From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring
Date: Thu, 21 Sep 2023 12:23:10 +0200	[thread overview]
Message-ID: <20230921102310.1108543-6-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20230921102310.1108543-1-a.fatoum@pengutronix.de>

By default, all keys generated by rsatoc and included into barebox,
whether as C code or device tree snippets are added to the single key
ring that's used for FIT image verification. Users may want to add other
keys by the same means, but not have them available to FIT image
verification.

Support this use case by adding a -s option that generates standalone
keys. These are not referenced by the key ring or by the automatic DT
parsing; the user is expected to reference them manually, either via a
global variable whose symbol name is __key_${hint} or by looking up
/signature-standalone/key-${hint}.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 scripts/Makefile.lib |  2 +-
 scripts/rsatoc.c     | 34 ++++++++++++++++++++++++++--------
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index fe77c83ba230..680dc486fd76 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -625,7 +625,7 @@ quiet_cmd_b64dec = B64DEC  $@
 # target file.
 quiet_cmd_rsa_keys = RSAKEY  $@
 cmd_rsa_keys = \
-	$(objtree)/scripts/rsatoc -o $@.tmp "$(2)" &&			\
+	$(objtree)/scripts/rsatoc -o $@.tmp "$(2)" $(3) &&		\
 	if cmp -s $@.tmp $@; then					\
 		rm $@.tmp;						\
 	else								\
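Review bot: The new optional third argument of `cmd_rsa_keys` is undocumented; the comment block above the rule (only its tail `# target file.` is inside the hunk) still describes a two-argument call. I would extend that comment with `# $(3): optional extra flags passed to rsatoc (e.g. -s for standalone keys)`, so that callers of `$(call cmd,rsa_keys,...)` know the third word is forwarded verbatim. Note that `$(3)` is deliberately unquoted, which is what lets it expand to zero or several flags; the comment should say so to keep someone from "fixing" it with quotes.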
diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index f5b0ba27f9bc..6d10dca4169c 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -18,7 +18,7 @@
 #include <openssl/evp.h>
 #include <openssl/engine.h>
 
-static int dts;
+static int dts, standalone;
 
 static int rsa_err(const char *msg)
 {
@@ -454,17 +454,24 @@ static int gen_key(const char *keyname, const char *path)
 		print_bignum(r_squared, bits);
 		fprintf(outfilep, "\n};\n\n");
 
-		fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+		if (standalone) {
+			fprintf(outfilep, "struct rsa_public_key __key_%s;\n", key_name_c);
+			fprintf(outfilep, "struct rsa_public_key __key_%s = {\n", key_name_c);
+		} else {
+			fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+		}
+
 		fprintf(outfilep, "\t.len = %d,\n", bits / 32);
 		fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
 		fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
 		fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
 		fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
 		fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
-		fprintf(outfilep, "};\n\n");
+		fprintf(outfilep, "};\n");
 
-		fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
-			key_name_c, key_name_c, key_name_c);
+		if (!standalone)
+			fprintf(outfilep, "\nstruct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
+				key_name_c, key_name_c, key_name_c);
 	}
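Review bot: The line emitted for standalone keys before the initialized definition, `struct rsa_public_key __key_%s;`, is a tentative definition rather than a declaration, which reads like an accidental duplicate; if the purpose is to give the exported symbol a prior declaration (e.g. for -Wmissing-variable-declarations), emitting `extern struct rsa_public_key __key_%s;` states that intent unambiguously. Unlike the keyring variant, which stays `static`, the standalone key becomes a writable, externally visible global holding verification material; whether it can be `const` depends on the `rsa_public_key` consumers, which are not visible here, but it is worth checking since a mutable key in a bootloader is an easy target for a write primitive. A short generated comment such as `/* standalone key: not registered in the FIT keyring, reference via extern */` above the definition would also save the consumer a trip to the commit log. gen_key begins outside this hunk.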
 
 	return 0;
@@ -478,7 +485,7 @@ int main(int argc, char *argv[])
 
 	outfilep = stdout;
 
-	while ((opt = getopt(argc, argv, "o:d")) > 0) {
+	while ((opt = getopt(argc, argv, "o:ds")) > 0) {
 		switch (opt) {
 		case 'o':
 			outfile = optarg;
@@ -486,6 +493,9 @@ int main(int argc, char *argv[])
 		case 'd':
 			dts = 1;
 			break;
+		case 's':
+			standalone = 1;
+			break;
 		}
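Review bot: The option switch has no `default:` case, so an unknown flag (getopt returns '?') is silently ignored and rsatoc keeps running as if nothing was passed; with the new `-s` flag a typo such as `-S` would quietly produce a keyring key instead of a standalone one. Since getopt already prints its own diagnostic for unknown options, a one-line `default: exit(1);` at the end of the switch is enough to turn that into a hard failure. The switch statement itself opens in the previous hunk.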
 	}
 
@@ -499,14 +509,22 @@ int main(int argc, char *argv[])
 	}
 
 	if (optind == argc) {
-		fprintf(stderr, "Usage: %s <key_name_hint>:<crt> ...\n", argv[0]);
+		fprintf(stderr, "Usage: %s [-ods]  OUTFIE<key_name_hint>:<crt> ...\n", argv[0]);
+		fprintf(stderr, "\t-o FILE\twrite output into FILE instead of stdout\n");
+		fprintf(stderr, "\t-d\tgenerate device tree snippet instead of C code\n");
+		fprintf(stderr, "\t-s\tgenerate standalone key outside FIT image keyring\n");
 		exit(1);
 	}
 
 	if (dts) {
 		fprintf(outfilep, "/dts-v1/;\n");
 		fprintf(outfilep, "/ {\n");
-		fprintf(outfilep, "\tsignature {\n");
+		if (standalone)
+			fprintf(outfilep, "\tsignature-standalone {\n");
+		else
+			fprintf(outfilep, "\tsignature {\n");
+	} else if (standalone) {
+		fprintf(outfilep, "#include <rsa.h>\n");
 	}
 
 	for (i = optind; i < argc; i++) {
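Review bot: The new usage line is wrong in two places: `OUTFIE` is a typo (and is preceded by a double space), and `[-ods]` suggests `-o` is a bare flag although the getopt string `"o:ds"` makes it take an argument. I would print `"Usage: %s [-o FILE] [-d] [-s] <key_name_hint>:<crt> ...\n"` instead, which also agrees with the per-option lines that follow it. Note that this usage is only reached when no positional argument is given, so a bad flag combination with arguments present never shows it.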
-- 
2.39.2




2023-09-21 10:23 [PATCH 0/5] rsatoc: make useful for standalone RSA keys Ahmad Fatoum
2023-09-21 10:23 ` [PATCH 1/5] rsa: escape pkcs11 string passed to RSA command Ahmad Fatoum
2023-09-21 10:23 ` [PATCH 2/5] scripts: allow user to build rsatoc if COMPILE_HOST_TOOLS Ahmad Fatoum
2023-09-21 10:23 ` [PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format Ahmad Fatoum
2023-09-21 10:23 ` [PATCH 4/5] rsa: fix typos and missing type definitions Ahmad Fatoum
2023-09-21 10:23 ` Ahmad Fatoum [this message]
2023-09-21 12:32 ` [PATCH 0/5] rsatoc: make useful for standalone RSA keys Sascha Hauer
