Since OpenSSL 1.1.0, EVP_MD_CTX_create() is EVP_MD_CTX_new()
EVP_MD_CTX_destroy() is EVP_MD_CTX_free()
EVP_MD_CTX_init() is EVP_MD_CTX_reset()
As there's no need to reset a newly created EVP_MD_CTX, moreover
EVP_DigestSignInit() does the reset, thus call to EVP_MD_CTX_init()
can be dropped.
As there's no need to reset an EVP_MD_CTX before it's destroyed,
as it will be reset by EVP_MD_CTX_free(), call to EVP_MD_CTX_reset()
is not needed and can be dropped.
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
Our code drops the const qualifier leading to
In file included from tools/lib/rsa/rsa-sign.c:1:
./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
./tools/../lib/rsa/rsa-sign.c:631:13: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
631 | rsa = EVP_PKEY_get0_RSA(pkey);
| ^
Add a type conversion.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Our Gitlab CI buildsystem is set up to treat warnings as errors.
With OpenSSL 3.0 a lot of deprecation warnings occur.
With the patch compatibility with OpenSSL 1.1.1 is declared.
In the long run we should upgrade our code to use the current API.
A -Wdiscarded-qualifiers warning is muted by casting.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add a host Kconfig for FIT_RSASSA_PSS. With this we can use
CONFIG_IS_ENABLED(FIT_RSASSA_PSS) directly in the host build, so drop the
forcing of this in the image.h header.
Drop the #ifdef around padding_pss_verify() too since it is not needed.
Use the compiler to check the config where possible, instead of the
preprocessor.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
If keydir is not provided but name is we want to use name as key_id.
But with the current coding name is only used on its own if it is NULL
and keydir is provided which never occurs.
Fixes: 824ee745fb ("lib/rsa: Use the 'keyfile' argument from mkimage")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
With glibc 2.33 (Ubuntu package glibc6 2.33-0ubuntu9) building
sifive_unmatched_defconfig results in:
In file included from /usr/include/stdio.h:866,
from ././include/compiler.h:26,
from <command-line>:
In function ‘snprintf’,
inlined from ‘rsa_engine_get_priv_key’ at ./tools/../^:273:4:
/usr/include/riscv64-linux-gnu/bits/stdio2.h:71:10: warning:
‘%s’ directive argument is null [-Wformat-truncation=]
71 | return __builtin___snprintf_chk (__s, __n,
__USE_FORTIFY_LEVEL - 1,
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72 | __glibc_objsize (__s), __fmt,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
Avoid passing a NULL string.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Older OpenSSL and libressl versions have a slightly different API.
This require #ifdefs to support. However, we still can't support it
because the ECDSA path does not compile with these older versions.
These #ifdefs are truly a vestigial appendage.
Alternatively, the ECDSA path could be updated for older libraries,
but this requires significant extra code, and #ifdefs. Those libraries
are over three years old, and there concerns whether it makes sense to
build modern software for real world use against such old libraries.
Thusly, remove #ifdefs and code for old OpenSSL and LibreSSL support.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
*sig_size isn't set until later so use the correct variables.
Signed-off-by: Donald Chan <hoiho@lab126.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop the ENABLE and SUPPORT parts of this, which are redundant.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Most modern OpenSSL engines have methods overridden at the EVP level rather
than at RSA level, to make these engines work properly with mkimage, the RSA
signing code needs to switch to using EVP_* APIs as much as possible.
Signed-off-by: Donald Chan <hoiho@lab126.com>
[trini: Rebase on top of keyfile changes]
Signed-off-by: Tom Rini <trini@konsulko.com>
Keys can be derived from keydir, and the "key-name-hint" property of
the FIT. They can also be specified ad-literam via 'keyfile'. Update
the RSA signing path to use the appropriate one.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_add_bignum() is useful for algorithms other than just RSA. To
allow its use for ECDSA, move it to a common file under lib/.
The new file is suffixed with '-libcrypto' because it has a direct
dependency on openssl. This is due to the use of the "BIGNUM *" type.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
After allocating to pointer ctx we should check that pointer and not
another pointer already checked above.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
If "object=" is specified in "keydir" when using the pkcs11 engine do
not append another "object=<key-name-hint>". This makes it possible to
use object names other than the key name hint. These two string
identifiers are not necessarily equal.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
stdlib.h is the header for malloc since at least c89/c90.
There is no system malloc.h on OpenBSD and trying to use malloc.h here
falls back to the U-Boot malloc.h breaking the build of qemu_arm64.
Fixes: 336d4615f8 ("dm: core: Create a new header file for 'compat' features")
Signed-off-by: Jonathan Gray <jsg@jsg.id.au>
These are used in multiple places so update them to use a shared #define.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Philippe Reynes <philippe.reynes@softathome.com>
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.
Move the compatibility features into a separate header file.
Signed-off-by: Simon Glass <sjg@chromium.org>
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.
Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
The rsa_st struct has been made opaque in 1.1.x, add forward compatible
code to access the n, e, d members of rsa_struct.
EVP_MD_CTX_cleanup has been removed in 1.1.x and EVP_MD_CTX_reset should be
called to reinitialise an already created structure.
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Remove the need to explicitly add SHA/RSA pairings. Invalid SHA/RSA
pairings will still fail on verify operations when the hash length is
longer than the key length.
Follow the same naming scheme "checksum,crytpo" without explicitly
defining the string.
Indirectly adds support for "sha1,rsa4096" signing/verification.
Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[NOTE: I took v1 of these patches in, and then v2 came out, this commit
is squashing the minor deltas from v1 -> v2 of updates to c236ebd and
2b9ec76 into this commit - trini]
- Added an additional NULL check, as suggested by Simon Glass to
fit_image_process_sig
- Re-formatted the comment blocks
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Simon Glass <sjg@chromium.org>
[For merging the chnages from v2 back onto v1]
Signed-off-by: Tom Rini <trini@konsulko.com>
When signing images, we repeatedly call fit_add_file_data() with
successively increasing size values to include the keys in the DTB.
Unfortunately, if large keys are used (such as 4096 bit RSA keys), this
process fails sometimes, and mkimage needs to be called repeatedly to
integrate the keys into the DTB.
This is because fit_add_file_data actually returns the wrong error
code, and the loop terminates prematurely, instead of trying again with
a larger size value.
This patch corrects the return value by fixing the return value of
fdt_add_bignum, fixes a case where an error is masked by a unconditional
setting of a return value variable, and also removes a error message,
which is misleading, since we actually allow the function to fail. A
(hopefully helpful) comment is also added to explain the lack of error
message.
This is probably related to 1152a05 ("tools: Correct error handling in
fit_image_process_hash()") and the corresponding error reported here:
https://www.mail-archive.com/u-boot@lists.denx.de/msg217417.html
Signed-off-by: Mario Six <mario.six@gdsys.cc>
1. Failure to set the return code correctly
2. Failure to detect the loop end condition when the value is equal to
the modulus.
Reported-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Signed-off-by: Simon Glass <sjg@chromium.org>
Remove the verified boot limitation that only allows a single
RSA public exponent of 65537 (F4). This change allows use with
existing PKI infrastructure and has been tested with HSM-based
PKI.
Change the configuration OF tree format to store the RSA public
exponent as a 64 bit integer and implement backward compatibility
for verified boot configuration trees without this extra field.
Parameterise vboot_test.sh to test different public exponents.
Mathematics and other hard work by Andrew Bott.
Tested with the following public exponents: 3, 5, 17, 257, 39981,
50457, 65537 and 4294967297.
Signed-off-by: Andrew Bott <Andrew.Bott@ipaccess.com>
Signed-off-by: Andrew Wishart <Andrew.Wishart@ipaccess.com>
Signed-off-by: Neil Piercy <Neil.Piercy@ipaccess.com>
Signed-off-by: Michael van der Westhuizen <michael@smart-africa.com>
Cc: Simon Glass <sjg@chromium.org>
The original code did not cover every case and there was a missing negative
sign in one case. Expand the coverage and fix the bug.
Signed-off-by: Simon Glass <sjg@chromium.org>
When writing values into an FDT it is possible that there will be
insufficient space. If the caller gets a useful error then it can
potentially deal with the situation.
Adjust these functions to return -ENOSPC when the FDT is full.
Signed-off-by: Simon Glass <sjg@chromium.org>
add host tool "fit_check_sign" which verifies, if a fit image is
signed correct.
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Simon Glass <sjg@chromium.org>
based on patch from andreas@oetken.name:
http://patchwork.ozlabs.org/patch/294318/
commit message:
I currently need support for rsa-sha256 signatures in u-boot and found out that
the code for signatures is not very generic. Thus adding of different
hash-algorithms for rsa-signatures is not easy to do without copy-pasting the
rsa-code. I attached a patch for how I think it could be better and included
support for rsa-sha256. This is a fast first shot.
aditionally work:
- removed checkpatch warnings
- removed compiler warnings
- rebased against current head
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: andreas@oetken.name
Cc: Simon Glass <sjg@chromium.org>
Interfaces exposed by error.h seems not to be used in rsa-sig.c, remove it.
This also fixes an compile error on OS X:
---8<---
u-boot/lib/rsa/rsa-sign.c:23:19: error: error.h: No such file or directory
--->8---
Signed-off-by: Andreas Bießmann <andreas.devel@googlemail.com>
Acked-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Tested-by: Lubomir Popov <lpopov@mm-sol.com>
RSA provides a public key encryption facility which is ideal for image
signing and verification.
Images are signed using a private key by mkimage. Then at run-time, the
images are verified using a private key.
This implementation uses openssl for the host part (mkimage). To avoid
bringing large libraries into the U-Boot binary, the RSA public key
is encoded using a simple numeric representation in the device tree.
Signed-off-by: Simon Glass <sjg@chromium.org>