[Skiboot] [PATCH 0/3] secvar cleanups and fixes

Daniel Axtens dja at axtens.net
Tue May 25 13:34:22 AEST 2021

We recently found that our mbedtls PKCS#7 implementation has a pretty
bad bug. It turns out we don't use the affected function in skiboot,
but we want to fix it anyway in case we use it in future.

In the process of convincing myself that we call the parts of mbedtls
that we do use correctly, I have also added 2 patches renaming things
for clarity. (It turns out we were passing a zero size to mbedtls by
accident, but mbedtls interpreted 0 as "figure out the size yourself"
so we were OK!)

As usual, I can't test this. Patch 1 is a simple cleanup. Ideally
someone would test patch 2 on hardware, but it should be fairly
safe. Patch 3 is dead code at the moment anyway.

As future work, we could add an assert() in verify_signature so that
we only accept valid hash lengths. Or we could drop the parameter
entirely and pass in the length of a sha256 ourselves.

Daniel Axtens (3):
  secvar/backend: rename verify_signature parameters
  secvar/backend: clarify variables in process_update
  secvar/pkcs7: fix a wrong sizeof()

 libstb/crypto/pkcs7/pkcs7.c                 |  2 +-
 libstb/secvar/backend/edk2-compat-process.c | 18 ++++++++----------
 2 files changed, 9 insertions(+), 11 deletions(-)
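The cover letter notes that a zero hash length reached mbedtls by accident and was tolerated only because mbedtls treats 0 as "derive the length from the digest algorithm", and it suggests an explicit length check in verify_signature as future work. The following is an added illustration of that check, not skiboot's or mbedtls's code: the `md_alg` enum, `resolve_hash_len()` and `verify_hash_len_ok()` are hypothetical stand-ins for the real mbedtls types and the real verify path, and the 32-byte sample hash is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical digest identifiers standing in for mbedtls_md_type_t. */
enum md_alg { MD_NONE = 0, MD_SHA256, MD_SHA384, MD_SHA512 };

/* Digest output size in bytes; 0 for an unknown algorithm. */
static size_t md_size(enum md_alg alg)
{
    switch (alg) {
    case MD_SHA256: return 32;
    case MD_SHA384: return 48;
    case MD_SHA512: return 64;
    default:        return 0;
    }
}

/*
 * Resolve the hash length a caller hands to a verify routine, following
 * the convention the cover letter describes: 0 means "infer the size from
 * the digest algorithm"; any non-zero value must match the digest size
 * exactly. Returns the usable length, or 0 when the input must be refused
 * (unknown digest, or a length that contradicts the algorithm).
 */
size_t resolve_hash_len(enum md_alg alg, size_t hash_len)
{
    size_t expected = md_size(alg);

    if (expected == 0)
        return 0;                 /* unknown digest: reject */
    if (hash_len == 0)
        return expected;          /* caller asked us to infer */
    return hash_len == expected ? hash_len : 0;
}

/*
 * Hypothetical verify_signature-style wrapper: validate the length before
 * handing anything to the crypto library. Returns 0 on acceptance, -1 on
 * rejection. A real implementation would call mbedtls_pk_verify() with
 * the resolved length where the comment marks it.
 */
int verify_hash_len_ok(enum md_alg alg, const uint8_t *hash, size_t hash_len)
{
    size_t len = resolve_hash_len(alg, hash_len);

    if (hash == NULL || len == 0)
        return -1;
    /* ... mbedtls_pk_verify(pk, md, hash, len, sig, sig_len) would go here ... */
    return 0;
}

/* Constructed 32-byte sample digest (not a real hash of anything). */
static const uint8_t sample_hash[32] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
};

/* Accepted: explicit correct length, and the 0 "infer it" shortcut. */
int demo_accepted(void)
{
    return verify_hash_len_ok(MD_SHA256, sample_hash, sizeof(sample_hash)) == 0
        && verify_hash_len_ok(MD_SHA256, sample_hash, 0) == 0;
}

/* Rejected: a SHA-1-sized length claimed for a SHA-256 digest, and an
 * unknown algorithm even with the infer shortcut. */
int demo_rejected(void)
{
    return verify_hash_len_ok(MD_SHA256, sample_hash, 20) == -1
        && verify_hash_len_ok(MD_NONE, sample_hash, 0) == -1;
}

int main(void)
{
    printf("accepted cases ok: %d\n", demo_accepted());
    printf("rejected cases ok: %d\n", demo_rejected());
    return 0;
}
```

The point of resolving the length in one place is that the "0 means infer" shortcut stops being an accident the caller relies on silently: either the caller passes nothing and the digest algorithm decides, or the caller passes a length and it is checked against that algorithm before any verify call sees it.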

