Message ID | 20240702182325.2904421-24-raymond.mao@linaro.org
---|---
State | Changes Requested
Delegated to | Tom Rini
Series | Integrate MbedTLS v3.6 LTS with U-Boot
Hi Raymond

On Tue, 2 Jul 2024 at 21:33, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Add porting layer for MSCode on top of MbedTLS ASN1 library.
> Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
> MbedTLS implementations respectively.

You should mention explicitly in the commit message that this patch is expected to be merged in mbedTLS upstream and we can remove it in the future.

>
> Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
> ---
> Changes in v2
> - Move the porting layer to MbedTLS dir.
> Changes in v3
> - None.
> Changes in v4
> - Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
>   MbedTLS implementations respectively.
> - Fix a few code style.
>
>  lib/mbedtls/Kconfig         |  17 +++++
>  lib/mbedtls/Makefile        |   1 +
>  lib/mbedtls/mscode_parser.c | 123 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 141 insertions(+)
>  create mode 100644 lib/mbedtls/mscode_parser.c
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > index 8c5b617bb48..d8a8f87e031 100644 > --- a/lib/mbedtls/Kconfig > +++ b/lib/mbedtls/Kconfig > @@ -126,6 +126,7 @@ config LEGACY_CRYPTO_CERT > ASYMMETRIC_PUBLIC_KEY_SUBTYPE > select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER > select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER > + select MSCODE_PARSER_LEGACY if MSCODE_PARSER > select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ > ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL > help
> @@ -156,6 +157,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY > This option chooses legacy certificate library for PKCS7 message > parser. > > +config MSCODE_PARSER_LEGACY

Where is this used? Is it on a later patch? The MSCODE_PARSER_MBEDTLS option is part of this patch in the Makefile.

> + bool "MS authenticode parser with legacy certificate library" > + depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER > + select ASN1_DECODER_LEGACY > + help > + This option chooses legacy certificate library for MS authenticode > + parser. > + > if SPL > > config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY > @@ -280,6 +289,7 @@ config MBEDTLS_LIB_X509 > ASYMMETRIC_PUBLIC_KEY_SUBTYPE > select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER > select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER > + select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER > select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ > ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL > help > @@ -309,6 +319,13 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS > This option chooses MbedTLS certificate library for PKCS7 message > parser. > > +config MSCODE_PARSER_MBEDTLS > + bool "MS authenticode parser with MbedTLS certificate library" > + select ASN1_DECODER_MBEDTLS > + help > + This option chooses MbedTLS certificate library for MS authenticode > + parser. > + > if SPL > > config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS > diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > index 7b40ff0c467..ac7c487449d 100644 > --- a/lib/mbedtls/Makefile > +++ b/lib/mbedtls/Makefile > @@ -27,6 +27,7 @@ x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ > x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ > x509_cert_parser.o > x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o > +x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o > > # MbedTLS crypto library > obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
> diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c > new file mode 100644 > index 00000000000..c3805c6503c > --- /dev/null > +++ b/lib/mbedtls/mscode_parser.c > @@ -0,0 +1,123 @@
[...]

Thanks
/Ilias
Hi Ilias,

On Fri, 26 Jul 2024 at 06:10, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
> Hi Raymond
>
> On Tue, 2 Jul 2024 at 21:33, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Add porting layer for MSCode on top of MbedTLS ASN1 library.
> > Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
> > MbedTLS implementations respectively.
>
> You should mention explicitly in the commit message that this patch
> is expected to be merged in mbedTLS upstream and we can remove it in
> the future.
>

This patch is a native U-Boot patch. The ones for MbedTLS upstream are all tagged with "mbedtls/external".

> >
> > Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
> > ---
> > Changes in v2
> > - Move the porting layer to MbedTLS dir.
> > Changes in v3
> > - None.
> > Changes in v4
> > - Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
> >   MbedTLS implementations respectively.
> > - Fix a few code style.
> >
> >  lib/mbedtls/Kconfig         |  17 +++++
> >  lib/mbedtls/Makefile        |   1 +
> >  lib/mbedtls/mscode_parser.c | 123 ++++++++++++++++++++++++++++++++++++
> >  3 files changed, 141 insertions(+)
> >  create mode 100644 lib/mbedtls/mscode_parser.c
> >
> > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > > index 8c5b617bb48..d8a8f87e031 100644 > > --- a/lib/mbedtls/Kconfig > > +++ b/lib/mbedtls/Kconfig > > @@ -126,6 +126,7 @@ config LEGACY_CRYPTO_CERT > > ASYMMETRIC_PUBLIC_KEY_SUBTYPE > > select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER > > select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER > > + select MSCODE_PARSER_LEGACY if MSCODE_PARSER > > select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ > > ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL > > help
> > @@ -156,6 +157,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY > > This option chooses legacy certificate library for PKCS7 > message > > parser. > > > > +config MSCODE_PARSER_LEGACY
>
> Where is this used? Is it on a later patch? The MSCODE_PARSER_MBEDTLS
> option is part of this patch in the Makefile.
>

It is used in the next patch (#24); it is good to split into two since they are in different domains (mbedtls/crypto).

Regards,
Raymond
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 8c5b617bb48..d8a8f87e031 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -126,6 +126,7 @@ config LEGACY_CRYPTO_CERT ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -156,6 +157,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY This option chooses legacy certificate library for PKCS7 message parser. +config MSCODE_PARSER_LEGACY + bool "MS authenticode parser with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY @@ -280,6 +289,7 @@ config MBEDTLS_LIB_X509 ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -309,6 +319,13 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS This option chooses MbedTLS certificate library for PKCS7 message parser. +config MSCODE_PARSER_MBEDTLS + bool "MS authenticode parser with MbedTLS certificate library" + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 7b40ff0c467..ac7c487449d 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -27,6 +27,7 @@ x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o +x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c new file mode 100644 index 00000000000..c3805c6503c --- /dev/null +++ b/lib/mbedtls/mscode_parser.c 
@@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * MSCode parser using MbedTLS ASN1 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao <raymond.mao@linaro.org> + */ + +#include <linux/kernel.h> +#include <linux/err.h> +#include <crypto/pkcs7.h> +#include <crypto/mscode.h> + +/* + * Parse a Microsoft Individual Code Signing blob + * + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID) + * U.P.SEQUENCE { + * U.P.BITSTRING NaN : 0 unused bit(s); + * [C.P.0] { + * [C.P.2] { + * [C.P.0] <arbitrary string> + * } + * } + * } + * } + * U.P.SEQUENCE { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER <digest algorithm OID> + * U.P.NULL + * } + * U.P.OCTETSTRING <PE image digest> + * } + * + * @ctx: PE file context. + * @content_data: content data pointer. + * @data_len: content data length. + * @asn1hdrlen: ASN1 header length. + */ +int mscode_parse(void *ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen) +{ + struct pefile_context *_ctx = ctx; + unsigned char *p = (unsigned char *)content_data; + unsigned char *end = (unsigned char *)content_data + data_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, + len)) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + + /* + * Check if the inner sequence 
contains a supported hash + * algorithm OID + */ + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len)) + _ctx->digest_algo = "md5"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, + len)) + _ctx->digest_algo = "sha1"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, + len)) + _ctx->digest_algo = "sha224"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, + len)) + _ctx->digest_algo = "sha256"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, + len)) + _ctx->digest_algo = "sha384"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, + len)) + _ctx->digest_algo = "sha512"; + + if (!_ctx->digest_algo) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + _ctx->digest = p; + _ctx->digest_len = len; + + return 0; +}
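Review bot: In the `@@ -309,6 +319,13 @@` Kconfig hunk, `config MSCODE_PARSER_MBEDTLS` carries a user-visible prompt but no `depends on`, unlike its counterpart `MSCODE_PARSER_LEGACY` in the `@@ -156,6 +157,14 @@` hunk, which has `depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER`. As written the MbedTLS option can be switched on from menuconfig with `MSCODE_PARSER` or `MBEDTLS_LIB_X509` off, which still fires `select ASN1_DECODER_MBEDTLS` and builds `mscode_parser.o` via the Makefile hunk for a parser that nothing selected. Mirror the legacy option with `depends on MBEDTLS_LIB_X509 && MSCODE_PARSER` so that both backends are normally reached only through the `select ... if MSCODE_PARSER` lines in `LEGACY_CRYPTO_CERT` and `MBEDTLS_LIB_X509`.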
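Review bot: In `mscode_parse()` in the `lib/mbedtls/mscode_parser.c` hunk, the error domain is mixed: every failing `mbedtls_asn1_get_tag()` call returns its MbedTLS `MBEDTLS_ERR_ASN1_*` code unchanged while the two OID checks return `-EINVAL`, so a caller testing for -errno values cannot interpret a parse failure consistently; map the MbedTLS codes to an errno (for example `-EBADMSG`) before returning. The digest-algorithm chain also has no final `else`, so `if (!_ctx->digest_algo) return -EINVAL;` only rejects an unknown OID when `digest_algo` was already NULL on entry; set `_ctx->digest_algo = NULL` before the chain, or return `-EINVAL` in an `else` branch, so a reused context cannot carry a stale algorithm past the check. Smaller points: the file calls `mbedtls_asn1_get_tag()` and uses the `MBEDTLS_ASN1_*`, `MBEDTLS_OID_CMP_RAW()` and `MBEDTLS_OID_*` macros but includes neither `<mbedtls/asn1.h>` nor `<mbedtls/oid.h>`, leaving the build to get them indirectly through `crypto/pkcs7.h` or `crypto/mscode.h`; `asn1hdrlen` is documented as "ASN1 header length" but never read, so either use it or state in the comment why the MbedTLS path does not need it; `seq_len` is overwritten with the inner AlgorithmIdentifier length, so the final OCTET STRING read is bounded by `end` rather than by the DigestInfo SEQUENCE it belongs to, and keeping the outer length in its own variable would tighten that check; and the accepted list still includes `md5` and `sha1`, which deserves a comment saying whether that is intended, since it means a PE image digested with a broken hash still passes this parser.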
Add porting layer for MSCode on top of MbedTLS ASN1 library.
Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
MbedTLS implementations respectively.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
  MbedTLS implementations respectively.
- Fix a few code style.

 lib/mbedtls/Kconfig         |  17 +++++
 lib/mbedtls/Makefile        |   1 +
 lib/mbedtls/mscode_parser.c | 123 ++++++++++++++++++++++++++++++++++++
 3 files changed, 141 insertions(+)
 create mode 100644 lib/mbedtls/mscode_parser.c