[Skiboot] [PATCH] libstb/secvar: export functions used by secvarctl

Nick Child nnac123 at gmail.com
Thu May 13 02:22:36 AEST 2021


Hey Daniel,

Thanks again for helping with this secvarctl-to-skiboot work.
I would imagine some of the syntax we used in secvarctl is not
consistent enough with SkiBoot. For example, I recommend
changing the added error message in `get_esl_signature_list` to:

-       if (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)
+       if (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf) {
+               prlog(PR_ERR, "ESL does not have enough data to be valid\n");
                return NULL;
+       }

I am also wondering what the maintainers will think of the doxygen-esc
function documentation that gets added to edk-compat-process.h.

Thanks again,
Nick Child


On Mon, May 10, 2021 at 9:31 PM Daniel Axtens <dja at axtens.net> wrote:
>
> secvarctl has its own implementations of get_esl_signature_list(),
> get_esl_cert() and get_pkcs7_len(). We would rather use the ones in
> skiboot.
>
> Export the skiboot implementations. Add a print in an error case from
> secvarctl.
>
> Signed-off-by: Daniel Axtens <dja at axtens.net>
> ---
>  libstb/secvar/backend/edk2-compat-process.c | 10 +++++---
>  libstb/secvar/backend/edk2-compat-process.h | 28 +++++++++++++++++++++
>  2 files changed, 34 insertions(+), 4 deletions(-)
>
> diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
> index dfaec137dfb6..90c581f55685 100644
> --- a/libstb/secvar/backend/edk2-compat-process.c
> +++ b/libstb/secvar/backend/edk2-compat-process.c
> @@ -85,12 +85,14 @@ static void get_key_authority(const char *ret[3], const char *key)
>         ret[i] = NULL;
>  }
>
> -static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)
> +EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)
>  {
>         EFI_SIGNATURE_LIST *list = NULL;
>
> -       if (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)
> +       if (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf) {
> +               prlog(PR_ERR, "ERROR: SigList does not have enough data to be valid\n");
>                 return NULL;
> +       }
>
>         list = (EFI_SIGNATURE_LIST *)buf;
>
> @@ -115,7 +117,7 @@ static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen)
>   * Copies the certificate from the ESL into cert buffer and returns the size
>   * of the certificate
>   */
> -static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
> +int get_esl_cert(const char *buf, const size_t buflen, char **cert)
>  {
>         size_t sig_data_offset;
>         size_t size;
> @@ -156,7 +158,7 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert)
>   * Extracts size of the PKCS7 signed data embedded in the
>   * struct Authentication 2 Descriptor Header.
>   */
> -static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)
> +size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)
>  {
>         uint32_t dw_length;
>         size_t size;
> diff --git a/libstb/secvar/backend/edk2-compat-process.h b/libstb/secvar/backend/edk2-compat-process.h
> index 737c7329512d..4fb6d60095d8 100644
> --- a/libstb/secvar/backend/edk2-compat-process.h
> +++ b/libstb/secvar/backend/edk2-compat-process.h
> @@ -60,4 +60,32 @@ int process_update(const struct secvar *update, char **newesl,
>                    int *neweslsize, struct efi_time *timestamp,
>                    struct list_head *bank, char *last_timestamp);
>
> +
> +/* Functions used by external secvarctl */
> +
> +/**
> + * Parse a buffer into a EFI_SIGNATURE_LIST structure
> + * @param buf pointer to a buffer containing an ESL
> + * @param buflen length of buffer
> + * @return NULL if buflen is smaller than size of sig list struct or if buf is NULL
> + * @return EFI_SIGNATURE_LIST struct
> + */
> +EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen);
> +
> +/**
> + * Copies the certificate from the ESL into cert buffer and returns the size
> + * of the certificate.
> + * @param c Buffer containing an EFI Signature List
> + * @param size size of buffer c
> + * @param cert pointer to destination. Memory will be allocated for the certificate
> + * @return size of memory allocated to cert or negative number if allocation fails
> + */
> +int get_esl_cert(const char *buf, const size_t buflen, char **cert);
> +
> +/*
> + * Extracts size of the PKCS7 signed data embedded in the
> + * struct Authentication 2 Descriptor Header.
> + */
> +size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth);
> +
>  #endif
> --
> 2.27.0
>
> _______________________________________________
> Skiboot mailing list
> Skiboot at lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/skiboot


More information about the Skiboot mailing list