+++ b/test/lib/Makefile
> >>>@@ -8,3 +8,4 @@ obj-y += lmb.o
> >>>  obj-y += string.o
> >>>  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> >>>  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> >>>+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> >>>diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> >>>new file mode 100644
> >>>index 000000000000..44f8ade226f4
> >>>--- /dev/null
> >>>+++ b/test/lib/rsa.c
> >>>@@ -0,0 +1,206 @@
> >>>+// SPDX-License-Identifier: GPL-2.0+
> >>>+/*
> >>>+ * Copyright (c) 2019 Linaro Limited
> >>>+ * Author: AKASHI Takahiro
> >>>+ *
> >>>+ * Unit test for rsa_verify() function
> >>>+ */
> >>>+
> >>>+#include <common.h>
> >>>+#include <command.h>
> >>>+#include <image.h>
> >>>+#include <test/lib.h>
> >>>+#include <test/test.h>
> >>>+#include <test/ut.h>
> >>>+#include <u-boot/rsa.h>
> >>>+
> >>>+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> >>
> >>Please, remove this ifdef. Simply do not build this module if
> >>CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
> >
> >That is why I added this #ifdef here to avoid a build error.
> >I think it is a good idea to make test code as generic as possible
> >to easily add more test cases.
> 
> It is preferable to move configuration dependencies to the Makefile.
> 
> You can create a new C file if you have tests needing a different
> configuration.
> 
> test/lib/rsa_verify.c might be a better name for the file.
> 
> In test/Kconfig, please, replace
> 
> config UT_LIB_RSA
>         bool "Unit test for rsa_verify() function"
>         imply RSA
> 
> by
> 
> config UT_LIB_RSA
>         bool "Unit test for rsa_verify() function"
> 	default y
>         depends on RSA

Initially in my development code, I did the exact same thing,
but I didn't adopt this approach.

If we follow your proposal, UT_LIB_RSA won't be selected
unless RSA is enabled.
So UT_LIB_RSA won't be executed under most existing configurations
in the current CI.  This was not what I wanted.

What I wanted here is that, if UT (and UT_LIB) is selected, all
the configurations needed for enabling all the test cases be
also selected *automatically*.

I think that this is what Tom implied in his comment.

Thanks,
-Takahiro Akashi


> We run all unit tests in Gitlab CI. This requires default=y.
> 
> 'imply' gives you no guarantee that RSA is selected. See the build
> errors I reported for your other patches in the series.
> 
> Best regards
> 
> Heinrich
> 
> >
> >I believe that the original RSA helper functions (w/o WITH_PKEY)
> >should also be exercised in a unit test. Otherwise, the code
> >will only be exercised indirectly through FIT image verification
> >and such a situation will contradict what Tom (or Heinrich?) demanded
> >against my RSA patch.
> >
> >-Takahiro Akashi
> >
> >>>+/*
> >>>+ * openssl genrsa 2048 -out private.pem
> >>>+ * openssl rsa -in private.pem -pubout -outform der -out public.der
> >>>+ * dd if=public.der of=public.raw bs=24 skip=1
> >>>+ */
> >>>+static unsigned char public_key[] = {
> >>>+	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
> >>>+	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
> >>>+	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
> >>>+	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
> >>>+	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
> >>>+	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
> >>>+	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
> >>>+	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
> >>>+	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
> >>>+	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
> >>>+	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
> >>>+	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
> >>>+	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
> >>>+	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
> >>>+	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
> >>>+	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
> >>>+	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
> >>>+	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
> >>>+	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
> >>>+	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
> >>>+	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
> >>>+	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
> >>>+	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
> >>>+};
> >>>+
> >>>+static unsigned int public_key_len = 270;
> >>>+
> >>>+/*
> >>>+ * dd if=/dev/urandom of=data.raw bs=512 count=1
> >>>+ */
> >>>+static unsigned char data_raw[] = {
> >>>+	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
> >>>+	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
> >>>+	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
> >>>+	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
> >>>+	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
> >>>+	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
> >>>+	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
> >>>+	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
> >>>+	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
> >>>+	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
> >>>+	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
> >>>+	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
> >>>+	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
> >>>+	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
> >>>+	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
> >>>+	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
> >>>+	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
> >>>+	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
> >>>+	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
> >>>+	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
> >>>+	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
> >>>+	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
> >>>+	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
> >>>+	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
> >>>+	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
> >>>+	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
> >>>+	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
> >>>+	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
> >>>+	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
> >>>+	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
> >>>+	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
> >>>+	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
> >>>+	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
> >>>+	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
> >>>+	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
> >>>+	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
> >>>+	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
> >>>+	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
> >>>+	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
> >>>+	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
> >>>+	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
> >>>+	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
> >>>+	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
> >>>+};
> >>>+
> >>>+static unsigned int data_raw_len = 512;
> >>>+
> >>>+/*
> >>>+ * openssl dgst -sha256 -sign private.key -out data.enc data.raw
> >>>+ */
> >>>+unsigned char data_enc[] = {
> >>>+	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
> >>>+	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
> >>>+	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
> >>>+	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
> >>>+	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
> >>>+	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
> >>>+	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
> >>>+	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
> >>>+	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
> >>>+	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
> >>>+	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
> >>>+	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
> >>>+	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
> >>>+	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
> >>>+	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
> >>>+	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
> >>>+	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
> >>>+	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
> >>>+	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
> >>>+	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
> >>>+	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
> >>>+	0x89, 0x06, 0xc9, 0x3a
> >>>+};
> >>>+
> >>>+static unsigned int data_enc_len = 256;
> >>>+
> >>>+/**
> >>>+ * lib_rsa_verify_valid() - unit test for rsa_verify()
> >>>+ *
> >>>+ * Test rsa_verify() with valid hash
> >>>+ *
> >>>+ * @uts:	unit test state
> >>>+ * Return:	0 = success, 1 = failure
> >>>+ */
> >>>+static int lib_rsa_verify_valid(struct unit_test_state *uts)
> >>>+{
> >>>+	struct image_sign_info info;
> >>>+	struct image_region reg;
> >>>+	int ret;
> >>>+
> >>>+	memset(&info, '\0', sizeof(info));
> >>>+	info.name = "sha256,rsa2048";
> >>>+	info.padding = image_get_padding_algo("pkcs-1.5");
> >>>+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >>>+	info.crypto = image_get_crypto_algo(info.name);
> >>>+
> >>>+	info.key = public_key;
> >>>+	info.keylen = public_key_len;
> >>>+
> >>>+	reg.data = data_raw;
> >>>+	reg.size = data_raw_len;
> >>>+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >>>+	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
> >>>+
> >>>+	return CMD_RET_SUCCESS;
> >>>+}
> >>>+
> >>>+LIB_TEST(lib_rsa_verify_valid, 0);
> >>>+
> >>>+/**
> >>>+ * lib_rsa_verify_invalid() - unit test for rsa_verify()
> >>>+ *
> >>>+ * Test rsa_verify() with invalid hash
> >>>+ *
> >>>+ * @uts:	unit test state
> >>>+ * Return:	0 = success, 1 = failure
> >>>+ */
> >>>+static int lib_rsa_verify_invalid(struct unit_test_state *uts)
> >>>+{
> >>>+	struct image_sign_info info;
> >>>+	struct image_region reg;
> >>>+	unsigned char ctmp;
> >>>+	int ret;
> >>>+
> >>>+	memset(&info, '\0', sizeof(info));
> >>>+	info.name = "sha256,rsa2048";
> >>>+	info.padding = image_get_padding_algo("pkcs-1.5");
> >>>+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >>>+	info.crypto = image_get_crypto_algo(info.name);
> >>>+
> >>>+	info.key = public_key;
> >>>+	info.keylen = public_key_len;
> >>>+
> >>>+	/* randomly corrupt enc'ed data */
> >>>+	ctmp = data_enc[data_enc_len - 10];
> >>>+	data_enc[data_enc_len - 10] = 0x12;
> >>>+
> >>>+	reg.data = data_raw;
> >>>+	reg.size = data_raw_len;
> >>>+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >>>+
> >>>+	/* revert a change */
> >>>+	data_enc[data_enc_len - 10] = ctmp;
> >>>+
> >>>+	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
> >>>+
> >>>+	return CMD_RET_SUCCESS;
> >>>+}
> >>>+
> >>>+LIB_TEST(lib_rsa_verify_invalid, 0);
> >>>+#endif /* RSA_VERIFY_WITH_PKEY */
> >>>
> >
> 

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[AKASHI Takahiro]

On Tue, Jan 14, 2020 at 12:43:40PM +0100, Heinrich Schuchardt wrote:
> On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
> >On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> >>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >>>In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> >>>rsa_verify() will be extended to be able to perform RSA decryption without
> >>>additional RSA key properties from FIT image, i.e. rr and n0inv.
> >>>
> >>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>Reviewed-by: Simon Glass <sjg@chromium.org>
> >>
> >>The patch series does not build for some configurations.
> >>
> >>>---
> >>>  lib/rsa/Kconfig | 14 ++++++++++++++
> >>>  1 file changed, 14 insertions(+)
> >>>
> >>>diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> >>>index 03ffa2969048..71e4c06bf883 100644
> >>>--- a/lib/rsa/Kconfig
> >>>+++ b/lib/rsa/Kconfig
> >>>@@ -30,6 +30,20 @@ config RSA_VERIFY
> >>>  	help
> >>>  	  Add RSA signature verification support.
> >>>
> >>>+config RSA_VERIFY_WITH_PKEY
> >>
> >>For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> >>I get an error:
> >
> >This error is inevitable as both RSA_VERIFY_WITH_PKEY and
> >RSA_PUBLIC_KEY_PARSER are "select"able configurations with
> >visible prompts and then
> 
> No, it is not inevitbable. Just ensure that in the Makefiles all modules
> are selected that you need for your configuration.

How?
Can you please show me a simple solution?

Thanks,
-Takahiro Akashi


> >we should generally avoid potential illegal configurations;
> 
> Yes, we want to avoid potentially illegal configurations everywhere.
> This is why we have a randconfig build target.
> 
> Best regards
> 
> Heinrich
> 
> >The one should NOT forcibly select the other as the kernel kconfig
> >document suggests.
> >
> >#  Note:
> >#        select should be used with care. select will force
> >#        a symbol to a value without visiting the dependencies.
> >#        By abusing select you are able to select a symbol FOO even
> >#        if FOO depends on BAR that is not set.
> >#        In general use select only for non-visible symbols
> >#        (no prompts anywhere) and for symbols with no dependencies.
> >#        That will limit the usefulness but on the other hand avoid
> >#        the illegal configurations all over.
> >
> >-Takahiro Akashi
> >
> >
> >>lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
> >>
> >>RSA_PUBLIC_KEY_PARSER depends on
> >>ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
> >>
> >>Please, fix the dependencies.
> >>
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>+	bool "Execute RSA verification without key parameters from FDT"
> >>>+	depends on RSA
> >>>+	help
> >>>+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> >>>+	  pre-calculated key properties, that are stored in fdt blob, in
> >>>+	  decrypting a signature.
> >>>+	  This does not suit the use case where there is no way defined to
> >>>+	  provide such additional key properties in standardized form,
> >>>+	  particularly UEFI secure boot.
> >>>+	  This options enables RSA signature verification with a public key
> >>>+	  directly specified in image_sign_info, where all the necessary
> >>>+	  key properties will be calculated on the fly in verification code.
> >>>+
> >>>  config RSA_SOFTWARE_EXP
> >>>  	bool "Enable driver for RSA Modular Exponentiation in software"
> >>>  	depends on DM
> >>>
> >
> 

[PATCH v4 6/6] test: add rsa_verify() unit test

[Heinrich Schuchardt]

On 1/17/20 2:53 AM, AKASHI Takahiro wrote:
> On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
>> On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
>>> On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
>>>>
>>>>
>>>> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>>>>> In this patch, a very simple test is added to verify that rsa_verify()
>>>>> using rsa_verify_with_pkey() work correctly.
>>>>>
>>>>> To keep the code simple, all the test data, either public key and
>>>>> verified binary data, are embedded in the source.
>>>>>
>>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>>>> ---
>>>>>   test/Kconfig      |  12 +++
>>>>>   test/lib/Makefile |   1 +
>>>>>   test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
>>>>>   3 files changed, 219 insertions(+)
>>>>>   create mode 100644 test/lib/rsa.c
>>>>>
>>>>> diff --git a/test/Kconfig b/test/Kconfig
>>>>> index cb7954041eda..64d76c3b20a5 100644
>>>>> --- a/test/Kconfig
>>>>> +++ b/test/Kconfig
>>>>> @@ -28,6 +28,18 @@ config UT_LIB_ASN1
>>>>>   	  Enables a test which exercises asn1 compiler and decoder function
>>>>>   	  via various parsers.
>>>>>
>>>>> +config UT_LIB_RSA
>>>>> +	bool "Unit test for rsa_verify() function"
>>>>> +	imply RSA
>>>>> +	imply ASYMMETRIC_KEY_TYPE
>>>>> +	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
>>>>> +	imply RSA_PUBLIC_KEY_PARSER
>>>>> +	imply RSA_VERIFY_WITH_PKEY
>>>>
>>>> This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
>>>> executed otherwise.
>>>
>>> See below.
>>>
>>>> Best regards
>>>>
>>>> Heinrich
>>>>
>>>>> +	default y
>>>>> +	help
>>>>> +	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
>>>>> +	  only, at the 'ut lib' command.
>>>>> +
>>>>>   endif
>>>>>
>>>>>   config UT_TIME
>>>>> diff --git a/test/lib/Makefile b/test/lib/Makefile
>>>>> index 72d2ec74b5f4..2bf6ef3935bb 100644
>>>>> --- a/test/lib/Makefile
>>>>> +++ b/test/lib/Makefile
>>>>> @@ -8,3 +8,4 @@ obj-y += lmb.o
>>>>>   obj-y += string.o
>>>>>   obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
>>>>>   obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
>>>>> +obj-$(CONFIG_UT_LIB_RSA) += rsa.o
>>>>> diff --git a/test/lib/rsa.c b/test/lib/rsa.c
>>>>> new file mode 100644
>>>>> index 000000000000..44f8ade226f4
>>>>> --- /dev/null
>>>>> +++ b/test/lib/rsa.c
>>>>> @@ -0,0 +1,206 @@
>>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>>> +/*
>>>>> + * Copyright (c) 2019 Linaro Limited
>>>>> + * Author: AKASHI Takahiro
>>>>> + *
>>>>> + * Unit test for rsa_verify() function
>>>>> + */
>>>>> +
>>>>> +#include <common.h>
>>>>> +#include <command.h>
>>>>> +#include <image.h>
>>>>> +#include <test/lib.h>
>>>>> +#include <test/test.h>
>>>>> +#include <test/ut.h>
>>>>> +#include <u-boot/rsa.h>
>>>>> +
>>>>> +#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
>>>>
>>>> Please, remove this ifdef. Simply do not build this module if
>>>> CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
>>>
>>> That is why I added this #ifdef here to avoid a build error.
>>> I think it is a good idea to make test code as generic as possible
>>> to easily add more test cases.
>>
>> It is preferable to move configuration dependencies to the Makefile.
>>
>> You can create a new C file if you have tests needing a different
>> configuration.
>>
>> test/lib/rsa_verify.c might be a better name for the file.
>>
>> In test/Kconfig, please, replace
>>
>> config UT_LIB_RSA
>>          bool "Unit test for rsa_verify() function"
>>          imply RSA
>>
>> by
>>
>> config UT_LIB_RSA
>>          bool "Unit test for rsa_verify() function"
>> 	default y
>>          depends on RSA
>
> Initially in my development code, I did the exact same thing,
> but I didn't adopt this approach.
>
> If we follow your proposal, UT_LIB_RSA won't be selected
> unless RSA is enabled.
> So UT_LIB_RSA won't be executed under most existing configurations
> in the current CI.  This was not what I wanted.
>
> What I wanted here is that, if UT (and UT_LIB) is selected, all
> the configurations needed for enabling all the test cases be
> also selected *automatically*.

What I want is that if I run 'make menuconfig' and select CONFIG_UT
manually I end up with a configuration that compiles and that does what
I have configured.

Just try:

make wandboard_config
make menuconfig
# set CONFIG_UT=y
# set CONFIG_UT_LIB_RSA=y

This results in

CONFIG_RSA=n

because 'imply RSA' does not switch on CONFIG_RSA in this case.

You end up with a configuration where the test is selected in .config
but cannot be executed.

Please, change your patches such that it is guaranteed that if a test is
activated in the configuration it is executed by the 'ut all' command.

Best regards

Heinrich

>
> I think that this is what Tom implied in his comment.
>
> Thanks,
> -Takahiro Akashi
>
>
>> We run all unit tests in Gitlab CI. This requires default=y.
>>
>> 'imply' gives you no guarantee that RSA is selected. See the build
>> errors I reported for your other patches in the series.
>>
>> Best regards
>>
>> Heinrich
>>
>>>
>>> I believe that the original RSA helper functions (w/o WITH_PKEY)
>>> should also be exercised in a unit test. Otherwise, the code
>>> will only be exercised indirectly through FIT image verification
>>> and such a situation will contradict what Tom (or Heinrich?) demanded
>>> against my RSA patch.
>>>
>>> -Takahiro Akashi
>>>
>>>>> +/*
>>>>> + * openssl genrsa 2048 -out private.pem
>>>>> + * openssl rsa -in private.pem -pubout -outform der -out public.der
>>>>> + * dd if=public.der of=public.raw bs=24 skip=1
>>>>> + */
>>>>> +static unsigned char public_key[] = {
>>>>> +	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
>>>>> +	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
>>>>> +	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
>>>>> +	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
>>>>> +	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
>>>>> +	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
>>>>> +	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
>>>>> +	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
>>>>> +	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
>>>>> +	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
>>>>> +	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
>>>>> +	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
>>>>> +	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
>>>>> +	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
>>>>> +	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
>>>>> +	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
>>>>> +	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
>>>>> +	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
>>>>> +	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
>>>>> +	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
>>>>> +	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
>>>>> +	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
>>>>> +	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
>>>>> +};
>>>>> +
>>>>> +static unsigned int public_key_len = 270;
>>>>> +
>>>>> +/*
>>>>> + * dd if=/dev/urandom of=data.raw bs=512 count=1
>>>>> + */
>>>>> +static unsigned char data_raw[] = {
>>>>> +	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
>>>>> +	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
>>>>> +	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
>>>>> +	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
>>>>> +	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
>>>>> +	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
>>>>> +	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
>>>>> +	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
>>>>> +	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
>>>>> +	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
>>>>> +	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
>>>>> +	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
>>>>> +	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
>>>>> +	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
>>>>> +	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
>>>>> +	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
>>>>> +	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
>>>>> +	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
>>>>> +	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
>>>>> +	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
>>>>> +	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
>>>>> +	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
>>>>> +	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
>>>>> +	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
>>>>> +	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
>>>>> +	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
>>>>> +	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
>>>>> +	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
>>>>> +	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
>>>>> +	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
>>>>> +	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
>>>>> +	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
>>>>> +	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
>>>>> +	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
>>>>> +	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
>>>>> +	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
>>>>> +	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
>>>>> +	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
>>>>> +	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
>>>>> +	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
>>>>> +	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
>>>>> +	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
>>>>> +	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
>>>>> +};
>>>>> +
>>>>> +static unsigned int data_raw_len = 512;
>>>>> +
>>>>> +/*
>>>>> + * openssl dgst -sha256 -sign private.key -out data.enc data.raw
>>>>> + */
>>>>> +unsigned char data_enc[] = {
>>>>> +	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
>>>>> +	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
>>>>> +	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
>>>>> +	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
>>>>> +	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
>>>>> +	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
>>>>> +	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
>>>>> +	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
>>>>> +	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
>>>>> +	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
>>>>> +	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
>>>>> +	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
>>>>> +	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
>>>>> +	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
>>>>> +	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
>>>>> +	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
>>>>> +	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
>>>>> +	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
>>>>> +	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
>>>>> +	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
>>>>> +	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
>>>>> +	0x89, 0x06, 0xc9, 0x3a
>>>>> +};
>>>>> +
>>>>> +static unsigned int data_enc_len = 256;
>>>>> +
>>>>> +/**
>>>>> + * lib_rsa_verify_valid() - unit test for rsa_verify()
>>>>> + *
>>>>> + * Test rsa_verify() with valid hash
>>>>> + *
>>>>> + * @uts:	unit test state
>>>>> + * Return:	0 = success, 1 = failure
>>>>> + */
>>>>> +static int lib_rsa_verify_valid(struct unit_test_state *uts)
>>>>> +{
>>>>> +	struct image_sign_info info;
>>>>> +	struct image_region reg;
>>>>> +	int ret;
>>>>> +
>>>>> +	memset(&info, '\0', sizeof(info));
>>>>> +	info.name = "sha256,rsa2048";
>>>>> +	info.padding = image_get_padding_algo("pkcs-1.5");
>>>>> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
>>>>> +	info.crypto = image_get_crypto_algo(info.name);
>>>>> +
>>>>> +	info.key = public_key;
>>>>> +	info.keylen = public_key_len;
>>>>> +
>>>>> +	reg.data = data_raw;
>>>>> +	reg.size = data_raw_len;
>>>>> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>>>>> +	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
>>>>> +
>>>>> +	return CMD_RET_SUCCESS;
>>>>> +}
>>>>> +
>>>>> +LIB_TEST(lib_rsa_verify_valid, 0);
>>>>> +
>>>>> +/**
>>>>> + * lib_rsa_verify_invalid() - unit test for rsa_verify()
>>>>> + *
>>>>> + * Test rsa_verify() with invalid hash
>>>>> + *
>>>>> + * @uts:	unit test state
>>>>> + * Return:	0 = success, 1 = failure
>>>>> + */
>>>>> +static int lib_rsa_verify_invalid(struct unit_test_state *uts)
>>>>> +{
>>>>> +	struct image_sign_info info;
>>>>> +	struct image_region reg;
>>>>> +	unsigned char ctmp;
>>>>> +	int ret;
>>>>> +
>>>>> +	memset(&info, '\0', sizeof(info));
>>>>> +	info.name = "sha256,rsa2048";
>>>>> +	info.padding = image_get_padding_algo("pkcs-1.5");
>>>>> +	info.checksum = image_get_checksum_algo("sha256,rsa2048");
>>>>> +	info.crypto = image_get_crypto_algo(info.name);
>>>>> +
>>>>> +	info.key = public_key;
>>>>> +	info.keylen = public_key_len;
>>>>> +
>>>>> +	/* randomly corrupt enc'ed data */
>>>>> +	ctmp = data_enc[data_enc_len - 10];
>>>>> +	data_enc[data_enc_len - 10] = 0x12;
>>>>> +
>>>>> +	reg.data = data_raw;
>>>>> +	reg.size = data_raw_len;
>>>>> +	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
>>>>> +
>>>>> +	/* revert a change */
>>>>> +	data_enc[data_enc_len - 10] = ctmp;
>>>>> +
>>>>> +	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
>>>>> +
>>>>> +	return CMD_RET_SUCCESS;
>>>>> +}
>>>>> +
>>>>> +LIB_TEST(lib_rsa_verify_invalid, 0);
>>>>> +#endif /* RSA_VERIFY_WITH_PKEY */
>>>>>
>>>
>>
>

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[Heinrich Schuchardt]

On 1/17/20 3:24 AM, AKASHI Takahiro wrote:
> On Tue, Jan 14, 2020 at 12:43:40PM +0100, Heinrich Schuchardt wrote:
>> On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
>>> On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
>>>> On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
>>>>> In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
>>>>> rsa_verify() will be extended to be able to perform RSA decryption without
>>>>> additional RSA key properties from FIT image, i.e. rr and n0inv.
>>>>>
>>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>>>> Reviewed-by: Simon Glass <sjg@chromium.org>
>>>>
>>>> The patch series does not build for some configurations.
>>>>
>>>>> ---
>>>>>   lib/rsa/Kconfig | 14 ++++++++++++++
>>>>>   1 file changed, 14 insertions(+)
>>>>>
>>>>> diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
>>>>> index 03ffa2969048..71e4c06bf883 100644
>>>>> --- a/lib/rsa/Kconfig
>>>>> +++ b/lib/rsa/Kconfig
>>>>> @@ -30,6 +30,20 @@ config RSA_VERIFY
>>>>>   	help
>>>>>   	  Add RSA signature verification support.
>>>>>
>>>>> +config RSA_VERIFY_WITH_PKEY
>>>>
>>>> For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
>>>> I get an error:
>>>
>>> This error is inevitable as both RSA_VERIFY_WITH_PKEY and
>>> RSA_PUBLIC_KEY_PARSER are "select"able configurations with
>>> visible prompts and then
>>
>> No, it is not inevitbable. Just ensure that in the Makefiles all modules
>> are selected that you need for your configuration.
>
> How?
> Can you please show me a simple solution?

ifneq($(CONFIG_RSA_VERIFY_WITH_PKEY)$(CONFIG_RSA_PUBLIC_KEY_PARSER),)
obj-y += foo.o
endif

or

config RSA_VERIFY_WITH_PKEY
	depends on RSA_PUBLIC_KEY_PARSER

or

config RSA_VERIFY_WITH_PKEY
	select RSA_PUBLIC_KEY_PARSER

Best regards

Heinrich

>
> Thanks,
> -Takahiro Akashi
>
>
>>> we should generally avoid potential illegal configurations;
>>
>> Yes, we want to avoid potentially illegal configurations everywhere.
>> This is why we have a randconfig build target.
>>
>> Best regards
>>
>> Heinrich
>>
>>> The one should NOT forcibly select the other as the kernel kconfig
>>> document suggests.
>>>
>>> #  Note:
>>> #        select should be used with care. select will force
>>> #        a symbol to a value without visiting the dependencies.
>>> #        By abusing select you are able to select a symbol FOO even
>>> #        if FOO depends on BAR that is not set.
>>> #        In general use select only for non-visible symbols
>>> #        (no prompts anywhere) and for symbols with no dependencies.
>>> #        That will limit the usefulness but on the other hand avoid
>>> #        the illegal configurations all over.
>>>
>>> -Takahiro Akashi
>>>
>>>
>>>> lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
>>>>
>>>> RSA_PUBLIC_KEY_PARSER depends on
>>>> ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
>>>>
>>>> Please, fix the dependencies.
>>>>
>>>> Best regards
>>>>
>>>> Heinrich
>>>>
>>>>> +	bool "Execute RSA verification without key parameters from FDT"
>>>>> +	depends on RSA
>>>>> +	help
>>>>> +	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
>>>>> +	  pre-calculated key properties, that are stored in fdt blob, in
>>>>> +	  decrypting a signature.
>>>>> +	  This does not suit the use case where there is no way defined to
>>>>> +	  provide such additional key properties in standardized form,
>>>>> +	  particularly UEFI secure boot.
>>>>> +	  This options enables RSA signature verification with a public key
>>>>> +	  directly specified in image_sign_info, where all the necessary
>>>>> +	  key properties will be calculated on the fly in verification code.
>>>>> +
>>>>>   config RSA_SOFTWARE_EXP
>>>>>   	bool "Enable driver for RSA Modular Exponentiation in software"
>>>>>   	depends on DM
>>>>>
>>>
>>
>

[PATCH v4 0/6] rsa: extend rsa_verify() for UEFI secure boot

[Heinrich Schuchardt]

On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> # This patch set is a prerequisite for UEFI secure boot.
>
> The current rsa_verify() requires five parameters for a RSA public key
> for efficiency while RSA, in theory, requires only two. In addition,
> those parameters are expected to come from FIT image.
>
> So this function won't fit very well when we want to use it for the purpose
> of implementing UEFI secure boot, in particular, image authentication
> as well as variable authentication, where the essential two parameters
> are set to be retrieved from one of X509 certificates in signature
> database.
>
> So, in this patch, additional three parameters will be calculated
> on the fly when rsa_verify() is called without fdt which should contain
> parameters above.
>
> This calculation heavily relies on "big-number (or multi-precision)
> library." Therefore some routines from BearSSL[1] under MIT license are
> imported in this implementation. See Patch#4.
> # Please let me know if this is not appropriate.
>
> Prerequisite:
> * public key parser in my "import x509/pkcs7 parser" patch[2]
>
> # Checkpatch will complain with lots of warnings/errors, but
> # I intentionally don't fix them for maximum maintainability.
>
>    [1] https://bearssl.org/
>    [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
>
> Changes in v4 (Nov 21, 2019)
> * rebased to v2020.01-rc3
> * change a function prototype of rsa_gen_key_prop() to return an error
>    code (patch#4,#5)
> * re-order include files in alphabetical order (patch#6)
> * add some comments per Simon's review comments
>
> Changes in v3 (Nov 13, 2019)
> * remove RSA_VERIFY_WITH_PKEY, which is to be added in patch#2 (patch#1)
> * modify unit test Kconfg due to removal of test/lib/Kconfig (patch#6)
>
> Changes in v2 (Oct 29, 2019)
> * fix build errors at Travis CI
> * not include linux/kconfig.h (patch#1)
> * add a separate patch for adding CONFIG_RSA_VERIFY_WITH_PKEY (patch#2)
> * take a prerequisite patch from my "secure boot patch" (patch#3)
> * add a dependency on RSA_PUBLIC_KEY_PARSER (patch#4)
> * remove "inline" directives (patch#4)
> * add function descriptions, which mostly come from BearSSL's src/inner.h
>    (patch#4)
> * improve Kconfig help text after Simon's comment (patch#5)
> * add function description of rsa_verify_with_pkey() (patch#5)
> * modify rsa_verify() to use "if (CONFIG_IS_ENABLED(...) " style
>    rather than "#ifdef CONFIG_..." (patch#5)
> * add function tests (patch#6)
>
> Changes in v1 (Oct 9, 2019)
> * fix a build error on pine64-lts_defconfig (reported by Heinrich)
>    by defining FIT_IMAGE_ENABLE_VERIFY flag and adding
>    SPL_RSA_VERIFY config (patch#1)
> * remove FIT-specific code from image-sig.c and put them to new
>    image-fit-sig.c to allow us to disable CONFIG_FIT_SIGNATURE (patch#1)
> * compile rsa-keyprop.c only if necessary (i.e. if
>    CONFIG_RSA_VERIFY_WITH_PKEY) (patch#2)
> * add SPDX license identifier in rsa-keyprop.c (patch#2)
> * include <common.h> instead of <stdio.h> (patch#2)
> * use U-Boot's byteorder helper functions instead of BearSSL's (patch#2)
>

I tried to test Takahiro's patches and have the following problem:

When I add CONFIG_RSA=y, CONFIG_RSA_SOFTWARE_EXP=y to
pine64-lts_defconfig SPL restarts again and again after
"BL31: Preparing for EL3 exit to normal world ... SPSR = 0x3c9".
CONFIG_SPL_RSA does not make a difference. See below

So even without Takahiro's patches RSA is a complete failure on this board.

Best regards

Heinrich

U-Boot SPL 2020.01-00620-g2d2f91a480 (Jan 18 2020 - 20:10:54 +0000)
DRAM: 2048 MiB
Trying to boot from MMC1
NOTICE:  BL31: v2.2(debug):v2.2-351-g5d3ee0764
NOTICE:  BL31: Built : 06:50:11, Jan 17 2020
NOTICE:  BL31: Detected Allwinner A64/H64/R18 SoC (1689)
NOTICE:  BL31: Found U-Boot DTB at 0x408ef20, model: Pine64 LTS
INFO:    ARM GICv2 driver initialized
INFO:    Configuring SPC Controller
INFO:    PMIC: Probing AXP803 on RSB
INFO:    PMIC: dcdc1 voltage: 3.300V
INFO:    PMIC: dcdc5 voltage: 1.200V
INFO:    PMIC: dcdc6 voltage: 1.100V
INFO:    PMIC: dldo1 voltage: 3.300V
INFO:    PMIC: Enabling DC SW
INFO:    BL31: Platform setup done
INFO:    BL31: Initializing runtime services
INFO:    BL31: cortex_a53: CPU workaround for 843419 was applied
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x4a000000
INFO:    SPSR = 0x3c9

U-Boot SPL 2020.01-00620-g2d2f91a480 (Jan 18 2020 - 20:10:54 +0000)
DRAM: 2048 MiB
Trying to boot from MMC1
NOTICE:  BL31: v2.2(debug):v2.2-351-g5d3ee0764
NOTICE:  BL31: Built : 06:50:11, Jan 17 2020
NOTICE:  BL31: Detected Allwinner A64/H64/R18 SoC (1689)
NOTICE:  BL31: Found U-Boot DTB at 0x408ef20, model: Pine64 LTS
INFO:    ARM GICv2 driver initialized
INFO:    Configuring SPC Controller
INFO:    PMIC: Probing AXP803 on RSB
INFO:    PMIC: dcdc1 voltage: 3.300V
INFO:    PMIC: dcdc5 voltage: 1.200V
INFO:    PMIC: dcdc6 voltage: 1.100V
INFO:    PMIC: dldo1 voltage: 3.300V
INFO:    PMIC: Enabling DC SW
INFO:    BL31: Platform setup done
INFO:    BL31: Initializing runtime services
INFO:    BL31: cortex_a53: CPU workaround for 843419 was applied
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x4a000000
INFO:    SPSR = 0x3c9

...

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[AKASHI Takahiro]

Tom, Simon,

On Fri, Jan 17, 2020 at 06:59:44AM +0100, Heinrich Schuchardt wrote:
> On 1/17/20 3:24 AM, AKASHI Takahiro wrote:
> >On Tue, Jan 14, 2020 at 12:43:40PM +0100, Heinrich Schuchardt wrote:
> >>On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
> >>>On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >>>>>In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> >>>>>rsa_verify() will be extended to be able to perform RSA decryption without
> >>>>>additional RSA key properties from FIT image, i.e. rr and n0inv.
> >>>>>
> >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>>>Reviewed-by: Simon Glass <sjg@chromium.org>
> >>>>
> >>>>The patch series does not build for some configurations.
> >>>>
> >>>>>---
> >>>>>  lib/rsa/Kconfig | 14 ++++++++++++++
> >>>>>  1 file changed, 14 insertions(+)
> >>>>>
> >>>>>diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> >>>>>index 03ffa2969048..71e4c06bf883 100644
> >>>>>--- a/lib/rsa/Kconfig
> >>>>>+++ b/lib/rsa/Kconfig
> >>>>>@@ -30,6 +30,20 @@ config RSA_VERIFY
> >>>>>  	help
> >>>>>  	  Add RSA signature verification support.
> >>>>>
> >>>>>+config RSA_VERIFY_WITH_PKEY
> >>>>
> >>>>For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> >>>>I get an error:
> >>>
> >>>This error is inevitable as both RSA_VERIFY_WITH_PKEY and
> >>>RSA_PUBLIC_KEY_PARSER are "select"able configurations with
> >>>visible prompts and then
> >>
> >>No, it is not inevitbable. Just ensure that in the Makefiles all modules
> >>are selected that you need for your configuration.
> >
> >How?
> >Can you please show me a simple solution?
> 

Which is your choice as a maintainer/author of lib/rsa?

In my opinion,

> ifneq($(CONFIG_RSA_VERIFY_WITH_PKEY)$(CONFIG_RSA_PUBLIC_KEY_PARSER),)
> obj-y += foo.o
> endif

I will take this by a process of elimination.

> or
> 
> config RSA_VERIFY_WITH_PKEY
> 	depends on RSA_PUBLIC_KEY_PARSER

I normally use "depends on" to select a subset feature of the target.

> or
> 
> config RSA_VERIFY_WITH_PKEY
> 	select RSA_PUBLIC_KEY_PARSER

Nak, as I said, because RSA_PUBLIC_KEY_PARSER is a visible configuration symbol.

Thanks,
-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> >
> >Thanks,
> >-Takahiro Akashi
> >
> >
> >>>we should generally avoid potential illegal configurations;
> >>
> >>Yes, we want to avoid potentially illegal configurations everywhere.
> >>This is why we have a randconfig build target.
> >>
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>The one should NOT forcibly select the other as the kernel kconfig
> >>>document suggests.
> >>>
> >>>#  Note:
> >>>#        select should be used with care. select will force
> >>>#        a symbol to a value without visiting the dependencies.
> >>>#        By abusing select you are able to select a symbol FOO even
> >>>#        if FOO depends on BAR that is not set.
> >>>#        In general use select only for non-visible symbols
> >>>#        (no prompts anywhere) and for symbols with no dependencies.
> >>>#        That will limit the usefulness but on the other hand avoid
> >>>#        the illegal configurations all over.
> >>>
> >>>-Takahiro Akashi
> >>>
> >>>
> >>>>lib/rsa/rsa-keyprop.c:669: undefined reference to `rsa_parse_pub_key'
> >>>>
> >>>>RSA_PUBLIC_KEY_PARSER depends on
> >>>>ASYMMETRIC_KEY_TYPE [=n] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n]
> >>>>
> >>>>Please, fix the dependencies.
> >>>>
> >>>>Best regards
> >>>>
> >>>>Heinrich
> >>>>
> >>>>>+	bool "Execute RSA verification without key parameters from FDT"
> >>>>>+	depends on RSA
> >>>>>+	help
> >>>>>+	  The standard RSA-signature verification code (FIT_SIGNATURE) uses
> >>>>>+	  pre-calculated key properties, that are stored in fdt blob, in
> >>>>>+	  decrypting a signature.
> >>>>>+	  This does not suit the use case where there is no way defined to
> >>>>>+	  provide such additional key properties in standardized form,
> >>>>>+	  particularly UEFI secure boot.
> >>>>>+	  This options enables RSA signature verification with a public key
> >>>>>+	  directly specified in image_sign_info, where all the necessary
> >>>>>+	  key properties will be calculated on the fly in verification code.
> >>>>>+
> >>>>>  config RSA_SOFTWARE_EXP
> >>>>>  	bool "Enable driver for RSA Modular Exponentiation in software"
> >>>>>  	depends on DM
> >>>>>
> >>>
> >>
> >
> 

[PATCH v4 6/6] test: add rsa_verify() unit test

[AKASHI Takahiro]

On Fri, Jan 17, 2020 at 06:26:34AM +0100, Heinrich Schuchardt wrote:
> On 1/17/20 2:53 AM, AKASHI Takahiro wrote:
> >On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
> >>On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> >>>On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> >>>>
> >>>>
> >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> >>>>>In this patch, a very simple test is added to verify that rsa_verify()
> >>>>>using rsa_verify_with_pkey() work correctly.
> >>>>>
> >>>>>To keep the code simple, all the test data, either public key and
> >>>>>verified binary data, are embedded in the source.
> >>>>>
> >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>>>>---
> >>>>>  test/Kconfig      |  12 +++
> >>>>>  test/lib/Makefile |   1 +
> >>>>>  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> >>>>>  3 files changed, 219 insertions(+)
> >>>>>  create mode 100644 test/lib/rsa.c
> >>>>>
> >>>>>diff --git a/test/Kconfig b/test/Kconfig
> >>>>>index cb7954041eda..64d76c3b20a5 100644
> >>>>>--- a/test/Kconfig
> >>>>>+++ b/test/Kconfig
> >>>>>@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> >>>>>  	  Enables a test which exercises asn1 compiler and decoder function
> >>>>>  	  via various parsers.
> >>>>>
> >>>>>+config UT_LIB_RSA
> >>>>>+	bool "Unit test for rsa_verify() function"
> >>>>>+	imply RSA
> >>>>>+	imply ASYMMETRIC_KEY_TYPE
> >>>>>+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> >>>>>+	imply RSA_PUBLIC_KEY_PARSER
> >>>>>+	imply RSA_VERIFY_WITH_PKEY
> >>>>
> >>>>This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> >>>>executed otherwise.
> >>>
> >>>See below.
> >>>
> >>>>Best regards
> >>>>
> >>>>Heinrich
> >>>>
> >>>>>+	default y
> >>>>>+	help
> >>>>>+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> >>>>>+	  only, at the 'ut lib' command.
> >>>>>+
> >>>>>  endif
> >>>>>
> >>>>>  config UT_TIME
> >>>>>diff --git a/test/lib/Makefile b/test/lib/Makefile
> >>>>>index 72d2ec74b5f4..2bf6ef3935bb 100644
> >>>>>--- a/test/lib/Makefile
> >>>>>+++ b/test/lib/Makefile
> >>>>>@@ -8,3 +8,4 @@ obj-y += lmb.o
> >>>>>  obj-y += string.o
> >>>>>  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> >>>>>  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> >>>>>+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> >>>>>diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> >>>>>new file mode 100644
> >>>>>index 000000000000..44f8ade226f4
> >>>>>--- /dev/null
> >>>>>+++ b/test/lib/rsa.c
> >>>>>@@ -0,0 +1,206 @@
> >>>>>+// SPDX-License-Identifier: GPL-2.0+
> >>>>>+/*
> >>>>>+ * Copyright (c) 2019 Linaro Limited
> >>>>>+ * Author: AKASHI Takahiro
> >>>>>+ *
> >>>>>+ * Unit test for rsa_verify() function
> >>>>>+ */
> >>>>>+
> >>>>>+#include <common.h>
> >>>>>+#include <command.h>
> >>>>>+#include <image.h>
> >>>>>+#include <test/lib.h>
> >>>>>+#include <test/test.h>
> >>>>>+#include <test/ut.h>
> >>>>>+#include <u-boot/rsa.h>
> >>>>>+
> >>>>>+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> >>>>
> >>>>Please, remove this ifdef. Simply do not build this module if
> >>>>CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
> >>>
> >>>That is why I added this #ifdef here to avoid a build error.
> >>>I think it is a good idea to make test code as generic as possible
> >>>to easily add more test cases.
> >>
> >>It is preferable to move configuration dependencies to the Makefile.
> >>
> >>You can create a new C file if you have tests needing a different
> >>configuration.
> >>
> >>test/lib/rsa_verify.c might be a better name for the file.
> >>
> >>In test/Kconfig, please, replace
> >>
> >>config UT_LIB_RSA
> >>         bool "Unit test for rsa_verify() function"
> >>         imply RSA
> >>
> >>by
> >>
> >>config UT_LIB_RSA
> >>         bool "Unit test for rsa_verify() function"
> >>	default y
> >>         depends on RSA
> >
> >Initially in my development code, I did the exact same thing,
> >but I didn't adopt this approach.
> >
> >If we follow your proposal, UT_LIB_RSA won't be selected
> >unless RSA is enabled.
> >So UT_LIB_RSA won't be executed under most existing configurations
> >in the current CI.  This was not what I wanted.
> >
> >What I wanted here is that, if UT (and UT_LIB) is selected, all
> >the configurations needed for enabling all the test cases be
> >also selected *automatically*.
> 
> What I want is that if I run 'make menuconfig' and select CONFIG_UT
> manually I end up with a configuration that compiles and that does what
> I have configured.

Hmm, that is what I intend to do here, but the code doesn't work
as I expected. It works only if CONFIG_UT_LIB_RSA is on in *defconfig.

So I have no option other than changing reverse dependencies as follows,
    CONFIG_UT_LIB_RSA
      select IMAGE_SIGN_INFO
      select RSA
      imply RSA_VERIFY_WITH_PKEY

Using 'select' is still safe as CONFIG_RSA has no dependency.
(Please note we can still use 'imply' for VERIFY_WITH_PKEY here.)

Tom, do you agree to this change?

Thanks,
-Takahiro Akashi

> Just try:
> 
> make wandboard_config
> make menuconfig
> # set CONFIG_UT=y
> # set CONFIG_UT_LIB_RSA=y
> 
> This results in
> 
> CONFIG_RSA=n
> 
> because 'imply RSA' does not switch on CONFIG_RSA in this case.
> 
> You end up with a configuration where the test is selected in .config
> but cannot be executed.
> 
> Please, change your patches such that it is guaranteed that if a test is
> activated in the configuration it is executed by the 'ut all' command.
> 
> Best regards
> 
> Heinrich
> 
> >
> >I think that this is what Tom implied in his comment.
> >
> >Thanks,
> >-Takahiro Akashi
> >
> >
> >>We run all unit tests in Gitlab CI. This requires default=y.
> >>
> >>'imply' gives you no guarantee that RSA is selected. See the build
> >>errors I reported for your other patches in the series.
> >>
> >>Best regards
> >>
> >>Heinrich
> >>
> >>>
> >>>I believe that the original RSA helper functions (w/o WITH_PKEY)
> >>>should also be exercised in a unit test. Otherwise, the code
> >>>will only be exercised indirectly through FIT image verification
> >>>and such a situation will contradict what Tom (or Heinrich?) demanded
> >>>against my RSA patch.
> >>>
> >>>-Takahiro Akashi
> >>>
> >>>>>+/*
> >>>>>+ * openssl genrsa 2048 -out private.pem
> >>>>>+ * openssl rsa -in private.pem -pubout -outform der -out public.der
> >>>>>+ * dd if=public.der of=public.raw bs=24 skip=1
> >>>>>+ */
> >>>>>+static unsigned char public_key[] = {
> >>>>>+	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xca, 0x25, 0x23,
> >>>>>+	0xe0, 0x0a, 0x4d, 0x8f, 0x56, 0xfc, 0xc9, 0x06, 0x4c, 0xcc, 0x94, 0x43,
> >>>>>+	0xe0, 0x56, 0x44, 0x6e, 0x37, 0x54, 0x87, 0x12, 0x84, 0xf9, 0x07, 0x4f,
> >>>>>+	0xe4, 0x23, 0x40, 0xc3, 0x43, 0x84, 0x37, 0x86, 0xd3, 0x9d, 0x95, 0x1c,
> >>>>>+	0xe4, 0x8a, 0x66, 0x02, 0x09, 0xe2, 0x3d, 0xce, 0x2c, 0xc6, 0x02, 0x6a,
> >>>>>+	0xd4, 0x65, 0x61, 0xff, 0x85, 0x6f, 0x88, 0x63, 0xba, 0x31, 0x62, 0x1e,
> >>>>>+	0xb7, 0x95, 0xe9, 0x08, 0x3c, 0xe9, 0x35, 0xde, 0xfd, 0x65, 0x92, 0xb8,
> >>>>>+	0x9e, 0x71, 0xa4, 0xcd, 0x47, 0xfd, 0x04, 0x26, 0xb9, 0x78, 0xbf, 0x05,
> >>>>>+	0x0d, 0xfc, 0x00, 0x84, 0x08, 0xfc, 0xc4, 0x4b, 0xea, 0xf5, 0x97, 0x68,
> >>>>>+	0x0d, 0x97, 0xd7, 0xff, 0x4f, 0x92, 0x82, 0xd7, 0xbb, 0xef, 0xb7, 0x67,
> >>>>>+	0x8e, 0x72, 0x54, 0xe8, 0xc5, 0x9e, 0xfd, 0xd8, 0x38, 0xe9, 0xbe, 0x19,
> >>>>>+	0x37, 0x5b, 0x36, 0x8b, 0xbf, 0x49, 0xa1, 0x59, 0x3a, 0x9d, 0xad, 0x92,
> >>>>>+	0x08, 0x0b, 0xe3, 0xa4, 0xa4, 0x7d, 0xd3, 0x70, 0xc0, 0xb8, 0xfb, 0xc7,
> >>>>>+	0xda, 0xd3, 0x19, 0x86, 0x37, 0x9a, 0xcd, 0xab, 0x30, 0x96, 0xab, 0xa4,
> >>>>>+	0xa2, 0x31, 0xa0, 0x38, 0xfb, 0xbf, 0x85, 0xd3, 0x24, 0x39, 0xed, 0xbf,
> >>>>>+	0xe1, 0x31, 0xed, 0x6c, 0x39, 0xc1, 0xe5, 0x05, 0x2e, 0x12, 0x30, 0x36,
> >>>>>+	0x73, 0x5d, 0x62, 0xf3, 0x82, 0xaf, 0x38, 0xc8, 0xca, 0xfa, 0xa1, 0x99,
> >>>>>+	0x57, 0x3c, 0xe1, 0xc1, 0x7b, 0x05, 0x0b, 0xcc, 0x2e, 0xa9, 0x10, 0xc8,
> >>>>>+	0x68, 0xbd, 0x27, 0xb6, 0x19, 0x9c, 0xd2, 0xad, 0xb3, 0x1f, 0xca, 0x35,
> >>>>>+	0x6e, 0x84, 0x23, 0xa1, 0xe9, 0xa4, 0x4c, 0xab, 0x19, 0x09, 0x79, 0x6e,
> >>>>>+	0x3c, 0x7b, 0x74, 0xfc, 0x33, 0x05, 0xcf, 0xa4, 0x2e, 0xeb, 0x55, 0x60,
> >>>>>+	0x05, 0xc7, 0xcf, 0x3f, 0x92, 0xac, 0x2d, 0x69, 0x0b, 0x19, 0x16, 0x79,
> >>>>>+	0x75, 0x02, 0x03, 0x01, 0x00, 0x01
> >>>>>+};
> >>>>>+
> >>>>>+static unsigned int public_key_len = 270;
> >>>>>+
> >>>>>+/*
> >>>>>+ * dd if=/dev/urandom of=data.raw bs=512 count=1
> >>>>>+ */
> >>>>>+static unsigned char data_raw[] = {
> >>>>>+	0x3e, 0x48, 0x6e, 0xef, 0x83, 0xd1, 0x4c, 0xfd, 0x92, 0x47, 0x92, 0xd7,
> >>>>>+	0xf6, 0x16, 0x25, 0x0a, 0xdf, 0xe2, 0xb6, 0x6c, 0xe7, 0xe0, 0x55, 0xb2,
> >>>>>+	0x70, 0x66, 0xf0, 0xe5, 0xdc, 0xaf, 0xd3, 0x2e, 0xc1, 0x3e, 0x5c, 0x4b,
> >>>>>+	0xb5, 0xa7, 0x23, 0x1f, 0x2c, 0xce, 0xf8, 0x83, 0x00, 0x6d, 0xeb, 0xdd,
> >>>>>+	0x19, 0x71, 0x13, 0xb4, 0xae, 0x5c, 0xa8, 0xae, 0x52, 0xc8, 0xe1, 0x77,
> >>>>>+	0x9e, 0x98, 0x75, 0xbc, 0xef, 0x36, 0x9f, 0x0c, 0x14, 0xed, 0x1a, 0x0a,
> >>>>>+	0x4f, 0x6c, 0xa4, 0xb1, 0xbb, 0x0e, 0x43, 0x93, 0x12, 0xfc, 0x2e, 0x82,
> >>>>>+	0x93, 0x4e, 0xcb, 0xa2, 0xcd, 0x59, 0x3f, 0xc5, 0x11, 0x38, 0x3a, 0x88,
> >>>>>+	0xc3, 0xcf, 0xf9, 0x61, 0xa8, 0x9e, 0x96, 0xb6, 0xbf, 0xa6, 0x5b, 0x0d,
> >>>>>+	0xd9, 0xbd, 0x05, 0x4c, 0xbe, 0xed, 0x86, 0xca, 0x10, 0x63, 0x72, 0x75,
> >>>>>+	0x4b, 0xbd, 0x86, 0x42, 0x30, 0x9d, 0x54, 0x4e, 0x12, 0xda, 0xf4, 0xb4,
> >>>>>+	0xfd, 0xd9, 0x54, 0x95, 0x8f, 0x83, 0xc2, 0x63, 0x44, 0xdd, 0x96, 0x1a,
> >>>>>+	0xd0, 0x7c, 0xcf, 0xcb, 0x16, 0xd6, 0xff, 0xa3, 0xbb, 0xeb, 0x24, 0x06,
> >>>>>+	0xbf, 0x81, 0xd0, 0x29, 0x76, 0x19, 0x66, 0x84, 0xfc, 0x49, 0xde, 0x7b,
> >>>>>+	0x5d, 0xd2, 0x27, 0x58, 0x21, 0x7b, 0xff, 0x4d, 0x64, 0xf3, 0x89, 0xe3,
> >>>>>+	0xea, 0xb6, 0x54, 0x4e, 0xb1, 0x62, 0x52, 0x89, 0xe3, 0x22, 0xf2, 0x26,
> >>>>>+	0x3e, 0x4f, 0x43, 0x58, 0x78, 0x91, 0x55, 0xbc, 0x1e, 0xd6, 0x97, 0xfc,
> >>>>>+	0x0b, 0x85, 0x4c, 0x92, 0x9c, 0xbf, 0xc4, 0xb1, 0x62, 0x93, 0x27, 0xa9,
> >>>>>+	0xb2, 0xf4, 0xb4, 0x7a, 0xfb, 0x56, 0xe5, 0x8f, 0xe1, 0x94, 0x4d, 0xfd,
> >>>>>+	0xe4, 0x72, 0x8d, 0xa9, 0x71, 0x65, 0xcb, 0x2e, 0x6d, 0x39, 0xd5, 0x95,
> >>>>>+	0xe7, 0x3f, 0xab, 0xaa, 0x7a, 0x74, 0x84, 0x25, 0x4b, 0x42, 0x1e, 0xd3,
> >>>>>+	0x86, 0xca, 0x47, 0x4a, 0xf0, 0x24, 0x81, 0x24, 0xb0, 0xe1, 0xbb, 0x6c,
> >>>>>+	0x3f, 0x2a, 0xa0, 0xb8, 0xeb, 0xd6, 0x01, 0xce, 0x63, 0x51, 0xe1, 0x81,
> >>>>>+	0xd2, 0x32, 0x43, 0x56, 0x44, 0x4a, 0x6b, 0x51, 0x24, 0xa2, 0xc7, 0x39,
> >>>>>+	0x7c, 0x54, 0xda, 0xf8, 0xd4, 0x93, 0x7c, 0x8e, 0x4e, 0x9d, 0x15, 0x08,
> >>>>>+	0xce, 0x27, 0xd8, 0x28, 0xb0, 0x5b, 0x75, 0x32, 0x43, 0xe8, 0xd6, 0xbf,
> >>>>>+	0x12, 0xd5, 0xc5, 0x12, 0x8e, 0xeb, 0x77, 0x8f, 0x00, 0xde, 0x45, 0x1e,
> >>>>>+	0xdd, 0xf3, 0xef, 0x43, 0x99, 0x79, 0x86, 0xea, 0x01, 0xce, 0xf2, 0x4d,
> >>>>>+	0xa0, 0xfe, 0x5a, 0x55, 0xc0, 0x1f, 0xce, 0xe8, 0xbe, 0xc2, 0x66, 0xdb,
> >>>>>+	0xcb, 0x3f, 0xa5, 0x48, 0xa1, 0xe2, 0x49, 0xa1, 0x29, 0x65, 0x5b, 0x62,
> >>>>>+	0x39, 0xcc, 0xef, 0xbe, 0x86, 0xb7, 0xe3, 0x44, 0x67, 0x04, 0x04, 0xb1,
> >>>>>+	0xec, 0xd8, 0xb2, 0xb2, 0x38, 0xbc, 0x10, 0xea, 0x7a, 0x0e, 0xa4, 0xa4,
> >>>>>+	0xcb, 0x21, 0xd9, 0xc7, 0xb4, 0x0b, 0xb8, 0x39, 0xb4, 0x07, 0x53, 0x3f,
> >>>>>+	0xb9, 0x55, 0x55, 0xa1, 0x6f, 0x11, 0x49, 0xc0, 0x94, 0x77, 0xaf, 0x76,
> >>>>>+	0x97, 0x7f, 0x31, 0x08, 0xdd, 0x72, 0x48, 0x72, 0xf8, 0x11, 0x4f, 0x69,
> >>>>>+	0x10, 0xef, 0x23, 0x06, 0xf3, 0x34, 0xac, 0xee, 0x97, 0x89, 0x41, 0x1c,
> >>>>>+	0x36, 0x38, 0xb1, 0x80, 0x96, 0x7a, 0x9e, 0x72, 0xab, 0x25, 0xeb, 0xce,
> >>>>>+	0x7b, 0xb8, 0x5d, 0xc8, 0xef, 0xa4, 0x73, 0xa1, 0xa6, 0x8f, 0x01, 0x54,
> >>>>>+	0xce, 0x58, 0x19, 0xe5, 0x7e, 0xfa, 0x77, 0x08, 0x9d, 0x53, 0xc1, 0xcc,
> >>>>>+	0x08, 0xe8, 0x1d, 0xe0, 0x82, 0x5e, 0xe1, 0xe6, 0xbd, 0xbb, 0x59, 0x7e,
> >>>>>+	0x12, 0x9c, 0x39, 0x60, 0x23, 0xf7, 0xbe, 0x0a, 0x7c, 0x48, 0x12, 0xa0,
> >>>>>+	0x84, 0x04, 0x3f, 0xa1, 0x6e, 0x92, 0xcd, 0xa0, 0xac, 0xee, 0x0b, 0xbc,
> >>>>>+	0x18, 0x30, 0x28, 0xbd, 0xf5, 0xfa, 0x3a, 0x35
> >>>>>+};
> >>>>>+
> >>>>>+static unsigned int data_raw_len = 512;
> >>>>>+
> >>>>>+/*
> >>>>>+ * openssl dgst -sha256 -sign private.key -out data.enc data.raw
> >>>>>+ */
> >>>>>+unsigned char data_enc[] = {
> >>>>>+	0xa7, 0x4a, 0x12, 0x8f, 0xee, 0x65, 0x4b, 0xcd, 0x88, 0xca, 0x4d, 0xed,
> >>>>>+	0xe3, 0x04, 0xe7, 0x7c, 0x59, 0xbf, 0x2f, 0xad, 0x95, 0x73, 0x5b, 0x2c,
> >>>>>+	0x4e, 0xb5, 0xda, 0x5e, 0x3a, 0x6d, 0xb4, 0xc5, 0x84, 0x0c, 0xd2, 0x4a,
> >>>>>+	0x62, 0x0d, 0x5f, 0xba, 0x10, 0xee, 0xb1, 0x2a, 0xe1, 0xfe, 0x50, 0x18,
> >>>>>+	0x97, 0xcc, 0xea, 0x26, 0x62, 0x33, 0x5a, 0x1d, 0x51, 0x38, 0x52, 0x89,
> >>>>>+	0x4d, 0xa7, 0x18, 0xff, 0xa6, 0xc8, 0xd4, 0x7a, 0xc0, 0xa6, 0x22, 0xdf,
> >>>>>+	0x41, 0x89, 0x93, 0x9b, 0xe7, 0x9e, 0xc1, 0xc8, 0x80, 0xda, 0x1a, 0x3f,
> >>>>>+	0xa4, 0x7a, 0xd0, 0x07, 0xcb, 0x5c, 0xa4, 0x75, 0x12, 0x54, 0x78, 0x67,
> >>>>>+	0xbf, 0xe6, 0xae, 0x1e, 0x56, 0x33, 0x9e, 0xe0, 0x6e, 0x33, 0xa7, 0x58,
> >>>>>+	0xb0, 0x47, 0x49, 0xa8, 0x37, 0xdb, 0x82, 0x4b, 0xbd, 0x32, 0x9c, 0xdc,
> >>>>>+	0xf4, 0x67, 0x17, 0x24, 0x55, 0xfd, 0x83, 0x1e, 0xc8, 0xb4, 0x5c, 0xf9,
> >>>>>+	0x15, 0x6c, 0x5e, 0xaa, 0x72, 0x03, 0x9e, 0x7c, 0x17, 0xf5, 0x7c, 0x37,
> >>>>>+	0x96, 0x00, 0xb0, 0xd8, 0xaa, 0x05, 0xfa, 0xaa, 0xa1, 0x78, 0x77, 0xd5,
> >>>>>+	0x09, 0xdd, 0x05, 0xc7, 0xe2, 0x9f, 0x68, 0xc7, 0xf8, 0xfb, 0x0b, 0x6f,
> >>>>>+	0x18, 0x1e, 0xcc, 0x93, 0xd3, 0x3f, 0xc9, 0x26, 0x29, 0x64, 0xe7, 0x15,
> >>>>>+	0xdc, 0xb8, 0x19, 0x10, 0x24, 0x55, 0x55, 0x3b, 0x79, 0xa1, 0x65, 0x12,
> >>>>>+	0xe0, 0x0b, 0x88, 0x44, 0x4c, 0xea, 0x85, 0x5a, 0x6b, 0x2d, 0x45, 0x6e,
> >>>>>+	0xe7, 0x83, 0x6f, 0x3a, 0xaa, 0x1e, 0xf1, 0x9c, 0x8f, 0xdc, 0xb9, 0x37,
> >>>>>+	0xa2, 0x15, 0x61, 0x93, 0x06, 0x23, 0xf5, 0xfe, 0xf0, 0xf8, 0x2b, 0xf7,
> >>>>>+	0xc0, 0x68, 0x67, 0xf6, 0x4e, 0x08, 0x0d, 0x0d, 0x08, 0xbe, 0xfb, 0x2c,
> >>>>>+	0x4c, 0xe7, 0xd7, 0x1a, 0xad, 0xd9, 0x98, 0xa1, 0x8d, 0x94, 0x1c, 0xd1,
> >>>>>+	0x89, 0x06, 0xc9, 0x3a
> >>>>>+};
> >>>>>+
> >>>>>+static unsigned int data_enc_len = 256;
> >>>>>+
> >>>>>+/**
> >>>>>+ * lib_rsa_verify_valid() - unit test for rsa_verify()
> >>>>>+ *
> >>>>>+ * Test rsa_verify() with valid hash
> >>>>>+ *
> >>>>>+ * @uts:	unit test state
> >>>>>+ * Return:	0 = success, 1 = failure
> >>>>>+ */
> >>>>>+static int lib_rsa_verify_valid(struct unit_test_state *uts)
> >>>>>+{
> >>>>>+	struct image_sign_info info;
> >>>>>+	struct image_region reg;
> >>>>>+	int ret;
> >>>>>+
> >>>>>+	memset(&info, '\0', sizeof(info));
> >>>>>+	info.name = "sha256,rsa2048";
> >>>>>+	info.padding = image_get_padding_algo("pkcs-1.5");
> >>>>>+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >>>>>+	info.crypto = image_get_crypto_algo(info.name);
> >>>>>+
> >>>>>+	info.key = public_key;
> >>>>>+	info.keylen = public_key_len;
> >>>>>+
> >>>>>+	reg.data = data_raw;
> >>>>>+	reg.size = data_raw_len;
> >>>>>+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >>>>>+	ut_assertf(ret == 0, "verification unexpectedly failed (%d)\n", ret);
> >>>>>+
> >>>>>+	return CMD_RET_SUCCESS;
> >>>>>+}
> >>>>>+
> >>>>>+LIB_TEST(lib_rsa_verify_valid, 0);
> >>>>>+
> >>>>>+/**
> >>>>>+ * lib_rsa_verify_invalid() - unit test for rsa_verify()
> >>>>>+ *
> >>>>>+ * Test rsa_verify() with invalid hash
> >>>>>+ *
> >>>>>+ * @uts:	unit test state
> >>>>>+ * Return:	0 = success, 1 = failure
> >>>>>+ */
> >>>>>+static int lib_rsa_verify_invalid(struct unit_test_state *uts)
> >>>>>+{
> >>>>>+	struct image_sign_info info;
> >>>>>+	struct image_region reg;
> >>>>>+	unsigned char ctmp;
> >>>>>+	int ret;
> >>>>>+
> >>>>>+	memset(&info, '\0', sizeof(info));
> >>>>>+	info.name = "sha256,rsa2048";
> >>>>>+	info.padding = image_get_padding_algo("pkcs-1.5");
> >>>>>+	info.checksum = image_get_checksum_algo("sha256,rsa2048");
> >>>>>+	info.crypto = image_get_crypto_algo(info.name);
> >>>>>+
> >>>>>+	info.key = public_key;
> >>>>>+	info.keylen = public_key_len;
> >>>>>+
> >>>>>+	/* randomly corrupt enc'ed data */
> >>>>>+	ctmp = data_enc[data_enc_len - 10];
> >>>>>+	data_enc[data_enc_len - 10] = 0x12;
> >>>>>+
> >>>>>+	reg.data = data_raw;
> >>>>>+	reg.size = data_raw_len;
> >>>>>+	ret = rsa_verify(&info, &reg, 1, data_enc, data_enc_len);
> >>>>>+
> >>>>>+	/* revert a change */
> >>>>>+	data_enc[data_enc_len - 10] = ctmp;
> >>>>>+
> >>>>>+	ut_assertf(ret != 0, "verification unexpectedly succeeded\n");
> >>>>>+
> >>>>>+	return CMD_RET_SUCCESS;
> >>>>>+}
> >>>>>+
> >>>>>+LIB_TEST(lib_rsa_verify_invalid, 0);
> >>>>>+#endif /* RSA_VERIFY_WITH_PKEY */
> >>>>>
> >>>
> >>
> >
> 

[PATCH v4 2/6] rsa: add CONFIG_RSA_VERIFY_WITH_PKEY config

[Tom Rini]

On Tue, Jan 21, 2020 at 01:29:58PM +0900, AKASHI Takahiro wrote:
> Tom, Simon,
> 
> On Fri, Jan 17, 2020 at 06:59:44AM +0100, Heinrich Schuchardt wrote:
> > On 1/17/20 3:24 AM, AKASHI Takahiro wrote:
> > >On Tue, Jan 14, 2020 at 12:43:40PM +0100, Heinrich Schuchardt wrote:
> > >>On 1/14/20 8:45 AM, AKASHI Takahiro wrote:
> > >>>On Wed, Jan 08, 2020 at 01:35:13PM +0100, Heinrich Schuchardt wrote:
> > >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> > >>>>>In the next couple of commits, under new CONFIG_RSA_VERIFY_WITH_PKEY,
> > >>>>>rsa_verify() will be extended to be able to perform RSA decryption without
> > >>>>>additional RSA key properties from FIT image, i.e. rr and n0inv.
> > >>>>>
> > >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > >>>>>Reviewed-by: Simon Glass <sjg@chromium.org>
> > >>>>
> > >>>>The patch series does not build for some configurations.
> > >>>>
> > >>>>>---
> > >>>>>  lib/rsa/Kconfig | 14 ++++++++++++++
> > >>>>>  1 file changed, 14 insertions(+)
> > >>>>>
> > >>>>>diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
> > >>>>>index 03ffa2969048..71e4c06bf883 100644
> > >>>>>--- a/lib/rsa/Kconfig
> > >>>>>+++ b/lib/rsa/Kconfig
> > >>>>>@@ -30,6 +30,20 @@ config RSA_VERIFY
> > >>>>>  	help
> > >>>>>  	  Add RSA signature verification support.
> > >>>>>
> > >>>>>+config RSA_VERIFY_WITH_PKEY
> > >>>>
> > >>>>For CONFIG_RSA_VERIFY_WITH_PKEY=y and CONFIG_RSA_PUBLIC_KEY_PARSER=n
> > >>>>I get an error:
> > >>>
> > >>>This error is inevitable as both RSA_VERIFY_WITH_PKEY and
> > >>>RSA_PUBLIC_KEY_PARSER are "select"able configurations with
> > >>>visible prompts and then
> > >>
> > >>No, it is not inevitbable. Just ensure that in the Makefiles all modules
> > >>are selected that you need for your configuration.
> > >
> > >How?
> > >Can you please show me a simple solution?
> > 
> 
> Which is your choice as a maintainer/author of lib/rsa?
> 
> In my opinion,
> 
> > ifneq($(CONFIG_RSA_VERIFY_WITH_PKEY)$(CONFIG_RSA_PUBLIC_KEY_PARSER),)
> > obj-y += foo.o
> > endif
> 
> I will take this by a process of elimination.
> 
> > or
> > 
> > config RSA_VERIFY_WITH_PKEY
> > 	depends on RSA_PUBLIC_KEY_PARSER
> 
> I normally use "depends on" to select a subset feature of the target.
> 
> > or
> > 
> > config RSA_VERIFY_WITH_PKEY
> > 	select RSA_PUBLIC_KEY_PARSER
> 
> Nak, as I said, because RSA_PUBLIC_KEY_PARSER is a visible configuration symbol.

This is getting a bit complicated.  So, if and only if
RSA_VERIFY_WITH_PKEY and RSA_PUBLIC_KEY_PARSER can be functional without
the other enabled:
obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += verify-with-pkey.o common-thing.o
obj-$(CONFIG_RSA_PUBLIC_KEY_PARSER) += public-key-parser.o common-thing.o
and we don't need to do anything extra with depends/select.  There's
nothing wrong with listing an object multiple times, it gets sorted
correctly.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200121/13c000ca/attachment.sig>

[PATCH v4 6/6] test: add rsa_verify() unit test

[Tom Rini]

On Tue, Jan 21, 2020 at 02:48:52PM +0900, AKASHI Takahiro wrote:
> On Fri, Jan 17, 2020 at 06:26:34AM +0100, Heinrich Schuchardt wrote:
> > On 1/17/20 2:53 AM, AKASHI Takahiro wrote:
> > >On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
> > >>On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> > >>>On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> > >>>>
> > >>>>
> > >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> > >>>>>In this patch, a very simple test is added to verify that rsa_verify()
> > >>>>>using rsa_verify_with_pkey() work correctly.
> > >>>>>
> > >>>>>To keep the code simple, all the test data, either public key and
> > >>>>>verified binary data, are embedded in the source.
> > >>>>>
> > >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > >>>>>---
> > >>>>>  test/Kconfig      |  12 +++
> > >>>>>  test/lib/Makefile |   1 +
> > >>>>>  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> > >>>>>  3 files changed, 219 insertions(+)
> > >>>>>  create mode 100644 test/lib/rsa.c
> > >>>>>
> > >>>>>diff --git a/test/Kconfig b/test/Kconfig
> > >>>>>index cb7954041eda..64d76c3b20a5 100644
> > >>>>>--- a/test/Kconfig
> > >>>>>+++ b/test/Kconfig
> > >>>>>@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> > >>>>>  	  Enables a test which exercises asn1 compiler and decoder function
> > >>>>>  	  via various parsers.
> > >>>>>
> > >>>>>+config UT_LIB_RSA
> > >>>>>+	bool "Unit test for rsa_verify() function"
> > >>>>>+	imply RSA
> > >>>>>+	imply ASYMMETRIC_KEY_TYPE
> > >>>>>+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > >>>>>+	imply RSA_PUBLIC_KEY_PARSER
> > >>>>>+	imply RSA_VERIFY_WITH_PKEY
> > >>>>
> > >>>>This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> > >>>>executed otherwise.
> > >>>
> > >>>See below.
> > >>>
> > >>>>Best regards
> > >>>>
> > >>>>Heinrich
> > >>>>
> > >>>>>+	default y
> > >>>>>+	help
> > >>>>>+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> > >>>>>+	  only, at the 'ut lib' command.
> > >>>>>+
> > >>>>>  endif
> > >>>>>
> > >>>>>  config UT_TIME
> > >>>>>diff --git a/test/lib/Makefile b/test/lib/Makefile
> > >>>>>index 72d2ec74b5f4..2bf6ef3935bb 100644
> > >>>>>--- a/test/lib/Makefile
> > >>>>>+++ b/test/lib/Makefile
> > >>>>>@@ -8,3 +8,4 @@ obj-y += lmb.o
> > >>>>>  obj-y += string.o
> > >>>>>  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> > >>>>>  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> > >>>>>+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> > >>>>>diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> > >>>>>new file mode 100644
> > >>>>>index 000000000000..44f8ade226f4
> > >>>>>--- /dev/null
> > >>>>>+++ b/test/lib/rsa.c
> > >>>>>@@ -0,0 +1,206 @@
> > >>>>>+// SPDX-License-Identifier: GPL-2.0+
> > >>>>>+/*
> > >>>>>+ * Copyright (c) 2019 Linaro Limited
> > >>>>>+ * Author: AKASHI Takahiro
> > >>>>>+ *
> > >>>>>+ * Unit test for rsa_verify() function
> > >>>>>+ */
> > >>>>>+
> > >>>>>+#include <common.h>
> > >>>>>+#include <command.h>
> > >>>>>+#include <image.h>
> > >>>>>+#include <test/lib.h>
> > >>>>>+#include <test/test.h>
> > >>>>>+#include <test/ut.h>
> > >>>>>+#include <u-boot/rsa.h>
> > >>>>>+
> > >>>>>+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> > >>>>
> > >>>>Please, remove this ifdef. Simply do not build this module if
> > >>>>CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
> > >>>
> > >>>That is why I added this #ifdef here to avoid a build error.
> > >>>I think it is a good idea to make test code as generic as possible
> > >>>to easily add more test cases.
> > >>
> > >>It is preferable to move configuration dependencies to the Makefile.
> > >>
> > >>You can create a new C file if you have tests needing a different
> > >>configuration.
> > >>
> > >>test/lib/rsa_verify.c might be a better name for the file.
> > >>
> > >>In test/Kconfig, please, replace
> > >>
> > >>config UT_LIB_RSA
> > >>         bool "Unit test for rsa_verify() function"
> > >>         imply RSA
> > >>
> > >>by
> > >>
> > >>config UT_LIB_RSA
> > >>         bool "Unit test for rsa_verify() function"
> > >>	default y
> > >>         depends on RSA
> > >
> > >Initially in my development code, I did the exact same thing,
> > >but I didn't adopt this approach.
> > >
> > >If we follow your proposal, UT_LIB_RSA won't be selected
> > >unless RSA is enabled.
> > >So UT_LIB_RSA won't be executed under most existing configurations
> > >in the current CI.  This was not what I wanted.
> > >
> > >What I wanted here is that, if UT (and UT_LIB) is selected, all
> > >the configurations needed for enabling all the test cases be
> > >also selected *automatically*.
> > 
> > What I want is that if I run 'make menuconfig' and select CONFIG_UT
> > manually I end up with a configuration that compiles and that does what
> > I have configured.
> 
> Hmm, that is what I intend to do here, but the code doesn't work
> as I expected. It works only if CONFIG_UT_LIB_RSA is on in *defconfig.
> 
> So I have no option other than changing reverse dependencies as follows,
>     CONFIG_UT_LIB_RSA
>       select IMAGE_SIGN_INFO
>       select RSA
>       imply RSA_VERIFY_WITH_PKEY
> 
> Using 'select' is still safe as CONFIG_RSA has no dependency.
> (Please note we can still use 'imply' for VERIFY_WITH_PKEY here.)
> 
> Tom, do you agree to this change?

OK, my fault for not spotting it before.  Using imply (as we do today on
UT_LIB_ASN1) is wrong.  All of the tests should "depends on" what they
need in order to function.  Thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200121/0c9530f9/attachment.sig>

[PATCH v4 6/6] test: add rsa_verify() unit test

[AKASHI Takahiro]

On Tue, Jan 21, 2020 at 10:40:23AM -0500, Tom Rini wrote:
> On Tue, Jan 21, 2020 at 02:48:52PM +0900, AKASHI Takahiro wrote:
> > On Fri, Jan 17, 2020 at 06:26:34AM +0100, Heinrich Schuchardt wrote:
> > > On 1/17/20 2:53 AM, AKASHI Takahiro wrote:
> > > >On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
> > > >>On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> > > >>>On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> > > >>>>
> > > >>>>
> > > >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> > > >>>>>In this patch, a very simple test is added to verify that rsa_verify()
> > > >>>>>using rsa_verify_with_pkey() work correctly.
> > > >>>>>
> > > >>>>>To keep the code simple, all the test data, either public key and
> > > >>>>>verified binary data, are embedded in the source.
> > > >>>>>
> > > >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > >>>>>---
> > > >>>>>  test/Kconfig      |  12 +++
> > > >>>>>  test/lib/Makefile |   1 +
> > > >>>>>  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> > > >>>>>  3 files changed, 219 insertions(+)
> > > >>>>>  create mode 100644 test/lib/rsa.c
> > > >>>>>
> > > >>>>>diff --git a/test/Kconfig b/test/Kconfig
> > > >>>>>index cb7954041eda..64d76c3b20a5 100644
> > > >>>>>--- a/test/Kconfig
> > > >>>>>+++ b/test/Kconfig
> > > >>>>>@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> > > >>>>>  	  Enables a test which exercises asn1 compiler and decoder function
> > > >>>>>  	  via various parsers.
> > > >>>>>
> > > >>>>>+config UT_LIB_RSA
> > > >>>>>+	bool "Unit test for rsa_verify() function"
> > > >>>>>+	imply RSA
> > > >>>>>+	imply ASYMMETRIC_KEY_TYPE
> > > >>>>>+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > > >>>>>+	imply RSA_PUBLIC_KEY_PARSER
> > > >>>>>+	imply RSA_VERIFY_WITH_PKEY
> > > >>>>
> > > >>>>This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> > > >>>>executed otherwise.
> > > >>>
> > > >>>See below.
> > > >>>
> > > >>>>Best regards
> > > >>>>
> > > >>>>Heinrich
> > > >>>>
> > > >>>>>+	default y
> > > >>>>>+	help
> > > >>>>>+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> > > >>>>>+	  only, at the 'ut lib' command.
> > > >>>>>+
> > > >>>>>  endif
> > > >>>>>
> > > >>>>>  config UT_TIME
> > > >>>>>diff --git a/test/lib/Makefile b/test/lib/Makefile
> > > >>>>>index 72d2ec74b5f4..2bf6ef3935bb 100644
> > > >>>>>--- a/test/lib/Makefile
> > > >>>>>+++ b/test/lib/Makefile
> > > >>>>>@@ -8,3 +8,4 @@ obj-y += lmb.o
> > > >>>>>  obj-y += string.o
> > > >>>>>  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> > > >>>>>  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> > > >>>>>+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> > > >>>>>diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> > > >>>>>new file mode 100644
> > > >>>>>index 000000000000..44f8ade226f4
> > > >>>>>--- /dev/null
> > > >>>>>+++ b/test/lib/rsa.c
> > > >>>>>@@ -0,0 +1,206 @@
> > > >>>>>+// SPDX-License-Identifier: GPL-2.0+
> > > >>>>>+/*
> > > >>>>>+ * Copyright (c) 2019 Linaro Limited
> > > >>>>>+ * Author: AKASHI Takahiro
> > > >>>>>+ *
> > > >>>>>+ * Unit test for rsa_verify() function
> > > >>>>>+ */
> > > >>>>>+
> > > >>>>>+#include <common.h>
> > > >>>>>+#include <command.h>
> > > >>>>>+#include <image.h>
> > > >>>>>+#include <test/lib.h>
> > > >>>>>+#include <test/test.h>
> > > >>>>>+#include <test/ut.h>
> > > >>>>>+#include <u-boot/rsa.h>
> > > >>>>>+
> > > >>>>>+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> > > >>>>
> > > >>>>Please, remove this ifdef. Simply do not build this module if
> > > >>>>CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
> > > >>>
> > > >>>That is why I added this #ifdef here to avoid a build error.
> > > >>>I think it is a good idea to make test code as generic as possible
> > > >>>to easily add more test cases.
> > > >>
> > > >>It is preferable to move configuration dependencies to the Makefile.
> > > >>
> > > >>You can create a new C file if you have tests needing a different
> > > >>configuration.
> > > >>
> > > >>test/lib/rsa_verify.c might be a better name for the file.
> > > >>
> > > >>In test/Kconfig, please, replace
> > > >>
> > > >>config UT_LIB_RSA
> > > >>         bool "Unit test for rsa_verify() function"
> > > >>         imply RSA
> > > >>
> > > >>by
> > > >>
> > > >>config UT_LIB_RSA
> > > >>         bool "Unit test for rsa_verify() function"
> > > >>	default y
> > > >>         depends on RSA
> > > >
> > > >Initially in my development code, I did the exact same thing,
> > > >but I didn't adopt this approach.
> > > >
> > > >If we follow your proposal, UT_LIB_RSA won't be selected
> > > >unless RSA is enabled.
> > > >So UT_LIB_RSA won't be executed under most existing configurations
> > > >in the current CI.  This was not what I wanted.
> > > >
> > > >What I wanted here is that, if UT (and UT_LIB) is selected, all
> > > >the configurations needed for enabling all the test cases be
> > > >also selected *automatically*.
> > > 
> > > What I want is that if I run 'make menuconfig' and select CONFIG_UT
> > > manually I end up with a configuration that compiles and that does what
> > > I have configured.
> > 
> > Hmm, that is what I intend to do here, but the code doesn't work
> > as I expected. It works only if CONFIG_UT_LIB_RSA is on in *defconfig.
> > 
> > So I have no option other than changing reverse dependencies as follows,
> >     CONFIG_UT_LIB_RSA
> >       select IMAGE_SIGN_INFO
> >       select RSA
> >       imply RSA_VERIFY_WITH_PKEY
> > 
> > Using 'select' is still safe as CONFIG_RSA has no dependency.
> > (Please note we can still use 'imply' for VERIFY_WITH_PKEY here.)
> > 
> > Tom, do you agree to this change?
> 
> OK, my fault for not spotting it before.  Using imply (as we do today on
> UT_LIB_ASN1) is wrong.  All of the tests should "depends on" what they
> need in order to function.  Thanks!

I know that using "depends on" is an obvious solution here, but
in that case, we won't run those tests automatically in CI unless
the dependency targets, like CONFIG_RSA, are explicitly or
implicitly enabled by *defconfig.

Is that OK for you?

-Takahiro Akashi

> -- 
> Tom

[PATCH v4 6/6] test: add rsa_verify() unit test

[Tom Rini]

On Wed, Jan 22, 2020 at 09:22:42AM +0900, AKASHI Takahiro wrote:
> On Tue, Jan 21, 2020 at 10:40:23AM -0500, Tom Rini wrote:
> > On Tue, Jan 21, 2020 at 02:48:52PM +0900, AKASHI Takahiro wrote:
> > > On Fri, Jan 17, 2020 at 06:26:34AM +0100, Heinrich Schuchardt wrote:
> > > > On 1/17/20 2:53 AM, AKASHI Takahiro wrote:
> > > > >On Tue, Jan 14, 2020 at 01:04:58PM +0100, Heinrich Schuchardt wrote:
> > > > >>On 1/14/20 8:33 AM, AKASHI Takahiro wrote:
> > > > >>>On Wed, Jan 08, 2020 at 06:43:51PM +0100, Heinrich Schuchardt wrote:
> > > > >>>>
> > > > >>>>
> > > > >>>>On 11/21/19 1:11 AM, AKASHI Takahiro wrote:
> > > > >>>>>In this patch, a very simple test is added to verify that rsa_verify()
> > > > >>>>>using rsa_verify_with_pkey() work correctly.
> > > > >>>>>
> > > > >>>>>To keep the code simple, all the test data, either public key and
> > > > >>>>>verified binary data, are embedded in the source.
> > > > >>>>>
> > > > >>>>>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > >>>>>---
> > > > >>>>>  test/Kconfig      |  12 +++
> > > > >>>>>  test/lib/Makefile |   1 +
> > > > >>>>>  test/lib/rsa.c    | 206 ++++++++++++++++++++++++++++++++++++++++++++++
> > > > >>>>>  3 files changed, 219 insertions(+)
> > > > >>>>>  create mode 100644 test/lib/rsa.c
> > > > >>>>>
> > > > >>>>>diff --git a/test/Kconfig b/test/Kconfig
> > > > >>>>>index cb7954041eda..64d76c3b20a5 100644
> > > > >>>>>--- a/test/Kconfig
> > > > >>>>>+++ b/test/Kconfig
> > > > >>>>>@@ -28,6 +28,18 @@ config UT_LIB_ASN1
> > > > >>>>>  	  Enables a test which exercises asn1 compiler and decoder function
> > > > >>>>>  	  via various parsers.
> > > > >>>>>
> > > > >>>>>+config UT_LIB_RSA
> > > > >>>>>+	bool "Unit test for rsa_verify() function"
> > > > >>>>>+	imply RSA
> > > > >>>>>+	imply ASYMMETRIC_KEY_TYPE
> > > > >>>>>+	imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > > > >>>>>+	imply RSA_PUBLIC_KEY_PARSER
> > > > >>>>>+	imply RSA_VERIFY_WITH_PKEY
> > > > >>>>
> > > > >>>>This test should depend on RSA_VERIFY_WITH_PKEY because is cannot be
> > > > >>>>executed otherwise.
> > > > >>>
> > > > >>>See below.
> > > > >>>
> > > > >>>>Best regards
> > > > >>>>
> > > > >>>>Heinrich
> > > > >>>>
> > > > >>>>>+	default y
> > > > >>>>>+	help
> > > > >>>>>+	  Enables rsa_verify() test, currently rsa_verify_with_pkey only()
> > > > >>>>>+	  only, at the 'ut lib' command.
> > > > >>>>>+
> > > > >>>>>  endif
> > > > >>>>>
> > > > >>>>>  config UT_TIME
> > > > >>>>>diff --git a/test/lib/Makefile b/test/lib/Makefile
> > > > >>>>>index 72d2ec74b5f4..2bf6ef3935bb 100644
> > > > >>>>>--- a/test/lib/Makefile
> > > > >>>>>+++ b/test/lib/Makefile
> > > > >>>>>@@ -8,3 +8,4 @@ obj-y += lmb.o
> > > > >>>>>  obj-y += string.o
> > > > >>>>>  obj-$(CONFIG_ERRNO_STR) += test_errno_str.o
> > > > >>>>>  obj-$(CONFIG_UT_LIB_ASN1) += asn1.o
> > > > >>>>>+obj-$(CONFIG_UT_LIB_RSA) += rsa.o
> > > > >>>>>diff --git a/test/lib/rsa.c b/test/lib/rsa.c
> > > > >>>>>new file mode 100644
> > > > >>>>>index 000000000000..44f8ade226f4
> > > > >>>>>--- /dev/null
> > > > >>>>>+++ b/test/lib/rsa.c
> > > > >>>>>@@ -0,0 +1,206 @@
> > > > >>>>>+// SPDX-License-Identifier: GPL-2.0+
> > > > >>>>>+/*
> > > > >>>>>+ * Copyright (c) 2019 Linaro Limited
> > > > >>>>>+ * Author: AKASHI Takahiro
> > > > >>>>>+ *
> > > > >>>>>+ * Unit test for rsa_verify() function
> > > > >>>>>+ */
> > > > >>>>>+
> > > > >>>>>+#include <common.h>
> > > > >>>>>+#include <command.h>
> > > > >>>>>+#include <image.h>
> > > > >>>>>+#include <test/lib.h>
> > > > >>>>>+#include <test/test.h>
> > > > >>>>>+#include <test/ut.h>
> > > > >>>>>+#include <u-boot/rsa.h>
> > > > >>>>>+
> > > > >>>>>+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
> > > > >>>>
> > > > >>>>Please, remove this ifdef. Simply do not build this module if
> > > > >>>>CONFIG_RSA_VERIFY_WITH_PKEY is not defined.
> > > > >>>
> > > > >>>That is why I added this #ifdef here to avoid a build error.
> > > > >>>I think it is a good idea to make test code as generic as possible
> > > > >>>to easily add more test cases.
> > > > >>
> > > > >>It is preferable to move configuration dependencies to the Makefile.
> > > > >>
> > > > >>You can create a new C file if you have tests needing a different
> > > > >>configuration.
> > > > >>
> > > > >>test/lib/rsa_verify.c might be a better name for the file.
> > > > >>
> > > > >>In test/Kconfig, please, replace
> > > > >>
> > > > >>config UT_LIB_RSA
> > > > >>         bool "Unit test for rsa_verify() function"
> > > > >>         imply RSA
> > > > >>
> > > > >>by
> > > > >>
> > > > >>config UT_LIB_RSA
> > > > >>         bool "Unit test for rsa_verify() function"
> > > > >>	default y
> > > > >>         depends on RSA
> > > > >
> > > > >Initially in my development code, I did the exact same thing,
> > > > >but I didn't adopt this approach.
> > > > >
> > > > >If we follow your proposal, UT_LIB_RSA won't be selected
> > > > >unless RSA is enabled.
> > > > >So UT_LIB_RSA won't be executed under most existing configurations
> > > > >in the current CI.  This was not what I wanted.
> > > > >
> > > > >What I wanted here is that, if UT (and UT_LIB) is selected, all
> > > > >the configurations needed for enabling all the test cases be
> > > > >also selected *automatically*.
> > > > 
> > > > What I want is that if I run 'make menuconfig' and select CONFIG_UT
> > > > manually I end up with a configuration that compiles and that does what
> > > > I have configured.
> > > 
> > > Hmm, that is what I intend to do here, but the code doesn't work
> > > as I expected. It works only if CONFIG_UT_LIB_RSA is on in *defconfig.
> > > 
> > > So I have no option other than changing reverse dependencies as follows,
> > >     CONFIG_UT_LIB_RSA
> > >       select IMAGE_SIGN_INFO
> > >       select RSA
> > >       imply RSA_VERIFY_WITH_PKEY
> > > 
> > > Using 'select' is still safe as CONFIG_RSA has no dependency.
> > > (Please note we can still use 'imply' for VERIFY_WITH_PKEY here.)
> > > 
> > > Tom, do you agree to this change?
> > 
> > OK, my fault for not spotting it before.  Using imply (as we do today on
> > UT_LIB_ASN1) is wrong.  All of the tests should "depends on" what they
> > need in order to function.  Thanks!
> 
> I know that using "depends on" is an obvious solution here, but
> in that case, we won't run those tests automatically in CI unless
> the dependency targets, like CONFIG_RSA, are explicitly or
> implicitly enabled by *defconfig.
> 
> Is that OK for you?

Yes, I expect them to be enabled in sandbox and relevant qemu targets to
get broad testing here as that is part of the reason for those targets.
In fact, sandbox should always be a priority to build-support, that is
also where we get Coverity scans run.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200121/f88f9d19/attachment.sig>