summaryrefslogtreecommitdiff
path: root/lib/rsa
AgeCommit message (Collapse)Author
2019-10-15rsa: Return immediately if required-key verification failsDaniele Alessandrelli
Currently, if image verification with a required key fails, rsa_verify() code tries to find another key to verify the FIT image. This however, is not the intended behavior as the documentation says that required keys "must be verified for the image / configuration to be considered valid". This patch fixes the issue by making rsa_verify() return immediately if the verification of a required key fails. Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com>
2019-07-18lib: rsa: add support to other openssl engine types than pkcs11Vesa Jääskeläinen
There are multiple other openssl engines used by HSMs that can be used to sign FIT images instead of forcing users to use pkcs11 type of service. Relax engine selection so that other openssl engines can be specified and use generic key id definition formula. Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Cc: Tom Rini <trini@konsulko.com>
2019-03-25rsa: check that pointer checksum isn't NULL before using itPhilippe Reynes
The pointer checksum were used before checking that it isn't NULL. We move the code that use it after the check. Reported-by: Coverity (CID: 185835) Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03rsa: add support of padding pssPhilippe Reynes
We add the support of the padding pss for rsa signature. This new padding is often recommended instead of pkcs-1.5. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03rsa: add a structure for the paddingPhilippe Reynes
The rsa signature use a padding algorithm. By default, we use the padding pkcs-1.5. In order to add some new padding algorithm, we add a padding framework to manage several padding algorithm. The choice of the padding is done in the file .its. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03rsa: use new openssl API to create signaturePhilippe Reynes
Previous implementation of the rsa signature was using the openssl API EVP_Sign*, but the new openssl API EVP_DigestSign* is more flexible. So we move to this new API. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-08-13rsa: Fix LibreSSL before v2.7.0Caliph Nomble
Fix LibreSSL compilation for versions before v2.7.0. Signed-off-by: Caliph Nomble <nomble@palism.com> Reviewed-by: Jonathan Gray <jsg@jsg.id.au>
2018-07-19xilinx: zynq: Add support to secure imagesSiva Durga Prasad Paladugu
This patch basically adds two new commands for loadig secure images. 1. zynq rsa adds support to load secure image which can be both authenticated or encrypted or both authenticated and encrypted image in xilinx bootimage(BOOT.bin) format. 2. zynq aes command adds support to decrypt and load encrypted image back to DDR as per destination address. The image has to be encrypted using xilinx bootgen tool and to get only the encrypted image from tool use -split option while invoking bootgen. Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com>
2018-06-19rsa: Fix missing memory leak on error in fdt_add_bignum()Simon Glass
Thsi function can fail without freeing all its memory. Fix it. Reported-by: Coverity (CID: 131217) Signed-off-by: Simon Glass <sjg@chromium.org>
2018-05-07SPDX: Convert all of our single license tags to Linux Kernel styleTom Rini
When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <trini@konsulko.com>
2018-04-28lib/rsa: Kconfig: Remove superfluous 'depends on RSA'Eugeniu Rosca
RSA_SOFTWARE_EXP and RSA_FREESCALE_EXP are wrapped inside: if RSA ... endif So, remove the redundant "depends on RSA" from their depends expression. In addition, move SPL_RSA into the same "if RSA ... endif" block, since its only direct dependeny is CONFIG_RSA. This tidies up and simplifies reading of lib/rsa/Kconfig. No functional change intended. Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2017-05-12rsa: Fix build with OpenSSL 1.1.xJelle van der Waa
The rsa_st struct has been made opaque in 1.1.x, add forward compatible code to access the n, e, d members of rsa_struct. EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be called to reinitialise an already created structure.
2017-03-20Kconfig: Don't use RSA_FREESCALE_EXP on IMXGeorge McCollister
The CAAM in IMX parts doesn't support public key hardware acceleration (PKHA), so don't use RSA_FREESCALE_EXP. If you try to use it on IMX (assuming you have the clocks enabled first) you will get back an "Invalid KEY Command" error since PKHA isn't a valid key destination for these parts. Signed-off-by: George McCollister <george.mccollister@gmail.com> Reviewed-by: Tom Rini <trini@konsulko.com>
2017-01-14mkimage: Add support for signing with pkcs11George McCollister
Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com>
2016-11-21image: Combine image_sig_algo with image_sign_infoAndrew Duda
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA pairings will still fail on verify operations when the hash length is longer than the key length. Follow the same naming scheme "checksum,crytpo" without explicitly defining the string. Indirectly adds support for "sha1,rsa4096" signing/verification. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21image: Add crypto_algo struct for RSA infoAndrew Duda
Cut down on the repetition of algorithm information by defining separate checksum and crypto structs. image_sig_algos are now simply pairs of unique checksum and crypto algos. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21rsa: Verify RSA padding programaticallyAndrew Duda
Padding verification was done against static SHA/RSA pair arrays which take up a lot of static memory, are mostly 0xff, and cannot be reused for additional SHA/RSA pairings. The padding can be easily computed according to PKCS#1v2.1 as: EM = 0x00 || 0x01 || PS || 0x00 || T where PS is (emLen - tLen - 3) octets of 0xff and T is DER encoding of the hash. Store DER prefix in checksum_algo and create rsa_verify_padding function to handle verification of a message for any SHA/RSA pairing. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21rsa: cosmetic: rename pad_len to key_lenAndrew Duda
checksum_algo's pad_len field isn't actually used to store the length of the padding but the total length of the RSA key (msg_len + pad_len) Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-09-23treewide: replace #include <asm/errno.h> with <linux/errno.h>Masahiro Yamada
Now, arch/${ARCH}/include/asm/errno.h and include/linux/errno.h have the same content. (both just wrap <asm-generic/errno.h>) Replace all include directives for <asm/errno.h> with <linux/errno.h>. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> [trini: Fixup include/clk.] Signed-off-by: Tom Rini <trini@konsulko.com>
2016-07-25tools, rsa: Further minor cleanups on top of c236ebd and 2b9ec7mario.six@gdsys.cc
[NOTE: I took v1 of these patches in, and then v2 came out, this commit is squashing the minor deltas from v1 -> v2 of updates to c236ebd and 2b9ec76 into this commit - trini] - Added an additional NULL check, as suggested by Simon Glass to fit_image_process_sig - Re-formatted the comment blocks Signed-off-by: Mario Six <mario.six@gdsys.cc> Reviewed-by: Simon Glass <sjg@chromium.org> [For merging the chnages from v2 back onto v1] Signed-off-by: Tom Rini <trini@konsulko.com>
2016-07-22rsa: Fix return value and masked errormario.six@gdsys.cc
When signing images, we repeatedly call fit_add_file_data() with successively increasing size values to include the keys in the DTB. Unfortunately, if large keys are used (such as 4096 bit RSA keys), this process fails sometimes, and mkimage needs to be called repeatedly to integrate the keys into the DTB. This is because fit_add_file_data actually returns the wrong error code, and the loop terminates prematurely, instead of trying again with a larger size value. This patch corrects the return value by fixing the return value of fdt_add_bignum, fixes a case where an error is masked by a unconditional setting of a return value variable, and also removes a error message, which is misleading, since we actually allow the function to fail. A (hopefully helpful) comment is also added to explain the lack of error message. This is probably related to 1152a05 ("tools: Correct error handling in fit_image_process_hash()") and the corresponding error reported here: https://www.mail-archive.com/u-boot@lists.denx.de/msg217417.html Signed-off-by: Mario Six <mario.six@gdsys.cc>
2016-06-12verified-boot: Minimal support for booting U-Boot proper from SPLTeddy Reed
This allows a board to configure verified boot within the SPL using a FIT or FIT with external data. It also allows the SPL to perform signature verification without needing relocation. The board configuration will need to add the following feature defines: CONFIG_SPL_CRYPTO_SUPPORT CONFIG_SPL_HASH_SUPPORT CONFIG_SPL_SHA256 In this example, SHA256 is the only selected hashing algorithm. And the following booleans: CONFIG_SPL=y CONFIG_SPL_DM=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_FIT=y CONFIG_SPL_OF_CONTROL=y CONFIG_SPL_OF_LIBFDT=y CONFIG_SPL_FIT_SIGNATURE=y Signed-off-by: Teddy Reed <teddy.reed@gmail.com> Acked-by: Simon Glass <sjg@chromium.org> Acked-by: Andreas Dannenberg <dannenberg@ti.com> Acked-by: Sumit Garg <sumit.garg@nxp.com>
2016-03-14Kconfig: Move CONFIG_FIT and related options to KconfigSimon Glass
There are already two FIT options in Kconfig but the CONFIG options are still in the header files. We need to do a proper move to fix this. Move these options to Kconfig and tidy up board configuration: CONFIG_FIT CONFIG_OF_BOARD_SETUP CONFIG_OF_SYSTEM_SETUP CONFIG_FIT_SIGNATURE CONFIG_FIT_BEST_MATCH CONFIG_FIT_VERBOSE CONFIG_OF_STDOUT_VIA_ALIAS CONFIG_RSA Unfortunately the first one is a little complicated. We need to make sure this option is not enabled in SPL by this change. Also this option is enabled automatically in the host builds by defining CONFIG_FIT in the image.h file. To solve this, add a new IMAGE_USE_FIT #define which can be used in files that are built on the host but must also build for U-Boot and SPL. Note: Masahiro's moveconfig.py script is amazing. Signed-off-by: Simon Glass <sjg@chromium.org> [trini: Add microblaze change, various configs/ re-applies] Signed-off-by: Tom Rini <trini@konsulko.com>
2015-03-05rsa : Compile Modular Exponentiation files based on CONFIG_RSA_SOFTWARE_EXPgaurav rana
Remove dependency of rsa_mod_exp from CONFIG_FIT_SIGNATURE. As rsa modular exponentiation is an independent module and can be invoked independently. Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com> Acked-by: Simon Glass <sjg@chromium.org> Reviewed-by: York Sun <yorksun@freescale.com>
2015-01-29rsa: Use checksum algorithms from struct hash_algoRuchika Gupta
Currently the hash functions used in RSA are called directly from the sha1 and sha256 libraries. Change the RSA checksum library to use the progressive hash API's registered with struct hash_algo. This will allow the checksum library to use the hardware accelerated progressive hash API's once available. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org> (Fixed build error in am335x_boneblack_vboot due to duplicate CONFIG_DM) Change-Id: Ic44279432f88d4e8594c6e94feb1cfcae2443a54
2015-01-29lib/rsa: Add Kconfig for devices supporting RSA Modular ExponentiationRuchika Gupta
Kconfig option added for devices which support RSA Verification. 1. RSA_SOFTWARE_EXP Enables driver for supporting RSA Modular Exponentiation in Software 2. RSA_FREESCALE_EXP Enables driver for supporting RSA Modular Exponentiation using Freescale specific driver The above drivers use RSA uclass Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org> (Removed duplicate line in Kconfig comment) Change-Id: I7663c4d5350e2bfc3dfa2696f70ef777d6ccc6f6
2015-01-29lib/rsa: Modify rsa to use DM driverRuchika Gupta
Modify rsa_verify to use the rsa driver of DM library .The tools will continue to use the same RSA sw library. CONFIG_RSA is now dependent on CONFIG_DM. All configurations which enable FIT based signatures have been modified to enable CONFIG_DM by default. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
2015-01-29rsa: Split the rsa-verify to separate the modular exponentiationRuchika Gupta
Public exponentiation which is required in rsa verify functionality is tightly integrated with verification code in rsa_verify.c. The patch splits the file into twp separating the modular exponentiation. 1. rsa-verify.c - The file parses device tree keys node to fill a keyprop structure. The keyprop structure can then be converted to implementation specific format. (struct rsa_pub_key for sw implementation) - The parsed device tree node is then passed to a generic rsa_mod_exp function. 2. rsa-mod-exp.c Move the software specific functions related to modular exponentiation from rsa-verify.c to this file. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> CC: Simon Glass <sjg@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
2014-08-09rsa: Fix two errors in the implementationSimon Glass
1. Failure to set the return code correctly 2. Failure to detect the loop end condition when the value is equal to the modulus. Reported-by: Jeroen Hofstee <jeroen@myspectrum.nl> Signed-off-by: Simon Glass <sjg@chromium.org>
2014-08-09Implement generalised RSA public exponents for verified bootMichael van der Westhuizen
Remove the verified boot limitation that only allows a single RSA public exponent of 65537 (F4). This change allows use with existing PKI infrastructure and has been tested with HSM-based PKI. Change the configuration OF tree format to store the RSA public exponent as a 64 bit integer and implement backward compatibility for verified boot configuration trees without this extra field. Parameterise vboot_test.sh to test different public exponents. Mathematics and other hard work by Andrew Bott. Tested with the following public exponents: 3, 5, 17, 257, 39981, 50457, 65537 and 4294967297. Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com> Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com> Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com> Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com> Cc: Simon Glass <sjg@chromium.org>
2014-06-19includes: move openssl headers to include/u-bootJeroen Hofstee
commit 18b06652cd "tools: include u-boot version of sha256.h" unconditionally forced the sha256.h from u-boot to be used for tools instead of the host version. This is fragile though as it will also include the host version. Therefore move it to include/u-boot to join u-boot/md5.h etc which were renamed for the same reason. cc: Simon Glass <sjg@chromium.org> Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
2014-06-19mkimage: Automatically expand FDT in more casesSimon Glass
The original code did not cover every case and there was a missing negative sign in one case. Expand the coverage and fix the bug. Signed-off-by: Simon Glass <sjg@chromium.org>
2014-06-11fdt: Update functions which write to an FDT to return -ENOSPCSimon Glass
When writing values into an FDT it is possible that there will be insufficient space. If the caller gets a useful error then it can potentially deal with the situation. Adjust these functions to return -ENOSPC when the FDT is full. Signed-off-by: Simon Glass <sjg@chromium.org>
2014-03-21tools, fit_check_sign: verify a signed fit imageHeiko Schocher
add host tool "fit_check_sign" which verifies, if a fit image is signed correct. Signed-off-by: Heiko Schocher <hs@denx.de> Cc: Simon Glass <sjg@chromium.org>
2014-03-21rsa: add sha256,rsa4096 algorithmHeiko Schocher
Add support for sha256,rsa4096 signatures in u-boot. Signed-off-by: Heiko Schocher <hs@denx.de> Acked-by: Simon Glass <sjg@chromium.org> Cc: andreas@oetken.name
2014-03-21rsa: add sha256-rsa2048 algorithmHeiko Schocher
based on patch from andreas@oetken.name: http://patchwork.ozlabs.org/patch/294318/ commit message: I currently need support for rsa-sha256 signatures in u-boot and found out that the code for signatures is not very generic. Thus adding of different hash-algorithms for rsa-signatures is not easy to do without copy-pasting the rsa-code. I attached a patch for how I think it could be better and included support for rsa-sha256. This is a fast first shot. aditionally work: - removed checkpatch warnings - removed compiler warnings - rebased against current head Signed-off-by: Heiko Schocher <hs@denx.de> Cc: andreas@oetken.name Cc: Simon Glass <sjg@chromium.org>
2013-11-17lib: descend into sub directories only when it is necessaryMasahiro Yamada
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
2013-10-31lib: convert makefiles to Kbuild styleMasahiro Yamada
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
2013-07-24Add GPL-2.0+ SPDX-License-Identifier to source filesWolfgang Denk
Signed-off-by: Wolfgang Denk <wd@denx.de> [trini: Fixup common/cmd_io.c] Signed-off-by: Tom Rini <trini@ti.com>
2013-07-03lib/rsa/rsa-sig.c: compile on OS XAndreas Bießmann
Interfaces exposed by error.h seems not to be used in rsa-sig.c, remove it. This also fixes an compile error on OS X: ---8<--- u-boot/lib/rsa/rsa-sign.c:23:19: error: error.h: No such file or directory --->8--- Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com> Acked-by: Jeroen Hofstee <jeroen@myspectrum.nl> Tested-by: Lubomir Popov <lpopov@mm-sol.com>
2013-06-26image: Add RSA support for image signingSimon Glass
RSA provides a public key encryption facility which is ideal for image signing and verification. Images are signed using a private key by mkimage. Then at run-time, the images are verified using a private key. This implementation uses openssl for the host part (mkimage). To avoid bringing large libraries into the U-Boot binary, the RSA public key is encoded using a simple numeric representation in the device tree. Signed-off-by: Simon Glass <sjg@chromium.org>