summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/efi_loader/Kconfig15
-rw-r--r--lib/efi_loader/Makefile1
-rw-r--r--lib/efi_loader/efi_load_initrd.c198
-rw-r--r--lib/efi_loader/efi_runtime.c36
-rw-r--r--lib/efi_loader/efi_setup.c13
-rw-r--r--lib/efi_selftest/Makefile1
-rw-r--r--lib/efi_selftest/efi_selftest_load_initrd.c220
-rw-r--r--lib/rsa/Kconfig27
-rw-r--r--lib/rsa/Makefile3
-rw-r--r--lib/rsa/rsa-keyprop.c725
-rw-r--r--lib/rsa/rsa-verify.c137
11 files changed, 1334 insertions, 42 deletions
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 76f43eca95f..9890144d416 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -130,4 +130,19 @@ config EFI_RNG_PROTOCOL
Provide a EFI_RNG_PROTOCOL implementation using the hardware random
number generator of the platform.
+config EFI_LOAD_FILE2_INITRD
+ bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk"
+ default n
+ help
+ Expose a EFI_FILE_LOAD2_PROTOCOL that the Linux UEFI stub can
+ use to load the initial ramdisk. Once this is enabled using
+ initrd=<ramdisk> will stop working.
+
+config EFI_INITRD_FILESPEC
+ string "initramfs path"
+ default "host 0:1 initrd"
+ depends on EFI_LOAD_FILE2_INITRD
+ help
+ Full path of the initramfs file, e.g. mmc 0:2 initramfs.cpio.gz.
+
endif
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 04dc8648512..9b3b7044733 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -43,3 +43,4 @@ obj-$(CONFIG_NET) += efi_net.o
obj-$(CONFIG_GENERATE_ACPI_TABLE) += efi_acpi.o
obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_rng.o
+obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_load_initrd.o
diff --git a/lib/efi_loader/efi_load_initrd.c b/lib/efi_loader/efi_load_initrd.c
new file mode 100644
index 00000000000..574a83d7e30
--- /dev/null
+++ b/lib/efi_loader/efi_load_initrd.c
@@ -0,0 +1,198 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020, Linaro Limited
+ */
+
+#include <common.h>
+#include <env.h>
+#include <malloc.h>
+#include <mapmem.h>
+#include <dm.h>
+#include <fs.h>
+#include <efi_loader.h>
+#include <efi_load_initrd.h>
+
+static const efi_guid_t efi_guid_load_file2_protocol =
+ EFI_LOAD_FILE2_PROTOCOL_GUID;
+
+static efi_status_t EFIAPI
+efi_load_file2_initrd(struct efi_load_file_protocol *this,
+ struct efi_device_path *file_path, bool boot_policy,
+ efi_uintn_t *buffer_size, void *buffer);
+
+static const struct efi_load_file_protocol efi_lf2_protocol = {
+ .load_file = efi_load_file2_initrd,
+};
+
+/*
+ * Device path defined by Linux to identify the handle providing the
+ * EFI_LOAD_FILE2_PROTOCOL used for loading the initial ramdisk.
+ */
+static const struct efi_initrd_dp dp = {
+ .vendor = {
+ {
+ DEVICE_PATH_TYPE_MEDIA_DEVICE,
+ DEVICE_PATH_SUB_TYPE_VENDOR_PATH,
+ sizeof(dp.vendor),
+ },
+ EFI_INITRD_MEDIA_GUID,
+ },
+ .end = {
+ DEVICE_PATH_TYPE_END,
+ DEVICE_PATH_SUB_TYPE_END,
+ sizeof(dp.end),
+ }
+};
+
+/**
+ * get_file_size() - retrieve the size of initramfs, set efi status on error
+ *
+ * @dev: device to read from. i.e "mmc"
+ * @part: device partition. i.e "0:1"
+ * @file: name fo file
+ * @status: EFI exit code in case of failure
+ *
+ * Return: size of file
+ */
+static loff_t get_file_size(const char *dev, const char *part, const char *file,
+ efi_status_t *status)
+{
+ loff_t sz = 0;
+ int ret;
+
+ ret = fs_set_blk_dev(dev, part, FS_TYPE_ANY);
+ if (ret) {
+ *status = EFI_NO_MEDIA;
+ goto out;
+ }
+
+ ret = fs_size(file, &sz);
+ if (ret) {
+ sz = 0;
+ *status = EFI_NOT_FOUND;
+ goto out;
+ }
+
+out:
+ return sz;
+}
+
+/**
+ * load_file2() - get information about random number generation
+ *
+ * This function implement the LoadFile2() service in order to load an initram
+ * disk requested by the Linux kernel stub.
+ * See the UEFI spec for details.
+ *
+ * @this: loadfile2 protocol instance
+ * @file_path: relative path of the file. "" in this case
+ * @boot_policy: must be false for Loadfile2
+ * @buffer_size: size of allocated buffer
+ * @buffer: buffer to load the file
+ *
+ * Return: status code
+ */
+static efi_status_t EFIAPI
+efi_load_file2_initrd(struct efi_load_file_protocol *this,
+ struct efi_device_path *file_path, bool boot_policy,
+ efi_uintn_t *buffer_size, void *buffer)
+{
+ const char *filespec = CONFIG_EFI_INITRD_FILESPEC;
+ efi_status_t status = EFI_NOT_FOUND;
+ loff_t file_sz = 0, read_sz = 0;
+ char *dev, *part, *file;
+ char *s;
+ int ret;
+
+ EFI_ENTRY("%p, %p, %d, %p, %p", this, file_path, boot_policy,
+ buffer_size, buffer);
+
+ s = strdup(filespec);
+ if (!s)
+ goto out;
+
+ if (!this || this != &efi_lf2_protocol ||
+ !buffer_size) {
+ status = EFI_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (file_path->type != dp.end.type ||
+ file_path->sub_type != dp.end.sub_type) {
+ status = EFI_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (boot_policy) {
+ status = EFI_UNSUPPORTED;
+ goto out;
+ }
+
+ /* expect something like 'mmc 0:1 initrd.cpio.gz' */
+ dev = strsep(&s, " ");
+ if (!dev)
+ goto out;
+ part = strsep(&s, " ");
+ if (!part)
+ goto out;
+ file = strsep(&s, " ");
+ if (!file)
+ goto out;
+
+ file_sz = get_file_size(dev, part, file, &status);
+ if (!file_sz)
+ goto out;
+
+ if (!buffer || *buffer_size < file_sz) {
+ status = EFI_BUFFER_TOO_SMALL;
+ *buffer_size = file_sz;
+ } else {
+ ret = fs_set_blk_dev(dev, part, FS_TYPE_ANY);
+ if (ret) {
+ status = EFI_NO_MEDIA;
+ goto out;
+ }
+
+ ret = fs_read(file, map_to_sysmem(buffer), 0, *buffer_size,
+ &read_sz);
+ if (ret || read_sz != file_sz)
+ goto out;
+ *buffer_size = read_sz;
+
+ status = EFI_SUCCESS;
+ }
+
+out:
+ free(s);
+ return EFI_EXIT(status);
+}
+
+/**
+ * efi_initrd_register() - Register a handle and loadfile2 protocol
+ *
+ * This function creates a new handle and installs a linux specific GUID
+ * to handle initram disk loading during boot.
+ * See the UEFI spec for details.
+ *
+ * Return: status code
+ */
+efi_status_t efi_initrd_register(void)
+{
+ efi_handle_t efi_initrd_handle = NULL;
+ efi_status_t ret;
+
+ /*
+ * Set up the handle with the EFI_LOAD_FILE2_PROTOCOL which Linux may
+ * use to load the initial ramdisk.
+ */
+ ret = EFI_CALL(efi_install_multiple_protocol_interfaces
+ (&efi_initrd_handle,
+ /* initramfs */
+ &efi_guid_device_path, &dp,
+ /* LOAD_FILE2 */
+ &efi_guid_load_file2_protocol,
+ (void *)&efi_lf2_protocol,
+ NULL));
+
+ return ret;
+}
diff --git a/lib/efi_loader/efi_runtime.c b/lib/efi_loader/efi_runtime.c
index 4b3c843b2ce..4be51335bcb 100644
--- a/lib/efi_loader/efi_runtime.c
+++ b/lib/efi_loader/efi_runtime.c
@@ -18,6 +18,10 @@
/* For manual relocation support */
DECLARE_GLOBAL_DATA_PTR;
+/* GUID of the runtime properties table */
+static const efi_guid_t efi_rt_properties_table_guid =
+ EFI_RT_PROPERTIES_TABLE_GUID;
+
struct efi_runtime_mmio_list {
struct list_head link;
void **ptr;
@@ -94,9 +98,28 @@ static __efi_runtime_data efi_uintn_t efi_descriptor_size;
* handle a good number of runtime callbacks
*/
+/**
+ * efi_init_runtime_supported() - create runtime properties table
+ *
+ * Create a configuration table specifying which services are available at
+ * runtime.
+ *
+ * Return: status code
+ */
efi_status_t efi_init_runtime_supported(void)
{
- u16 efi_runtime_services_supported =
+ efi_status_t ret;
+ struct efi_rt_properties_table *rt_table;
+
+ ret = efi_allocate_pool(EFI_RUNTIME_SERVICES_DATA,
+ sizeof(struct efi_rt_properties_table),
+ (void **)&rt_table);
+ if (ret != EFI_SUCCESS)
+ return ret;
+
+ rt_table->version = EFI_RT_PROPERTIES_TABLE_VERSION;
+ rt_table->length = sizeof(struct efi_rt_properties_table);
+ rt_table->runtime_services_supported =
EFI_RT_SUPPORTED_SET_VIRTUAL_ADDRESS_MAP |
EFI_RT_SUPPORTED_CONVERT_POINTER;
@@ -105,15 +128,12 @@ efi_status_t efi_init_runtime_supported(void)
* as well as efi_runtime_services.
*/
#ifdef CONFIG_EFI_HAVE_RUNTIME_RESET
- efi_runtime_services_supported |= EFI_RT_SUPPORTED_RESET_SYSTEM;
+ rt_table->runtime_services_supported |= EFI_RT_SUPPORTED_RESET_SYSTEM;
#endif
- return EFI_CALL(efi_set_variable(L"RuntimeServicesSupported",
- &efi_global_variable_guid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_RUNTIME_ACCESS,
- sizeof(efi_runtime_services_supported),
- &efi_runtime_services_supported));
+ ret = efi_install_configuration_table(&efi_rt_properties_table_guid,
+ rt_table);
+ return ret;
}
/**
diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c
index de7b616c6da..b458093dfbd 100644
--- a/lib/efi_loader/efi_setup.c
+++ b/lib/efi_loader/efi_setup.c
@@ -122,13 +122,13 @@ efi_status_t efi_init_obj_list(void)
if (ret != EFI_SUCCESS)
goto out;
- /* Indicate supported runtime services */
- ret = efi_init_runtime_supported();
+ /* Initialize system table */
+ ret = efi_initialize_system_table();
if (ret != EFI_SUCCESS)
goto out;
- /* Initialize system table */
- ret = efi_initialize_system_table();
+ /* Indicate supported runtime services */
+ ret = efi_init_runtime_supported();
if (ret != EFI_SUCCESS)
goto out;
@@ -155,6 +155,11 @@ efi_status_t efi_init_obj_list(void)
if (ret != EFI_SUCCESS)
goto out;
#endif
+#ifdef CONFIG_EFI_LOAD_FILE2_INITRD
+ ret = efi_initrd_register();
+ if (ret != EFI_SUCCESS)
+ goto out;
+#endif
#ifdef CONFIG_NET
ret = efi_net_register();
if (ret != EFI_SUCCESS)
diff --git a/lib/efi_selftest/Makefile b/lib/efi_selftest/Makefile
index 3ad96e1cbf0..cf132c372e1 100644
--- a/lib/efi_selftest/Makefile
+++ b/lib/efi_selftest/Makefile
@@ -49,6 +49,7 @@ obj-$(CONFIG_CPU_V7) += efi_selftest_unaligned.o
obj-$(CONFIG_EFI_LOADER_HII) += efi_selftest_hii.o
obj-$(CONFIG_EFI_RNG_PROTOCOL) += efi_selftest_rng.o
obj-$(CONFIG_EFI_GET_TIME) += efi_selftest_rtc.o
+obj-$(CONFIG_EFI_LOAD_FILE2_INITRD) += efi_selftest_load_initrd.o
ifeq ($(CONFIG_GENERATE_ACPI_TABLE),)
obj-y += efi_selftest_fdt.o
diff --git a/lib/efi_selftest/efi_selftest_load_initrd.c b/lib/efi_selftest/efi_selftest_load_initrd.c
new file mode 100644
index 00000000000..e16163caca8
--- /dev/null
+++ b/lib/efi_selftest/efi_selftest_load_initrd.c
@@ -0,0 +1,220 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * efi_selftest_load_initrd
+ *
+ * Copyright (c) 2020 Ilias Apalodimas <ilias.apalodimas@linaro.org>
+ *
+ * This test checks the FileLoad2 protocol.
+ * A known file is read from the file system and verified.
+ *
+ * An example usage - given a file image with a file system in partition 1
+ * holding file initrd - is:
+ *
+ * * Configure the sandbox with
+ *
+ * CONFIG_EFI_SELFTEST=y
+ * CONFIG_EFI_LOAD_FILE2_INITRD=y
+ * CONFIG_EFI_INITRD_FILESPEC="host 0:1 initrd"
+ *
+ * * Run ./u-boot and execute
+ *
+ * host bind 0 image
+ * setenv efi_selftest load initrd
+ * bootefi selftest
+ *
+ * This would provide a test output like:
+ *
+ * Testing EFI API implementation
+ *
+ * Selected test: 'load initrd'
+ *
+ * Setting up 'load initrd'
+ * Setting up 'load initrd' succeeded
+ *
+ * Executing 'load initrd'
+ * Loaded 12378613 bytes
+ * CRC32 2997478465
+ *
+ * Now the size and CRC32 can be compared to the provided file.
+ */
+
+#include <efi_selftest.h>
+#include <efi_loader.h>
+#include <efi_load_initrd.h>
+
+static struct efi_boot_services *boottime;
+
+static struct efi_initrd_dp dp = {
+ .vendor = {
+ {
+ DEVICE_PATH_TYPE_MEDIA_DEVICE,
+ DEVICE_PATH_SUB_TYPE_VENDOR_PATH,
+ sizeof(dp.vendor),
+ },
+ EFI_INITRD_MEDIA_GUID,
+ },
+ .end = {
+ DEVICE_PATH_TYPE_END,
+ DEVICE_PATH_SUB_TYPE_END,
+ sizeof(dp.end),
+ }
+};
+
+static struct efi_initrd_dp dp_invalid = {
+ .vendor = {
+ {
+ DEVICE_PATH_TYPE_MEDIA_DEVICE,
+ DEVICE_PATH_SUB_TYPE_VENDOR_PATH,
+ sizeof(dp.vendor),
+ },
+ EFI_INITRD_MEDIA_GUID,
+ },
+ .end = {
+ 0x8f, /* invalid */
+ 0xfe, /* invalid */
+ sizeof(dp.end),
+ }
+};
+
+static int setup(const efi_handle_t handle,
+ const struct efi_system_table *systable)
+{
+ boottime = systable->boottime;
+
+ return EFI_ST_SUCCESS;
+}
+
+static int execute(void)
+{
+ efi_guid_t lf2_proto_guid = EFI_LOAD_FILE2_PROTOCOL_GUID;
+ struct efi_load_file_protocol *lf2;
+ struct efi_device_path *dp2, *dp2_invalid;
+ efi_status_t status;
+ efi_handle_t handle;
+ char buffer[64];
+ efi_uintn_t buffer_size;
+ void *buf;
+ u32 crc32;
+
+ memset(buffer, 0, sizeof(buffer));
+
+ dp2 = (struct efi_device_path *)&dp;
+ status = boottime->locate_device_path(&lf2_proto_guid, &dp2, &handle);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Unable to locate device path\n");
+ return EFI_ST_FAILURE;
+ }
+
+ status = boottime->handle_protocol(handle, &lf2_proto_guid,
+ (void **)&lf2);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Unable to locate protocol\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /* Case 1:
+ * buffer_size can't be NULL
+ * protocol can't be NULL
+ */
+ status = lf2->load_file(lf2, dp2, false, NULL, &buffer);
+ if (status != EFI_INVALID_PARAMETER) {
+ efi_st_error("Buffer size can't be NULL\n");
+ return EFI_ST_FAILURE;
+ }
+ buffer_size = sizeof(buffer);
+ status = lf2->load_file(NULL, dp2, false, &buffer_size, &buffer);
+ if (status != EFI_INVALID_PARAMETER) {
+ efi_st_error("Protocol can't be NULL\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /*
+ * Case 2: Match end node type/sub-type on device path
+ */
+ dp2_invalid = (struct efi_device_path *)&dp_invalid;
+ buffer_size = sizeof(buffer);
+ status = lf2->load_file(lf2, dp2_invalid, false, &buffer_size, &buffer);
+ if (status != EFI_INVALID_PARAMETER) {
+ efi_st_error("Invalid device path type must return EFI_INVALID_PARAMETER\n");
+ return EFI_ST_FAILURE;
+ }
+
+ status = lf2->load_file(lf2, dp2_invalid, false, &buffer_size, &buffer);
+ if (status != EFI_INVALID_PARAMETER) {
+ efi_st_error("Invalid device path sub-type must return EFI_INVALID_PARAMETER\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /*
+ * Case 3:
+ * BootPolicy 'true' must return EFI_UNSUPPORTED
+ */
+ buffer_size = sizeof(buffer);
+ status = lf2->load_file(lf2, dp2, true, &buffer_size, &buffer);
+ if (status != EFI_UNSUPPORTED) {
+ efi_st_error("BootPolicy true must return EFI_UNSUPPORTED\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /*
+ * Case: Pass buffer size as zero, firmware must return
+ * EFI_BUFFER_TOO_SMALL and an appropriate size
+ */
+ buffer_size = 0;
+ status = lf2->load_file(lf2, dp2, false, &buffer_size, NULL);
+ if (status != EFI_BUFFER_TOO_SMALL || !buffer_size) {
+ efi_st_printf("buffer_size: %u\n", (unsigned int)buffer_size);
+ efi_st_printf("status: %x\n", (unsigned int)status);
+ efi_st_error("Buffer size not updated\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /*
+ * Case: Pass buffer size as smaller than the file_size,
+ * firmware must return * EFI_BUFFER_TOO_SMALL and an appropriate size
+ */
+ buffer_size = 1;
+ status = lf2->load_file(lf2, dp2, false, &buffer_size, &buffer);
+ if (status != EFI_BUFFER_TOO_SMALL || buffer_size <= 1) {
+ efi_st_error("Buffer size not updated\n");
+ return EFI_ST_FAILURE;
+ }
+
+ status = boottime->allocate_pool(EFI_BOOT_SERVICES_DATA, buffer_size,
+ &buf);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Cannot allocate buffer\n");
+ return EFI_ST_FAILURE;
+ }
+
+ /* Case: Pass correct buffer, load the file and verify checksum*/
+ status = lf2->load_file(lf2, dp2, false, &buffer_size, buf);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Loading initrd failed\n");
+ return EFI_ST_FAILURE;
+ }
+
+ efi_st_printf("Loaded %u bytes\n", (unsigned int)buffer_size);
+ status = boottime->calculate_crc32(buf, buffer_size, &crc32);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Could not determine CRC32\n");
+ return EFI_ST_FAILURE;
+ }
+ efi_st_printf("CRC32 %u\n", (unsigned int)crc32);
+
+ status = boottime->free_pool(buf);
+ if (status != EFI_SUCCESS) {
+ efi_st_error("Cannot free buffer\n");
+ return EFI_ST_FAILURE;
+ }
+
+ return EFI_ST_SUCCESS;
+}
+
+EFI_UNIT_TEST(load_initrd) = {
+ .name = "load initrd",
+ .phase = EFI_EXECUTE_BEFORE_BOOTTIME_EXIT,
+ .setup = setup,
+ .execute = execute,
+ .on_request = true,
+};
diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index 2b33f323bcc..a90d67e5a87 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -18,6 +18,33 @@ if RSA
config SPL_RSA
bool "Use RSA Library within SPL"
+config SPL_RSA_VERIFY
+ bool
+ help
+ Add RSA signature verification support in SPL.
+
+config RSA_VERIFY
+ bool
+ help
+ Add RSA signature verification support.
+
+config RSA_VERIFY_WITH_PKEY
+ bool "Execute RSA verification without key parameters from FDT"
+ select RSA_VERIFY
+ select ASYMMETRIC_KEY_TYPE
+ select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select RSA_PUBLIC_KEY_PARSER
+ help
+ The standard RSA-signature verification code (FIT_SIGNATURE) uses
+ pre-calculated key properties, that are stored in fdt blob, in
+ decrypting a signature.
+ This does not suit the use case where there is no way defined to
+ provide such additional key properties in standardized form,
+ particularly UEFI secure boot.
+ This options enables RSA signature verification with a public key
+ directly specified in image_sign_info, where all the necessary
+ key properties will be calculated on the fly in verification code.
+
config RSA_SOFTWARE_EXP
bool "Enable driver for RSA Modular Exponentiation in software"
depends on DM
diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index a51c6e1685f..14ed3cb4012 100644
--- a/lib/rsa/Makefile
+++ b/lib/rsa/Makefile
@@ -5,5 +5,6 @@
# (C) Copyright 2000-2007
# Wolfgang Denk, DENX Software Engineering, wd@denx.de.
-obj-$(CONFIG_$(SPL_)FIT_SIGNATURE) += rsa-verify.o rsa-checksum.o
+obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
+obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
new file mode 100644
index 00000000000..9464df00934
--- /dev/null
+++ b/lib/rsa/rsa-keyprop.c
@@ -0,0 +1,725 @@
+// SPDX-License-Identifier: GPL-2.0+ and MIT
+/*
+ * RSA library - generate parameters for a public key
+ *
+ * Copyright (c) 2019 Linaro Limited
+ * Author: AKASHI Takahiro
+ *
+ * Big number routines in this file come from BearSSL:
+ * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
+ */
+
+#include <common.h>
+#include <image.h>
+#include <malloc.h>
+#include <asm/byteorder.h>
+#include <crypto/internal/rsa.h>
+#include <u-boot/rsa-mod-exp.h>
+
+/**
+ * br_dec16be() - Convert 16-bit big-endian integer to native
+ * @src: Pointer to data
+ * Return: Native-endian integer
+ */
+static unsigned br_dec16be(const void *src)
+{
+ return be16_to_cpup(src);
+}
+
+/**
+ * br_dec32be() - Convert 32-bit big-endian integer to native
+ * @src: Pointer to data
+ * Return: Native-endian integer
+ */
+static uint32_t br_dec32be(const void *src)
+{
+ return be32_to_cpup(src);
+}
+
+/**
+ * br_enc32be() - Convert native 32-bit integer to big-endian
+ * @dst: Pointer to buffer to store big-endian integer in
+ * @x: Native 32-bit integer
+ */
+static void br_enc32be(void *dst, uint32_t x)
+{
+ __be32 tmp;
+
+ tmp = cpu_to_be32(x);
+ memcpy(dst, &tmp, sizeof(tmp));
+}
+
+/* from BearSSL's src/inner.h */
+
+/*
+ * Negate a boolean.
+ */
+static uint32_t NOT(uint32_t ctl)
+{
+ return ctl ^ 1;
+}
+
+/*
+ * Multiplexer: returns x if ctl == 1, y if ctl == 0.
+ */
+static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
+{
+ return y ^ (-ctl & (x ^ y));
+}
+
+/*
+ * Equality check: returns 1 if x == y, 0 otherwise.
+ */
+static uint32_t EQ(uint32_t x, uint32_t y)
+{
+ uint32_t q;
+
+ q = x ^ y;
+ return NOT((q | -q) >> 31);
+}
+
+/*
+ * Inequality check: returns 1 if x != y, 0 otherwise.
+ */
+static uint32_t NEQ(uint32_t x, uint32_t y)
+{
+ uint32_t q;
+
+ q = x ^ y;
+ return (q | -q) >> 31;
+}
+
+/*
+ * Comparison: returns 1 if x > y, 0 otherwise.
+ */
+static uint32_t GT(uint32_t x, uint32_t y)
+{
+ /*
+ * If both x < 2^31 and y < 2^31, then y-x will have its high
+ * bit set if x > y, cleared otherwise.
+ *
+ * If either x >= 2^31 or y >= 2^31 (but not both), then the
+ * result is the high bit of x.
+ *
+ * If both x >= 2^31 and y >= 2^31, then we can virtually
+ * subtract 2^31 from both, and we are back to the first case.
+ * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
+ * fine.
+ */
+ uint32_t z;
+
+ z = y - x;
+ return (z ^ ((x ^ y) & (x ^ z))) >> 31;
+}
+
+/*
+ * Compute the bit length of a 32-bit integer. Returned value is between 0
+ * and 32 (inclusive).
+ */
+static uint32_t BIT_LENGTH(uint32_t x)
+{
+ uint32_t k, c;
+
+ k = NEQ(x, 0);
+ c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
+ c = GT(x, 0x00FF); x = MUX(c, x >> 8, x); k += c << 3;
+ c = GT(x, 0x000F); x = MUX(c, x >> 4, x); k += c << 2;
+ c = GT(x, 0x0003); x = MUX(c, x >> 2, x); k += c << 1;
+ k += GT(x, 0x0001);
+ return k;
+}
+
+#define GE(x, y) NOT(GT(y, x))
+#define LT(x, y) GT(y, x)
+#define MUL(x, y) ((uint64_t)(x) * (uint64_t)(y))
+
+/*
+ * Integers 'i32'
+ * --------------
+ *
+ * The 'i32' functions implement computations on big integers using
+ * an internal representation as an array of 32-bit integers. For
+ * an array x[]:
+ * -- x[0] contains the "announced bit length" of the integer
+ * -- x[1], x[2]... contain the value in little-endian order (x[1]
+ * contains the least significant 32 bits)
+ *
+ * Multiplications rely on the elementary 32x32->64 multiplication.
+ *
+ * The announced bit length specifies the number of bits that are
+ * significant in the subsequent 32-bit words. Unused bits in the
+ * last (most significant) word are set to 0; subsequent words are
+ * uninitialized and need not exist at all.
+ *
+ * The execution time and memory access patterns of all computations
+ * depend on the announced bit length, but not on the actual word
+ * values. For modular integers, the announced bit length of any integer
+ * modulo n is equal to the actual bit length of n; thus, computations
+ * on modular integers are "constant-time" (only the modulus length may
+ * leak).
+ */
+
+/*
+ * Extract one word from an integer. The offset is counted in bits.
+ * The word MUST entirely fit within the word elements corresponding
+ * to the announced bit length of a[].
+ */
+static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
+{
+ size_t u;
+ unsigned j;
+
+ u = (size_t)(off >> 5) + 1;
+ j = (unsigned)off & 31;
+ if (j == 0) {
+ return a[u];
+ } else {
+ return (a[u] >> j) | (a[u + 1] << (32 - j));
+ }
+}
+
+/* from BearSSL's src/int/i32_bitlen.c */
+
+/*
+ * Compute the actual bit length of an integer. The argument x should
+ * point to the first (least significant) value word of the integer.
+ * The len 'xlen' contains the number of 32-bit words to access.
+ *
+ * CT: value or length of x does not leak.
+ */
+static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
+{
+ uint32_t tw, twk;
+
+ tw = 0;
+ twk = 0;
+ while (xlen -- > 0) {
+ uint32_t w, c;
+
+ c = EQ(tw, 0);
+ w = x[xlen];
+ tw = MUX(c, w, tw);
+ twk = MUX(c, (uint32_t)xlen, twk);
+ }
+ return (twk << 5) + BIT_LENGTH(tw);
+}
+
+/* from BearSSL's src/int/i32_decode.c */
+
+/*
+ * Decode an integer from its big-endian unsigned representation. The
+ * "true" bit length of the integer is computed, but all words of x[]
+ * corresponding to the full 'len' bytes of the source are set.
+ *
+ * CT: value or length of x does not leak.
+ */
+static void br_i32_decode(uint32_t *x, const void *src, size_t len)
+{
+ const unsigned char *buf;
+ size_t u, v;
+
+ buf = src;
+ u = len;
+ v = 1;
+ for (;;) {
+ if (u < 4) {
+ uint32_t w;
+
+ if (u < 2) {
+ if (u == 0) {
+ break;
+ } else {
+ w = buf[0];
+ }
+ } else {
+ if (u == 2) {
+ w = br_dec16be(buf);
+ } else {
+ w = ((uint32_t)buf[0] << 16)
+ | br_dec16be(buf + 1);
+ }
+ }
+ x[v ++] = w;
+ break;
+ } else {
+ u -= 4;
+ x[v ++] = br_dec32be(buf + u);
+ }
+ }
+ x[0] = br_i32_bit_length(x + 1, v - 1);
+}
+
+/* from BearSSL's src/int/i32_encode.c */
+
+/*
+ * Encode an integer into its big-endian unsigned representation. The
+ * output length in bytes is provided (parameter 'len'); if the length
+ * is too short then the integer is appropriately truncated; if it is
+ * too long then the extra bytes are set to 0.
+ */
+static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
+{
+ unsigned char *buf;
+ size_t k;
+
+ buf = dst;
+
+ /*
+ * Compute the announced size of x in bytes; extra bytes are
+ * filled with zeros.
+ */
+ k = (x[0] + 7) >> 3;
+ while (len > k) {
+ *buf ++ = 0;
+ len --;
+ }
+
+ /*
+ * Now we use k as index within x[]. That index starts at 1;
+ * we initialize it to the topmost complete word, and process
+ * any remaining incomplete word.
+ */
+ k = (len + 3) >> 2;
+ switch (len & 3) {
+ case 3:
+ *buf ++ = x[k] >> 16;
+ /* fall through */
+ case 2:
+ *buf ++ = x[k] >> 8;
+ /* fall through */
+ case 1:
+ *buf ++ = x[k];
+ k --;
+ }
+
+ /*
+ * Encode all complete words.
+ */
+ while (k > 0) {
+ br_enc32be(buf, x[k]);
+ k --;
+ buf += 4;
+ }
+}
+
+/* from BearSSL's src/int/i32_ninv32.c */
+
+/*
+ * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
+ */
+static uint32_t br_i32_ninv32(uint32_t x)
+{
+ uint32_t y;
+
+ y = 2 - x;
+ y *= 2 - y * x;
+ y *= 2 - y * x;
+ y *= 2 - y * x;
+ y *= 2 - y * x;
+ return MUX(x & 1, -y, 0);
+}
+
+/* from BearSSL's src/int/i32_add.c */
+
+/*
+ * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
+ * is unmodified, but the carry is still computed and returned. The
+ * arrays a[] and b[] MUST have the same announced bit length.
+ *
+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
+ */
+static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
+{
+ uint32_t cc;
+ size_t u, m;
+
+ cc = 0;
+ m = (a[0] + 63) >> 5;
+ for (u = 1; u < m; u ++) {
+ uint32_t aw, bw, naw;
+
+ aw = a[u];
+ bw = b[u];
+ naw = aw + bw + cc;
+
+ /*
+ * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
+ * AND the carry was already 1.
+ */
+ cc = (cc & EQ(naw, aw)) | LT(naw, aw);
+ a[u] = MUX(ctl, naw, aw);
+ }
+ return cc;
+}
+
+/* from BearSSL's src/int/i32_sub.c */
+
+/*
+ * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
+ * then a[] is unmodified, but the carry is still computed and returned.
+ * The arrays a[] and b[] MUST have the same announced bit length.
+ *
+ * a[] and b[] MAY be the same array, but partial overlap is not allowed.
+ */
+static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
+{
+ uint32_t cc;
+ size_t u, m;
+
+ cc = 0;
+ m = (a[0] + 63) >> 5;
+ for (u = 1; u < m; u ++) {
+ uint32_t aw, bw, naw;
+
+ aw = a[u];
+ bw = b[u];
+ naw = aw - bw - cc;
+
+ /*
+ * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
+ * AND the carry was already 1.
+ */
+ cc = (cc & EQ(naw, aw)) | GT(naw, aw);
+ a[u] = MUX(ctl, naw, aw);
+ }
+ return cc;
+}
+
+/* from BearSSL's src/int/i32_div32.c */
+
+/*
+ * Constant-time division. The dividend hi:lo is divided by the
+ * divisor d; the quotient is returned and the remainder is written
+ * in *r. If hi == d, then the quotient does not fit on 32 bits;
+ * returned value is thus truncated. If hi > d, returned values are
+ * indeterminate.
+ */
+static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r)
+{
+ /* TODO: optimize this */
+ uint32_t q;
+ uint32_t ch, cf;
+ int k;
+
+ q = 0;
+ ch = EQ(hi, d);
+ hi = MUX(ch, 0, hi);
+ for (k = 31; k > 0; k --) {
+ int j;
+ uint32_t w, ctl, hi2, lo2;
+
+ j = 32 - k;
+ w = (hi << j) | (lo >> k);
+ ctl = GE(w, d) | (hi >> k);
+ hi2 = (w - d) >> j;
+ lo2 = lo - (d << k);
+ hi = MUX(ctl, hi2, hi);
+ lo = MUX(ctl, lo2, lo);
+ q |= ctl << k;
+ }
+ cf = GE(lo, d) | hi;
+ q |= cf;
+ *r = MUX(cf, lo - d, lo);
+ return q;
+}
+
+/*
+ * Wrapper for br_divrem(); the remainder is returned, and the quotient
+ * is discarded.
+ */
+static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
+{
+ uint32_t r;
+
+ br_divrem(hi, lo, d, &r);
+ return r;
+}
+
+/*
+ * Wrapper for br_divrem(); the quotient is returned, and the remainder
+ * is discarded.
+ */
+static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
+{
+ uint32_t r;
+
+ return br_divrem(hi, lo, d, &r);
+}
+
+/* from BearSSL's src/int/i32_muladd.c */
+
+/*
+ * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
+ * function assumes that x[] and m[] have the same announced bit
+ * length, and the announced bit length of m[] matches its true
+ * bit length.
+ *
+ * x[] and m[] MUST be distinct arrays.
+ *
+ * CT: only the common announced bit length of x and m leaks, not
+ * the values of x, z or m.
+ */
+static void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m)
+{
+ uint32_t m_bitlen;
+ size_t u, mlen;
+ uint32_t a0, a1, b0, hi, g, q, tb;
+ uint32_t chf, clow, under, over;
+ uint64_t cc;
+
+ /*
+ * We can test on the modulus bit length since we accept to
+ * leak that length.
+ */
+ m_bitlen = m[0];
+ if (m_bitlen == 0) {
+ return;
+ }
+ if (m_bitlen <= 32) {
+ x[1] = br_rem(x[1], z, m[1]);
+ return;
+ }
+ mlen = (m_bitlen + 31) >> 5;
+
+ /*
+ * Principle: we estimate the quotient (x*2^32+z)/m by
+ * doing a 64/32 division with the high words.
+ *
+ * Let:
+ * w = 2^32
+ * a = (w*a0 + a1) * w^N + a2
+ * b = b0 * w^N + b2
+ * such that:
+ * 0 <= a0 < w
+ * 0 <= a1 < w
+ * 0 <= a2 < w^N
+ * w/2 <= b0 < w
+ * 0 <= b2 < w^N
+ * a < w*b
+ * I.e. the two top words of a are a0:a1, the top word of b is
+ * b0, we ensured that b0 is "full" (high bit set), and a is
+ * such that the quotient q = a/b fits on one word (0 <= q < w).
+ *
+ * If a = b*q + r (with 0 <= r < q), we can estimate q by
+ * doing an Euclidean division on the top words:
+ * a0*w+a1 = b0*u + v (with 0 <= v < w)
+ * Then the following holds:
+ * 0 <= u <= w
+ * u-2 <= q <= u
+ */
+ a0 = br_i32_word(x, m_bitlen - 32);
+ hi = x[mlen];
+ memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
+ x[1] = z;
+ a1 = br_i32_word(x, m_bitlen - 32);
+ b0 = br_i32_word(m, m_bitlen - 32);
+
+ /*
+ * We estimate a divisor q. If the quotient returned by br_div()
+ * is g:
+ * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
+ * -- Otherwise:
+ * -- if g == 0 then we set q = 0;
+ * -- otherwise, we set q = g - 1.
+ * The properties described above then ensure that the true
+ * quotient is q-1, q or q+1.
+ */
+ g = br_div(a0, a1, b0);
+ q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));
+
+ /*
+ * We subtract q*m from x (with the extra high word of value 'hi').
+ * Since q may be off by 1 (in either direction), we may have to
+ * add or subtract m afterwards.
+ *
+ * The 'tb' flag will be true (1) at the end of the loop if the
+ * result is greater than or equal to the modulus (not counting
+ * 'hi' or the carry).
+ */
+ cc = 0;
+ tb = 1;
+ for (u = 1; u <= mlen; u ++) {
+ uint32_t mw, zw, xw, nxw;
+ uint64_t zl;
+
+ mw = m[u];
+ zl = MUL(mw, q) + cc;
+ cc = (uint32_t)(zl >> 32);
+ zw = (uint32_t)zl;
+ xw = x[u];
+ nxw = xw - zw;
+ cc += (uint64_t)GT(nxw, xw);
+ x[u] = nxw;
+ tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
+ }
+
+ /*
+ * If we underestimated q, then either cc < hi (one extra bit
+ * beyond the top array word), or cc == hi and tb is true (no
+ * extra bit, but the result is not lower than the modulus). In
+ * these cases we must subtract m once.
+ *
+ * Otherwise, we may have overestimated, which will show as
+ * cc > hi (thus a negative result). Correction is adding m once.
+ */
+ chf = (uint32_t)(cc >> 32);
+ clow = (uint32_t)cc;
+ over = chf | GT(clow, hi);
+ under = ~over & (tb | (~chf & LT(clow, hi)));
+ br_i32_add(x, m, over);
+ br_i32_sub(x, m, under);
+}
+
+/* from BearSSL's src/int/i32_reduce.c */
+
+/*
+ * Reduce an integer (a[]) modulo another (m[]). The result is written
+ * in x[] and its announced bit length is set to be equal to that of m[].
+ *
+ * x[] MUST be distinct from a[] and m[].
+ *
+ * CT: only announced bit lengths leak, not values of x, a or m.
+ */
+static void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m)
+{
+ uint32_t m_bitlen, a_bitlen;
+ size_t mlen, alen, u;
+
+ m_bitlen = m[0];
+ mlen = (m_bitlen + 31) >> 5;
+
+ x[0] = m_bitlen;
+ if (m_bitlen == 0) {
+ return;
+ }
+
+ /*
+ * If the source is shorter, then simply copy all words from a[]
+ * and zero out the upper words.
+ */
+ a_bitlen = a[0];
+ alen = (a_bitlen + 31) >> 5;
+ if (a_bitlen < m_bitlen) {
+ memcpy(x + 1, a + 1, alen * sizeof *a);
+ for (u = alen; u < mlen; u ++) {
+ x[u + 1] = 0;
+ }
+ return;
+ }
+
+ /*
+ * The source length is at least equal to that of the modulus.
+ * We must thus copy N-1 words, and input the remaining words
+ * one by one.
+ */
+ memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
+ x[mlen] = 0;
+ for (u = 1 + alen - mlen; u > 0; u --) {
+ br_i32_muladd_small(x, a[u], m);
+ }
+}
+
+/**
+ * rsa_free_key_prop() - Free key properties
+ * @prop: Pointer to struct key_prop
+ *
+ * This function frees all the memories allocated by rsa_gen_key_prop().
+ */
+void rsa_free_key_prop(struct key_prop *prop)
+{
+ if (!prop)
+ return;
+
+ free((void *)prop->modulus);
+ free((void *)prop->public_exponent);
+ free((void *)prop->rr);
+
+ free(prop);
+}
+
+/**
+ * rsa_gen_key_prop() - Generate key properties of RSA public key
+ * @key: Specifies key data in DER format
+ * @keylen: Length of @key
+ * @prop: Generated key property
+ *
+ * This function takes a blob of encoded RSA public key data in DER
+ * format, parse it and generate all the relevant properties
+ * in key_prop structure.
+ * Return a pointer to struct key_prop in @prop on success.
+ *
+ * Return: 0 on success, negative on error
+ */
+int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
+{
+ struct rsa_key rsa_key;
+ uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
+ const int max_rsa_size = 4096;
+ int rlen, i, ret;
+
+ *prop = calloc(sizeof(**prop), 1);
+ n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+ rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+ rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
+ if (!(*prop) || !n || !rr || !rrtmp) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ ret = rsa_parse_pub_key(&rsa_key, key, keylen);
+ if (ret)
+ goto err;
+
+ /* modulus */
+ /* removing leading 0's */
+ for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
+ ;
+ (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
+ (*prop)->modulus = malloc(rsa_key.n_sz - i);
+ if (!(*prop)->modulus) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
+
+ /* exponent */
+ (*prop)->public_exponent = calloc(1, sizeof(uint64_t));
+ if (!(*prop)->public_exponent) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
+ - rsa_key.e_sz,
+ rsa_key.e, rsa_key.e_sz);
+ (*prop)->exp_len = rsa_key.e_sz;
+
+ /* n0 inverse */
+ br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
+ (*prop)->n0inv = br_i32_ninv32(n[1]);
+
+ /* R^2 mod n; R = 2^(num_bits) */
+ rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
+ rr[0] = 0;
+ *(uint8_t *)&rr[0] = (1 << (rlen % 8));
+ for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
+ rr[i] = 0;
+ br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
+ br_i32_reduce(rr, rrtmp, n);
+
+ rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
+ (*prop)->rr = malloc(rlen);
+ if (!(*prop)->rr) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ br_i32_encode((void *)(*prop)->rr, rlen, rr);
+
+ return 0;
+
+err:
+ free(n);
+ free(rr);
+ free(rrtmp);
+ rsa_free_key_prop(*prop);
+ return ret;
+}
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 326a5e4ea97..80e817314b5 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -18,9 +18,22 @@
#include "mkimage.h"
#include <fdt_support.h>
#endif
+#include <linux/kconfig.h>
#include <u-boot/rsa-mod-exp.h>
#include <u-boot/rsa.h>
+#ifndef __UBOOT__
+/*
+ * NOTE:
+ * Since host tools, like mkimage, make use of openssl library for
+ * RSA encryption, rsa_verify_with_pkey()/rsa_gen_key_prop() are
+ * of no use and should not be compiled in.
+ * So just turn off CONFIG_RSA_VERIFY_WITH_PKEY.
+ */
+
+#undef CONFIG_RSA_VERIFY_WITH_PKEY
+#endif
+
/* Default public exponent for backward compatibility */
#define RSA_DEFAULT_PUBEXP 65537
@@ -271,6 +284,7 @@ out:
}
#endif
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY)
/**
* rsa_verify_key() - Verify a signature against some data using RSA Key
*
@@ -342,7 +356,52 @@ static int rsa_verify_key(struct image_sign_info *info,
return 0;
}
+#endif
+#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
+/**
+ * rsa_verify_with_pkey() - Verify a signature against some data using
+ * only modulus and exponent as RSA key properties.
+ * @info: Specifies key information
+ * @hash: Pointer to the expected hash
+ * @sig: Signature
+ * @sig_len: Number of bytes in signature
+ *
+ * Parse a RSA public key blob in DER format pointed to in @info and fill
+ * a key_prop structure with properties of the key. Then verify a RSA PKCS1.5
+ * signature against an expected hash using the calculated properties.
+ *
+ * Return 0 if verified, -ve on error
+ */
+static int rsa_verify_with_pkey(struct image_sign_info *info,
+ const void *hash, uint8_t *sig, uint sig_len)
+{
+ struct key_prop *prop;
+ int ret;
+
+ /* Public key is self-described to fill key_prop */
+ ret = rsa_gen_key_prop(info->key, info->keylen, &prop);
+ if (ret) {
+ debug("Generating necessary parameter for decoding failed\n");
+ return ret;
+ }
+
+ ret = rsa_verify_key(info, prop, sig, sig_len, hash,
+ info->crypto->key_len);
+
+ rsa_free_key_prop(prop);
+
+ return ret;
+}
+#else
+static int rsa_verify_with_pkey(struct image_sign_info *info,
+ const void *hash, uint8_t *sig, uint sig_len)
+{
+ return -EACCES;
+}
+#endif
+
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
/**
* rsa_verify_with_keynode() - Verify a signature against some data using
* information in node with prperties of RSA Key like modulus, exponent etc.
@@ -396,18 +455,22 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
return ret;
}
+#else
+static int rsa_verify_with_keynode(struct image_sign_info *info,
+ const void *hash, uint8_t *sig,
+ uint sig_len, int node)
+{
+ return -EACCES;
+}
+#endif
int rsa_verify(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len)
{
- const void *blob = info->fdt_blob;
/* Reserve memory for maximum checksum-length */
uint8_t hash[info->crypto->key_len];
- int ndepth, noffset;
- int sig_node, node;
- char name[100];
- int ret;
+ int ret = -EACCES;
/*
* Verify that the checksum-length does not exceed the
@@ -420,12 +483,6 @@ int rsa_verify(struct image_sign_info *info,
return -EINVAL;
}
- sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
- if (sig_node < 0) {
- debug("%s: No signature node found\n", __func__);
- return -ENOENT;
- }
-
/* Calculate checksum with checksum-algorithm */
ret = info->checksum->calculate(info->checksum->name,
region, region_count, hash);
@@ -434,29 +491,51 @@ int rsa_verify(struct image_sign_info *info,
return -EINVAL;
}
- /* See if we must use a particular key */
- if (info->required_keynode != -1) {
- ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
- info->required_keynode);
+ if (IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
+ /* don't rely on fdt properties */
+ ret = rsa_verify_with_pkey(info, hash, sig, sig_len);
+
return ret;
}
- /* Look for a key that matches our hint */
- snprintf(name, sizeof(name), "key-%s", info->keyname);
- node = fdt_subnode_offset(blob, sig_node, name);
- ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
- if (!ret)
- return ret;
+ if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
+ const void *blob = info->fdt_blob;
+ int ndepth, noffset;
+ int sig_node, node;
+ char name[100];
+
+ sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
+ if (sig_node < 0) {
+ debug("%s: No signature node found\n", __func__);
+ return -ENOENT;
+ }
- /* No luck, so try each of the keys in turn */
- for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
- (noffset >= 0) && (ndepth > 0);
- noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
- if (ndepth == 1 && noffset != node) {
+ /* See if we must use a particular key */
+ if (info->required_keynode != -1) {
ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
- noffset);
- if (!ret)
- break;
+ info->required_keynode);
+ return ret;
+ }
+
+ /* Look for a key that matches our hint */
+ snprintf(name, sizeof(name), "key-%s", info->keyname);
+ node = fdt_subnode_offset(blob, sig_node, name);
+ ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
+ if (!ret)
+ return ret;
+
+ /* No luck, so try each of the keys in turn */
+ for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
+ &ndepth);
+ (noffset >= 0) && (ndepth > 0);
+ noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
+ if (ndepth == 1 && noffset != node) {
+ ret = rsa_verify_with_keynode(info, hash,
+ sig, sig_len,
+ noffset);
+ if (!ret)
+ break;
+ }
}
}
generated by cgit v1.2.3 (git 2.0.4) at 2025-08-04 17:18:24 +0000