* [PATCH 1/8] rsatoc: fix compiler warnings
@ 2022-05-04 13:14 Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Fixes:

scripts/rsatoc.c:189:5: warning: no previous prototype for ‘rsa_get_params’ [-Wmissing-prototypes]

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 scripts/rsatoc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index f2d91b8e0d..722c5dba19 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -184,8 +184,8 @@ cleanup:
 /*
  * rsa_get_params(): - Get the important parameters of an RSA public key
  */
-int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
-		   BIGNUM **modulusp, BIGNUM **r_squaredp)
+static int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
+			  BIGNUM **modulusp, BIGNUM **r_squaredp)
 {
 	BIGNUM *big1, *big2, *big32, *big2_32;
 	BIGNUM *n, *r, *r_squared, *tmp;
@@ -359,7 +359,7 @@ static int print_bignum(BIGNUM *num, int num_bits)
 static int gen_key(const char *keyname, const char *path)
 {
 	BIGNUM *modulus, *r_squared;
-	uint64_t exponent;
+	uint64_t exponent = 0;
 	uint32_t n0_inv;
 	int ret;
 	int bits;
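Review bot: The commit message names only the -Wmissing-prototypes warning, but this hunk fixes a different one: `uint64_t exponent = 0;` presumably silences a maybe-uninitialized warning about the value `rsa_get_params()` fills in, and that second warning should be listed in the message too. If `gen_key()` only reads `exponent` after checking the return of `rsa_get_params()` (both outside this hunk), the initialiser is purely a warning fix, and a comment `/* set by rsa_get_params() */` would tell the next reader that the zero is never a meaningful exponent.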
-- 
2.30.2



* [PATCH 2/8] rsatoc: Add option to print dts output
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Add -d option to generate output in dts format rather than C.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 scripts/rsatoc.c | 103 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 78 insertions(+), 25 deletions(-)

diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index 722c5dba19..d7f6dad7f0 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -18,6 +18,8 @@
 #include <openssl/evp.h>
 #include <openssl/engine.h>
 
+static int dts;
+
 static int rsa_err(const char *msg)
 {
 	unsigned long sslErr = ERR_get_error();
@@ -311,6 +313,7 @@ static int print_bignum(BIGNUM *num, int num_bits)
 	BIGNUM *tmp, *big2, *big32, *big2_32;
 	BN_CTX *ctx;
 	int i;
+	uint32_t *arr;
 
 	tmp = BN_new();
 	big2 = BN_new();
@@ -338,16 +341,35 @@ static int print_bignum(BIGNUM *num, int num_bits)
 	BN_set_word(big32, 32L);
 	BN_exp(big2_32, big2, big32, ctx); /* B = 2^32 */
 
+	arr = malloc(num_bits / 32 * sizeof(uint32_t));
+
 	for (i = 0; i < num_bits / 32; i++) {
 		BN_mod(tmp, num, big2_32, ctx); /* n = N mod B */
-		if (i % 4)
-			fprintf(outfilep, " ");
-		else
-			fprintf(outfilep, "\n\t");
-		fprintf(outfilep, "0x%08lx,", BN_get_word(tmp));
+		arr[i] = BN_get_word(tmp);
 		BN_rshift(num, num, 32); /*  N = N/B */
 	}
 
+	if (dts) {
+		for (i = 0; i < num_bits / 32; i++) {
+			if (i % 4)
+				fprintf(outfilep, " ");
+			else
+				fprintf(outfilep, "\n\t\t\t\t");
+			fprintf(outfilep, "0x%08x", arr[num_bits / 32 - 1 - i]);
+			BN_rshift(num, num, 32); /*  N = N/B */
+		}
+	} else {
+		for (i = 0; i < num_bits / 32; i++) {
+			if (i % 4)
+				fprintf(outfilep, " ");
+			else
+				fprintf(outfilep, "\n\t");
+			fprintf(outfilep, "0x%08x,", arr[i]);
+			BN_rshift(num, num, 32); /*  N = N/B */
+		}
+	}
+
+	free(arr);
 	BN_free(tmp);
 	BN_free(big2);
 	BN_free(big32);
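Review bot: The `malloc()` added at the top of the hunk is never checked, so a failed allocation dereferences NULL at `arr[i] = BN_get_word(tmp);` in the first loop; test it before the loop and route the failure through the same BN_free sequence at the bottom of the hunk, since the BIGNUMs allocated above are still live at that point. The `BN_rshift(num, num, 32);` calls inside both output loops are now dead code: the first loop already shifted `num` down to zero and the printing reads `arr`, so they should be dropped rather than left suggesting the output still depends on `num`. `arr[i]` is a `uint32_t` printed with `0x%08x`; `"0x%08" PRIx32` would pin the specifier to the type. print_bignum starts outside this hunk.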
@@ -404,25 +426,42 @@ static int gen_key(const char *keyname, const char *path)
 
 	bits = BN_num_bits(modulus);
 
-	fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
-	print_bignum(modulus, bits);
-	fprintf(outfilep, "\n};\n\n");
-
-	fprintf(outfilep, "static uint32_t %s_rr[] = {", key_name_c);
-	print_bignum(r_squared, bits);
-	fprintf(outfilep, "\n};\n\n");
-
-	fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
-	fprintf(outfilep, "\t.len = %d,\n", bits / 32);
-	fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
-	fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
-	fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
-	fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
-	fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
-	fprintf(outfilep, "};\n\n");
-
-	fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
-	       key_name_c, key_name_c, key_name_c);
+	if (dts) {
+		fprintf(outfilep, "\t\tkey-%s {\n", key_name_c);
+		fprintf(outfilep, "\t\t\trsa,r-squared = <");
+		print_bignum(r_squared, bits);
+		fprintf(outfilep, ">;\n");
+		fprintf(outfilep, "\t\t\trsa,modulus= <");
+		print_bignum(modulus, bits);
+		fprintf(outfilep, ">;\n");
+		fprintf(outfilep, "\t\t\trsa,exponent = <0x%0lx 0x%lx>;\n",
+			(exponent >> 32) & 0xffffffff,
+			exponent & 0xffffffff);
+		fprintf(outfilep, "\t\t\trsa,n0-inverse = <0x%0x>;\n", n0_inv);
+		fprintf(outfilep, "\t\t\trsa,num-bits = <0x%0x>;\n", bits);
+		fprintf(outfilep, "\t\t\tkey-name-hint = \"%s\";\n", key_name_c);
+		fprintf(outfilep, "\t\t};\n");
+	} else {
+		fprintf(outfilep, "\nstatic uint32_t %s_modulus[] = {", key_name_c);
+		print_bignum(modulus, bits);
+		fprintf(outfilep, "\n};\n\n");
+
+		fprintf(outfilep, "static uint32_t %s_rr[] = {", key_name_c);
+		print_bignum(r_squared, bits);
+		fprintf(outfilep, "\n};\n\n");
+
+		fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+		fprintf(outfilep, "\t.len = %d,\n", bits / 32);
+		fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
+		fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
+		fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
+		fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
+		fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
+		fprintf(outfilep, "};\n\n");
+
+		fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
+			key_name_c, key_name_c, key_name_c);
+	}
 
 	return 0;
 }
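Review bot: The new `rsa,exponent` line prints `(exponent >> 32) & 0xffffffff` and `exponent & 0xffffffff`, which are still `uint64_t`, with `%0lx`, so it only matches where `long` is 64 bits — the same portability problem the C branch already has with `.exponent = 0x%0lx`. Casting the halves makes the format exact: `fprintf(outfilep, "\t\t\trsa,exponent = <0x%08" PRIx32 " 0x%08" PRIx32 ">;\n", (uint32_t)(exponent >> 32), (uint32_t)exponent);` (with `<inttypes.h>`). The dts branch writes `key-name-hint` from `key_name_c` while the C branch writes `.key_name_hint = "%s"` from `keyname`; if `key_name_c` is a sanitised form of `keyname` (its derivation is outside the hunk), the two output formats disagree on the hint an image must carry, which matters because the hint is what the verifier matches on. `rsa,modulus= <` is also missing the space before `=` that the sibling properties have.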
@@ -435,11 +474,14 @@ int main(int argc, char *argv[])
 
 	outfilep = stdout;
 
-	while ((opt = getopt(argc, argv, "o:")) > 0) {
+	while ((opt = getopt(argc, argv, "o:d")) > 0) {
 		switch (opt) {
 		case 'o':
 			outfile = optarg;
 			break;
+		case 'd':
+			dts = 1;
+			break;
 		}
 	}
 
@@ -457,6 +499,12 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 
+	if (dts) {
+		fprintf(outfilep, "/dts-v1/;\n");
+		fprintf(outfilep, "/ {\n");
+		fprintf(outfilep, "\tsignature {\n");
+	}
+
 	for (i = optind; i < argc; i++) {
 		keyname = argv[i];
 
@@ -484,5 +532,10 @@ int main(int argc, char *argv[])
 		gen_key(keyname, path);
 	}
 
+	if (dts) {
+		fprintf(outfilep, "\t};\n");
+		fprintf(outfilep, "};\n");
+	}
+
 	exit(0);
 }
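Review bot: The closing `\t};` / `};` lines are emitted regardless of whether every `gen_key(keyname, path);` in the loop above succeeded, and that call still discards its return value, so a key that failed to convert yields a well-formed `/signature` node that silently lacks the key while the tool exits 0. In dts mode a downstream dtc or build step would presumably accept such output, whereas a truncated C file at least fails to compile. Propagate the failure, `if (gen_key(keyname, path)) exit(1);`, in the loop body, which starts outside this hunk.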
-- 
2.30.2



* [PATCH 3/8] crypto: simplify $(srctree)/ handling and remove config_filename macro
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

The config_filename macro has been dropped from mainline in
b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove
config_filename macro"). Adopt the mechanism it has been replaced with
for barebox.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 crypto/Makefile        | 12 ++++++++---
 scripts/Kbuild.include | 49 ------------------------------------------
 2 files changed, 9 insertions(+), 52 deletions(-)

diff --git a/crypto/Makefile b/crypto/Makefile
index be0f79d4e3..7e67f58bc7 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -25,7 +25,13 @@ extra-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsa-keys.h
 ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
 
 $(obj)/rsa.o: $(obj)/rsa-keys.h
-$(eval $(call config_filename,CRYPTO_RSA_KEY))
-$(obj)/rsa-keys.h: FORCE
-	$(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CRYPTO_RSA_KEY_SRCPREFIX)$(CRYPTO_RSA_KEY_FILENAME))
+
+CONFIG_CRYPTO_RSA_KEY := $(CONFIG_CRYPTO_RSA_KEY:"%"=%)
+
+ifneq ($(filter-out pkcs11:%, $(CONFIG_CRYPTO_RSA_KEY)),)
+RSA_DEP := $(CONFIG_CRYPTO_RSA_KEY)
+endif
+
+$(obj)/rsa-keys.h: $(RSA_DEP) FORCE
+	$(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(if $(RSA_DEP),$<,$(CONFIG_CRYPTO_RSA_KEY)))
 endif
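Review bot: The new rule depends on `$(CONFIG_CRYPTO_RSA_KEY)` verbatim, so a relative key path only resolves in an out-of-tree (`O=`) build if make finds it through VPATH; the removed `config_filename` macro handled that case explicitly by prefixing `$(srctree)/`. The kernel change this adopts relies on the top-level Makefile setting `VPATH := $(srctree)`; confirm barebox does the same, otherwise `$<` resolves against the build directory and the rule fails for in-tree key files. The `:"%"=%` substitution strips only the surrounding quotes, so a key path containing spaces or escaped quotes, which the old macro unescaped, is no longer supported; a comment noting that limitation above the `ifneq` would save the next reader a trip to the kernel commit.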
diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
index ab092e455c..eeb459f8fa 100644
--- a/scripts/Kbuild.include
+++ b/scripts/Kbuild.include
@@ -262,55 +262,6 @@ why =                                                                        \
 echo-why = $(call escsq, $(strip $(why)))
 endif
 
-###############################################################################
-#
-# When a Kconfig string contains a filename, it is suitable for
-# passing to shell commands. It is surrounded by double-quotes, and
-# any double-quotes or backslashes within it are escaped by
-# backslashes.
-#
-# This is no use for dependencies or $(wildcard). We need to strip the
-# surrounding quotes and the escaping from quotes and backslashes, and
-# we *do* need to escape any spaces in the string. So, for example:
-#
-# Usage: $(eval $(call config_filename,FOO))
-#
-# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option,
-# transformed as described above to be suitable for use within the
-# makefile.
-#
-# Also, if the filename is a relative filename and exists in the source
-# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to
-# be prefixed to *both* command invocation and dependencies.
-#
-# Note: We also print the filenames in the quiet_cmd_foo text, and
-# perhaps ought to have a version specially escaped for that purpose.
-# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good
-# enough.  It'll strip the quotes in the common case where there's no
-# space and it's a simple filename, and it'll retain the quotes when
-# there's a space. There are some esoteric cases in which it'll print
-# the wrong thing, but we don't really care. The actual dependencies
-# and commands *do* get it right, with various combinations of single
-# and double quotes, backslashes and spaces in the filenames.
-#
-###############################################################################
-#
-define config_filename
-ifneq ($$(CONFIG_$(1)),"")
-$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1)))))))
-ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME)))
-else
-ifeq ($$(wildcard $$($(1)_FILENAME)),)
-ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),)
-$(1)_SRCPREFIX := $(srctree)/
-endif
-endif
-endif
-endif
-endef
-#
-###############################################################################
-
 # delete partially updated (i.e. corrupted) files on error
 .DELETE_ON_ERROR:
 
-- 
2.30.2



* [PATCH 4/8] rsa: Collect keys on list
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Currently there is no way to iterate over all available RSA keys.
This patch collects all keys on a list so we can add an iterator
in the next step.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/image-fit.c | 25 ++----------
 crypto/rsa.c       | 97 ++++++++++++++++++++++++++++++++++++++--------
 include/rsa.h      |  3 +-
 3 files changed, 86 insertions(+), 39 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 38a372ff52..152d066f47 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -255,10 +255,8 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
 static int fit_check_rsa_signature(struct device_node *sig_node,
 				   enum hash_algo algo, void *hash)
 {
-	struct rsa_public_key *key;
+	const struct rsa_public_key *key;
 	const char *key_name;
-	char *key_path;
-	struct device_node *key_node;
 	int sig_len;
 	const char *sig_value;
 	int ret;
@@ -275,22 +273,9 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 	}
 
 	key = rsa_get_key(key_name);
-	if (IS_ERR(key)) {
-		key_path = xasprintf("/signature/key-%s", key_name);
-		key_node = of_find_node_by_path(key_path);
-		if (!key_node) {
-			pr_info("failed to find key node %s\n", key_path);
-			free(key_path);
-			return -ENOENT;
-		}
-		free(key_path);
-
-		key = rsa_of_read_key(key_node);
-
-		if (IS_ERR(key)) {
-			pr_info("failed to read key in %s\n", key_node->full_name);
-			return -ENOENT;
-		}
+	if (!key) {
+		pr_err("No such key: %s\n", key_name);
+		return -ENOENT;
 	}
 
 	ret = rsa_verify(key, sig_value, sig_len, hash, algo);
@@ -299,8 +284,6 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 	else
 		pr_info("image signature OK\n");
 
-	rsa_key_free(key);
-
 	return ret;
 }
 
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 1aea738e52..4e2d463b54 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -388,8 +388,13 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node)
 	struct rsa_public_key *key;
 	int err;
 
+	if (strncmp(node->name, "key-", 4))
+		return ERR_PTR(-EINVAL);
+
 	key = xzalloc(sizeof(*key));
 
+	key->key_name_hint = xstrdup(node->name + 4);
+
 	of_property_read_u32(node, "rsa,num-bits", &key->len);
 	of_property_read_u32(node, "rsa,n0-inverse", &key->n0inv);
 
@@ -439,35 +444,93 @@ void rsa_key_free(struct rsa_public_key *key)
 	free(key);
 }
 
-#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
-#include "rsa-keys.h"
-
-extern const struct rsa_public_key * const __rsa_keys_start;
-extern const struct rsa_public_key * const __rsa_keys_end;
+static LIST_HEAD(rsa_keys);
 
-struct rsa_public_key *rsa_get_key(const char *name)
+const struct rsa_public_key *rsa_get_key(const char *name)
 {
 	const struct rsa_public_key *key;
-	struct rsa_public_key *new;
-	const struct rsa_public_key * const *iter;
 
-	for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
-		key = *iter;
-		if (!strcmp(name, key->key_name_hint))
-			goto found;
+	list_for_each_entry(key, &rsa_keys, list) {
+		if (!strcmp(key->key_name_hint, name))
+			return key;
 	}
 
-	return ERR_PTR(-ENOENT);
-found:
+	return NULL;
+}
+
+static int rsa_key_add(struct rsa_public_key *key)
+{
+	if (rsa_get_key(key->key_name_hint))
+		return -EEXIST;
+
+	list_add_tail(&key->list, &rsa_keys);
+
+	return 0;
+}
+
+static struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key)
+{
+	struct rsa_public_key *new;
+
 	new = xmemdup(key, sizeof(*key));
 	new->modulus = xmemdup(key->modulus, key->len * sizeof(uint32_t));
 	new->rr = xmemdup(key->rr, key->len  * sizeof(uint32_t));
 
 	return new;
 }
-#else
-struct rsa_public_key *rsa_get_key(const char *name)
+
+extern const struct rsa_public_key * const __rsa_keys_start;
+extern const struct rsa_public_key * const __rsa_keys_end;
+
+static void rsa_init_keys_of(void)
 {
-	return ERR_PTR(-ENOENT);
+	struct device_node *sigs, *sig;
+	struct rsa_public_key *key;
+	int ret;
+
+	if (!IS_ENABLED(CONFIG_OFTREE))
+		return;
+
+	sigs = of_find_node_by_path("/signature");
+	if (!sigs)
+		return;
+
+	for_each_child_of_node(sigs, sig) {
+		key = rsa_of_read_key(sig);
+		if (IS_ERR(key)) {
+			pr_err("Cannot read rsa key from %s: %pe\n",
+			       sig->full_name, key);
+			continue;
+		}
+
+		ret = rsa_key_add(key);
+		if (ret)
+			pr_err("Cannot add rsa key %s: %s\n",
+				key->key_name_hint, strerror(-ret));
+	}
 }
+
+static int rsa_init_keys(void)
+{
+	const struct rsa_public_key * const *iter;
+	struct rsa_public_key *key;
+	int ret;
+
+	for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
+		key = rsa_key_dup(*iter);
+		ret = rsa_key_add(key);
+		if (ret)
+			pr_err("Cannot add rsa key %s: %s\n",
+			       key->key_name_hint, strerror(-ret));
+	}
+
+	rsa_init_keys_of();
+
+	return 0;
+}
+
+device_initcall(rsa_init_keys);
+
+#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+#include "rsa-keys.h"
 #endif
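Review bot: Both registration loops leak on failure: in `rsa_init_keys()` the key returned by `rsa_key_dup()` is never released when `rsa_key_add()` returns `-EEXIST`, and `rsa_init_keys_of()` likewise drops the key from `rsa_of_read_key()`; add `rsa_key_free(key);` after each `pr_err()`. The registration order is a trust property and deserves a comment: built-in keys are added before device-tree keys and `rsa_key_add()` refuses duplicates, so a `/signature/key-*` node can never replace a compiled-in key of the same name — state that above `rsa_init_keys()` so a later reordering does not silently change it. The `extern __rsa_keys_start/__rsa_keys_end` declarations are now unconditional; if the linker script only provides those symbols with `CONFIG_CRYPTO_RSA_BUILTIN_KEYS`, the link fails when it is off, which this hunk cannot show. `rsa_init_keys_of()` also logs every child of `/signature` that is not a `key-*` node as an error, because `rsa_of_read_key()` now rejects them with `-EINVAL`; skipping such nodes quietly would be friendlier.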
diff --git a/include/rsa.h b/include/rsa.h
index 803660d19a..4ef16ea5a8 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -29,6 +29,7 @@ struct rsa_public_key {
 	uint32_t *rr;		/* R^2 as little endian array */
 	uint64_t exponent;	/* public exponent */
 	char *key_name_hint;
+	struct list_head list;
 };
 
 /**
@@ -52,6 +53,6 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
 
 struct rsa_public_key *rsa_of_read_key(struct device_node *node);
 void rsa_key_free(struct rsa_public_key *key);
-struct rsa_public_key *rsa_get_key(const char *name);
+const struct rsa_public_key *rsa_get_key(const char *name);
 
 #endif
-- 
2.30.2



* [PATCH 5/8] rsa: Add iterator for rsa keys
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 crypto/rsa.c  | 9 +++++++++
 include/rsa.h | 4 ++++
 2 files changed, 13 insertions(+)

diff --git a/crypto/rsa.c b/crypto/rsa.c
index 4e2d463b54..2eeb9984b1 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -446,6 +446,15 @@ void rsa_key_free(struct rsa_public_key *key)
 
 static LIST_HEAD(rsa_keys);
 
+const struct rsa_public_key *rsa_key_next(const struct rsa_public_key *prev)
+{
+	prev = list_prepare_entry(prev, &rsa_keys, list);
+	list_for_each_entry_continue(prev, &rsa_keys, list)
+		return prev;
+
+	return NULL;
+}
+
 const struct rsa_public_key *rsa_get_key(const char *name)
 {
 	const struct rsa_public_key *key;
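Review bot: `rsa_key_next()` is a public iterator with no comment describing its contract; add above it `/* Return the key registered after @prev, or the first key when @prev is NULL; NULL once the list is exhausted. */`. The `list_for_each_entry_continue` loop that returns on its first iteration is correct but reads as a search; `list_is_last()` plus `list_next_entry()`, if barebox's list.h provides them, would state the intent directly. The `for_each_rsa_key()` macro in the matching include/rsa.h hunk needs the same comment and should parenthesise `(key)` in its expansion. As of patch 4/8 the list is only appended to from a `device_initcall`, so lock-free iteration is fine, but that assumption belongs in the comment too.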
diff --git a/include/rsa.h b/include/rsa.h
index 4ef16ea5a8..650fb234f2 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -55,4 +55,8 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node);
 void rsa_key_free(struct rsa_public_key *key);
 const struct rsa_public_key *rsa_get_key(const char *name);
 
+const struct rsa_public_key *rsa_key_next(const struct rsa_public_key *prev);
+
+#define for_each_rsa_key(key) \
+		for (key = rsa_key_next(NULL); key; key = rsa_key_next(key))
 #endif
-- 
2.30.2



* [PATCH 6/8] rsa: Add pr_fmt and use pr_debug
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Add pr_fmt to print more context and use pr_debug consistently.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 crypto/rsa.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/crypto/rsa.c b/crypto/rsa.c
index 2eeb9984b1..6d23ecb11c 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -5,6 +5,7 @@
  *
  * SPDX-License-Identifier:	GPL-2.0+
  */
+#define pr_fmt(fmt) "rsa: " fmt
 
 #include <common.h>
 #include <malloc.h>
@@ -184,8 +185,8 @@ static int pow_mod(const struct rsa_public_key *key, void *__inout)
 
 	/* Sanity check for stack size - key->len is in 32-bit words */
 	if (key->len > RSA_MAX_KEY_BITS / 32) {
-		debug("RSA key words %u exceeds maximum %d\n", key->len,
-		      RSA_MAX_KEY_BITS / 32);
+		pr_debug("RSA key words %u exceeds maximum %d\n", key->len,
+			 RSA_MAX_KEY_BITS / 32);
 		return -EINVAL;
 	}
 
@@ -199,13 +200,13 @@ static int pow_mod(const struct rsa_public_key *key, void *__inout)
 		return -EINVAL;
 
 	if (k < 2) {
-		debug("Public exponent is too short (%d bits, minimum 2)\n",
-		      k);
+		pr_debug("Public exponent is too short (%d bits, minimum 2)\n",
+			 k);
 		return -EINVAL;
 	}
 
 	if (!is_public_exponent_bit_set(key, 0)) {
-		debug("LSB of RSA public exponent must be set.\n");
+		pr_debug("LSB of RSA public exponent must be set.\n");
 		return -EINVAL;
 	}
 
@@ -317,7 +318,7 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
 		return -EOPNOTSUPP;
 
 	if (sig_len != (key->len * sizeof(uint32_t))) {
-		debug("Signature is of incorrect length %u, should be %zu\n", sig_len,
+		pr_debug("Signature is of incorrect length %u, should be %zu\n", sig_len,
 				key->len * sizeof(uint32_t));
 		ret = -EINVAL;
 		goto out_free_digest;
@@ -325,8 +326,8 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
 
 	/* Sanity check for stack size */
 	if (sig_len > RSA_MAX_SIG_BITS / 8) {
-		debug("Signature length %u exceeds maximum %d\n", sig_len,
-		      RSA_MAX_SIG_BITS / 8);
+		pr_debug("Signature length %u exceeds maximum %d\n", sig_len,
+			 RSA_MAX_SIG_BITS / 8);
 		ret = -EINVAL;
 		goto out_free_digest;
 	}
@@ -408,15 +409,15 @@ struct rsa_public_key *rsa_of_read_key(struct device_node *node)
 	rr = of_get_property(node, "rsa,r-squared", NULL);
 
 	if (!key->len || !modulus || !rr) {
-		debug("%s: Missing RSA key info", __func__);
+		pr_debug("%s: Missing RSA key info", __func__);
 		err = -EFAULT;
 		goto out;
 	}
 
 	/* Sanity check for stack size */
 	if (key->len > RSA_MAX_KEY_BITS || key->len < RSA_MIN_KEY_BITS) {
-		debug("RSA key bits %u outside allowed range %d..%d\n",
-		      key->len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
+		pr_debug("RSA key bits %u outside allowed range %d..%d\n",
+			 key->len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
 		err = -EFAULT;
 		goto out;
 	}
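Review bot: The rewritten `pr_debug("%s: Missing RSA key info", __func__);` still lacks the trailing `\n` every other message in the hunk has, so with the new `"rsa: "` prefix the next log line is glued onto it; make it `pr_debug("%s: Missing RSA key info\n", __func__);`. Now that `pr_fmt` supplies a subsystem prefix, the `%s: ` / `__func__` in this one message is the only per-function prefix left in the file's messages and could be dropped for consistency.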
-- 
2.30.2



* [PATCH 7/8] rsa: Turn error messages into debug messages
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 crypto/rsa.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/rsa.c b/crypto/rsa.c
index 6d23ecb11c..e97e5192ab 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -342,27 +342,27 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
 
 	PS_end = T_offset - 1;
 	if (buf[PS_end] != 0x00) {
-		pr_err(" = -EBADMSG [EM[T-1] == %02u]\n", buf[PS_end]);
+		pr_debug(" = -EBADMSG [EM[T-1] == %02u]\n", buf[PS_end]);
 		ret = -EBADMSG;
 		goto out_free_digest;
 	}
 
 	for (i = 2; i < PS_end; i++) {
 		if (buf[i] != 0xff) {
-			pr_err(" = -EBADMSG [EM[PS%x] == %02u]\n", i - 2, buf[i]);
+			pr_debug(" = -EBADMSG [EM[PS%x] == %02u]\n", i - 2, buf[i]);
 			ret = -EBADMSG;
 			goto out_free_digest;
 		}
 	}
 
 	if (memcmp(asn1_template, buf + T_offset, asn1_size) != 0) {
-		pr_err(" = -EBADMSG [EM[T] ASN.1 mismatch]\n");
+		pr_debug(" = -EBADMSG [EM[T] ASN.1 mismatch]\n");
 		ret = -EBADMSG;
 		goto out_free_digest;
 	}
 
 	if (memcmp(hash, buf + T_offset + asn1_size, digest_length(d)) != 0) {
-		pr_err(" = -EKEYREJECTED [EM[T] hash mismatch]\n");
+		pr_debug(" = -EKEYREJECTED [EM[T] hash mismatch]\n");
 		ret = -EKEYREJECTED;
 		goto out_free_digest;
 	}
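Review bot: The commit carries no description, yet demoting these four PKCS#1 v1.5 padding and digest checks from `pr_err` to `pr_debug` removes the only diagnostics that tell a malformed encoded message apart from a wrong key; the rationale — presumably that the multi-key fallback in patch 8/8 would otherwise print one error per key tried — should be stated in the commit message. Callers still receive `-EBADMSG` versus `-EKEYREJECTED`, so the distinction is not lost to code, but the failing-check detail is now only visible in debug builds; if that is intended, a comment above the first check, e.g. `/* Padding/digest mismatches are expected while trying several keys; keep them at debug level. */`, records it in the code as well. `rsa_verify` starts and ends outside this hunk.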
-- 
2.30.2



* [PATCH 8/8] fit: try other keys as fallback
@ 2022-05-04 13:14 ` Sascha Hauer
From: Sascha Hauer @ 2022-05-04 13:14 UTC (permalink / raw)
  To: Barebox List

So far the rsa key and the image signature must have a matching
key-name-hint. Relax that by trying other available keys when
the key-name-hints don't match or when the matching key can't verify
the signature.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/image-fit.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 152d066f47..a410632d70 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -256,7 +256,7 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 				   enum hash_algo algo, void *hash)
 {
 	const struct rsa_public_key *key;
-	const char *key_name;
+	const char *key_name = NULL;
 	int sig_len;
 	const char *sig_value;
 	int ret;
@@ -267,24 +267,32 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 		return -EINVAL;
 	}
 
-	if (of_property_read_string(sig_node, "key-name-hint", &key_name)) {
-		pr_err("key name not found in %s\n", sig_node->full_name);
-		return -EINVAL;
+	of_property_read_string(sig_node, "key-name-hint", &key_name);
+	if (key_name) {
+		key = rsa_get_key(key_name);
+		if (key) {
+			ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+			if (!ret)
+				goto ok;
+		}
 	}
 
-	key = rsa_get_key(key_name);
-	if (!key) {
-		pr_err("No such key: %s\n", key_name);
-		return -ENOENT;
+	for_each_rsa_key(key) {
+		if (key_name && !strcmp(key->key_name_hint, key_name))
+			continue;
+
+		ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+		if (!ret)
+			goto ok;
 	}
 
-	ret = rsa_verify(key, sig_value, sig_len, hash, algo);
-	if (ret)
-		pr_err("image signature BAD\n");
-	else
-		pr_info("image signature OK\n");
+	pr_err("image signature BAD\n");
 
-	return ret;
+	return -EBADMSG;
+ok:
+	pr_info("image signature OK\n");
+
+	return 0;
 }
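Review bot: The fallback loop turns `key-name-hint` into an advisory: any registered key, including every `/signature/key-*` node from the device tree, may now validate any image, so the hint no longer separates keys by purpose; that is the stated intent, but it should be written above the function, e.g. `/* key-name-hint only selects which key is tried first; every registered key is trusted to verify any image. */`, because deployments that used the hint as a policy boundary lose it here. The return value collapses every failure into `-EBADMSG`: a missing hint, an empty key list (`for_each_rsa_key` never entering the loop) and an unsupported hash (`rsa_verify` returning `-EOPNOTSUPP`) all print `image signature BAD`, which misleads the operator; keep the last `rsa_verify()` result and return `-ENOKEY` when no key was tried at all. `pr_info("image signature OK\n")` would be more useful with the verifying key's `key_name_hint`, now that it may not be the hinted one. Ignoring the return of `of_property_read_string` is fine only because the first hunk pre-sets `key_name` to NULL; a comment on that line would keep the two from drifting apart.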
 
 /*
-- 
2.30.2


