* [PATCH 0/5] rsatoc: make useful for standalone RSA keys @ 2023-09-21 10:23 Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command Ahmad Fatoum ` (5 more replies) 0 siblings, 6 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox Standalone RSA public keys are those that aren't part of the default keyring used for FIT verification. This can be useful if barebox is to do board-specific RSA verification of e.g. unlock tokens. This series lays first ground work. Ahmad Fatoum (4): scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS rsatoc: support extracting RSA public key from X.509 SPKI format rsa: fix typos and missing type definitions rsatoc: support generating standalone keys unreferenced by FIT keyring Rouven Czerwinski (1): rsa: escape pkcs11 string passed to RSA command -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum @ 2023-09-21 10:23 ` Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 2/5] scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS Ahmad Fatoum ` (4 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox From: Rouven Czerwinski <r.czerwinski@pengutronix.de> Escape the pkcs11 string that can be passed to the rsatoc script. Otherwise the sh -c invocation for commands will interpret the pkcs11 URI semicolon separator as the end of the command. Fixes: b39100bcea12 ("rsa: Allow to directly compile in rsa public keys") Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> Link: https://lore.barebox.org/20230719134630.174215-1-r.czerwinski@pengutronix.de Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> --- scripts/Makefile.lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index f04c09f9e280..fe77c83ba230 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -625,7 +625,7 @@ quiet_cmd_b64dec = B64DEC $@ # target file. quiet_cmd_rsa_keys = RSAKEY $@ cmd_rsa_keys = \ - $(objtree)/scripts/rsatoc -o $@.tmp $(2) && \ + $(objtree)/scripts/rsatoc -o $@.tmp "$(2)" && \ if cmp -s $@.tmp $@; then \ rm $@.tmp; \ else \ -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/5] scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command Ahmad Fatoum @ 2023-09-21 10:23 ` Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format Ahmad Fatoum ` (3 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox; +Cc: Ahmad Fatoum rsatoc is automatically built if CONFIG_CRYPTO_RSA_BUILTIN_KEYS=y. For testing, it can be useful to build the tool standalone, so add an option to do just that. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- crypto/Kconfig | 1 + scripts/Kconfig | 7 +++++++ scripts/Makefile | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/crypto/Kconfig b/crypto/Kconfig index 04e5ef43705b..4ad7bd844fa1 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -121,6 +121,7 @@ config CRYPTO_RSA config CRYPTO_RSA_BUILTIN_KEYS bool default y if CRYPTO_RSA_KEY != "" + select RSATOC config CRYPTO_RSA_KEY depends on CRYPTO_RSA diff --git a/scripts/Kconfig b/scripts/Kconfig index 26c6a3c19806..9be04fa7c8bf 100644 --- a/scripts/Kconfig +++ b/scripts/Kconfig @@ -110,6 +110,13 @@ config QOICONV help This enable converting png to qoi images to generate boot logo. +config RSATOC + bool "RSA to C converter" if COMPILE_HOST_TOOLS + help + This utility converts RSA keys in PEM format to either C or + device tree snippets. This requires OpenSSL on the build host + and will be selected by the build system if required. + endmenu menu "Target Tools" diff --git a/scripts/Makefile b/scripts/Makefile index 75dc5926c057..0a56401fac52 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -11,7 +11,7 @@ hostprogs-always-y += bareboxenv hostprogs-always-y += bareboxcrc32 hostprogs-always-y += kernel-install hostprogs-always-$(CONFIG_QOICONV) += qoiconv -hostprogs-always-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsatoc +hostprogs-always-$(CONFIG_RSATOC) += rsatoc HOSTCFLAGS_rsatoc.o = `$(PKG_CONFIG) --cflags openssl` HOSTLDLIBS_rsatoc = `$(PKG_CONFIG) --libs openssl` hostprogs-always-$(CONFIG_IMD) += bareboximd -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 2/5] scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS Ahmad Fatoum @ 2023-09-21 10:23 ` Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 4/5] rsa: fix typos and missing type definitions Ahmad Fatoum ` (2 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox; +Cc: Ahmad Fatoum In addition to PKCS#11 URIs, rsatoc supports extracting RSA public keys out of x.509 PEM certificats, which is a base64-encoded format that begins with the header `-----BEGIN CERTIFICATE-----'. Another popular format for RSA public keys is the X.509 SPKI format, which starts with the header `-----BEGIN PUBLIC KEY-----'. As public keys are the only thing rsatoc is interested in, add support for the latter as well. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- scripts/rsatoc.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c index d7f6dad7f01e..f5b0ba27f9bc 100644 --- a/scripts/rsatoc.c +++ b/scripts/rsatoc.c @@ -58,17 +58,21 @@ static int rsa_pem_get_pub_key(const char *path, RSA **rsap) /* Read the certificate */ cert = NULL; if (!PEM_read_X509(f, &cert, NULL, NULL)) { - rsa_err("Couldn't read certificate"); - ret = -EINVAL; - goto err_cert; - } - - /* Get the public key from the certificate. */ - key = X509_get_pubkey(cert); - if (!key) { - rsa_err("Couldn't read public key\n"); - ret = -EINVAL; - goto err_pubkey; + rewind(f); + key = PEM_read_PUBKEY(f, NULL, NULL, NULL); + if (!key) { + rsa_err("Couldn't read certificate"); + ret = -EINVAL; + goto err_cert; + } + } else { + /* Get the public key from the certificate. */ + key = X509_get_pubkey(cert); + if (!key) { + rsa_err("Couldn't read public key\n"); + ret = -EINVAL; + goto err_pubkey; + } } /* Convert to a RSA_style key. */ -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 4/5] rsa: fix typos and missing type definitions 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum ` (2 preceding siblings ...) 2023-09-21 10:23 ` [PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format Ahmad Fatoum @ 2023-09-21 10:23 ` Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring Ahmad Fatoum 2023-09-21 12:32 ` [PATCH 0/5] rsatoc: make useful for standalone RSA keys Sascha Hauer 5 siblings, 0 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox; +Cc: Ahmad Fatoum Including <rsa.h> as first header shows some that some includes are missing and looking into the file, the kerneldoc comment is out of date. Fix both. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- include/rsa.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/rsa.h b/include/rsa.h index 650fb234f263..f1e3c1b6c366 100644 --- a/include/rsa.h +++ b/include/rsa.h @@ -12,6 +12,7 @@ #ifndef _RSA_H #define _RSA_H +#include <linux/types.h> #include <errno.h> #include <digest.h> @@ -38,10 +39,10 @@ struct rsa_public_key { * Verify a RSA PKCS1.5 signature against an expected hash. * * @info: Specifies key and FIT information - * @data: Pointer to the input data - * @data_len: Data length * @sig: Signature * @sig_len: Number of bytes in signature + * @hash: hash over payload + * @algo: hashing algo * @return 0 if verified, -ve on error */ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig, @@ -51,6 +52,8 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig, /* This is the maximum signature length that we support, in bits */ #define RSA_MAX_SIG_BITS 4096 +struct device_node; + struct rsa_public_key *rsa_of_read_key(struct device_node *node); void rsa_key_free(struct rsa_public_key *key); const struct rsa_public_key *rsa_get_key(const char *name); -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum ` (3 preceding siblings ...) 2023-09-21 10:23 ` [PATCH 4/5] rsa: fix typos and missing type definitions Ahmad Fatoum @ 2023-09-21 10:23 ` Ahmad Fatoum 2023-09-21 12:32 ` [PATCH 0/5] rsatoc: make useful for standalone RSA keys Sascha Hauer 5 siblings, 0 replies; 7+ messages in thread From: Ahmad Fatoum @ 2023-09-21 10:23 UTC (permalink / raw) To: barebox; +Cc: Ahmad Fatoum By default, all keys generated by rsatoc and included into barebox, whether as C code or device tree snippets are added to the single key ring that's used for FIT image verification. Users may want to add other keys by the same means, but not have them available to FIT image verification. Support this use case by adding a -s option that generates standalone keys. These are unreferenced by the key ring and automatic DT parsing and expect the user to manually reference them, either via global variable with a symbol name equal __key_${hint} or by looking into /signature-standalone/key-${hint}. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- scripts/Makefile.lib | 2 +- scripts/rsatoc.c | 34 ++++++++++++++++++++++++++-------- 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index fe77c83ba230..680dc486fd76 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -625,7 +625,7 @@ quiet_cmd_b64dec = B64DEC $@ # target file. quiet_cmd_rsa_keys = RSAKEY $@ cmd_rsa_keys = \ - $(objtree)/scripts/rsatoc -o $@.tmp "$(2)" && \ + $(objtree)/scripts/rsatoc -o $@.tmp "$(2)" $(3) && \ if cmp -s $@.tmp $@; then \ rm $@.tmp; \ else \ diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c index f5b0ba27f9bc..6d10dca4169c 100644 --- a/scripts/rsatoc.c +++ b/scripts/rsatoc.c @@ -18,7 +18,7 @@ #include <openssl/evp.h> #include <openssl/engine.h> -static int dts; +static int dts, standalone; static int rsa_err(const char *msg) { @@ -454,17 +454,24 @@ static int gen_key(const char *keyname, const char *path) print_bignum(r_squared, bits); fprintf(outfilep, "\n};\n\n"); - fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c); + if (standalone) { + fprintf(outfilep, "struct rsa_public_key __key_%s;\n", key_name_c); + fprintf(outfilep, "struct rsa_public_key __key_%s = {\n", key_name_c); + } else { + fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c); + } + fprintf(outfilep, "\t.len = %d,\n", bits / 32); fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv); fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c); fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c); fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent); fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname); - fprintf(outfilep, "};\n\n"); + fprintf(outfilep, "};\n"); - fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n", - key_name_c, key_name_c, key_name_c); + if (!standalone) + fprintf(outfilep, "\nstruct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n", + key_name_c, key_name_c, key_name_c); } return 0; @@ -478,7 +485,7 @@ int main(int argc, char *argv[]) outfilep = stdout; - while ((opt = getopt(argc, argv, "o:d")) > 0) { + while ((opt = getopt(argc, argv, "o:ds")) > 0) { switch (opt) { case 'o': outfile = optarg; @@ -486,6 +493,9 @@ int main(int argc, char *argv[]) case 'd': dts = 1; break; + case 's': + standalone = 1; + break; } } @@ -499,14 +509,22 @@ int main(int argc, char *argv[]) } if (optind == argc) { - fprintf(stderr, "Usage: %s <key_name_hint>:<crt> ...\n", argv[0]); + fprintf(stderr, "Usage: %s [-ods] OUTFIE<key_name_hint>:<crt> ...\n", argv[0]); + fprintf(stderr, "\t-o FILE\twrite output into FILE instead of stdout\n"); + fprintf(stderr, "\t-d\tgenerate device tree snippet instead of C code\n"); + fprintf(stderr, "\t-s\tgenerate standalone key outside FIT image keyring\n"); exit(1); } if (dts) { fprintf(outfilep, "/dts-v1/;\n"); fprintf(outfilep, "/ {\n"); - fprintf(outfilep, "\tsignature {\n"); + if (standalone) + fprintf(outfilep, "\tsignature-standalone {\n"); + else + fprintf(outfilep, "\tsignature {\n"); + } else if (standalone) { + fprintf(outfilep, "#include <rsa.h>\n"); } for (i = optind; i < argc; i++) { -- 2.39.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/5] rsatoc: make useful for standalone RSA keys 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum ` (4 preceding siblings ...) 2023-09-21 10:23 ` [PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring Ahmad Fatoum @ 2023-09-21 12:32 ` Sascha Hauer 5 siblings, 0 replies; 7+ messages in thread From: Sascha Hauer @ 2023-09-21 12:32 UTC (permalink / raw) To: Ahmad Fatoum; +Cc: barebox On Thu, Sep 21, 2023 at 12:23:05PM +0200, Ahmad Fatoum wrote: > Standalone RSA public keys are those that aren't part of the default > keyring used for FIT verification. This can be useful if barebox is to > do board-specific RSA verification of e.g. unlock tokens. > > This series lays first ground work. > > Ahmad Fatoum (4): > scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS > rsatoc: support extracting RSA public key from X.509 SPKI format > rsa: fix typos and missing type definitions > rsatoc: support generating standalone keys unreferenced by FIT keyring > > Rouven Czerwinski (1): > rsa: escape pkcs11 string passed to RSA command Applied, thanks Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-09-21 12:33 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 2/5] scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 4/5] rsa: fix typos and missing type definitions Ahmad Fatoum 2023-09-21 10:23 ` [PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring Ahmad Fatoum 2023-09-21 12:32 ` [PATCH 0/5] rsatoc: make useful for standalone RSA keys Sascha Hauer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox