From patchwork Sun Oct 19 07:23:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Simon Glass X-Patchwork-Id: 626 Return-Path: X-Original-To: u-boot-concept@u-boot.org Delivered-To: u-boot-concept@u-boot.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1760858627; bh=ZldZuoQS/DHhLI4pXVSKClkt6/BoltzSq06gcFTCYNw=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=nvgUeoAWdXpHtZuTe0zoVJaP4Ph9/vVk73eM13syO09gLFprdsomM+CrxhpTWpNbj /e9MQQbakVMJYMfJUsfGD5yOqNcmAOFVy4s7G6y5n9IX4mVUKNi2qATATm8ASYxrJo QJKjofYkISu5ralSUsqszl+ScNQQ18y1dmVDZrYyHfV4G2me7DmWx4p30qin19Px7o ES1/8Fou4SGuuO9HOWVV8FsVDiE7XLQcKhi2oKdtpOJ17/hvmHn00cIAnFd7CL8Mt4 kK0XmWdAwxy4ML7AdVHap8+bKJFhcfG+Tqy3m/y4PWl1QfXI3s0Lgo62vLb2jXkcb0 hvOlNb/kG+T0A== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id 5F86F681B1 for ; Sun, 19 Oct 2025 01:23:47 -0600 (MDT) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP id mHkCTpDZp9Pw for ; Sun, 19 Oct 2025 01:23:47 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1760858627; bh=ZldZuoQS/DHhLI4pXVSKClkt6/BoltzSq06gcFTCYNw=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=nvgUeoAWdXpHtZuTe0zoVJaP4Ph9/vVk73eM13syO09gLFprdsomM+CrxhpTWpNbj /e9MQQbakVMJYMfJUsfGD5yOqNcmAOFVy4s7G6y5n9IX4mVUKNi2qATATm8ASYxrJo QJKjofYkISu5ralSUsqszl+ScNQQ18y1dmVDZrYyHfV4G2me7DmWx4p30qin19Px7o ES1/8Fou4SGuuO9HOWVV8FsVDiE7XLQcKhi2oKdtpOJ17/hvmHn00cIAnFd7CL8Mt4 kK0XmWdAwxy4ML7AdVHap8+bKJFhcfG+Tqy3m/y4PWl1QfXI3s0Lgo62vLb2jXkcb0 hvOlNb/kG+T0A== Received: from mail.u-boot.org (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id 4C1B268198 for ; Sun, 19 Oct 2025 01:23:47 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1760858625; bh=Zk80KOaxlHse9B+IZX67nVGoV3JKY3WZuXxu8Pg23Pc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r7z9Odg7fBr+dqcX5Ml8/fodtRfibQxIxcolIpiSx+04GrgGP6+i4oVowooTwamnQ Z3ZJnf+EQAM8aHUxh+tysWpW4Mus5ZEOT0ZsNEwStC6Zl4If5ZAyYwlwR/Gu+4aA6G O9dR8/AMPAmYC8o+Cn5JtKeC8ZD1Sus7taL8c86aQ/Dm+vgJFSkvrnc+IixNDlXjL/ XqZQjcO6SFJYl3nEj2XGyOtrp+vTxYQ1pLMAM+UfHNK+RGI3yEdayjtOF9lEA2ef4b +IahFx5hWIzq0yGWtFwV7gWzR4X8MEc1si14kXMACbEf+tKVwYuuClttFIQH9Vy39Y ZTz0vQ5ChdudQ== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id 572C46807A; Sun, 19 Oct 2025 01:23:45 -0600 (MDT) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP id hsbrf5-ggldC; Sun, 19 Oct 2025 01:23:45 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1760858621; bh=jsFasjvyW+z8ANAiBPpnFUgpe76u12sMSPTeJ7ga/kg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZtoA/gXkNdA8FyqZ15P54u5xQoTJXn4YX/svnRoxbxZPp+m391DA3CMNxbW3oTh7N sdk/goE6Zuh65Dqv78cKhQGtjuQ5uLMlWNAyXml9aZNK8CYgrGGkKmCo+zKRJylDGx xYUnNZxh8zlHKl7vH1XrF8NLofHi5avFUPqllT76DgpT0rI7J0U0y3EEJfBuxoR5Ic P7y2tlE5jpcGCKYs6gnUY5byq8XQrSntLV3C4L/9MhqR1fmyj32y+GmGL6FbLYLjiZ 3GiU2kH7EEwXl8tet+WMP0RriPNLHIVISDaillUHIBVTbQqRxpk06q0YC3kpYA8nnk UTZI5j+XHxVvw== Received: from u-boot.org (unknown [73.34.74.121]) by mail.u-boot.org (Postfix) with ESMTPSA id D3B9F6810E; Sun, 19 Oct 2025 01:23:40 -0600 (MDT) From: Simon Glass To: U-Boot Concept Date: Sun, 19 Oct 2025 01:23:02 -0600 Message-ID: <20251019072313.3235339-3-sjg@u-boot.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251019072313.3235339-1-sjg@u-boot.org> References: <20251019072313.3235339-1-sjg@u-boot.org> MIME-Version: 1.0 Message-ID-Hash: UWE3J2TW2KH3M7BBDIYXD4TKU5UFD2DZ X-Message-ID-Hash: UWE3J2TW2KH3M7BBDIYXD4TKU5UFD2DZ X-MailFrom: sjg@u-boot.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Simon Glass , Claude X-Mailman-Version: 3.3.10 Precedence: list Subject: [Concept] [PATCH 2/8] lib: Add blake2s support for TKey USS derivation List-Id: Discussion and patches related to U-Boot Concept Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Simon Glass The TKey User-Supplied Secret (USS) feature requires blake2s hashing to derive app-specific secrets. Add blake2s implementation alongside the existing blake2b support. The blake2s implementation is ported from the reference BLAKE2 implementation at https://github.com/BLAKE2/BLAKE2 Co-developed-by: Claude Signed-off-by: Simon Glass --- include/u-boot/blake2.h | 51 +++++++- lib/Makefile | 2 +- lib/blake2/blake2s.c | 282 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 331 insertions(+), 4 deletions(-) create mode 100644 lib/blake2/blake2s.c diff --git a/include/u-boot/blake2.h b/include/u-boot/blake2.h index 4984023a1a2..d4d88744eaf 100644 --- a/include/u-boot/blake2.h +++ b/include/u-boot/blake2.h @@ -19,9 +19,7 @@ * Modifications includes: * * - Remove unsupported compilers like MSC/CPP - * - Remove blake2s/blake2sp/blake2bp - * This blake2 implementation is mostly for btrfs, which only utilizes - * blake2b. + * - Added blake2s for TKey USS support */ #ifndef BLAKE2_H #define BLAKE2_H @@ -91,4 +89,51 @@ /* This is simply an alias for blake2b */ int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); + enum blake2s_constant + { + BLAKE2S_BLOCKBYTES = 64, + BLAKE2S_OUTBYTES = 32, + BLAKE2S_KEYBYTES = 32, + BLAKE2S_SALTBYTES = 8, + BLAKE2S_PERSONALBYTES = 8 + }; + + typedef struct blake2s_state__ + { + uint32_t h[8]; + uint32_t t[2]; + uint32_t f[2]; + uint8_t buf[BLAKE2S_BLOCKBYTES]; + size_t buflen; + size_t outlen; + uint8_t last_node; + } blake2s_state; + + BLAKE2_PACKED(struct blake2s_param__ + { + uint8_t digest_length; /* 1 */ + uint8_t key_length; /* 2 */ + uint8_t fanout; /* 3 */ + uint8_t depth; /* 4 */ + uint32_t leaf_length; /* 8 */ + uint32_t node_offset; /* 12 */ + uint16_t xof_length; /* 14 */ + uint8_t node_depth; /* 15 */ + uint8_t inner_length; /* 16 */ + uint8_t salt[BLAKE2S_SALTBYTES]; /* 24 */ + uint8_t personal[BLAKE2S_PERSONALBYTES]; /* 32 */ + }); + + typedef struct blake2s_param__ blake2s_param; + + /* Streaming API */ + int blake2s_init( blake2s_state *S, size_t outlen ); + int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ); + int blake2s_init_param( blake2s_state *S, const blake2s_param *P ); + int blake2s_update( blake2s_state *S, const void *in, size_t inlen ); + int blake2s_final( blake2s_state *S, void *out, size_t outlen ); + + /* Simple API */ + int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); + #endif diff --git a/lib/Makefile b/lib/Makefile index fd18002181d..43df5733ffd 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -79,7 +79,7 @@ obj-$(CONFIG_$(PHASE_)ACPI) += acpi/ obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(PHASE_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o -obj-$(CONFIG_BLAKE2) += blake2/blake2b.o +obj-$(CONFIG_BLAKE2) += blake2/blake2b.o blake2/blake2s.o obj-$(CONFIG_$(PHASE_)MD5_LEGACY) += md5.o obj-$(CONFIG_$(PHASE_)SHA1_LEGACY) += sha1.o diff --git a/lib/blake2/blake2s.c b/lib/blake2/blake2s.c new file mode 100644 index 00000000000..eebc369fae8 --- /dev/null +++ b/lib/blake2/blake2s.c @@ -0,0 +1,282 @@ +/* SPDX-License-Identifier: CC0-1.0 */ +/* + BLAKE2 reference source code package - reference C implementations + + Copyright 2012, Samuel Neves . You may use this under the + terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + your option. The terms of these licenses can be found at: + + - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + - OpenSSL license : https://www.openssl.org/source/license.html + - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + + More information about the BLAKE2 hash function can be found at + https://blake2.net. +*/ + +/* + * Cross-ported from BLAKE2 (https://github.com/BLAKE2/BLAKE2). + * Modifications includes: + * + * - Remove unused features like selftest + * - Use u-boot library functions/macros + */ +#include +#include +#include +#include +#include "blake2-impl.h" + +static const uint32_t blake2s_IV[8] = +{ + 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, + 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL +}; + +static const uint8_t blake2s_sigma[10][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , +}; + +static void blake2s_set_lastnode( blake2s_state *S ) +{ + S->f[1] = (uint32_t)-1; +} + +static int blake2s_is_lastblock( const blake2s_state *S ) +{ + return S->f[0] != 0; +} + +static void blake2s_set_lastblock( blake2s_state *S ) +{ + if( S->last_node ) blake2s_set_lastnode( S ); + + S->f[0] = (uint32_t)-1; +} + +static void blake2s_increment_counter( blake2s_state *S, const uint32_t inc ) +{ + S->t[0] += inc; + S->t[1] += ( S->t[0] < inc ); +} + +static void blake2s_init0( blake2s_state *S ) +{ + size_t i; + memset( S, 0, sizeof( blake2s_state ) ); + + for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i]; +} + +int blake2s_init_param( blake2s_state *S, const blake2s_param *P ) +{ + const unsigned char *p = ( const unsigned char * )( P ); + size_t i; + + blake2s_init0( S ); + + for( i = 0; i < 8; ++i ) + S->h[i] ^= load32( &p[i * 4] ); + + S->outlen = P->digest_length; + return 0; +} + +int blake2s_init( blake2s_state *S, size_t outlen ) +{ + blake2s_param P[1]; + + if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store16( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + return blake2s_init_param( S, P ); +} + +int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ) +{ + blake2s_param P[1]; + + if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1; + + if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = (uint8_t)keylen; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store16( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + + if( blake2s_init_param( S, P ) < 0 ) return -1; + + { + uint8_t block[BLAKE2S_BLOCKBYTES]; + memset( block, 0, BLAKE2S_BLOCKBYTES ); + memcpy( block, key, keylen ); + blake2s_update( S, block, BLAKE2S_BLOCKBYTES ); + memset( block, 0, BLAKE2S_BLOCKBYTES ); + } + return 0; +} + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = rotr32(d ^ a, 16); \ + c = c + d; \ + b = rotr32(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = rotr32(d ^ a, 8); \ + c = c + d; \ + b = rotr32(b ^ c, 7); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + +static void blake2s_compress( blake2s_state *S, const uint8_t in[BLAKE2S_BLOCKBYTES] ) +{ + uint32_t m[16]; + uint32_t v[16]; + size_t i; + + for( i = 0; i < 16; ++i ) { + m[i] = load32( in + i * sizeof( m[i] ) ); + } + + for( i = 0; i < 8; ++i ) { + v[i] = S->h[i]; + } + + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; + + ROUND( 0 ); + ROUND( 1 ); + ROUND( 2 ); + ROUND( 3 ); + ROUND( 4 ); + ROUND( 5 ); + ROUND( 6 ); + ROUND( 7 ); + ROUND( 8 ); + ROUND( 9 ); + + for( i = 0; i < 8; ++i ) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } +} + +#undef G +#undef ROUND + +int blake2s_update( blake2s_state *S, const void *pin, size_t inlen ) +{ + const unsigned char * in = (const unsigned char *)pin; + if( inlen > 0 ) + { + size_t left = S->buflen; + size_t fill = BLAKE2S_BLOCKBYTES - left; + if( inlen > fill ) + { + S->buflen = 0; + memcpy( S->buf + left, in, fill ); + blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES ); + blake2s_compress( S, S->buf ); + in += fill; inlen -= fill; + while(inlen > BLAKE2S_BLOCKBYTES) { + blake2s_increment_counter(S, BLAKE2S_BLOCKBYTES); + blake2s_compress( S, in ); + in += BLAKE2S_BLOCKBYTES; + inlen -= BLAKE2S_BLOCKBYTES; + } + } + memcpy( S->buf + S->buflen, in, inlen ); + S->buflen += inlen; + } + return 0; +} + +int blake2s_final( blake2s_state *S, void *out, size_t outlen ) +{ + uint8_t buffer[BLAKE2S_OUTBYTES] = {0}; + size_t i; + + if( out == NULL || outlen < S->outlen ) + return -1; + + if( blake2s_is_lastblock( S ) ) + return -1; + + blake2s_increment_counter( S, ( uint32_t )S->buflen ); + blake2s_set_lastblock( S ); + memset( S->buf + S->buflen, 0, BLAKE2S_BLOCKBYTES - S->buflen ); + blake2s_compress( S, S->buf ); + + for( i = 0; i < 8; ++i ) + store32( buffer + sizeof( S->h[i] ) * i, S->h[i] ); + + memcpy( out, buffer, S->outlen ); + memset( buffer, 0, sizeof( buffer ) ); + return 0; +} + +int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) +{ + blake2s_state S[1]; + + if ( ( ( !key ) || ( !keylen ) ) && ( keylen > 0 ) ) return -1; + + if( keylen > 0 ) + { + if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1; + } + else + { + if( blake2s_init( S, outlen ) < 0 ) return -1; + } + + blake2s_update( S, ( const uint8_t * )in, inlen ); + blake2s_final( S, out, outlen ); + return 0; +}