[PATCH 1/4] doc: signature: update algorithms support description
U-Boot supports more hash and verification algorithms these days.
Signed-off-by: Baruch Siach baruch@tkos.co.il --- doc/uImage.FIT/signature.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index c71280b63bb6..bc123f512f7b 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -42,8 +42,8 @@ device. Algorithms ---------- In principle any suitable algorithm can be used to sign and verify a hash. -At present only one class of algorithms is supported: SHA1 hashing with RSA. -This works by hashing the image to produce a 20-byte hash. +U-Boot supports a few hashing and verification algorithms. See below for +details.
While it is acceptable to bring in large cryptographic libraries such as openssl on the host side (e.g. mkimage), it is not desirable for U-Boot.
U-Boot now uses the U_BOOT_CRYPTO_ALGO() macro.
Signed-off-by: Baruch Siach baruch@tkos.co.il --- doc/uImage.FIT/signature.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index bc123f512f7b..b6707417ff63 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -56,10 +56,10 @@ of data from the FDT and exponentiation mod n. Code size impact is a little under 5KB on Tegra Seaboard, for example.
It is relatively straightforward to add new algorithms if required. If -another RSA variant is needed, then it can be added to the table in -image-sig.c. If another algorithm is needed (such as DSA) then it can be -placed alongside rsa.c, and its functions added to the table in image-sig.c -also. +another RSA variant is needed, then it can be added with the +U_BOOT_CRYPTO_ALGO() macro. If another algorithm is needed (such as DSA) then +it can be placed in a directory alongside lib/rsa/, and its functions added +using U_BOOT_CRYPTO_ALGO().
Creating an RSA key pair and certificate
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
U-Boot now uses the U_BOOT_CRYPTO_ALGO() macro.
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
On 5/3/23 03:28, Simon Glass wrote:
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
U-Boot now uses the U_BOOT_CRYPTO_ALGO() macro.
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
Thanks Baruch for updating the FIT documents.
The information in folder uImage.FIT should be moved to /doc/usage/ except for the its files. A few parts may have to split out into /doc/devel/.
Acked-by: Heinrich Schuchardt xypron.glpk@gmx.de
Signed-off-by: Baruch Siach baruch@tkos.co.il --- doc/uImage.FIT/signature.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index b6707417ff63..240244b30e63 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -439,6 +439,7 @@ be enabled:
CONFIG_FIT_SIGNATURE - enable signing and verification in FITs CONFIG_RSA - enable RSA algorithm for signing +CONFIG_ECDSA - enable ECDSA algorithm for signing
WARNING: When relying on signed FIT images with required signature check the legacy image format is default disabled by not defining
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
Missing commit message
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 1 + 1 file changed, 1 insertion(+)
Reviewed-by: Simon Glass sjg@chromium.org
Since U-Boot supports more RSA/SHA variants, as well as ECDSA, remove these items from the TODO list.
Signed-off-by: Baruch Siach baruch@tkos.co.il --- doc/uImage.FIT/signature.txt | 2 -- 1 file changed, 2 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 240244b30e63..21eb3894aada 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -695,8 +695,6 @@ bootm.
Possible Future Work -------------------- -- Add support for other RSA/SHA variants, such as rsa4096,sha512. -- Other algorithms besides RSA - More sandbox tests for failure modes - Passwords for keys/certificates - Perhaps implement OAEP
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
Since U-Boot supports more RSA/SHA variants, as well as ECDSA, remove these items from the TODO list.
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 2 -- 1 file changed, 2 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
U-Boot supports more hash and verification algorithms these days.
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
Would you be interested in moving this documentation to doc/develop in the rST format?
Regards, Simon
Hi Simon,
On Tue, May 02 2023, Simon Glass wrote:
On Mon, 1 May 2023 at 22:47, Baruch Siach baruch@tkos.co.il wrote:
U-Boot supports more hash and verification algorithms these days.
Signed-off-by: Baruch Siach baruch@tkos.co.il
doc/uImage.FIT/signature.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
Thanks.
Would you be interested in moving this documentation to doc/develop in the rST format?
I hope to find some time to help with that.
baruch
participants (3)
-
Baruch Siach -
Heinrich Schuchardt -
Simon Glass