Re: [PATCH v2] Add optional salt to AUTOBOOT_STOP_STR_SHA256

On Fri, 20 Nov 2020 at 12:05, Joel Peshkin joel.peshkin@broadcom.com wrote:

From: Joel Peshkin joel.peshkin@broadcom.com

Adds an optional SALT value to AUTOBOOT_STOP_STR_SHA256. If a string followed by a ":" is prepended to the sha256, the portion to the left of the colon will be used as a salt and the password will be appended to the salt before the sha256 is computed and compared.

Signed-off-by: Joel Peshkin joel.peshkin@broadcom.com Cc: Simon Glass sjg@chromium.org Cc: Bin Meng bmeng.cn@gmail.com Cc: Patrick Delaunay patrick.delaunay@st.com Cc: Heiko Schocher hs@denx.de Cc: trini@konsulko.com Cc: Heinrich Schuchardt xypron.glpk@gmx.de Cc: Joel Peshkin joel.peshkin@broadcom.com To: u-boot@lists.denx.de

---

Changes for v2:

• Increase MAX_DELAY_STOP_STR
• Check salt size against MAX_DELAY_STOP_STR before copying
• Minor cleanup

---

common/Kconfig.boot | 5 ++++- common/autoboot.c | 12 ++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-)

Reviewed-by: Simon Glass sjg@chromium.org

Please see below

diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 3f6d9c1..8a98672 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -819,7 +819,10 @@ config AUTOBOOT_STOP_STR_SHA256 This option adds the feature to only stop the autobooting, and therefore boot into the U-Boot prompt, when the input string / password matches a values that is encypted via

•     a SHA256 hash and saved in the environment.
  

•     a SHA256 hash and saved in the environment variable
  

•     "bootstopkeysha256". If the value in that variable
  

•     includes a ":", the portion prior to the ":" will be treated
  

•     as a salt value.
  
  

config AUTOBOOT_USE_MENUKEY bool "Allow a specify key to run a menu from the environment" diff --git a/common/autoboot.c b/common/autoboot.c index e628baf..982b561 100644 --- a/common/autoboot.c +++ b/common/autoboot.c @@ -25,7 +25,7 @@

DECLARE_GLOBAL_DATA_PTR;

-#define MAX_DELAY_STOP_STR 32 +#define MAX_DELAY_STOP_STR 64

#ifndef DEBUG_BOOTKEYS #define DEBUG_BOOTKEYS 0 @@ -80,6 +80,7 @@ static int passwd_abort_sha256(uint64_t etime) u8 sha_env[SHA256_SUM_LEN]; u8 *sha; char *presskey;

•   char *c;
    const char *algo_name = "sha256";
    u_int presskey_len = 0;
    int abort = 0;
  

@@ -89,6 +90,14 @@ static int passwd_abort_sha256(uint64_t etime) if (sha_env_str == NULL) sha_env_str = AUTOBOOT_STOP_STR_SHA256;

•   presskey = malloc_cache_aligned(MAX_DELAY_STOP_STR);
  

•   c = strstr(sha_env_str, ":");
  

•   if ((c) && (c - sha_env_str < MAX_DELAY_STOP_STR)) {
  

Use c instead of (c)

•           /* preload presskey with salt */
  

•           memcpy(presskey, sha_env_str, c - sha_env_str);
  

•           presskey_len = c - sha_env_str;
  

•           sha_env_str = c + 1;
  

•   }
    /*
     * Generate the binary value from the environment hash value
     * so that we can compare this value with the computed hash
  

@@ -100,7 +109,6 @@ static int passwd_abort_sha256(uint64_t etime) return 0; }

•   presskey = malloc_cache_aligned(MAX_DELAY_STOP_STR);
    sha = malloc_cache_aligned(SHA256_SUM_LEN);
    size = SHA256_SUM_LEN;
    /*
  

-- 1.8.3.1