summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2020-07-08 20:20:24 -0400
committerTom Rini <trini@konsulko.com>2020-07-08 20:20:24 -0400
commit61608f395e7dcb2be6060407a72a1149b046430a (patch)
tree387269e837a47126d5a7ccdef2b4d5af60598e16 /lib
parent186529953fd10a97e6343418095edd1c535aaeb2 (diff)
parentc89b41b4db4a746647c4f0e6d33c6f4edfe96e38 (diff)
Merge branch '2020-07-08-misc-features-and-fixes'
- mem cmd improvements - TPM fixes - SPL/NAND/FIT fixes - RSA improvements
Diffstat (limited to 'lib')
-rw-r--r--lib/display_options.c18
-rw-r--r--lib/rsa/Makefile4
-rw-r--r--lib/rsa/rsa-keyprop.c35
-rw-r--r--lib/rsa/rsa-verify.c75
-rw-r--r--lib/tpm-v2.c44
5 files changed, 117 insertions, 59 deletions
diff --git a/lib/display_options.c b/lib/display_options.c
index 1dd5b6affd..ea9977cc18 100644
--- a/lib/display_options.c
+++ b/lib/display_options.c
@@ -138,19 +138,13 @@ int print_buffer(ulong addr, const void *data, uint width, uint count,
{
/* linebuf as a union causes proper alignment */
union linebuf {
-#ifdef MEM_SUPPORT_64BIT_DATA
uint64_t uq[MAX_LINE_LENGTH_BYTES/sizeof(uint64_t) + 1];
-#endif
uint32_t ui[MAX_LINE_LENGTH_BYTES/sizeof(uint32_t) + 1];
uint16_t us[MAX_LINE_LENGTH_BYTES/sizeof(uint16_t) + 1];
uint8_t uc[MAX_LINE_LENGTH_BYTES/sizeof(uint8_t) + 1];
} lb;
int i;
-#ifdef MEM_SUPPORT_64BIT_DATA
- uint64_t __maybe_unused x;
-#else
- uint32_t __maybe_unused x;
-#endif
+ ulong x;
if (linelen*width > MAX_LINE_LENGTH_BYTES)
linelen = MAX_LINE_LENGTH_BYTES / width;
@@ -169,20 +163,16 @@ int print_buffer(ulong addr, const void *data, uint width, uint count,
for (i = 0; i < thislinelen; i++) {
if (width == 4)
x = lb.ui[i] = *(volatile uint32_t *)data;
-#ifdef MEM_SUPPORT_64BIT_DATA
- else if (width == 8)
- x = lb.uq[i] = *(volatile uint64_t *)data;
-#endif
+ else if (MEM_SUPPORT_64BIT_DATA && width == 8)
+ x = lb.uq[i] = *(volatile ulong *)data;
else if (width == 2)
x = lb.us[i] = *(volatile uint16_t *)data;
else
x = lb.uc[i] = *(volatile uint8_t *)data;
#if defined(CONFIG_SPL_BUILD)
printf(" %x", (uint)x);
-#elif defined(MEM_SUPPORT_64BIT_DATA)
- printf(" %0*llx", width * 2, (long long)x);
#else
- printf(" %0*x", width * 2, x);
+ printf(" %0*lx", width * 2, x);
#endif
data += width;
}
diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile
index 14ed3cb401..8b75d41f04 100644
--- a/lib/rsa/Makefile
+++ b/lib/rsa/Makefile
@@ -5,6 +5,6 @@
# (C) Copyright 2000-2007
# Wolfgang Denk, DENX Software Engineering, wd@denx.de.
-obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
-obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
+obj-$(CONFIG_$(SPL_TPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o
+obj-$(CONFIG_$(SPL_TPL_)RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o
obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o
diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c
index 9464df0093..1e83eedc82 100644
--- a/lib/rsa/rsa-keyprop.c
+++ b/lib/rsa/rsa-keyprop.c
@@ -654,21 +654,17 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
{
struct rsa_key rsa_key;
uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
- const int max_rsa_size = 4096;
- int rlen, i, ret;
+ int rlen, i, ret = 0;
*prop = calloc(sizeof(**prop), 1);
- n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
- rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
- rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5));
- if (!(*prop) || !n || !rr || !rrtmp) {
+ if (!(*prop)) {
ret = -ENOMEM;
- goto err;
+ goto out;
}
ret = rsa_parse_pub_key(&rsa_key, key, keylen);
if (ret)
- goto err;
+ goto out;
/* modulus */
/* removing leading 0's */
@@ -678,20 +674,28 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
(*prop)->modulus = malloc(rsa_key.n_sz - i);
if (!(*prop)->modulus) {
ret = -ENOMEM;
- goto err;
+ goto out;
}
memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
+ n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
+ rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits * 2) >> 5));
+ rrtmp = calloc(sizeof(uint32_t), 2 + (((*prop)->num_bits * 2) >> 5));
+ if (!n || !rr || !rrtmp) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
/* exponent */
(*prop)->public_exponent = calloc(1, sizeof(uint64_t));
if (!(*prop)->public_exponent) {
ret = -ENOMEM;
- goto err;
+ goto out;
}
memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
- rsa_key.e_sz,
rsa_key.e, rsa_key.e_sz);
- (*prop)->exp_len = rsa_key.e_sz;
+ (*prop)->exp_len = sizeof(uint64_t);
/* n0 inverse */
br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
@@ -710,16 +714,15 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
(*prop)->rr = malloc(rlen);
if (!(*prop)->rr) {
ret = -ENOMEM;
- goto err;
+ goto out;
}
br_i32_encode((void *)(*prop)->rr, rlen, rr);
- return 0;
-
-err:
+out:
free(n);
free(rr);
free(rrtmp);
- rsa_free_key_prop(*prop);
+ if (ret < 0)
+ rsa_free_key_prop(*prop);
return ret;
}
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 1d55b997e3..6c4bbc4625 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -194,6 +194,19 @@ out:
return ret;
}
+/*
+ * padding_pss_verify() - verify the pss padding of a signature
+ *
+ * Only works with a rsa_pss_saltlen:-2 (default value) right now
+ * saltlen:-1 "set the salt length to the digest length" is currently
+ * not supported.
+ *
+ * @info: Specifies key and FIT information
+ * @msg: byte array of message, len equal to msg_len
+ * @msg_len: Message length
+ * @hash: Pointer to the expected hash
+ * @hash_len: Length of the hash
+ */
int padding_pss_verify(struct image_sign_info *info,
uint8_t *msg, int msg_len,
const uint8_t *hash, int hash_len)
@@ -285,7 +298,7 @@ out:
}
#endif
-#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY)
+#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY)
/**
* rsa_verify_key() - Verify a signature against some data using RSA Key
*
@@ -359,7 +372,7 @@ static int rsa_verify_key(struct image_sign_info *info,
}
#endif
-#ifdef CONFIG_RSA_VERIFY_WITH_PKEY
+#if CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY)
/**
* rsa_verify_with_pkey() - Verify a signature against some data using
* only modulus and exponent as RSA key properties.
@@ -465,34 +478,12 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
}
#endif
-int rsa_verify(struct image_sign_info *info,
- const struct image_region region[], int region_count,
- uint8_t *sig, uint sig_len)
+int rsa_verify_hash(struct image_sign_info *info,
+ const uint8_t *hash, uint8_t *sig, uint sig_len)
{
- /* Reserve memory for maximum checksum-length */
- uint8_t hash[info->crypto->key_len];
int ret = -EACCES;
- /*
- * Verify that the checksum-length does not exceed the
- * rsa-signature-length
- */
- if (info->checksum->checksum_len >
- info->crypto->key_len) {
- debug("%s: invlaid checksum-algorithm %s for %s\n",
- __func__, info->checksum->name, info->crypto->name);
- return -EINVAL;
- }
-
- /* Calculate checksum with checksum-algorithm */
- ret = info->checksum->calculate(info->checksum->name,
- region, region_count, hash);
- if (ret < 0) {
- debug("%s: Error in checksum calculation\n", __func__);
- return -EINVAL;
- }
-
- if (IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
+ if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
/* don't rely on fdt properties */
ret = rsa_verify_with_pkey(info, hash, sig, sig_len);
@@ -542,3 +533,33 @@ int rsa_verify(struct image_sign_info *info,
return ret;
}
+
+int rsa_verify(struct image_sign_info *info,
+ const struct image_region region[], int region_count,
+ uint8_t *sig, uint sig_len)
+{
+ /* Reserve memory for maximum checksum-length */
+ uint8_t hash[info->crypto->key_len];
+ int ret = -EACCES;
+
+ /*
+ * Verify that the checksum-length does not exceed the
+ * rsa-signature-length
+ */
+ if (info->checksum->checksum_len >
+ info->crypto->key_len) {
+ debug("%s: invlaid checksum-algorithm %s for %s\n",
+ __func__, info->checksum->name, info->crypto->name);
+ return -EINVAL;
+ }
+
+ /* Calculate checksum with checksum-algorithm */
+ ret = info->checksum->calculate(info->checksum->name,
+ region, region_count, hash);
+ if (ret < 0) {
+ debug("%s: Error in checksum calculation\n", __func__);
+ return -EINVAL;
+ }
+
+ return rsa_verify_hash(info, hash, sig, sig_len);
+}
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 5a039f65d1..a4c352e3ef 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -422,3 +422,47 @@ u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}
+
+u32 tpm2_get_random(struct udevice *dev, void *data, u32 count)
+{
+ const u8 command_v2[10] = {
+ tpm_u16(TPM2_ST_NO_SESSIONS),
+ tpm_u32(12),
+ tpm_u32(TPM2_CC_GET_RANDOM),
+ };
+ u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+
+ const size_t data_size_offset = 10;
+ const size_t data_offset = 12;
+ size_t response_length = sizeof(response);
+ u32 data_size;
+ u8 *out = data;
+
+ while (count > 0) {
+ u32 this_bytes = min((size_t)count,
+ sizeof(response) - data_offset);
+ u32 err;
+
+ if (pack_byte_string(buf, sizeof(buf), "sw",
+ 0, command_v2, sizeof(command_v2),
+ sizeof(command_v2), this_bytes))
+ return TPM_LIB_ERROR;
+ err = tpm_sendrecv_command(dev, buf, response,
+ &response_length);
+ if (err)
+ return err;
+ if (unpack_byte_string(response, response_length, "w",
+ data_size_offset, &data_size))
+ return TPM_LIB_ERROR;
+ if (data_size > this_bytes)
+ return TPM_LIB_ERROR;
+ if (unpack_byte_string(response, response_length, "s",
+ data_offset, out, data_size))
+ return TPM_LIB_ERROR;
+
+ count -= data_size;
+ out += data_size;
+ }
+
+ return 0;
+}