[Skiboot] [PATCH 2/3] crypto: add pkcs7 parser

Nayna nayna at linux.vnet.ibm.com
Tue Jul 23 02:04:38 AEST 2019



On 07/22/2019 04:57 AM, Oliver O'Halloran wrote:
> On Thu, 2019-07-18 at 16:29 -0500, Eric Richter wrote:
>> From: Nayna Jain <nayna at linux.ibm.com>
>>
>> The secure boot key management involves verification of the key updates
>> which are signed using PKCS7 structure. Though the mbedtls crypto API
>> comes with various crypto API support, it doesn't support PKCS7.
> Is there any reason why you aren't trying to contribute this upstream?
> I'd be a hell of a lot more willing to trust that the code is correct
> if it was reviewed upstream.


Thanks Oliver for the review.
We would really like to contribute it upstream, however due to time 
constraints we have only implemented the limited subset of features 
needed for our secure boot support.


>
>> This patch implements the PKCS7 parser that extracts the signer's info
>> and the signature using mbedtls ASN.1 parsing library. The pkcs7 parser
>> is not fully implemented, but limited to the OpenPOWER key update
>> authentication requirements (eg. single certificate, no CRLs, single
>> signer info, NULL content data, NULL parametes for digest algorithms).
>>
>> It currently supports the following validation checks:
>> * Supports only signed data
>> * Version should be 1
>> * Supports only SHA256 hash algorithm
> Two questions:
>
> a) What is going to be producing the PKCS#7 blob?

That is produced by the edk2-compatible userspace tools.


> b) How are the restrictions of our parser communicated to that?


These are inferred by the backend type (edk2-compatible-v1) exposed in 
the device-tree, which specifies a format, algorithm, etc to use for the 
updates. Use of unsupported formats, etc will be rejected during update 
processing.


>
> I'm a little concerned that you are creating an ABI problem but the
> functionality is spread across OPAL, the kernel and userspace so it's
> hard to tell what's going.


Do the answers above address your concerns, or are we missing something 
in understanding your concerns ?


Thanks for the code feedback as well. We will address them in the next 
version.


Thanks & Regards,
         - Nayna





More information about the Skiboot mailing list