[Skiboot] [PATCH v2 5/6] secvar/edk2: change verify_signature to take in the raw esl data and size
Eric Richter
erichte at linux.ibm.com
Tue Nov 2 09:05:12 AEDT 2021
The helper function verify_signature takes in an auth blob containing a pkcs7
signature, and validates it against a given certificate in ESL form. The ESL
used to validate the signature is typically stored in a secvar, which is why
this helper takes in a secvar rather than raw blobs.
This patch changes the behavior of the verify_signature function to accept the
ESL as raw blob and size parameters, to more easily allow for verifying
signatures using an ESL that may not be in a secvar (and would avoid the
excessive allocation of a new secvar just to verify a signature).
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
libstb/secvar/backend/edk2-compat-process.c | 23 +++++++++------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index cdc95737..4f4b7e71 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -472,7 +472,7 @@ out:
/* Verify the PKCS7 signature on the signed data. */
static int verify_signature(const struct efi_variable_authentication_2 *auth,
const char *hash, const size_t hash_len,
- const struct secvar *avar)
+ const void *aesl, uint64_t aesl_size)
{
mbedtls_pkcs7 *pkcs7 = NULL;
mbedtls_x509_crt x509;
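Review bot: The new `const void *aesl` parameter is later used in pointer arithmetic (`aesl + offset` in the get_esl_signature_list_size and get_esl_cert calls in the following hunks), which ISO C does not define for `void *` and which only compiles as a GNU extension. Declaring it `const char *aesl` keeps the byte-wise arithmetic well-defined, and the caller can still pass `key_authority[i]->data` unchanged, assuming that field is a char buffer. The size is `uint64_t` here while `hash_len` in the same signature is `size_t`; using one type for both lengths would avoid mixed-width comparisons inside the loop. The function body continues outside this hunk.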
@@ -482,7 +482,6 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
int signing_cert_size;
int rc = 0;
char *errbuf;
- int eslvarsize;
int eslsize;
int offset = 0;
@@ -516,20 +515,18 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
prlog(PR_INFO, "Load the signing certificate from the keystore");
- eslvarsize = avar->data_size;
-
/* Variable is not empty */
- while (eslvarsize > 0) {
- prlog(PR_DEBUG, "esl var size is %d offset is %d\n", eslvarsize, offset);
- if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) {
+ while (aesl_size > 0) {
+ prlog(PR_DEBUG, "esl var size is %lld offset is %d\n", aesl_size, offset);
+ if (aesl_size < sizeof(EFI_SIGNATURE_LIST)) {
rc = OPAL_INTERNAL_ERROR;
prlog(PR_ERR, "ESL data is corrupted\n");
break;
}
/* Calculate the size of the ESL */
- eslsize = get_esl_signature_list_size(avar->data + offset,
- eslvarsize);
+ eslsize = get_esl_signature_list_size(aesl + offset,
+ aesl_size);
/* If could not extract the size */
if (eslsize <= 0) {
rc = OPAL_PARAMETER;
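Review bot: The debug line prints the now-unsigned `aesl_size` with `%lld`, a signed specifier, and on builds where `uint64_t` is not `long long` the argument type does not match the format at all. `prlog(PR_DEBUG, "esl var size is %llu offset is %d\n", (unsigned long long)aesl_size, offset);` is correct on either. The same `uint64_t` value is then handed to get_esl_signature_list_size, whose parameter type is not visible here; if it takes an `int`, a large size would be truncated, so that is worth confirming. The loop body continues past this hunk.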
@@ -537,8 +534,8 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
}
/* Extract the certificate from the ESL */
- signing_cert_size = get_esl_cert(avar->data + offset,
- eslvarsize, &signing_cert);
+ signing_cert_size = get_esl_cert(aesl + offset,
+ aesl_size, &signing_cert);
if (signing_cert_size < 0) {
rc = signing_cert_size;
break;
@@ -592,7 +589,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth,
/* Look for the next ESL */
offset = offset + eslsize;
- eslvarsize = eslvarsize - eslsize;
+ aesl_size = aesl_size - eslsize;
mbedtls_x509_crt_free(&x509);
free(signing_cert);
/* Since we are going to allocate again in the next iteration */
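Review bot: `aesl_size = aesl_size - eslsize;` can now wrap around. With the old signed `eslvarsize`, an ESL whose declared size exceeded the remaining data drove the counter negative and ended the `while (... > 0)` loop; with `uint64_t` the same input leaves a very large remaining size, and the next iteration parses from `aesl + offset` beyond the end of the buffer. Unless get_esl_signature_list_size already rejects a size larger than the length it is given (not visible in this patch), the existing test earlier in the loop should become `if (eslsize <= 0 || (uint64_t)eslsize > aesl_size) {` so that malformed ESL data is refused before the certificate is extracted. The loop starts and ends outside this hunk.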
@@ -782,7 +779,7 @@ int process_update(const struct secvar *update, char **newesl,
continue;
/* Verify the signature. sha256 is 32 bytes long. */
- rc = verify_signature(auth, hash, 32, key_authority[i]);
+ rc = verify_signature(auth, hash, 32, key_authority[i]->data, key_authority[i]->data_size);
/* Break if signature verification is successful */
if (rc == OPAL_SUCCESS) {
--
2.29.2