From patchwork Tue Jul 2 18:22:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955571 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=dSYU4BiT; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBNX64Y5z1xqb for ; Wed, 3 Jul 2024 04:32:44 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 826FE887E3; Tue, 2 Jul 2024 20:32:42 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="dSYU4BiT"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E6B1E887E4; Tue, 2 Jul 2024 20:32:40 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C09E787D74 for ; Tue, 2 Jul 2024 20:32:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=raymond.mao@linaro.org Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-79d5e61704eso276397685a.3 for ; Tue, 02 Jul 2024 11:32:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1719945157; x=1720549957; darn=lists.denx.de; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=e1HYAfVjlkAiFFwMJYWGiQOWsGpJ3jn5FCf0xeu4vP0=; b=dSYU4BiTT4hxZ1Gx5HvI0yd8HTC2DrNX41VNbEhIlvGpxe46eEBeuuJd7dSOxiBhF/ mOJAJdOnW60VJrESnB0iDZqc/lttdHwj5AzbyWnrGiTb2vPvlxdB90CKI7RlVzTjSjer okmjoXHWPdpq1Ke0yDqbnzhBY1Wu4ciWucvnhVC5SF+HNmyD9KsIzk88Hzdqfc4zgvdV kpA4w4n3Xm+kzafKVihjhixxmH2byKUWOdlWdYn/KyJmt1N9b47L3Voe4q3E116kG+9a D9ti0mjotGMYRZkxLl6UwADbVD7M0wnGOYhFJClwUgbF/Q3eqkHGb1fMcjnJcSso5rXd ED+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719945157; x=1720549957; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=e1HYAfVjlkAiFFwMJYWGiQOWsGpJ3jn5FCf0xeu4vP0=; b=DpxHCdLJV1IyuOwIHZy2gMtJijwUdnCGmzCHSqxnLJo+VG/BZs923Qm1P6YaMSlyOA ZaFV7T6y+2e4pQ3b0lQXTGCyEGqLhGBgMJ8aM1rX3KkoU9Whq3hnZ20FdIuT6MtAERYJ RxAMgqHXf4OOFh1pXu3xNFZEssF0K89V8WFJshx6AVkiPJOkgvMW1eSvge09/qoFhI6F BEruE1z6gUGrR/x8xSr8MLVZEcrTXTs8O9wpLBUoqpEh0kwtaXNxovpf+/bDYW1sz9va C9AuNFkTztRhb+uCnP4fjpGpodajx8G6EkMkjh54deDFzJnxzdXiwDWZ+FRo1bw00UES x+og== X-Gm-Message-State: AOJu0YyzUJ0qAoiBbRRAfEBao/2/BmUW3yPLEjeUMA5o1H5+N4lkjtLH 4JdJpqDCGBiCBysooZe3uFaBKuXtbwi5CniRohlx3/QG4rpOmsCSGc4/REkwoejRRk+bZPfLj1W e X-Google-Smtp-Source: AGHT+IEFF/5i+NtZOe97oKpTSShLZAW1gnvULYGFf+PsuSlxqjQz/hf3EOEJkEfXcsxFbkDL0by1Vg== X-Received: by 2002:a05:620a:462b:b0:79d:8033:91da with SMTP id af79cd13be357-79d80339485mr1106009985a.22.1719945157347; Tue, 02 Jul 2024 11:32:37 -0700 (PDT) Received: from ubuntu.localdomain (pool-174-114-184-37.cpe.net.cable.rogers.com. [174.114.184.37]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-446514b613dsm43316351cf.84.2024.07.02.11.32.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jul 2024 11:32:36 -0700 (PDT) From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Ilias Apalodimas , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Ilya Lukin <4.shket@gmail.com>, Sergei Antonov , Igor Opaniuk , Heinrich Schuchardt , Bin Meng , Alper Nebi Yasak , Abdellatif El Khlifi , AKASHI Takahiro , Alexander Gendin , =?utf-8?q?Vincent_Stehl=C3=A9?= , Oleksandr Suvorov Subject: [PATCH v4 22/29] lib/crypto: Adapt PKCS7 parser to MbedTLS Date: Tue, 2 Jul 2024 11:22:58 -0700 Message-Id: <20240702182325.2904421-23-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Previous patch has introduced MbedTLS porting layer for PKCS7 parser, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. - Minor fix of the include directories. include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++ lib/crypto/Makefile | 7 +++-- 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 2c45cce5234..469c2711fa6 100644 --- a/include/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h @@ -11,6 +11,12 @@ #include #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #include #define kenter(FMT, ...) \ @@ -18,7 +24,54 @@ #define kleave(FMT, ...) \ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) +/* Backup the parsed MedTLS context that we need */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +struct pkcs7_mbedtls_ctx { + void *content_data; +}; + +struct pkcs7_sinfo_mbedtls_ctx { + void *authattrs_data; + void *content_data_digest; +}; +#endif + +/* + * MbedTLS integration Notes: + * + * MbedTLS PKCS#7 library does not originally support parsing MicroSoft + * Authentication Code which is used for verifying the PE image digest. + * + * 1. Authenticated Attributes (authenticatedAttributes) + * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes + * fields not exist. + * See MbedTLS function 'pkcs7_get_signer_info' for details. + * + * 2. MicroSoft Authentication Code (mscode) + * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1 + * (MBEDTLS_OID_PKCS7_DATA, aka OID_data). + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka + * OID_msIndirectData) is not supported. + * See MbedTLS function 'pkcs7_get_content_info_type' for details. + * + * But the EFI loader assumes that a PKCS#7 message with an EFI image always + * contains MicroSoft Authentication Code as Content Data (msg->data is NOT + * NULL), see function 'efi_signature_verify'. + * + * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch" + * is to support both above features by parsing the Content Data and + * Authenticate Attributes from a given PKCS#7 message. + * + * Other fields we don't need to populate from MbedTLS, which are used + * internally by pkcs7_verify: + * 'signer', 'unsupported_crypto', 'blacklisted' + * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of + * Content Data or Authenticate Attributes. + */ struct pkcs7_signed_info { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx; +#endif struct pkcs7_signed_info *next; struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ unsigned index; @@ -55,6 +108,9 @@ struct pkcs7_signed_info { }; struct pkcs7_message { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *certs; /* Certificate list */ struct x509_certificate *crl; /* Revocation list */ struct pkcs7_signed_info *signed_infos; diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 7f5f04d582c..428dcba0a6b 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h # PKCS#7 message handling # obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o -pkcs7_message-y := \ +pkcs7_message-y := pkcs7_helper.o +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ pkcs7.asn1.o \ - pkcs7_helper.o \ pkcs7_parser.o -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h +obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o + # # Signed PE binary-wrapped key handling #