
Hi Alexandru,
On Tue, 16 Mar 2021 at 13:24, Alexandru Gagniuc mr.nuke.me@gmail.com wrote:
Prepare the source tree for accepting implementations of the ECDSA algorithm. This patch deals with the boring aspects of Makefiles and Kconfig files.
Signed-off-by: Alexandru Gagniuc mr.nuke.me@gmail.com
include/image.h | 10 +++++-----
include/u-boot/rsa.h | 2 +-
lib/Kconfig | 1 +
lib/Makefile | 1 +
lib/ecdsa/Kconfig | 23 +++++++++++++++++++++++
lib/ecdsa/Makefile | 1 +
lib/ecdsa/ecdsa-verify.c | 13 +++++++++++++
7 files changed, 45 insertions(+), 6 deletions(-)
create mode 100644 lib/ecdsa/Kconfig
create mode 100644 lib/ecdsa/Makefile
create mode 100644 lib/ecdsa/ecdsa-verify.c
diff --git a/include/image.h b/include/image.h
index b5bcf08e61..800d981f03 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1219,20 +1219,20 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 #if defined(USE_HOSTCC)
 # if defined(CONFIG_FIT_SIGNATURE)
 # define IMAGE_ENABLE_SIGN 1
-# define IMAGE_ENABLE_VERIFY 1
+# define IMAGE_ENABLE_VERIFY_RSA 1
 # define IMAGE_ENABLE_VERIFY_ECDSA 1
 # define FIT_IMAGE_ENABLE_VERIFY 1
 # include <openssl/evp.h>
 # else
 # define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY 0
+# define IMAGE_ENABLE_VERIFY_RSA 0
 # define IMAGE_ENABLE_VERIFY_ECDSA 0
 # define FIT_IMAGE_ENABLE_VERIFY 0
 # endif
 #else
 # define IMAGE_ENABLE_SIGN 0
-# define IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(RSA_VERIFY)
-# define IMAGE_ENABLE_VERIFY_ECDSA 0
+# define IMAGE_ENABLE_VERIFY_RSA CONFIG_IS_ENABLED(RSA_VERIFY)
+# define IMAGE_ENABLE_VERIFY_ECDSA CONFIG_IS_ENABLED(ECDSA_VERIFY)
 # define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
 #endif
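Review bot: Renaming `IMAGE_ENABLE_VERIFY` to `IMAGE_ENABLE_VERIFY_RSA` in this hunk means any user of the old name outside this patch now tests an undefined macro, and inside an `#if` that silently evaluates to 0 and compiles the verification path out instead of breaking the build. The diffstat shows only `include/image.h` and `include/u-boot/rsa.h` switching guards, so it is worth confirming that no other `#if IMAGE_ENABLE_VERIFY` is left in the tree; a build with `-Wundef` would surface one. A short comment above the block would also help, for example `/* IMAGE_ENABLE_VERIFY_RSA / IMAGE_ENABLE_VERIFY_ECDSA: per-algorithm verifiers; FIT_IMAGE_ENABLE_VERIFY: follows FIT_SIGNATURE */`.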
@@ -1288,7 +1288,7 @@ struct image_region {
 int size;
 };
-#if IMAGE_ENABLE_VERIFY
+#if FIT_IMAGE_ENABLE_VERIFY
 # include <u-boot/hash-checksum.h>
 #endif
 struct checksum_algo {
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index bed1c097c2..eb258fca4c 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -81,7 +81,7 @@ static inline int rsa_add_verify_data(struct image_sign_info *info,
 }
 #endif
-#if IMAGE_ENABLE_VERIFY
+#if IMAGE_ENABLE_VERIFY_RSA
 /**
- rsa_verify_hash() - Verify a signature against a hash
diff --git a/lib/Kconfig b/lib/Kconfig index 7288340614..48895e4e4f 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -295,6 +295,7 @@ config AES supported by the algorithm but only a 128-bit key is supported at present.
+source lib/ecdsa/Kconfig
 source lib/rsa/Kconfig
 source lib/crypto/Kconfig
diff --git a/lib/Makefile b/lib/Makefile
index 1d4b7d3aad..de55914f52 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -59,6 +59,7 @@ endif
obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/
 obj-$(CONFIG_$(SPL_)MD5) += md5.o
+obj-$(CONFIG_ECDSA) += ecdsa/
 obj-$(CONFIG_$(SPL_)RSA) += rsa/
 obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
 obj-$(CONFIG_SHA1) += sha1.o
diff --git a/lib/ecdsa/Kconfig b/lib/ecdsa/Kconfig
new file mode 100644
index 0000000000..1244d6b6ea
--- /dev/null
+++ b/lib/ecdsa/Kconfig
@@ -0,0 +1,23 @@
+config ECDSA
bool "Enable ECDSA support"
depends on DM
help
This enables the ECDSA algorithm for FIT image verification in U-Boot.
See doc/uImage.FIT/signature.txt for more details.
The ECDSA algorithm is implemented using the driver model. So
CONFIG_DM is required by this library.
ECDSA is enabled for mkimage regardless of this option.
drop extra space before option
Can you write out ECDSA in full once, briefly mention what it is and perhaps a link to more info?
+if ECDSA
+config ECDSA_VERIFY
bool "Enable ECDSA verification support in U-Boot."
help
Allow ECDSA signatures to be recognized and verified in U-Boot.
+config SPL_ECDSA_VERIFY
bool "Enable ECDSA verification support in SPL"
help
Allow ECDSA signatures to be recognized and verified in SPL.
+endif
diff --git a/lib/ecdsa/Makefile b/lib/ecdsa/Makefile
new file mode 100644
index 0000000000..771d6d3135
--- /dev/null
+++ b/lib/ecdsa/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_$(SPL_)ECDSA_VERIFY) += ecdsa-verify.o
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
new file mode 100644
index 0000000000..d2e6a40f4a
--- /dev/null
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
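Review bot: `SPL_ECDSA_VERIFY` in lib/ecdsa/Kconfig carries no dependency of its own, so it becomes selectable whenever `ECDSA` is on, while the `ECDSA` help text says the implementation relies on the driver model and only `DM` is required there. If the SPL verifier also goes through the driver model, which the help text suggests but this patch does not show, the entry probably wants `depends on SPL && SPL_DM`. Without it a board can configure SPL signature verification that has no backing device, and every ECDSA-signed image would then be rejected at boot. The help text could state that requirement in one sentence.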
- Copyright (c) 2020, Alexandru Gagniuc mr.nuke.me@gmail.com
- */
+#include <u-boot/ecdsa.h>
+int ecdsa_verify(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len)
+{
return -EOPNOTSUPP;
+}
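Review bot: The stub `ecdsa_verify()` returns `-EOPNOTSUPP` unconditionally, so it fails closed, but nothing in lib/ecdsa/ecdsa-verify.c records that this is deliberate. A header comment such as `/* Placeholder: no ECDSA backend yet, so every signature is rejected. Any non-zero return means verification failed. */` would guard against a later change that makes the default path succeed. The file includes only `<u-boot/ecdsa.h>`, which is not visible in this patch, so `EOPNOTSUPP` and `uint` presumably arrive through it; including the errno header directly would make that dependency explicit. Since a verifier only reads the signature, `const uint8_t *sig` would be the safer parameter type if the prototype in the header can change with it.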
2.26.2
Regards,
Simon