
On Mon, Feb 17, 2020 at 10:42:41AM +0900, AKASHI Takahiro wrote:
Hi Tom,
On Fri, Feb 14, 2020 at 07:29:37AM -0500, Tom Rini wrote:
On Mon, Jan 27, 2020 at 07:27:33PM +0900, AKASHI Takahiro wrote:
# This patch set is a prerequisite for UEFI secure boot.
The current rsa_verify() requires five parameters for an RSA public key for efficiency while RSA, in theory, requires only two. In addition, those parameters are expected to come from a FIT image.
So this function won't fit very well when we want to use it for the purpose of implementing UEFI secure boot, in particular, image authentication as well as variable authentication, where the essential two parameters are set to be retrieved from one of the X509 certificates in the signature database.
So, in this patch, the three additional parameters will be calculated on the fly when rsa_verify() is called without the fdt, which should contain the parameters above.
This calculation heavily relies on "big-number (or multi-precision) library." Therefore some routines from BearSSL[1] under MIT license are imported in this implementation. See Patch#4.
# Please let me know if this is not appropriate.
Prerequisite:
- public key parser in my "import x509/pkcs7 parser" patch[2]
# Checkpatch will complain with lots of warnings/errors, but
# I intentionally don't fix them for maximum maintainability.
[1] https://bearssl.org/
[2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
At this point it needs to be rebased again. There's a ton of failures in https://gitlab.denx.de/u-boot/u-boot/pipelines/2198 which is after I
I think that you have wrongly merged my rsa extension patch here. Looking at your modified commit, https://gitlab.denx.de/u-boot/u-boot/commit/13fb61ce20dcd65cd4ccba1554eca634... there is one missing hunk from my original. Please revert the change in include/image.h and then apply a diff attached below.
Please rebase and repost the series.
did https://gitlab.denx.de/u-boot/u-boot/commit/7db0379f85995d8c7673db7b04eb36d9... and I'll put a proper commit message on that later today and post it and CC relevant parties.
I believe that your commit above has nothing to do with my patch (and test failures).
I'll re-confirm things then with the next post.
It's otherwise looking good. I do want to confirm that on boards like minnowmax the slight growth in fit_image_check_sig is expected. It's only 6 bytes so it probably is and we get a larger reduction in rsa_verify all-around.
Growth due to my patch??
Unless it's something else I mis-merged, yes. But given the area this series works on, it's not unexpected growth.
Thanks!
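
The cover letter above says the three extra key parameters can be computed from the two essential ones. The following is an added example, not code from the thread or the patch set, showing that derivation and how a word-based verifier uses the result. It assumes the three values are the key length in bits, the negated inverse of the modulus' low 32-bit word, and R^2 mod n (the thread does not name them); `num_bits`, `n0inv`, `rr` and the sample key are constructed for illustration.

```python
# Added example: Montgomery helper values derived from an RSA public key (n, e).
# Names num_bits, n0inv and rr are this example's assumptions, not the patch's.
WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1

# Constructed sample key: product of two Mersenne primes, far too small for real use.
SAMPLE_N = (2**61 - 1) * (2**89 - 1)
SAMPLE_E = 65537


def derive_params(n):
    """Return (num_bits, n0inv, rr) computed from the modulus alone."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("RSA modulus must be a positive odd integer")
    # Round the key length up to whole 32-bit words.
    num_bits = -(-n.bit_length() // WORD_BITS) * WORD_BITS
    # -1 / n[0] mod 2^32 (three-argument pow with -1 needs Python 3.8+).
    n0inv = (-pow(n, -1, 1 << WORD_BITS)) & WORD_MASK
    # R^2 mod n with R = 2^num_bits; used to enter Montgomery form.
    rr = pow(1 << num_bits, 2, n)
    return num_bits, n0inv, rr


def mont_mul(a, b, n, n0inv, num_bits):
    """Return a*b/R mod n, reducing one 32-bit word per iteration."""
    t = a * b
    for _ in range(num_bits // WORD_BITS):
        m = ((t & WORD_MASK) * n0inv) & WORD_MASK  # zeroes the low word of t + m*n
        t = (t + m * n) >> WORD_BITS
    return t - n if t >= n else t


def rsa_public_op(sig, n, e):
    """Compute sig^e mod n using only (n, e) plus the derived parameters."""
    if not 0 <= sig < n:
        raise ValueError("signature value must be in [0, n)")
    num_bits, n0inv, rr = derive_params(n)
    base = mont_mul(sig, rr, n, n0inv, num_bits)  # sig * R mod n
    acc = mont_mul(1, rr, n, n0inv, num_bits)     # R mod n, i.e. Montgomery "1"
    for bit in bin(e)[2:]:                        # left-to-right square and multiply
        acc = mont_mul(acc, acc, n, n0inv, num_bits)
        if bit == "1":
            acc = mont_mul(acc, base, n, n0inv, num_bits)
    return mont_mul(acc, 1, n, n0inv, num_bits)   # leave Montgomery form
```

The result still has to be compared against the expected padded digest; this block covers only the modular exponentiation that the derived parameters speed up.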