Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 34db9b1894d5ad212fdc6becac60c7f16e74a8e1^! / . / lib / efi_loader / efi_helper.c
commit34db9b1894d5ad212fdc6becac60c7f16e74a8e1[log] [tgz]
authorIlias Apalodimas <ilias.apalodimas@linaro.org>Fri May 06 15:36:00 2022 +0300
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>Sat May 07 23:17:26 2022 +0200
treeb109ed047f6936b107e135b04c0e937cd912013a
parent0e1b9967cedae069ab6d36afd85c7f199c73dee4 [diff] [blame]
efi_loader: add sha384/512 on certificate revocation

Currently we don't support sha384/512 for the X.509 certificate
in dbx.  Moreover if we come across such a hash we skip the check
and approve the image,  although the image might needs to be rejected.

Rework the code a bit and fix it by adding an array of structs with the
supported GUIDs, len and literal used in the U-Boot crypto APIs instead
of hardcoding the GUID types.

It's worth noting here that efi_hash_regions() can now be reused from
efi_signature_lookup_digest() and add sha348/512 support there as well

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

diff --git a/lib/efi_loader/efi_helper.c b/lib/efi_loader/efi_helper.c
index 802d39e..c4499f6 100644
--- a/lib/efi_loader/efi_helper.c
+++ b/lib/efi_loader/efi_helper.c

@@ -92,3 +92,69 @@
 	free(var_value);
 	return NULL;
 }
+
+const struct guid_to_hash_map {
+	efi_guid_t guid;
+	const char algo[32];
+	u32 bits;
+} guid_to_hash[] = {
+	{
+		EFI_CERT_X509_SHA256_GUID,
+		"sha256",
+		SHA256_SUM_LEN * 8,
+	},
+	{
+		EFI_CERT_SHA256_GUID,
+		"sha256",
+		SHA256_SUM_LEN * 8,
+	},
+	{
+		EFI_CERT_X509_SHA384_GUID,
+		"sha384",
+		SHA384_SUM_LEN * 8,
+	},
+	{
+		EFI_CERT_X509_SHA512_GUID,
+		"sha512",
+		SHA512_SUM_LEN * 8,
+	},
+};
+
+#define MAX_GUID_TO_HASH_COUNT ARRAY_SIZE(guid_to_hash)
+
+/** guid_to_sha_str - return the sha string e.g "sha256" for a given guid
+ *                    used on EFI security databases
+ *
+ * @guid: guid to check
+ *
+ * Return: len or 0 if no match is found
+ */
+const char *guid_to_sha_str(const efi_guid_t *guid)
+{
+	size_t i;
+
+	for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) {
+		if (!guidcmp(guid, &guid_to_hash[i].guid))
+			return guid_to_hash[i].algo;
+	}
+
+	return NULL;
+}
+
+/** algo_to_len - return the sha size in bytes for a given string
+ *
+ * @algo: string indicating hashing algorithm to check
+ *
+ * Return: length of hash in bytes or 0 if no match is found
+ */
+int algo_to_len(const char *algo)
+{
+	size_t i;
+
+	for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) {
+		if (!strcmp(algo, guid_to_hash[i].algo))
+			return guid_to_hash[i].bits / 8;
+	}
+
+	return 0;
+}