1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * ECDSA image signing implementation using libcrypto backend
4 *
5 * The signature is a binary representation of the (R, S) points, padded to the
6 * key size. The signature will be (2 * key_size_bits) / 8 bytes.
7 *
8 * Deviations from behavior of RSA equivalent:
9 * - Verification uses private key. This is not technically required, but a
10 * limitation on how clumsy the openssl API is to use.
11 * - Handling of keys and key paths:
12 * - The '-K' key directory option must contain path to the key file,
13 * instead of the key directory.
14 * - No assumptions are made about the file extension of the key
15 * - The 'key-name-hint' property is only used for naming devicetree nodes,
16 * but is not used for looking up keys on the filesystem.
17 *
18 * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com>
19 */
20
21 #include <u-boot/ecdsa.h>
22 #include <u-boot/fdt-libcrypto.h>
23 #include <openssl/ssl.h>
24 #include <openssl/ec.h>
25 #include <openssl/bn.h>
26
27 /* Image signing context for openssl-libcrypto */
28 struct signer {
29 EVP_PKEY *evp_key; /* Pointer to EVP_PKEY object */
30 EC_KEY *ecdsa_key; /* Pointer to EC_KEY object */
31 void *hash; /* Pointer to hash used for verification */
32 void *signature; /* Pointer to output signature. Do not free()!*/
33 };
34
alloc_ctx(struct signer * ctx,const struct image_sign_info * info)35 static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info)
36 {
37 memset(ctx, 0, sizeof(*ctx));
38
39 if (!OPENSSL_init_ssl(0, NULL)) {
40 fprintf(stderr, "Failure to init SSL library\n");
41 return -1;
42 }
43
44 ctx->hash = malloc(info->checksum->checksum_len);
45 ctx->signature = malloc(info->crypto->key_len * 2);
46
47 if (!ctx->hash || !ctx->signature)
48 return -ENOMEM;
49
50 return 0;
51 }
52
free_ctx(struct signer * ctx)53 static void free_ctx(struct signer *ctx)
54 {
55 if (ctx->ecdsa_key)
56 EC_KEY_free(ctx->ecdsa_key);
57
58 if (ctx->evp_key)
59 EVP_PKEY_free(ctx->evp_key);
60
61 if (ctx->hash)
62 free(ctx->hash);
63 }
64
65 /*
66 * Convert an ECDSA signature to raw format
67 *
68 * openssl DER-encodes 'binary' signatures. We want the signature in a raw
69 * (R, S) point pair. So we have to dance a bit.
70 */
ecdsa_sig_encode_raw(void * buf,const ECDSA_SIG * sig,size_t order)71 static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order)
72 {
73 int point_bytes = order;
74 const BIGNUM *r, *s;
75 uintptr_t s_buf;
76
77 ECDSA_SIG_get0(sig, &r, &s);
78 s_buf = (uintptr_t)buf + point_bytes;
79 BN_bn2binpad(r, buf, point_bytes);
80 BN_bn2binpad(s, (void *)s_buf, point_bytes);
81 }
82
83 /* Get a signature from a raw encoding */
ecdsa_sig_from_raw(void * buf,size_t order)84 static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order)
85 {
86 int point_bytes = order;
87 uintptr_t s_buf;
88 ECDSA_SIG *sig;
89 BIGNUM *r, *s;
90
91 sig = ECDSA_SIG_new();
92 if (!sig)
93 return NULL;
94
95 s_buf = (uintptr_t)buf + point_bytes;
96 r = BN_bin2bn(buf, point_bytes, NULL);
97 s = BN_bin2bn((void *)s_buf, point_bytes, NULL);
98 ECDSA_SIG_set0(sig, r, s);
99
100 return sig;
101 }
102
103 /* ECDSA key size in bytes */
ecdsa_key_size_bytes(const EC_KEY * key)104 static size_t ecdsa_key_size_bytes(const EC_KEY *key)
105 {
106 const EC_GROUP *group;
107
108 group = EC_KEY_get0_group(key);
109 return EC_GROUP_order_bits(group) / 8;
110 }
111
read_key(struct signer * ctx,const char * key_name)112 static int read_key(struct signer *ctx, const char *key_name)
113 {
114 FILE *f = fopen(key_name, "r");
115
116 if (!f) {
117 fprintf(stderr, "Can not get key file '%s'\n", key_name);
118 return -ENOENT;
119 }
120
121 ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
122 fclose(f);
123 if (!ctx->evp_key) {
124 fprintf(stderr, "Can not read key from '%s'\n", key_name);
125 return -EIO;
126 }
127
128 if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) {
129 fprintf(stderr, "'%s' is not an ECDSA key\n", key_name);
130 return -EINVAL;
131 }
132
133 ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key);
134 if (!ctx->ecdsa_key)
135 fprintf(stderr, "Can not extract ECDSA key\n");
136
137 return (ctx->ecdsa_key) ? 0 : -EINVAL;
138 }
139
140 /* Prepare a 'signer' context that's ready to sign and verify. */
prepare_ctx(struct signer * ctx,const struct image_sign_info * info)141 static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info)
142 {
143 int key_len_bytes, ret;
144 char kname[1024];
145
146 memset(ctx, 0, sizeof(*ctx));
147
148 if (info->keyfile) {
149 snprintf(kname, sizeof(kname), "%s", info->keyfile);
150 } else if (info->keydir && info->keyname) {
151 snprintf(kname, sizeof(kname), "%s/%s.pem", info->keydir,
152 info->keyname);
153 } else {
154 fprintf(stderr, "keyfile, keyname, or key-name-hint missing\n");
155 return -EINVAL;
156 }
157
158 ret = alloc_ctx(ctx, info);
159 if (ret)
160 return ret;
161
162 ret = read_key(ctx, kname);
163 if (ret)
164 return ret;
165
166 key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key);
167 if (key_len_bytes != info->crypto->key_len) {
168 fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n",
169 info->crypto->key_len * 8, key_len_bytes * 8);
170 return -EINVAL;
171 }
172
173 return 0;
174 }
175
do_sign(struct signer * ctx,struct image_sign_info * info,const struct image_region region[],int region_count)176 static int do_sign(struct signer *ctx, struct image_sign_info *info,
177 const struct image_region region[], int region_count)
178 {
179 const struct checksum_algo *algo = info->checksum;
180 ECDSA_SIG *sig;
181
182 algo->calculate(algo->name, region, region_count, ctx->hash);
183 sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key);
184
185 ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len);
186
187 return 0;
188 }
189
ecdsa_check_signature(struct signer * ctx,struct image_sign_info * info)190 static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info)
191 {
192 ECDSA_SIG *sig;
193 int okay;
194
195 sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len);
196 if (!sig)
197 return -ENOMEM;
198
199 okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len,
200 sig, ctx->ecdsa_key);
201 if (!okay)
202 fprintf(stderr, "WARNING: Signature is fake news!\n");
203
204 ECDSA_SIG_free(sig);
205 return !okay;
206 }
207
do_verify(struct signer * ctx,struct image_sign_info * info,const struct image_region region[],int region_count,uint8_t * raw_sig,uint sig_len)208 static int do_verify(struct signer *ctx, struct image_sign_info *info,
209 const struct image_region region[], int region_count,
210 uint8_t *raw_sig, uint sig_len)
211 {
212 const struct checksum_algo *algo = info->checksum;
213
214 if (sig_len != info->crypto->key_len * 2) {
215 fprintf(stderr, "Signature has wrong length\n");
216 return -EINVAL;
217 }
218
219 memcpy(ctx->signature, raw_sig, sig_len);
220 algo->calculate(algo->name, region, region_count, ctx->hash);
221
222 return ecdsa_check_signature(ctx, info);
223 }
224
ecdsa_sign(struct image_sign_info * info,const struct image_region region[],int region_count,uint8_t ** sigp,uint * sig_len)225 int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
226 int region_count, uint8_t **sigp, uint *sig_len)
227 {
228 struct signer ctx;
229 int ret;
230
231 ret = prepare_ctx(&ctx, info);
232 if (ret >= 0) {
233 do_sign(&ctx, info, region, region_count);
234 *sigp = ctx.signature;
235 *sig_len = info->crypto->key_len * 2;
236
237 ret = ecdsa_check_signature(&ctx, info);
238 }
239
240 free_ctx(&ctx);
241 return ret;
242 }
243
ecdsa_verify(struct image_sign_info * info,const struct image_region region[],int region_count,uint8_t * sig,uint sig_len)244 int ecdsa_verify(struct image_sign_info *info,
245 const struct image_region region[], int region_count,
246 uint8_t *sig, uint sig_len)
247 {
248 struct signer ctx;
249 int ret;
250
251 ret = prepare_ctx(&ctx, info);
252 if (ret >= 0)
253 ret = do_verify(&ctx, info, region, region_count, sig, sig_len);
254
255 free_ctx(&ctx);
256 return ret;
257 }
258
do_add(struct signer * ctx,void * fdt,const char * key_node_name)259 static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
260 {
261 int signature_node, key_node, ret, key_bits;
262 const char *curve_name;
263 const EC_GROUP *group;
264 const EC_POINT *point;
265 BIGNUM *x, *y;
266
267 signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME);
268 if (signature_node < 0) {
269 fprintf(stderr, "Could not find 'signature node: %s\n",
270 fdt_strerror(signature_node));
271 return signature_node;
272 }
273
274 key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
275 if (key_node < 0) {
276 fprintf(stderr, "Could not create '%s' node: %s\n",
277 key_node_name, fdt_strerror(key_node));
278 return key_node;
279 }
280
281 group = EC_KEY_get0_group(ctx->ecdsa_key);
282 key_bits = EC_GROUP_order_bits(group);
283 curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group));
284 /* Let 'x' and 'y' memory leak by not BN_free()'ing them. */
285 x = BN_new();
286 y = BN_new();
287 point = EC_KEY_get0_public_key(ctx->ecdsa_key);
288 EC_POINT_get_affine_coordinates(group, point, x, y, NULL);
289
290 ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name);
291 if (ret < 0)
292 return ret;
293
294 ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits);
295 if (ret < 0)
296 return ret;
297
298 ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits);
299 if (ret < 0)
300 return ret;
301
302 return 0;
303 }
304
ecdsa_add_verify_data(struct image_sign_info * info,void * fdt)305 int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt)
306 {
307 const char *fdt_key_name;
308 struct signer ctx;
309 int ret;
310
311 fdt_key_name = info->keyname ? info->keyname : "default-key";
312 ret = prepare_ctx(&ctx, info);
313 if (ret >= 0)
314 do_add(&ctx, fdt, fdt_key_name);
315
316 free_ctx(&ctx);
317 return ret;
318 }
319