Message ID | 20240816214436.1877263-10-raymond.mao@linaro.org |
---|---|
State | Changes Requested |
Delegated to: | Tom Rini |
Headers | show |
Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Sat, 17 Aug 2024 at 00:48, Raymond Mao <raymond.mao@linaro.org> wrote: > > Populate Microsoft Authentication Code from the content data > into PKCS7 decoding context if it exists in a PKCS7 message. > Add OIDs for describing objects using for Microsoft Authentication > Code. > > The PR for this patch is at: > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > For enabling EFI loader PKCS7 features with MbedTLS build, > we need this patch on top of MbedTLS v3.6.0 before it is merged into > the next MbedTLS LTS release. > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > --- > Changes in v2 > - None. > Changes in v3 > - Update commit message. > Changes in v4 > - None. > Changes in v5 > - None. > Changes in v6 > - None. > > .../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++ > .../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++ > lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++---- > 3 files changed, 90 insertions(+), 10 deletions(-) > > diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > index fdc25ebf885..2ee982808fa 100644 > --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > @@ -352,6 +352,36 @@ > #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ > #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */ > > +/* > + * MicroSoft Authenticate Code OIDs > + */ > +#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */ > +#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */ > +/* > + * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4) > + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)} > + */ > +#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ > + "\x02\x01\x04" > +/* > + * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11) > + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)} > + */ > +#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ > + "\x02\x01\x0b" > +/* > + * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12) > + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)} > + */ > +#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ > + "\x02\x01\x0b" > +/* > + * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15) > + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)} > + */ > +#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ > + "\x02\x01\x0f" > + > /* > * EC key algorithms from RFC 5480 > */ > diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > index e9b482208e6..9e29b74af70 100644 > --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data { > } > mbedtls_pkcs7_signed_data; > > +/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */ > +typedef struct mbedtls_pkcs7_conten_data { > + int data_type; /* Type of Data */ > + size_t data_len; /* Length of Data */ > + size_t data_hdrlen; /* Length of Data ASN.1 header */ > + void *data; /* Content Data */ > +} > +mbedtls_pkcs7_conten_data; > + > /** > * Structure holding PKCS #7 structure, only signed data for now > */ > typedef struct mbedtls_pkcs7 { > mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); > mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); > + mbedtls_pkcs7_conten_data content_data; > } > mbedtls_pkcs7; > > diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c > index 3aac662ba69..0c2436b56b7 100644 > --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c > +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c > @@ -29,6 +29,13 @@ > #include <time.h> > #endif > > +enum OID { > + /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */ > + MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */ > + /* Microsoft Authenticode & Software Publishing */ > + MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */ > +}; > + > /** > * Initializes the mbedtls_pkcs7 structure. > */ > @@ -449,7 +456,7 @@ cleanup: > * signerInfos SignerInfos } > */ > static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, > - mbedtls_pkcs7_signed_data *signed_data) > + mbedtls_pkcs7 *pkcs7) > { > unsigned char *p = buf; > unsigned char *end = buf + buflen; > @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, > size_t len = 0; > int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; > mbedtls_md_type_t md_alg; > + mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data; > > ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED > | MBEDTLS_ASN1_SEQUENCE); > @@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, > if (ret != 0) { > return ret; > } > - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { > + > + /* > + * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and > + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for > + * U-Boot Secure Boot > + */ > + if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { > + pkcs7->content_data.data_type = MBEDTLS_OID_DATA; > + } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, > + &content_type)) { > + pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA; > + } else { > return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; > } > > if (p != end_content_info) { > + unsigned char *tmp_p = p; > + > /* Determine if valid content is present */ > ret = mbedtls_asn1_get_tag(&p, > end_content_info, > &len, > - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); > + MBEDTLS_ASN1_CONSTRUCTED | > + MBEDTLS_ASN1_CONTEXT_SPECIFIC); > + if (ret != 0 || p + len != end_content_info) { > + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, > + ret); > + } > + > + /* > + * U-Boot Secure Boot needs to calculate the digest of MicroSoft > + * Authentication Code during verifying an EFI image. > + * Thus we need to save the context of Content Data. > + */ > + pkcs7->content_data.data_hdrlen = p - tmp_p; > + /* Parse the content data from a sequence */ > + ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, > + MBEDTLS_ASN1_CONSTRUCTED | > + MBEDTLS_ASN1_SEQUENCE); > if (ret != 0) { > - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); > + /* TODO: Other Content Data formats are not supported at the moment */ > + return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; > + } else if (p + len != end_content_info) { > + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, > + ret); > } > + > + pkcs7->content_data.data = p; > + pkcs7->content_data.data_len = len; > + > p += len; > - if (p != end_content_info) { > - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); > - } > - /* Valid content is present - this is not supported */ > - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; > } > > /* Look for certificates, there may or may not be any */ > @@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, > } > > try_data: > - ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data); > + ret = pkcs7_get_signed_data(p, len, pkcs7); > if (ret != 0) { > goto out; > } > -- > 2.25.1 > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index fdc25ebf885..2ee982808fa 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h @@ -352,6 +352,36 @@ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */ +/* + * MicroSoft Authenticate Code OIDs + */ +#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */ +#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */ +/* + * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)} + */ +#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x04" +/* + * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)} + */ +#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)} + */ +#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)} + */ +#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0f" + /* * EC key algorithms from RFC 5480 */ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index e9b482208e6..9e29b74af70 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data { } mbedtls_pkcs7_signed_data; +/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */ +typedef struct mbedtls_pkcs7_conten_data { + int data_type; /* Type of Data */ + size_t data_len; /* Length of Data */ + size_t data_hdrlen; /* Length of Data ASN.1 header */ + void *data; /* Content Data */ +} +mbedtls_pkcs7_conten_data; + /** * Structure holding PKCS #7 structure, only signed data for now */ typedef struct mbedtls_pkcs7 { mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); + mbedtls_pkcs7_conten_data content_data; } mbedtls_pkcs7; diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 3aac662ba69..0c2436b56b7 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -29,6 +29,13 @@ #include <time.h> #endif +enum OID { + /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */ + MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */ + /* Microsoft Authenticode & Software Publishing */ + MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */ +}; + /** * Initializes the mbedtls_pkcs7 structure. */ @@ -449,7 +456,7 @@ cleanup: * signerInfos SignerInfos } */ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, - mbedtls_pkcs7_signed_data *signed_data) + mbedtls_pkcs7 *pkcs7) { unsigned char *p = buf; unsigned char *end = buf + buflen; @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; + mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data; ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); @@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, if (ret != 0) { return ret; } - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + + /* + * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for + * U-Boot Secure Boot + */ + if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_DATA; + } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, + &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA; + } else { return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; } if (p != end_content_info) { + unsigned char *tmp_p = p; + /* Determine if valid content is present */ ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CONTEXT_SPECIFIC); + if (ret != 0 || p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); + } + + /* + * U-Boot Secure Boot needs to calculate the digest of MicroSoft + * Authentication Code during verifying an EFI image. + * Thus we need to save the context of Content Data. + */ + pkcs7->content_data.data_hdrlen = p - tmp_p; + /* Parse the content data from a sequence */ + ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); + /* TODO: Other Content Data formats are not supported at the moment */ + return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + } else if (p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); } + + pkcs7->content_data.data = p; + pkcs7->content_data.data_len = len; + p += len; - if (p != end_content_info) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); - } - /* Valid content is present - this is not supported */ - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } /* Look for certificates, there may or may not be any */ @@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } try_data: - ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data); + ret = pkcs7_get_signed_data(p, len, pkcs7); if (ret != 0) { goto out; }
Populate Microsoft Authentication Code from the content data into PKCS7 decoding context if it exists in a PKCS7 message. Add OIDs for describing objects using for Microsoft Authentication Code. The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001 For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. .../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++ .../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++ lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++---- 3 files changed, 90 insertions(+), 10 deletions(-)