[Skiboot] [PATCH v3] secvar/backend: require sha256 in our PKCS#7 messages

Daniel Axtens dja at axtens.net
Thu Jun 24 18:43:57 AEST 2021


We only handle sha256 hashes in auth structures.

In the process of verifying an auth structure, we extract the pkcs7
message and we calculate the hopefully-matching hash, which is
sha256(name || vendor guid || attributes || timestamp || newcontent)
We then verify that the PKCS#7 signature matches that calculated hash.

However, at no point do we check that the PKCS#7 hash algorithm is
sha256. So if the PKCS#7 message says that it is a signature over a
sha512 hash, mbedtls will compare 64 bytes of hash from the signature
with 64 bytes read from our hash, resulting in a 32 byte overread.

Verify that the hash algorithm in the PKCS#7 message is sha256.

Add a test.

Signed-off-by: Daniel Axtens <dja at axtens.net>

---

This is the minimal fix for the underlying bug. It should probably
go in ahead of any potential future reworking of the area.

v3: add a test. Without the fix, valgrind observes overreads when
    running the test. Thanks Nayna.

    The test reveals that the pkcs is checked for each potential
    authority key rather than just once, but that can be dealt with via
    refactor at another point.

v2: thanks Nick and Nayna for your feedback. Added error messages
    and properly cleaned up the pkcs7 structure.
---
 libstb/secvar/backend/edk2-compat-process.c  |  22 +++
 libstb/secvar/test/data/pkcs7_sha512.h       | 181 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c |  13 ++
 3 files changed, 216 insertions(+)
 create mode 100644 libstb/secvar/test/data/pkcs7_sha512.h

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 244f23403fe0..df9753245014 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -11,6 +11,7 @@
 #include <stdint.h>
 #include <ccan/endian/endian.h>
 #include <mbedtls/error.h>
+#include <mbedtls/oid.h>
 #include <device.h>
 #include <assert.h>
 #include "libstb/crypto/pkcs7/pkcs7.h"
@@ -460,6 +461,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 {
 	mbedtls_pkcs7 *pkcs7 = NULL;
 	mbedtls_x509_crt x509;
+	mbedtls_md_type_t md_alg;
 	char *signing_cert = NULL;
 	char *x509_buf = NULL;
 	int signing_cert_size;
@@ -478,6 +480,25 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 	if (!pkcs7)
 		return OPAL_PARAMETER;
 
+	/*
+	 * We only support sha256, which has a hash length of 32.
+	 * If the alg is not sha256, then we should bail now.
+	 */
+	rc = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers,
+				    &md_alg);
+	if (rc != 0) {
+		prlog(PR_ERR, "Failed to get the Digest Algorithm Identifier: %d\n", rc);
+		rc = OPAL_PARAMETER;
+		goto err_pkcs7;
+	}
+
+	if (md_alg != MBEDTLS_MD_SHA256) {
+		prlog(PR_ERR, "Unexpected digest algorithm: expected %d (SHA-256), got %d\n",
+		      MBEDTLS_MD_SHA256, md_alg);
+		rc = OPAL_PARAMETER;
+		goto err_pkcs7;
+	}
+
 	prlog(PR_INFO, "Load the signing certificate from the keystore");
 
 	eslvarsize = avar->data_size;
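Review bot: The new guard inspects only `pkcs7->signed_data.digest_alg_identifiers`, the SignedData-level field, while a PKCS#7 signer info carries its own digest algorithm identifier (the test vector added in this patch appears to carry the SHA-512 OID in both places). If the verification call further down in verify_signature, which is outside this hunk, takes the digest type from the per-signer field instead, the two could disagree and the 32-byte hash could still be compared at a longer length. Either require that identifier to be SHA-256 as well, or have the comment state which field the verifier uses. For the comment I would write `/* Our computed hash is 32 bytes; the verifier compares digest-size bytes for the algorithm named here, so anything but sha256 overreads it. */`. The function body starts and ends outside the hunk.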
@@ -562,6 +583,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
 	}
 
 	free(signing_cert);
+err_pkcs7:
 	mbedtls_pkcs7_free(pkcs7);
 	free(pkcs7);
 
diff --git a/libstb/secvar/test/data/pkcs7_sha512.h b/libstb/secvar/test/data/pkcs7_sha512.h
new file mode 100644
index 000000000000..bd120b11e042
--- /dev/null
+++ b/libstb/secvar/test/data/pkcs7_sha512.h
@@ -0,0 +1,181 @@
+unsigned char pkcs7_sha512[] = {
+  0xe5, 0x07, 0x06, 0x18, 0x12, 0x0e, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0xe8, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e,
+  0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d,
+  0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0xcc, 0x06, 0x09, 0x2a, 0x86,
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0xbd, 0x30,
+  0x82, 0x04, 0xb9, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09,
+  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
+  0x03, 0x2d, 0x30, 0x82, 0x03, 0x29, 0x30, 0x82, 0x02, 0x11, 0xa0, 0x03,
+  0x02, 0x01, 0x02, 0x02, 0x14, 0x6b, 0x7b, 0x12, 0xf0, 0xc6, 0x66, 0x78,
+  0x78, 0xa1, 0xa2, 0xe8, 0x79, 0x4b, 0x31, 0xa5, 0xa8, 0x9e, 0x58, 0x7a,
+  0x41, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+  0x01, 0x0b, 0x05, 0x00, 0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06,
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e,
+  0x67, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30,
+  0x31, 0x30, 0x31, 0x36, 0x31, 0x39, 0x30, 0x38, 0x30, 0x35, 0x5a, 0x17,
+  0x0d, 0x32, 0x30, 0x31, 0x31, 0x31, 0x35, 0x31, 0x39, 0x30, 0x38, 0x30,
+  0x35, 0x5a, 0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+  0x06, 0x13, 0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55,
+  0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20,
+  0x63, 0x6f, 0x72, 0x70, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09,
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
+  0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
+  0x00, 0xcf, 0xf3, 0x6e, 0xc9, 0xaf, 0x12, 0x42, 0xdb, 0xa9, 0x59, 0x6d,
+  0xef, 0xf6, 0x0e, 0x54, 0xe8, 0x21, 0x57, 0xc4, 0x78, 0x3f, 0x6d, 0x83,
+  0x37, 0x1a, 0x29, 0x10, 0xd2, 0xb8, 0xb7, 0x24, 0x49, 0x5f, 0x5f, 0x32,
+  0xc9, 0x39, 0xdc, 0x40, 0xa4, 0x5d, 0xea, 0x7b, 0xb7, 0xb3, 0x42, 0xab,
+  0x43, 0x47, 0x3d, 0x91, 0x6e, 0xf1, 0x5d, 0x3f, 0xf9, 0x2d, 0x9e, 0x88,
+  0xc4, 0x05, 0x73, 0x9b, 0x0a, 0xa8, 0xf7, 0xb2, 0x8e, 0x24, 0x69, 0x13,
+  0xf0, 0xbc, 0x5d, 0xde, 0x32, 0x40, 0x42, 0x31, 0x58, 0x9e, 0x48, 0x76,
+  0x1f, 0x6b, 0x10, 0x19, 0x1c, 0x4e, 0x45, 0x82, 0x19, 0xc0, 0xed, 0xfc,
+  0x5c, 0x7c, 0x19, 0xfd, 0x85, 0x13, 0x2b, 0xf0, 0x38, 0x83, 0x7b, 0xe5,
+  0x1d, 0x86, 0x70, 0xed, 0x8f, 0x52, 0x16, 0x60, 0x14, 0xfb, 0xaf, 0x23,
+  0x19, 0xa5, 0x45, 0x44, 0x91, 0x54, 0xd0, 0xe8, 0x79, 0x34, 0xbe, 0x4f,
+  0xb3, 0x8c, 0x56, 0x8c, 0x7c, 0xbf, 0x6a, 0xa2, 0x44, 0x04, 0x51, 0xe5,
+  0x0f, 0x30, 0x04, 0xe9, 0x90, 0xb1, 0x8a, 0xe3, 0x9b, 0x95, 0xb1, 0xd6,
+  0xde, 0x9e, 0x98, 0x14, 0x07, 0x63, 0xbd, 0x88, 0x94, 0x54, 0xb6, 0x03,
+  0x8d, 0xf5, 0x8e, 0xca, 0x82, 0xc8, 0xb1, 0x78, 0xba, 0xb4, 0x21, 0x45,
+  0x6f, 0xd4, 0x0c, 0xda, 0xcb, 0x81, 0x1a, 0x9b, 0xb2, 0x0c, 0xa9, 0x7c,
+  0x48, 0x84, 0xc8, 0xbd, 0xce, 0x46, 0x1b, 0x8b, 0x38, 0xe2, 0x67, 0x50,
+  0x3c, 0x3e, 0x3e, 0x32, 0xec, 0x0b, 0x39, 0xc7, 0xe0, 0xd5, 0x00, 0xc5,
+  0x7a, 0xd3, 0x1c, 0xd1, 0xfb, 0x0a, 0xc7, 0x5b, 0x1d, 0x21, 0x3d, 0x50,
+  0x53, 0x87, 0xa1, 0xb4, 0x16, 0x5b, 0x1e, 0x80, 0x80, 0xaa, 0xe5, 0xf9,
+  0x69, 0x6c, 0x48, 0xab, 0x45, 0x66, 0x05, 0x04, 0xc7, 0xad, 0xc1, 0x24,
+  0x4a, 0xde, 0xad, 0x14, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53,
+  0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
+  0x14, 0x69, 0x73, 0x3b, 0xcc, 0xa5, 0x2b, 0x5b, 0xd1, 0xfe, 0xe9, 0x73,
+  0xa3, 0xcb, 0x90, 0x84, 0x0a, 0xa3, 0x60, 0x5f, 0xbb, 0x30, 0x1f, 0x06,
+  0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x69, 0x73,
+  0x3b, 0xcc, 0xa5, 0x2b, 0x5b, 0xd1, 0xfe, 0xe9, 0x73, 0xa3, 0xcb, 0x90,
+  0x84, 0x0a, 0xa3, 0x60, 0x5f, 0xbb, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d,
+  0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x99, 0xdd, 0xbb, 0x72, 0xf5,
+  0x8e, 0xdc, 0x7b, 0xe7, 0x9c, 0x6d, 0x47, 0x37, 0x01, 0xc9, 0xc2, 0xc9,
+  0x90, 0x01, 0x5d, 0x26, 0x80, 0xce, 0x2b, 0xd3, 0xdd, 0x26, 0x67, 0x2a,
+  0x77, 0x41, 0x06, 0x78, 0xed, 0xe7, 0xb0, 0x58, 0x93, 0x44, 0xe5, 0x79,
+  0xc0, 0xa6, 0x52, 0x1d, 0x2c, 0x10, 0x16, 0xaa, 0xee, 0x97, 0x05, 0x80,
+  0x6d, 0xba, 0x45, 0xd8, 0xd3, 0xf5, 0x98, 0x8d, 0xd1, 0x66, 0x9a, 0x1c,
+  0x96, 0xf5, 0x2e, 0xb4, 0x4d, 0xa3, 0x79, 0x5f, 0x81, 0xb9, 0x5c, 0xcd,
+  0x45, 0x80, 0xa4, 0x15, 0xb3, 0x3e, 0x05, 0xf9, 0x12, 0x62, 0x41, 0x7b,
+  0x97, 0x08, 0x90, 0x13, 0xd3, 0x1a, 0xe7, 0xe5, 0x68, 0x1d, 0x24, 0xdb,
+  0x7c, 0x78, 0xd7, 0x3a, 0x4a, 0x5d, 0x7c, 0xb7, 0xf8, 0x5d, 0xa4, 0xe2,
+  0x40, 0x86, 0x26, 0xc0, 0x45, 0x00, 0x80, 0x16, 0x88, 0x97, 0x3e, 0x8c,
+  0x5c, 0x38, 0x6b, 0xa6, 0x3f, 0x7d, 0x80, 0xb4, 0xec, 0x1f, 0x89, 0x0a,
+  0xd3, 0x64, 0x3a, 0x85, 0xab, 0xd7, 0x0b, 0x17, 0x68, 0xc1, 0x41, 0xfc,
+  0xe6, 0xa0, 0x2d, 0xc8, 0x0e, 0xfd, 0xf0, 0x28, 0xf3, 0xe0, 0xb7, 0x98,
+  0xf3, 0xc9, 0x93, 0x97, 0xeb, 0x7f, 0x81, 0x13, 0x86, 0x95, 0x17, 0x45,
+  0x0d, 0x3e, 0x0d, 0x35, 0x5d, 0x2d, 0xa4, 0xa4, 0x04, 0xaa, 0x22, 0x7b,
+  0x40, 0x47, 0xc7, 0x31, 0x88, 0x99, 0x03, 0xaf, 0xf7, 0xe6, 0x14, 0x1b,
+  0xcf, 0xf7, 0x3b, 0x5d, 0xc6, 0x48, 0x24, 0x42, 0xcf, 0xfe, 0x10, 0x10,
+  0xc0, 0x2b, 0x23, 0x28, 0xb8, 0x4a, 0x3a, 0xff, 0x21, 0xd4, 0xa3, 0x15,
+  0x51, 0xbc, 0xd4, 0xd2, 0x09, 0x77, 0x77, 0x3e, 0x65, 0xb4, 0x3d, 0x1e,
+  0xd6, 0xc0, 0xe9, 0x3b, 0x0e, 0xee, 0xa8, 0x68, 0x46, 0x25, 0x47, 0x57,
+  0x08, 0x2e, 0x80, 0x99, 0x9b, 0x49, 0xfb, 0xd9, 0xc5, 0x46, 0xd7, 0x31,
+  0x82, 0x01, 0x65, 0x30, 0x82, 0x01, 0x61, 0x02, 0x01, 0x01, 0x30, 0x3c,
+  0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+  0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a,
+  0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f,
+  0x72, 0x70, 0x02, 0x14, 0x6b, 0x7b, 0x12, 0xf0, 0xc6, 0x66, 0x78, 0x78,
+  0xa1, 0xa2, 0xe8, 0x79, 0x4b, 0x31, 0xa5, 0xa8, 0x9e, 0x58, 0x7a, 0x41,
+  0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
+  0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+  0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xbe, 0xa2, 0xf0, 0x8e,
+  0x02, 0x81, 0x48, 0x13, 0xfa, 0x48, 0x63, 0x1a, 0x92, 0xc1, 0x8f, 0xdd,
+  0x5e, 0xaa, 0xb8, 0xdb, 0x0c, 0xe0, 0x60, 0xb4, 0xfe, 0xf3, 0xc3, 0xb6,
+  0x78, 0xa1, 0x59, 0xaf, 0x3b, 0xaf, 0x73, 0x64, 0x16, 0x7f, 0x0e, 0x00,
+  0x24, 0x73, 0x50, 0x2f, 0x7e, 0x75, 0xde, 0x96, 0xe9, 0xe0, 0x5e, 0xb4,
+  0x26, 0x18, 0x31, 0x54, 0xdf, 0x56, 0x3e, 0x95, 0x40, 0xc6, 0xa0, 0xdd,
+  0x3e, 0xb1, 0x10, 0x63, 0x2b, 0xb2, 0x9d, 0x4f, 0xee, 0xce, 0x47, 0xf1,
+  0x52, 0xcf, 0x8c, 0x5e, 0x94, 0xc5, 0xa0, 0xb7, 0x0f, 0xb4, 0x41, 0x2e,
+  0x00, 0x48, 0xeb, 0x22, 0x1b, 0x6a, 0x52, 0x18, 0x02, 0x08, 0xc3, 0x64,
+  0xcf, 0x62, 0x84, 0x0e, 0xa1, 0xfc, 0x60, 0xe2, 0x75, 0xe5, 0x87, 0x7d,
+  0x4e, 0xa0, 0x2b, 0x91, 0x00, 0xec, 0x44, 0x67, 0x36, 0x83, 0x45, 0x76,
+  0x64, 0xd4, 0xa5, 0xf1, 0xec, 0xba, 0x9b, 0x5f, 0xa8, 0x4e, 0x4b, 0xdf,
+  0xe3, 0x51, 0xf1, 0xba, 0x65, 0x66, 0x3f, 0x60, 0xe2, 0xee, 0xb6, 0xc1,
+  0xc8, 0xb3, 0xdb, 0xc9, 0x0a, 0x53, 0x43, 0xb1, 0x73, 0xb6, 0x8a, 0xcc,
+  0xa0, 0x22, 0x7c, 0x54, 0xbb, 0xf9, 0x71, 0x83, 0x1f, 0xd4, 0xd4, 0x4c,
+  0xb9, 0xfc, 0x99, 0xf4, 0x07, 0xe2, 0x94, 0x6d, 0x82, 0xdc, 0x98, 0x31,
+  0x8f, 0x5b, 0xba, 0x39, 0x12, 0x58, 0xa4, 0x88, 0x92, 0x2f, 0xb0, 0x62,
+  0x43, 0x7a, 0xc6, 0x46, 0x83, 0xde, 0x95, 0x2a, 0x46, 0x2b, 0x91, 0x72,
+  0x14, 0x93, 0x3d, 0xed, 0xbb, 0xbd, 0x0b, 0x79, 0x80, 0x96, 0x9e, 0x36,
+  0x38, 0x2a, 0xf7, 0x13, 0x0d, 0xcc, 0xb7, 0x95, 0xcc, 0x59, 0x4b, 0x8f,
+  0x59, 0xc1, 0xf1, 0xc7, 0x5d, 0x70, 0xcf, 0x73, 0x92, 0xf5, 0x4d, 0x6f,
+  0xd5, 0x41, 0x1d, 0x3b, 0x73, 0x11, 0x96, 0xb8, 0xdb, 0x84, 0xd6, 0x6e,
+  0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15,
+  0x5c, 0x2b, 0xf0, 0x72, 0x59, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x3d, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x82, 0x03, 0x29,
+  0x30, 0x82, 0x02, 0x11, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x1a,
+  0x6b, 0x6e, 0x57, 0x9b, 0xe1, 0x3b, 0x0a, 0x61, 0xca, 0x88, 0xa1, 0x22,
+  0x67, 0x1f, 0xdd, 0x0f, 0x43, 0xc3, 0x86, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x24,
+  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e,
+  0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c,
+  0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f, 0x72, 0x70,
+  0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x30, 0x31, 0x36, 0x31, 0x39,
+  0x30, 0x38, 0x30, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x31, 0x31,
+  0x35, 0x31, 0x39, 0x30, 0x38, 0x30, 0x37, 0x5a, 0x30, 0x24, 0x31, 0x0b,
+  0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x43, 0x31,
+  0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65,
+  0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x30, 0x82,
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xde, 0x05, 0xb4, 0x0a, 0x74,
+  0x02, 0x1d, 0x88, 0x92, 0x6b, 0x58, 0x72, 0x77, 0xf4, 0xa0, 0x71, 0x69,
+  0xf4, 0x9f, 0x24, 0x00, 0xab, 0x7f, 0x62, 0x39, 0xfb, 0x56, 0xd0, 0x4c,
+  0xc5, 0xb1, 0x7e, 0x16, 0x7f, 0x44, 0xfb, 0xc9, 0x9d, 0xb6, 0x7c, 0x9e,
+  0x86, 0x38, 0xc2, 0x56, 0x4e, 0x39, 0x7a, 0x2b, 0x79, 0xbf, 0x4b, 0x2e,
+  0xe1, 0x49, 0xd6, 0xce, 0x62, 0x44, 0xc1, 0xbc, 0xbe, 0x12, 0x98, 0xfd,
+  0x62, 0x51, 0x29, 0x1d, 0x66, 0xd1, 0x71, 0x6e, 0x2c, 0xfb, 0xa9, 0x19,
+  0x11, 0xac, 0x01, 0xee, 0x3a, 0xd4, 0xd2, 0x69, 0x5d, 0x47, 0x12, 0x74,
+  0x9a, 0xc6, 0x6a, 0x71, 0x6e, 0xbe, 0x4b, 0x72, 0x68, 0x41, 0xec, 0x38,
+  0x12, 0x45, 0xf2, 0x1d, 0xbe, 0x97, 0xfd, 0xc5, 0x1a, 0xdf, 0xc7, 0xd1,
+  0x10, 0xf1, 0x15, 0xe7, 0x68, 0x3d, 0xc2, 0x65, 0xc9, 0x1d, 0xe7, 0x55,
+  0x2e, 0x51, 0xc6, 0xc9, 0xde, 0x94, 0x59, 0x8a, 0x2b, 0xf0, 0x84, 0xc3,
+  0x02, 0x79, 0xbb, 0x21, 0x46, 0x7c, 0xbb, 0x30, 0x91, 0xa0, 0x5b, 0x96,
+  0xf0, 0x27, 0x37, 0x70, 0x13, 0x97, 0x2e, 0x8b, 0x10, 0xb7, 0x7b, 0xf8,
+  0x46, 0xa7, 0x8c, 0xb7, 0x4d, 0x82, 0xc4, 0xa4, 0x14, 0xd5, 0x7e, 0x10,
+  0xb0, 0xf6, 0xca, 0xf8, 0xc1, 0xe7, 0xa5, 0x65, 0x32, 0xf5, 0x1e, 0xa9,
+  0x8a, 0x3d, 0x8c, 0xa6, 0x43, 0xa5, 0x82, 0x2a, 0xb5, 0xf3, 0x88, 0x06,
+  0xb4, 0x36, 0x94, 0x3a, 0x17, 0x9a, 0x6f, 0x9d, 0x2c, 0x7c, 0xee, 0x29,
+  0x47, 0x01, 0x6b, 0xf7, 0x6b, 0x1e, 0xd8, 0x2c, 0xe4, 0xb3, 0xea, 0x38,
+  0x5e, 0x00, 0xc1, 0xae, 0x7f, 0x8e, 0x1f, 0xef, 0xc1, 0x53, 0x65, 0x9b,
+  0x52, 0xce, 0x37, 0x91, 0xe7, 0x3b, 0x0e, 0x66, 0x79, 0x6d, 0xd1, 0xd9,
+  0xbd, 0x45, 0x2e, 0x35, 0x7c, 0xc7, 0x81, 0x14, 0x7e, 0x2e, 0xd5, 0x02,
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03,
+  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x54, 0x7d, 0x90, 0xdc, 0xd8,
+  0xb0, 0x52, 0x83, 0x4e, 0x07, 0xa4, 0x89, 0xab, 0x03, 0x78, 0xe4, 0x7b,
+  0x58, 0xeb, 0x05, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+  0x30, 0x16, 0x80, 0x14, 0x54, 0x7d, 0x90, 0xdc, 0xd8, 0xb0, 0x52, 0x83,
+  0x4e, 0x07, 0xa4, 0x89, 0xab, 0x03, 0x78, 0xe4, 0x7b, 0x58, 0xeb, 0x05,
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
+  0x00, 0xa2, 0xd2, 0xd9, 0x88, 0x48, 0x0c, 0x93, 0x51, 0xed, 0xe2, 0xe6,
+  0x05, 0xdf, 0xd9, 0x85, 0x7f, 0x8a, 0x50, 0xaf, 0x23, 0xe4, 0xba, 0x7f,
+  0xf2, 0xc4, 0xe8, 0xa2, 0x8e, 0x45, 0xfa, 0x98, 0x83, 0x95, 0x0d, 0xaa,
+  0xc8, 0x7f, 0x36, 0x8c, 0x0b, 0xfc, 0x0f, 0x24, 0x52, 0xde, 0x0b, 0x3c,
+  0x08, 0xa7, 0x4c, 0x63, 0x66, 0x04, 0x87, 0x49, 0xcb, 0x2c, 0xd7, 0x13,
+  0x33, 0x07, 0x35, 0x08, 0x79, 0xd1, 0x63, 0x1a, 0x50, 0x69, 0x66, 0xdf,
+  0x29, 0xe5, 0xa8, 0x09, 0xa0, 0xb6, 0x9c, 0xed, 0x9c, 0xa5, 0xf7, 0x30,
+  0x9d, 0x73, 0x14, 0x04, 0x68, 0x2c, 0x8b, 0xa2, 0x34, 0x50, 0x59, 0xc2,
+  0x62, 0xbf, 0xf4, 0xda, 0xa3, 0xff, 0x7b, 0x3d, 0x7b, 0x15, 0xe6, 0xad,
+  0x02, 0xc1, 0x8a, 0x54, 0xa7, 0x4f, 0x42, 0xb5, 0xc3, 0xa2, 0x22, 0xe6,
+  0x92, 0xad, 0x8b, 0xc1, 0x37, 0x4f, 0xd1, 0xca, 0xa4, 0xf3, 0x01, 0xa7,
+  0xb0, 0xdd, 0x0d, 0xb4, 0x11, 0x1b, 0x07, 0x9f, 0x5d, 0x7a, 0x2a, 0x0c,
+  0xf8, 0xf2, 0x01, 0xb0, 0x4c, 0x69, 0xf7, 0x6c, 0x33, 0x65, 0x03, 0x29,
+  0x8a, 0x19, 0xbb, 0x54, 0xfe, 0xfb, 0xb7, 0x1f, 0x9e, 0x99, 0x56, 0x1d,
+  0x71, 0x0d, 0x1d, 0x5d, 0x33, 0x3e, 0x0f, 0xbf, 0xc0, 0x0b, 0xcc, 0x56,
+  0x74, 0x3f, 0xb2, 0x1f, 0xaf, 0x75, 0xe4, 0x5b, 0xc1, 0xd8, 0x5f, 0x83,
+  0xbf, 0x21, 0xa4, 0xd5, 0xe9, 0xa2, 0x14, 0xfc, 0xd8, 0x9e, 0x6b, 0x33,
+  0x58, 0x5c, 0x20, 0x79, 0xc7, 0x09, 0x01, 0x32, 0x80, 0xa8, 0x34, 0x14,
+  0xe2, 0x8f, 0x8e, 0x59, 0x3d, 0x8a, 0x31, 0xd4, 0x60, 0x3a, 0x14, 0x5f,
+  0x57, 0x22, 0x05, 0xe4, 0x42, 0xe3, 0x97, 0xd5, 0x24, 0x10, 0xcc, 0xe6,
+  0x38, 0x95, 0x82, 0xf0, 0xfb, 0xdf, 0x72, 0x67, 0x8a, 0x9b, 0x86, 0x22,
+  0xed, 0x9f, 0xea, 0x87, 0x6c
+};
+unsigned int pkcs7_sha512_len = 2129;
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 8259ffa172d2..87c3fe34d4a8 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -22,6 +22,7 @@
 #include "./data/dbxcert.h"
 #include "./data/dbxsha512.h"
 #include "./data/dbxmalformed.h"
+#include "./data/pkcs7_sha512.h"
 
 bool test_hw_key_hash = false;
 
@@ -383,6 +384,18 @@ int run_test()
 	ASSERT(0 != tmp->data_size);
 	ASSERT(!setup_mode);
 
+	/* updates with pkcs#7 messages with sha512 hashes should be rejected */
+	printf("Add db where auth has sha512 in PKCS#7\n");
+	tmp = new_secvar("db", 3, pkcs7_sha512, pkcs7_sha512_len, 0);
+	ASSERT(0 == edk2_compat_validate(tmp));
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(OPAL_PARAMETER == rc);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+
 	/* Delete PK. */
 	printf("Delete PK\n");
 	/* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */
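Review bot: `ASSERT(OPAL_PARAMETER == rc)` does not by itself show that the rejection came from the new digest-algorithm guard, because verify_signature returns the same code on other paths visible in this patch (for example when `pkcs7` is NULL). The commit notes say the regression is actually observed through valgrind, so the test should say so where the next reader will see it: `/* without the sha256 check this path overreads the computed hash; run under valgrind to catch a regression */`. If the surrounding test does not already cover it, a companion case with the same variable signed over sha256 and asserting success would pin the accepted side of the guard. run_test() starts and ends outside the hunk.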
-- 
2.30.2


