Re: [PATCH v8 20/27] lib/crypto: Adapt PKCS7 parser to MbedTLS

On Fri, 4 Oct 2024 at 01:02, Raymond Mao raymond.mao@linaro.org wrote:

Previous patch has introduced MbedTLS porting layer for PKCS7 parser, here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao raymond.mao@linaro.org

Changes in v2

• Move the porting layer to MbedTLS dir.

Changes in v3

• Update commit message.

Changes in v4

• Control building legacy library via '_LEGACY' Kconfig.

Changes in v5

• Correct header file include directories.

Changes in v6

• None.

Changes in v7

• None.

Changes in v8

• None

include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++ lib/crypto/Makefile | 7 +++-- 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 2c45cce5234..469c2711fa6 100644 --- a/include/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h @@ -11,6 +11,12 @@ #include <linux/oid_registry.h> #include <crypto/pkcs7.h> #include <crypto/x509_parser.h> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include <mbedtls/pkcs7.h> +#include <library/x509_internal.h> +#include <mbedtls/asn1.h> +#include <mbedtls/oid.h> +#endif #include <linux/printk.h>

#define kenter(FMT, ...) \ @@ -18,7 +24,54 @@ #define kleave(FMT, ...) \ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)

+/* Backup the parsed MedTLS context that we need */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +struct pkcs7_mbedtls_ctx {

•   void *content_data;
  

+};

+struct pkcs7_sinfo_mbedtls_ctx {

•   void *authattrs_data;
  

•   void *content_data_digest;
  

+}; +#endif

+/*

• • MbedTLS integration Notes:
• • MbedTLS PKCS#7 library does not originally support parsing MicroSoft
• • Authentication Code which is used for verifying the PE image digest.
• • 1. Authenticated Attributes (authenticatedAttributes)

• • MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
    

• • fields not exist.
    

• • See MbedTLS function 'pkcs7_get_signer_info' for details.
    

• • 2. MicroSoft Authentication Code (mscode)

• • MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
    

• • (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
    

• • 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
    

• • OID_msIndirectData) is not supported.
    

• • See MbedTLS function 'pkcs7_get_content_info_type' for details.
    

• • But the EFI loader assumes that a PKCS#7 message with an EFI image always
• • contains MicroSoft Authentication Code as Content Data (msg->data is NOT
• • NULL), see function 'efi_signature_verify'.
• • MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
• • is to support both above features by parsing the Content Data and
• • Authenticate Attributes from a given PKCS#7 message.
• • Other fields we don't need to populate from MbedTLS, which are used
• • internally by pkcs7_verify:
• • 'signer', 'unsupported_crypto', 'blacklisted'
• • 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
• • Content Data or Authenticate Attributes.
• */

struct pkcs7_signed_info { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)

•   struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
  

+#endif struct pkcs7_signed_info *next; struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ unsigned index; @@ -55,6 +108,9 @@ struct pkcs7_signed_info { };

struct pkcs7_message { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)

•   struct pkcs7_mbedtls_ctx *mbedtls_ctx;
  

+#endif struct x509_certificate *certs; /* Certificate list */ struct x509_certificate *crl; /* Revocation list */ struct pkcs7_signed_info *signed_infos; diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 4302f197297..7129315393f 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h # PKCS#7 message handling # obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o -pkcs7_message-y := \ +pkcs7_message-y := pkcs7_helper.o +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ pkcs7.asn1.o \

•   pkcs7_helper.o \
    pkcs7_parser.o
  

-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o

$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h

+obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o

# # Signed PE binary-wrapped key handling

#

2.25.1

Acked-by: Ilias Apalodimas ilias.apalodimas@linaro.org