On Mon, Jan 27, 2020 at 07:27:33PM +0900, AKASHI Takahiro wrote: > # This patch set is a prerequisite for UEFI secure boot. > > The current rsa_verify() requires five parameters for a RSA public key > for efficiency while RSA, in theory, requires only two. In addition, > those parameters are expected to come from FIT image. > > So this function won't fit very well when we want to use it for the purpose > of implementing UEFI secure boot, in particular, image authentication > as well as variable authentication, where the essential two parameters > are set to be retrieved from one of X509 certificates in signature > database. > > So, in this patch, additional three parameters will be calculated > on the fly when rsa_verify() is called without fdt which should contain > parameters above. > > This calculation heavily relies on "big-number (or multi-precision) > library." Therefore some routines from BearSSL[1] under MIT license are > imported in this implementation. See Patch#4. > # Please let me know if this is not appropriate. > > Prerequisite: > * public key parser in my "import x509/pkcs7 parser" patch[2] > > # Checkpatch will complain with lots of warnings/errors, but > # I intentionally don't fix them for maximum maintainability. > > [1] https://bearssl.org/ > [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
At this point it needs to be rebased again. There's a ton of failures in https://gitlab.denx.de/u-boot/u-boot/pipelines/2198 which is after I did https://gitlab.denx.de/u-boot/u-boot/commit/7db0379f85995d8c7673db7b04eb36d96546c9c8 and I'll put a proper commit message on that later today and post it and CC relevant parties. It's otherwise looking good. I do want to confirm that on boards like minnowmax the slight growth in fit_image_check_sig is expected. It's only 6 bytes so it probably is and we get a larger reduction in rsa_verify all-around. Thanks! -- Tom
signature.asc
Description: PGP signature