Re: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

2021-02-09 Thread Alex G.

Hi Patrick,

On 2/9/21 9:11 AM, Patrick DELAUNAY wrote:

Hi,

On 1/11/21 4:41 PM, Alexandru Gagniuc wrote:

Prepare the source tree for accepting implementations of the ECDSA
algorithm. This patch deals with the boring aspects of Makefiles and
Kconfig files.

Signed-off-by: Alexandru Gagniuc
---
  include/image.h  | 10 +-
  include/u-boot/rsa.h |  2 +-
  lib/Kconfig  |  1 +
  lib/Makefile |  1 +
  lib/ecdsa/Kconfig    | 23 +++
  lib/ecdsa/Makefile   |  1 +
  lib/ecdsa/ecdsa-verify.c | 13 +
  7 files changed, 45 insertions(+), 6 deletions(-)
  create mode 100644 lib/ecdsa/Kconfig
  create mode 100644 lib/ecdsa/Makefile
  create mode 100644 lib/ecdsa/ecdsa-verify.c

diff --git a/include/image.h b/include/image.h
index 6628173dca..1d70ba0ece 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int 
data_len, const char *algo,

  #if defined(USE_HOSTCC)
  # if defined(CONFIG_FIT_SIGNATURE)
  #  define IMAGE_ENABLE_SIGN    1
-#  define IMAGE_ENABLE_VERIFY    1
+#  define IMAGE_ENABLE_VERIFY_RSA    1
  #  define IMAGE_ENABLE_VERIFY_ECDSA    1
  #  define FIT_IMAGE_ENABLE_VERIFY    1
  #  include 
  # else
  #  define IMAGE_ENABLE_SIGN    0
-#  define IMAGE_ENABLE_VERIFY    0
+#  define IMAGE_ENABLE_VERIFY_RSA    0
  # define IMAGE_ENABLE_VERIFY_ECDSA    0
  #  define FIT_IMAGE_ENABLE_VERIFY    0
  # endif
  #else
  # define IMAGE_ENABLE_SIGN    0
-# define IMAGE_ENABLE_VERIFY    CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA    0
+# define IMAGE_ENABLE_VERIFY_RSA    CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA    CONFIG_IS_ENABLED(ECDSA_VERIFY)


here you are using CONFIG_IS_ENABLED.

This macro implies testing CONFIG_ECDSA_VERIFY, or CONFIG_SPL_ECDSA_VERIFY 
(for an SPL build)


=> but CONFIG_SPL_ECDSA_VERIFY is missing, I think you need to add it, 
as RSA


This patch adds both "config ECDSA_VERIFY" and "config SPL_ECDSA_VERIFY"
see @lib/ecdsa/Kconfig. I believe this achieves what you need.

[snip]

diff --git a/lib/Makefile b/lib/Makefile
index cf64188ba5..ab86be2678 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif
  obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
  obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/


obj-$(CONFIG_$(SPL_)ECDSA) += ecdsa/


The intent here is to use CONFIG_ECDSA to denote ECDSA support. 
CONFIG_ECDSA_VERIFY and CONFIG_SPL_ECDSA_VERIFY are used to enable the 
code in u-boot and SPL respectively. Only verification is supported on 
the target, so these are the only switches that enable or disable code.





  obj-$(CONFIG_$(SPL_)RSA) += rsa/
  obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
  obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 00..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
+    bool "Enable ECDSA support"
+    depends on DM
+    help
+  This enables the ECDSA algorithm for FIT image verification in 
U-Boot.

+  See doc/uImage.FIT/signature.txt for more details.
+  The ECDSA algorithm is implemented using the driver model. So
+  CONFIG_DM is required by this library.
+  ECDSA is enabled for mkimage regardless of this  option.
+
+if ECDSA
+


Add CONFIG_SPL_ECDSA so that support can be selected independently in SPL and/or in U-Boot,
as is done for RSA

+ config SPL_ECDSA
+    bool "Use ECDSA library within in SPL"

I thought about an SPL_ECDSA kconfig. As mentioned above, we have 
independent switches to enable the code for u-boot/SPL. We can enable 
ECDSA support in u-boot, SPL, neither or both. What would this switch add?





+config ECDSA_VERIFY
+    bool "Enable ECDSA verification support in U-Boot."



+ select SPL_ECDSA



+    help
+  Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+    bool "Enable ECDSA verification support in SPL"
+    help
+  Allow ECDSA signatures to be recognized and verified in SPL.


This is the switch for SPL (@mentioned earlier).


Alex


Re: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

2021-02-09 Thread Patrick DELAUNAY

Hi,

On 1/11/21 4:41 PM, Alexandru Gagniuc wrote:

Prepare the source tree for accepting implementations of the ECDSA
algorithm. This patch deals with the boring aspects of Makefiles and
Kconfig files.

Signed-off-by: Alexandru Gagniuc
---
  include/image.h  | 10 +-
  include/u-boot/rsa.h |  2 +-
  lib/Kconfig  |  1 +
  lib/Makefile |  1 +
  lib/ecdsa/Kconfig| 23 +++
  lib/ecdsa/Makefile   |  1 +
  lib/ecdsa/ecdsa-verify.c | 13 +
  7 files changed, 45 insertions(+), 6 deletions(-)
  create mode 100644 lib/ecdsa/Kconfig
  create mode 100644 lib/ecdsa/Makefile
  create mode 100644 lib/ecdsa/ecdsa-verify.c

diff --git a/include/image.h b/include/image.h
index 6628173dca..1d70ba0ece 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int data_len, 
const char *algo,
  #if defined(USE_HOSTCC)
  # if defined(CONFIG_FIT_SIGNATURE)
  #  define IMAGE_ENABLE_SIGN   1
-#  define IMAGE_ENABLE_VERIFY  1
+#  define IMAGE_ENABLE_VERIFY_RSA  1
  #  define IMAGE_ENABLE_VERIFY_ECDSA   1
  #  define FIT_IMAGE_ENABLE_VERIFY 1
  #  include 
  # else
  #  define IMAGE_ENABLE_SIGN   0
-#  define IMAGE_ENABLE_VERIFY  0
+#  define IMAGE_ENABLE_VERIFY_RSA  0
  # define IMAGE_ENABLE_VERIFY_ECDSA0
  #  define FIT_IMAGE_ENABLE_VERIFY 0
  # endif
  #else
  # define IMAGE_ENABLE_SIGN0
-# define IMAGE_ENABLE_VERIFY   CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA 0
+# define IMAGE_ENABLE_VERIFY_RSA   CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA CONFIG_IS_ENABLED(ECDSA_VERIFY)


here you are using CONFIG_IS_ENABLED.

This macro implies testing CONFIG_ECDSA_VERIFY, or CONFIG_SPL_ECDSA_VERIFY (for 
an SPL build)

=> but CONFIG_SPL_ECDSA_VERIFY is missing, I think you need to add it, as RSA
 


  # define FIT_IMAGE_ENABLE_VERIFY  CONFIG_IS_ENABLED(FIT_SIGNATURE)
  #endif
  
@@ -1260,7 +1260,7 @@ struct image_region {

int size;
  };
  
-#if IMAGE_ENABLE_VERIFY

+#if FIT_IMAGE_ENABLE_VERIFY
  # include 
  #endif
  struct checksum_algo {
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index bed1c097c2..eb258fca4c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info 
*info,
  }
  #endif
  
-#if IMAGE_ENABLE_VERIFY

+#if IMAGE_ENABLE_VERIFY_RSA
  /**
   * rsa_verify_hash() - Verify a signature against a hash
   *
diff --git a/lib/Kconfig b/lib/Kconfig
index 7673d2e4e0..e2cb846fc0 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -292,6 +292,7 @@ config AES
  supported by the algorithm but only a 128-bit key is supported at
  present.
  
+source lib/ecdsa/Kconfig

  source lib/rsa/Kconfig
  source lib/crypto/Kconfig
  
diff --git a/lib/Makefile b/lib/Makefile

index cf64188ba5..ab86be2678 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif
  
  obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/

  obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/


obj-$(CONFIG_$(SPL_)ECDSA) += ecdsa/



  obj-$(CONFIG_$(SPL_)RSA) += rsa/
  obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
  obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 00..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
+   bool "Enable ECDSA support"
+   depends on DM
+   help
+ This enables the ECDSA algorithm for FIT image verification in U-Boot.
+ See doc/uImage.FIT/signature.txt for more details.
+ The ECDSA algorithm is implemented using the driver model. So
+ CONFIG_DM is required by this library.
+ ECDSA is enabled for mkimage regardless of this  option.
+
+if ECDSA
+


Add CONFIG_SPL_ECDSA so that support can be selected independently in SPL and/or in U-Boot,

as is done for RSA

+ config SPL_ECDSA
+   bool "Use ECDSA library within in SPL"

 


+config ECDSA_VERIFY
+   bool "Enable ECDSA verification support in U-Boot."



+ select SPL_ECDSA



+   help
+ Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+   bool "Enable ECDSA verification support in SPL"
+   help
+ Allow ECDSA signatures to be recognized and verified in SPL.
+
+endif
diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
new file mode 100644
index 00..771d6d3135
--- /dev/null
+++ b/lib/ecdsa/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
new file mode 100644
index 00..d2e6a40f4a
--- /dev/null
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc
+ */
+
+#include 
+
+int ecdsa_verify(struct image_sign_info *info,
+const struct image_region region[], 

[PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

2021-01-11 Thread Alexandru Gagniuc
Prepare the source tree for accepting implementations of the ECDSA
algorithm. This patch deals with the boring aspects of Makefiles and
Kconfig files.

Signed-off-by: Alexandru Gagniuc 
---
 include/image.h  | 10 +-
 include/u-boot/rsa.h |  2 +-
 lib/Kconfig  |  1 +
 lib/Makefile |  1 +
 lib/ecdsa/Kconfig| 23 +++
 lib/ecdsa/Makefile   |  1 +
 lib/ecdsa/ecdsa-verify.c | 13 +
 7 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 lib/ecdsa/Kconfig
 create mode 100644 lib/ecdsa/Makefile
 create mode 100644 lib/ecdsa/ecdsa-verify.c

diff --git a/include/image.h b/include/image.h
index 6628173dca..1d70ba0ece 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int data_len, 
const char *algo,
 #if defined(USE_HOSTCC)
 # if defined(CONFIG_FIT_SIGNATURE)
 #  define IMAGE_ENABLE_SIGN1
-#  define IMAGE_ENABLE_VERIFY  1
+#  define IMAGE_ENABLE_VERIFY_RSA  1
 #  define IMAGE_ENABLE_VERIFY_ECDSA1
 #  define FIT_IMAGE_ENABLE_VERIFY  1
 #  include 
 # else
 #  define IMAGE_ENABLE_SIGN0
-#  define IMAGE_ENABLE_VERIFY  0
+#  define IMAGE_ENABLE_VERIFY_RSA  0
 # define IMAGE_ENABLE_VERIFY_ECDSA 0
 #  define FIT_IMAGE_ENABLE_VERIFY  0
 # endif
 #else
 # define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY   CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA 0
+# define IMAGE_ENABLE_VERIFY_RSA   CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA CONFIG_IS_ENABLED(ECDSA_VERIFY)
 # define FIT_IMAGE_ENABLE_VERIFY   CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
 
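Review bot: Removing `IMAGE_ENABLE_VERIFY` from all three branches means any `#if IMAGE_ENABLE_VERIFY` left elsewhere in the tree still compiles, because the preprocessor evaluates an undefined identifier as 0, and the guarded verification code would then be dropped without a diagnostic. This patch converts the users in include/image.h and include/u-boot/rsa.h; whether other users exist cannot be told from the diff, so grep the tree for the old name and build once with `-Wundef` before merging. I would also add a comment above these definitions, `/* IMAGE_ENABLE_VERIFY was split into IMAGE_ENABLE_VERIFY_RSA and IMAGE_ENABLE_VERIFY_ECDSA; use FIT_IMAGE_ENABLE_VERIFY for algorithm-independent checks */`, so later patches and out-of-tree boards pick the right guard.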
@@ -1260,7 +1260,7 @@ struct image_region {
int size;
 };
 
-#if IMAGE_ENABLE_VERIFY
+#if FIT_IMAGE_ENABLE_VERIFY
 # include 
 #endif
 struct checksum_algo {
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index bed1c097c2..eb258fca4c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info 
*info,
 }
 #endif
 
-#if IMAGE_ENABLE_VERIFY
+#if IMAGE_ENABLE_VERIFY_RSA
 /**
  * rsa_verify_hash() - Verify a signature against a hash
  *
diff --git a/lib/Kconfig b/lib/Kconfig
index 7673d2e4e0..e2cb846fc0 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -292,6 +292,7 @@ config AES
  supported by the algorithm but only a 128-bit key is supported at
  present.
 
+source lib/ecdsa/Kconfig
 source lib/rsa/Kconfig
 source lib/crypto/Kconfig
 
diff --git a/lib/Makefile b/lib/Makefile
index cf64188ba5..ab86be2678 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif
 
 obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
 obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/
 obj-$(CONFIG_$(SPL_)RSA) += rsa/
 obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
 obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 00..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
+   bool "Enable ECDSA support"
+   depends on DM
+   help
+ This enables the ECDSA algorithm for FIT image verification in U-Boot.
+ See doc/uImage.FIT/signature.txt for more details.
+ The ECDSA algorithm is implemented using the driver model. So
+ CONFIG_DM is required by this library.
+ ECDSA is enabled for mkimage regardless of this  option.
+
+if ECDSA
+
+config ECDSA_VERIFY
+   bool "Enable ECDSA verification support in U-Boot."
+   help
+ Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+   bool "Enable ECDSA verification support in SPL"
+   help
+ Allow ECDSA signatures to be recognized and verified in SPL.
+
+endif
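Review bot: The help text of ECDSA_VERIFY and SPL_ECDSA_VERIFY promises that signatures are "recognized and verified", but at this step of the series the only code these options build is the ecdsa_verify() stub, which returns -EOPNOTSUPP for every input. Someone enabling the option from this commit alone gets a verifier that can only fail, which is the safe direction but is not what the help says. I would state that in the help until a backend lands, for example `Build the ECDSA verification skeleton. No backend is provided yet, so every ECDSA signature check fails.` Minor style: the ECDSA_VERIFY prompt ends with a period while the SPL prompt does not, and "this  option" in the ECDSA help has a double space.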
diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
new file mode 100644
index 00..771d6d3135
--- /dev/null
+++ b/lib/ecdsa/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
new file mode 100644
index 00..d2e6a40f4a
--- /dev/null
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc 
+ */
+
+#include 
+
+int ecdsa_verify(struct image_sign_info *info,
+const struct image_region region[], int region_count,
+uint8_t *sig, uint sig_len)
+{
+   return -EOPNOTSUPP;
+}
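Review bot: ecdsa_verify() has no comment saying that it is a deliberate placeholder, and for a signature check the fail-closed return value is exactly the property a later implementer must not lose. I would add a kernel-doc block above the function stating that it currently rejects every signature by returning -EOPNOTSUPP, that it must return 0 only after the signature in `sig`/`sig_len` has actually been checked against all `region_count` regions, and that any other outcome is a negative error code. A one-line `/* TODO: hand off to the driver-model backend */` inside the body would also make clear that the unused parameters are intentional. The include target is not legible on this page, so I cannot tell whether a prototype for this function is in scope here; if it is not, the definition should be preceded by one.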
-- 
2.26.2