So far we relied on the U-Boot mkimage tool to generate us device tree snippets containing rsa public keys which we then compiled into barebox. Make this easier and allow to directly specify a filename or PKCS#11 URI in Kconfig. With this we no longer need the U-Boot mkimage tool here and no more external steps to prepare device tree snippets. With this rsa public keys can be directly compiled as C structs into barebox which is much more direct than putting it into the device tree.
Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
 crypto/.gitignore | 2 ++
 crypto/Kconfig | 19 ++++++++++++++++++
 crypto/Makefile | 10 ++++++++++
 crypto/rsa.c | 33 +++++++++++++++++++++++++++++++
 include/asm-generic/barebox.lds.h | 6 ++++++
 include/rsa.h | 2 ++
 scripts/Makefile.lib | 18 +++++++++++++++++
 7 files changed, 90 insertions(+)
 create mode 100644 crypto/.gitignore
diff --git a/crypto/.gitignore b/crypto/.gitignore
new file mode 100644
index 0000000000..92d8af3cf4
--- /dev/null
+++ b/crypto/.gitignore
@@ -0,0 +1,2 @@
+rsa-keys.h
+rsa-keys.h.tmp
diff --git a/crypto/Kconfig b/crypto/Kconfig
index c06d3c054e..42b018b296 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -94,6 +94,25 @@ config CRYPTO_PBKDF2
 config CRYPTO_RSA
 bool
+config CRYPTO_RSA_BUILTIN_KEYS
+ bool
+ default y if CRYPTO_RSA_KEYS != ""
+
+config CRYPTO_RSA_KEY
+ depends on CRYPTO_RSA
+ string "RSA key to compile in"
+ help
+ This option should be a filename of a PEM-formatted file containing
+ X.509 certificates to be included into barebox. If the string starts
+ with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
+
+config CRYPTO_RSA_KEY_NAME_HINT
+ depends on CRYPTO_RSA
+ string "FIT image key name hint"
+ help
+ In FIT images keys are identified by a key name hint string. Provide
+ the key name hint here.
+
 config CRYPTO_KEYSTORE
 bool "Keystore"
 help
diff --git a/crypto/Makefile b/crypto/Makefile
index d6fb74aad9..018f85e253 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
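Review bot: In crypto/Kconfig, `default y if CRYPTO_RSA_KEYS != ""` tests a symbol that this patch never defines; the string option added right below it is named `CRYPTO_RSA_KEY`. As written, CRYPTO_RSA_BUILTIN_KEYS does not follow whether a key source was actually configured (Kconfig probably treats the undefined name as a non-empty constant, which would make the option always y), so the built-in key path in crypto/Makefile and crypto/rsa.c can be enabled with an empty key. The line should read `default y if CRYPTO_RSA_KEY != ""`, and the hidden symbol would be safer with `depends on CRYPTO_RSA` like the two options that follow it.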
@@ -16,3 +16,13 @@ obj-$(CONFIG_DIGEST_SHA512_GENERIC) += sha4.o
 obj-$(CONFIG_CRYPTO_PBKDF2) += pbkdf2.o
 obj-$(CONFIG_CRYPTO_RSA) += rsa.o
 obj-$(CONFIG_CRYPTO_KEYSTORE) += keystore.o
+
+extra-y += rsa-keys.h
+
+ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+
+$(obj)/rsa.o: $(obj)/rsa-keys.h
+$(eval $(call config_filename,CRYPTO_RSA_KEY))
+$(obj)/rsa-keys.h: FORCE
+ $(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CRYPTO_RSA_KEY_SRCPREFIX)$(CRYPTO_RSA_KEY_FILENAME))
+endif
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 2e70c8127d..64241854c8 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -438,3 +438,36 @@ void rsa_key_free(struct rsa_public_key *key)
 free(key->rr);
 free(key);
 }
+
+#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+#include "rsa-keys.h"
+
+extern const struct rsa_public_key * const __rsa_keys_start;
+extern const struct rsa_public_key * const __rsa_keys_end;
+
+struct rsa_public_key *rsa_get_key(const char *name)
+{
+ const struct rsa_public_key *key;
+ struct rsa_public_key *new;
+ const struct rsa_public_key * const *iter;
+
+ for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
+ key = *iter;
+ if (!strcmp(name, key->key_name_hint))
+ goto found;
+ }
+
+ return ERR_PTR(-ENOENT);
+found:
+ new = xmemdup(key, sizeof(*key));
+ new->modulus = xmemdup(key->modulus, key->len * sizeof(uint32_t));
+ new->rr = xmemdup(key->rr, key->len * sizeof(uint32_t));
+
+ return new;
+}
+#else
+struct rsa_public_key *rsa_get_key(const char *name)
+{
+ return ERR_PTR(-ENOENT);
+}
+#endif
diff --git a/include/asm-generic/barebox.lds.h b/include/asm-generic/barebox.lds.h
index 8e8ae183db..b6ca8eb2be 100644
--- a/include/asm-generic/barebox.lds.h
+++ b/include/asm-generic/barebox.lds.h
@@ -98,6 +98,11 @@
 #define BAREBOX_PCI_FIXUP
 #endif
+#define BAREBOX_RSA_KEYS \
+ __rsa_keys_start = .; \
+ KEEP(*(.rsa_keys.rodata.*)); \
+ __rsa_keys_end = .; \
+
 #define RO_DATA_SECTION \
 BAREBOX_INITCALLS \
 BAREBOX_EXITCALLS \
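Review bot: In crypto/Makefile, `extra-y += rsa-keys.h` sits outside `ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS`, while the only rule for `$(obj)/rsa-keys.h` is inside it. With the option off, the build is asked for a target it has no rule to make. Moving `extra-y += rsa-keys.h` to the line after the `ifdef` keeps the target list and the rule in step, so a configuration without built-in keys neither fails nor picks up a stale header left in the tree.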
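Review bot: `rsa_get_key()` in crypto/rsa.c passes both `name` and `key->key_name_hint` to `strcmp()` without checking either for NULL. No caller is part of this patch; if the name is taken from a FIT signature node (inferred from the Kconfig help text), an image without a hint would dereference NULL in the lookup instead of failing verification with an error. A guard before the loop, `if (!name) return ERR_PTR(-ENOENT);`, and `if (key->key_name_hint && !strcmp(name, key->key_name_hint))` inside it, turns both cases into an ordinary miss.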
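Review bot: `BAREBOX_RSA_KEYS` in include/asm-generic/barebox.lds.h assigns `__rsa_keys_start = .;` without aligning the location counter first, while crypto/rsa.c walks from `&__rsa_keys_start` as an array of pointers. If whatever precedes it in RO_DATA_SECTION leaves `.` unaligned, the linker pads before the first `.rsa_keys.rodata.*` input section, and the start symbol then points at padding rather than at the first key pointer. Adding `. = ALIGN(8); \` as the first line of the macro avoids that. The trailing `\` after `__rsa_keys_end = .;` continues the macro onto the blank line and could be dropped.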
@@ -107,6 +112,7 @@
 BAREBOX_MAGICVARS \
 BAREBOX_CLK_TABLE \
 BAREBOX_DTB \
+ BAREBOX_RSA_KEYS \
 BAREBOX_PCI_FIXUP
 #if defined(CONFIG_ARCH_BAREBOX_MAX_BARE_INIT_SIZE) && \
diff --git a/include/rsa.h b/include/rsa.h
index cf2e6c7e08..803660d19a 100644
--- a/include/rsa.h
+++ b/include/rsa.h
@@ -28,6 +28,7 @@ struct rsa_public_key {
 uint32_t *modulus; /* modulus as little endian array */
 uint32_t *rr; /* R^2 as little endian array */
 uint64_t exponent; /* public exponent */
+ char *key_name_hint;
 };
 /**
@@ -51,5 +52,6 @@ int rsa_verify(const struct rsa_public_key *key, const uint8_t *sig,
 struct rsa_public_key *rsa_of_read_key(struct device_node *node);
 void rsa_key_free(struct rsa_public_key *key);
+struct rsa_public_key *rsa_get_key(const char *name);
 #endif
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index c4d307ae30..ecaf5e1e7b 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -526,5 +526,23 @@ quiet_cmd_stm32_image = STM32-IMG $@
 quiet_cmd_b64dec = B64DEC $@
 cmd_b64dec = base64 -d $< > $@
+# rsa_keys
+# ---------------------------------------------------------------------------
+# Build a header file containing a rsa public key.
+#
+# The keys can change without the build system noticing, so we always
+# have to call rsatoc. To avoid unnecessary rebuilds of barebox compare
+# its output to the last rsatoc output. Only if it differs overwrite the
+# target file.
+quiet_cmd_rsa_keys = RSAKEY $@
+cmd_rsa_keys = \
+ $(srctree)/scripts/rsatoc $2 \
+ > $@.tmp && \
+ if cmp -s $@.tmp $@; then \
+ rm $@.tmp; \
+ else \
+ mv $@.tmp $@; \
+ fi
+
 %: %.base64
 $(call cmd,b64dec)
--
2.23.0
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
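Review bot: The new `char *key_name_hint;` member of struct rsa_public_key in include/rsa.h is the only field without a comment, and its ownership is not stated. In crypto/rsa.c from this patch, `rsa_get_key()` copies the struct with `xmemdup(key, sizeof(*key))`, so the copy's pointer still refers to the built-in table's string, and the visible tail of `rsa_key_free()` does not release it. I would declare it as `const char *key_name_hint; /* FIT key name hint; borrowed, not freed by rsa_key_free() */`. Whether `rsa_of_read_key()` initialises the field cannot be seen from this page and is worth checking.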
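Review bot: The `rsa_get_key()` prototype added at the end of include/rsa.h has no comment, although its contract is easy to misuse. Per crypto/rsa.c in this patch, it returns a heap copy of the matching built-in key and `ERR_PTR(-ENOENT)`, never NULL, when nothing matches or built-in keys are compiled out. A short kernel-doc block above the prototype should say that the result must be tested with `IS_ERR()` before use and released with `rsa_key_free()`, so a caller's plain NULL check is not mistaken for a successful key lookup.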
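Review bot: In `cmd_rsa_keys` (scripts/Makefile.lib), `$2` is expanded into the shell command on the `rsatoc` line without quoting. The Kconfig help in this patch allows a PKCS#11 URI, and such URIs normally separate their attributes with `;`, which the shell reads as a command separator; a path containing spaces is split the same way. Whether any quoting survives from Kconfig depends on `config_filename`, which is not on this page. If none does, the `hint:source` string should reach rsatoc as one quoted word, quoted either here or where crypto/Makefile assembles it.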