rsa: adds rsa3072 algorithm

Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.

Add test case in vboot for sha384 with rsa3072 algorithm testing.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Jamin Lin 2022-01-19 16:23:21 +08:00 committed by Tom Rini
parent 05ec899140
commit 2a4b0d5890
7 changed files with 112 additions and 2 deletions

View file

@ -312,3 +312,4 @@ CONFIG_TEST_FDTDEC=y
CONFIG_UNIT_TEST=y
CONFIG_UT_TIME=y
CONFIG_UT_DM=y
CONFIG_SHA384=y

View file

@ -111,6 +111,7 @@ int padding_pss_verify(struct image_sign_info *info,
#define RSA_DEFAULT_PADDING_NAME "pkcs-1.5"
#define RSA2048_BYTES (2048 / 8)
#define RSA3072_BYTES (3072 / 8)
#define RSA4096_BYTES (4096 / 8)
/* This is the minimum/maximum key size we support, in bits */

View file

@ -595,6 +595,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
.verify = rsa_verify,
};
U_BOOT_CRYPTO_ALGO(rsa3072) = {
.name = "rsa3072",
.key_len = RSA3072_BYTES,
.verify = rsa_verify,
};
U_BOOT_CRYPTO_ALGO(rsa4096) = {
.name = "rsa4096",
.key_len = RSA4096_BYTES,

View file

@ -45,6 +45,8 @@ TESTDATA = [
['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
['sha256-pss-required', 'sha256', '-pss', None, True, False],
['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
['sha384-basic', 'sha384', '', None, False, False],
['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
]
@pytest.mark.boardspec('sandbox')
@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
name: Name of of the key (e.g. 'dev')
"""
public_exponent = 65537
if sha_algo == "sha384":
rsa_keygen_bits = 3072
else:
rsa_keygen_bits = 2048
util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
'-pkeyopt rsa_keygen_bits:2048 '
'-pkeyopt rsa_keygen_bits:%d '
'-pkeyopt rsa_keygen_pubexp:%d' %
(tmpdir, name, public_exponent))
(tmpdir, name, rsa_keygen_bits, public_exponent))
# Create a certificate containing the public key
util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '

View file

@ -0,0 +1,45 @@
/dts-v1/;
/ {
description = "Chrome OS kernel image with one or more FDT blobs";
#address-cells = <1>;
images {
kernel {
data = /incbin/("test-kernel.bin");
type = "kernel_noload";
arch = "sandbox";
os = "linux";
compression = "none";
load = <0x4>;
entry = <0x8>;
kernel-version = <1>;
hash-1 {
algo = "sha384";
};
};
fdt-1 {
description = "snow";
data = /incbin/("sandbox-kernel.dtb");
type = "flat_dt";
arch = "sandbox";
compression = "none";
fdt-version = <1>;
hash-1 {
algo = "sha384";
};
};
};
configurations {
default = "conf-1";
conf-1 {
kernel = "kernel";
fdt = "fdt-1";
signature {
algo = "sha384,rsa3072";
key-name-hint = "dev";
sign-images = "fdt", "kernel";
};
};
};
};

View file

@ -0,0 +1,42 @@
/dts-v1/;
/ {
description = "Chrome OS kernel image with one or more FDT blobs";
#address-cells = <1>;
images {
kernel {
data = /incbin/("test-kernel.bin");
type = "kernel_noload";
arch = "sandbox";
os = "linux";
compression = "none";
load = <0x4>;
entry = <0x8>;
kernel-version = <1>;
signature {
algo = "sha384,rsa3072";
key-name-hint = "dev";
};
};
fdt-1 {
description = "snow";
data = /incbin/("sandbox-kernel.dtb");
type = "flat_dt";
arch = "sandbox";
compression = "none";
fdt-version = <1>;
signature {
algo = "sha384,rsa3072";
key-name-hint = "dev";
};
};
};
configurations {
default = "conf-1";
conf-1 {
kernel = "kernel";
fdt = "fdt-1";
};
};
};

View file

@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
.add_verify_data = rsa_add_verify_data,
.verify = rsa_verify,
},
{
.name = "rsa3072",
.key_len = RSA3072_BYTES,
.sign = rsa_sign,
.add_verify_data = rsa_add_verify_data,
.verify = rsa_verify,
},
{
.name = "rsa4096",
.key_len = RSA4096_BYTES,