From patchwork Mon Apr 11 07:56:22 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 559581
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas, u-boot@lists.denx.de
Subject: [RFC PATCH] efi_loader: add sha384/512 on certificate revocation
Date: Mon, 11 Apr 2022 10:56:22 +0300
Message-Id: <20220411075622.2069454-1-ilias.apalodimas@linaro.org>

Currently we don't support sha384/512 for the X.509 certificate To-Be-Signed contents. Moreover, if we come across such a hash we skip the check and approve the image, although the image might need to be rejected.

It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha384/512 support there as well.

Signed-off-by: Ilias Apalodimas

--- include/efi_api.h | 6 ++++ lib/efi_loader/efi_signature.c | 62 ++++++++++++++++++++++++++-------- 2 files changed, 53 insertions(+), 15 deletions(-) diff --git a/include/efi_api.h b/include/efi_api.h index 982c2001728d..b9a04958f9ba 100644 --- a/include/efi_api.h +++ b/include/efi_api.h 
@@ -1873,6 +1873,12 @@ struct efi_system_resource_table { #define EFI_CERT_X509_SHA256_GUID \ EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \ 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed) +#define EFI_CERT_X509_SHA384_GUID \ + EFI_GUID(0x7076876e, 0x80c2, 0x4ee6, \ + 0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b) +#define EFI_CERT_X509_SHA512_GUID \ + EFI_GUID(0x446dbf63, 0x2502, 0x4cda, \ + 0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d) #define EFI_CERT_TYPE_PKCS7_GUID \ EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79ed077ae7dd..392eae6c0d64 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -24,6 +24,8 @@ const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; +const efi_guid_t efi_guid_cert_x509_sha384 = EFI_CERT_X509_SHA384_GUID; +const efi_guid_t efi_guid_cert_x509_sha512 = EFI_CERT_X509_SHA512_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; static u8 pkcs7_hdr[] = { 
@@ -124,23 +126,32 @@ struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, * Return: true on success, false on error */ static bool efi_hash_regions(struct image_region *regs, int count, - void **hash, size_t *size) + void **hash, size_t size) { + char hash_algo[16]; + int ret; + + /* basic sanity checking */ + if (!size) + return false; + + ret = snprintf(hash_algo, sizeof(hash_algo), "sha%ld", size * 8); + if (ret >= sizeof(hash_algo)) + return false; + if (!*hash) { - *hash = calloc(1, SHA256_SUM_LEN); + *hash = calloc(1, size); if (!*hash) { EFI_PRINT("Out of memory\n"); return false; } } - if (size) - *size = SHA256_SUM_LEN; - hash_calculate("sha256", regs, count, *hash); + hash_calculate(hash_algo, regs, count, *hash); #ifdef DEBUG EFI_PRINT("hash calculated:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - *hash, SHA256_SUM_LEN, false); + *hash, size, false); #endif return true; @@ -190,7 +201,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, struct efi_signature_store *siglist; struct efi_sig_data *sig_data; void *hash = NULL; - size_t size = 0; + size_t size = SHA256_SUM_LEN; bool found = false; bool hash_done = false; @@ -216,7 +227,7 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, continue; if (!hash_done && - !efi_hash_regions(regs->reg, regs->num, &hash, &size)) { + !efi_hash_regions(regs->reg, regs->num, &hash, size)) { EFI_PRINT("Digesting an image failed\n"); break; } @@ -263,7 +274,7 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL, *hash_tmp = NULL; - size_t size = 0; + size_t size = SHA256_SUM_LEN; bool found = false; EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db); 
@@ -278,7 +289,7 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + if (!efi_hash_regions(reg, 1, &hash, size)) goto out; EFI_PRINT("%s: searching for %s\n", __func__, cert->subject); @@ -300,7 +311,7 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, cert_tmp->subject); reg[0].data = cert_tmp->tbs; reg[0].size = cert_tmp->tbs_size; - if (!efi_hash_regions(reg, 1, &hash_tmp, NULL)) + if (!efi_hash_regions(reg, 1, &hash_tmp, size)) goto out; x509_free_certificate(cert_tmp); @@ -377,6 +388,26 @@ out: return verified; } +/** guid_to_sha_len - return the sha size in bytes for a given guid + * used of EFI security databases + * + * @guid: guid to check + * + * Return: len or 0 if no match is found + */ +static int guid_to_sha_len(efi_guid_t *guid) +{ + int size = 0; + + if (!guidcmp(guid, &efi_guid_cert_x509_sha256)) + size = SHA256_SUM_LEN; + else if (!guidcmp(guid, &efi_guid_cert_x509_sha384)) + size = SHA384_SUM_LEN; + else if (!guidcmp(guid, &efi_guid_cert_x509_sha512)) + size = SHA512_SUM_LEN; + + return size; +} /** * efi_signature_check_revocation - check revocation with dbx * @sinfo: Signer's info @@ -400,7 +431,7 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL; - size_t size = 0; + size_t size = SHA256_SUM_LEN; time64_t revoc_time; bool revoked = false; 
@@ -411,13 +442,14 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, EFI_PRINT("Checking revocation against %s\n", cert->subject); for (siglist = dbx; siglist; siglist = siglist->next) { - if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) + size = guid_to_sha_len(&siglist->sig_type); + if (!size) continue; /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + if (!efi_hash_regions(reg, 1, &hash, size)) goto out; for (sig_data = siglist->sig_data_list; sig_data; @@ -500,7 +532,7 @@ bool efi_signature_verify(struct efi_image_regions *regs, */ if (!msg->data && !efi_hash_regions(regs->reg, regs->num, - (void **)&sinfo->sig->digest, NULL)) { + (void **)&sinfo->sig->digest, SHA256_SUM_LEN)) { EFI_PRINT("Digesting an image failed\n"); goto out; }
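
Review bot: In the efi_hash_regions() hunk, the result of hash_calculate(hash_algo, regs, count, *hash) is discarded, so the function returns true even when the name built from size is not an algorithm the hash layer knows. Now that the algorithm is derived from a caller-supplied length, please check the return value and return false on failure; otherwise a caller compares against a buffer that was never filled in. In the same hunk, size is a size_t, so the format should be "sha%zu" rather than "sha%ld", and the function comment should describe @size as an input digest length now that it is no longer an output pointer.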
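
Review bot: The comment added for guid_to_sha_len() does not follow the kernel-doc layout used by the efi_signature_check_revocation() comment right below it: the opening "/**" should be on its own line with the "guid_to_sha_len() - ..." summary on the next one, "used of EFI security databases" should read "used for", and a blank line is missing between the closing brace and the following "/**". The helper only reads the GUID, so the parameter could be const efi_guid_t *, and since every caller stores the result in a size_t, returning size_t instead of int would avoid the implicit conversion.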
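
Review bot: In the efi_signature_check_revocation() loop, hash is declared once outside the loop as NULL and efi_hash_regions() only allocates when *hash is NULL, so with size now changing per siglist a buffer allocated for a sha256 list (32 bytes) is reused for a later sha384 or sha512 list and hash_calculate() writes past its end. Nothing in the visible lines frees hash and resets it to NULL between iterations. Suggest either freeing and clearing hash at the top of each iteration, or allocating SHA512_SUM_LEN bytes once up front. It is also worth confirming that the comparison against sig_data further down uses the per-list size and not a fixed SHA256_SUM_LEN.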