[Skiboot] [PATCH v2 5/6] secvar/edk2: change verify_signature to take in the raw esl data and size
Daniel Axtens
dja at axtens.net
Wed Nov 3 16:11:28 AEDT 2021
Eric Richter <erichte at linux.ibm.com> writes:
> The helper function verify_signature takes in an auth blob containing a pkcs7
> signature, and validates it against a given certificate in ESL form. The ESL
> used to validate the signature is typically stored in a secvar, and is why
> this helper takes in a secvar rather than raw blobs.
>
> This patch changes the behavior of the verify_signature function to accept the
> ESL as raw blob and size parameters, to more easily allow for verifying
> signatures using an ESL that may not be in a secvar (and would avoid the
> excessive allocation of a new secvar just to verify a signature).
>
> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
> ---
> libstb/secvar/backend/edk2-compat-process.c | 23 +++++++++------------
> 1 file changed, 10 insertions(+), 13 deletions(-)
>
> diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
> index cdc95737..4f4b7e71 100644
> --- a/libstb/secvar/backend/edk2-compat-process.c
> +++ b/libstb/secvar/backend/edk2-compat-process.c
> @@ -472,7 +472,7 @@ out:
> /* Verify the PKCS7 signature on the signed data. */
> static int verify_signature(const struct efi_variable_authentication_2 *auth,
> const char *hash, const size_t hash_len,
> - const struct secvar *avar)
> + const void *aesl, uint64_t aesl_size)
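Review bot: The new `aesl`/`aesl_size` parameters introduced in the last two lines of this hunk have no comment explaining what the buffer holds (per the commit message, an ESL of authorising certificates previously read out of a secvar) or that `aesl_size` must be the exact length of that buffer; since the function now parses raw caller-supplied bytes rather than a secvar, a doxygen-style comment on the declaration would make that contract explicit. The two length parameters are also typed inconsistently (`const size_t hash_len` versus `uint64_t aesl_size`); consider `size_t aesl_size` so both lengths are handled the same way.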
Pretty please could you add a comment that spells out what 'aesl' and
'aesl_size' are? I think it's the ESLs containing potentially
authorising keys? I don't really care if you can't come up with a more
descriptive variable name, but given that you're changing the function
signature I feel like a doxygen style comment isn't too big an ask!
Apart from that the conversion seems sufficiently mechanical that if it
compiles and passes tests I am happy enough that it will be correct.
When you add a comment, you can add:
Reviewed-by: Daniel Axtens <dja at axtens.net>
Kind regards,
Daniel