socsec: change rsa order to big endian for AST2600 A3
In general, software such as openssl calculates digest(big endian) of input data and uses big-endian digest to sign for RSA signature creation.
However, AST2600 A1 only supports little endian. In other words, AST2600 A1 crypto hardware engine digest output is “little endian”.
That is why our SOCSEC tool reverse signature and digest to match the AST2600 A1 crypto engine design(little endian).
AST2600 A3 changed the design to support big endian. ASPEED recommends using big endian to remain compatible with general software tool design
and therefore SOCSEC tool does not need to reverse digest and signature.
Default to big endian for OpenBMC platforms as A3 is production silicon, and earlier revisions are not well supported.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Change-Id: Iba46f704b86990d53937f104c3c601da5a3c111f
diff --git a/meta-aspeed/classes/socsec-sign.bbclass b/meta-aspeed/classes/socsec-sign.bbclass
index 0af88d9..06b14c0 100644
--- a/meta-aspeed/classes/socsec-sign.bbclass
+++ b/meta-aspeed/classes/socsec-sign.bbclass
@@ -12,7 +12,9 @@
# intersects the stack. The parameter below can be used to instruct
# socsec to work in either mode (ommitting it throws a warning), but
# newer (post v00.03.03) u-boot-aspeed-sdk need this set to false
-SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false"
+# A1 rsa order is little endian and A3 is big endian
+# Set big endian for A3 support
+SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false --rsa_key_order=big"
DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", " socsec-native", "", d)}'