[Bug 2078395] Re: [SRU] Add RSA3072 support to jammy

ethan.hsieh 2078395 at bugs.launchpad.net
Thu Sep 5 05:36:24 UTC 2024


** Description changed:

  [Impact]
  
  The mkimage command is used to create images for use with the U-Boot boot loader.
  mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.
+ 
+ Here is the error message:
+ $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
+ Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node
+ mkimage Can't add hashes to FIT blob: -1
  
  Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
  The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050
  
  [Test case]
  
  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
       ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
       ['sha256-pss-required', 'sha256', '-pss', None, True, False],
       ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
   ]
  
  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-
  suite
  
  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
  $ sudo mkimage -F -k keydir -f fdt.its test.dtb
  
  [Where problems could occur]
  
  The regression risk should be low because this patch just adds RSA3072
  support.
  
  [Other Info]
  
  The patch is already in Noble, so we only need to backport to Jammy
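
Review bot: Test Case 1 does not exercise the algorithm this SRU is about. The error text added under [Impact] names `(sha256,rsa3072)`, while step 2 asks verifiers to check "two new test cases for sha384", and the quoted test_vboot.py rows (`sha384-basic`, `sha384-pad`) vary only the hash name; nothing visible there selects a 3072-bit key. Either state which sandbox test row signs with rsa3072, or say explicitly that Test Case 2 is the only check of the new key size, so that verification cannot pass on the sha384 rows alone.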

** Description changed:

  [Impact]
  
  The mkimage command is used to create images for use with the U-Boot boot loader.
  mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.
  
  Here is the error message:
  $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
  Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node
  mkimage Can't add hashes to FIT blob: -1
  
  Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
  The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050
  
  [Test case]
  
  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
       ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
       ['sha256-pss-required', 'sha256', '-pss', None, True, False],
       ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
   ]
  
  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-
  suite
  
  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
- $ sudo mkimage -F -k keydir -f fdt.its test.dtb
+ $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
+ FIT description: Flattened Device Tree blob
+ Created:         Thu Sep  5 13:32:52 2024
+  Image 0 (fdt-mediatek_genio-510-evk.dtb)
+   Description:  Flattened Device Tree blob
+ ...
+   Sign algo:    sha256,rsa3072:u-boot-img
+  Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
+  Configuration 0 (conf-mediatek_genio-510-evk.dtb)
+   Description:  FDT blob
+   Kernel:       unavailable
+   FDT:          fdt-mediatek_genio-510-evk.dtb
+   Hash algo:    sha256
+   Hash value:   unavailable
+   Sign algo:    sha256,rsa3072:u-boot
+ ...
  
  [Where problems could occur]
  
  The regression risk should be low because this patch just adds RSA3072
  support.
  
  [Other Info]
  
  The patch is already in Noble, so we only need to backport to Jammy
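
Review bot: the Test Case 2 output added here shows that mkimage wrote `Sign algo:    sha256,rsa3072:...` entries, which confirms that signing no longer fails but not that the resulting signatures verify. Add a verification step with its expected output, for example running fit_check_sign on the produced file against a control dtb that carries the public key, or booting the image on a U-Boot build from the same package. The key directory `/home/ethan/keys/` is also specific to one machine; the `keydir` placeholder from the replaced line, plus a note on how the 3072-bit key was generated, would let someone else reproduce the case.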

** Description changed:

  [Impact]
  
  The mkimage command is used to create images for use with the U-Boot boot loader.
  mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.
  
  Here is the error message:
- $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
+ $ mkimage -F -k /home/ethan/keys/ -f fdt.its fdt.its apusys.dtbo
  Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node
  mkimage Can't add hashes to FIT blob: -1
  
  Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
  The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050
  
  [Test case]
  
  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
       ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
       ['sha256-pss-required', 'sha256', '-pss', None, True, False],
       ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
   ]
  
  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-
  suite
  
  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
  $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
  FIT description: Flattened Device Tree blob
  Created:         Thu Sep  5 13:32:52 2024
-  Image 0 (fdt-mediatek_genio-510-evk.dtb)
-   Description:  Flattened Device Tree blob
+  Image 0 (fdt-mediatek_genio-510-evk.dtb)
+   Description:  Flattened Device Tree blob
  ...
-   Sign algo:    sha256,rsa3072:u-boot-img
-  Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
-  Configuration 0 (conf-mediatek_genio-510-evk.dtb)
-   Description:  FDT blob
-   Kernel:       unavailable
-   FDT:          fdt-mediatek_genio-510-evk.dtb
-   Hash algo:    sha256
-   Hash value:   unavailable
-   Sign algo:    sha256,rsa3072:u-boot
+   Sign algo:    sha256,rsa3072:u-boot-img
+  Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
+  Configuration 0 (conf-mediatek_genio-510-evk.dtb)
+   Description:  FDT blob
+   Kernel:       unavailable
+   FDT:          fdt-mediatek_genio-510-evk.dtb
+   Hash algo:    sha256
+   Hash value:   unavailable
+   Sign algo:    sha256,rsa3072:u-boot
  ...
  
  [Where problems could occur]
  
  The regression risk should be low because this patch just adds RSA3072
  support.
  
  [Other Info]
  
  The patch is already in Noble, so we only need to backport to Jammy
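
Review bot: the replacement command under [Impact] now reads `-f fdt.its fdt.its apusys.dtbo`, so `fdt.its` is given twice. The output name now matches the `fdt-mediatek_apusys.dtbo` node named in the error, so the intent is probably `-f fdt.its apusys.dtbo`; please confirm against the command that was actually run. The remaining -/+ pairs in Test Case 2 show no visible difference and appear to be whitespace-only, which adds noise to the SRU record without changing the test.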

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2078395

Title:
  [SRU] Add RSA3072 support to jammy

Status in u-boot package in Ubuntu:
  Fix Released
Status in u-boot source package in Jammy:
  Incomplete

Bug description:
  [Impact]

  The mkimage command is used to create images for use with the U-Boot boot loader.
  mkimage on jammy doesn't support RSA3072. Users cannot sign the fitimage with RSA3072.

  Here is the error message:
  $ mkimage -F -k /home/ethan/keys/ -f fdt.its fdt.its apusys.dtbo
  Unsupported signature algorithm (sha256,rsa3072) for 'signature-1' signature node in 'fdt-mediatek_apusys.dtbo' image node
  mkimage Can't add hashes to FIT blob: -1

  Currently, U-Boot on jammy already supports RSA2048 and RSA4096. The following patch is just to add RSA3072 support.
  The patch for adding RSA3072 support:
  https://github.com/u-boot/u-boot/commit/2a4b0d5890deb0c973f8db7bb03adad96aff1050

  [Test case]

  Test Case 1:
  1. Install packages required for the sandbox test
  $ sudo apt install efitools libguestfs-tools libsdl2-dev python3-pycryptodome
  2. Run sandbox test to check if two new test cases for sha384 pass.
  $ ./test/py/test.py --bd sandbox --build
  test/py/tests/test_vboot.py
  @@ -45,6 +45,8 @@ TESTDATA = [
       ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
       ['sha256-pss-required', 'sha256', '-pss', None, True, False],
       ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
  +    ['sha384-basic', 'sha384', '', None, False, False],
  +    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
   ]

  https://u-boot.readthedocs.io/en/latest/develop/testing.html#pytest-suite

  Test Case 2:
  Create a test fitimage and sign with rsa3072 algorithm.
  $ mkimage -F -k /home/ethan/keys/ -f fdt.its genio-510-evk.dtb
  FIT description: Flattened Device Tree blob
  Created:         Thu Sep  5 13:32:52 2024
   Image 0 (fdt-mediatek_genio-510-evk.dtb)
    Description:  Flattened Device Tree blob
  ...
    Sign algo:    sha256,rsa3072:u-boot-img
   Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
   Configuration 0 (conf-mediatek_genio-510-evk.dtb)
    Description:  FDT blob
    Kernel:       unavailable
    FDT:          fdt-mediatek_genio-510-evk.dtb
    Hash algo:    sha256
    Hash value:   unavailable
    Sign algo:    sha256,rsa3072:u-boot
  ...

  [Where problems could occur]

  The regression risk should be low because this patch just adds RSA3072
  support.

  [Other Info]

  The patch is already in Noble, so we only need to backport to Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/2078395/+subscriptions
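
An added example, not part of the bug report or of U-Boot's own code: a Python check over a mkimage listing like the one in Test Case 2, flagging nodes that are unsigned or signed with an algorithm or key name outside an allow-list. The sample listing, the function names and the policy (every image and configuration must be signed) are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the Test Case 2 listing in the report; the
# unsigned overlay image and the rsa2048 configuration are made up for the demo.
SAMPLE_LISTING = """\
FIT description: Flattened Device Tree blob
 Image 0 (fdt-mediatek_genio-510-evk.dtb)
  Description:  Flattened Device Tree blob
  Sign algo:    sha256,rsa3072:u-boot-img
 Image 1 (fdt-mediatek_apusys.dtbo)
  Hash algo:    sha256
 Default Configuration: 'conf-mediatek_genio-510-evk.dtb'
 Configuration 0 (conf-mediatek_genio-510-evk.dtb)
  FDT:          fdt-mediatek_genio-510-evk.dtb
  Sign algo:    sha256,rsa2048:u-boot
"""

NODE_RE = re.compile(r"^\s*(?P<kind>Image|Configuration) \d+ \((?P<name>[^)]+)\)\s*$")
SIGN_RE = re.compile(r"^\s*Sign algo:\s+(?P<algo>[\w-]+,[\w-]+)(?::(?P<key>\S+))?\s*$")

def parse_sign_algos(listing):
    """Return {"kind:name": [(algo, key_name_or_None), ...]} per FIT node."""
    nodes, current = {}, None
    for line in listing.splitlines():
        node = NODE_RE.match(line)
        if node:
            current = f"{node['kind'].lower()}:{node['name']}"
            nodes[current] = []
            continue
        sig = SIGN_RE.match(line)
        if sig and current is not None:
            nodes[current].append((sig["algo"], sig["key"]))
    return nodes

def policy_violations(listing, allowed_algos, allowed_keys):
    """List nodes that are unsigned or signed outside the (assumed) policy."""
    nodes = parse_sign_algos(listing)
    if not nodes:  # e.g. mkimage printed an error instead of a listing
        return ["no image or configuration nodes found in listing"]
    problems = []
    for node, sigs in nodes.items():
        if not sigs:
            problems.append(f"{node}: no signature")
        for algo, key in sigs:
            if algo not in allowed_algos:
                problems.append(f"{node}: algorithm {algo} not allowed")
            if key not in allowed_keys:
                problems.append(f"{node}: key name {key} not allowed")
    return problems

if __name__ == "__main__":
    for problem in policy_violations(SAMPLE_LISTING, {"sha256,rsa3072"}, {"u-boot-img", "u-boot"}):
        print(problem)
```

A clean result only means the expected signature nodes are present in the listing; it does not show that the signatures verify against the public key.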



