From patchwork Tue Jul 5 05:48:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 587431 Delivered-To: patch@linaro.org Received: by 2002:a05:7000:1ec:0:0:0:0 with SMTP id 12csp1446603map; Mon, 4 Jul 2022 22:49:19 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sZo+VDBQkJjcgayLU0nvqNkmfpQfNsrIyr9E7d/hXz1WqOd/L6R6AeGvj2V56Xqn/stu6c X-Received: by 2002:a05:6512:3b09:b0:483:7ec3:cba1 with SMTP id f9-20020a0565123b0900b004837ec3cba1mr1113695lfv.113.1657000159043; Mon, 04 Jul 2022 22:49:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657000159; cv=none; d=google.com; s=arc-20160816; b=p5SuS8XaWSQ9XByzJ8K0Ogipps6b5uX4r8udm2/Mgik/GuaY+rkhnZasCXR6fEi4XN bLS1cYZ6cRmc+fDbKUW+wiWoyYbKl7UYBJG1z7MhBv0DGb/VnnQ1jMUcGmn3JM+1OP0d 6ghK40s1jy0wyXatiDCZje3NuWcw6ES/OGJMueyhYTdtm4gA47GQqkSUKsJlllapvYI8 FRfvDJYtz/vXQ6ZuzdVA1gToFcin+HHU/0OGbau0VaJzepGG7SB0cIHi+XQord69qBBN NmDOkWaAipEo0mEEjYRA/3jIwxlia33518qNyYFWxpQkJcIUqHY9AwKe+3vdc2emF+xd TFwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aEcAnmHh6ljtJqaZr1tnJhonpKpBFRfyfO/h7+HnFqQ=; b=McJtQLIM7mWD0nSrlQhsb5j3emUyE4LWeQHp9DQ7y8WuaXkFjtn3dlZVSTXQXM/4OK f9UvLyXz2+yjeC+3sPbhEJLCagGef9MNjmg6/BwPAIkdUapKEtAjj0dPyHGqUt9YO4FF hNy6arFxC1MEvRVBmcrPzyAfDABdrYpxR4+PHh5rVQqpFUXPHGvTSmd8opnixBjr9xo7 NiaWkdRI3SQuwmmBLmTdSqJr7zRCyPFzT86lbAWdjGh7xdPlsGHbwrQ06cLm3bgXfh7o SBdYaHd0NsIpQ5JXvAfcIxaKsaTT5Nf30VuZpiz9YOXJREEVrVlu1sfJ/m5purHuUW+l k/6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=u0NXsfaw; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id cf26-20020a056512281a00b0047fa39244e7si37491228lfb.495.2022.07.04.22.49.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Jul 2022 22:49:19 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=u0NXsfaw; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B4B118451B; Tue, 5 Jul 2022 07:49:09 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="u0NXsfaw"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 9BFEF8451A; Tue, 5 Jul 2022 07:49:07 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3702684510 for ; Tue, 5 Jul 2022 07:49:03 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pj1-x1030.google.com with SMTP id s21so6591380pjq.4 for ; Mon, 04 Jul 2022 22:49:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=aEcAnmHh6ljtJqaZr1tnJhonpKpBFRfyfO/h7+HnFqQ=; b=u0NXsfawK+/kkUfty1F1OX4okBQK5/YPss4bRxracCRt7pDRkJRjbZlsUWMRzaWesG ANJT/RTpXVyw5b66qeNy9Ob/0TVpR3rc43/9Ua+uYNcaWRWWikks5mlnrv613GCpIwN7 IXsj7N2PTFw5cX7NmQIhHbAFr/pKZYhdoa7uJ4Kc8f4chlNxmTNaImwrkJHro9EaZSty k2loAmQBOIIQYsYD4knfz3jxHFCu0tw+z5htxBsNsxPVjikgGhhjfa7j1DLatXxVyKiC DVUhyBN6RegHEqbA+FO2194dEHvPcP+y8BWkNnApQnR78MoFCJEZPD+kfVqdxt2dek9p Yilg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=aEcAnmHh6ljtJqaZr1tnJhonpKpBFRfyfO/h7+HnFqQ=; b=MM1ksFYya7PA2r5OJLwOydFKrzofhn5Gh05D5yKQm24qGLStJcc603vYQ01Lp+eoDA zfoutN9gpppySoeGweOK5GtUZeiu3IAzRLUp9jcIekMDaWMtTxSZ7/hx/wumbIHDuetM PVManmw6Cgw6kMZ2jmghU0z8bWvcppqK9t2tjC+0bvF02u9Y6b8RDsdgEE98ehMmZwLv iRgnxYJ+lO4RhCeabD/WEMXEV97DWUekMOJmGmYobxbl9TqvsDqdcnFc65CmZSZYvbnY h14JfuxYHk1aGt4YUt5GR0pe88GRaYfPq6H3yhufBSNJBFfNlZlazuq8L2HBW3FkBo2k JieA== X-Gm-Message-State: AJIora9RSI89n0jtc6WWrjxg7OmIuHTVZfsCQfGigVsqbluqmm88wyni xyPJgGUhFefzcyRDj35U+mJyH/bMjpwOmQ== X-Received: by 2002:a17:903:11c9:b0:16b:8293:c599 with SMTP id q9-20020a17090311c900b0016b8293c599mr39171709plh.136.1657000141453; Mon, 04 Jul 2022 22:49:01 -0700 (PDT) Received: from localhost.localdomain ([2400:4050:c3e1:100:8c42:b67b:3e2f:7653]) by smtp.gmail.com with ESMTPSA id a5-20020a1709027e4500b0016784c93f23sm22149390pln.197.2022.07.04.22.48.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Jul 2022 22:49:00 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de Cc: ilias.apalodimas@linaro.org, baocheng.su@siemens.com, jan.kiszka@siemens.com, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH 1/5] lib: crypto: add mscode_parser Date: Tue, 5 Jul 2022 14:48:11 +0900 Message-Id: <20220705054815.30318-2-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220705054815.30318-1-takahiro.akashi@linaro.org> References: <20220705054815.30318-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean In MS authenticode, pkcs7 should have data in its contentInfo field. This data is tagged with SpcIndirectData type and, for a signed PE image, provides a image's message digest as SpcPeImageData. This parser is used in image authentication to parse the field and retrieve a message digest. Imported from linux v5.19-rc, crypto/asymmetric_keys/mscode*. Checkpatch.pl generates tones of warnings, but those are not fixed for the sake of maintainability (importing from another source). Signed-off-by: AKASHI Takahiro --- include/crypto/mscode.h | 43 ++++++++++++ lib/crypto/Kconfig | 9 +++ lib/crypto/Makefile | 12 ++++ lib/crypto/mscode.asn1 | 28 ++++++++ lib/crypto/mscode_parser.c | 135 +++++++++++++++++++++++++++++++++++++ 5 files changed, 227 insertions(+) create mode 100644 include/crypto/mscode.h create mode 100644 lib/crypto/mscode.asn1 create mode 100644 lib/crypto/mscode_parser.c diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h new file mode 100644 index 000000000000..551058b96e60 --- /dev/null +++ b/include/crypto/mscode.h @@ -0,0 +1,43 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* PE Binary parser bits + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#include +#ifndef __UBOOT__ +#include +#endif + +struct pefile_context { +#ifndef __UBOOT__ + unsigned header_size; + unsigned image_checksum_offset; + unsigned cert_dirent_offset; + unsigned n_data_dirents; + unsigned n_sections; + unsigned certs_size; + unsigned sig_offset; + unsigned sig_len; + const struct section_header *secs; +#endif + + /* PKCS#7 MS Individual Code Signing content */ + const void *digest; /* Digest */ + unsigned digest_len; /* Digest length */ + const char *digest_algo; /* Digest algorithm */ +}; + +#ifndef __UBOOT__ +#define kenter(FMT, ...) \ + pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) +#define kleave(FMT, ...) \ + pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) +#endif + +/* + * mscode_parser.c + */ +extern int mscode_parse(void *_ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 1c04a7ec5f48..c3f563b2e174 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -82,4 +82,13 @@ config PKCS7_MESSAGE_PARSER config PKCS7_VERIFY bool +config MSCODE_PARSER + bool "MS authenticode parser" + select ASN1_DECODER + select ASN1_COMPILER + select OID_REGISTRY + help + This option provides support for parsing MicroSoft's Authenticode + in pkcs7 message. + endif # ASYMMETRIC_KEY_TYPE diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 6792b1d4f007..bec1bc95a658 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -55,3 +55,15 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h + +# +# Signed PE binary-wrapped key handling +# +obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o + +mscode-y := \ + mscode_parser.o \ + mscode.asn1.o + +$(obj)/mscode_parser.o: $(obj)/mscode.asn1.h $(obj)/mscode.asn1.h +$(obj)/mscode.asn1.o: $(obj)/mscode.asn1.c $(obj)/mscode.asn1.h diff --git a/lib/crypto/mscode.asn1 b/lib/crypto/mscode.asn1 new file mode 100644 index 000000000000..6d09ba48c41c --- /dev/null +++ b/lib/crypto/mscode.asn1 @@ -0,0 +1,28 @@ +--- Microsoft individual code signing data blob parser +--- +--- Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. +--- Written by David Howells (dhowells@redhat.com) +--- +--- This program is free software; you can redistribute it and/or +--- modify it under the terms of the GNU General Public Licence +--- as published by the Free Software Foundation; either version +--- 2 of the Licence, or (at your option) any later version. +--- + +MSCode ::= SEQUENCE { + type SEQUENCE { + contentType ContentType, + parameters ANY + }, + content SEQUENCE { + digestAlgorithm DigestAlgorithmIdentifier, + digest OCTET STRING ({ mscode_note_digest }) + } +} + +ContentType ::= OBJECT IDENTIFIER ({ mscode_note_content_type }) + +DigestAlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER ({ mscode_note_digest_algo }), + parameters ANY OPTIONAL +} diff --git a/lib/crypto/mscode_parser.c b/lib/crypto/mscode_parser.c new file mode 100644 index 000000000000..90d5b37a6cf2 --- /dev/null +++ b/lib/crypto/mscode_parser.c @@ -0,0 +1,135 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* Parse a Microsoft Individual Code Signing blob + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#define pr_fmt(fmt) "MSCODE: "fmt +#include +#ifndef __UBOOT__ +#include +#endif +#include +#include +#include +#ifdef __UBOOT__ +#include +#else +#include "verify_pefile.h" +#endif +#include "mscode.asn1.h" + +/* + * Parse a Microsoft Individual Code Signing blob + */ +int mscode_parse(void *_ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen) +{ + struct pefile_context *ctx = _ctx; + + content_data -= asn1hdrlen; + data_len += asn1hdrlen; + pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len), + content_data); + + return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len); +} + +/* + * Check the content type OID + */ +int mscode_note_content_type(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + enum OID oid; + + oid = look_up_OID(value, vlen); + if (oid == OID__NR) { + char buffer[50]; + + sprint_oid(value, vlen, buffer, sizeof(buffer)); + pr_err("Unknown OID: %s\n", buffer); + return -EBADMSG; + } + + /* + * pesign utility had a bug where it was putting + * OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId + * So allow both OIDs. + */ + if (oid != OID_msPeImageDataObjId && + oid != OID_msIndividualSPKeyPurpose) { + pr_err("Unexpected content type OID %u\n", oid); + return -EBADMSG; + } + + return 0; +} + +/* + * Note the digest algorithm OID + */ +int mscode_note_digest_algo(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pefile_context *ctx = context; + char buffer[50]; + enum OID oid; + + oid = look_up_OID(value, vlen); + switch (oid) { + case OID_md4: + ctx->digest_algo = "md4"; + break; + case OID_md5: + ctx->digest_algo = "md5"; + break; + case OID_sha1: + ctx->digest_algo = "sha1"; + break; + case OID_sha256: + ctx->digest_algo = "sha256"; + break; + case OID_sha384: + ctx->digest_algo = "sha384"; + break; + case OID_sha512: + ctx->digest_algo = "sha512"; + break; + case OID_sha224: + ctx->digest_algo = "sha224"; + break; + + case OID__NR: + sprint_oid(value, vlen, buffer, sizeof(buffer)); + pr_err("Unknown OID: %s\n", buffer); + return -EBADMSG; + + default: + pr_err("Unsupported content type: %u\n", oid); + return -ENOPKG; + } + + return 0; +} + +/* + * Note the digest we're guaranteeing with this certificate + */ +int mscode_note_digest(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pefile_context *ctx = context; + + ctx->digest = kmemdup(value, vlen, GFP_KERNEL); + if (!ctx->digest) + return -ENOMEM; + + ctx->digest_len = vlen; + + return 0; +}