From 2895c6fbb926f1a9ecfeefdff55dd2ea9f06ed9f Mon Sep 17 00:00:00 2001
From: Alex Plotnick
Date: Thu, 20 Apr 2023 12:42:37 -0600
Subject: [PATCH 1/2] Use new x509_cert::Certificate interface to lpc55_sign
---
 hubtools/Cargo.toml | 6 ++++--
 hubtools/src/lib.rs | 31 ++++++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/hubtools/Cargo.toml b/hubtools/Cargo.toml
index 83b7ac1..30bcbd9 100644
--- a/hubtools/Cargo.toml
+++ b/hubtools/Cargo.toml
@@ -10,10 +10,12 @@ packed_struct = { version = "0.10", default-features = false, features = ["std"] }
 path-slash = { version = "0.1", default-features = false }
 thiserror = { version = "1", default-features = false }
 toml = { version = "0.7", default-features = false, features = ["parse"] }
+x509-cert = { version = "0.2", default-features = false, features = ["std"] }
 zerocopy = { version = "0.6", default-features = false }
 zip = { version = "0.6", default-features = false, features = ["bzip2"] }
 tlvc = { git = "https://github.com/oxidecomputer/tlvc", default-features = false }
 tlvc-text = { git = "https://github.com/oxidecomputer/tlvc", default-features = false }
-lpc55_sign = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false, version = "0.2" }
-lpc55_areas = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false, version = "0.2" }
+# TODO: remove branch once lpc55_support#58 merges
+lpc55_sign = { git = "https://github.com/oxidecomputer/lpc55_support", branch = "rust-crypto", default-features = false, version = "0.2" }
+lpc55_areas = { git = "https://github.com/oxidecomputer/lpc55_support", branch = "rust-crypto", default-features = false, version = "0.2" }
diff --git a/hubtools/src/lib.rs b/hubtools/src/lib.rs
index 4a0ff23..c3ffe38 100644
--- a/hubtools/src/lib.rs
+++ b/hubtools/src/lib.rs
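Review bot: The `lpc55_sign` and `lpc55_areas` git dependencies in the `-10,10 +10,12` hunk of hubtools/Cargo.toml follow a moving ref (`branch = "rust-crypto"`) with no `rev`, so the commit that supplies the CMPA/CFPA generation and image-signing code is fixed only by whatever lockfile the builder happens to have. The Cargo.toml hunk in PATCH 2/2 drops the branch but still leaves both entries unpinned, now tracking the repository's default branch. Adding `rev = "<commit-sha placeholder>"` to both lines would make the signing code that gets built reviewable and reproducible. The `version = "0.2"` key does not pick a commit for a git source.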
@@ -5,6 +5,7 @@ use object::{Object, ObjectSection};
 use packed_struct::PackedStruct;
 use path_slash::PathBufExt;
 use thiserror::Error;
+use x509_cert::Certificate;
 use zerocopy::{AsBytes, FromBytes};
 use std::{
@@ -214,8 +215,8 @@ impl RawHubrisImage {
 pub fn sign(
 &mut self,
- signing_certs: Vec>,
- root_certs: Vec>,
+ signing_certs: Vec,
+ root_certs: Vec,
 private_key: &str,
 execution_address: u32,
 ) -> Result<(), Error> {
@@ -328,6 +329,9 @@ pub enum Error {
 #[error("wrong chip: expected lpc55, got {0}")]
 WrongChip(String),
+
+ #[error("certificates have unsupported {0}-bit public keys")]
+ UnsupportedKeySize(usize),
 }
 ////////////////////////////////////////////////////////////////////////////////
@@ -701,8 +705,8 @@ impl RawHubrisArchive {
 /// changes back to the archive on disk.
 pub fn sign(
 &mut self,
- signing_certs: Vec>,
- root_certs: Vec>,
+ signing_certs: Vec,
+ root_certs: Vec,
 private_key: &str,
 execution_address: u32,
 ) -> Result<(), Error> {
@@ -745,9 +749,16 @@ impl RawHubrisArchive {
 default_isp: lpc55_areas::DefaultIsp,
 speed: lpc55_areas::BootSpeed,
 boot_error_pin: lpc55_areas::BootErrorPin,
- root_certs: Vec>,
+ root_certs: Vec,
 ) -> Result<(), Error> {
- let rkth = lpc55_sign::signed_image::root_key_table_hash(root_certs)?;
+ let root_certs = lpc55_sign::signed_image::pad_roots(root_certs)?;
+ let use_rsa_4096 =
+ match lpc55_sign::signed_image::required_key_size(&root_certs)? {
+ Some(2048) | None => false,
+ Some(4096) => true,
+ Some(x) => return Err(Error::UnsupportedKeySize(x)),
+ };
+ let rkth = lpc55_sign::signed_image::root_key_table_hash(&root_certs)?;
 let cmpa = lpc55_sign::signed_image::generate_cmpa(
 dice,
 enable_secure_boot,
@@ -757,6 +768,7 @@ impl RawHubrisArchive {
 boot_error_pin,
 rkth,
 false,
+ use_rsa_4096,
 )?;
 if self.new_files.contains_key(CMPA_FILE)
 || self.extract_file(CMPA_FILE).is_ok()
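Review bot: In the `-745,9 +749,16` hunk the arm `Some(2048) | None => false` treats an undetermined key size the same as RSA-2048, and the code then hashes the padded roots and builds a CMPA from them. What `required_key_size` returns `None` for is not visible here; if it covers an empty `root_certs`, a CMPA generated with secure boot enabled would presumably carry a root key table hash computed over padding only. I would give `None` its own arm, at minimum `None => false, // TODO(review): document when required_key_size yields None and why RSA-2048 is the right default`, or return an error for it when secure boot is being enabled. In the following `-757,6 +768,7` hunk `use_rsa_4096` lands right after a bare `false`, so a short comment naming each positional flag would help keep the two from being swapped. The function's signature begins above both hunks.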
@@ -776,8 +788,13 @@ impl RawHubrisArchive {
 &mut self,
 settings: lpc55_areas::DebugSettings,
 revoke: [lpc55_areas::ROTKeyStatus; 4],
+ image_key_revoke: u16,
 ) -> Result<(), Error> {
- let cfpa = lpc55_sign::signed_image::generate_cfpa(settings, revoke)?;
+ let cfpa = lpc55_sign::signed_image::generate_cfpa(
+ settings,
+ revoke,
+ image_key_revoke,
+ )?;
 if self.new_files.contains_key(CFPA_FILE)
 || self.extract_file(CFPA_FILE).is_ok()
 {
From 7d683b925b4d821f1247d011122b8dfb98516254 Mon Sep 17 00:00:00 2001
From: Alex Plotnick
Date: Fri, 21 Apr 2023 09:26:48 -0600
Subject: [PATCH 2/2] Drop branch on lpc55_support
---
 hubtools/Cargo.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/hubtools/Cargo.toml b/hubtools/Cargo.toml
index 30bcbd9..9b88936 100644
--- a/hubtools/Cargo.toml
+++ b/hubtools/Cargo.toml
@@ -16,6 +16,5 @@ zip = { version = "0.6", default-features = false, features = ["bzip2"] }
 tlvc = { git = "https://github.com/oxidecomputer/tlvc", default-features = false }
 tlvc-text = { git = "https://github.com/oxidecomputer/tlvc", default-features = false }
-# TODO: remove branch once lpc55_support#58 merges
-lpc55_sign = { git = "https://github.com/oxidecomputer/lpc55_support", branch = "rust-crypto", default-features = false, version = "0.2" }
-lpc55_areas = { git = "https://github.com/oxidecomputer/lpc55_support", branch = "rust-crypto", default-features = false, version = "0.2" }
+lpc55_sign = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false, version = "0.2" }
+lpc55_areas = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false, version = "0.2" }
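Review bot: `image_key_revoke: u16` in the `-776,8 +788,13` hunk of hubtools/src/lib.rs is a bare integer forwarded unchanged to `generate_cfpa`, while the neighbouring `revoke` parameter is typed as `[lpc55_areas::ROTKeyStatus; 4]`. Nothing visible says which values are valid or how they map to image keys. Because the value ends up in the generated CFPA, a caller passing the wrong number changes the revocation state that is produced, so the parameter deserves a doc line such as `/// image_key_revoke: raw image-key revocation field for the CFPA; encoding is defined by lpc55_sign::signed_image::generate_cfpa`. A small wrapper type would go further, if the upstream crate offers or accepts one. The method's `fn` line and existing doc comment are above the hunk.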