AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * Copyright (c) 2018 Patrick Wildt <patrick@blueri.se> |
| 4 | * Copyright (c) 2019 Linaro Limited, Author: AKASHI Takahiro |
| 5 | */ |
| 6 | |
| 7 | #include <common.h> |
| 8 | #include <charset.h> |
| 9 | #include <efi_loader.h> |
Heinrich Schuchardt | caeb73b | 2021-09-09 08:25:08 +0200 | [diff] [blame] | 10 | #include <efi_variable.h> |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 11 | #include <image.h> |
| 12 | #include <hexdump.h> |
| 13 | #include <malloc.h> |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 14 | #include <crypto/pkcs7.h> |
AKASHI Takahiro | 6ec6767 | 2020-04-21 09:38:17 +0900 | [diff] [blame] | 15 | #include <crypto/pkcs7_parser.h> |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 16 | #include <crypto/public_key.h> |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 17 | #include <linux/compat.h> |
| 18 | #include <linux/oid_registry.h> |
Masahisa Kojima | 915e427 | 2021-05-14 09:53:36 +0900 | [diff] [blame] | 19 | #include <u-boot/hash-checksum.h> |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 20 | #include <u-boot/rsa.h> |
| 21 | #include <u-boot/sha256.h> |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 22 | |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 23 | const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; |
| 24 | const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; |
| 25 | const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; |
| 26 | const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 27 | const efi_guid_t efi_guid_cert_x509_sha384 = EFI_CERT_X509_SHA384_GUID; |
| 28 | const efi_guid_t efi_guid_cert_x509_sha512 = EFI_CERT_X509_SHA512_GUID; |
AKASHI Takahiro | 5ed9ada | 2020-05-29 15:41:18 +0900 | [diff] [blame] | 29 | const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 30 | |
Sughosh Ganu | ea35008 | 2020-12-30 19:27:07 +0530 | [diff] [blame] | 31 | static u8 pkcs7_hdr[] = { |
| 32 | /* SEQUENCE */ |
| 33 | 0x30, 0x82, 0x05, 0xc7, |
| 34 | /* OID: pkcs7-signedData */ |
| 35 | 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, |
| 36 | /* Context Structured? */ |
| 37 | 0xa0, 0x82, 0x05, 0xb8, |
| 38 | }; |
| 39 | |
| 40 | /** |
| 41 | * efi_parse_pkcs7_header - parse a signature in payload |
| 42 | * @buf: Pointer to payload's value |
| 43 | * @buflen: Length of @buf |
| 44 | * @tmpbuf: Pointer to temporary buffer |
| 45 | * |
| 46 | * Parse a signature embedded in payload's value and instantiate |
| 47 | * a pkcs7_message structure. Since pkcs7_parse_message() accepts only |
| 48 | * pkcs7's signedData, some header needed be prepended for correctly |
| 49 | * parsing authentication data |
| 50 | * A temporary buffer will be allocated if needed, and it should be |
| 51 | * kept valid during the authentication because some data in the buffer |
| 52 | * will be referenced by efi_signature_verify(). |
| 53 | * |
| 54 | * Return: Pointer to pkcs7_message structure on success, NULL on error |
| 55 | */ |
| 56 | struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, |
| 57 | size_t buflen, |
| 58 | u8 **tmpbuf) |
| 59 | { |
| 60 | u8 *ebuf; |
| 61 | size_t ebuflen, len; |
| 62 | struct pkcs7_message *msg; |
| 63 | |
| 64 | /* |
| 65 | * This is the best assumption to check if the binary is |
| 66 | * already in a form of pkcs7's signedData. |
| 67 | */ |
| 68 | if (buflen > sizeof(pkcs7_hdr) && |
| 69 | !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { |
| 70 | msg = pkcs7_parse_message(buf, buflen); |
| 71 | if (IS_ERR(msg)) |
| 72 | return NULL; |
| 73 | return msg; |
| 74 | } |
| 75 | |
| 76 | /* |
| 77 | * Otherwise, we should add a dummy prefix sequence for pkcs7 |
| 78 | * message parser to be able to process. |
| 79 | * NOTE: EDK2 also uses similar hack in WrapPkcs7Data() |
| 80 | * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c |
| 81 | * TODO: |
| 82 | * The header should be composed in a more refined manner. |
| 83 | */ |
| 84 | EFI_PRINT("Makeshift prefix added to authentication data\n"); |
| 85 | ebuflen = sizeof(pkcs7_hdr) + buflen; |
| 86 | if (ebuflen <= 0x7f) { |
| 87 | EFI_PRINT("Data is too short\n"); |
| 88 | return NULL; |
| 89 | } |
| 90 | |
| 91 | ebuf = malloc(ebuflen); |
| 92 | if (!ebuf) { |
| 93 | EFI_PRINT("Out of memory\n"); |
| 94 | return NULL; |
| 95 | } |
| 96 | |
| 97 | memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr)); |
| 98 | memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen); |
| 99 | len = ebuflen - 4; |
| 100 | ebuf[2] = (len >> 8) & 0xff; |
| 101 | ebuf[3] = len & 0xff; |
| 102 | len = ebuflen - 0x13; |
| 103 | ebuf[0x11] = (len >> 8) & 0xff; |
| 104 | ebuf[0x12] = len & 0xff; |
| 105 | |
| 106 | msg = pkcs7_parse_message(ebuf, ebuflen); |
| 107 | |
| 108 | if (IS_ERR(msg)) { |
| 109 | free(ebuf); |
| 110 | return NULL; |
| 111 | } |
| 112 | |
| 113 | *tmpbuf = ebuf; |
| 114 | return msg; |
| 115 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 116 | |
| 117 | /** |
| 118 | * efi_hash_regions - calculate a hash value |
AKASHI Takahiro | ddbfa61 | 2020-07-08 14:01:55 +0900 | [diff] [blame] | 119 | * @regs: Array of regions |
| 120 | * @count: Number of regions |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 121 | * @hash: Pointer to a pointer to buffer holding a hash value |
| 122 | * @size: Size of buffer to be returned |
| 123 | * |
| 124 | * Calculate a sha256 value of @regs and return a value in @hash. |
| 125 | * |
| 126 | * Return: true on success, false on error |
| 127 | */ |
AKASHI Takahiro | ddbfa61 | 2020-07-08 14:01:55 +0900 | [diff] [blame] | 128 | static bool efi_hash_regions(struct image_region *regs, int count, |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 129 | void **hash, const char *hash_algo, int *len) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 130 | { |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 131 | int ret, hash_len; |
| 132 | |
| 133 | if (!hash_algo) |
| 134 | return false; |
| 135 | |
| 136 | hash_len = algo_to_len(hash_algo); |
| 137 | if (!hash_len) |
| 138 | return false; |
| 139 | |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 140 | if (!*hash) { |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 141 | *hash = calloc(1, hash_len); |
AKASHI Takahiro | ddbfa61 | 2020-07-08 14:01:55 +0900 | [diff] [blame] | 142 | if (!*hash) { |
| 143 | EFI_PRINT("Out of memory\n"); |
| 144 | return false; |
| 145 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 146 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 147 | |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 148 | ret = hash_calculate(hash_algo, regs, count, *hash); |
| 149 | if (ret) |
| 150 | return false; |
| 151 | |
| 152 | if (len) |
| 153 | *len = hash_len; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 154 | #ifdef DEBUG |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 155 | EFI_PRINT("hash calculated:\n"); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 156 | print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 157 | *hash, hash_len, false); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 158 | #endif |
| 159 | |
| 160 | return true; |
| 161 | } |
| 162 | |
| 163 | /** |
Ilias Apalodimas | 71eae98 | 2022-01-29 00:20:31 +0200 | [diff] [blame] | 164 | * hash_algo_supported - check if the requested hash algorithm is supported |
| 165 | * @guid: guid of the algorithm |
| 166 | * |
| 167 | * Return: true if supported false otherwise |
| 168 | */ |
| 169 | static bool hash_algo_supported(const efi_guid_t guid) |
| 170 | { |
| 171 | int i; |
| 172 | const efi_guid_t unsupported_hashes[] = { |
| 173 | EFI_CERT_SHA1_GUID, |
| 174 | EFI_CERT_SHA224_GUID, |
| 175 | EFI_CERT_SHA384_GUID, |
| 176 | EFI_CERT_SHA512_GUID, |
| 177 | }; |
| 178 | |
| 179 | for (i = 0; i < ARRAY_SIZE(unsupported_hashes); i++) { |
| 180 | if (!guidcmp(&unsupported_hashes[i], &guid)) |
| 181 | return false; |
| 182 | } |
| 183 | |
| 184 | return true; |
| 185 | } |
| 186 | |
| 187 | /** |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 188 | * efi_signature_lookup_digest - search for an image's digest in sigdb |
| 189 | * @regs: List of regions to be authenticated |
| 190 | * @db: Signature database for trusted certificates |
Ilias Apalodimas | 71eae98 | 2022-01-29 00:20:31 +0200 | [diff] [blame] | 191 | * @dbx Caller needs to set this to true if he is searching dbx |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 192 | * |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 193 | * A message digest of image pointed to by @regs is calculated and |
| 194 | * its hash value is compared to entries in signature database pointed |
| 195 | * to by @db. |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 196 | * |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 197 | * Return: true if found, false if not |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 198 | */ |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 199 | bool efi_signature_lookup_digest(struct efi_image_regions *regs, |
Ilias Apalodimas | 71eae98 | 2022-01-29 00:20:31 +0200 | [diff] [blame] | 200 | struct efi_signature_store *db, |
| 201 | bool dbx) |
| 202 | |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 203 | { |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 204 | struct efi_signature_store *siglist; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 205 | struct efi_sig_data *sig_data; |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 206 | void *hash = NULL; |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 207 | bool found = false; |
Ilias Apalodimas | 81adfff | 2022-01-29 00:20:32 +0200 | [diff] [blame] | 208 | bool hash_done = false; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 209 | |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 210 | EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 211 | |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 212 | if (!regs || !db || !db->sig_data_list) |
| 213 | goto out; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 214 | |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 215 | for (siglist = db; siglist; siglist = siglist->next) { |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 216 | int len = 0; |
| 217 | const char *hash_algo = NULL; |
Ilias Apalodimas | 71eae98 | 2022-01-29 00:20:31 +0200 | [diff] [blame] | 218 | /* |
| 219 | * if the hash algorithm is unsupported and we get an entry in |
| 220 | * dbx reject the image |
| 221 | */ |
| 222 | if (dbx && !hash_algo_supported(siglist->sig_type)) { |
| 223 | found = true; |
| 224 | continue; |
| 225 | }; |
| 226 | /* |
| 227 | * Only support sha256 for now, that's what |
| 228 | * hash-to-efi-sig-list produces |
| 229 | */ |
| 230 | if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) |
| 231 | continue; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 232 | |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 233 | hash_algo = guid_to_sha_str(&efi_guid_sha256); |
| 234 | /* |
| 235 | * We could check size and hash_algo but efi_hash_regions() |
| 236 | * will do that for us |
| 237 | */ |
Ilias Apalodimas | 81adfff | 2022-01-29 00:20:32 +0200 | [diff] [blame] | 238 | if (!hash_done && |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 239 | !efi_hash_regions(regs->reg, regs->num, &hash, hash_algo, |
| 240 | &len)) { |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 241 | EFI_PRINT("Digesting an image failed\n"); |
| 242 | break; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 243 | } |
Ilias Apalodimas | 81adfff | 2022-01-29 00:20:32 +0200 | [diff] [blame] | 244 | hash_done = true; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 245 | |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 246 | for (sig_data = siglist->sig_data_list; sig_data; |
| 247 | sig_data = sig_data->next) { |
| 248 | #ifdef DEBUG |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 249 | EFI_PRINT("Msg digest in database:\n"); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 250 | print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, |
| 251 | sig_data->data, sig_data->size, false); |
| 252 | #endif |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 253 | if (sig_data->size == len && |
| 254 | !memcmp(sig_data->data, hash, len)) { |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 255 | found = true; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 256 | free(hash); |
| 257 | goto out; |
| 258 | } |
| 259 | } |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 260 | |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 261 | free(hash); |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 262 | hash = NULL; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 263 | } |
| 264 | |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 265 | out: |
| 266 | EFI_PRINT("%s: Exit, found: %d\n", __func__, found); |
| 267 | return found; |
| 268 | } |
| 269 | |
| 270 | /** |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 271 | * efi_lookup_certificate - find a certificate within db |
| 272 | * @msg: Signature |
| 273 | * @db: Signature database |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 274 | * |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 275 | * Search signature database pointed to by @db and find a certificate |
| 276 | * pointed to by @cert. |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 277 | * |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 278 | * Return: true if found, false otherwise. |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 279 | */ |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 280 | static bool efi_lookup_certificate(struct x509_certificate *cert, |
| 281 | struct efi_signature_store *db) |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 282 | { |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 283 | struct efi_signature_store *siglist; |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 284 | struct efi_sig_data *sig_data; |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 285 | struct image_region reg[1]; |
| 286 | void *hash = NULL, *hash_tmp = NULL; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 287 | int len = 0; |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 288 | bool found = false; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 289 | const char *hash_algo = NULL; |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 290 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 291 | EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db); |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 292 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 293 | if (!cert || !db || !db->sig_data_list) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 294 | goto out; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 295 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 296 | /* |
| 297 | * TODO: identify a certificate using sha256 digest |
| 298 | * Is there any better way? |
| 299 | */ |
| 300 | /* calculate hash of TBSCertificate */ |
| 301 | reg[0].data = cert->tbs; |
| 302 | reg[0].size = cert->tbs_size; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 303 | |
| 304 | /* We just need any sha256 algo to start the matching */ |
| 305 | hash_algo = guid_to_sha_str(&efi_guid_sha256); |
| 306 | if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 307 | goto out; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 308 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 309 | EFI_PRINT("%s: searching for %s\n", __func__, cert->subject); |
| 310 | for (siglist = db; siglist; siglist = siglist->next) { |
| 311 | /* only with x509 certificate */ |
| 312 | if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) |
| 313 | continue; |
| 314 | |
| 315 | for (sig_data = siglist->sig_data_list; sig_data; |
| 316 | sig_data = sig_data->next) { |
| 317 | struct x509_certificate *cert_tmp; |
| 318 | |
| 319 | cert_tmp = x509_cert_parse(sig_data->data, |
| 320 | sig_data->size); |
| 321 | if (IS_ERR_OR_NULL(cert_tmp)) |
| 322 | continue; |
| 323 | |
AKASHI Takahiro | 1641180 | 2020-08-14 14:39:23 +0900 | [diff] [blame] | 324 | EFI_PRINT("%s: against %s\n", __func__, |
| 325 | cert_tmp->subject); |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 326 | reg[0].data = cert_tmp->tbs; |
| 327 | reg[0].size = cert_tmp->tbs_size; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 328 | if (!efi_hash_regions(reg, 1, &hash_tmp, hash_algo, |
| 329 | NULL)) |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 330 | goto out; |
| 331 | |
| 332 | x509_free_certificate(cert_tmp); |
| 333 | |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 334 | if (!memcmp(hash, hash_tmp, len)) { |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 335 | found = true; |
| 336 | goto out; |
| 337 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 338 | } |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 339 | } |
| 340 | out: |
| 341 | free(hash); |
| 342 | free(hash_tmp); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 343 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 344 | EFI_PRINT("%s: Exit, found: %d\n", __func__, found); |
| 345 | return found; |
| 346 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 347 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 348 | /** |
| 349 | * efi_verify_certificate - verify certificate's signature with database |
| 350 | * @signer: Certificate |
| 351 | * @db: Signature database |
| 352 | * @root: Certificate to verify @signer |
| 353 | * |
| 354 | * Determine if certificate pointed to by @signer may be verified |
| 355 | * by one of certificates in signature database pointed to by @db. |
| 356 | * |
| 357 | * Return: true if certificate is verified, false otherwise. |
| 358 | */ |
| 359 | static bool efi_verify_certificate(struct x509_certificate *signer, |
| 360 | struct efi_signature_store *db, |
| 361 | struct x509_certificate **root) |
| 362 | { |
| 363 | struct efi_signature_store *siglist; |
| 364 | struct efi_sig_data *sig_data; |
| 365 | struct x509_certificate *cert; |
| 366 | bool verified = false; |
| 367 | int ret; |
| 368 | |
| 369 | EFI_PRINT("%s: Enter, %p, %p\n", __func__, signer, db); |
| 370 | |
| 371 | if (!signer || !db || !db->sig_data_list) |
| 372 | goto out; |
| 373 | |
| 374 | for (siglist = db; siglist; siglist = siglist->next) { |
| 375 | /* only with x509 certificate */ |
| 376 | if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) |
| 377 | continue; |
| 378 | |
| 379 | for (sig_data = siglist->sig_data_list; sig_data; |
| 380 | sig_data = sig_data->next) { |
| 381 | cert = x509_cert_parse(sig_data->data, sig_data->size); |
| 382 | if (IS_ERR_OR_NULL(cert)) { |
| 383 | EFI_PRINT("Cannot parse x509 certificate\n"); |
| 384 | continue; |
| 385 | } |
| 386 | |
| 387 | ret = public_key_verify_signature(cert->pub, |
| 388 | signer->sig); |
| 389 | if (!ret) { |
| 390 | verified = true; |
| 391 | if (root) |
| 392 | *root = cert; |
| 393 | else |
| 394 | x509_free_certificate(cert); |
| 395 | goto out; |
| 396 | } |
| 397 | x509_free_certificate(cert); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 398 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 399 | } |
| 400 | |
| 401 | out: |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 402 | EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 403 | return verified; |
| 404 | } |
| 405 | |
| 406 | /** |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 407 | * efi_signature_check_revocation - check revocation with dbx |
| 408 | * @sinfo: Signer's info |
| 409 | * @cert: x509 certificate |
| 410 | * @dbx: Revocation signature database |
| 411 | * |
| 412 | * Search revocation signature database pointed to by @dbx and find |
| 413 | * an entry matching to certificate pointed to by @cert. |
| 414 | * |
| 415 | * While this entry contains revocation time, we don't support timestamp |
| 416 | * protocol at this time and any image will be unconditionally revoked |
| 417 | * when this match occurs. |
| 418 | * |
AKASHI Takahiro | 1641180 | 2020-08-14 14:39:23 +0900 | [diff] [blame] | 419 | * Return: true if check passed (not found), false otherwise. |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 420 | */ |
| 421 | static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, |
| 422 | struct x509_certificate *cert, |
| 423 | struct efi_signature_store *dbx) |
| 424 | { |
| 425 | struct efi_signature_store *siglist; |
| 426 | struct efi_sig_data *sig_data; |
| 427 | struct image_region reg[1]; |
| 428 | void *hash = NULL; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 429 | int len = 0; |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 430 | time64_t revoc_time; |
| 431 | bool revoked = false; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 432 | const char *hash_algo = NULL; |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 433 | |
| 434 | EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx); |
| 435 | |
| 436 | if (!sinfo || !cert || !dbx || !dbx->sig_data_list) |
| 437 | goto out; |
| 438 | |
| 439 | EFI_PRINT("Checking revocation against %s\n", cert->subject); |
| 440 | for (siglist = dbx; siglist; siglist = siglist->next) { |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 441 | hash_algo = guid_to_sha_str(&siglist->sig_type); |
| 442 | if (!hash_algo) |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 443 | continue; |
| 444 | |
| 445 | /* calculate hash of TBSCertificate */ |
| 446 | reg[0].data = cert->tbs; |
| 447 | reg[0].size = cert->tbs_size; |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 448 | if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 449 | goto out; |
| 450 | |
| 451 | for (sig_data = siglist->sig_data_list; sig_data; |
| 452 | sig_data = sig_data->next) { |
| 453 | /* |
| 454 | * struct efi_cert_x509_sha256 { |
| 455 | * u8 tbs_hash[256/8]; |
| 456 | * time64_t revocation_time; |
| 457 | * }; |
| 458 | */ |
| 459 | #ifdef DEBUG |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 460 | if (sig_data->size >= len) { |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 461 | EFI_PRINT("hash in db:\n"); |
| 462 | print_hex_dump(" ", DUMP_PREFIX_OFFSET, |
| 463 | 16, 1, |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 464 | sig_data->data, len, false); |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 465 | } |
| 466 | #endif |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 467 | if ((sig_data->size < len + sizeof(time64_t)) || |
| 468 | memcmp(sig_data->data, hash, len)) |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 469 | continue; |
| 470 | |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 471 | memcpy(&revoc_time, sig_data->data + len, |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 472 | sizeof(revoc_time)); |
| 473 | EFI_PRINT("revocation time: 0x%llx\n", revoc_time); |
| 474 | /* |
| 475 | * TODO: compare signing timestamp in sinfo |
| 476 | * with revocation time |
| 477 | */ |
| 478 | |
| 479 | revoked = true; |
| 480 | free(hash); |
| 481 | goto out; |
| 482 | } |
| 483 | free(hash); |
| 484 | hash = NULL; |
| 485 | } |
| 486 | out: |
| 487 | EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); |
| 488 | return !revoked; |
| 489 | } |
| 490 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 491 | /* |
| 492 | * efi_signature_verify - verify signatures with db and dbx |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 493 | * @regs: List of regions to be authenticated |
| 494 | * @msg: Signature |
| 495 | * @db: Signature database for trusted certificates |
| 496 | * @dbx: Revocation signature database |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 497 | * |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 498 | * All the signature pointed to by @msg against image pointed to by @regs |
| 499 | * will be verified by signature database pointed to by @db and @dbx. |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 500 | * |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 501 | * Return: true if verification for all signatures passed, false otherwise |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 502 | */ |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 503 | bool efi_signature_verify(struct efi_image_regions *regs, |
| 504 | struct pkcs7_message *msg, |
| 505 | struct efi_signature_store *db, |
| 506 | struct efi_signature_store *dbx) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 507 | { |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 508 | struct pkcs7_signed_info *sinfo; |
| 509 | struct x509_certificate *signer, *root; |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 510 | bool verified = false; |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 511 | int ret; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 512 | |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 513 | EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 514 | |
AKASHI Takahiro | de92407 | 2020-07-08 14:01:57 +0900 | [diff] [blame] | 515 | if (!regs || !msg || !db || !db->sig_data_list) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 516 | goto out; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 517 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 518 | for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 519 | EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 520 | sinfo->sig->hash_algo, sinfo->sig->pkey_algo); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 521 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 522 | /* |
| 523 | * only for authenticated variable. |
| 524 | * |
| 525 | * If this function is called for image, |
| 526 | * hash calculation will be done in |
| 527 | * pkcs7_verify_one(). |
| 528 | */ |
| 529 | if (!msg->data && |
| 530 | !efi_hash_regions(regs->reg, regs->num, |
Ilias Apalodimas | 34db9b1 | 2022-05-06 15:36:00 +0300 | [diff] [blame] | 531 | (void **)&sinfo->sig->digest, |
| 532 | guid_to_sha_str(&efi_guid_sha256), |
| 533 | NULL)) { |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 534 | EFI_PRINT("Digesting an image failed\n"); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 535 | goto out; |
| 536 | } |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 537 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 538 | EFI_PRINT("Verifying certificate chain\n"); |
| 539 | signer = NULL; |
| 540 | ret = pkcs7_verify_one(msg, sinfo, &signer); |
| 541 | if (ret == -ENOPKG) |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 542 | continue; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 543 | |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 544 | if (ret < 0 || !signer) |
| 545 | goto out; |
| 546 | |
| 547 | if (sinfo->blacklisted) |
| 548 | goto out; |
| 549 | |
| 550 | EFI_PRINT("Verifying last certificate in chain\n"); |
Ilias Apalodimas | 1ee9c48 | 2022-02-14 11:14:22 +0200 | [diff] [blame] | 551 | if (efi_lookup_certificate(signer, db)) |
| 552 | if (efi_signature_check_revocation(sinfo, signer, dbx)) |
| 553 | break; |
| 554 | if (!signer->self_signed && |
| 555 | efi_verify_certificate(signer, db, &root)) { |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 556 | bool check; |
| 557 | |
| 558 | check = efi_signature_check_revocation(sinfo, root, |
| 559 | dbx); |
| 560 | x509_free_certificate(root); |
| 561 | if (check) |
AKASHI Takahiro | 1641180 | 2020-08-14 14:39:23 +0900 | [diff] [blame] | 562 | break; |
AKASHI Takahiro | 14afd06 | 2020-07-21 19:35:22 +0900 | [diff] [blame] | 563 | } |
| 564 | |
| 565 | EFI_PRINT("Certificate chain didn't reach trusted CA\n"); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 566 | } |
AKASHI Takahiro | 1641180 | 2020-08-14 14:39:23 +0900 | [diff] [blame] | 567 | if (sinfo) |
| 568 | verified = true; |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 569 | out: |
| 570 | EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified); |
| 571 | return verified; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 572 | } |
| 573 | |
| 574 | /** |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 575 | * efi_signature_check_signers - check revocation against all signers with dbx |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 576 | * @msg: Signature |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 577 | * @dbx: Revocation signature database |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 578 | * |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 579 | * Determine if none of signers' certificates in @msg are revoked |
| 580 | * by signature database pointed to by @dbx. |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 581 | * |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 582 | * Return: true if all signers passed, false otherwise. |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 583 | */ |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 584 | bool efi_signature_check_signers(struct pkcs7_message *msg, |
| 585 | struct efi_signature_store *dbx) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 586 | { |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 587 | struct pkcs7_signed_info *sinfo; |
| 588 | bool revoked = false; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 589 | |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 590 | EFI_PRINT("%s: Enter, %p, %p\n", __func__, msg, dbx); |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 591 | |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 592 | if (!msg || !dbx) |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 593 | goto out; |
| 594 | |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 595 | for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { |
| 596 | if (sinfo->signer && |
| 597 | !efi_signature_check_revocation(sinfo, sinfo->signer, |
| 598 | dbx)) { |
| 599 | revoked = true; |
| 600 | break; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 601 | } |
| 602 | } |
| 603 | out: |
AKASHI Takahiro | 4154b64 | 2020-07-08 14:01:56 +0900 | [diff] [blame] | 604 | EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); |
| 605 | return !revoked; |
AKASHI Takahiro | 1faaca4 | 2020-04-14 11:51:39 +0900 | [diff] [blame] | 606 | } |
| 607 | |
| 608 | /** |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 609 | * efi_sigstore_free - free signature store |
| 610 | * @sigstore: Pointer to signature store structure |
| 611 | * |
| 612 | * Feee all the memories held in signature store and itself, |
| 613 | * which were allocated by efi_sigstore_parse_sigdb(). |
| 614 | */ |
| 615 | void efi_sigstore_free(struct efi_signature_store *sigstore) |
| 616 | { |
| 617 | struct efi_signature_store *sigstore_next; |
| 618 | struct efi_sig_data *sig_data, *sig_data_next; |
| 619 | |
| 620 | while (sigstore) { |
| 621 | sigstore_next = sigstore->next; |
| 622 | |
| 623 | sig_data = sigstore->sig_data_list; |
| 624 | while (sig_data) { |
| 625 | sig_data_next = sig_data->next; |
| 626 | free(sig_data->data); |
| 627 | free(sig_data); |
| 628 | sig_data = sig_data_next; |
| 629 | } |
| 630 | |
| 631 | free(sigstore); |
| 632 | sigstore = sigstore_next; |
| 633 | } |
| 634 | } |
| 635 | |
| 636 | /** |
| 637 | * efi_sigstore_parse_siglist - parse a signature list |
| 638 | * @name: Pointer to signature list |
| 639 | * |
| 640 | * Parse signature list and instantiate a signature store structure. |
| 641 | * Signature database is a simple concatenation of one or more |
| 642 | * signature list(s). |
| 643 | * |
| 644 | * Return: Pointer to signature store on success, NULL on error |
| 645 | */ |
| 646 | static struct efi_signature_store * |
| 647 | efi_sigstore_parse_siglist(struct efi_signature_list *esl) |
| 648 | { |
| 649 | struct efi_signature_store *siglist = NULL; |
| 650 | struct efi_sig_data *sig_data, *sig_data_next; |
| 651 | struct efi_signature_data *esd; |
| 652 | size_t left; |
| 653 | |
| 654 | /* |
| 655 | * UEFI specification defines certificate types: |
| 656 | * for non-signed images, |
| 657 | * EFI_CERT_SHA256_GUID |
| 658 | * EFI_CERT_RSA2048_GUID |
| 659 | * EFI_CERT_RSA2048_SHA256_GUID |
| 660 | * EFI_CERT_SHA1_GUID |
| 661 | * EFI_CERT_RSA2048_SHA_GUID |
| 662 | * EFI_CERT_SHA224_GUID |
| 663 | * EFI_CERT_SHA384_GUID |
| 664 | * EFI_CERT_SHA512_GUID |
| 665 | * |
| 666 | * for signed images, |
| 667 | * EFI_CERT_X509_GUID |
| 668 | * NOTE: Each certificate will normally be in a separate |
| 669 | * EFI_SIGNATURE_LIST as the size may vary depending on |
| 670 | * its algo's. |
| 671 | * |
| 672 | * for timestamp revocation of certificate, |
| 673 | * EFI_CERT_X509_SHA512_GUID |
| 674 | * EFI_CERT_X509_SHA256_GUID |
| 675 | * EFI_CERT_X509_SHA384_GUID |
| 676 | */ |
| 677 | |
| 678 | if (esl->signature_list_size |
| 679 | <= (sizeof(*esl) + esl->signature_header_size)) { |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 680 | EFI_PRINT("Siglist in wrong format\n"); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 681 | return NULL; |
| 682 | } |
| 683 | |
| 684 | /* Create a head */ |
| 685 | siglist = calloc(sizeof(*siglist), 1); |
| 686 | if (!siglist) { |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 687 | EFI_PRINT("Out of memory\n"); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 688 | goto err; |
| 689 | } |
| 690 | memcpy(&siglist->sig_type, &esl->signature_type, sizeof(efi_guid_t)); |
| 691 | |
| 692 | /* Go through the list */ |
| 693 | sig_data_next = NULL; |
| 694 | left = esl->signature_list_size |
| 695 | - (sizeof(*esl) + esl->signature_header_size); |
| 696 | esd = (struct efi_signature_data *) |
| 697 | ((u8 *)esl + sizeof(*esl) + esl->signature_header_size); |
| 698 | |
AKASHI Takahiro | a075aa3 | 2020-04-21 09:38:57 +0900 | [diff] [blame] | 699 | while (left > 0) { |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 700 | /* Signature must exist if there is remaining data. */ |
| 701 | if (left < esl->signature_size) { |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 702 | EFI_PRINT("Certificate is too small\n"); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 703 | goto err; |
| 704 | } |
| 705 | |
| 706 | sig_data = calloc(esl->signature_size |
| 707 | - sizeof(esd->signature_owner), 1); |
| 708 | if (!sig_data) { |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 709 | EFI_PRINT("Out of memory\n"); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 710 | goto err; |
| 711 | } |
| 712 | |
| 713 | /* Append signature data */ |
| 714 | memcpy(&sig_data->owner, &esd->signature_owner, |
| 715 | sizeof(efi_guid_t)); |
| 716 | sig_data->size = esl->signature_size |
| 717 | - sizeof(esd->signature_owner); |
| 718 | sig_data->data = malloc(sig_data->size); |
| 719 | if (!sig_data->data) { |
AKASHI Takahiro | 10a9fa8 | 2020-06-09 14:09:33 +0900 | [diff] [blame] | 720 | EFI_PRINT("Out of memory\n"); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 721 | goto err; |
| 722 | } |
| 723 | memcpy(sig_data->data, esd->signature_data, sig_data->size); |
| 724 | |
| 725 | sig_data->next = sig_data_next; |
| 726 | sig_data_next = sig_data; |
| 727 | |
| 728 | /* Next */ |
| 729 | esd = (struct efi_signature_data *) |
| 730 | ((u8 *)esd + esl->signature_size); |
| 731 | left -= esl->signature_size; |
| 732 | } |
| 733 | siglist->sig_data_list = sig_data_next; |
| 734 | |
| 735 | return siglist; |
| 736 | |
| 737 | err: |
| 738 | efi_sigstore_free(siglist); |
| 739 | |
| 740 | return NULL; |
| 741 | } |
| 742 | |
| 743 | /** |
Sughosh Ganu | fa0faa6 | 2020-12-30 19:27:08 +0530 | [diff] [blame] | 744 | * efi_sigstore_parse_sigdb - parse the signature list and populate |
| 745 | * the signature store |
| 746 | * |
| 747 | * @sig_list: Pointer to the signature list |
| 748 | * @size: Size of the signature list |
| 749 | * |
| 750 | * Parse the efi signature list and instantiate a signature store |
| 751 | * structure. |
| 752 | * |
| 753 | * Return: Pointer to signature store on success, NULL on error |
| 754 | */ |
| 755 | struct efi_signature_store *efi_build_signature_store(void *sig_list, |
| 756 | efi_uintn_t size) |
| 757 | { |
| 758 | struct efi_signature_list *esl; |
| 759 | struct efi_signature_store *sigstore = NULL, *siglist; |
| 760 | |
| 761 | esl = sig_list; |
| 762 | while (size > 0) { |
| 763 | /* List must exist if there is remaining data. */ |
| 764 | if (size < sizeof(*esl)) { |
| 765 | EFI_PRINT("Signature list in wrong format\n"); |
| 766 | goto err; |
| 767 | } |
| 768 | |
| 769 | if (size < esl->signature_list_size) { |
| 770 | EFI_PRINT("Signature list in wrong format\n"); |
| 771 | goto err; |
| 772 | } |
| 773 | |
| 774 | /* Parse a single siglist. */ |
| 775 | siglist = efi_sigstore_parse_siglist(esl); |
| 776 | if (!siglist) { |
| 777 | EFI_PRINT("Parsing of signature list of failed\n"); |
| 778 | goto err; |
| 779 | } |
| 780 | |
| 781 | /* Append siglist */ |
| 782 | siglist->next = sigstore; |
| 783 | sigstore = siglist; |
| 784 | |
| 785 | /* Next */ |
| 786 | size -= esl->signature_list_size; |
| 787 | esl = (void *)esl + esl->signature_list_size; |
| 788 | } |
| 789 | free(sig_list); |
| 790 | |
| 791 | return sigstore; |
| 792 | |
| 793 | err: |
| 794 | efi_sigstore_free(sigstore); |
| 795 | free(sig_list); |
| 796 | |
| 797 | return NULL; |
| 798 | } |
| 799 | |
| 800 | /** |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 801 | * efi_sigstore_parse_sigdb - parse a signature database variable |
| 802 | * @name: Variable's name |
| 803 | * |
| 804 | * Read in a value of signature database variable pointed to by |
| 805 | * @name, parse it and instantiate a signature store structure. |
| 806 | * |
| 807 | * Return: Pointer to signature store on success, NULL on error |
| 808 | */ |
| 809 | struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name) |
| 810 | { |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 811 | const efi_guid_t *vendor; |
| 812 | void *db; |
| 813 | efi_uintn_t db_size; |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 814 | |
Heinrich Schuchardt | caeb73b | 2021-09-09 08:25:08 +0200 | [diff] [blame] | 815 | vendor = efi_auth_var_get_guid(name); |
| 816 | db = efi_get_var(name, vendor, &db_size); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 817 | if (!db) { |
Heinrich Schuchardt | caeb73b | 2021-09-09 08:25:08 +0200 | [diff] [blame] | 818 | EFI_PRINT("variable, %ls, not found\n", name); |
| 819 | return calloc(sizeof(struct efi_signature_store), 1); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 820 | } |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 821 | |
Sughosh Ganu | fa0faa6 | 2020-12-30 19:27:08 +0530 | [diff] [blame] | 822 | return efi_build_signature_store(db, db_size); |
AKASHI Takahiro | d2cefc8 | 2020-04-14 11:51:40 +0900 | [diff] [blame] | 823 | } |