* [PATCH 1/8] rsatoc: fix compiler warnings
@ 2022-05-04 13:14 Sascha Hauer
2022-05-04 13:14 ` [PATCH 2/8] rsatoc: Add option to print dts output Sascha Hauer
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Fixes:
scripts/rsatoc.c:189:5: warning: no previous prototype for ‘rsa_get_params’ [-Wmissing-prototypes]
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rsatoc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index f2d91b8e0d..722c5dba19 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -184,8 +184,8 @@ cleanup:
/*
* rsa_get_params(): - Get the important parameters of an RSA public key
*/
-int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
- BIGNUM **modulusp, BIGNUM **r_squaredp)
+static int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
+ BIGNUM **modulusp, BIGNUM **r_squaredp)
{
BIGNUM *big1, *big2, *big32, *big2_32;
BIGNUM *n, *r, *r_squared, *tmp;
@@ -359,7 +359,7 @@ static int print_bignum(BIGNUM *num, int num_bits)
static int gen_key(const char *keyname, const char *path)
{
BIGNUM *modulus, *r_squared;
- uint64_t exponent;
+ uint64_t exponent = 0;
uint32_t n0_inv;
int ret;
int bits;
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 2/8] rsatoc: Add option to print dts output
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 3/8] crypto: simplify $(srctree)/ handling and remove config_filename macro Sascha Hauer
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Add -d option to generate output in dts format rather than C.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/rsatoc.c | 103 +++++++++++++++++++++++++++++++++++------------
1 file changed, 78 insertions(+), 25 deletions(-)
diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index 722c5dba19..d7f6dad7f0 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -18,6 +18,8 @@
#include <openssl/evp.h>
#include <openssl/engine.h>
+static int dts;
+
static int rsa_err(const char *msg)
{
unsigned long sslErr = ERR_get_error();
@@ -311,6 +313,7 @@ static int print_bignum(BIGNUM *num, int num_bits)
BIGNUM *tmp, *big2, *big32, *big2_32;
BN_CTX *ctx;
int i;
+ uint32_t *arr;
tmp = BN_new();
big2 = BN_new();
@@ -338,16 +341,35 @@ static int print_bignum(BIGNUM *num, int num_bits)
BN_set_word(big32, 32L);
BN_exp(big2_32, big2, big32, ctx); /* B = 2^32 */
+ arr = malloc(num_bits / 32 * sizeof(uint32_t));
+
for (i = 0; i < num_bits / 32; i++) {
BN_mod(tmp, num, big2_32, ctx); /* n = N mod B */
- if (i % 4)
- fprintf(outfilep, " ");
- else
- fprintf(outfilep, "\n\t");
- fprintf(outfilep, "0x%08lx,", BN_get_word(tmp));
+ arr[i] = BN_get_word(tmp);
BN_rshift(num, num, 32); /* N = N/B */
}
+ if (dts) {
+ for (i = 0; i < num_bits / 32; i++) {
+ if (i % 4)
+ fprintf(outfilep, " ");
+ else
+ fprintf(outfilep, "\n\t\t\t\t");
+ fprintf(outfilep, "0x%08x", arr[num_bits / 32 - 1 - i]);
+ BN_rshift(num, num, 32); /* N = N/B */
+ }
+ } else {
+ for (i = 0; i < num_bits / 32; i++) {
+ if (i % 4)
+ fprintf(outfilep, " ");
+ else
+ fprintf(outfilep, "\n\t");
+ fprintf(outfilep, "0x%08x,", arr[i]);
+ BN_rshift(num, num, 32); /* N = N/B */
+ }
+ }
+
+ free(arr);
BN_free(tmp);
BN_free(big2);
BN_free(big32);
@@ -404,25 +426,42 @@ static int gen_key(const char *keyname, const char *path)
bits = BN_num_bits(modulus);
- fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
- print_bignum(modulus, bits);
- fprintf(outfilep, "\n};\n\n");
-
- fprintf(outfilep, "static uint32_t %s_rr[] = {", key_name_c);
- print_bignum(r_squared, bits);
- fprintf(outfilep, "\n};\n\n");
-
- fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
- fprintf(outfilep, "\t.len = %d,\n", bits / 32);
- fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
- fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
- fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
- fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
- fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
- fprintf(outfilep, "};\n\n");
-
- fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
- key_name_c, key_name_c, key_name_c);
+ if (dts) {
+ fprintf(outfilep, "\t\tkey-%s {\n", key_name_c);
+ fprintf(outfilep, "\t\t\trsa,r-squared = <");
+ print_bignum(r_squared, bits);
+ fprintf(outfilep, ">;\n");
+ fprintf(outfilep, "\t\t\trsa,modulus= <");
+ print_bignum(modulus, bits);
+ fprintf(outfilep, ">;\n");
+ fprintf(outfilep, "\t\t\trsa,exponent = <0x%0lx 0x%lx>;\n",
+ (exponent >> 32) & 0xffffffff,
+ exponent & 0xffffffff);
+ fprintf(outfilep, "\t\t\trsa,n0-inverse = <0x%0x>;\n", n0_inv);
+ fprintf(outfilep, "\t\t\trsa,num-bits = <0x%0x>;\n", bits);
+ fprintf(outfilep, "\t\t\tkey-name-hint = \"%s\";\n", key_name_c);
+ fprintf(outfilep, "\t\t};\n");
+ } else {
+ fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
+ print_bignum(modulus, bits);
+ fprintf(outfilep, "\n};\n\n");
+
+ fprintf(outfilep, "static uint32_t %s_rr[] = {", key_name_c);
+ print_bignum(r_squared, bits);
+ fprintf(outfilep, "\n};\n\n");
+
+ fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+ fprintf(outfilep, "\t.len = %d,\n", bits / 32);
+ fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
+ fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
+ fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
+ fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
+ fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
+ fprintf(outfilep, "};\n\n");
+
+ fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
+ key_name_c, key_name_c, key_name_c);
+ }
return 0;
}
@@ -435,11 +474,14 @@ int main(int argc, char *argv[])
outfilep = stdout;
- while ((opt = getopt(argc, argv, "o:")) > 0) {
+ while ((opt = getopt(argc, argv, "o:d")) > 0) {
switch (opt) {
case 'o':
outfile = optarg;
break;
+ case 'd':
+ dts = 1;
+ break;
}
}
@@ -457,6 +499,12 @@ int main(int argc, char *argv[])
exit(1);
}
+ if (dts) {
+ fprintf(outfilep, "/dts-v1/;\n");
+ fprintf(outfilep, "/ {\n");
+ fprintf(outfilep, "\tsignature {\n");
+ }
+
for (i = optind; i < argc; i++) {
keyname = argv[i];
@@ -484,5 +532,10 @@ int main(int argc, char *argv[])
gen_key(keyname, path);
}
+ if (dts) {
+ fprintf(outfilep, "\t};\n");
+ fprintf(outfilep, "};\n");
+ }
+
exit(0);
}
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 3/8] crypto: simplify $(srctree)/ handling and remove config_filename macro
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
2022-05-04 13:14 ` [PATCH 2/8] rsatoc: Add option to print dts output Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 4/8] rsa: Collect keys on list Sascha Hauer
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
The config_filename macro has been dropped from mainline in
b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove
config_filename macro"). Adopt the mechanism it has been replaced with
for barebox.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/Makefile | 12 ++++++++---
scripts/Kbuild.include | 49 ------------------------------------------
2 files changed, 9 insertions(+), 52 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index be0f79d4e3..7e67f58bc7 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -25,7 +25,13 @@ extra-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsa-keys.h
ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
$(obj)/rsa.o: $(obj)/rsa-keys.h
-$(eval $(call config_filename,CRYPTO_RSA_KEY))
-$(obj)/rsa-keys.h: FORCE
- $(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CRYPTO_RSA_KEY_SRCPREFIX)$(CRYPTO_RSA_KEY_FILENAME))
+
+CONFIG_CRYPTO_RSA_KEY := $(CONFIG_CRYPTO_RSA_KEY:"%"=%)
+
+ifneq ($(filter-out pkcs11:%, $(CONFIG_CRYPTO_RSA_KEY)),)
+RSA_DEP := $(CONFIG_CRYPTO_RSA_KEY)
+endif
+
+$(obj)/rsa-keys.h: $(RSA_DEP) FORCE
+ $(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(if $(RSA_DEP),$<,$(CONFIG_CRYPTO_RSA_KEY)))
endif
diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
index ab092e455c..eeb459f8fa 100644
--- a/scripts/Kbuild.include
+++ b/scripts/Kbuild.include
@@ -262,55 +262,6 @@ why = \
echo-why = $(call escsq, $(strip $(why)))
endif
-###############################################################################
-#
-# When a Kconfig string contains a filename, it is suitable for
-# passing to shell commands. It is surrounded by double-quotes, and
-# any double-quotes or backslashes within it are escaped by
-# backslashes.
-#
-# This is no use for dependencies or $(wildcard). We need to strip the
-# surrounding quotes and the escaping from quotes and backslashes, and
-# we *do* need to escape any spaces in the string. So, for example:
-#
-# Usage: $(eval $(call config_filename,FOO))
-#
-# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option,
-# transformed as described above to be suitable for use within the
-# makefile.
-#
-# Also, if the filename is a relative filename and exists in the source
-# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to
-# be prefixed to *both* command invocation and dependencies.
-#
-# Note: We also print the filenames in the quiet_cmd_foo text, and
-# perhaps ought to have a version specially escaped for that purpose.
-# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good
-# enough. It'll strip the quotes in the common case where there's no
-# space and it's a simple filename, and it'll retain the quotes when
-# there's a space. There are some esoteric cases in which it'll print
-# the wrong thing, but we don't really care. The actual dependencies
-# and commands *do* get it right, with various combinations of single
-# and double quotes, backslashes and spaces in the filenames.
-#
-###############################################################################
-#
-define config_filename
-ifneq ($$(CONFIG_$(1)),"")
-$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1)))))))
-ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME)))
-else
-ifeq ($$(wildcard $$($(1)_FILENAME)),)
-ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),)
-$(1)_SRCPREFIX := $(srctree)/
-endif
-endif
-endif
-endif
-endef
-#
-###############################################################################
-
# delete partially updated (i.e. corrupted) files on error
.DELETE_ON_ERROR:
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 4/8] rsa: Collect keys on list
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
2022-05-04 13:14 ` [PATCH 2/8] rsatoc: Add option to print dts output Sascha Hauer
2022-05-04 13:14 ` [PATCH 3/8] crypto: simplify $(srctree)/ handling and remove config_filename macro Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 5/8] rsa: Add iterator for rsa keys Sascha Hauer
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Currently there is no way to iterate over all available RSA keys.
This patch collects all keys on a list so we can add an iterator
in the next step.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
common/image-fit.c | 25 ++----------
crypto/rsa.c | 97 ++++++++++++++++++++++++++++++++++++++--------
include/rsa.h | 3 +-
3 files changed, 86 insertions(+), 39 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 38a372ff52..152d066f47 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -255,10 +255,8 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
static int fit_check_rsa_signature(struct device_node *sig_node,
enum hash_algo algo, void *hash)
{
- struct rsa_public_key *key;
+ const struct rsa_public_key *key;
const char *key_name;
- char *key_path;
- struct device_node *key_node;
int sig_len;
const char *sig_value;
int ret;
@@ -275,22 +273,9 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
}
key = rsa_get_key(key_name);
- if (IS_ERR(key)) {
- key_path = xasprintf("/signature/key-%s", key_name);
- key_node = of_find_node_by_path(key_path);
- if (!key_node) {
- pr_info("failed to find key node %s\n", key_path);
- free(key_path);
- return -ENOENT;
- }
- free(key_path);
-
- key = rsa_of_read_key(key_node);
-
- if (IS_ERR(key)) {
- pr_info("failed to read key in %s\n", key_node->full_name);
- return -ENOENT;
- }
+ if (!key) {
+ pr_err("No such key: %s\n", key_name);
+ return -ENOENT;
}
ret = rsa_verify(key, sig_value, sig_len, hash, algo);
@@ -299,8 +284,6 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
else
pr_info("image signature OK\n");
- rsa_key_free(key);
-
return ret;
}
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 1aea738e52..4e2d463b54 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -388,8 +388,13 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node)
struct rsa_public_key *key;
int err;
+ if (strncmp(node->name, "key-", 4))
+ return ERR_PTR(-EINVAL);
+
key = xzalloc(sizeof(*key));
+ key->key_name_hint = xstrdup(node->name + 4);
+
of_property_read_u32(node, "rsa,num-bits", &key->len);
of_property_read_u32(node, "rsa,n0-inverse", &key->n0inv);
@@ -439,35 +444,93 @@ void rsa_key_free(struct rsa_public_key *key)
free(key);
}
-#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
-#include "rsa-keys.h"
-
-extern const struct rsa_public_key * const __rsa_keys_start;
-extern const struct rsa_public_key * const __rsa_keys_end;
+static LIST_HEAD(rsa_keys);
-struct rsa_public_key *rsa_get_key(const char *name)
+const struct rsa_public_key *rsa_get_key(const char *name)
{
const struct rsa_public_key *key;
- struct rsa_public_key *new;
- const struct rsa_public_key * const *iter;
- for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
- key = *iter;
- if (!strcmp(name, key->key_name_hint))
- goto found;
+ list_for_each_entry(key, &rsa_keys, list) {
+ if (!strcmp(key->key_name_hint, name))
+ return key;
}
- return ERR_PTR(-ENOENT);
-found:
+ return NULL;
+}
+
+static int rsa_key_add(struct rsa_public_key *key)
+{
+ if (rsa_get_key(key->key_name_hint))
+ return -EEXIST;
+
+ list_add_tail(&key->list, &rsa_keys);
+
+ return 0;
+}
+
+static struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key)
+{
+ struct rsa_public_key *new;
+
new = xmemdup(key, sizeof(*key));
new->modulus = xmemdup(key->modulus, key->len * sizeof(uint32_t));
new->rr = xmemdup(key->rr, key->len * sizeof(uint32_t));
return new;
}
-#else
-struct rsa_public_key *rsa_get_key(const char *name)
+
+extern const struct rsa_public_key * const __rsa_keys_start;
+extern const struct rsa_public_key * const __rsa_keys_end;
+
+static void rsa_init_keys_of(void)
{
- return ERR_PTR(-ENOENT);
+ struct device_node *sigs, *sig;
+ struct rsa_public_key *key;
+ int ret;
+
+ if (!IS_ENABLED(CONFIG_OFTREE))
+ return;
+
+ sigs = of_find_node_by_path("/signature");
+ if (!sigs)
+ return;
+
+ for_each_child_of_node(sigs, sig) {
+ key = rsa_of_read_key(sig);
+ if (IS_ERR(key)) {
+ pr_err("Cannot read rsa key from %s: %pe\n",
+ sig->full_name, key);
+ continue;
+ }
+
+ ret = rsa_key_add(key);
+ if (ret)
+ pr_err("Cannot add rsa key %s: %s\n",
+ key->key_name_hint, strerror(-ret));
+ }
}
+
+static int rsa_init_keys(void)
+{
+ const struct rsa_public_key * const *iter;
+ struct rsa_public_key *key;
+ int ret;
+
+ for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
+ key = rsa_key_dup(*iter);
+ ret = rsa_key_add(key);
+ if (ret)
+ pr_err("Cannot add rsa key %s: %s\n",
+ key->key_name_hint, strerror(-ret));
+ }
+
+ rsa_init_keys_of();
+
+ return 0;
+}
+
+device_initcall(rsa_init_keys);
+
+#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+#include "rsa-keys.h"
#endif
diff --git a/include/rsa.h b/include/rsa.h
index 803660d19a..4ef16ea5a8 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -29,6 +29,7 @@ struct rsa_public_key {
uint32_t *rr; /* R^2 as little endian array */
uint64_t exponent; /* public exponent */
char *key_name_hint;
+ struct list_head list;
};
/**
@@ -52,6 +53,6 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
struct rsa_public_key *rsa_of_read_key(struct device_node *node);
void rsa_key_free(struct rsa_public_key *key);
-struct rsa_public_key *rsa_get_key(const char *name);
+const struct rsa_public_key *rsa_get_key(const char *name);
#endif
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 5/8] rsa: Add iterator for rsa keys
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
` (2 preceding siblings ...)
2022-05-04 13:14 ` [PATCH 4/8] rsa: Collect keys on list Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 6/8] rsa: Add pr_fmt and use pr_debug Sascha Hauer
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/rsa.c | 9 +++++++++
include/rsa.h | 4 ++++
2 files changed, 13 insertions(+)
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 4e2d463b54..2eeb9984b1 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -446,6 +446,15 @@ void rsa_key_free(struct rsa_public_key *key)
static LIST_HEAD(rsa_keys);
+const struct rsa_public_key *rsa_key_next(const struct rsa_public_key *prev)
+{
+ prev = list_prepare_entry(prev, &rsa_keys, list);
+ list_for_each_entry_continue(prev, &rsa_keys, list)
+ return prev;
+
+ return NULL;
+}
+
const struct rsa_public_key *rsa_get_key(const char *name)
{
const struct rsa_public_key *key;
diff --git a/include/rsa.h b/include/rsa.h
index 4ef16ea5a8..650fb234f2 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -55,4 +55,8 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node);
void rsa_key_free(struct rsa_public_key *key);
const struct rsa_public_key *rsa_get_key(const char *name);
+const struct rsa_public_key *rsa_key_next(const struct rsa_public_key *prev);
+
+#define for_each_rsa_key(key) \
+ for (key = rsa_key_next(NULL); key; key = rsa_key_next(key))
#endif
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 6/8] rsa: Add pr_fmt and use pr_debug
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
` (3 preceding siblings ...)
2022-05-04 13:14 ` [PATCH 5/8] rsa: Add iterator for rsa keys Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 7/8] rsa: Turn error messages into debug messages Sascha Hauer
2022-05-04 13:14 ` [PATCH 8/8] fit: try other keys as fallback Sascha Hauer
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Add pr_fmt to print more context and use pr_debug consistently.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/rsa.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 2eeb9984b1..6d23ecb11c 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -5,6 +5,7 @@
*
* SPDX-License-Identifier: GPL-2.0+
*/
+#define pr_fmt(fmt) "rsa: " fmt
#include <common.h>
#include <malloc.h>
@@ -184,8 +185,8 @@ static int pow_mod(const struct rsa_public_key *key, void *__inout)
/* Sanity check for stack size - key->len is in 32-bit words */
if (key->len > RSA_MAX_KEY_BITS / 32) {
- debug("RSA key words %u exceeds maximum %d\n", key->len,
- RSA_MAX_KEY_BITS / 32);
+ pr_debug("RSA key words %u exceeds maximum %d\n", key->len,
+ RSA_MAX_KEY_BITS / 32);
return -EINVAL;
}
@@ -199,13 +200,13 @@ static int pow_mod(const struct rsa_public_key *key, void *__inout)
return -EINVAL;
if (k < 2) {
- debug("Public exponent is too short (%d bits, minimum 2)\n",
- k);
+ pr_debug("Public exponent is too short (%d bits, minimum 2)\n",
+ k);
return -EINVAL;
}
if (!is_public_exponent_bit_set(key, 0)) {
- debug("LSB of RSA public exponent must be set.\n");
+ pr_debug("LSB of RSA public exponent must be set.\n");
return -EINVAL;
}
@@ -317,7 +318,7 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
return -EOPNOTSUPP;
if (sig_len != (key->len * sizeof(uint32_t))) {
- debug("Signature is of incorrect length %u, should be %zu\n", sig_len,
+ pr_debug("Signature is of incorrect length %u, should be %zu\n", sig_len,
key->len * sizeof(uint32_t));
ret = -EINVAL;
goto out_free_digest;
@@ -325,8 +326,8 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
/* Sanity check for stack size */
if (sig_len > RSA_MAX_SIG_BITS / 8) {
- debug("Signature length %u exceeds maximum %d\n", sig_len,
- RSA_MAX_SIG_BITS / 8);
+ pr_debug("Signature length %u exceeds maximum %d\n", sig_len,
+ RSA_MAX_SIG_BITS / 8);
ret = -EINVAL;
goto out_free_digest;
}
@@ -408,15 +409,15 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node)
rr = of_get_property(node, "rsa,r-squared", NULL);
if (!key->len || !modulus || !rr) {
- debug("%s: Missing RSA key info", __func__);
+ pr_debug("%s: Missing RSA key info", __func__);
err = -EFAULT;
goto out;
}
/* Sanity check for stack size */
if (key->len > RSA_MAX_KEY_BITS || key->len < RSA_MIN_KEY_BITS) {
- debug("RSA key bits %u outside allowed range %d..%d\n",
- key->len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
+ pr_debug("RSA key bits %u outside allowed range %d..%d\n",
+ key->len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
err = -EFAULT;
goto out;
}
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 7/8] rsa: Turn error messages into debug messages
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
` (4 preceding siblings ...)
2022-05-04 13:14 ` [PATCH 6/8] rsa: Add pr_fmt and use pr_debug Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
2022-05-04 13:14 ` [PATCH 8/8] fit: try other keys as fallback Sascha Hauer
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/rsa.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 6d23ecb11c..e97e5192ab 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -342,27 +342,27 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
PS_end = T_offset - 1;
if (buf[PS_end] != 0x00) {
- pr_err(" = -EBADMSG [EM[T-1] == %02u]\n", buf[PS_end]);
+ pr_debug(" = -EBADMSG [EM[T-1] == %02u]\n", buf[PS_end]);
ret = -EBADMSG;
goto out_free_digest;
}
for (i = 2; i < PS_end; i++) {
if (buf[i] != 0xff) {
- pr_err(" = -EBADMSG [EM[PS%x] == %02u]\n", i - 2, buf[i]);
+ pr_debug(" = -EBADMSG [EM[PS%x] == %02u]\n", i - 2, buf[i]);
ret = -EBADMSG;
goto out_free_digest;
}
}
if (memcmp(asn1_template, buf + T_offset, asn1_size) != 0) {
- pr_err(" = -EBADMSG [EM[T] ASN.1 mismatch]\n");
+ pr_debug(" = -EBADMSG [EM[T] ASN.1 mismatch]\n");
ret = -EBADMSG;
goto out_free_digest;
}
if (memcmp(hash, buf + T_offset + asn1_size, digest_length(d)) != 0) {
- pr_err(" = -EKEYREJECTED [EM[T] hash mismatch]\n");
+ pr_debug(" = -EKEYREJECTED [EM[T] hash mismatch]\n");
ret = -EKEYREJECTED;
goto out_free_digest;
}
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 8/8] fit: try other keys as fallback
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
` (5 preceding siblings ...)
2022-05-04 13:14 ` [PATCH 7/8] rsa: Turn error messages into debug messages Sascha Hauer
@ 2022-05-04 13:14 ` Sascha Hauer
6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
To: Barebox List
So far the rsa key and the image signature must have a matching
key-name-hint. Relax that by trying other available keys when
the key-name-hints don't match or when the matching key can't verify
the signature.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
common/image-fit.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 152d066f47..a410632d70 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -256,7 +256,7 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
enum hash_algo algo, void *hash)
{
const struct rsa_public_key *key;
- const char *key_name;
+ const char *key_name = NULL;
int sig_len;
const char *sig_value;
int ret;
@@ -267,24 +267,32 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
return -EINVAL;
}
- if (of_property_read_string(sig_node, "key-name-hint", &key_name)) {
- pr_err("key name not found in %s\n", sig_node->full_name);
- return -EINVAL;
+ of_property_read_string(sig_node, "key-name-hint", &key_name);
+ if (key_name) {
+ key = rsa_get_key(key_name);
+ if (key) {
+ ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+ if (!ret)
+ goto ok;
+ }
}
- key = rsa_get_key(key_name);
- if (!key) {
- pr_err("No such key: %s\n", key_name);
- return -ENOENT;
+ for_each_rsa_key(key) {
+ if (key_name && !strcmp(key->key_name_hint, key_name))
+ continue;
+
+ ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+ if (!ret)
+ goto ok;
}
- ret = rsa_verify(key, sig_value, sig_len, hash, algo);
- if (ret)
- pr_err("image signature BAD\n");
- else
- pr_info("image signature OK\n");
+ pr_err("image signature BAD\n");
- return ret;
+ return -EBADMSG;
+ok:
+ pr_info("image signature OK\n");
+
+ return 0;
}
/*
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-05-04 13:17 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-04 13:14 [PATCH 1/8] rsatoc: fix compiler warnings Sascha Hauer
2022-05-04 13:14 ` [PATCH 2/8] rsatoc: Add option to print dts output Sascha Hauer
2022-05-04 13:14 ` [PATCH 3/8] crypto: simplify $(srctree)/ handling and remove config_filename macro Sascha Hauer
2022-05-04 13:14 ` [PATCH 4/8] rsa: Collect keys on list Sascha Hauer
2022-05-04 13:14 ` [PATCH 5/8] rsa: Add iterator for rsa keys Sascha Hauer
2022-05-04 13:14 ` [PATCH 6/8] rsa: Add pr_fmt and use pr_debug Sascha Hauer
2022-05-04 13:14 ` [PATCH 7/8] rsa: Turn error messages into debug messages Sascha Hauer
2022-05-04 13:14 ` [PATCH 8/8] fit: try other keys as fallback Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox