[Skiboot] [PATCH v2 0/5] secvar cleanups and fixes
Daniel Axtens
dja at axtens.net
Mon Jun 21 18:26:36 AEST 2021

We recently found that our mbedtls PKCS#7 implementation has a potentially
nasty bug. It turns out we don't use the affected function in skiboot,
but we want to fix it anyway in case we use it in future.

v1: https://lists.ozlabs.org/pipermail/skiboot/2021-May/017534.html

Nayna suggested that we might want to do a more thorough job while we're
at it, and the more I look at things the more I want to change!

The first 3 patches are fairly trivial cleanups. Patch 5 is the mbedtls
fix: it's dead code but is included to prevent any future issues.

The bulk of my changes are in patch 4, where I attempt to make sure we
only handle PKCS#7 messages that embed a sha256 signature. My main
concern is that if we ever were passed an auth structure which embedded
a PKCS#7 message with a sha512 signature, we would end up overreading
our hash buffer because mbedtls has a curious disregard for the supplied
hash length. I also try - not entirely successfully - to future-proof us
against future mbedtls updates.

As usual, I can't test this.

Daniel Axtens (5):
  secvar/backend: rename verify_signature parameters
  secvar/backend: clarify variables in process_update
  secvar/backend: fix comment of get_hash_to_verify
  secvar/backend: redo hash algorithm handling for auth structures
  secvar/pkcs7: fix a wrong sizeof()

 libstb/crypto/pkcs7/pkcs7.c                 |  2 +-
 libstb/secvar/backend/edk2-compat-process.c | 35 ++++++++++++++-------
 2 files changed, 24 insertions(+), 13 deletions(-)

--
2.30.2
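
An added illustration of the restriction the cover letter describes for patch 4: accept a PKCS#7 message only when its digest algorithm is SHA-256 and the hash buffer is 32 bytes, so a verifier that ignores the supplied hash length cannot be led to read past that buffer. This is not code from the skiboot patches; the function names and the sample AlgorithmIdentifier bytes are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA256_LEN 32

/* DER content bytes of OID 2.16.840.1.101.3.4.2.1 (id-sha256). */
static const uint8_t OID_SHA256[] = {
    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
};

/* Constructed sample AlgorithmIdentifiers: SEQUENCE { OID, NULL }. */
const uint8_t ALG_SHA256[] = { 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                               0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00 };
const uint8_t ALG_SHA512[] = { 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                               0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00 };

/* Return 1 only if der is an AlgorithmIdentifier naming SHA-256.
 * Long-form DER lengths are rejected, so unknown encodings fail closed. */
int digest_alg_is_sha256(const uint8_t *der, size_t len)
{
    size_t seq_len, oid_len;

    if (len < 4 || der[0] != 0x30 || (der[1] & 0x80))
        return 0;                       /* not a short-form SEQUENCE */
    seq_len = der[1];
    if (seq_len < 2 || seq_len > len - 2)
        return 0;                       /* SEQUENCE runs past the input */
    if (der[2] != 0x06 || (der[3] & 0x80))
        return 0;                       /* first element is not an OID */
    oid_len = der[3];
    if (oid_len > seq_len - 2 || oid_len != sizeof(OID_SHA256))
        return 0;
    return memcmp(der + 4, OID_SHA256, oid_len) == 0;
}

/* Gate to run before signature verification (hypothetical helper).
 * Returns 0 when the hash buffer may be handed to the verifier,
 * -1 for any digest algorithm other than SHA-256, -2 for a wrong size. */
int check_hash_for_verify(const uint8_t *alg_der, size_t alg_len,
                          size_t hash_buf_len)
{
    if (!digest_alg_is_sha256(alg_der, alg_len))
        return -1;
    if (hash_buf_len != SHA256_LEN)
        return -2;
    return 0;
}
```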