mirror of
https://source.denx.de/u-boot/u-boot.git
synced 2025-12-19 00:11:30 +01:00
62e89de769
Quentin Schulz <foss+uboot@0leil.net> says: While historically signature verification is mostly done for FIT such FIT_SIGNATURE dependency for signature algorithm makes sense, it isn't the only kind of file we can verify signatures of. It can also be done manually with rsa_verify_hash() with an embedded public key. Considering the impacted code is guarded by RSA_VERIFY, let's make the symbol depend on that otherwise selecting it without RSA_VERIFY won't do anything. The FIT_SIGNATURE dependency wasn't also enough before as it only implied RSA_VERIFY. Then, simply relocate the RSA SSA PSS padding with the other RSA symbols in lib/rsa instead of in boot/ and rename it to remove the mention to FIT. Finally, add the PSS padding wherever PKCS1.5 padding is specified as one or the other can be used. Link: https://lore.kernel.org/r/20251031-rsa-pss-always-v2-0-a29184ea064d@cherry.de
108 lines
3.7 KiB
Plaintext
108 lines
3.7 KiB
Plaintext
config RSA
|
|
bool "Use RSA Library"
|
|
select RSA_FREESCALE_EXP if FSL_CAAM && !ARCH_MX7 && !ARCH_MX7ULP && !ARCH_MX6 && !ARCH_MX5
|
|
select RSA_ASPEED_EXP if ASPEED_ACRY
|
|
select RSA_SOFTWARE_EXP if !RSA_FREESCALE_EXP && !RSA_ASPEED_EXP
|
|
help
|
|
RSA support. This enables the RSA algorithm used for FIT image
|
|
verification in U-Boot.
|
|
See doc/uImage.FIT/signature.txt for more details.
|
|
The Modular Exponentiation algorithm in RSA is implemented using
|
|
driver model. So CONFIG_DM needs to be enabled by default for this
|
|
library to function.
|
|
The signing part is build into mkimage regardless of this
|
|
option. The software based modular exponentiation is built into
|
|
mkimage irrespective of this option.
|
|
|
|
if RSA
|
|
|
|
config SPL_RSA
|
|
bool "Use RSA Library within SPL"
|
|
depends on SPL
|
|
|
|
config SPL_RSA_VERIFY
|
|
bool
|
|
depends on SPL_RSA
|
|
help
|
|
Add RSA signature verification support in SPL.
|
|
|
|
config RSA_VERIFY
|
|
bool
|
|
help
|
|
Add RSA signature verification support.
|
|
|
|
config RSA_VERIFY_WITH_PKEY
|
|
bool "Execute RSA verification without key parameters from FDT"
|
|
select RSA_VERIFY
|
|
select ASYMMETRIC_KEY_TYPE
|
|
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
select RSA_PUBLIC_KEY_PARSER
|
|
help
|
|
The standard RSA-signature verification code (FIT_SIGNATURE) uses
|
|
pre-calculated key properties, that are stored in fdt blob, in
|
|
decrypting a signature.
|
|
This does not suit the use case where there is no way defined to
|
|
provide such additional key properties in standardized form,
|
|
particularly UEFI secure boot.
|
|
This option enables RSA signature verification with a public key
|
|
directly specified in image_sign_info, where all the necessary
|
|
key properties will be calculated on the fly in verification code.
|
|
|
|
config SPL_RSA_VERIFY_WITH_PKEY
|
|
bool "Execute RSA verification without key parameters from FDT within SPL"
|
|
depends on SPL
|
|
select SPL_RSA_VERIFY
|
|
select SPL_ASYMMETRIC_KEY_TYPE
|
|
select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
select SPL_RSA_PUBLIC_KEY_PARSER
|
|
help
|
|
The standard RSA-signature verification code (FIT_SIGNATURE) uses
|
|
pre-calculated key properties, that are stored in fdt blob, in
|
|
decrypting a signature.
|
|
This does not suit the use case where there is no way defined to
|
|
provide such additional key properties in standardized form,
|
|
particularly UEFI secure boot.
|
|
This option enables RSA signature verification with a public key
|
|
directly specified in image_sign_info, where all the necessary
|
|
key properties will be calculated on the fly in verification code
|
|
in the SPL.
|
|
|
|
config RSASSA_PSS
|
|
bool "Support rsassa-pss signature scheme"
|
|
depends on RSA_VERIFY
|
|
help
|
|
Enable this to support the pss padding algorithm as described
|
|
in the rfc8017 (https://tools.ietf.org/html/rfc8017).
|
|
|
|
config SPL_RSASSA_PSS
|
|
bool "Support rsassa-pss signature scheme within SPL"
|
|
depends on SPL_RSA_VERIFY
|
|
help
|
|
Enable this to support the pss padding algorithm as described
|
|
in the rfc8017 (https://tools.ietf.org/html/rfc8017) within SPL.
|
|
|
|
config RSA_SOFTWARE_EXP
|
|
bool "Enable driver for RSA Modular Exponentiation in software"
|
|
depends on DM
|
|
help
|
|
Enables driver for modular exponentiation in software. This is a RSA
|
|
algorithm used in FIT image verification. It required RSA Key as
|
|
input.
|
|
See doc/uImage.FIT/signature.txt for more details.
|
|
|
|
config RSA_FREESCALE_EXP
|
|
bool "Enable RSA Modular Exponentiation with FSL crypto accelerator"
|
|
depends on DM && FSL_CAAM && !ARCH_MX7 && !ARCH_MX7ULP && !ARCH_MX6 && !ARCH_MX5
|
|
help
|
|
Enables driver for RSA modular exponentiation using Freescale cryptographic
|
|
accelerator - CAAM.
|
|
|
|
config RSA_ASPEED_EXP
|
|
bool "Enable RSA Modular Exponentiation with ASPEED crypto accelerator"
|
|
depends on DM && ASPEED_ACRY
|
|
help
|
|
Enables driver for RSA modular exponentiation using ASPEED cryptographic
|
|
accelerator - ACRY
|
|
|
|
endif
|