[Bug 2078395] Re: [SRU] Add RSA3072 support to jammy
Timo Aaltonen
2078395 at bugs.launchpad.net
Fri Sep 13 15:26:45 UTC 2024
Hello ethan.hsieh, or anyone else affected,
Accepted u-boot into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/u-boot/2022.01+dfsg-2ubuntu2.6 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: u-boot (Ubuntu Jammy)
Status: Incomplete => Fix Committed
** Tags added: verification-needed verification-needed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to u-boot in Ubuntu.
https://bugs.launchpad.net/bugs/2078395
Title:
[SRU] Add RSA3072 support to jammy
Status in u-boot package in Ubuntu:
Fix Released
Status in u-boot source package in Jammy:
Fix Committed
Bug description:
[Impact]
The mkimage command is used to create images for use with the U-Boot boot loader.
mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.
Here is the error message:
$ mkimage -F -k /home/ethan/keys/ -f fdt.its fdt.its apusys.dtbo
Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node
mkimage Can't add hashes to FIT blob: -1
Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
The patch for adding RSA3072 support:
https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050
[Test case]
Test Case 1:
1. Install packages required for the sandbox test
$ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
2. Run sandbox test to check if two new test cases for sha384 pass.
$ ./test/py/test.py --bd sandbox --build
test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@ TESTDATA = [
['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
['sha256-pss-required', 'sha256', '-pss', None, True, False],
['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+ ['sha384-basic', 'sha384', '', None, False, False],
+ ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
]
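Review bot: the two added TESTDATA rows ('sha384-basic', 'sha384-pad') are named after the hash only, so nothing in this hunk shows that they exercise RSA3072, which is what this SRU is about; consider putting the key size in the test id or stating in the test case text which key size the sha384 cases sign with. The new rows also use only the '' value in the third column with the fifth column False, while the sha256 rows directly above have '-pss' and required variants; if sha384 with '-pss' or a required key is expected to work, add matching rows, otherwise note why they are left out.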
https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-suite
Test Case 2:
Create a test fitimage and sign with rsa3072 algorithm.
$ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
FIT description: Flattened Device Tree blob
Created: Thu Sep 5 13:32:52 2024
Image 0 (fdt-mediatek_genio-510-evk.dtb)
Description: Flattened Device Tree blob
...
Sign algo: sha256,rsa3072:u-boot-img
Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
Configuration 0 (conf-mediatek_genio-510-evk.dtb)
Description: FDT blob
Kernel: unavailable
FDT: fdt-mediatek_genio-510-evk.dtb
Hash algo: sha256
Hash value: unavailable
Sign algo: sha256,rsa3072:u-boot
...
[Where problems could occur]
The regression risk should be low because this patch just adds RSA3072
support.
[Other Info]
The patch is already in Noble, so we only need to backport to Jammy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/2078395/+subscriptions
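Added example (not part of the bug report or of U-Boot): a pre-flight check that lists the signature nodes in a .its source whose RSA key size mkimage would reject, using the supported sizes stated in the bug description. The sample .its, the function names and the one-statement-per-line parsing are assumptions made for illustration.

```python
import re

# Key sizes as stated in the bug description: jammy's mkimage handles
# rsa2048 and rsa4096; the SRU patch adds rsa3072.
JAMMY_BEFORE_SRU = {"rsa2048", "rsa4096"}
JAMMY_AFTER_SRU = JAMMY_BEFORE_SRU | {"rsa3072"}

NODE_OPEN = re.compile(r'^\s*([\w,.@+/-]+)\s*\{')
ALGO_PROP = re.compile(r'^\s*algo\s*=\s*"([^"]+)"\s*;')

# Constructed sample .its, modelled on the node names in the error message.
SAMPLE_ITS = '''/dts-v1/;
/ {
    description = "Flattened Device Tree blob";
    images {
        fdt-mediatek_apusys.dtbo {
            type = "flat_dt";
            hash-1 {
                algo = "sha256";
            };
            signature-1 {
                algo = "sha256,rsa3072";
                key-name-hint = "u-boot-img";
            };
        };
    };
};
'''

def signature_algos(its_text):
    """Yield (node path, algo) for each signature* node.
    Assumes one node opening, property or closing brace per line."""
    stack = []
    for line in its_text.splitlines():
        m = NODE_OPEN.match(line)
        if m:
            stack.append(m.group(1).strip("/"))  # root "/" becomes ""
            continue
        m = ALGO_PROP.match(line)
        if m and stack and stack[-1].startswith("signature"):
            yield "/".join(stack), m.group(1)
        if "};" in line and stack:
            stack.pop()

def unsupported(its_text, supported_rsa):
    """Return [(node path, algo)] whose crypto part is not in supported_rsa."""
    return [(path, algo) for path, algo in signature_algos(its_text)
            if algo.split(",")[-1].strip() not in supported_rsa]

if __name__ == "__main__":
    for path, algo in unsupported(SAMPLE_ITS, JAMMY_BEFORE_SRU):
        print(f"{path}: {algo} is not supported by this mkimage")
```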