Re: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

Patrick DELAUNAY Tue, 09 Feb 2021 07:11:22 -0800

Hi,

On 1/11/21 4:41 PM, Alexandru Gagniuc wrote:

Prepare the source tree for accepting implementations of the ECDSA
algorithm. This patch deals with the boring aspects of Makefiles and
Kconfig files.


Signed-off-by: Alexandru Gagniuc<mr.nuke...@gmail.com>
---
  include/image.h          | 10 +++++-----
  include/u-boot/rsa.h     |  2 +-
  lib/Kconfig              |  1 +
  lib/Makefile             |  1 +
  lib/ecdsa/Kconfig        | 23 +++++++++++++++++++++++
  lib/ecdsa/Makefile       |  1 +
  lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
  7 files changed, 45 insertions(+), 6 deletions(-)
  create mode 100644 lib/ecdsa/Kconfig
  create mode 100644 lib/ecdsa/Makefile
  create mode 100644 lib/ecdsa/ecdsa-verify.c

diff --git a/include/image.h b/include/image.h
index 6628173dca..1d70ba0ece 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1198,20 +1198,20 @@ int calculate_hash(const void *data, int data_len, 
const char *algo,
  #if defined(USE_HOSTCC)
  # if defined(CONFIG_FIT_SIGNATURE)
  #  define IMAGE_ENABLE_SIGN   1
-#  define IMAGE_ENABLE_VERIFY  1
+#  define IMAGE_ENABLE_VERIFY_RSA      1
  #  define IMAGE_ENABLE_VERIFY_ECDSA   1
  #  define FIT_IMAGE_ENABLE_VERIFY     1
  #  include <openssl/evp.h>
  # else
  #  define IMAGE_ENABLE_SIGN   0
-#  define IMAGE_ENABLE_VERIFY  0
+#  define IMAGE_ENABLE_VERIFY_RSA      0
  # define IMAGE_ENABLE_VERIFY_ECDSA    0
  #  define FIT_IMAGE_ENABLE_VERIFY     0
  # endif
  #else
  # define IMAGE_ENABLE_SIGN    0
-# define IMAGE_ENABLE_VERIFY           CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA     0
+# define IMAGE_ENABLE_VERIFY_RSA       CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA     CONFIG_IS_ENABLED(ECDSA_VERIFY)


here you are using CONFIG_IS_ENABLED.

This macro imply to test CONFIG_ECDSA_VERIFY or CONFIG_SPL_ECDSA_VERIFY (for 
SPL build)

=> but CONFIG_SPL_ECDSA_VERIFY is missing, I think you need to add it, as RSA

  # define FIT_IMAGE_ENABLE_VERIFY      CONFIG_IS_ENABLED(FIT_SIGNATURE)
  #endif

@@ -1260,7 +1260,7 @@ struct image_region {

        int size;
  };

-#if IMAGE_ENABLE_VERIFY

+#if FIT_IMAGE_ENABLE_VERIFY
  # include <u-boot/hash-checksum.h>
  #endif
  struct checksum_algo {
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index bed1c097c2..eb258fca4c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info 
*info,
  }
  #endif

-#if IMAGE_ENABLE_VERIFY

+#if IMAGE_ENABLE_VERIFY_RSA
  /**
   * rsa_verify_hash() - Verify a signature against a hash
   *
diff --git a/lib/Kconfig b/lib/Kconfig
index 7673d2e4e0..e2cb846fc0 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -292,6 +292,7 @@ config AES
          supported by the algorithm but only a 128-bit key is supported at
          present.

+source lib/ecdsa/Kconfig

  source lib/rsa/Kconfig
  source lib/crypto/Kconfig

diff --git a/lib/Makefile b/lib/Makefile

index cf64188ba5..ab86be2678 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif

obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/

  obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/


obj-$(CONFIG_$(SPL_)ECDSA) += ecdsa/

  obj-$(CONFIG_$(SPL_)RSA) += rsa/
  obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
  obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 0000000000..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
+       bool "Enable ECDSA support"
+       depends on DM
+       help
+         This enables the ECDSA algorithm for FIT image verification in U-Boot.
+         See doc/uImage.FIT/signature.txt for more details.
+         The ECDSA algorithm is implemented using the driver model. So
+         CONFIG_DM is required by this library.
+         ECDSA is enabled for mkimage regardless of this  option.
+
+if ECDSA
+


Add CONFIG_SPL_ECDSA to select independently support in SPL et/or in U-Boot

as it is done for RSA

+ config SPL_ECDSA
+       bool "Use ECDSA library within in SPL"

+config ECDSA_VERIFY
+       bool "Enable ECDSA verification support in U-Boot."



+ select SPL_ECDSA

+       help
+         Allow ECDSA signatures to be recognized and verified in U-Boot.
+
+config SPL_ECDSA_VERIFY
+       bool "Enable ECDSA verification support in SPL"
+       help
+         Allow ECDSA signatures to be recognized and verified in SPL.
+
+endif
diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
new file mode 100644
index 0000000000..771d6d3135
--- /dev/null
+++ b/lib/ecdsa/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
new file mode 100644
index 0000000000..d2e6a40f4a
--- /dev/null
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Alexandru Gagniuc<mr.nuke...@gmail.com>
+ */
+
+#include <u-boot/ecdsa.h>
+
+int ecdsa_verify(struct image_sign_info *info,
+                const struct image_region region[], int region_count,
+                uint8_t *sig, uint sig_len)
+{
+       return -EOPNOTSUPP;
+}



Regards,

Patrick

Re: [PATCH 2/5] lib: ecdsa: Add skeleton to implement ecdsa verification in u-boot

Reply via email to