Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-19 02:54:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

tools: doimage: migrate to mbedtls v2.8 APIs

Browse source 
Replace deprecated mbedtls_sha256 with mbedtls_sha256_ret
The mbedtls_pk_parse_key does not work correctly anymore
with the DER buffer embedded in the secure image extentson
using the buffer size as the the key length.
Move to mbedtls_pk_parse_subpubkey API that handles such
case correctly.
The DER format already contains the key length, so there
is no particular reason to supply it to the key parser.
Update the doimage version to 3.3

Change-Id: I0ec5ee84b7d1505b43138e0b7a6bdba44a6702b6
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
This commit is contained in:
Konstantin Porotchkin 2019-05-01 17:08:18 +03:00 committed by Manish Pandey
parent b3be0c7068
commit a79df348a5
1 changed files with 12 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
tools/marvell/doimage/doimage.c
View file

@ -51,7 +51,7 @@
/* Number of address pairs in control array */ /* Number of address pairs in control array */
#define CP_CTRL_EL_ARRAY_SZ 32 #define CP_CTRL_EL_ARRAY_SZ 32
#define VERSION_STRING "Marvell(C) doimage utility version 3.2" #define VERSION_STRING "Marvell(C) doimage utility version 3.3"
/* A8K definitions */ /* A8K definitions */
@ -303,7 +303,7 @@ int create_rsa_signature(mbedtls_pk_context *pk_ctx,
MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256); MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
/* First compute the SHA256 hash for the input blob */ /* First compute the SHA256 hash for the input blob */
mbedtls_sha256(input, ilen, hash, 0); mbedtls_sha256_ret(input, ilen, hash, 0);
/* Then calculate the hash signature */ /* Then calculate the hash signature */
rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx), rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx),
@ -354,6 +354,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
mbedtls_pk_context pk_ctx; mbedtls_pk_context pk_ctx;
unsigned char hash[32]; unsigned char hash[32];
int rval; int rval;
unsigned char *pkey = (unsigned char *)pub_key;
/* Not sure this is required, /* Not sure this is required,
* but it's safer to start with empty buffer * but it's safer to start with empty buffer
@ -373,8 +374,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
} }
/* Check ability to read the public key */ /* Check ability to read the public key */
rval = mbedtls_pk_parse_public_key(&pk_ctx, pub_key, rval = mbedtls_pk_parse_subpubkey(&pkey, pub_key + klen, &pk_ctx);
MAX_RSA_DER_BYTE_LEN);
if (rval != 0) { if (rval != 0) {
fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n", fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n",
rval); rval);
@ -387,7 +387,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
MBEDTLS_MD_SHA256); MBEDTLS_MD_SHA256);
/* Compute the SHA256 hash for the input buffer */ /* Compute the SHA256 hash for the input buffer */
mbedtls_sha256(input, ilen, hash, 0); mbedtls_sha256_ret(input, ilen, hash, 0);
rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx), rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx),
mbedtls_ctr_drbg_random, mbedtls_ctr_drbg_random,
@ -458,7 +458,7 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
/* compute SHA-256 digest of the results /* compute SHA-256 digest of the results
* and use it as the init vector (IV) * and use it as the init vector (IV)
*/ */
mbedtls_sha256(IV, AES_BLOCK_SZ, digest, 0); mbedtls_sha256_ret(IV, AES_BLOCK_SZ, digest, 0);
memcpy(IV, digest, AES_BLOCK_SZ); memcpy(IV, digest, AES_BLOCK_SZ);
mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key, mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key,
AES_KEY_BIT_LEN); AES_KEY_BIT_LEN);
@ -880,11 +880,13 @@ int format_sec_ext(char *filename, FILE *out_fd)
fname); fname);
return 1; return 1;
} }
/* Data in the output buffer is aligned to the buffer end */ /* Data in the output buffer is aligned to the buffer end */
der_buf_start = output_buf + sizeof(output_buf) - output_len; der_buf_start = output_buf + sizeof(output_buf) - output_len;
/* In the header DER data is aligned /* In the header DER data is aligned
* to the start of appropriate field * to the start of appropriate field
*/ */
bzero(out_der_key, MAX_RSA_DER_BYTE_LEN);
memcpy(out_der_key, der_buf_start, output_len); memcpy(out_der_key, der_buf_start, output_len);
} /* for every private key file */ } /* for every private key file */
@ -899,8 +901,10 @@ int format_sec_ext(char *filename, FILE *out_fd)
fprintf(stderr, "Failed to sign CSK keys block!\n"); fprintf(stderr, "Failed to sign CSK keys block!\n");
return 1; return 1;
} }
/* Check that everything is correct */ /* Check that everything is correct */
if (verify_rsa_signature(sec_ext.kak_key, MAX_RSA_DER_BYTE_LEN, if (verify_rsa_signature(sec_ext.kak_key,
MAX_RSA_DER_BYTE_LEN,
&sec_ext.csk_keys[0][0], &sec_ext.csk_keys[0][0],
sizeof(sec_ext.csk_keys), sizeof(sec_ext.csk_keys),
opts.sec_opts->kak_key_file, opts.sec_opts->kak_key_file,
@ -1333,7 +1337,7 @@ int parse_image(uint8_t *buf, int size)
goto error; goto error;
} }
mbedtls_sha256(sec_entry->kak_key, mbedtls_sha256_ret(sec_entry->kak_key,
MAX_RSA_DER_BYTE_LEN, hash, 0); MAX_RSA_DER_BYTE_LEN, hash, 0);
fprintf(stdout, fprintf(stdout,
">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n"); ">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n");