
Issue 684354


Issue metadata

Status: Verified
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 689371




futility: Add support for exponent 3 RSA keys

Project Member Reported by drinkcat@chromium.org, Jan 24 2017

Issue description

There are 2 types of RSA keys in the EC repository:
 - exponent F4 (0x10001), example board/hoho/dev_key.pem
 - exponent 3, example board/hammer/dev_key.pem

# openssl rsa -in hoho/dev_key.pem -noout -text | grep publicExponent
publicExponent: 65537 (0x10001)
# openssl rsa -in hammer/dev_key.pem -noout -text | grep publicExponent
publicExponent: 3 (0x3)

We'd like to use exponent 3 keys for faster signature verification; however, futility does not seem to support it.

Basically, these instructions fail with an exponent 3 key:

futility create --desc "Key One" board/hoho/dev_key.pem foo

#Sign a RW binary and build a complete image out of the parts:
dd if=/dev/zero bs=$((65536 - 1024)) count=1 of=rw.bin
dd if=build/hammer/RW/ec.RW.flat of=rw.bin conv=notrunc

futility sign --type rwsig --prikey foo.vbprik2 build/hammer/RW/ec.RW.flat rw.bin.signed

dd if=/dev/zero bs=65536 count=1 of=image.bin
dd if=rw.bin of=image.bin conv=notrunc
dd if=rw.bin.signed bs=$((65536 - 1024)) seek=1 of=image.bin conv=notrunc
   
futility show --type rwsig --pubkey foo.vbpubk2 image.bin
 
We'll need to add a new signature type to vboot for exponent 3.  There's some support for it in the context of the BDB, but it's not plumbed in for futility or the rest of vboot.

Until this gets implemented, you're stuck with 65537.

Owner: drinkcat@chromium.org
Status: Started (was: Available)
Blockedon: 689371
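
Added example (not part of the original issue or of the vboot code): the cost difference behind the request for exponent 3 keys, counted as modular multiplications in a generic square-and-multiply verification. The toy primes, the sample digest and all function names are assumptions made for illustration, and the signature is textbook RSA with no padding.

```python
# Added illustration: generic square-and-multiply, not vboot's 2rsa.c.
# Toy key built from two small primes (constructed, insecure) chosen so that
# both e = 3 and e = 65537 are valid exponents for the same modulus.
P, Q = 7919, 104729
N = P * Q
PHI = (P - 1) * (Q - 1)


def modexp_count(base, exp, mod):
    """Left-to-right square-and-multiply.

    Returns (base**exp % mod, number of modular multiplications performed).
    """
    result = base % mod
    mults = 0
    for bit in bin(exp)[3:]:          # skip '0b' and the leading 1 bit
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults


def sign(digest, e):
    """Textbook RSA signature (no padding) with the private exponent for e."""
    d = pow(e, -1, PHI)               # modular inverse, Python 3.8+
    return pow(digest, d, N)


def verify(digest, signature, e):
    """Return (signature is valid, modular multiplications the check cost)."""
    recovered, mults = modexp_count(signature, e, N)
    return recovered == digest % N, mults


def compare(digest=123456789):
    """Verification result and cost for the two exponents named in the issue."""
    return {e: verify(digest, sign(digest, e), e) for e in (3, 65537)}


if __name__ == "__main__":
    for e, (ok, mults) in compare().items():
        print(f"e={e:<6} valid={ok} modular multiplications={mults}")
```

With this method a verification under exponent 3 costs 2 modular multiplications, against 17 under 65537, independent of the modulus size.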
Project Member

Comment 4 by bugdroid1@chromium.org, Feb 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/3ac811d4a580449c7a389264975d5fce44cd1d78

commit 3ac811d4a580449c7a389264975d5fce44cd1d78
Author: Nicolas Boichat <drinkcat@google.com>
Date: Sat Feb 11 10:42:02 2017

gen_test_keys.sh: Fixup key_index when keys already exist

BRANCH=none
BUG= chromium:684354 
TEST=rm tests/testkeys/key_rsa2048*; make genkeys -j8

Change-Id: I6c75d2d54faf7a02c8fc4ef1ccc8647809c1aae8
Reviewed-on: https://chromium-review.googlesource.com/438949
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>

[modify] https://crrev.com/3ac811d4a580449c7a389264975d5fce44cd1d78/tests/gen_test_keys.sh

Project Member

Comment 5 by bugdroid1@chromium.org, Feb 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/d02ae3899c1644bc9f866cb0b0f7e9d6f5842e8f

commit d02ae3899c1644bc9f866cb0b0f7e9d6f5842e8f
Author: Nicolas Boichat <drinkcat@google.com>
Date: Sat Feb 11 10:42:01 2017

Makefile: Add gentestcases target

This calls gen_test_cases.sh in the proper environment.

Also, prevent gen_test_cases.sh from overriding test_file, to
provide stable signature (and avoid large git diff for no reason).

BRANCH=none
BUG= chromium:684354 
TEST=make gentestcases -j8; git diff => no changes

Change-Id: I556285fd1a07a4d84f4ebd3fd7881ae06743716e
Reviewed-on: https://chromium-review.googlesource.com/439064
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/d02ae3899c1644bc9f866cb0b0f7e9d6f5842e8f/Makefile
[modify] https://crrev.com/d02ae3899c1644bc9f866cb0b0f7e9d6f5842e8f/tests/gen_test_cases.sh

Project Member

Comment 6 by bugdroid1@chromium.org, Feb 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/f3101060309281da2095744ca77a84e3d9703755

commit f3101060309281da2095744ca77a84e3d9703755
Author: Nicolas Boichat <drinkcat@google.com>
Date: Sat Feb 11 12:21:57 2017

tests: Add simple test for rwsig images

This tests that futility can correctly create and verify rwsig images.
Note that we do not test RSA 8192, as the signature is longer than
1024 bytes, and the test logic would need to be changed.

BRANCH=none
BUG= chromium:684354 
TEST=make runfutiltests

Change-Id: I690e59fe8fa3e273dd81176211c58e1677fa720f
Reviewed-on: https://chromium-review.googlesource.com/438950
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>

[add] https://crrev.com/f3101060309281da2095744ca77a84e3d9703755/tests/futility/test_show_rwsig.sh
[modify] https://crrev.com/f3101060309281da2095744ca77a84e3d9703755/tests/futility/run_test_scripts.sh

Project Member

Comment 7 by bugdroid1@chromium.org, Feb 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/8c53e881f8849c5458ba71ff954d8edfc70d6052

commit 8c53e881f8849c5458ba71ff954d8edfc70d6052
Author: Nicolas Boichat <drinkcat@google.com>
Date: Wed Feb 15 18:47:29 2017

host_key2: Add VB2_SIG_ALG_COUNT to count the number of valid signatures

More reliable than simply assuming that VB2_SIG_RSA8192 is the last
signature.

BRANCH=none
BUG= chromium:684354 
TEST=rm tests/testkeys/key_*; make genkeys -j
TEST=make runtests -j

Change-Id: I755b3afb50313fcdf292fb3cd5b0dfe09f8593e3
Reviewed-on: https://chromium-review.googlesource.com/438948
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/8c53e881f8849c5458ba71ff954d8edfc70d6052/firmware/2lib/include/2crypto.h
[modify] https://crrev.com/8c53e881f8849c5458ba71ff954d8edfc70d6052/host/lib/host_key2.c

Project Member

Comment 8 by bugdroid1@chromium.org, Feb 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/83bd850f3fd45648bb811f6080efac396c8a2062

commit 83bd850f3fd45648bb811f6080efac396c8a2062
Author: Nicolas Boichat <drinkcat@google.com>
Date: Sat Feb 18 08:39:28 2017

vboot_reference: Add support for 2048-bit exponent 3 keys

This also adds the required tests (keys, testcases).

BRANCH=none
BUG= chromium:684354 
TEST=make runtests

Change-Id: I5e148f8792ea325f813d76089271f3c4bcc2935d
Reviewed-on: https://chromium-review.googlesource.com/438951
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/firmware/2lib/2sha_utility.c
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testcases/test_file.rsa2048_exp3_sha256.sig
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha256.vbpubk
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testcases/test_file.rsa2048_exp3_sha512.sig
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testcases/test_file.rsa2048_exp3_sha1.sig
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/host/lib21/host_key.c
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/firmware/2lib/include/2crypto.h
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.crt
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/gen_test_keys.sh
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.keyb
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha256.vbprivk
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/utility/dumpRSAPublicKey.c
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha1.vbpubk
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha512.vbprivk
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/common.sh
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/firmware/2lib/2rsa.c
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/futility/test_show_rwsig.sh
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha1.vbprivk
[modify] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/futility/file_type_usbpd1.c
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.sha512.vbpubk
[add] https://crrev.com/83bd850f3fd45648bb811f6080efac396c8a2062/tests/testkeys/key_rsa2048_exp3.pem

Status: Verified (was: Started)
Good enough for now. We'll probably add RSA-3072 exponent 3 support later on.
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b

commit a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b
Author: Nicolas Boichat <drinkcat@google.com>
Date: Thu Mar 16 18:25:47 2017

vboot_reference: Add support for 3072-bit exponent 3 keys

This also adds the required tests (keys, testcases), and some
additional tests in vb2_rsa_utility_tests.c that were not
added when 2048-bit exponent 3 support was added.

BRANCH=none
BUG= chromium:684354 
TEST=make runtests

Change-Id: I56d22302c2254ef500b9d2d290a79d8c8bc39942
Reviewed-on: https://chromium-review.googlesource.com/449060
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/firmware/2lib/2sha_utility.c
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha512.vbpubk
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testcases/test_file.rsa3072_exp3_sha512.sig
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha1.vbpubk
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.crt
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/host/lib21/host_key.c
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testcases/test_file.rsa3072_exp3_sha256.sig
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/firmware/2lib/include/2crypto.h
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/rsa_padding_test.h
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/utility/dumpRSAPublicKey.c
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.pem
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha1.vbprivk
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.keyb
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/vb2_rsa_utility_tests.c
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/common.sh
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha256.vbpubk
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/firmware/2lib/2rsa.c
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha512.vbprivk
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testkeys/key_rsa3072_exp3.sha256.vbprivk
[add] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/testcases/test_file.rsa3072_exp3_sha1.sig
[modify] https://crrev.com/a1c5f7c006b7bb3d5894f132f70ba3bbadfd9d6b/tests/futility/test_rwsig.sh
