On Fri, 4 Oct 2024 at 01:02, Raymond Mao <[email protected]> wrote: > > Previous patch has introduced MbedTLS porting layer for PKCS7 parser, > here to adjust the header and makefiles accordingly. > > Signed-off-by: Raymond Mao <[email protected]> > --- > Changes in v2 > - Move the porting layer to MbedTLS dir. > Changes in v3 > - Update commit message. > Changes in v4 > - Control building legacy library via '_LEGACY' Kconfig. > Changes in v5 > - Correct header file include directories. > Changes in v6 > - None. > Changes in v7 > - None. > Changes in v8 > - None > > include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++ > lib/crypto/Makefile | 7 +++-- > 2 files changed, 60 insertions(+), 3 deletions(-) > > diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h > index 2c45cce5234..469c2711fa6 100644 > --- a/include/crypto/pkcs7_parser.h > +++ b/include/crypto/pkcs7_parser.h > @@ -11,6 +11,12 @@ > #include <linux/oid_registry.h> > #include <crypto/pkcs7.h> > #include <crypto/x509_parser.h> > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +#include <mbedtls/pkcs7.h> > +#include <library/x509_internal.h> > +#include <mbedtls/asn1.h> > +#include <mbedtls/oid.h> > +#endif > #include <linux/printk.h> > > #define kenter(FMT, ...) \ > @@ -18,7 +24,54 @@ > #define kleave(FMT, ...) \ > pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) > > +/* Backup the parsed MedTLS context that we need */ > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +struct pkcs7_mbedtls_ctx { > + void *content_data; > +}; > + > +struct pkcs7_sinfo_mbedtls_ctx { > + void *authattrs_data; > + void *content_data_digest; > +}; > +#endif > + > +/* > + * MbedTLS integration Notes: > + * > + * MbedTLS PKCS#7 library does not originally support parsing MicroSoft > + * Authentication Code which is used for verifying the PE image digest. > + * > + * 1. Authenticated Attributes (authenticatedAttributes) > + * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes > + * fields not exist. > + * See MbedTLS function 'pkcs7_get_signer_info' for details. > + * > + * 2. MicroSoft Authentication Code (mscode) > + * MbedTLS only supports Content Data type defined as > 1.2.840.113549.1.7.1 > + * (MBEDTLS_OID_PKCS7_DATA, aka OID_data). > + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka > + * OID_msIndirectData) is not supported. > + * See MbedTLS function 'pkcs7_get_content_info_type' for details. > + * > + * But the EFI loader assumes that a PKCS#7 message with an EFI image always > + * contains MicroSoft Authentication Code as Content Data (msg->data is NOT > + * NULL), see function 'efi_signature_verify'. > + * > + * MbedTLS patch > "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch" > + * is to support both above features by parsing the Content Data and > + * Authenticate Attributes from a given PKCS#7 message. > + * > + * Other fields we don't need to populate from MbedTLS, which are used > + * internally by pkcs7_verify: > + * 'signer', 'unsupported_crypto', 'blacklisted' > + * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of > + * Content Data or Authenticate Attributes. > + */ > struct pkcs7_signed_info { > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx; > +#endif > struct pkcs7_signed_info *next; > struct x509_certificate *signer; /* Signing certificate (in > msg->certs) */ > unsigned index; > @@ -55,6 +108,9 @@ struct pkcs7_signed_info { > }; > > struct pkcs7_message { > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + struct pkcs7_mbedtls_ctx *mbedtls_ctx; > +#endif > struct x509_certificate *certs; /* Certificate list */ > struct x509_certificate *crl; /* Revocation list */ > struct pkcs7_signed_info *signed_infos; > diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile > index 4302f197297..7129315393f 100644 > --- a/lib/crypto/Makefile > +++ b/lib/crypto/Makefile > @@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c > $(obj)/x509_akid.asn1.h > # PKCS#7 message handling > # > obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o > -pkcs7_message-y := \ > +pkcs7_message-y := pkcs7_helper.o > +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ > pkcs7.asn1.o \ > - pkcs7_helper.o \ > pkcs7_parser.o > -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o > > $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h > $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h > > +obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o > + > # > # Signed PE binary-wrapped key handling > # > -- > 2.25.1 >
Acked-by: Ilias Apalodimas <[email protected]>
