Update on ECDSA verification progress, I've forked Alex's repo and have
included my changes in the 'ecdsa-vrf-1' branch [1]. This includes the
isolated OpenSSL code for verification, and I split up the
lib/ecdsa/ecdsa-libcrypto.c file into lib/ecdsa/ecdsa-sign.c and
lib/ecdsa/ecdsa-verify.c. I've also included unit tests under
test/py/tests/test_vboot_ecdsa.py, which test ECDSA with the sha1 and
sha256 digest algos. There are some outstanding changes to be made
before it's ready for review, mainly cleaning up the OpenSSL code as it
has redundant code still included though it works without any additional
dependencies, and better integration with U-Boot's build system.
Currently I've added a new Kconfig setting to turn on ECDSA
signing/verification called "CONFIG_FIT_SIGNATURE_ECDSA" in
common/Kconfig.boot which sets config options "CONFIG_ECDSA" and
"CONFIG_ECDSA_VERIFY". This is done mainly to replicate how the RSA
config was setup, though creating "CONFIG_FIT_SIGNATURE_ECDSA" separate
from "CONFIG_FIT_SIGNATURE" feels messy, there's probably a better approach.
Today is also my last day at my internship. Deskin, a team member of
mine at Microsoft who was keeping an eye on the project, will be the
main point of contact from here (desk...@linux.microsoft.com) though I
can also be reached at timroman...@gmail.com (CC'd) and will be
responsive if there are any questions.
All the best,
Tim
[1] timr11/u-boot: u-boot + elliptic curve verification (github.com)
<https://github.com/timr11/u-boot>
On 2021-04-08 12:56 p.m., Tim Romanski wrote:
Ok, will do. I'm writing the verification code, I noticed you're
passing the public key into the fdt using fdt_add_bignum, which
converts the x and y values into big endian integer arrays. Do you
have a method to read these values from the fdt and convert them back
into bignums, or is that TODO? I can get that done if it's not yet
implemented.
All the best,
Tim
On 2021-04-07 4:03 p.m., Alex G. wrote:
On 4/7/21 12:29 PM, Tim Romanski wrote:
Question for Alex, I see your repo has a few branches related to
ECDSA (patch-ecdsa-v[1-5], patch-mkimage-keyfile-v{1,2}). You sent
me a link to 'patch-ecdsa-v1' in a previous email, is that the one
that's being upstreamed? Should I be working off a different branch
or is that one ok?
I'm up to v6 on the patch submission. The differences are not that
big, but I recommend sticking to the latest.
Alex
