rsa: adds rsa3072 algorithm

Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.

Add test case in vboot for sha384 with rsa3072 algorithm testing.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 19cde8739738089ee7060d88b8c20fd042a39ec9..d0886b7071f135ddf54e21cfc5b251201dfffd36 100644 (file)
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -312,3 +312,4 @@ CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
+CONFIG_SHA384=y

diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 01b480d0f3ed887abcb30dff1abd2bd4e49a5dc4..b9634e38d9a92eb3f025483d2f2930c124e1d6ea 100644 (file)
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -111,6 +111,7 @@ int padding_pss_verify(struct image_sign_info *info,
 #define RSA_DEFAULT_PADDING_NAME               "pkcs-1.5"
 
 #define RSA2048_BYTES  (2048 / 8)
+#define RSA3072_BYTES  (3072 / 8)
 #define RSA4096_BYTES  (4096 / 8)
 
 /* This is the minimum/maximum key size we support, in bits */

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 32c7507024b85725c3e48541c994e7e25c912ed2..112664059c9f15466f5ad61d4c703ef383e3b3fa 100644 (file)
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -595,6 +595,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
        .verify = rsa_verify,
 };
 
+U_BOOT_CRYPTO_ALGO(rsa3072) = {
+       .name = "rsa3072",
+       .key_len = RSA3072_BYTES,
+       .verify = rsa_verify,
+};
+
 U_BOOT_CRYPTO_ALGO(rsa4096) = {
        .name = "rsa4096",
        .key_len = RSA4096_BYTES,

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 095e00cce36511fcb50ac9a440c95aa77c328b1a..b080d482af91b56a064c3d38adbba88b169f338c 100644 (file)
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@ TESTDATA = [
     ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
     ['sha256-pss-required', 'sha256', '-pss', None, True, False],
     ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+    ['sha384-basic', 'sha384', '', None, False, False],
+    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
 ]
 
 @pytest.mark.boardspec('sandbox')
@@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
             name: Name of of the key (e.g. 'dev')
         """
         public_exponent = 65537
+
+        if sha_algo == "sha384":
+            rsa_keygen_bits = 3072
+        else:
+            rsa_keygen_bits = 2048
+
         util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
-                     '-pkeyopt rsa_keygen_bits:2048 '
+                     '-pkeyopt rsa_keygen_bits:%d '
                      '-pkeyopt rsa_keygen_pubexp:%d' %
-                     (tmpdir, name, public_exponent))
+                     (tmpdir, name, rsa_keygen_bits, public_exponent))
 
         # Create a certificate containing the public key
         util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '

diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
new file mode 100644 (file)
index 0000000..2869401
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha384.its
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+       description = "Chrome OS kernel image with one or more FDT blobs";
+       #address-cells = <1>;
+
+       images {
+               kernel {
+                       data = /incbin/("test-kernel.bin");
+                       type = "kernel_noload";
+                       arch = "sandbox";
+                       os = "linux";
+                       compression = "none";
+                       load = <0x4>;
+                       entry = <0x8>;
+                       kernel-version = <1>;
+                       hash-1 {
+                               algo = "sha384";
+                       };
+               };
+               fdt-1 {
+                       description = "snow";
+                       data = /incbin/("sandbox-kernel.dtb");
+                       type = "flat_dt";
+                       arch = "sandbox";
+                       compression = "none";
+                       fdt-version = <1>;
+                       hash-1 {
+                               algo = "sha384";
+                       };
+               };
+       };
+       configurations {
+               default = "conf-1";
+               conf-1 {
+                       kernel = "kernel";
+                       fdt = "fdt-1";
+                       signature {
+                               algo = "sha384,rsa3072";
+                               key-name-hint = "dev";
+                               sign-images = "fdt", "kernel";
+                       };
+               };
+       };
+};

diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
new file mode 100644 (file)
index 0000000..be1a9a6
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha384.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+       description = "Chrome OS kernel image with one or more FDT blobs";
+       #address-cells = <1>;
+
+       images {
+               kernel {
+                       data = /incbin/("test-kernel.bin");
+                       type = "kernel_noload";
+                       arch = "sandbox";
+                       os = "linux";
+                       compression = "none";
+                       load = <0x4>;
+                       entry = <0x8>;
+                       kernel-version = <1>;
+                       signature {
+                               algo = "sha384,rsa3072";
+                               key-name-hint = "dev";
+                       };
+               };
+               fdt-1 {
+                       description = "snow";
+                       data = /incbin/("sandbox-kernel.dtb");
+                       type = "flat_dt";
+                       arch = "sandbox";
+                       compression = "none";
+                       fdt-version = <1>;
+                       signature {
+                               algo = "sha384,rsa3072";
+                               key-name-hint = "dev";
+                       };
+               };
+       };
+       configurations {
+               default = "conf-1";
+               conf-1 {
+                       kernel = "kernel";
+                       fdt = "fdt-1";
+               };
+       };
+};

diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
index 8ed6998dab04c138210922ef72302c3a2bc7be69..d0133aec4c819cfb030ef296b0c509bbc9e3cf8e 100644 (file)
--- a/tools/image-sig-host.c
+++ b/tools/image-sig-host.c
@@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
                .add_verify_data = rsa_add_verify_data,
                .verify = rsa_verify,
        },
+       {
+               .name = "rsa3072",
+               .key_len = RSA3072_BYTES,
+               .sign = rsa_sign,
+               .add_verify_data = rsa_add_verify_data,
+               .verify = rsa_verify,
+       },
        {
                .name = "rsa4096",
                .key_len = RSA4096_BYTES,