From: Akashi Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 5/8] efi_loader: Make the pkcs7 header parsing function an extern
Date: Thu, 7 May 2020 16:34:16 +0900 [thread overview]
Message-ID: <20200507073416.GF3330@laputa> (raw)
In-Reply-To: <20200430173630.15608-6-sughosh.ganu@linaro.org>
On Thu, Apr 30, 2020 at 11:06:27PM +0530, Sughosh Ganu wrote:
> The pkcs7 header parsing functionality is pretty generic, and can be
> used by other features like capsule authentication. Make the function
> as an extern, also changing it's name to efi_parse_pkcs7_header.
The patch itself is fine to me, but is "pkcs7 header" a common term?
-Takahiro Akashi
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> include/efi_loader.h | 2 +
> lib/efi_loader/efi_signature.c | 78 ++++++++++++++++++++++++++++++++
> lib/efi_loader/efi_variable.c | 82 +---------------------------------
> 3 files changed, 82 insertions(+), 80 deletions(-)
>
> diff --git a/include/efi_loader.h b/include/efi_loader.h
> index b7638d5825..8d923451ce 100644
> --- a/include/efi_loader.h
> +++ b/include/efi_loader.h
> @@ -781,6 +781,8 @@ bool efi_secure_boot_enabled(void);
>
> bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
> WIN_CERTIFICATE **auth, size_t *auth_len);
> +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, size_t buflen);
> +
> #endif /* CONFIG_EFI_SECURE_BOOT */
>
> #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index bf6f39aab2..9897f5418e 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -25,6 +25,84 @@ const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
>
> #ifdef CONFIG_EFI_SECURE_BOOT
>
> +static u8 pkcs7_hdr[] = {
> + /* SEQUENCE */
> + 0x30, 0x82, 0x05, 0xc7,
> + /* OID: pkcs7-signedData */
> + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02,
> + /* Context Structured? */
> + 0xa0, 0x82, 0x05, 0xb8,
> +};
> +
> +/**
> + * efi_parse_pkcs7_header - parse a signature in variable
> + * @buf: Pointer to the payload's value
> + * @buflen: Length of @buf
> + *
> + * Parse a signature embedded in variable's value and instantiate
> + * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
> + * pkcs7's signedData, some header needed be prepended for correctly
> + * parsing authentication data, particularly for variable's.
> + *
> + * Return: Pointer to pkcs7_message structure on success, NULL on error
> + */
> +struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, size_t buflen)
> +{
> + u8 *ebuf;
> + size_t ebuflen, len;
> + struct pkcs7_message *msg;
> +
> + /*
> + * This is the best assumption to check if the binary is
> + * already in a form of pkcs7's signedData.
> + */
> + if (buflen > sizeof(pkcs7_hdr) &&
> + !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
> + msg = pkcs7_parse_message(buf, buflen);
> + goto out;
> + }
> +
> + /*
> + * Otherwise, we should add a dummy prefix sequence for pkcs7
> + * message parser to be able to process.
> + * NOTE: EDK2 also uses similar hack in WrapPkcs7Data()
> + * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
> + * TODO:
> + * The header should be composed in a more refined manner.
> + */
> + debug("Makeshift prefix added to authentication data\n");
> + ebuflen = sizeof(pkcs7_hdr) + buflen;
> + if (ebuflen <= 0x7f) {
> + debug("Data is too short\n");
> + return NULL;
> + }
> +
> + ebuf = malloc(ebuflen);
> + if (!ebuf) {
> + debug("Out of memory\n");
> + return NULL;
> + }
> +
> + memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr));
> + memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen);
> + len = ebuflen - 4;
> + ebuf[2] = (len >> 8) & 0xff;
> + ebuf[3] = len & 0xff;
> + len = ebuflen - 0x13;
> + ebuf[0x11] = (len >> 8) & 0xff;
> + ebuf[0x12] = len & 0xff;
> +
> + msg = pkcs7_parse_message(ebuf, ebuflen);
> +
> + free(ebuf);
> +
> +out:
> + if (IS_ERR(msg))
> + return NULL;
> +
> + return msg;
> +}
> +
> /**
> * efi_hash_regions - calculate a hash value
> * @regs: List of regions
> diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
> index 6c2dd82306..be34a2cadd 100644
> --- a/lib/efi_loader/efi_variable.c
> +++ b/lib/efi_loader/efi_variable.c
> @@ -415,85 +415,7 @@ bool efi_secure_boot_enabled(void)
> return efi_secure_boot;
> }
>
> -#ifdef CONFIG_EFI_SECURE_BOOT
> -static u8 pkcs7_hdr[] = {
> - /* SEQUENCE */
> - 0x30, 0x82, 0x05, 0xc7,
> - /* OID: pkcs7-signedData */
> - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02,
> - /* Context Structured? */
> - 0xa0, 0x82, 0x05, 0xb8,
> -};
> -
> -/**
> - * efi_variable_parse_signature - parse a signature in variable
> - * @buf: Pointer to variable's value
> - * @buflen: Length of @buf
> - *
> - * Parse a signature embedded in variable's value and instantiate
> - * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
> - * pkcs7's signedData, some header needed be prepended for correctly
> - * parsing authentication data, particularly for variable's.
> - *
> - * Return: Pointer to pkcs7_message structure on success, NULL on error
> - */
> -static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
> - size_t buflen)
> -{
> - u8 *ebuf;
> - size_t ebuflen, len;
> - struct pkcs7_message *msg;
> -
> - /*
> - * This is the best assumption to check if the binary is
> - * already in a form of pkcs7's signedData.
> - */
> - if (buflen > sizeof(pkcs7_hdr) &&
> - !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
> - msg = pkcs7_parse_message(buf, buflen);
> - goto out;
> - }
> -
> - /*
> - * Otherwise, we should add a dummy prefix sequence for pkcs7
> - * message parser to be able to process.
> - * NOTE: EDK2 also uses similar hack in WrapPkcs7Data()
> - * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
> - * TODO:
> - * The header should be composed in a more refined manner.
> - */
> - debug("Makeshift prefix added to authentication data\n");
> - ebuflen = sizeof(pkcs7_hdr) + buflen;
> - if (ebuflen <= 0x7f) {
> - debug("Data is too short\n");
> - return NULL;
> - }
> -
> - ebuf = malloc(ebuflen);
> - if (!ebuf) {
> - debug("Out of memory\n");
> - return NULL;
> - }
> -
> - memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr));
> - memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen);
> - len = ebuflen - 4;
> - ebuf[2] = (len >> 8) & 0xff;
> - ebuf[3] = len & 0xff;
> - len = ebuflen - 0x13;
> - ebuf[0x11] = (len >> 8) & 0xff;
> - ebuf[0x12] = len & 0xff;
> -
> - msg = pkcs7_parse_message(ebuf, ebuflen);
> -
> - free(ebuf);
> -
> -out:
> - if (IS_ERR(msg))
> - return NULL;
> -
> - return msg;
> -}
> +#ifdef CONFIG_SECURE_BOOT
>
> /**
> * efi_variable_authenticate - authenticate a variable
> @@ -591,7 +513,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
> /* variable's signature list */
> if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
> goto err;
> - var_sig = efi_variable_parse_signature(auth->auth_info.cert_data,
> + var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data,
> auth->auth_info.hdr.dwLength
> - sizeof(auth->auth_info));
> if (IS_ERR(var_sig)) {
> --
> 2.17.1
>
next prev parent reply other threads:[~2020-05-07 7:34 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-30 17:36 [PATCH 0/8] qemu: arm64: Add support for uefi firmware management protocol routines Sughosh Ganu
2020-04-30 17:36 ` [PATCH 1/8] semihosting: Change semihosting file operation functions into global symbols Sughosh Ganu
2020-05-11 3:05 ` Akashi Takahiro
2020-05-18 16:34 ` Heinrich Schuchardt
2020-04-30 17:36 ` [PATCH 2/8] semihosting: Add support for writing to a file Sughosh Ganu
2020-05-18 17:04 ` Heinrich Schuchardt
2020-04-30 17:36 ` [PATCH 3/8] qemu: arm64: Add support for efi firmware management protocol routines Sughosh Ganu
2020-04-30 18:39 ` Heinrich Schuchardt
2020-04-30 19:13 ` Sughosh Ganu
2020-05-01 9:33 ` Heinrich Schuchardt
2020-05-05 11:15 ` Grant Likely
2020-05-05 17:04 ` Heinrich Schuchardt
2020-05-05 17:23 ` Grant Likely
2020-05-05 17:57 ` Heinrich Schuchardt
2020-05-06 15:04 ` Grant Likely
2020-05-09 10:04 ` Heinrich Schuchardt
2020-05-10 11:59 ` Sughosh Ganu
2020-05-18 17:14 ` Grant Likely
2020-05-07 2:33 ` Akashi Takahiro
2020-05-07 20:47 ` Heinrich Schuchardt
2020-05-07 23:36 ` Akashi Takahiro
2020-04-30 17:36 ` [PATCH 4/8] efi_loader: Allow parsing of miscellaneous signature database variables Sughosh Ganu
2020-04-30 17:36 ` [PATCH 5/8] efi_loader: Make the pkcs7 header parsing function an extern Sughosh Ganu
2020-05-07 7:34 ` Akashi Takahiro [this message]
2020-05-07 11:18 ` Sughosh Ganu
2020-05-08 0:51 ` Akashi Takahiro
2020-05-10 11:20 ` Sughosh Ganu
2020-04-30 17:36 ` [PATCH 6/8] efi: capsule: Add support for uefi capsule authentication Sughosh Ganu
2020-05-07 8:19 ` Akashi Takahiro
2020-05-07 11:50 ` Sughosh Ganu
2020-05-08 0:42 ` Akashi Takahiro
2020-05-10 11:26 ` Sughosh Ganu
2020-05-11 2:45 ` Akashi Takahiro
2020-04-30 17:36 ` [PATCH 7/8] qemu: arm64: " Sughosh Ganu
2020-04-30 17:36 ` [PATCH 8/8] qemu: arm64: Add documentation for capsule update Sughosh Ganu
2020-04-30 18:37 ` Heinrich Schuchardt
2020-04-30 19:08 ` Sughosh Ganu
2020-04-30 19:27 ` Tom Rini
2020-05-01 5:47 ` Sughosh Ganu
2020-05-07 2:10 ` Akashi Takahiro
2020-05-07 20:52 ` Heinrich Schuchardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200507073416.GF3330@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox