blob: ae6dfa0ba97fdb1db8b6e844ed381a0f2bb1aa0b [file] [log] [blame]
Alexandru Gagniuced6c9e02021-02-19 12:45:12 -06001// SPDX-License-Identifier: GPL-2.0+
2/*
3 * ECDSA image signing implementation using libcrypto backend
4 *
5 * The signature is a binary representation of the (R, S) points, padded to the
6 * key size. The signature will be (2 * key_size_bits) / 8 bytes.
7 *
8 * Deviations from behavior of RSA equivalent:
9 * - Verification uses private key. This is not technically required, but a
10 * limitation on how clumsy the openssl API is to use.
11 * - Handling of keys and key paths:
12 * - The '-K' key directory option must contain path to the key file,
13 * instead of the key directory.
14 * - No assumptions are made about the file extension of the key
15 * - The 'key-name-hint' property is only used for naming devicetree nodes,
16 * but is not used for looking up keys on the filesystem.
17 *
18 * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com>
19 */
20
Heinrich Schuchardt3a8b9192021-12-18 11:25:12 +010021#define OPENSSL_API_COMPAT 0x10101000L
22
Alexandru Gagniuced6c9e02021-02-19 12:45:12 -060023#include <u-boot/ecdsa.h>
24#include <u-boot/fdt-libcrypto.h>
25#include <openssl/ssl.h>
26#include <openssl/ec.h>
27#include <openssl/bn.h>
28
29/* Image signing context for openssl-libcrypto */
30struct signer {
31 EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */
32 EC_KEY *ecdsa_key; /* Pointer to EC_KEY object */
33 void *hash; /* Pointer to hash used for verification */
34 void *signature; /* Pointer to output signature. Do not free()!*/
35};
36
37static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info)
38{
39 memset(ctx, 0, sizeof(*ctx));
40
41 if (!OPENSSL_init_ssl(0, NULL)) {
42 fprintf(stderr, "Failure to init SSL library\n");
43 return -1;
44 }
45
46 ctx->hash = malloc(info->checksum->checksum_len);
47 ctx->signature = malloc(info->crypto->key_len * 2);
48
49 if (!ctx->hash || !ctx->signature)
50 return -ENOMEM;
51
52 return 0;
53}
54
55static void free_ctx(struct signer *ctx)
56{
57 if (ctx->ecdsa_key)
58 EC_KEY_free(ctx->ecdsa_key);
59
60 if (ctx->evp_key)
61 EVP_PKEY_free(ctx->evp_key);
62
63 if (ctx->hash)
64 free(ctx->hash);
65}
66
67/*
68 * Convert an ECDSA signature to raw format
69 *
70 * openssl DER-encodes 'binary' signatures. We want the signature in a raw
71 * (R, S) point pair. So we have to dance a bit.
72 */
73static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order)
74{
75 int point_bytes = order;
76 const BIGNUM *r, *s;
77 uintptr_t s_buf;
78
79 ECDSA_SIG_get0(sig, &r, &s);
80 s_buf = (uintptr_t)buf + point_bytes;
81 BN_bn2binpad(r, buf, point_bytes);
82 BN_bn2binpad(s, (void *)s_buf, point_bytes);
83}
84
85/* Get a signature from a raw encoding */
86static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order)
87{
88 int point_bytes = order;
89 uintptr_t s_buf;
90 ECDSA_SIG *sig;
91 BIGNUM *r, *s;
92
93 sig = ECDSA_SIG_new();
94 if (!sig)
95 return NULL;
96
97 s_buf = (uintptr_t)buf + point_bytes;
98 r = BN_bin2bn(buf, point_bytes, NULL);
99 s = BN_bin2bn((void *)s_buf, point_bytes, NULL);
100 ECDSA_SIG_set0(sig, r, s);
101
102 return sig;
103}
104
105/* ECDSA key size in bytes */
106static size_t ecdsa_key_size_bytes(const EC_KEY *key)
107{
108 const EC_GROUP *group;
109
110 group = EC_KEY_get0_group(key);
111 return EC_GROUP_order_bits(group) / 8;
112}
113
114static int read_key(struct signer *ctx, const char *key_name)
115{
116 FILE *f = fopen(key_name, "r");
117
118 if (!f) {
119 fprintf(stderr, "Can not get key file '%s'\n", key_name);
120 return -ENOENT;
121 }
122
123 ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
124 fclose(f);
125 if (!ctx->evp_key) {
126 fprintf(stderr, "Can not read key from '%s'\n", key_name);
127 return -EIO;
128 }
129
130 if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) {
131 fprintf(stderr, "'%s' is not an ECDSA key\n", key_name);
132 return -EINVAL;
133 }
134
135 ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key);
136 if (!ctx->ecdsa_key)
137 fprintf(stderr, "Can not extract ECDSA key\n");
138
139 return (ctx->ecdsa_key) ? 0 : -EINVAL;
140}
141
142/* Prepare a 'signer' context that's ready to sign and verify. */
143static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info)
144{
Alexandru Gagniuced6c9e02021-02-19 12:45:12 -0600145 int key_len_bytes, ret;
Alexandru Gagniuceb227592021-02-19 12:45:19 -0600146 char kname[1024];
147
148 memset(ctx, 0, sizeof(*ctx));
149
150 if (info->keyfile) {
151 snprintf(kname, sizeof(kname), "%s", info->keyfile);
152 } else if (info->keydir && info->keyname) {
153 snprintf(kname, sizeof(kname), "%s/%s.pem", info->keydir,
154 info->keyname);
155 } else {
156 fprintf(stderr, "keyfile, keyname, or key-name-hint missing\n");
157 return -EINVAL;
158 }
Alexandru Gagniuced6c9e02021-02-19 12:45:12 -0600159
160 ret = alloc_ctx(ctx, info);
161 if (ret)
162 return ret;
163
164 ret = read_key(ctx, kname);
165 if (ret)
166 return ret;
167
168 key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key);
169 if (key_len_bytes != info->crypto->key_len) {
170 fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n",
171 info->crypto->key_len * 8, key_len_bytes * 8);
172 return -EINVAL;
173 }
174
175 return 0;
176}
177
178static int do_sign(struct signer *ctx, struct image_sign_info *info,
179 const struct image_region region[], int region_count)
180{
181 const struct checksum_algo *algo = info->checksum;
182 ECDSA_SIG *sig;
183
184 algo->calculate(algo->name, region, region_count, ctx->hash);
185 sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key);
186
187 ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len);
188
189 return 0;
190}
191
192static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info)
193{
194 ECDSA_SIG *sig;
195 int okay;
196
197 sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len);
198 if (!sig)
199 return -ENOMEM;
200
201 okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len,
202 sig, ctx->ecdsa_key);
203 if (!okay)
204 fprintf(stderr, "WARNING: Signature is fake news!\n");
205
206 ECDSA_SIG_free(sig);
207 return !okay;
208}
209
210static int do_verify(struct signer *ctx, struct image_sign_info *info,
211 const struct image_region region[], int region_count,
212 uint8_t *raw_sig, uint sig_len)
213{
214 const struct checksum_algo *algo = info->checksum;
215
216 if (sig_len != info->crypto->key_len * 2) {
217 fprintf(stderr, "Signature has wrong length\n");
218 return -EINVAL;
219 }
220
221 memcpy(ctx->signature, raw_sig, sig_len);
222 algo->calculate(algo->name, region, region_count, ctx->hash);
223
224 return ecdsa_check_signature(ctx, info);
225}
226
227int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
228 int region_count, uint8_t **sigp, uint *sig_len)
229{
230 struct signer ctx;
231 int ret;
232
233 ret = prepare_ctx(&ctx, info);
234 if (ret >= 0) {
235 do_sign(&ctx, info, region, region_count);
236 *sigp = ctx.signature;
237 *sig_len = info->crypto->key_len * 2;
238
239 ret = ecdsa_check_signature(&ctx, info);
240 }
241
242 free_ctx(&ctx);
243 return ret;
244}
245
246int ecdsa_verify(struct image_sign_info *info,
247 const struct image_region region[], int region_count,
248 uint8_t *sig, uint sig_len)
249{
250 struct signer ctx;
251 int ret;
252
253 ret = prepare_ctx(&ctx, info);
254 if (ret >= 0)
255 ret = do_verify(&ctx, info, region, region_count, sig, sig_len);
256
257 free_ctx(&ctx);
258 return ret;
259}
260
261static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
262{
263 int signature_node, key_node, ret, key_bits;
264 const char *curve_name;
265 const EC_GROUP *group;
266 const EC_POINT *point;
267 BIGNUM *x, *y;
268
269 signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME);
270 if (signature_node < 0) {
271 fprintf(stderr, "Could not find 'signature node: %s\n",
272 fdt_strerror(signature_node));
273 return signature_node;
274 }
275
276 key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
277 if (key_node < 0) {
278 fprintf(stderr, "Could not create '%s' node: %s\n",
279 key_node_name, fdt_strerror(key_node));
280 return key_node;
281 }
282
283 group = EC_KEY_get0_group(ctx->ecdsa_key);
284 key_bits = EC_GROUP_order_bits(group);
285 curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group));
286 /* Let 'x' and 'y' memory leak by not BN_free()'ing them. */
287 x = BN_new();
288 y = BN_new();
289 point = EC_KEY_get0_public_key(ctx->ecdsa_key);
290 EC_POINT_get_affine_coordinates(group, point, x, y, NULL);
291
292 ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name);
293 if (ret < 0)
294 return ret;
295
296 ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits);
297 if (ret < 0)
298 return ret;
299
300 ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits);
301 if (ret < 0)
302 return ret;
303
304 return 0;
305}
306
307int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt)
308{
309 const char *fdt_key_name;
310 struct signer ctx;
311 int ret;
312
313 fdt_key_name = info->keyname ? info->keyname : "default-key";
314 ret = prepare_ctx(&ctx, info);
315 if (ret >= 0)
316 do_add(&ctx, fdt, fdt_key_name);
317
318 free_ctx(&ctx);
319 return ret;
320}