[Skiboot] [PATCH v2 0/5] secvar cleanups and fixes

Daniel Axtens dja at axtens.net
Mon Jun 21 18:26:36 AEST 2021

We recently found that our mbedtls PKCS#7 implementation has a potentially
nasty bug. It turns out we don't use the affected function in skiboot,
but we want to fix it anyway in case we use it in future.

v1: https://lists.ozlabs.org/pipermail/skiboot/2021-May/017534.html

Nayna suggested that we might want to do a more thorough job while we're
at it, and the more I look at things the more I want to change!

The first 3 patches are fairly trivial cleanups. Patch 5 is the mbedtls
fix: it's dead code but is included to prevent any future issues.

The bulk of my changes are in patch 4, where I attempt to make sure we
only handle PKCS#7 messages that embed a sha256 signature. My main
concern is that if we ever were passed an auth structure which embedded
a PKCS#7 message with a sha512 signature, we would end up overreading
our hash buffer because mbedtls has a curious disregard for the supplied
hash length. I also try - not entirely successfully - to future-proof us
against future mbedtls updates.

As usual, I can't test this.

Daniel Axtens (5):
  secvar/backend: rename verify_signature parameters
  secvar/backend: clarify variables in process_update
  secvar/backend: fix comment of get_hash_to_verify
  secvar/backend: redo hash algorithm handling for auth structures
  secvar/pkcs7: fix a wrong sizeof()

 libstb/crypto/pkcs7/pkcs7.c                 |  2 +-
 libstb/secvar/backend/edk2-compat-process.c | 35 ++++++++++++++-------
 2 files changed, 24 insertions(+), 13 deletions(-)


More information about the Skiboot mailing list