Commit graph

42 commits

Author SHA1 Message Date
Yann Droneaud
9b5ad4f5da lib: rsa: use actual OpenSSL 1.1.0 EVP MD API
Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new()
                     EVP_MD_CTX_destroy() is EVP_MD_CTX_free()
                     EVP_MD_CTX_init() is EVP_MD_CTX_reset()

As there's no need to reset a newly created EVP_MD_CTX, moreover
EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init()
can be dropped.
As there's no need to reset an EVP_MD_CTX before it's destroyed,
as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset()
is not needed and can be dropped.

Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
2022-03-04 15:20:07 -05:00
Simon Glass
c033dc8c0c image: Return destination node for add_verify_data() method
It is useful to know where the verification data was written. Update the
API to return this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26 08:50:44 -07:00
Heinrich Schuchardt
185f812c41 doc: replace @return by Return:
Sphinx expects Return: and not @return to indicate a return value.

find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-19 18:11:34 +01:00
Heinrich Schuchardt
675c3ccc5c lib/rsa: avoid -Wdiscarded-qualifiers
The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
Our code drops the const qualifier leading to

In file included from tools/lib/rsa/rsa-sign.c:1:
./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
./tools/../lib/rsa/rsa-sign.c:631:13: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
  631 |         rsa = EVP_PKEY_get0_RSA(pkey);
      |             ^

Add a type conversion.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-01-10 08:13:24 -05:00
Heinrich Schuchardt
3a8b919932 tools: avoid OpenSSL deprecation warnings
Our Gitlab CI buildsystem is set up to treat warnings as errors.
With OpenSSL 3.0 a lot of deprecation warnings occur.

With the patch compatibility with OpenSSL 1.1.1 is declared.
In the long run we should upgrade our code to use the current API.

A -Wdiscarded-qualifiers warning is muted by casting.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-12-26 06:57:20 +01:00
Simon Glass
2bbed3ff8c image: Use Kconfig to enable FIT_RSASSA_PSS on host
Add a host Kconfig for FIT_RSASSA_PSS. With this we can use
CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the
forcing of this in the image.h header.

Drop the #ifdef around padding_pss_verify() too since it is not needed.
Use the compiler to check the config where possible, instead of the
preprocessor.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-10-08 15:53:26 -04:00
Tom Rini
6674edaabf Prepare v2021.10-rc4
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmFBKRgACgkQFHw5/5Y0
 tyw/PwwAtGB3rBeYW4rjWuMC5WP1UDTnvZIAok5ImWumWDahjDm8Yq2VCzAe9adw
 EYBjuNmaNl9aQvGVqlVJeIcLku5MLuLQu2za8vhc1R8X9VTPPY+LLTcdOokOmB8y
 8JiaE7fJsb1bZeV+diF9tss3B0IkUrwSJtW1d+qfdz/4UiRvwK5BhnZgzIobDldO
 g1Ldz/xiR2GOAXlUMwDrNAi6qNvmeAqRsQxySVrjltAV2ST7LJnOiHuWvJX6g6VS
 l796Hleh/kULfEW6n+1ZaTNqvVRcJ8xYSOG8w8y9u6HuPBA3JrYH1p1Eo5n7PPDv
 US71Iy/ncweTyfTMEBThWLqjHOQ05sVkWX/r4fj2iJRli+Og53lE1fVJ4ajIx7vz
 Tc76wI43i0I5lr2yTErjUG6EzDDoueqd+c8BwxihNLUK/+QG31xoCEMfC80C25ro
 QhYVFgiPWN0ySUD5M5tbGXODvfNNIDKXpY5oSOTVtemZtDEMpO2zBM1s/K3RV7Ud
 Je9Pj0Cu
 =Me42
 -----END PGP SIGNATURE-----

Merge tag 'v2021.10-rc4' into next

Prepare v2021.10-rc4

Signed-off-by: Tom Rini <trini@konsulko.com>

# gpg: Signature made Tue 14 Sep 2021 06:58:32 PM EDT
# gpg:                using RSA key 1A3C7F70E08FAB1707809BBF147C39FF9634B72C
# gpg: Good signature from "Thomas Rini <trini@konsulko.com>" [ultimate]

# Conflicts:
#	board/Arcturus/ucp1020/spl.c
#	cmd/mvebu/Kconfig
#	common/Kconfig.boot
#	common/image-fit.c
#	configs/UCP1020_defconfig
#	configs/sifive_unmatched_defconfig
#	drivers/pci/Kconfig
#	include/configs/UCP1020.h
#	include/configs/sifive-unmatched.h
#	lib/Makefile
#	scripts/config_whitelist.txt
2021-09-16 10:29:40 -04:00
Heinrich Schuchardt
d607dfd878 lib/rsa: don't use NULL as key_id
If keydir is not provided but name is we want to use name as key_id.

But with the current coding name is only used on its own if it is NULL
and keydir is provided which never occurs.

Fixes: 824ee745fb ("lib/rsa: Use the 'keyfile' argument from mkimage")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-09-14 09:07:18 -04:00
Heinrich Schuchardt
295ab733df lib: -Wformat-truncation in rsa_engine_get_priv_key
With glibc 2.33 (Ubuntu package glibc6 2.33-0ubuntu9) building
sifive_unmatched_defconfig results in:

In file included from /usr/include/stdio.h:866,
                  from ././include/compiler.h:26,
                  from <command-line>:
In function ‘snprintf’,
     inlined from ‘rsa_engine_get_priv_key’ at ./tools/../^:273:4:
/usr/include/riscv64-linux-gnu/bits/stdio2.h:71:10: warning:
‘%s’ directive argument is null [-Wformat-truncation=]
    71 |   return __builtin___snprintf_chk (__s, __n,
__USE_FORTIFY_LEVEL - 1,
       |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    72 |        __glibc_objsize (__s), __fmt,
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    73 |        __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~

Avoid passing a NULL string.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-09-01 19:25:37 -04:00
Alexandru Gagniuc
fe68a67a5f lib/rsa: Remove support for OpenSSL < 1.1.0 and libressl < 2.7.0
Older OpenSSL and libressl versions have a slightly different API.
This require #ifdefs to support. However, we still can't support it
because the ECDSA path does not compile with these older versions.
These #ifdefs are truly a vestigial appendage.

Alternatively, the ECDSA path could be updated for older libraries,
but this requires significant extra code, and #ifdefs. Those libraries
are over three years old, and there concerns whether it makes sense to
build modern software for real world use against such old libraries.

Thusly, remove #ifdefs and code for old OpenSSL and LibreSSL support.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-09-01 19:25:37 -04:00
Marc Kleine-Budde
62b27a561c mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine
This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2021-07-28 20:46:34 -04:00
Chan, Donald
6d59ace988 lib: rsa: rsa-sign: Minor bug in debug message
*sig_size isn't set until later so use the correct variables.

Signed-off-by: Donald Chan <hoiho@lab126.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-07-28 20:46:34 -04:00
Simon Glass
ad74aed11e image: Rename CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
Drop the ENABLE and SUPPORT parts of this, which are redundant.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-07-16 12:58:55 -04:00
Chan, Donald
fbc777429f lib/rsa: Use EVP_PKEY instead of RSA
Most modern OpenSSL engines have methods overridden at the EVP level rather
than at RSA level, to make these engines work properly with mkimage, the RSA
signing code needs to switch to using EVP_* APIs as much as possible.

Signed-off-by: Donald Chan <hoiho@lab126.com>
[trini: Rebase on top of keyfile changes]
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-04-14 17:45:04 -04:00
Alexandru Gagniuc
824ee745fb lib/rsa: Use the 'keyfile' argument from mkimage
Keys can be derived from keydir, and the "key-name-hint" property of
the FIT. They can also be specified ad-literam via 'keyfile'. Update
the RSA signing path to use the appropriate one.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-04-14 15:23:01 -04:00
Alexandru Gagniuc
4c17e5f691 lib/rsa: Make fdt_add_bignum() available outside of RSA code
fdt_add_bignum() is useful for algorithms other than just RSA. To
allow its use for ECDSA, move it to a common file under lib/.

The new file is suffixed with '-libcrypto' because it has a direct
dependency on openssl. This is due to the use of the "BIGNUM *" type.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-04-14 15:06:08 -04:00
Heinrich Schuchardt
de95930946 lib/rsa: correct check after allocation in fdt_add_bignum()
After allocating to pointer ctx we should check that pointer and not
another pointer already checked above.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-08-27 11:26:58 -04:00
Jan Luebbe
24bf6e84ce lib: rsa: avoid overriding the object name when already specified
If "object=" is specified in "keydir" when using the pkcs11 engine do
not append another "object=<key-name-hint>". This makes it possible to
use object names other than the key name hint. These two string
identifiers are not necessarily equal.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
2020-05-15 14:47:35 -04:00
Jonathan Gray
0ff042d836 rsa: don't use malloc.h in rsa-sign.c
stdlib.h is the header for malloc since at least c89/c90.
There is no system malloc.h on OpenBSD and trying to use malloc.h here
falls back to the U-Boot malloc.h breaking the build of qemu_arm64.

Fixes: 336d4615f8 ("dm: core: Create a new header file for 'compat' features")
Signed-off-by: Jonathan Gray <jsg@jsg.id.au>
2020-05-15 14:47:35 -04:00
Simon Glass
72188f5462 image: Use constants for 'required' and 'key-name-hint'
These are used in multiple places so update them to use a shared #define.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
2020-04-01 07:45:09 -06:00
Simon Glass
336d4615f8 dm: core: Create a new header file for 'compat' features
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.

Move the compatibility features into a separate header file.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-02-05 19:33:46 -07:00
Vesa Jääskeläinen
5b123e0109 lib: rsa: add support to other openssl engine types than pkcs11
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.

Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
2019-07-18 11:31:23 -04:00
Philippe Reynes
061daa0b61 rsa: add support of padding pss
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03 10:44:10 -05:00
Philippe Reynes
20031567e1 rsa: add a structure for the padding
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03 10:44:10 -05:00
Philippe Reynes
3b5d6979fc rsa: use new openssl API to create signature
Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2018-12-03 10:44:10 -05:00
Caliph Nomble
7ac1a432a1 rsa: Fix LibreSSL before v2.7.0
Fix LibreSSL compilation for versions before v2.7.0.

Signed-off-by: Caliph Nomble <nomble@palism.com>
Reviewed-by: Jonathan Gray <jsg@jsg.id.au>
2018-08-13 14:03:57 -04:00
Simon Glass
8a682e03d7 rsa: Fix missing memory leak on error in fdt_add_bignum()
Thsi function can fail without freeing all its memory. Fix it.

Reported-by: Coverity (CID: 131217)
Signed-off-by: Simon Glass <sjg@chromium.org>
2018-06-19 07:31:44 -04:00
Tom Rini
83d290c56f SPDX: Convert all of our single license tags to Linux Kernel style
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-07 09:34:12 -04:00
Jelle van der Waa
c3b4328166 rsa: Fix build with OpenSSL 1.1.x
The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.

EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be
called to reinitialise an already created structure.
2017-05-12 08:37:19 -04:00
George McCollister
f1ca1fdebf mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
2017-01-14 16:47:13 -05:00
Andrew Duda
83dd98e012 image: Combine image_sig_algo with image_sign_info
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.

Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.

Indirectly adds support for "sha1,rsa4096" signing/verification.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2016-11-21 14:07:31 -05:00
mario.six@gdsys.cc
713fb2dcb2 tools, rsa: Further minor cleanups on top of c236ebd and 2b9ec7
[NOTE: I took v1 of these patches in, and then v2 came out, this commit
is squashing the minor deltas from v1 -> v2 of updates to c236ebd and
2b9ec76 into this commit - trini]

- Added an additional NULL check, as suggested by Simon Glass to
  fit_image_process_sig
- Re-formatted the comment blocks

Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Simon Glass <sjg@chromium.org>
[For merging the chnages from v2 back onto v1]
Signed-off-by: Tom Rini <trini@konsulko.com>
2016-07-25 12:01:36 -04:00
mario.six@gdsys.cc
2b9ec762c4 rsa: Fix return value and masked error
When signing images, we repeatedly call fit_add_file_data() with
successively increasing size values to include the keys in the DTB.

Unfortunately, if large keys are used (such as 4096 bit RSA keys), this
process fails sometimes, and mkimage needs to be called repeatedly to
integrate the keys into the DTB.

This is because fit_add_file_data actually returns the wrong error
code, and the loop terminates prematurely, instead of trying again with
a larger size value.

This patch corrects the return value by fixing the return value of
fdt_add_bignum, fixes a case where an error is masked by a unconditional
setting of a return value variable, and also removes a error message,
which is misleading, since we actually allow the function to fail. A
(hopefully helpful) comment is also added to explain the lack of error
message.

This is probably related to 1152a05 ("tools: Correct error handling in
fit_image_process_hash()") and the corresponding error reported here:

https://www.mail-archive.com/u-boot@lists.denx.de/msg217417.html

Signed-off-by: Mario Six <mario.six@gdsys.cc>
2016-07-22 14:46:24 -04:00
Simon Glass
5426716231 rsa: Fix two errors in the implementation
1. Failure to set the return code correctly
2. Failure to detect the loop end condition when the value is equal to
the modulus.

Reported-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Signed-off-by: Simon Glass <sjg@chromium.org>
2014-08-09 11:17:04 -04:00
Michael van der Westhuizen
e0f2f15534 Implement generalised RSA public exponents for verified boot
Remove the verified boot limitation that only allows a single
RSA public exponent of 65537 (F4).  This change allows use with
existing PKI infrastructure and has been tested with HSM-based
PKI.

Change the configuration OF tree format to store the RSA public
exponent as a 64 bit integer and implement backward compatibility
for verified boot configuration trees without this extra field.

Parameterise vboot_test.sh to test different public exponents.

Mathematics and other hard work by Andrew Bott.

Tested with the following public exponents: 3, 5, 17, 257, 39981,
50457, 65537 and 4294967297.

Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com>
Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com>
Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com>
Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com>
Cc: Simon Glass <sjg@chromium.org>
2014-08-09 11:17:01 -04:00
Simon Glass
597a8b2c68 mkimage: Automatically expand FDT in more cases
The original code did not cover every case and there was a missing negative
sign in one case. Expand the coverage and fix the bug.

Signed-off-by: Simon Glass <sjg@chromium.org>
2014-06-19 11:18:56 -04:00
Simon Glass
4f427a421f fdt: Update functions which write to an FDT to return -ENOSPC
When writing values into an FDT it is possible that there will be
insufficient space. If the caller gets a useful error then it can
potentially deal with the situation.

Adjust these functions to return -ENOSPC when the FDT is full.

Signed-off-by: Simon Glass <sjg@chromium.org>
2014-06-11 16:25:46 -04:00
Heiko Schocher
29a23f9d6c tools, fit_check_sign: verify a signed fit image
add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
2014-03-21 16:40:38 -04:00
Heiko Schocher
646257d1f4 rsa: add sha256-rsa2048 algorithm
based on patch from andreas@oetken.name:

http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.

aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>
2014-03-21 16:39:34 -04:00
Wolfgang Denk
1a4596601f Add GPL-2.0+ SPDX-License-Identifier to source files
Signed-off-by: Wolfgang Denk <wd@denx.de>
[trini: Fixup common/cmd_io.c]
Signed-off-by: Tom Rini <trini@ti.com>
2013-07-24 09:44:38 -04:00
Andreas Bießmann
1a260fe3ef lib/rsa/rsa-sig.c: compile on OS X
Interfaces exposed by error.h seems not to be used in rsa-sig.c, remove it.
This also fixes an compile error on OS X:

---8<---
u-boot/lib/rsa/rsa-sign.c:23:19: error: error.h: No such file or directory
--->8---

Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com>
Acked-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Tested-by: Lubomir Popov <lpopov@mm-sol.com>
2013-07-03 09:35:30 -04:00
Simon Glass
19c402afa2 image: Add RSA support for image signing
RSA provides a public key encryption facility which is ideal for image
signing and verification.

Images are signed using a private key by mkimage. Then at run-time, the
images are verified using a private key.

This implementation uses openssl for the host part (mkimage). To avoid
bringing large libraries into the U-Boot binary, the RSA public key
is encoded using a simple numeric representation in the device tree.

Signed-off-by: Simon Glass <sjg@chromium.org>
2013-06-26 10:18:56 -04:00