diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/display_options.c | 18 | ||||
-rw-r--r-- | lib/rsa/Makefile | 4 | ||||
-rw-r--r-- | lib/rsa/rsa-keyprop.c | 35 | ||||
-rw-r--r-- | lib/rsa/rsa-verify.c | 75 | ||||
-rw-r--r-- | lib/tpm-v2.c | 44 |
5 files changed, 117 insertions, 59 deletions
diff --git a/lib/display_options.c b/lib/display_options.c index 1dd5b6affd..ea9977cc18 100644 --- a/lib/display_options.c +++ b/lib/display_options.c @@ -138,19 +138,13 @@ int print_buffer(ulong addr, const void *data, uint width, uint count, { /* linebuf as a union causes proper alignment */ union linebuf { -#ifdef MEM_SUPPORT_64BIT_DATA uint64_t uq[MAX_LINE_LENGTH_BYTES/sizeof(uint64_t) + 1]; -#endif uint32_t ui[MAX_LINE_LENGTH_BYTES/sizeof(uint32_t) + 1]; uint16_t us[MAX_LINE_LENGTH_BYTES/sizeof(uint16_t) + 1]; uint8_t uc[MAX_LINE_LENGTH_BYTES/sizeof(uint8_t) + 1]; } lb; int i; -#ifdef MEM_SUPPORT_64BIT_DATA - uint64_t __maybe_unused x; -#else - uint32_t __maybe_unused x; -#endif + ulong x; if (linelen*width > MAX_LINE_LENGTH_BYTES) linelen = MAX_LINE_LENGTH_BYTES / width; @@ -169,20 +163,16 @@ int print_buffer(ulong addr, const void *data, uint width, uint count, for (i = 0; i < thislinelen; i++) { if (width == 4) x = lb.ui[i] = *(volatile uint32_t *)data; -#ifdef MEM_SUPPORT_64BIT_DATA - else if (width == 8) - x = lb.uq[i] = *(volatile uint64_t *)data; -#endif + else if (MEM_SUPPORT_64BIT_DATA && width == 8) + x = lb.uq[i] = *(volatile ulong *)data; else if (width == 2) x = lb.us[i] = *(volatile uint16_t *)data; else x = lb.uc[i] = *(volatile uint8_t *)data; #if defined(CONFIG_SPL_BUILD) printf(" %x", (uint)x); -#elif defined(MEM_SUPPORT_64BIT_DATA) - printf(" %0*llx", width * 2, (long long)x); #else - printf(" %0*x", width * 2, x); + printf(" %0*lx", width * 2, x); #endif data += width; } diff --git a/lib/rsa/Makefile b/lib/rsa/Makefile index 14ed3cb401..8b75d41f04 100644 --- a/lib/rsa/Makefile +++ b/lib/rsa/Makefile @@ -5,6 +5,6 @@ # (C) Copyright 2000-2007 # Wolfgang Denk, DENX Software Engineering, wd@denx.de. -obj-$(CONFIG_$(SPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o -obj-$(CONFIG_RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o +obj-$(CONFIG_$(SPL_TPL_)RSA_VERIFY) += rsa-verify.o rsa-checksum.o +obj-$(CONFIG_$(SPL_TPL_)RSA_VERIFY_WITH_PKEY) += rsa-keyprop.o obj-$(CONFIG_RSA_SOFTWARE_EXP) += rsa-mod-exp.o diff --git a/lib/rsa/rsa-keyprop.c b/lib/rsa/rsa-keyprop.c index 9464df0093..1e83eedc82 100644 --- a/lib/rsa/rsa-keyprop.c +++ b/lib/rsa/rsa-keyprop.c @@ -654,21 +654,17 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop) { struct rsa_key rsa_key; uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL; - const int max_rsa_size = 4096; - int rlen, i, ret; + int rlen, i, ret = 0; *prop = calloc(sizeof(**prop), 1); - n = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5)); - rr = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5)); - rrtmp = calloc(sizeof(uint32_t), 1 + (max_rsa_size >> 5)); - if (!(*prop) || !n || !rr || !rrtmp) { + if (!(*prop)) { ret = -ENOMEM; - goto err; + goto out; } ret = rsa_parse_pub_key(&rsa_key, key, keylen); if (ret) - goto err; + goto out; /* modulus */ /* removing leading 0's */ @@ -678,20 +674,28 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop) (*prop)->modulus = malloc(rsa_key.n_sz - i); if (!(*prop)->modulus) { ret = -ENOMEM; - goto err; + goto out; } memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i); + n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5)); + rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits * 2) >> 5)); + rrtmp = calloc(sizeof(uint32_t), 2 + (((*prop)->num_bits * 2) >> 5)); + if (!n || !rr || !rrtmp) { + ret = -ENOMEM; + goto out; + } + /* exponent */ (*prop)->public_exponent = calloc(1, sizeof(uint64_t)); if (!(*prop)->public_exponent) { ret = -ENOMEM; - goto err; + goto out; } memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t) - rsa_key.e_sz, rsa_key.e, rsa_key.e_sz); - (*prop)->exp_len = rsa_key.e_sz; + (*prop)->exp_len = sizeof(uint64_t); /* n0 inverse */ br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i); @@ -710,16 +714,15 @@ int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop) (*prop)->rr = malloc(rlen); if (!(*prop)->rr) { ret = -ENOMEM; - goto err; + goto out; } br_i32_encode((void *)(*prop)->rr, rlen, rr); - return 0; - -err: +out: free(n); free(rr); free(rrtmp); - rsa_free_key_prop(*prop); + if (ret < 0) + rsa_free_key_prop(*prop); return ret; } diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 1d55b997e3..6c4bbc4625 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -194,6 +194,19 @@ out: return ret; } +/* + * padding_pss_verify() - verify the pss padding of a signature + * + * Only works with a rsa_pss_saltlen:-2 (default value) right now + * saltlen:-1 "set the salt length to the digest length" is currently + * not supported. + * + * @info: Specifies key and FIT information + * @msg: byte array of message, len equal to msg_len + * @msg_len: Message length + * @hash: Pointer to the expected hash + * @hash_len: Length of the hash + */ int padding_pss_verify(struct image_sign_info *info, uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len) @@ -285,7 +298,7 @@ out: } #endif -#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY) +#if CONFIG_IS_ENABLED(FIT_SIGNATURE) || CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) /** * rsa_verify_key() - Verify a signature against some data using RSA Key * @@ -359,7 +372,7 @@ static int rsa_verify_key(struct image_sign_info *info, } #endif -#ifdef CONFIG_RSA_VERIFY_WITH_PKEY +#if CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) /** * rsa_verify_with_pkey() - Verify a signature against some data using * only modulus and exponent as RSA key properties. @@ -465,34 +478,12 @@ static int rsa_verify_with_keynode(struct image_sign_info *info, } #endif -int rsa_verify(struct image_sign_info *info, - const struct image_region region[], int region_count, - uint8_t *sig, uint sig_len) +int rsa_verify_hash(struct image_sign_info *info, + const uint8_t *hash, uint8_t *sig, uint sig_len) { - /* Reserve memory for maximum checksum-length */ - uint8_t hash[info->crypto->key_len]; int ret = -EACCES; - /* - * Verify that the checksum-length does not exceed the - * rsa-signature-length - */ - if (info->checksum->checksum_len > - info->crypto->key_len) { - debug("%s: invlaid checksum-algorithm %s for %s\n", - __func__, info->checksum->name, info->crypto->name); - return -EINVAL; - } - - /* Calculate checksum with checksum-algorithm */ - ret = info->checksum->calculate(info->checksum->name, - region, region_count, hash); - if (ret < 0) { - debug("%s: Error in checksum calculation\n", __func__); - return -EINVAL; - } - - if (IS_ENABLED(CONFIG_RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) { + if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) { /* don't rely on fdt properties */ ret = rsa_verify_with_pkey(info, hash, sig, sig_len); @@ -542,3 +533,33 @@ int rsa_verify(struct image_sign_info *info, return ret; } + +int rsa_verify(struct image_sign_info *info, + const struct image_region region[], int region_count, + uint8_t *sig, uint sig_len) +{ + /* Reserve memory for maximum checksum-length */ + uint8_t hash[info->crypto->key_len]; + int ret = -EACCES; + + /* + * Verify that the checksum-length does not exceed the + * rsa-signature-length + */ + if (info->checksum->checksum_len > + info->crypto->key_len) { + debug("%s: invlaid checksum-algorithm %s for %s\n", + __func__, info->checksum->name, info->crypto->name); + return -EINVAL; + } + + /* Calculate checksum with checksum-algorithm */ + ret = info->checksum->calculate(info->checksum->name, + region, region_count, hash); + if (ret < 0) { + debug("%s: Error in checksum calculation\n", __func__); + return -EINVAL; + } + + return rsa_verify_hash(info, hash, sig, sig_len); +} diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 5a039f65d1..a4c352e3ef 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -422,3 +422,47 @@ u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw, return tpm_sendrecv_command(dev, command_v2, NULL, NULL); } + +u32 tpm2_get_random(struct udevice *dev, void *data, u32 count) +{ + const u8 command_v2[10] = { + tpm_u16(TPM2_ST_NO_SESSIONS), + tpm_u32(12), + tpm_u32(TPM2_CC_GET_RANDOM), + }; + u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE]; + + const size_t data_size_offset = 10; + const size_t data_offset = 12; + size_t response_length = sizeof(response); + u32 data_size; + u8 *out = data; + + while (count > 0) { + u32 this_bytes = min((size_t)count, + sizeof(response) - data_offset); + u32 err; + + if (pack_byte_string(buf, sizeof(buf), "sw", + 0, command_v2, sizeof(command_v2), + sizeof(command_v2), this_bytes)) + return TPM_LIB_ERROR; + err = tpm_sendrecv_command(dev, buf, response, + &response_length); + if (err) + return err; + if (unpack_byte_string(response, response_length, "w", + data_size_offset, &data_size)) + return TPM_LIB_ERROR; + if (data_size > this_bytes) + return TPM_LIB_ERROR; + if (unpack_byte_string(response, response_length, "s", + data_offset, out, data_size)) + return TPM_LIB_ERROR; + + count -= data_size; + out += data_size; + } + + return 0; +} |