From: Avnish Chouhan <avnish@linux.ibm.com>
To: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Cc: grub-devel@gnu.org, dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, stefanb@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, daniel.kiper@oracle.com
Subject: Re: [PATCH v1 05/21] pgp: factor out rsa_pad
Date: Fri, 24 Jan 2025 16:10:37 +0530 [thread overview]
Message-ID: <745f83a5e64e5b367328db70d981854a@linux.ibm.com> (raw)
In-Reply-To: <20241218145647.1390837-6-sudhakar@linux.ibm.com>
Indentation looks off in couple of places. Please fix it.
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
> From: Daniel Axtens <dja@axtens.net>
>
> rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
> We want to use it in other RSA signature verification applications.
>
> I considered and rejected putting it in lib/crypto.c. That file doesn't
> currently require any MPI functions, but rsa_pad does. That's not so
> much of a problem for the grub kernel and modules, but crypto.c also
> gets built into all the grub utilities. So - despite the utils not
> using any asymmetric ciphers - we would need to built the entire MPI
> infrastructure in to them.
>
> A better and simpler solution is just to spin rsa_pad out into its own
> PKCS#1 v1.5 module.
>
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
> ---
> grub-core/Makefile.core.def | 8 +++++
> grub-core/commands/pgp.c | 28 ++----------------
> grub-core/lib/pkcs1_v15.c | 59 +++++++++++++++++++++++++++++++++++++
> include/grub/pkcs1_v15.h | 27 +++++++++++++++++
> 4 files changed, 96 insertions(+), 26 deletions(-)
> create mode 100644 grub-core/lib/pkcs1_v15.c
> create mode 100644 include/grub/pkcs1_v15.h
>
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index f70e02e69..60db2adc5 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -2540,6 +2540,14 @@ module = {
> cppflags = '$(CPPFLAGS_GCRY)';
> };
>
> +module = {
> + name = pkcs1_v15;
> + common = lib/pkcs1_v15.c;
> +
> + cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
> + cppflags = '$(CPPFLAGS_GCRY)';
> +};
> +
> module = {
> name = all_video;
> common = lib/fake_module.c;
> diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
> index c6766f044..b084dc9a2 100644
> --- a/grub-core/commands/pgp.c
> +++ b/grub-core/commands/pgp.c
> @@ -24,6 +24,7 @@
> #include <grub/file.h>
> #include <grub/command.h>
> #include <grub/crypto.h>
> +#include <grub/pkcs1_v15.h>
> #include <grub/i18n.h>
> #include <grub/gcrypt/gcrypt.h>
> #include <grub/pubkey.h>
> @@ -411,32 +412,7 @@ static int
> rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
> {
> - grub_size_t tlen, emlen, fflen;
> - grub_uint8_t *em, *emptr;
> - unsigned nbits = gcry_mpi_get_nbits (sk->mpis[0]);
> - int ret;
> - tlen = hash->mdlen + hash->asnlen;
> - emlen = (nbits + 7) / 8;
> - if (emlen < tlen + 11)
> - return 1;
> -
> - em = grub_malloc (emlen);
> - if (!em)
> - return 1;
> -
> - em[0] = 0x00;
> - em[1] = 0x01;
> - fflen = emlen - tlen - 3;
> - for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
> - *emptr = 0xff;
> - *emptr++ = 0x00;
> - grub_memcpy (emptr, hash->asnoid, hash->asnlen);
> - emptr += hash->asnlen;
> - grub_memcpy (emptr, hval, hash->mdlen);
> -
> - ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
> - grub_free (em);
> - return ret;
> + return grub_crypto_rsa_pad(hmpi, hval, hash, sk->mpis[0]);
> }
>
> struct grub_pubkey_context
> diff --git a/grub-core/lib/pkcs1_v15.c b/grub-core/lib/pkcs1_v15.c
> new file mode 100644
> index 000000000..dbacd563d
> --- /dev/null
> +++ b/grub-core/lib/pkcs1_v15.c
> @@ -0,0 +1,59 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2013 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published
> by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <grub/dl.h>
> +#include <grub/gcrypt/gcrypt.h>
> +
> +GRUB_MOD_LICENSE ("GPLv3+");
> +
> +/*
> + * Given a hash value 'hval', of hash specification 'hash', perform
> + * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
> + * (see RFC 8017 s 9.2) and place the result in 'hmpi'.
> + */
> +gcry_err_code_t
> +grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
> + const gcry_md_spec_t * hash, gcry_mpi_t mod)
> +{
> + grub_size_t tlen, emlen, fflen;
> + grub_uint8_t *em, *emptr;
> + unsigned nbits = gcry_mpi_get_nbits (mod);
> + int ret;
> + tlen = hash->mdlen + hash->asnlen;
> + emlen = (nbits + 7) / 8;
> + if (emlen < tlen + 11)
> + return GPG_ERR_TOO_SHORT;
> +
> + em = grub_malloc (emlen);
> + if (!em)
> + return 1;
> +
> + em[0] = 0x00;
> + em[1] = 0x01;
> + fflen = emlen - tlen - 3;
> + for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
> + *emptr = 0xff;
> + *emptr++ = 0x00;
> + grub_memcpy (emptr, hash->asnoid, hash->asnlen);
> + emptr += hash->asnlen;
> + grub_memcpy (emptr, hval, hash->mdlen);
> +
> + ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
> + grub_free (em);
> + return ret;
> +}
> diff --git a/include/grub/pkcs1_v15.h b/include/grub/pkcs1_v15.h
> new file mode 100644
> index 000000000..5c338c84a
> --- /dev/null
> +++ b/include/grub/pkcs1_v15.h
> @@ -0,0 +1,27 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2013 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published
> by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +/*
> + * Given a hash value 'hval', of hash specification 'hash', perform
> + * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
> + * (See RFC 8017 s 9.2)
> + */
> +gcry_err_code_t
> +grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
> + const gcry_md_spec_t * hash, gcry_mpi_t mod);
> +
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-01-24 10:41 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-18 14:56 [PATCH v1 00/21] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2024-12-18 14:56 ` [PATCH v1 01/21] powerpc-ieee1275: Add support for signing grub with an appended signature Sudhakar Kuppusamy
2024-12-27 14:58 ` Stefan Berger
2025-02-26 4:24 ` sudhakar
2025-01-04 18:30 ` Vladimir 'phcoder' Serbinenko
2025-01-06 6:25 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 02/21] docs/grub: Document signing grub under UEFI Sudhakar Kuppusamy
2024-12-27 15:00 ` Stefan Berger
2024-12-18 14:56 ` [PATCH v1 03/21] docs/grub: Document signing grub with an appended signature Sudhakar Kuppusamy
2024-12-27 15:04 ` Stefan Berger
2025-01-04 18:32 ` Vladimir 'phcoder' Serbinenko
2025-01-24 9:44 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 04/21] dl: provide a fake grub_dl_set_persistent for the emu target Sudhakar Kuppusamy
2024-12-27 15:06 ` Stefan Berger
2025-01-04 18:36 ` Vladimir 'phcoder' Serbinenko
2025-01-24 9:47 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 05/21] pgp: factor out rsa_pad Sudhakar Kuppusamy
2024-12-27 15:11 ` Stefan Berger
2025-01-04 18:40 ` Vladimir 'phcoder' Serbinenko
2025-02-27 15:26 ` sudhakar
2025-01-24 10:40 ` Avnish Chouhan [this message]
2025-02-27 15:28 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 06/21] crypto: move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2024-12-27 15:13 ` Stefan Berger
2025-01-04 18:41 ` Vladimir 'phcoder' Serbinenko
2025-01-24 10:42 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 07/21] grub-install: support embedding x509 certificates Sudhakar Kuppusamy
2024-12-27 16:08 ` Stefan Berger
2025-01-24 10:45 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 08/21] appended signatures: import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2024-12-28 19:02 ` Stefan Berger
2025-01-24 10:47 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 09/21] appended signatures: parse PKCS#7 signedData and X.509 certificates Sudhakar Kuppusamy
2024-12-28 19:46 ` Stefan Berger
2025-02-26 4:26 ` sudhakar
2025-01-24 11:10 ` Avnish Chouhan
2025-02-27 15:31 ` sudhakar
2025-01-24 11:23 ` Michal Suchánek
2024-12-18 14:56 ` [PATCH v1 10/21] appended signatures: support verifying appended signatures Sudhakar Kuppusamy
2024-12-29 16:37 ` Stefan Berger
2025-02-06 6:10 ` Avnish Chouhan
2025-02-27 15:33 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 11/21] appended signatures: verification tests Sudhakar Kuppusamy
2024-12-30 15:39 ` Stefan Berger
2025-02-14 10:27 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 12/21] appended signatures: documentation Sudhakar Kuppusamy
2024-12-30 15:50 ` Stefan Berger
2025-02-26 4:28 ` sudhakar
2025-02-14 10:39 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 13/21] ieee1275: enter lockdown based on /ibm,secure-boot Sudhakar Kuppusamy
2024-12-30 22:02 ` Stefan Berger
2025-02-06 6:23 ` Avnish Chouhan
2025-02-27 15:34 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 14/21] ieee1275: Platform Keystore (PKS) Support Sudhakar Kuppusamy
2024-12-30 22:14 ` Stefan Berger
2025-02-26 4:33 ` sudhakar
2025-02-06 9:09 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables Sudhakar Kuppusamy
2024-12-30 23:01 ` Stefan Berger
2025-02-26 4:43 ` sudhakar
2024-12-30 23:04 ` Stefan Berger
2025-02-26 4:44 ` sudhakar
2025-02-07 5:57 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 16/21] appendedsig: The creation of trusted and distrusted lists Sudhakar Kuppusamy
2024-12-31 17:21 ` Stefan Berger
2025-02-27 15:21 ` sudhakar
2025-02-07 6:39 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 17/21] appendedsig: While verifying the kernel, use " Sudhakar Kuppusamy
2024-12-31 17:37 ` Stefan Berger
2025-02-27 15:22 ` sudhakar
2025-02-07 6:44 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 18/21] ieee1275: set use_static_keys flag Sudhakar Kuppusamy
2025-01-02 13:22 ` Stefan Berger
2025-02-27 15:24 ` sudhakar
2025-02-07 6:46 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note Sudhakar Kuppusamy
2025-01-02 13:19 ` Stefan Berger
2025-02-27 15:23 ` sudhakar
2025-02-07 6:54 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 20/21] appendedsig: The grub command's trusted and distrusted support Sudhakar Kuppusamy
2025-02-07 10:16 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 21/21] appendedsig: documentation Sudhakar Kuppusamy
2025-02-07 10:00 ` Avnish Chouhan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=745f83a5e64e5b367328db70d981854a@linux.ibm.com \
--to=avnish@linux.ibm.com \
--cc=daniel.kiper@oracle.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
--cc=sudhakar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.