From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 13 Sep 2024 09:07:11 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1sp0Oe-0042Dm-0f for lore@lore.pengutronix.de; Fri, 13 Sep 2024 09:07:11 +0200 Received: from bombadil.infradead.org ([2607:7c80:54:3::133]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1sp0Oc-0005no-Id for lore@pengutronix.de; Fri, 13 Sep 2024 09:07:11 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=938DGtJGfN8nlIG1scIucJXgU2lsDZSJudgzVW3HQP4=; b=cvCQ8SFTVzDu+1fT25ul3XkzQK r7UEuIwMrWOy3+V8zCMXkFzLDflvMgrRacS6NRT+ks9tzlvnq4MC4Pd4Eouq4kX3XlwdQNg2Pca+X 9tc/6AOcdOgarm/KR0XsO0aAuF7kbEE8L2xeUiWcL8ltiO2TM3+6w1OU6AERLoK+OdmJU0Y5W+3iQ iu3FXEbvPS+As51tfkzFGjr1rdaykRaX8gx4DZ1dvHT3bHlqAFQbknPk0tw0M1lVH9pl6yJv3xl6Y tgbhC+p1URtSaFCtWunBDNKYPI3X4PjofJP+P8/ZOzU78GJ4OOfzpLfAcxwvK6qgD27dF5gE+FNpM 9GNk9xPA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1sp0OA-0000000F7Vs-0GMO; Fri, 13 Sep 2024 07:06:42 +0000 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1sp0O6-0000000F7V8-1Z9t for barebox@lists.infradead.org; Fri, 13 Sep 2024 07:06:40 +0000 Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1sp0O4-0005bf-VA; Fri, 13 Sep 2024 09:06:36 +0200 Received: from [2a0a:edc0:2:b01:1d::c5] (helo=pty.whiteo.stw.pengutronix.de) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sp0O4-007ZFb-IQ; Fri, 13 Sep 2024 09:06:36 +0200 Received: from sha by pty.whiteo.stw.pengutronix.de with local (Exim 4.96) (envelope-from ) id 1sp0O4-005f1x-1X; Fri, 13 Sep 2024 09:06:36 +0200 Date: Fri, 13 Sep 2024 09:06:36 +0200 From: Sascha Hauer To: Ahmad Fatoum Cc: Barebox List Message-ID: References: <20240906104028.2187872-1-s.hauer@pengutronix.de> <20240906104028.2187872-9-s.hauer@pengutronix.de> <434fa007-ee38-4757-8221-4a4319552cb6@pengutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <434fa007-ee38-4757-8221-4a4319552cb6@pengutronix.de> X-Sent-From: Pengutronix Hildesheim X-URL: http://www.pengutronix.de/ X-Accept-Language: de,en X-Accept-Content-Type: text/plain X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240913_000638_724621_84D00B18 X-CRM114-Status: GOOD ( 35.79 ) X-BeenThere: barebox@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "barebox" X-SA-Exim-Connect-IP: 2607:7c80:54:3::133 X-SA-Exim-Mail-From: barebox-bounces+lore=pengutronix.de@lists.infradead.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.whiteo.stw.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-5.2 required=4.0 tests=AWL,BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.2 Subject: Re: [PATCH v3 08/15] crypto: rsa: encapsulate rsa keys in public keys struct X-SA-Exim-Version: 4.2.1 (built Wed, 08 May 2019 21:11:16 +0000) X-SA-Exim-Scanned: Yes (on metis.whiteo.stw.pengutronix.de) On Wed, Sep 11, 2024 at 10:33:41AM +0200, Ahmad Fatoum wrote: > On 06.09.24 12:40, Sascha Hauer wrote: > > This encapsulates struct rsa_public_key into a struct public_key. So far > > RSA keys are the only supported key type. With adding ECDSA keys we need > > a container struct so that we can add ECDSA keys using the same > > mechanisms. > > > > Also we rename CONFIG_CRYPTO_RSA_KEY to CONFIG_CRYPTO_PUBLIC_KEYS and > > CONFIG_CRYPTO_RSA_BUILTIN_KEYS to CONFIG_CRYPTO_BUILTIN_KEYS as these > > variables will be used for all types of keys, not only RSA keys. > > Ah, the option is renamed anyway. Still disallowing pkcs11 as hint-name > should make migration easier a bit, I think. As said, keytoc won't allow pkcs11: as a key name hint. Sascha > > > > > Signed-off-by: Sascha Hauer > > --- > > crypto/Kconfig | 11 ++++----- > > crypto/Makefile | 17 +++++++------- > > crypto/public-keys.c | 39 +++++++++++++++++++++++++++++++ > > crypto/rsa.c | 23 ++---------------- > > include/asm-generic/barebox.lds.h | 10 ++++---- > > include/crypto/public_key.h | 20 ++++++++++++++++ > > include/rsa.h | 16 +++++++++++++ > > scripts/keytoc.c | 18 ++++++++++---- > > 8 files changed, 110 insertions(+), 44 deletions(-) > > create mode 100644 crypto/public-keys.c > > create mode 100644 include/crypto/public_key.h > > > > diff --git a/crypto/Kconfig b/crypto/Kconfig > > index 64a016eb2c..612e6f33fc 100644 > > --- a/crypto/Kconfig > > +++ b/crypto/Kconfig > > @@ -118,14 +118,13 @@ config CRYPTO_PBKDF2 > > config CRYPTO_RSA > > bool > > > > -config CRYPTO_RSA_BUILTIN_KEYS > > - bool > > - default y if CRYPTO_RSA_KEY != "" > > +config CRYPTO_BUILTIN_KEYS > > + bool "builtin keys" > > select KEYTOC > > > > -config CRYPTO_RSA_KEY > > - depends on CRYPTO_RSA > > - string "RSA key to compile in" > > +config CRYPTO_PUBLIC_KEYS > > + depends on CRYPTO_BUILTIN_KEYS > > + string "public keys to compile in" > > help > > This option should be a filename of a PEM-formatted file containing > > X.509 certificates to be included into barebox. If the string starts > > diff --git a/crypto/Makefile b/crypto/Makefile > > index f3e49ab7ba..b07e5dd8d4 100644 > > --- a/crypto/Makefile > > +++ b/crypto/Makefile > > @@ -18,20 +18,21 @@ obj-y += memneq.o > > obj-$(CONFIG_CRYPTO_PBKDF2) += pbkdf2.o > > obj-$(CONFIG_CRYPTO_RSA) += rsa.o > > obj-$(CONFIG_CRYPTO_KEYSTORE) += keystore.o > > +obj-$(CONFIG_CRYPTO_BUILTIN_KEYS) += public-keys.o > > > > obj-$(CONFIG_JWT) += jwt.o > > > > -extra-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsa-keys.h > > +extra-$(CONFIG_CRYPTO_BUILTIN_KEYS) += public-keys.h > > > > -ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS > > +ifdef CONFIG_CRYPTO_BUILTIN_KEYS > > > > -$(obj)/rsa.o: $(obj)/rsa-keys.h > > +$(obj)/public-keys.o: $(obj)/public-keys.h > > > > -CONFIG_CRYPTO_RSA_KEY := $(CONFIG_CRYPTO_RSA_KEY:"%"=%) > > +CONFIG_CRYPTO_PUBLIC_KEYS := $(CONFIG_CRYPTO_PUBLIC_KEYS:"%"=%) > > > > -RSA_DEP := $(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_RSA_KEY)) > > -RSA_DEP := $(shell echo $(RSA_DEP) | sed -e "s/[[:alnum:]]*://g") > > +PUBLIC_KEYS_DEP := $(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_PUBLIC_KEYS)) > > +PUBLIC_KEYS_DEP := $(shell echo $(PUBLIC_KEYS_DEP) | sed -e "s/[[:alnum:]]*://g") > > > > -$(obj)/rsa-keys.h: $(RSA_DEP) FORCE > > - $(call cmd,public_keys,$(CONFIG_CRYPTO_RSA_KEY)) > > +$(obj)/public-keys.h: $(PUBLIC_KEYS_DEP) FORCE > > + $(call cmd,public_keys,$(CONFIG_CRYPTO_PUBLIC_KEYS)) > > endif > > diff --git a/crypto/public-keys.c b/crypto/public-keys.c > > new file mode 100644 > > index 0000000000..a3ef3bafc8 > > --- /dev/null > > +++ b/crypto/public-keys.c > > @@ -0,0 +1,39 @@ > > +#include > > +#include > > +#include > > + > > +extern const struct public_key * const __public_keys_start; > > +extern const struct public_key * const __public_keys_end; > > + > > +static int init_public_keys(void) > > +{ > > + const struct public_key * const *iter; > > + int ret; > > + > > + for (iter = &__public_keys_start; iter != &__public_keys_end; iter++) { > > + struct rsa_public_key *rsa_key; > > + > > + switch ((*iter)->type) { > > + case PUBLIC_KEY_TYPE_RSA: > > + rsa_key = rsa_key_dup((*iter)->rsa); > > + if (!rsa_key) > > + continue; > > + > > + ret = rsa_key_add(rsa_key); > > + if (ret) > > + pr_err("Cannot add rsa key: %pe\n", ERR_PTR(ret)); > > + break; > > + default: > > + pr_err("Ignoring unknown key type %u\n", (*iter)->type); > > + } > > + > > + } > > + > > + return 0; > > +} > > + > > +device_initcall(init_public_keys); > > + > > +#ifdef CONFIG_CRYPTO_BUILTIN_KEYS > > +#include "public-keys.h" > > +#endif > > diff --git a/crypto/rsa.c b/crypto/rsa.c > > index a379b77c9a..8eab07beed 100644 > > --- a/crypto/rsa.c > > +++ b/crypto/rsa.c > > @@ -469,7 +469,7 @@ const struct rsa_public_key *rsa_get_key(const char *name) > > return NULL; > > } > > > > -static int rsa_key_add(struct rsa_public_key *key) > > +int rsa_key_add(struct rsa_public_key *key) > > { > > if (rsa_get_key(key->key_name_hint)) > > return -EEXIST; > > @@ -479,7 +479,7 @@ static int rsa_key_add(struct rsa_public_key *key) > > return 0; > > } > > > > -static struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key) > > +struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key) > > { > > struct rsa_public_key *new; > > > > @@ -490,9 +490,6 @@ static struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key) > > return new; > > } > > > > -extern const struct rsa_public_key * const __rsa_keys_start; > > -extern const struct rsa_public_key * const __rsa_keys_end; > > - > > static void rsa_init_keys_of(void) > > { > > struct device_node *sigs, *sig; > > @@ -523,25 +520,9 @@ static void rsa_init_keys_of(void) > > > > static int rsa_init_keys(void) > > { > > - const struct rsa_public_key * const *iter; > > - struct rsa_public_key *key; > > - int ret; > > - > > - for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) { > > - key = rsa_key_dup(*iter); > > - ret = rsa_key_add(key); > > - if (ret) > > - pr_err("Cannot add rsa key %s: %s\n", > > - key->key_name_hint, strerror(-ret)); > > - } > > - > > rsa_init_keys_of(); > > > > return 0; > > } > > > > device_initcall(rsa_init_keys); > > - > > -#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS > > -#include "rsa-keys.h" > > -#endif > > diff --git a/include/asm-generic/barebox.lds.h b/include/asm-generic/barebox.lds.h > > index d3736ebaed..eb4c42ca5b 100644 > > --- a/include/asm-generic/barebox.lds.h > > +++ b/include/asm-generic/barebox.lds.h > > @@ -106,11 +106,11 @@ > > #define BAREBOX_PCI_FIXUP > > #endif > > > > -#define BAREBOX_RSA_KEYS \ > > +#define BAREBOX_PUBLIC_KEYS \ > > STRUCT_ALIGN(); \ > > - __rsa_keys_start = .; \ > > - KEEP(*(.rsa_keys.rodata.*)); \ > > - __rsa_keys_end = .; \ > > + __public_keys_start = .; \ > > + KEEP(*(.public_keys.rodata.*)); \ > > + __public_keys_end = .; \ > > > > #define BAREBOX_DEEP_PROBE \ > > STRUCT_ALIGN(); \ > > @@ -140,7 +140,7 @@ > > BAREBOX_MAGICVARS \ > > BAREBOX_CLK_TABLE \ > > BAREBOX_DTB \ > > - BAREBOX_RSA_KEYS \ > > + BAREBOX_PUBLIC_KEYS \ > > BAREBOX_PCI_FIXUP \ > > BAREBOX_DEEP_PROBE > > > > diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h > > new file mode 100644 > > index 0000000000..83e8401aed > > --- /dev/null > > +++ b/include/crypto/public_key.h > > @@ -0,0 +1,20 @@ > > +#ifndef __CRYPTO_PUBLIC_KEY_H > > +#define __CRYPTO_PUBLIC_KEY_H > > + > > +struct rsa_public_key; > > +struct ecdsa_public_key; > > + > > +enum pulic_key_type { > > + PUBLIC_KEY_TYPE_RSA, > > +}; > > + > > +struct public_key { > > + enum pulic_key_type type; > > + > > + union { > > + struct rsa_public_key *rsa; > > + struct ecdsa_public_key *ecdsa; > > + }; > > +}; > > + > > +#endif /* __CRYPTO_PUBLIC_KEY_H */ > > diff --git a/include/rsa.h b/include/rsa.h > > index f1e3c1b6c3..ecb2f42957 100644 > > --- a/include/rsa.h > > +++ b/include/rsa.h > > @@ -62,4 +62,20 @@ const struct rsa_public_key *rsa_key_next(const struct rsa_public_key *prev); > > > > #define for_each_rsa_key(key) \ > > for (key = rsa_key_next(NULL); key; key = rsa_key_next(key)) > > + > > +#ifdef CONFIG_CRYPTO_RSA > > +int rsa_key_add(struct rsa_public_key *key); > > +struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key); > > +#else > > +static inline int rsa_key_add(struct rsa_public_key *key) > > +{ > > + return -ENOSYS; > > +} > > + > > +static inline struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key); > > +{ > > + return NULL; > > +} > > +#endif > > + > > #endif > > diff --git a/scripts/keytoc.c b/scripts/keytoc.c > > index 85a7cd7319..e66c5989bf 100644 > > --- a/scripts/keytoc.c > > +++ b/scripts/keytoc.c > > @@ -488,9 +488,14 @@ static int gen_key_ecdsa(EVP_PKEY *key, const char *key_name, const char *key_na > > fprintf(outfilep, "\t.x = %s_x,\n", key_name_c); > > fprintf(outfilep, "\t.y = %s_y,\n", key_name_c); > > fprintf(outfilep, "};\n"); > > - if (!standalone) > > - fprintf(outfilep, "\nstruct ecdsa_public_key *%s_ecdsa_p __attribute__((section(\".ecdsa_keys.rodata.%s\"))) = &%s;\n", > > + if (!standalone) { > > + fprintf(outfilep, "\nstatic struct public_key %s_public_key = {\n", key_name_c); > > + fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_ECDSA,\n"); > > + fprintf(outfilep, "\t.ecdsa = &%s,\n", key_name_c); > > + fprintf(outfilep, "};"); > > + fprintf(outfilep, "\nstruct public_key *%s_ecdsa_p __attribute__((section(\".public_keys.rodata.%s\"))) = &%s_public_key;\n", > > key_name_c, key_name_c, key_name_c); > > + } > > } > > > > return 0; > > @@ -549,9 +554,14 @@ static int gen_key_rsa(EVP_PKEY *key, const char *key_name, const char *key_name > > fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", key_name); > > fprintf(outfilep, "};\n"); > > > > - if (!standalone) > > - fprintf(outfilep, "\nstruct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n", > > + if (!standalone) { > > + fprintf(outfilep, "\nstatic struct public_key %s_public_key = {\n", key_name_c); > > + fprintf(outfilep, "\t.type = PUBLIC_KEY_TYPE_RSA,\n"); > > + fprintf(outfilep, "\t.rsa = &%s,\n", key_name_c); > > + fprintf(outfilep, "};"); > > + fprintf(outfilep, "\nstruct public_key *%sp __attribute__((section(\".public_keys.rodata.%s\"))) = &%s_public_key;\n", > > key_name_c, key_name_c, key_name_c); > > + } > > } > > > > return 0; > > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |