From: Jonas Rebmann <jre@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Jonas Rebmann <jre@pengutronix.de>
Subject: [PATCH 02/15] crypto: Add support for keyrings
Date: Tue, 14 Oct 2025 13:02:53 +0200 [thread overview]
Message-ID: <20251014-tlv-signature-v1-2-7a8aaf95081c@pengutronix.de> (raw)
In-Reply-To: <20251014-tlv-signature-v1-0-7a8aaf95081c@pengutronix.de>
Public keys for TLV verification will be handled with the mechanism used
in the existing fitimage verification where scripts/keytoc.c generates
public_keys.h based on CONFIG_CRYPTO_PUBLIC_KEYS.
Expand the existing keyspec parser to support a new syntax of
keyring=<keyring>[,fit-hint=<fit_hint>]:<crt>
in addition to the legacy syntax of
[<fit_hint>:]<crt>
With the new keyspec parsing, keyring name and fit hint need to confirm
to the regular expression
[a-zA-Z][a-zA-Z0-9_-]*
For backwards compatibility, the old syntax stays supported with the
keyring defaulting to "fit" and a warning emitted.
Note however that the restriction of fit name hints to above regex
applies even when supplied in the legacy syntax.
To be able to error out when encountering an invalid keyspec, some
refactoring of keytoc.c was necessary.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
crypto/public-keys.c | 2 +
include/crypto/public_key.h | 1 +
scripts/keytoc.c | 186 +++++++++++++++++++++++++++++++++-----------
3 files changed, 145 insertions(+), 44 deletions(-)
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index 8884e263b3..a870ec5438 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -46,6 +46,8 @@ static struct public_key *public_key_dup(const struct public_key *key)
k->type = key->type;
if (key->key_name_hint)
k->key_name_hint = xstrdup(key->key_name_hint);
+ if (key->keyring)
+ k->keyring = xstrdup(key->keyring);
k->hash = xmemdup(key->hash, key->hashlen);
k->hashlen = key->hashlen;
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 7edea2d691..c9dd38cc33 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,7 @@ struct public_key {
enum public_key_type type;
struct list_head list;
char *key_name_hint;
+ char *keyring;
unsigned char *hash;
unsigned int hashlen;
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 074af6f0b4..a2b508bf49 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -25,6 +25,15 @@
#include <openssl/param_build.h>
#include <openssl/store.h>
+#include <stdbool.h>
+#include <ctype.h>
+
+struct keyinfo {
+ char *keyname;
+ char *keyring;
+ char *path;
+};
+
static int dts, standalone;
static void enomem_exit(const char *func)
@@ -491,7 +500,7 @@ static int print_hash(EVP_PKEY *key)
return ret ? -EINVAL : 0;
}
-static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_name_c)
+static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *keyring, const char *key_name_c)
{
char group[128];
size_t outlen;
@@ -553,6 +562,7 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
fprintf(outfilep, "\nstatic struct public_key %s_public_key = {\n", key_name_c);
fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_ECDSA,\n");
fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+ fprintf(outfilep, "\t.keyring = \"%s\",\n", keyring);
fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
fprintf(outfilep, "\t.ecdsa = &%s,\n", key_name_c);
@@ -565,9 +575,9 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na
return 0;
}
-static const char *try_resolve_env(const char *input)
+static char *try_resolve_env(char *input)
{
- const char *var;
+ char *var;
if (strncmp(input, "__ENV__", 7))
return input;
@@ -583,7 +593,7 @@ static const char *try_resolve_env(const char *input)
return var;
}
-static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name_c)
+static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *keyring, const char *key_name_c)
{
BIGNUM *modulus, *r_squared;
uint64_t exponent = 0;
@@ -659,6 +669,7 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
fprintf(outfilep, "\nstatic struct public_key %s_public_key = {\n", key_name_c);
fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_RSA,\n");
fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name);
+ fprintf(outfilep, "\t.keyring = \"%s\",\n", keyring);
fprintf(outfilep, "\t.hash = %s_hash,\n", key_name_c);
fprintf(outfilep, "\t.hashlen = %u,\n", SHA256_DIGEST_LENGTH);
fprintf(outfilep, "\t.rsa = &%s,\n", key_name_c);
@@ -671,18 +682,18 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name
return 0;
}
-static int gen_key(const char *keyname, const char *path)
+static int gen_key(struct keyinfo *info)
{
int ret;
EVP_PKEY *key;
char *tmp, *key_name_c;
/* key name handling */
- keyname = try_resolve_env(keyname);
- if (!keyname)
+ info->keyname = try_resolve_env(info->keyname);
+ if (!info->keyname)
exit(1);
- tmp = key_name_c = strdup(keyname);
+ tmp = key_name_c = strdup(info->keyname);
while (*tmp) {
if (*tmp == '-')
@@ -691,32 +702,104 @@ static int gen_key(const char *keyname, const char *path)
}
/* path/URI handling */
- path = try_resolve_env(path);
- if (!path)
+ info->path = try_resolve_env(info->path);
+ if (!info->path)
exit(1);
- if (!strncmp(path, "pkcs11:", 7)) {
- ret = engine_get_pub_key(path, &key);
+ if (!strncmp(info->path, "pkcs11:", 7)) {
+ ret = engine_get_pub_key(info->path, &key);
if (ret)
exit(1);
} else {
- ret = pem_get_pub_key(path, &key);
+ ret = pem_get_pub_key(info->path, &key);
if (ret)
exit(1);
}
/* generate built-in keys */
- ret = gen_key_ecdsa(key, keyname, key_name_c);
+ ret = gen_key_ecdsa(key, info->keyname, info->keyring, key_name_c);
if (ret == -EOPNOTSUPP)
return ret;
if (ret)
- ret = gen_key_rsa(key, keyname, key_name_c);
+ ret = gen_key_rsa(key, info->keyname, info->keyring, key_name_c);
return ret;
}
-static void get_name_path(const char *keyspec, char **keyname, char **path)
+static bool is_identifier(char **s)
+{
+ char *p = *s;
+
+ /* [a-zA-Z] */
+ if (!isalpha(*p))
+ return false;
+ p++;
+
+ /* [a-zA-Z0-9_-]* */
+ while (isalnum(*p) || *p == '_' || *p == '-')
+ p++;
+
+ *s = p;
+ return true;
+}
+
+static bool parse_info(char *p, struct keyinfo *out)
+{
+ char *k = p;
+ char *v;
+
+ if (*p == '\0') /* spec starts with colon. This is valid. */
+ return true;
+
+ if (!is_identifier(&p))
+ return false;
+
+ if (*p == '\0') {
+ out->keyname = strdup(k);
+ if (!k)
+ enomem_exit(__func__);
+ return true; /* legacy syntax */
+ }
+
+ /* new syntax: `<k>=<v>[,k=v[...]]` */
+ for (;;) {
+ if (*p != '=')
+ return false;
+ *p = '\0';
+
+ p++;
+ /* read `<k>=`, excepting <v> */
+ v = p;
+ if (!is_identifier(&p))
+ return false;
+
+ if (*p == '\0' || *p == ',') {
+ char d = *p;
+ *p = '\0';
+ v = strdup(v);
+ if (!v)
+ enomem_exit(__func__);
+ if (strcmp(k, "keyring") == 0)
+ out->keyring = strdup(v);
+ else if (strcmp(k, "hint") == 0)
+ out->keyname = strdup(v);
+ else
+ return false;
+
+ if (d == '\0')
+ return true;
+ } else {
+ return false;
+ }
+ p++;
+ k = p;
+ if (!is_identifier(&p))
+ return true;
+ }
+}
+
+static bool get_name_path(const char *keyspec, struct keyinfo *out)
{
char *sep, *spec;
@@ -724,24 +807,24 @@ static void get_name_path(const char *keyspec, char **keyname, char **path)
if (!spec)
enomem_exit(__func__);
- /* Split <key-hint>:<key-path> pair, <key-hint> is optional */
sep = strchr(spec, ':');
if (!sep) {
- *path = spec;
- return;
+ out->path = spec;
+ return true;
}
*sep = 0;
- *keyname = strdup(spec);
- if (!*keyname)
- enomem_exit(__func__);
-
+ if (!parse_info(spec, out)) {
+ free(spec);
+ return false;
+ }
sep++;
- *path = strdup(sep);
- if (!*path)
+ out->path = strdup(sep);
+ if (!out->path)
enomem_exit(__func__);
free(spec);
+ return true;
}
int main(int argc, char *argv[])
@@ -749,6 +832,8 @@ int main(int argc, char *argv[])
int i, opt, ret;
char *outfile = NULL;
int keynum = 1;
+ int keycount;
+ struct keyinfo *keylist;
outfilep = stdout;
@@ -776,13 +861,33 @@ int main(int argc, char *argv[])
}
if (optind == argc) {
- fprintf(stderr, "Usage: %s [-ods] <key_name_hint>:<crt> ...\n", argv[0]);
+ fprintf(stderr, "Usage: %s [-ods] keyring=<keyring>,hint=<hint>:<crt> ...\n", argv[0]);
fprintf(stderr, "\t-o FILE\twrite output into FILE instead of stdout\n");
fprintf(stderr, "\t-d\tgenerate device tree snippet instead of C code\n");
fprintf(stderr, "\t-s\tgenerate standalone key outside FIT image keyring\n");
exit(1);
}
+ keycount = argc - optind;
+ keylist = calloc(sizeof(struct keyinfo), keycount);
+
+ for (i = 0; i < keycount; i++) {
+ const char *keyspec = argv[optind + i];
+ struct keyinfo *info = &keylist[i];
+
+ if (!keyspec)
+ exit(1);
+
+ if (!strncmp(keyspec, "pkcs11:", 7)) { // legacy format of pkcs11 URI
+ info->path = strdup(keyspec);
+ } else {
+ if (!get_name_path(keyspec, info)) {
+ fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
+ exit(1);
+ }
+ }
+ }
+
if (dts) {
fprintf(outfilep, "/dts-v1/;\n");
fprintf(outfilep, "/ {\n");
@@ -795,32 +900,24 @@ int main(int argc, char *argv[])
fprintf(outfilep, "#include <crypto/rsa.h>\n");
}
- for (i = optind; i < argc; i++) {
- const char *keyspec = argv[i];
- char *keyname = NULL;
- char *path = NULL;
-
- keyspec = try_resolve_env(keyspec);
- if (!keyspec)
- exit(1);
- if (!strncmp(keyspec, "pkcs11:", 7))
- path = strdup(keyspec);
- else
- get_name_path(keyspec, &keyname, &path);
+ for (i = 0; i < keycount; i++) {
+ struct keyinfo *info = &keylist[i];
- if (!keyname) {
- ret = asprintf(&keyname, "key_%d", keynum++);
+ if (!info->keyname) {
+ ret = asprintf(&info->keyname, "key_%d", keynum++);
if (ret < 0)
enomem_exit("asprintf");
}
- ret = gen_key(keyname, path);
+ if (!info->keyring) {
+ info->keyring = strdup("fit");
+ fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", argv[optind + i]);
+ }
+
+ ret = gen_key(info);
if (ret)
exit(1);
-
- free(keyname);
- free(path);
}
if (dts) {
@@ -828,5 +925,6 @@ int main(int argc, char *argv[])
fprintf(outfilep, "};\n");
}
+ /* all keyinfo fields freed on exit */
exit(0);
}
--
2.51.0.297.gca2559c1d6
next prev parent reply other threads:[~2025-10-14 11:03 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-14 11:02 [PATCH 00/15] TLV-Signature and keyrings Jonas Rebmann
2025-10-14 11:02 ` [PATCH 01/15] common: clean up TLV code Jonas Rebmann
2025-10-14 11:02 ` Jonas Rebmann [this message]
2025-10-14 11:02 ` [PATCH 03/15] fit: only accept keys from "fit"-keyring Jonas Rebmann
2025-10-14 11:02 ` [PATCH 04/15] crypto: keytoc: Rename "hint" to "fit-hint" and do not use it in identifiers Jonas Rebmann
2025-10-15 10:15 ` Jonas Rebmann
2025-10-14 11:02 ` [PATCH 05/15] commands: keys: update output format to include keyring Jonas Rebmann
2025-10-14 11:02 ` [PATCH 06/15] commands: tlv: Error out on invalid TLVs Jonas Rebmann
2025-10-14 11:02 ` [PATCH 07/15] scripts: bareboxtlv-generator: Implement signature Jonas Rebmann
2025-10-14 11:02 ` [PATCH 08/15] scripts: bareboxtlv-generator: Increase max_size in example schema Jonas Rebmann
2025-10-14 11:03 ` [PATCH 09/15] common: tlv: Add TLV-Signature support Jonas Rebmann
2025-10-17 9:08 ` Jonas Rebmann
2025-10-14 11:03 ` [PATCH 10/15] common: tlv: default decoder for signed TLV Jonas Rebmann
2025-10-14 11:03 ` [PATCH 11/15] crypto: Use "development" keys for "fit" and "tlv" keyring Jonas Rebmann
2025-10-14 11:03 ` [PATCH 12/15] test: py: add signature to TLV integration tests Jonas Rebmann
2025-10-14 11:03 ` [PATCH 13/15] ci: pytest: Add kconfig fragment for TLV signature " Jonas Rebmann
2025-10-14 11:03 ` [PATCH 14/15] doc/barebox-tlv: Update documentation regarding TLV-Signature Jonas Rebmann
2025-10-15 10:20 ` Jonas Rebmann
2025-10-14 11:03 ` [PATCH 15/15] Documentation: migration-2025.11.0: List changes to CONFIG_CRYPTO_PUBLIC_KEYS Jonas Rebmann
2025-10-15 14:34 ` Jonas Rebmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251014-tlv-signature-v1-2-7a8aaf95081c@pengutronix.de \
--to=jre@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox