From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C7F5C433EF for ; Tue, 5 Oct 2021 18:32:28 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 45CF761186 for ; Tue, 5 Oct 2021 18:32:27 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 45CF761186 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9BC6982B68; Tue, 5 Oct 2021 20:32:24 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="T6AXyntg"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 2429F83138; Tue, 5 Oct 2021 20:32:22 +0200 (CEST) Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B69588291E for ; Tue, 5 Oct 2021 20:32:18 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=mr.nuke.me@gmail.com Received: by mail-ot1-x329.google.com with SMTP id h9-20020a9d2f09000000b005453f95356cso27031033otb.11 for ; Tue, 05 Oct 2021 11:32:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=0Bk2sdfV+8cMaWq1XMV+IBC8CozM/dLEylzscxP059s=; b=T6AXyntgUp0DW8XFDuuKZBlkSCbHZVUKdWIhVap8N25FOh/KUryBKkRFXISEAJhOzb 6PREUX4WVvfo8HnJuqDeP3GxcnKMSgEfjDoeuCirmxRcZ9RjAVuA6NOs4tjmiLDIHe+Q Ruf+ckgmBYRcu3xhzYljOSTdeHHqN7aYi1eItcWJjG+QNEpPH00SNnuzNvDj/mPxNpMw zLG3nwDsO3tHDsUPksC+Y+qNcGSXQrfhc5PuVUXtzvOR3XdUchIGmZxeMwYSXcl2y4go IvMv7f5cscAQL3/z0683HEvtbDgDXE3ke2W2gEzTaZwNG8H24u2Mq7eXrAXfqU3XmOo9 Yiog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0Bk2sdfV+8cMaWq1XMV+IBC8CozM/dLEylzscxP059s=; b=n1Ms+zbQQSkrg/3SUXWQoa4M7mOvxYLHIOeufk1SF3XTQBxe3cY6qUP8ETyOd68O9h WR73O/kz4Iit8M3Ut6Z8SGeDEAlJwwZu9Bkwd3cp1hr5sp3ezjEVn4ILGlt5OAY27g6x oPe0ZBjQD2oy38DFdro0yYKXFXMgUE+NfcrzvhHbsEJS5nf3sGmkh4qy546DQFBEBrpi 92DUCeyPpJBbG0Xjz6CI2bAn8iHbZueHTyA7Xnd3eSrI0V/B17CIkj26JbeHje8u6XUp CxMhZzS1nyp3T6ByNZ6ci3KBOCXfLACa9c+ULvqGp9DIwNTca0kOEbmj/EB2vo6HP5lA bUyQ== X-Gm-Message-State: AOAM533bQc7tad56h+cysuuprxh5phANnlfeP/rG5cQIuU+NI4J7V+NR LBENzOfO7sC2eFUeRzp1Geg= X-Google-Smtp-Source: ABdhPJywK3oOYnztKel7Yfx+UIB+1POPdmnn+i6GUfGxATUubv5Q6RVE7J39+8NoPmcT1fwJGvK0aQ== X-Received: by 2002:a05:6830:1d8b:: with SMTP id y11mr15861573oti.291.1633458737485; Tue, 05 Oct 2021 11:32:17 -0700 (PDT) Received: from nuclearis3.gtech (c-98-195-139-126.hsd1.tx.comcast.net. [98.195.139.126]) by smtp.gmail.com with ESMTPSA id a9sm3645379otk.3.2021.10.05.11.32.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Oct 2021 11:32:16 -0700 (PDT) Subject: Re: [PATCH v5 10/29] image: Use Kconfig to enable FIT_RSASSA_PSS on host To: Simon Glass , U-Boot Mailing List Cc: Andre Przywara , Rasmus Villemoes , Robert Marko , Masahiro Yamada , Tom Rini , Joe Hershberger , Marek Vasut References: <20210926014342.127913-1-sjg@chromium.org> <20210925194327.v5.10.I0481c8d9b6f4bd7e467d0324c81295dd0a9bbc96@changeid> From: "Alex G." Message-ID: <1bf0c28c-12db-df80-51dc-5855e1974aa5@gmail.com> Date: Tue, 5 Oct 2021 13:32:15 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: <20210925194327.v5.10.I0481c8d9b6f4bd7e467d0324c81295dd0a9bbc96@changeid> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On 9/25/21 8:43 PM, Simon Glass wrote: > Add a host Kconfig for FIT_RSASSA_PSS. With this we can use > CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the > forcing of this in the image.h header. > > Drop the #ifdef around padding_pss_verify() too since it is not needed. > Use the compiler to check the config where possible, instead of the > preprocessor. > > Signed-off-by: Simon Glass Reviewed-by: Alexandru Gagniuc > --- > > Changes in v5: > - Avoid preprocessor in a few more places > - Use TOOLS_ instead of HOST_ > > include/image.h | 3 --- > include/u-boot/rsa.h | 2 -- > lib/rsa/rsa-sign.c | 5 ++--- > lib/rsa/rsa-verify.c | 16 +++------------- > tools/Kconfig | 5 +++++ > 5 files changed, 10 insertions(+), 21 deletions(-) Now that's what I'm talking about! deletions > insertions > > diff --git a/include/image.h b/include/image.h > index 6efbef06e64..dc872ef5b24 100644 > --- a/include/image.h > +++ b/include/image.h > @@ -27,9 +27,6 @@ struct fdt_region; > #include > #include > > -/* new uImage format support enabled on host */ > -#define CONFIG_FIT_RSASSA_PSS 1 > - > #define IMAGE_ENABLE_IGNORE 0 > #define IMAGE_INDENT_STRING "" > > diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h > index 89a9c4caa0a..7556aa5b4b7 100644 > --- a/include/u-boot/rsa.h > +++ b/include/u-boot/rsa.h > @@ -103,11 +103,9 @@ int padding_pkcs_15_verify(struct image_sign_info *info, > uint8_t *msg, int msg_len, > const uint8_t *hash, int hash_len); > > -#ifdef CONFIG_FIT_RSASSA_PSS > int padding_pss_verify(struct image_sign_info *info, > uint8_t *msg, int msg_len, > const uint8_t *hash, int hash_len); > -#endif /* CONFIG_FIT_RSASSA_PSS */ > > #define RSA_DEFAULT_PADDING_NAME "pkcs-1.5" > > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c > index c27a784c429..0579e5294ee 100644 > --- a/lib/rsa/rsa-sign.c > +++ b/lib/rsa/rsa-sign.c > @@ -401,15 +401,14 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, > goto err_sign; > } > > -#ifdef CONFIG_FIT_RSASSA_PSS > - if (padding_algo && !strcmp(padding_algo->name, "pss")) { > + if (CONFIG_IS_ENABLED(FIT_RSASSA_PSS) && padding_algo && > + !strcmp(padding_algo->name, "pss")) { > if (EVP_PKEY_CTX_set_rsa_padding(ckey, > RSA_PKCS1_PSS_PADDING) <= 0) { > ret = rsa_err("Signer padding setup failed"); > goto err_sign; > } > } > -#endif /* CONFIG_FIT_RSASSA_PSS */ > > for (i = 0; i < region_count; i++) { > if (!EVP_DigestSignUpdate(context, region[i].data, > diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c > index ad6d33d043a..9e522d210d7 100644 > --- a/lib/rsa/rsa-verify.c > +++ b/lib/rsa/rsa-verify.c > @@ -102,7 +102,6 @@ U_BOOT_PADDING_ALGO(pkcs_15) = { > }; > #endif > > -#ifdef CONFIG_FIT_RSASSA_PSS > static void u32_i2osp(uint32_t val, uint8_t *buf) > { > buf[0] = (uint8_t)((val >> 24) & 0xff); > @@ -311,9 +310,6 @@ U_BOOT_PADDING_ALGO(pss) = { > }; > #endif > > -#endif > - > -#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) > /** > * rsa_verify_key() - Verify a signature against some data using RSA Key > * > @@ -385,9 +381,7 @@ static int rsa_verify_key(struct image_sign_info *info, > > return 0; > } > -#endif > > -#if CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) > /** > * rsa_verify_with_pkey() - Verify a signature against some data using > * only modulus and exponent as RSA key properties. > @@ -408,6 +402,9 @@ int rsa_verify_with_pkey(struct image_sign_info *info, > struct key_prop *prop; > int ret; > > + if (!CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY)) > + return -EACCES; > + > /* Public key is self-described to fill key_prop */ > ret = rsa_gen_key_prop(info->key, info->keylen, &prop); > if (ret) { > @@ -422,13 +419,6 @@ int rsa_verify_with_pkey(struct image_sign_info *info, > > return ret; > } > -#else > -int rsa_verify_with_pkey(struct image_sign_info *info, > - const void *hash, uint8_t *sig, uint sig_len) > -{ > - return -EACCES; > -} > -#endif > > #if CONFIG_IS_ENABLED(FIT_SIGNATURE) > /** > diff --git a/tools/Kconfig b/tools/Kconfig > index 9d1c0efd40c..8685c800f93 100644 > --- a/tools/Kconfig > +++ b/tools/Kconfig > @@ -35,6 +35,11 @@ config TOOLS_FIT_PRINT > help > Print the content of the FIT verbosely in the tools builds > > +config TOOLS_FIT_RSASSA_PSS > + def_bool y > + help > + Support the rsassa-pss signature scheme in the tools builds If we're going to have these TOOLS_ configs always on, what's the point in adding a help text? > + > config TOOLS_FIT_SIGNATURE > def_bool y > help >