blob: 442b7695639a20e189088af66a2d7d746c105eab [file] [log] [blame]
Simon Glass35191a32013-06-13 15:10:02 -07001/*
2 * Copyright (c) 2013, Google Inc.
3 *
Wolfgang Denkd79de1d2013-07-08 09:37:19 +02004 * SPDX-License-Identifier: GPL-2.0+
Simon Glass35191a32013-06-13 15:10:02 -07005 */
6
Heiko Schocherd7b42322014-03-03 12:19:30 +01007#ifndef USE_HOSTCC
Simon Glass35191a32013-06-13 15:10:02 -07008#include <common.h>
9#include <fdtdec.h>
Heiko Schocherd7b42322014-03-03 12:19:30 +010010#include <asm/types.h>
Simon Glass35191a32013-06-13 15:10:02 -070011#include <asm/byteorder.h>
Masahiro Yamada56a931c2016-09-21 11:28:55 +090012#include <linux/errno.h>
Heiko Schocherd7b42322014-03-03 12:19:30 +010013#include <asm/types.h>
Simon Glass35191a32013-06-13 15:10:02 -070014#include <asm/unaligned.h>
Ruchika Guptaa0d3ca62015-01-23 16:01:54 +053015#include <dm.h>
Heiko Schocherd7b42322014-03-03 12:19:30 +010016#else
17#include "fdt_host.h"
18#include "mkimage.h"
19#include <fdt_support.h>
20#endif
Ruchika Guptab92ebab2015-01-23 16:01:50 +053021#include <u-boot/rsa-mod-exp.h>
Jeroen Hofsteebfe88fe2014-06-12 22:27:12 +020022#include <u-boot/rsa.h>
Heiko Schocherd7b42322014-03-03 12:19:30 +010023
Michael van der Westhuizen89f4ed12014-07-02 10:17:26 +020024/* Default public exponent for backward compatibility */
25#define RSA_DEFAULT_PUBEXP 65537
26
Simon Glass35191a32013-06-13 15:10:02 -070027/**
Ruchika Guptab92ebab2015-01-23 16:01:50 +053028 * rsa_verify_key() - Verify a signature against some data using RSA Key
Simon Glass35191a32013-06-13 15:10:02 -070029 *
Ruchika Guptab92ebab2015-01-23 16:01:50 +053030 * Verify a RSA PKCS1.5 signature against an expected hash using
31 * the RSA Key properties in prop structure.
Simon Glass35191a32013-06-13 15:10:02 -070032 *
Ruchika Guptab92ebab2015-01-23 16:01:50 +053033 * @prop: Specifies key
34 * @sig: Signature
35 * @sig_len: Number of bytes in signature
36 * @hash: Pointer to the expected hash
37 * @algo: Checksum algo structure having information on RSA padding etc.
38 * @return 0 if verified, -ve on error
Simon Glass35191a32013-06-13 15:10:02 -070039 */
Ruchika Guptab92ebab2015-01-23 16:01:50 +053040static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
Heiko Schocheredaf9b12014-03-03 12:19:26 +010041 const uint32_t sig_len, const uint8_t *hash,
42 struct checksum_algo *algo)
Simon Glass35191a32013-06-13 15:10:02 -070043{
44 const uint8_t *padding;
45 int pad_len;
46 int ret;
Ruchika Guptaa0d3ca62015-01-23 16:01:54 +053047#if !defined(USE_HOSTCC)
48 struct udevice *mod_exp_dev;
49#endif
Simon Glass35191a32013-06-13 15:10:02 -070050
Ruchika Guptab92ebab2015-01-23 16:01:50 +053051 if (!prop || !sig || !hash || !algo)
Simon Glass35191a32013-06-13 15:10:02 -070052 return -EIO;
53
Ruchika Guptab92ebab2015-01-23 16:01:50 +053054 if (sig_len != (prop->num_bits / 8)) {
Simon Glass35191a32013-06-13 15:10:02 -070055 debug("Signature is of incorrect length %d\n", sig_len);
56 return -EINVAL;
57 }
58
Heiko Schocheredaf9b12014-03-03 12:19:26 +010059 debug("Checksum algorithm: %s", algo->name);
60
Simon Glass35191a32013-06-13 15:10:02 -070061 /* Sanity check for stack size */
62 if (sig_len > RSA_MAX_SIG_BITS / 8) {
63 debug("Signature length %u exceeds maximum %d\n", sig_len,
64 RSA_MAX_SIG_BITS / 8);
65 return -EINVAL;
66 }
67
Ruchika Guptab92ebab2015-01-23 16:01:50 +053068 uint8_t buf[sig_len];
Simon Glass35191a32013-06-13 15:10:02 -070069
Ruchika Guptaa0d3ca62015-01-23 16:01:54 +053070#if !defined(USE_HOSTCC)
71 ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
72 if (ret) {
73 printf("RSA: Can't find Modular Exp implementation\n");
74 return -EINVAL;
75 }
76
77 ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
78#else
Ruchika Guptab92ebab2015-01-23 16:01:50 +053079 ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
Ruchika Guptaa0d3ca62015-01-23 16:01:54 +053080#endif
Ruchika Guptab92ebab2015-01-23 16:01:50 +053081 if (ret) {
82 debug("Error in Modular exponentation\n");
Simon Glass35191a32013-06-13 15:10:02 -070083 return ret;
Ruchika Guptab92ebab2015-01-23 16:01:50 +053084 }
Simon Glass35191a32013-06-13 15:10:02 -070085
Heiko Schocheredaf9b12014-03-03 12:19:26 +010086 padding = algo->rsa_padding;
Heiko Schocher4b817562014-03-03 12:19:27 +010087 pad_len = algo->pad_len - algo->checksum_len;
Simon Glass35191a32013-06-13 15:10:02 -070088
89 /* Check pkcs1.5 padding bytes. */
90 if (memcmp(buf, padding, pad_len)) {
91 debug("In RSAVerify(): Padding check failed!\n");
92 return -EINVAL;
93 }
94
95 /* Check hash. */
96 if (memcmp((uint8_t *)buf + pad_len, hash, sig_len - pad_len)) {
97 debug("In RSAVerify(): Hash check failed!\n");
98 return -EACCES;
99 }
100
101 return 0;
102}
103
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530104/**
105 * rsa_verify_with_keynode() - Verify a signature against some data using
106 * information in node with prperties of RSA Key like modulus, exponent etc.
107 *
108 * Parse sign-node and fill a key_prop structure with properties of the
109 * key. Verify a RSA PKCS1.5 signature against an expected hash using
110 * the properties parsed
111 *
112 * @info: Specifies key and FIT information
113 * @hash: Pointer to the expected hash
114 * @sig: Signature
115 * @sig_len: Number of bytes in signature
116 * @node: Node having the RSA Key properties
117 * @return 0 if verified, -ve on error
118 */
Simon Glass35191a32013-06-13 15:10:02 -0700119static int rsa_verify_with_keynode(struct image_sign_info *info,
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530120 const void *hash, uint8_t *sig,
121 uint sig_len, int node)
Simon Glass35191a32013-06-13 15:10:02 -0700122{
123 const void *blob = info->fdt_blob;
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530124 struct key_prop prop;
Michael van der Westhuizen89f4ed12014-07-02 10:17:26 +0200125 int length;
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530126 int ret = 0;
Simon Glass35191a32013-06-13 15:10:02 -0700127
128 if (node < 0) {
129 debug("%s: Skipping invalid node", __func__);
130 return -EBADF;
131 }
Simon Glass35191a32013-06-13 15:10:02 -0700132
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530133 prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0);
Simon Glass35191a32013-06-13 15:10:02 -0700134
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530135 prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);
Simon Glass35191a32013-06-13 15:10:02 -0700136
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530137 prop.public_exponent = fdt_getprop(blob, node, "rsa,exponent", &length);
138 if (!prop.public_exponent || length < sizeof(uint64_t))
139 prop.public_exponent = NULL;
140
141 prop.exp_len = sizeof(uint64_t);
142
143 prop.modulus = fdt_getprop(blob, node, "rsa,modulus", NULL);
144
145 prop.rr = fdt_getprop(blob, node, "rsa,r-squared", NULL);
146
147 if (!prop.num_bits || !prop.modulus) {
148 debug("%s: Missing RSA key info", __func__);
149 return -EFAULT;
Simon Glass35191a32013-06-13 15:10:02 -0700150 }
151
Ruchika Guptab92ebab2015-01-23 16:01:50 +0530152 ret = rsa_verify_key(&prop, sig, sig_len, hash, info->algo->checksum);
153
154 return ret;
Simon Glass35191a32013-06-13 15:10:02 -0700155}
156
157int rsa_verify(struct image_sign_info *info,
158 const struct image_region region[], int region_count,
159 uint8_t *sig, uint sig_len)
160{
161 const void *blob = info->fdt_blob;
Heiko Schocheredaf9b12014-03-03 12:19:26 +0100162 /* Reserve memory for maximum checksum-length */
Heiko Schocher4b817562014-03-03 12:19:27 +0100163 uint8_t hash[info->algo->checksum->pad_len];
Simon Glass35191a32013-06-13 15:10:02 -0700164 int ndepth, noffset;
165 int sig_node, node;
166 char name[100];
Heiko Schocheredaf9b12014-03-03 12:19:26 +0100167 int ret;
168
169 /*
170 * Verify that the checksum-length does not exceed the
171 * rsa-signature-length
172 */
Heiko Schocher4b817562014-03-03 12:19:27 +0100173 if (info->algo->checksum->checksum_len >
174 info->algo->checksum->pad_len) {
175 debug("%s: invlaid checksum-algorithm %s for %s\n",
176 __func__, info->algo->checksum->name, info->algo->name);
Heiko Schocheredaf9b12014-03-03 12:19:26 +0100177 return -EINVAL;
178 }
Simon Glass35191a32013-06-13 15:10:02 -0700179
180 sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
181 if (sig_node < 0) {
182 debug("%s: No signature node found\n", __func__);
183 return -ENOENT;
184 }
185
Heiko Schocheredaf9b12014-03-03 12:19:26 +0100186 /* Calculate checksum with checksum-algorithm */
Ruchika Gupta2c8987f2015-01-23 16:01:59 +0530187 ret = info->algo->checksum->calculate(info->algo->checksum->name,
188 region, region_count, hash);
189 if (ret < 0) {
190 debug("%s: Error in checksum calculation\n", __func__);
191 return -EINVAL;
192 }
Simon Glass35191a32013-06-13 15:10:02 -0700193
194 /* See if we must use a particular key */
195 if (info->required_keynode != -1) {
196 ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
197 info->required_keynode);
198 if (!ret)
199 return ret;
200 }
201
202 /* Look for a key that matches our hint */
203 snprintf(name, sizeof(name), "key-%s", info->keyname);
204 node = fdt_subnode_offset(blob, sig_node, name);
205 ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
206 if (!ret)
207 return ret;
208
209 /* No luck, so try each of the keys in turn */
210 for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
211 (noffset >= 0) && (ndepth > 0);
212 noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
213 if (ndepth == 1 && noffset != node) {
214 ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
215 noffset);
216 if (!ret)
217 break;
218 }
219 }
220
221 return ret;
222}