Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * ECDSA image signing implementation using libcrypto backend |
| 4 | * |
| 5 | * The signature is a binary representation of the (R, S) points, padded to the |
| 6 | * key size. The signature will be (2 * key_size_bits) / 8 bytes. |
| 7 | * |
| 8 | * Deviations from behavior of RSA equivalent: |
| 9 | * - Verification uses private key. This is not technically required, but a |
| 10 | * limitation on how clumsy the openssl API is to use. |
| 11 | * - Handling of keys and key paths: |
| 12 | * - The '-K' key directory option must contain path to the key file, |
| 13 | * instead of the key directory. |
| 14 | * - No assumptions are made about the file extension of the key |
| 15 | * - The 'key-name-hint' property is only used for naming devicetree nodes, |
| 16 | * but is not used for looking up keys on the filesystem. |
| 17 | * |
| 18 | * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com> |
| 19 | */ |
| 20 | |
Heinrich Schuchardt | 43ee801 | 2021-12-18 11:25:12 +0100 | [diff] [blame] | 21 | #define OPENSSL_API_COMPAT 0x10101000L |
| 22 | |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 23 | #include <u-boot/ecdsa.h> |
| 24 | #include <u-boot/fdt-libcrypto.h> |
| 25 | #include <openssl/ssl.h> |
| 26 | #include <openssl/ec.h> |
| 27 | #include <openssl/bn.h> |
| 28 | |
| 29 | /* Image signing context for openssl-libcrypto */ |
| 30 | struct signer { |
| 31 | EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */ |
| 32 | EC_KEY *ecdsa_key; /* Pointer to EC_KEY object */ |
| 33 | void *hash; /* Pointer to hash used for verification */ |
| 34 | void *signature; /* Pointer to output signature. Do not free()!*/ |
| 35 | }; |
| 36 | |
| 37 | static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info) |
| 38 | { |
| 39 | memset(ctx, 0, sizeof(*ctx)); |
| 40 | |
| 41 | if (!OPENSSL_init_ssl(0, NULL)) { |
| 42 | fprintf(stderr, "Failure to init SSL library\n"); |
| 43 | return -1; |
| 44 | } |
| 45 | |
| 46 | ctx->hash = malloc(info->checksum->checksum_len); |
| 47 | ctx->signature = malloc(info->crypto->key_len * 2); |
| 48 | |
| 49 | if (!ctx->hash || !ctx->signature) |
| 50 | return -ENOMEM; |
| 51 | |
| 52 | return 0; |
| 53 | } |
| 54 | |
| 55 | static void free_ctx(struct signer *ctx) |
| 56 | { |
| 57 | if (ctx->ecdsa_key) |
| 58 | EC_KEY_free(ctx->ecdsa_key); |
| 59 | |
| 60 | if (ctx->evp_key) |
| 61 | EVP_PKEY_free(ctx->evp_key); |
| 62 | |
| 63 | if (ctx->hash) |
| 64 | free(ctx->hash); |
| 65 | } |
| 66 | |
| 67 | /* |
| 68 | * Convert an ECDSA signature to raw format |
| 69 | * |
| 70 | * openssl DER-encodes 'binary' signatures. We want the signature in a raw |
| 71 | * (R, S) point pair. So we have to dance a bit. |
| 72 | */ |
| 73 | static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order) |
| 74 | { |
| 75 | int point_bytes = order; |
| 76 | const BIGNUM *r, *s; |
| 77 | uintptr_t s_buf; |
| 78 | |
| 79 | ECDSA_SIG_get0(sig, &r, &s); |
| 80 | s_buf = (uintptr_t)buf + point_bytes; |
| 81 | BN_bn2binpad(r, buf, point_bytes); |
| 82 | BN_bn2binpad(s, (void *)s_buf, point_bytes); |
| 83 | } |
| 84 | |
| 85 | /* Get a signature from a raw encoding */ |
| 86 | static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order) |
| 87 | { |
| 88 | int point_bytes = order; |
| 89 | uintptr_t s_buf; |
| 90 | ECDSA_SIG *sig; |
| 91 | BIGNUM *r, *s; |
| 92 | |
| 93 | sig = ECDSA_SIG_new(); |
| 94 | if (!sig) |
| 95 | return NULL; |
| 96 | |
| 97 | s_buf = (uintptr_t)buf + point_bytes; |
| 98 | r = BN_bin2bn(buf, point_bytes, NULL); |
| 99 | s = BN_bin2bn((void *)s_buf, point_bytes, NULL); |
| 100 | ECDSA_SIG_set0(sig, r, s); |
| 101 | |
| 102 | return sig; |
| 103 | } |
| 104 | |
| 105 | /* ECDSA key size in bytes */ |
| 106 | static size_t ecdsa_key_size_bytes(const EC_KEY *key) |
| 107 | { |
| 108 | const EC_GROUP *group; |
| 109 | |
| 110 | group = EC_KEY_get0_group(key); |
| 111 | return EC_GROUP_order_bits(group) / 8; |
| 112 | } |
| 113 | |
| 114 | static int read_key(struct signer *ctx, const char *key_name) |
| 115 | { |
| 116 | FILE *f = fopen(key_name, "r"); |
| 117 | |
| 118 | if (!f) { |
| 119 | fprintf(stderr, "Can not get key file '%s'\n", key_name); |
| 120 | return -ENOENT; |
| 121 | } |
| 122 | |
| 123 | ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL); |
| 124 | fclose(f); |
| 125 | if (!ctx->evp_key) { |
| 126 | fprintf(stderr, "Can not read key from '%s'\n", key_name); |
| 127 | return -EIO; |
| 128 | } |
| 129 | |
| 130 | if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) { |
| 131 | fprintf(stderr, "'%s' is not an ECDSA key\n", key_name); |
| 132 | return -EINVAL; |
| 133 | } |
| 134 | |
| 135 | ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key); |
| 136 | if (!ctx->ecdsa_key) |
| 137 | fprintf(stderr, "Can not extract ECDSA key\n"); |
| 138 | |
| 139 | return (ctx->ecdsa_key) ? 0 : -EINVAL; |
| 140 | } |
| 141 | |
| 142 | /* Prepare a 'signer' context that's ready to sign and verify. */ |
| 143 | static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info) |
| 144 | { |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 145 | int key_len_bytes, ret; |
Alexandru Gagniuc | 80c81a3 | 2021-02-19 12:45:19 -0600 | [diff] [blame] | 146 | char kname[1024]; |
| 147 | |
| 148 | memset(ctx, 0, sizeof(*ctx)); |
| 149 | |
| 150 | if (info->keyfile) { |
| 151 | snprintf(kname, sizeof(kname), "%s", info->keyfile); |
| 152 | } else if (info->keydir && info->keyname) { |
| 153 | snprintf(kname, sizeof(kname), "%s/%s.pem", info->keydir, |
| 154 | info->keyname); |
| 155 | } else { |
| 156 | fprintf(stderr, "keyfile, keyname, or key-name-hint missing\n"); |
| 157 | return -EINVAL; |
| 158 | } |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 159 | |
| 160 | ret = alloc_ctx(ctx, info); |
| 161 | if (ret) |
| 162 | return ret; |
| 163 | |
| 164 | ret = read_key(ctx, kname); |
| 165 | if (ret) |
| 166 | return ret; |
| 167 | |
| 168 | key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key); |
| 169 | if (key_len_bytes != info->crypto->key_len) { |
| 170 | fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n", |
| 171 | info->crypto->key_len * 8, key_len_bytes * 8); |
| 172 | return -EINVAL; |
| 173 | } |
| 174 | |
| 175 | return 0; |
| 176 | } |
| 177 | |
| 178 | static int do_sign(struct signer *ctx, struct image_sign_info *info, |
| 179 | const struct image_region region[], int region_count) |
| 180 | { |
| 181 | const struct checksum_algo *algo = info->checksum; |
| 182 | ECDSA_SIG *sig; |
| 183 | |
| 184 | algo->calculate(algo->name, region, region_count, ctx->hash); |
| 185 | sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key); |
| 186 | |
| 187 | ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len); |
| 188 | |
| 189 | return 0; |
| 190 | } |
| 191 | |
| 192 | static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info) |
| 193 | { |
| 194 | ECDSA_SIG *sig; |
| 195 | int okay; |
| 196 | |
| 197 | sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len); |
| 198 | if (!sig) |
| 199 | return -ENOMEM; |
| 200 | |
| 201 | okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len, |
| 202 | sig, ctx->ecdsa_key); |
| 203 | if (!okay) |
| 204 | fprintf(stderr, "WARNING: Signature is fake news!\n"); |
| 205 | |
| 206 | ECDSA_SIG_free(sig); |
| 207 | return !okay; |
| 208 | } |
| 209 | |
| 210 | static int do_verify(struct signer *ctx, struct image_sign_info *info, |
| 211 | const struct image_region region[], int region_count, |
| 212 | uint8_t *raw_sig, uint sig_len) |
| 213 | { |
| 214 | const struct checksum_algo *algo = info->checksum; |
| 215 | |
| 216 | if (sig_len != info->crypto->key_len * 2) { |
| 217 | fprintf(stderr, "Signature has wrong length\n"); |
| 218 | return -EINVAL; |
| 219 | } |
| 220 | |
| 221 | memcpy(ctx->signature, raw_sig, sig_len); |
| 222 | algo->calculate(algo->name, region, region_count, ctx->hash); |
| 223 | |
| 224 | return ecdsa_check_signature(ctx, info); |
| 225 | } |
| 226 | |
| 227 | int ecdsa_sign(struct image_sign_info *info, const struct image_region region[], |
| 228 | int region_count, uint8_t **sigp, uint *sig_len) |
| 229 | { |
| 230 | struct signer ctx; |
| 231 | int ret; |
| 232 | |
| 233 | ret = prepare_ctx(&ctx, info); |
| 234 | if (ret >= 0) { |
| 235 | do_sign(&ctx, info, region, region_count); |
| 236 | *sigp = ctx.signature; |
| 237 | *sig_len = info->crypto->key_len * 2; |
| 238 | |
| 239 | ret = ecdsa_check_signature(&ctx, info); |
| 240 | } |
| 241 | |
| 242 | free_ctx(&ctx); |
| 243 | return ret; |
| 244 | } |
| 245 | |
| 246 | int ecdsa_verify(struct image_sign_info *info, |
| 247 | const struct image_region region[], int region_count, |
| 248 | uint8_t *sig, uint sig_len) |
| 249 | { |
| 250 | struct signer ctx; |
| 251 | int ret; |
| 252 | |
| 253 | ret = prepare_ctx(&ctx, info); |
| 254 | if (ret >= 0) |
| 255 | ret = do_verify(&ctx, info, region, region_count, sig, sig_len); |
| 256 | |
| 257 | free_ctx(&ctx); |
| 258 | return ret; |
| 259 | } |
| 260 | |
| 261 | static int do_add(struct signer *ctx, void *fdt, const char *key_node_name) |
| 262 | { |
| 263 | int signature_node, key_node, ret, key_bits; |
| 264 | const char *curve_name; |
| 265 | const EC_GROUP *group; |
| 266 | const EC_POINT *point; |
| 267 | BIGNUM *x, *y; |
| 268 | |
| 269 | signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME); |
| 270 | if (signature_node < 0) { |
| 271 | fprintf(stderr, "Could not find 'signature node: %s\n", |
| 272 | fdt_strerror(signature_node)); |
| 273 | return signature_node; |
| 274 | } |
| 275 | |
| 276 | key_node = fdt_add_subnode(fdt, signature_node, key_node_name); |
| 277 | if (key_node < 0) { |
| 278 | fprintf(stderr, "Could not create '%s' node: %s\n", |
| 279 | key_node_name, fdt_strerror(key_node)); |
| 280 | return key_node; |
| 281 | } |
| 282 | |
| 283 | group = EC_KEY_get0_group(ctx->ecdsa_key); |
| 284 | key_bits = EC_GROUP_order_bits(group); |
| 285 | curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group)); |
| 286 | /* Let 'x' and 'y' memory leak by not BN_free()'ing them. */ |
| 287 | x = BN_new(); |
| 288 | y = BN_new(); |
| 289 | point = EC_KEY_get0_public_key(ctx->ecdsa_key); |
| 290 | EC_POINT_get_affine_coordinates(group, point, x, y, NULL); |
| 291 | |
| 292 | ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name); |
| 293 | if (ret < 0) |
| 294 | return ret; |
| 295 | |
| 296 | ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits); |
| 297 | if (ret < 0) |
| 298 | return ret; |
| 299 | |
| 300 | ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits); |
| 301 | if (ret < 0) |
| 302 | return ret; |
| 303 | |
Simon Glass | 94336dc | 2021-11-12 12:28:11 -0700 | [diff] [blame] | 304 | return key_node; |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 305 | } |
| 306 | |
| 307 | int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt) |
| 308 | { |
| 309 | const char *fdt_key_name; |
| 310 | struct signer ctx; |
| 311 | int ret; |
| 312 | |
| 313 | fdt_key_name = info->keyname ? info->keyname : "default-key"; |
| 314 | ret = prepare_ctx(&ctx, info); |
| 315 | if (ret >= 0) |
Simon Glass | 94336dc | 2021-11-12 12:28:11 -0700 | [diff] [blame] | 316 | ret = do_add(&ctx, fdt, fdt_key_name); |
Alexandru Gagniuc | 3ebd200 | 2021-02-19 12:45:12 -0600 | [diff] [blame] | 317 | |
| 318 | free_ctx(&ctx); |
| 319 | return ret; |
| 320 | } |