[Bug 2078395] Re: [SRU] Add RSA3072 support to jammy

ethan.hsieh 2078395 at bugs.launchpad.net
Thu Sep 5 02:07:00 UTC 2024 

Hi Robie,

>> mkimage on jammy doesn't support RSA3072.
> This does not explain the impact on users. Please explain why the regression risk of changing a stable release is justified.
Users cannot sign the fitimage with RSA3072.

Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050

>> Create a test fitimage and sign with rsa3072 algorithm.
> How?
Please see test cases in the bug description.
1. Test case 1
Two new sandbox tests are added for verifying algo "sha384,rsa3072".
2. Test case 2
$ sudo mkimage -F -k keydir -f fdt.its test.dtb
I'll sign the test fitimage with rsa3072. For fdt.its, please see the attached file.


** Attachment added: "fdt.its"
   https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/2078395/+attachment/5813558/+files/fdt.its

** Description changed:

  [Impact]
  
  The mkimage command is used to create images for use with the U-Boot boot loader.
- mkimage on jammy doesn't support RSA3072.
+ mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.
  
- The patch for adding RSA3072 support
+ Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
+ The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050
  
  [Test case]
  
  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
-      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
-      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
-      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+      ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
+      ['sha256-pss-required', 'sha256', '-pss', None, True, False],
+      ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
-  ]
+  ]
  
  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-
  suite
  
  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
  $ sudo mkimage -F -k keydir -f fdt.its test.dtb
  
  [Where problems could occur]
  
  The regression risk should be low because this patch just adds RSA3072
  support.
  
  [Other Info]
  
  The patch is already in Noble, so we only need to backport to Jammy

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2078395

Title:
  [SRU] Add RSA3072 support to jammy

Status in u-boot package in Ubuntu:
  Fix Released
Status in u-boot source package in Jammy:
  Incomplete

Bug description:
  [Impact]

  The mkimage command is used to create images for use with the U-Boot boot loader.
  mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.

  Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
  The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050

  [Test case]

  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
       ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
       ['sha256-pss-required', 'sha256', '-pss', None, True, False],
       ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
   ]

  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-
  suite

  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
  $ sudo mkimage -F -k keydir -f fdt.its test.dtb

  [Where problems could occur]

  The regression risk should be low because this patch just adds RSA3072
  support.

  [Other Info]

  The patch is already in Noble, so we only need to backport to Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/2078395/+subscriptions

More information about the Ubuntu-sponsors mailing list