BIOS crypto

From OLPC

bios-crypto is OLPC's repository for Open Firmware crypto-related code, and for some Linux tools which generate activations, developer keys, etc.

bios-crypto contains forked versions of libtomcrypt and tomsfastmath which are shared by both the firmware code and the Linux tools.

git://dev.laptop.org/bios-crypto

libtomcrypt fork

The git tree contains various RSA-related fixes/improvements which should be upstreamed. The git history is quite clean and each change has a good commit message.

One potential complication here is that libtomcrypt has changed licensing model since those patches were written. We may need the permission of OLPC and/or the author to get these relicensed.

Once upstreaming is done, we can switch to using the upstream libtomcrypt for the Linux tools. The firmware will probably wish to continue using the old, forked version for simplicity of the build process.

tomsfastmath fork

There are very few changes from the upstream version of tomsfastmath here. Not sure if the remaining two changes are upstreamable. The firmware can continue using this version (very low maintenance); the Linux tools may wish to switch to libtommath (see below).

64-bit

bios-crypto does not work on 64-bit. At least, anything that uses sig01 (e.g. activation/devkey generation) generates bad data. If sig01 is changed to use ltm_desc (libtommath instead of tomsfastmath), things start working again.

Fedora packaging

We want to include the Linux tools in Fedora so that activation/devkey generation and image signing are much more accessible for OLPC customers. There are a couple of hurdles to overcome:

  1. We cannot use forked libraries; we must use the systemwide ones.
  2. tomsfastmath is not in Fedora.

(1) can be fixed by upstreaming work.

As for (2), tomsfastmath is supposed to be newer, faster and messier than libtommath (which is present in Fedora and is a drop-in replacement in the context of libtomcrypt and bios-crypto). However, libtommath is packaged in Fedora and works on 64-bit too. Given that speed is not a big concern outside of the BIOS, we should switch the Linux tools such as sig01 to use libtommath, solving the 64-bit issue and enabling an easy ride into Fedora-land.