On Tue, 2019-12-17 at 20:06 +0000, Paul Moore (pmoore2) wrote:
> On Fri, 2019-12-06 at 21:28 +0000, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > > On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> > > > Can you elaborate a bit more on what you mean by "the root of
> > > > certificate"?  Alternatively, could you upload the kernel and
> > > > signing certificate somewhere I could grab so I can play with it?
> > > 
> > > Maybe I used the wrong words; I am talking about the
> > > pkcs1_search_signer function and the following lines:
> > > 
> > >   if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
> > >       !asn1_blob_cmp(&entry->cert.ca->subject, subject))
> > > 
> > > If I change them to
> > > 
> > >   if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
> > >       !asn1_blob_cmp(&entry->cert.subject, subject))
> > > 
> > > it will find my certificate.
> > 
> > Thanks, that makes it much more clear.  One of the benefits of sharing
> > code is that it helps remove any uncertainties. :)
> > 
> > > Could you please explain to me why you are
> > > using the serial from the root of the entry and the subject from a
> > > sub-element? Is it connected with the certificate chain? What if there
> > > is just the simplest possible certificate that is not signed by anybody?
> > 
> > That does look a little odd, doesn't it?
> 
> It turns out it wasn't quite as odd as originally thought.  While wrong,
> it wasn't far from the truth; the PKCS #7 blob in the signed PECOFF
> kernel image doesn't contain the signer's subject name, but rather the
> issuer's subject name.  This explains why the code worked: in the
> self-signed (Lukasz's test case) and one intermediate CA cases (the
> Fedora test case) using the CA would result in the signer being found;
> anything with more than one intermediate CA would fail.
> 
> I've corrected the code and pushed it to the repo/branch below:
> 
> * https://github.com/pcmoore/misc-tboot/tree/working-txtsig
> 
> > > I have uploaded certificate and key that I have generated here:
> > > https://cloud.hawrylko.pl/s/ivHd7HZpuLIjQ88 there is also a signed
> > > bzImage that I am using.
> > 
> > Great, thank you.  I'll take a closer look.
> 
> It turns out this was due to a limitation in libtomfastmath.  Your test
> key/certificate used a 4k RSA key, but libtomfastmath had a restriction
> on keys larger than 2k (it turns out the Fedora keys are 2k).  I
> increased the libtomfastmath number limit to support 4k keys, and
> increased the tboot stack size accordingly.  The updated
> misc-tboot/working-txtsig code should now work for your self-signed
> test case; if not, please let me know.
> 
> Thanks,
> -Paul
> 
> 

Great, I will test it after Christmas break.

Thanks,
Lukasz
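
Added illustration (not part of this thread and not tboot's code): a PKCS #7 SignerInfo identifies the signer by issuer name plus serial number, so the lookup has to compare against each certificate's issuer field, and a match on the certificate's own subject only succeeds for self-signed certificates. The struct layout, lookup() and the certificate table are constructed for this sketch; blob_cmp() only mimics the 0-on-equal convention of the asn1_blob_cmp() calls quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-ins for DER blobs and parsed certificates. */
struct blob { const unsigned char *data; size_t len; };
struct cert { struct blob serial, subject, issuer; };
#define B(s) { (const unsigned char *)(s), sizeof(s) - 1 }

/* Constructed sample: root -> intermediate -> signer, plus a self-signed cert.
 * Serials are only unique per issuer, so "Self" reuses serial 01. */
static const struct cert certs[] = {
    { B("\x01"), B("CN=Root"),   B("CN=Root")  },
    { B("\x02"), B("CN=Inter"),  B("CN=Root")  },
    { B("\x03"), B("CN=Signer"), B("CN=Inter") },
    { B("\x01"), B("CN=Self"),   B("CN=Self")  },
};

/* Returns 0 when both blobs are byte-for-byte equal. */
static int blob_cmp(const struct blob *a, const struct blob *b)
{
    return a->len != b->len || memcmp(a->data, b->data, a->len) != 0;
}

/* Find the certificate named by a SignerInfo (name, serial) pair.
 * use_issuer = 1: compare name against cert.issuer (what SignerInfo carries).
 * use_issuer = 0: compare name against cert.subject (self-signed only).
 * Returns the index into certs[], or -1 when nothing matches. */
int lookup(const char *name, const char *serial, int use_issuer)
{
    struct blob n = { (const unsigned char *)name, strlen(name) };
    struct blob s = { (const unsigned char *)serial, strlen(serial) };
    for (size_t i = 0; i < sizeof(certs) / sizeof(certs[0]); i++) {
        const struct blob *field =
            use_issuer ? &certs[i].issuer : &certs[i].subject;
        if (!blob_cmp(&certs[i].serial, &s) && !blob_cmp(field, &n))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* SignerInfo for the leaf: issuer "CN=Inter", serial 03. */
    printf("issuer match:  %d\n", lookup("CN=Inter", "\x03", 1));
    printf("subject match: %d\n", lookup("CN=Inter", "\x03", 0));
    return 0;
}
```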


