From patchwork Wed Jan 19 11:54:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 533269 Delivered-To: patch@linaro.org Received: by 2002:ac0:f7d2:0:0:0:0:0 with SMTP id i18csp782643imr; Wed, 19 Jan 2022 03:54:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJxqzYSLUbcqXIv08Yv3ZGm0/youhs6FwGYEfBCbYWmClRL3zl2lgL6lpR7NVfxwQAPBVLiJ X-Received: by 2002:a17:906:2bc3:: with SMTP id n3mr25019769ejg.332.1642593294495; Wed, 19 Jan 2022 03:54:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642593294; cv=none; d=google.com; s=arc-20160816; b=HqmE8Os5jN73K2lgLrEytsC6WWHjg9qVjQ/YcB+cNLZkCrp1aWkb3KukYpxSCB6Nyx IYBTulctHA4bM+YPDOfSzt+xbFYYa+6oq7GtvQblLDT6ubZsF9oGtR0MxxXroq3ywYSX DbfLV3PRJRpqDEEr6viG+ZPVHYKNVRbSBELQRs7PRIDBmXj+vGxSBNDIcEkh4gh7G6WS nPPbhVCM1aWOrHk9HEBSsoN3fZyyFpi4C2KpXJ2Y7OU1J916DxXsIHUxwkVQ22P6mSI2 xmSxSLm5NdeJiXH7ujEIYZRl9GYE/dVFjelwS6aFm0zbMI1mwcT/8n257NcudA6+3+K/ gRwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature; bh=116MRhS/cne8DwT08ZfO1dSzYUrsZmrRy4t50sDkkNA=; b=YWtMD8N04DICHgnAAqyvo+XScRGaEDXqNFBYHTKhizZy1td1e+fkuxn9XKi96t/FGI KPy6meMexkUBfgOUNw6yzGjUcH3JZr+0NiHqgrSEXciPGhuBZB9TbL5Tk0cphJh7OZRD bBf85HwNK4+Cymu99BLKnY5+qvnlbtgBbfMvhQvBjkcH9pYL9W6HQeQos1ZtCiO7AT1W 05F8RR676UB+bpPrTHpUkl8CaPoB+/LHVrR6ecXg3/E7RoOC0RtK9bRg0xV/pTR+tX0+ 0vp6iIYe40Rcdo9ojhObDCN4trmuprIaru89t8I+gjdTlGHMG2NE7aRwmLtQkqAdXP8w 1I2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=arlqu00D; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id sb17si7397975ejc.150.2022.01.19.03.54.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 03:54:54 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=arlqu00D; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BC45982EC6; Wed, 19 Jan 2022 12:54:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="arlqu00D"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 979EE832EA; Wed, 19 Jan 2022 12:54:49 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 4F8BB81B4B for ; Wed, 19 Jan 2022 12:54:46 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wm1-x32f.google.com with SMTP id o7-20020a05600c510700b00347e10f66d1so4503536wms.0 for ; Wed, 19 Jan 2022 03:54:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=116MRhS/cne8DwT08ZfO1dSzYUrsZmrRy4t50sDkkNA=; b=arlqu00Dx7Xw/dAR+6hZ9VO31Pfs60eZDz4rSWjooOfjKoVf8vQaLA1UAmcR1cUqYk pFKFK2JjpyBxWMIhGsnae6wcRAt+1Rn/YDsC/R/LvCqUhT+KlxE/3Au7mUurq5gyvgYQ 9iPHOMcfw44/nAi76EEq3nvTJ1AwQu12W/FiEWCQEQodedHb5omE9GAea+HyA2Kj4Djo SuS31Hx2EhsPykDlV6T8874FnMfyPppc0xvDHS4IG2iDVOP06DMsBhKNSVY3OuPgllpd PGr+lEd5Faza70HBzBq7fa4ocvKGsjkVzTv204kLWdaevZrL+gzDLPbhW4kMNtrgbifH 7hWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=116MRhS/cne8DwT08ZfO1dSzYUrsZmrRy4t50sDkkNA=; b=39gPRpWGBPi4vVLBOhq0DlelDxrrIscpI/Gz5c416FdpPou/0OmCuLHtvxWcHJAfr0 NxzXCI+/xHGI+sP0vObvRindekGsvJtYCzuF1A1tdpi1fYieWYvk2XFut3D4wwaRBVND kpX/TyQbzHSMjenyDVR5IlnqTSw5aZnUNQOD7c0on6O+lbLno1j8XBM3VNsF03104gMv g/Xtx07OVpyMfF8UHzOy6kJJuOMpZEfOP0UF87ibbounXP1lHtcro1CtswxkuI6JCBXR g/yYSMrmf3GqaIYPYh0LjajAByXmoEBC+uXv0U64VIaThp6ZOmaeMRmH42lRyTuW6vQo vbtA== X-Gm-Message-State: AOAM532bImHAkxDm8b8a/89+6eeeLI9e+O8KdI0NogErIfJGnE6PT7C+ HVI55GRMjYos5saUpm5Wmm/58Q== X-Received: by 2002:a5d:6d4f:: with SMTP id k15mr28580080wri.345.1642593285939; Wed, 19 Jan 2022 03:54:45 -0800 (PST) Received: from hades.. ([2a02:587:46a6:e776:230:64ff:fe3b:505d]) by smtp.gmail.com with ESMTPSA id b13sm19338565wrf.64.2022.01.19.03.54.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 03:54:45 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org Cc: Ilias Apalodimas , Alexander Graf , u-boot@lists.denx.de Subject: [PATCH 1/2 v2] lib/crypto: Enable more algorithms in cert verification Date: Wed, 19 Jan 2022 13:54:41 +0200 Message-Id: <20220119115443.373264-1-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Right now the code explicitly limits us to sha1,256 hashes with RSA2048 encryption. But the limitation is artificial since U-Boot supports a wider range of algorithms. The internal image_get_[checksum|crypto]_algo() functions expect an argument in the format of ,. So let's remove the size checking and create the needed string on the fly in order to support more hash/signing combinations. Signed-off-by: Ilias Apalodimas --- changes since v1: - added patch [2/2] explicitly disabling sha1 - removed a TODO comment - added a print notifying wrt to image_get_(checksum|crypto)_algo usage lib/crypto/public_key.c | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index df6033cdb499..3671ed138559 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -97,6 +97,7 @@ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig) { struct image_sign_info info; + char algo[256]; int ret; pr_devel("==>%s()\n", __func__); @@ -108,30 +109,26 @@ int public_key_verify_signature(const struct public_key *pkey, return -EINVAL; memset(&info, '\0', sizeof(info)); + memset(algo, 0, sizeof(algo)); info.padding = image_get_padding_algo("pkcs-1.5"); - /* - * Note: image_get_[checksum|crypto]_algo takes a string - * argument like "," - * TODO: support other hash algorithms - */ - if (strcmp(sig->pkey_algo, "rsa") || (sig->s_size * 8) != 2048) { - pr_warn("Encryption is not RSA2048: %s%d\n", - sig->pkey_algo, sig->s_size * 8); - return -ENOPKG; - } - if (!strcmp(sig->hash_algo, "sha1")) { - info.checksum = image_get_checksum_algo("sha1,rsa2048"); - info.name = "sha1,rsa2048"; - } else if (!strcmp(sig->hash_algo, "sha256")) { - info.checksum = image_get_checksum_algo("sha256,rsa2048"); - info.name = "sha256,rsa2048"; - } else { - pr_warn("unknown msg digest algo: %s\n", sig->hash_algo); + if (strcmp(sig->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); return -ENOPKG; } + ret = snprintf(algo, sizeof(algo), "%s,%s%d", sig->hash_algo, + sig->pkey_algo, sig->s_size * 8); + + if (ret >= sizeof(algo)) + return -EINVAL; + + info.checksum = image_get_checksum_algo((const char *)algo); + info.name = (const char *)algo; info.crypto = image_get_crypto_algo(info.name); - if (IS_ERR(info.checksum) || IS_ERR(info.crypto)) + if (!info.checksum || !info.crypto) { + pr_err("<%s> not supported on image_get_(checksum|crypto)_algo()\n", + algo); return -ENOPKG; + } info.key = pkey->key; info.keylen = pkey->keylen; From patchwork Wed Jan 19 11:54:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 533270 Delivered-To: patch@linaro.org Received: by 2002:ac0:f7d2:0:0:0:0:0 with SMTP id i18csp782732imr; Wed, 19 Jan 2022 03:55:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJzjqo2YsaE4BjIlpAoRjI4QXQqVguysIAYPU/rGWyE4igOOOAiVFTqBo+mPuvgyaOgk+/9n X-Received: by 2002:a17:907:968d:: with SMTP id hd13mr1047793ejc.101.1642593304049; Wed, 19 Jan 2022 03:55:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642593304; cv=none; d=google.com; s=arc-20160816; b=yXWF2LS58iIsoupOBdZn0Uh6bNpqAeJ9d2L/FOf39YwAaj46p8dGbhNmnNSJsFa9Eg PcW+am+EyXRB3WaYjV2pKBquJTD+b1/NloM7z4U1Xm3/Y7kcSs6NUfPMBHh1YKWXd7gT mbgiFvSBhqufwcA1bFoG4CN0E1JUDZV3z7D4FvZ39iina0Kk+4A0+O96Out6Ir9BLXyk lnIPItAQSJYGffU6It5qi+iw7f5JxtYlLyFFy18KLiiFzDyOTrmqCWA2ATzXs8Lx464U kpGW1JjxbN6OpdxFL0FzkuBowlTBBYjLfjDIygY5hPgz7ud3us5rpJP0xfjVZ9K2u1wn zj5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=iMnQf/SCNrAkGsejvazMamcP8icsvuDkAWhtK6jvtgk=; b=hUyC76JRNPWlFrXKBnCFzPwwjcQxX5C9kuDfGOuCuNd+NC5qBzhC715aOXfR940sko vRfSVsTJFY/BhVDBN9r5kqyxRYhF4Axao7wttPuY3hL0rvGqKmz4WD37wT/yV0JZNx8H MYLaTL/1YcI12s3hkiEEKaj0Pr61FSKyReENLd3x3Vt1UQjIuY9zMt7LL0JuC4Gx914Y 5VK1ne2KjEq6HSatAvOvJEgNljdoQXiP/wQiyATr59aZhPSjbS9d4c/hCKaHM+FPwN1K 0E3o+SOAZCa6DGYmS7CMxjPNODfVQ87x3lDVoH8lkvli+Fqz85kdzuB6ZKe4YeVYx2rR yyQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="A7MWaiv/"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id hq31si2485189ejc.802.2022.01.19.03.55.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 03:55:04 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="A7MWaiv/"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 531C983811; Wed, 19 Jan 2022 12:54:54 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="A7MWaiv/"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 8136A81B4B; Wed, 19 Jan 2022 12:54:50 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B4B888303A for ; Wed, 19 Jan 2022 12:54:47 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wm1-x333.google.com with SMTP id i187-20020a1c3bc4000000b0034d2ed1be2aso12534088wma.1 for ; Wed, 19 Jan 2022 03:54:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=iMnQf/SCNrAkGsejvazMamcP8icsvuDkAWhtK6jvtgk=; b=A7MWaiv/uXN53FZpPCISlCJ4FK5LyBsqbW4Fdiiui2C25MlmAkI0QdevSBCxdytj3X PM5vIP4QCWdr2hpbaqRLfdDv/Uj6tpnBqi8V2qyDMQwMdLY2ClL2o42mVjxd0AMCn5Z2 GGedvnfUG6PiISL91j5bGF+KxV4NdfzELl22oFRz0WyTAo7fPlj3huioYdRWidbEjY0i IoqHN2nmP07W1GCTTPmev1+WjvTuPf+CIMVP4OMJc5rHyr2ge4+YmuBjywV6oPmjl8SY gGZ5A/QAisP2lELh3vvsO25Syvl3q0F9HbcNupo/4KYEvT9psgJ9ubRmc7AWu4AXuZyW 0Bvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=iMnQf/SCNrAkGsejvazMamcP8icsvuDkAWhtK6jvtgk=; b=ln6UjWOXOcmP32p8hN1MyhtKiHqtJH6WPvVd6am7b+3mqgkQTBqniZa9d1SQmjydbb jHayu5PnL1HFA9FN8WTULukZbXGewYqmDf0WnlXyx8g4HJdFq0MZdyhIJf1XDCi+dyTN sAwQ62fRTrubOAkAMRfBQDEWvOyeOpT+Sx5n35M9FPB9X0z47zEGvQNjMl+DUOclVE0m VieX3CYB7oyJ480czHlufH3y3EOo7QLKxEyAY/uM9hCT70YdNsXrz+XF3XdXdFwm5IpH q2TL3svLTGf5Z/TGNBZAgr8nV7y0QheouNBbiz/x5hho7JWZblMU8JejZ0h6lbZHnmS7 Y0JQ== X-Gm-Message-State: AOAM533gYFbZYqGKw/WDumaKMrUm/5uBeUjfGJTTjwvnkJcjRocCn/hU Os6z/QriGXXVueS+4l3WcW7rtQ== X-Received: by 2002:a05:6000:168c:: with SMTP id y12mr29920093wrd.389.1642593287380; Wed, 19 Jan 2022 03:54:47 -0800 (PST) Received: from hades.. ([2a02:587:46a6:e776:230:64ff:fe3b:505d]) by smtp.gmail.com with ESMTPSA id b13sm19338565wrf.64.2022.01.19.03.54.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 03:54:47 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org Cc: Ilias Apalodimas , Alexander Graf , u-boot@lists.denx.de Subject: [PATCH 2/2 v2] efi_loader: Ignore sha1 on signature verification Date: Wed, 19 Jan 2022 13:54:42 +0200 Message-Id: <20220119115443.373264-2-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220119115443.373264-1-ilias.apalodimas@linaro.org> References: <20220119115443.373264-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Since SHA1 has know collisions disable it on EFI verification for variables and executables Signed-off-by: Ilias Apalodimas --- lib/efi_loader/efi_signature.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 6e3ee3c0c004..1903adc89ed0 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -476,6 +476,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, if (ret < 0 || !signer) goto out; + if (!strcmp(signer->sig->hash_algo, "sha1")) { + pr_err("SHA1 support is disabled for EFI\n"); + goto out; + } + if (sinfo->blacklisted) goto out;