u-boot-toradex.git/lib/rsa, branch master U-Boot bootloader for Apalis and Colibri modules treewide: fix uImage.FIT document paths 2026-03-27T09:50:29+00:00 Daniel Golle daniel@makrotopia.org 2026-02-27T00:03:29+00:00 72cc446490e74fdf392f5e049cf8fd28d9c6818d Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the documentation in doc/uImage.FIT to doc/usage/fit, subsequently all documents and example sources have been converted to reStructuredText. Fix (almost) all of the remaining occurrences of the old path and filenames across the tree. The exception is doc/uImage.FIT/command_syntax_extensions.txt which apparently has been removed entirely, or at least I was unable to locate where that document is now. Signed-off-by: Daniel Golle <daniel@makrotopia.org> 
Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the
documentation in doc/uImage.FIT to doc/usage/fit, subsequently all
documents and example sources have been converted to reStructuredText.

Fix (almost) all of the remaining occurrences of the old path and
filenames across the tree.

The exception is doc/uImage.FIT/command_syntax_extensions.txt which
apparently has been removed entirely, or at least I was unable to
locate where that document is now.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
lib: rsa: use FIT_ALGO_PROP constant instead of "algo" in FIT 2025-12-16T17:39:38+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-12-03T16:19:33+00:00 883359e152d5000943411ef7d2daaec6c137f47d Some FIT image properties have their string represented in include/image.h via constants. FIT_ALGO_PROP does exist and would fit the bill so let's use it instead of using a hardcoded string. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
Some FIT image properties have their string represented in
include/image.h via constants. FIT_ALGO_PROP does exist and would fit the
bill so let's use it instead of using a hardcoded string.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Merge patch series "rsa: fix dependency, rename and relocate RSASSA PSS symbols" 2025-11-11T20:53:33+00:00 Tom Rini trini@konsulko.com 2025-11-11T20:53:33+00:00 62e89de7698a637c673b08ec129941d8079a5405 Quentin Schulz <foss+uboot@0leil.net> says: While historically signature verification is mostly done for FIT such FIT_SIGNATURE dependency for signature algorithm makes sense, it isn't the only kind of file we can verify signatures of. It can also be done manually with rsa_verify_hash() with an embedded public key. Considering the impacted code is guarded by RSA_VERIFY, let's make the symbol depend on that otherwise selecting it without RSA_VERIFY won't do anything. The FIT_SIGNATURE dependency wasn't also enough before as it only implied RSA_VERIFY. Then, simply relocate the RSA SSA PSS padding with the other RSA symbols in lib/rsa instead of in boot/ and rename it to remove the mention to FIT. Finally, add the PSS padding wherever PKCS1.5 padding is specified as one or the other can be used. Link: https://lore.kernel.org/r/20251031-rsa-pss-always-v2-0-a29184ea064d@cherry.de 
Quentin Schulz <foss+uboot@0leil.net> says:

While historically signature verification is mostly done for FIT such
FIT_SIGNATURE dependency for signature algorithm makes sense, it isn't
the only kind of file we can verify signatures of. It can also be done
manually with rsa_verify_hash() with an embedded public key.

Considering the impacted code is guarded by RSA_VERIFY, let's make the
symbol depend on that otherwise selecting it without RSA_VERIFY won't do
anything. The FIT_SIGNATURE dependency wasn't also enough before as it
only implied RSA_VERIFY.

Then, simply relocate the RSA SSA PSS padding with the other RSA symbols
in lib/rsa instead of in boot/ and rename it to remove the mention to
FIT.

Finally, add the PSS padding wherever PKCS1.5 padding is specified as
one or the other can be used.

Link: https://lore.kernel.org/r/20251031-rsa-pss-always-v2-0-a29184ea064d@cherry.de
rsa: update doxygen doc for RSA signature verification to mention PSS 2025-11-11T20:53:25+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-31T17:08:24+00:00 c50f6b11b3242adba0c8a3a6a50082a2eca01772 While the verification step originally only supported PKCS1.5 as padding algorithm for the signature, it was later extended to add support for PSS but the doxygen doc wasn't updated to reflect that so let's fix that oversight. Fixes: 061daa0b61f0 ("rsa: add support of padding pss") Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
While the verification step originally only supported PKCS1.5 as padding
algorithm for the signature, it was later extended to add support for
PSS but the doxygen doc wasn't updated to reflect that so let's fix
that oversight.

Fixes: 061daa0b61f0 ("rsa: add support of padding pss")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
rsa: rename FIT_RSASSA_PSS to RSASSA_PSS and move symbols under lib/rsa 2025-11-11T20:53:25+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-31T17:08:23+00:00 360dd89b361dde2a0bbad65763538e1eea7d3c94 This renames FIT_RSASSA_PSS symbols to drop the FIT_ prefix to avoid potential confusion since there's nothing FIT specific to those symbols. It also isn't really related to booting, so boot/Kconfig is an odd place for them to live. Since they make sense only in relation with RSA, simply move them to lib/rsa where it makes more sense for them to reside. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This renames FIT_RSASSA_PSS symbols to drop the FIT_ prefix to avoid
potential confusion since there's nothing FIT specific to those symbols.

It also isn't really related to booting, so boot/Kconfig is an odd place
for them to live. Since they make sense only in relation with RSA,
simply move them to lib/rsa where it makes more sense for them to
reside.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
rsa: fix typo in $(PHASE_)RSA_VERIFY_WITH_PKEY help text 2025-11-06T23:32:33+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-10-29T11:20:27+00:00 64ba0aa9f48cd3c2bba92c1f15a9da4c21000d2e Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
lib/rsa: allow matching pkcs11 path by object id 2025-07-08T22:19:31+00:00 Tobias Olausson tobias@eub.se 2025-06-26T06:54:20+00:00 0707f73a8ba26f5aeaeada6f5942d003bf67ce06 The object= part matches against the label that the pkcs11 token uses for that object, but in some cases, specifically with a Yubikey using ykcs11, where the keys have been imported, the labels differ between the private and public keys [1], making the object= matching useless. These keys will have the same id however, so matching against that works for both the private and public part. [1]: https://github.com/Yubico/yubico-piv-tool/blob/master/doc/YKCS11/Functions_and_values.adoc#key-alias-per-slot-and-object-type Signed-off-by: Tobias Olausson <tobias@eub.se> 
The object= part matches against the label that the pkcs11 token uses
for that object, but in some cases, specifically with a Yubikey using
ykcs11, where the keys have been imported, the labels differ between the
private and public keys [1], making the object= matching useless. These
keys will have the same id however, so matching against that works for
both the private and public part.

[1]: https://github.com/Yubico/yubico-piv-tool/blob/master/doc/YKCS11/Functions_and_values.adoc#key-alias-per-slot-and-object-type

Signed-off-by: Tobias Olausson <tobias@eub.se>
lib: rsa: fix compilation error without openssl 2025-06-22T16:16:39+00:00 Shiji Yang yangshiji66@outlook.com 2025-06-19T16:38:17+00:00 961e260cdcd01d68c8dae87eef67e116f1a67aed The symbol TOOLS_IMAGE_PRE_LOAD doesn't depend on TOOLS_LIBCRYPTO. If we choose to build tools without openssl, rsa_verify_openssl() will attempt to call the unavailable openssl library functions. Fixes: 942c8c8e6697 ("rsa: Add rsa_verify_openssl() to use openssl for host builds") Signed-off-by: Shiji Yang <yangshiji66@outlook.com> 
The symbol TOOLS_IMAGE_PRE_LOAD doesn't depend on TOOLS_LIBCRYPTO.
If we choose to build tools without openssl, rsa_verify_openssl()
will attempt to call the unavailable openssl library functions.

Fixes: 942c8c8e6697 ("rsa: Add rsa_verify_openssl() to use openssl for host builds")
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
lib: rsa: add NULL check for 'algo' in 2025-03-13T20:23:09+00:00 Anton Moryakov ant.v.moryakov@gmail.com 2025-02-25T13:53:27+00:00 babc6eef2f48970f394816c955a4a7481ce8df80 - Check return value of fdt_getprop for NULL. - Return -EFAULT if 'algo' property is missing. - Prevent NULL pointer dereference in strcmp." Triggers found by static analyzer Svace. Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> 
- Check return value of fdt_getprop for NULL.
- Return -EFAULT if 'algo' property is missing.
- Prevent NULL pointer dereference in strcmp."

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
rsa: Add rsa_verify_openssl() to use openssl for host builds 2025-02-28T22:51:01+00:00 Paul HENRYS paul.henrys_ext@softathome.com 2025-02-24T21:20:50+00:00 942c8c8e669739d2e8dec67a7ed90158defc93ed rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data when building host tools. Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com> 
rsa_verify_openssl() is used in lib/rsa/rsa-verify.c to authenticate data
when building host tools.

Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>