Support authentication of uefi priv. variables
To authenticate private uefi variables a fingerprint has to be
calculated based on the common name of the signing certificate's
Subject field and the tbsCertificate of the top-level issuer
certificate.
These variables have a public key certificate attached so the
verify_pkcs7_signature_handler is also reorganized to be able
to verify its own signature with its internal public key.
This commit implements the changes needed for the described
functionality.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Ida22977f3ef1a730ea95834ca5c9f9e4ed78d927
diff --git a/components/common/mbedtls/component.cmake b/components/common/mbedtls/component.cmake
new file mode 100644
index 0000000..e04a42f
--- /dev/null
+++ b/components/common/mbedtls/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/mbedtls_utils.c"
+)
diff --git a/components/common/mbedtls/mbedtls_utils.c b/components/common/mbedtls/mbedtls_utils.c
new file mode 100644
index 0000000..e7c97e9
--- /dev/null
+++ b/components/common/mbedtls/mbedtls_utils.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <string.h>
+#include "mbedtls_utils.h"
+
+/*
+ * Official value: http://www.oid-info.com/get/2.5.4.3
+ * Hex converter: https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
+ */
+#define CN_OID_TAG (0x06)
+#define CN_OID_LEN (0x03)
+#define CN_OID_VAL {0x55, 0x04, 0x03}
+
+/* Searches for the common name field in an mbedtls_asn1_named_data object */
+const mbedtls_asn1_buf* findCommonName(const mbedtls_asn1_named_data *name)
+{
+ static const uint8_t cn_oid_values[CN_OID_LEN] = CN_OID_VAL;
+
+ while (name)
+ {
+ if (name->oid.tag == CN_OID_TAG && name->oid.len == CN_OID_LEN) {
+ if (name->oid.p != NULL) {
+ if (!memcmp(name->oid.p, cn_oid_values, (size_t) CN_OID_LEN))
+ return &name->val;
+ }
+ }
+
+ name = name->next;
+ }
+
+ return NULL;
+}
diff --git a/components/common/mbedtls/mbedtls_utils.h b/components/common/mbedtls/mbedtls_utils.h
new file mode 100644
index 0000000..0e2f396
--- /dev/null
+++ b/components/common/mbedtls/mbedtls_utils.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef MBEDTLS_UTILS_H
+#define MBEDTLS_UTILS_H
+
+#include <mbedtls/asn1.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+const mbedtls_asn1_buf* findCommonName(const mbedtls_asn1_named_data *name);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_UTILS_H */
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller.h b/components/service/crypto/client/caller/packed-c/crypto_caller.h
index d834bc2..d5dd0f7 100644
--- a/components/service/crypto/client/caller/packed-c/crypto_caller.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller.h
@@ -31,5 +31,6 @@
#include "crypto_caller_sign_hash.h"
#include "crypto_caller_verify_hash.h"
#include "crypto_caller_verify_pkcs7_signature.h"
+#include "crypto_caller_get_uefi_priv_auth_var_fingerprint.h"
#endif /* PACKEDC_CRYPTO_CALLER_H */
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h b/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
new file mode 100644
index 0000000..73825b9
--- /dev/null
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+#define PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+
+#include <common/tlv/tlv.h>
+#include <protocols/common/efi/efi_status.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <protocols/service/crypto/packed-c/opcodes.h>
+#include <protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h>
+#include <service/common/client/service_client.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+static inline int crypto_caller_get_uefi_priv_auth_var_fingerprint(struct service_client *context,
+ const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ efi_status_t efi_status = EFI_INVALID_PARAMETER;
+ size_t req_len = 0;
+
+ if (signature_cert_len > UINT16_MAX)
+ return efi_status;
+
+ struct tlv_record signature_record = {
+ .tag = TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE,
+ .length = (uint16_t)signature_cert_len,
+ .value = signature_cert
+ };
+
+ req_len += tlv_required_space(signature_record.length);
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_session_begin(context->session, &req_buf, req_len, 0);
+
+ if (call_handle) {
+ uint8_t *resp_buf;
+ size_t resp_len;
+ service_status_t service_status;
+ struct tlv_iterator req_iter;
+
+ tlv_iterator_begin(&req_iter, req_buf, req_len);
+ if (!tlv_encode(&req_iter, &signature_record))
+ return efi_status;
+
+ context->rpc_status = rpc_caller_session_invoke(
+ call_handle, TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT, &resp_buf, &resp_len,
+ &service_status);
+
+ efi_status = (efi_status_t)service_status;
+
+ if (context->rpc_status == RPC_SUCCESS) {
+
+ if (efi_status == EFI_SUCCESS) {
+
+ struct tlv_const_iterator resp_iter;
+ struct tlv_record decoded_record;
+ tlv_const_iterator_begin(&resp_iter, resp_buf, resp_len);
+
+ if (tlv_find_decode(&resp_iter,
+ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER, &decoded_record)) {
+
+ memcpy(output, decoded_record.value, PSA_HASH_MAX_SIZE);
+ efi_status = EFI_SUCCESS;
+ } else {
+ /* Mandatory response parameter missing */
+ efi_status = EFI_PROTOCOL_ERROR;
+ }
+ }
+ }
+
+ rpc_caller_session_end(call_handle);
+ }
+
+ return efi_status;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h
index 68d489f..5821f13 100644
--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller.h
+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h
@@ -23,6 +23,7 @@
#include "crypto_caller_generate_key.h"
#include "crypto_caller_generate_random.h"
#include "crypto_caller_get_key_attributes.h"
+#include "crypto_caller_get_uefi_priv_auth_var_fingerprint.h"
#include "crypto_caller_hash.h"
#include "crypto_caller_import_key.h"
#include "crypto_caller_key_derivation.h"
diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_uefi_priv_auth_var_fingerprint.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
new file mode 100644
index 0000000..04e87ad
--- /dev/null
+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PSA_IPC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+#define PSA_IPC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+
+#include <rpc/common/interface/rpc_status.h>
+#include <service/common/client/service_client.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+static inline int crypto_caller_get_uefi_priv_auth_var_fingerprint(struct service_client *context,
+ const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ (void)context;
+ (void)signature_cert;
+ (void)signature_cert_len;
+ (void)output;
+
+ return RPC_ERROR_INTERNAL;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_IPC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
diff --git a/components/service/crypto/client/caller/stub/crypto_caller.h b/components/service/crypto/client/caller/stub/crypto_caller.h
index 1931d02..0e88a13 100644
--- a/components/service/crypto/client/caller/stub/crypto_caller.h
+++ b/components/service/crypto/client/caller/stub/crypto_caller.h
@@ -26,6 +26,7 @@
#include "crypto_caller_asymmetric_encrypt.h"
#include "crypto_caller_export_key.h"
#include "crypto_caller_get_key_attributes.h"
+#include "crypto_caller_get_uefi_priv_auth_var_fingerprint.h"
#include "crypto_caller_sign_hash.h"
#include "crypto_caller_cipher.h"
#include "crypto_caller_export_public_key.h"
diff --git a/components/service/crypto/client/caller/stub/crypto_caller_get_uefi_priv_auth_var_fingerprint.h b/components/service/crypto/client/caller/stub/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
new file mode 100644
index 0000000..d8c286b
--- /dev/null
+++ b/components/service/crypto/client/caller/stub/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STUB_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+#define STUB_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+
+#include <rpc/common/interface/rpc_status.h>
+#include <service/common/client/service_client.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+static inline int crypto_caller_get_uefi_priv_auth_var_fingerprint(struct service_client *context,
+ const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ (void)context;
+ (void)signature_cert;
+ (void)signature_cert_len;
+ (void)output;
+
+ return RPC_ERROR_INTERNAL;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* STUB_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index 6792a17..80fbe24 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h
@@ -240,6 +240,10 @@
uint64_t hash_len, const uint8_t *public_key_cert,
uint64_t public_key_cert_len) = 0;
+ virtual int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output) = 0;
+
protected:
crypto_client();
crypto_client(struct rpc_caller_session *session);
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index aaa71f0..4791feb 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
@@ -428,3 +428,12 @@
hash, hash_len, public_key_cert,
public_key_cert_len);
}
+
+int packedc_crypto_client::get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ return crypto_caller_get_uefi_priv_auth_var_fingerprint(&m_client, signature_cert,
+ signature_cert_len,
+ output);
+}
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index 8d4f60c..ec6c51c 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
@@ -236,6 +236,10 @@
int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
const uint8_t *hash, uint64_t hash_len,
const uint8_t *public_key_cert, uint64_t public_key_cert_len);
+
+ int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output);
};
#endif /* PACKEDC_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index 6bae7a8..1170255 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
@@ -1174,3 +1174,14 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+
+int protobuf_crypto_client::get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ (void)signature_cert;
+ (void)signature_cert_len;
+ (void)output;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 9ad43f7..52f8a02 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
@@ -237,6 +237,10 @@
const uint8_t *hash, uint64_t hash_len,
const uint8_t *public_key_cert, uint64_t public_key_cert_len);
+ int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output);
+
private:
psa_status_t asym_sign(uint32_t opcode,
diff --git a/components/service/crypto/client/psa/component.cmake b/components/service/crypto/client/psa/component.cmake
index 359db3b..5bee0c6 100644
--- a/components/service/crypto/client/psa/component.cmake
+++ b/components/service/crypto/client/psa/component.cmake
@@ -32,4 +32,5 @@
"${CMAKE_CURRENT_LIST_DIR}/psa_sign_message.c"
"${CMAKE_CURRENT_LIST_DIR}/psa_verify_message.c"
"${CMAKE_CURRENT_LIST_DIR}/verify_pkcs7_signature.c"
+ "${CMAKE_CURRENT_LIST_DIR}/get_uefi_priv_auth_var_fingerprint.c"
)
diff --git a/components/service/crypto/client/psa/crypto_client.h b/components/service/crypto/client/psa/crypto_client.h
index 4b59bbe..af04df1 100644
--- a/components/service/crypto/client/psa/crypto_client.h
+++ b/components/service/crypto/client/psa/crypto_client.h
@@ -7,10 +7,15 @@
#ifndef CRYPTO_CLIENT_H
#define CRYPTO_CLIENT_H
+#include <stddef.h>
#include <stdint.h>
int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
uint64_t public_key_cert_len);
+int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output);
+
#endif /* CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c b/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c
new file mode 100644
index 0000000..702aaa0
--- /dev/null
+++ b/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "crypto_caller_selector.h"
+#include "crypto_client.h"
+#include "psa_crypto_client.h"
+
+int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+ return psa_crypto_client_instance.init_status;
+
+ return crypto_caller_get_uefi_priv_auth_var_fingerprint(&psa_crypto_client_instance.base,
+ signature_cert, signature_cert_len,
+ output);
+}
diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c
index 9cd5208..f94b47e 100644
--- a/components/service/crypto/provider/crypto_provider.c
+++ b/components/service/crypto/provider/crypto_provider.c
@@ -3,16 +3,23 @@
*
* SPDX-License-Identifier: BSD-3-Clause
*/
+#include <protocols/common/efi/efi_status.h>
#include <protocols/rpc/common/packed-c/status.h>
#include <protocols/service/crypto/packed-c/opcodes.h>
#include <service/crypto/backend/crypto_backend.h>
#include <service/crypto/provider/crypto_provider.h>
+#include <compiler.h>
#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#include "crypto_partition.h"
#include "crypto_uuid.h"
+#if defined(MBEDTLS_PKCS7_C) && defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "common/mbedtls/mbedtls_utils.h"
+#endif
+
/* Service request handlers */
static rpc_status_t generate_key_handler(void *context, struct rpc_request *req);
static rpc_status_t destroy_key_handler(void *context, struct rpc_request *req);
@@ -28,25 +35,27 @@
static rpc_status_t purge_key_handler(void *context, struct rpc_request *req);
static rpc_status_t get_key_attributes_handler(void *context, struct rpc_request *req);
static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req);
+static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req);
/* Handler mapping table for service */
static const struct service_handler handler_table[] = {
- { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
- { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
- { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
- { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
- { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
- { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
- { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
- { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
- { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
- { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
- { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
- { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
- { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
- { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
- { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
- { TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, verify_pkcs7_signature_handler },
+ { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
+ { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
+ { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
+ { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
+ { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
+ { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
+ { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
+ { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
+ { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
+ { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
+ { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
+ { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
+ { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, verify_pkcs7_signature_handler },
+ { TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT, get_uefi_priv_auth_var_fingerprint_handler },
};
struct rpc_service_interface *
@@ -664,33 +673,44 @@
}
if (rpc_status == RPC_SUCCESS) {
- /* Parse the public key certificate */
- mbedtls_x509_crt signer_certificate;
+ /* Parse the PKCS#7 DER encoded signature block */
+ mbedtls_pkcs7 pkcs7_structure;
- mbedtls_x509_crt_init(&signer_certificate);
+ mbedtls_pkcs7_init(&pkcs7_structure);
- mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
- public_key_cert_len);
+ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+ signature_cert_len);
- if (mbedtls_status == 0) {
- /* Parse the PKCS#7 DER encoded signature block */
- mbedtls_pkcs7 pkcs7_structure;
+ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
- mbedtls_pkcs7_init(&pkcs7_structure);
+ /*
+ * If a separate public key is provided, verify the signature with it,
+ * else use the key from the pkcs7 signature structure, because it is
+ * a self-signed certificate.
+ */
+ if(public_key_cert_len) {
+ /* Parse the public key certificate */
+ mbedtls_x509_crt signer_certificate;
- mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
- signature_cert_len);
+ mbedtls_x509_crt_init(&signer_certificate);
- if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
- /* Verify hash against signed hash */
+ mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
+ public_key_cert_len);
+
+ if (mbedtls_status == 0) {
+ /* Verify hash against signed hash */
+ mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
+ &pkcs7_structure, &signer_certificate, hash, hash_len);
+ }
+
+ mbedtls_x509_crt_free(&signer_certificate);
+ } else {
mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
- &pkcs7_structure, &signer_certificate, hash, hash_len);
+ &pkcs7_structure, &pkcs7_structure.private_signed_data.private_certs, hash, hash_len);
}
-
- mbedtls_pkcs7_free(&pkcs7_structure);
}
- mbedtls_x509_crt_free(&signer_certificate);
+ mbedtls_pkcs7_free(&pkcs7_structure);
}
free(signature_cert);
@@ -702,6 +722,111 @@
return rpc_status;
}
+
+static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req)
+{
+ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
+ struct rpc_buffer *req_buf = &req->request;
+ const struct crypto_provider_serializer *serializer = get_crypto_serializer(context, req);
+
+ int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
+ uint8_t *signature_cert = NULL;
+ uint64_t signature_cert_len = 0;
+
+ if (serializer) {
+ /* First collect the lengths of the field */
+ rpc_status = serializer->deserialize_get_uefi_priv_auth_var_fingerprint_req(
+ req_buf, NULL, &signature_cert_len);
+
+ if (rpc_status == RPC_SUCCESS) {
+ /* Allocate the needed space and get the data */
+ signature_cert = (uint8_t *)malloc(signature_cert_len);
+
+ if (signature_cert) {
+ rpc_status = serializer->deserialize_get_uefi_priv_auth_var_fingerprint_req(
+ req_buf, signature_cert, &signature_cert_len);
+ } else {
+ rpc_status = RPC_ERROR_RESOURCE_FAILURE;
+ }
+ }
+ }
+
+ if (rpc_status == RPC_SUCCESS) {
+ /* Parse the PKCS#7 DER encoded signature block */
+ mbedtls_pkcs7 pkcs7_structure;
+
+ mbedtls_pkcs7_init(&pkcs7_structure);
+
+ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+ signature_cert_len);
+
+ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
+
+ uint8_t output_buffer[PSA_HASH_MAX_SIZE] = { 0 };
+ size_t __maybe_unused output_size = 0;
+ const mbedtls_asn1_buf *signerCertCN = NULL;
+ const mbedtls_x509_crt *topLevelCert = &pkcs7_structure.private_signed_data.private_certs;
+ const mbedtls_x509_buf *toplevelCertTbs = NULL;
+ struct rpc_buffer *resp_buf = &req->response;;
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+
+ /* Find common name field of the signing certificate, which is the first in the chain */
+ signerCertCN = findCommonName(&topLevelCert->subject);
+ if (!signerCertCN) {
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ /* Get the TopLevel certificate which is the last in the chain */
+ while(topLevelCert->next)
+ topLevelCert = topLevelCert->next;
+ toplevelCertTbs = &topLevelCert->tbs;
+
+ /* Hash the data to create the fingerprint */
+ op = psa_hash_operation_init();
+
+ if (psa_hash_setup(&op, PSA_ALG_SHA_256) != PSA_SUCCESS) {
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_update(&op, signerCertCN->p, signerCertCN->len)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_update(&op, toplevelCertTbs->p, toplevelCertTbs->len)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_finish(&op, (uint8_t*)&output_buffer, PSA_HASH_MAX_SIZE, &output_size)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ /* Clear the remaining part of the buffer for consistency */
+ memset(&output_buffer[output_size], 0, PSA_HASH_MAX_SIZE - output_size);
+
+ rpc_status = serializer->serialize_get_uefi_priv_auth_var_fingerprint_resp(
+ resp_buf, (uint8_t*)&output_buffer);
+ }
+
+end:
+ mbedtls_pkcs7_free(&pkcs7_structure);
+ }
+
+ free(signature_cert);
+
+ /* Provide the result of the verification */
+ req->service_status = (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) ? EFI_SUCCESS : EFI_COMPROMISED_DATA;
+
+ return rpc_status;
+}
#else
static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req)
{
@@ -710,4 +835,12 @@
return RPC_ERROR_INTERNAL;
}
+
+static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req)
+{
+ (void)context;
+ (void)req;
+
+ return RPC_ERROR_INTERNAL;
+}
#endif
diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
index bd5336c..2b965af 100644
--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
@@ -126,6 +126,14 @@
uint8_t *hash, uint64_t *hash_len,
uint8_t *public_key_cert,
uint64_t *public_key_cert_len);
+
+ /* Operation: get_uefi_priv_auth_var_fingerprintentifier */
+ rpc_status_t (*deserialize_get_uefi_priv_auth_var_fingerprint_req)(const struct rpc_buffer *req_buf,
+ uint8_t *signed_data,
+ uint64_t *signed_data_len);
+
+ rpc_status_t (*serialize_get_uefi_priv_auth_var_fingerprint_resp)(struct rpc_buffer *resp_buf,
+ const uint8_t *output);
};
#endif /* CRYPTO_PROVIDER_SERIALIZER_H */
diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
index 050ef2f..89e07e2 100644
--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
@@ -22,6 +22,7 @@
#include <protocols/service/crypto/packed-c/sign_hash.h>
#include <protocols/service/crypto/packed-c/verify_hash.h>
#include <protocols/service/crypto/packed-c/verify_pkcs7_signature.h>
+#include <protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h>
#include <service/crypto/backend/crypto_backend.h>
#include <stdlib.h>
#include <string.h>
@@ -675,6 +676,57 @@
return rpc_status;
}
+/* Operation: get_uefi_priv_auth_var_fingerprintentifier */
+static rpc_status_t deserialize_get_uefi_priv_auth_var_fingerprint_req(const struct rpc_buffer *req_buf,
+ uint8_t *signed_data,
+ uint64_t *signed_data_len)
+{
+ rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY;
+
+ if (req_buf->data_length) {
+ struct tlv_const_iterator req_iter;
+ struct tlv_record decoded_record;
+
+ rpc_status = RPC_SUCCESS;
+
+ tlv_const_iterator_begin(&req_iter, (uint8_t *)req_buf->data, req_buf->data_length);
+
+ if (tlv_find_decode(&req_iter, TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE,
+ &decoded_record)) {
+ *signed_data_len = decoded_record.length;
+
+ if (signed_data)
+ memcpy(signed_data, decoded_record.value, decoded_record.length);
+ } else {
+ /* Default to a zero length */
+ *signed_data_len = 0;
+ }
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t serialize_get_uefi_priv_auth_var_fingerprint_resp(struct rpc_buffer *resp_buf,
+ const uint8_t *output)
+{
+ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
+ struct tlv_iterator resp_iter;
+ struct tlv_record out_record;
+
+ out_record.tag = TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER;
+ out_record.length = PSA_HASH_MAX_SIZE;
+ out_record.value = output;
+
+ tlv_iterator_begin(&resp_iter, resp_buf->data, resp_buf->size);
+
+ if (tlv_encode(&resp_iter, &out_record)) {
+ resp_buf->data_length = tlv_required_space(PSA_HASH_MAX_SIZE);
+ rpc_status = RPC_SUCCESS;
+ }
+
+ return rpc_status;
+}
+
/* Singleton method to provide access to the serializer instance */
const struct crypto_provider_serializer *packedc_crypto_provider_serializer_instance(void)
{
@@ -704,6 +756,8 @@
deserialize_generate_random_req,
serialize_generate_random_resp,
deserialize_verify_pkcs7_signature_req,
+ deserialize_get_uefi_priv_auth_var_fingerprint_req,
+ serialize_get_uefi_priv_auth_var_fingerprint_resp
};
return &instance;
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.cpp b/components/service/crypto/test/service/crypto_service_scenarios.cpp
index db7d691..6f9fcda 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.cpp
+++ b/components/service/crypto/test/service/crypto_service_scenarios.cpp
@@ -10,6 +10,7 @@
#include <vector>
#include <CppUTest/TestHarness.h>
#include "crypto_service_scenarios.h"
+#include "protocols/common/efi/efi_status.h"
crypto_service_scenarios::crypto_service_scenarios(crypto_client *crypto_client) :
m_crypto_client(crypto_client)
@@ -774,4 +775,119 @@
sizeof(public_key));
CHECK(status == 0);
-}
\ No newline at end of file
+}
+
+void crypto_service_scenarios::getUefiPrivAuthVarFingerprint(void)
+{
+ efi_status_t status = EFI_SUCCESS;
+
+ unsigned char certificate[] = {
+ 0x30, 0x82, 0x04, 0x8a, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x03, 0x0b, 0x30, 0x82, 0x03, 0x07, 0x30, 0x82, 0x01,
+ 0xef, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x5d, 0x64, 0x33, 0x8a, 0xce, 0x28, 0x15, 0x7f,
+ 0x0f, 0x0f, 0x6c, 0xb2, 0xe2, 0x39, 0x97, 0x03, 0xd4, 0x91, 0xc2, 0x1b, 0x30, 0x0d, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30,
+ 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73, 0x74, 0x20, 0x56, 0x41, 0x52,
+ 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x31, 0x33, 0x30, 0x39, 0x31, 0x39, 0x32, 0x30,
+ 0x5a, 0x17, 0x0d, 0x33, 0x34, 0x30, 0x35, 0x31, 0x31, 0x30, 0x39, 0x31, 0x39, 0x32, 0x30, 0x5a,
+ 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73,
+ 0x74, 0x20, 0x56, 0x41, 0x52, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01,
+ 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0x46, 0x38, 0x19, 0x44, 0xc8, 0x9b, 0xf8, 0xaf, 0xc0,
+ 0xdd, 0x1b, 0x09, 0x3a, 0x01, 0xa8, 0xab, 0x7b, 0x36, 0x8f, 0xcf, 0x69, 0xbf, 0x1e, 0x9e, 0xd0,
+ 0x97, 0x3e, 0x77, 0xe2, 0xe9, 0x13, 0x13, 0xbc, 0x98, 0x7b, 0xea, 0x1f, 0xf0, 0x0a, 0x79, 0x62,
+ 0xcc, 0x09, 0x58, 0x03, 0x3b, 0x33, 0x91, 0xa7, 0xcf, 0xb5, 0x1c, 0xa6, 0xc0, 0x92, 0x06, 0x96,
+ 0xf1, 0x08, 0xcb, 0xbc, 0x8e, 0xee, 0xe2, 0x16, 0xf7, 0x8f, 0x73, 0x82, 0x23, 0x51, 0x8b, 0x6c,
+ 0x0e, 0x7c, 0xad, 0x8c, 0x51, 0x4f, 0x50, 0x1d, 0x10, 0xf7, 0xcd, 0x28, 0xb7, 0x3f, 0x71, 0x4d,
+ 0x65, 0xcc, 0x20, 0x42, 0x59, 0x66, 0xff, 0x13, 0xd2, 0xef, 0x0d, 0xe4, 0xbd, 0xe3, 0x9d, 0x4a,
+ 0x90, 0x0b, 0xd1, 0xfb, 0x6c, 0xd4, 0x3c, 0x0e, 0x39, 0xee, 0x56, 0x6b, 0x16, 0xe8, 0xb0, 0xfe,
+ 0xb3, 0xa7, 0xc2, 0x2c, 0x0a, 0xe9, 0x2f, 0xcb, 0x5c, 0x0d, 0x39, 0xd8, 0xeb, 0x00, 0x88, 0xa4,
+ 0xea, 0xc6, 0x31, 0x3a, 0xd1, 0xa8, 0x2f, 0x05, 0x05, 0xae, 0xe5, 0x75, 0xb8, 0xc9, 0x0e, 0x45,
+ 0x62, 0x89, 0xd7, 0x78, 0x7d, 0x51, 0x31, 0xae, 0x94, 0x91, 0x14, 0x75, 0xed, 0x6e, 0x1c, 0x9e,
+ 0x51, 0x72, 0xe5, 0x76, 0x02, 0x77, 0x65, 0x15, 0xe9, 0x23, 0xd4, 0x1f, 0x27, 0x0b, 0x18, 0xff,
+ 0xca, 0x9a, 0x44, 0x54, 0x8e, 0xcb, 0xf5, 0x80, 0xfe, 0x36, 0x96, 0x31, 0x70, 0x7e, 0x19, 0x3a,
+ 0xc7, 0x0d, 0xc7, 0x81, 0x97, 0x61, 0x87, 0x5a, 0x60, 0x0b, 0x8c, 0xcf, 0x6e, 0x02, 0xc2, 0x61,
+ 0x60, 0x25, 0x7b, 0x27, 0x21, 0x0d, 0x25, 0x82, 0x20, 0x52, 0xaa, 0x96, 0x8a, 0xd6, 0xe0, 0xc4,
+ 0x5a, 0x2a, 0xa1, 0xd8, 0x9f, 0x4b, 0x86, 0x06, 0x85, 0xe2, 0x09, 0xad, 0x6d, 0x81, 0x12, 0x1c,
+ 0x2a, 0x9c, 0xc3, 0x49, 0xdc, 0x7b, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30,
+ 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3f, 0xe5, 0x0f, 0xd8, 0x0d, 0x9c,
+ 0x5f, 0x61, 0x4e, 0x39, 0x30, 0x75, 0x1f, 0x47, 0x8e, 0xef, 0x6f, 0xe4, 0xe6, 0x28, 0x30, 0x1f,
+ 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3f, 0xe5, 0x0f, 0xd8, 0x0d,
+ 0x9c, 0x5f, 0x61, 0x4e, 0x39, 0x30, 0x75, 0x1f, 0x47, 0x8e, 0xef, 0x6f, 0xe4, 0xe6, 0x28, 0x30,
+ 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
+ 0x82, 0x01, 0x01, 0x00, 0x57, 0xb5, 0x65, 0x9e, 0x19, 0x88, 0x0a, 0x98, 0x92, 0xdd, 0x8c, 0x4b,
+ 0x72, 0x2b, 0xf2, 0x3e, 0xe3, 0x9e, 0xcb, 0x06, 0x1f, 0xc3, 0x64, 0xc9, 0xdd, 0xf4, 0xb9, 0xa6,
+ 0x25, 0x66, 0x00, 0xa1, 0x11, 0x98, 0x09, 0xcd, 0xf2, 0x82, 0x30, 0x03, 0xe6, 0xf6, 0x9d, 0x54,
+ 0x38, 0x06, 0x75, 0x36, 0xce, 0x00, 0x7d, 0x7a, 0xb8, 0xb9, 0xbf, 0x9b, 0xa0, 0xd3, 0xa7, 0x59,
+ 0x01, 0x21, 0xc4, 0x78, 0x6f, 0x5d, 0x72, 0xf2, 0xa2, 0x3a, 0xe9, 0xe9, 0xd0, 0xfb, 0x0e, 0xc1,
+ 0x18, 0x37, 0x5b, 0x58, 0xa4, 0xc6, 0x0d, 0x0b, 0x42, 0xbb, 0x80, 0x8f, 0x64, 0xf5, 0x74, 0x22,
+ 0x5a, 0xeb, 0x19, 0x52, 0xb5, 0x09, 0x06, 0x91, 0x13, 0x29, 0x41, 0x3d, 0x60, 0xfd, 0x1d, 0x95,
+ 0x13, 0x7e, 0x49, 0xdc, 0x4b, 0x39, 0x3d, 0xda, 0x59, 0x85, 0xc1, 0xf7, 0xc1, 0x5a, 0x19, 0xc8,
+ 0xf5, 0xdc, 0x6b, 0xf0, 0xa7, 0xcd, 0x1d, 0xd3, 0xbc, 0xf5, 0x51, 0x58, 0x86, 0x3a, 0x0a, 0x76,
+ 0xc0, 0x30, 0x73, 0x3b, 0x8a, 0x89, 0x26, 0xfd, 0x36, 0x9a, 0xdb, 0x6f, 0x7b, 0x39, 0x16, 0x44,
+ 0x41, 0xb9, 0x6e, 0xd6, 0x82, 0x05, 0xff, 0xf6, 0x9e, 0x51, 0xf4, 0x7d, 0xb5, 0x5b, 0xc1, 0x37,
+ 0x16, 0xfa, 0x7f, 0x49, 0x69, 0xa1, 0x93, 0x9f, 0xd5, 0x55, 0x7b, 0xdf, 0xcc, 0xb1, 0x2c, 0xd3,
+ 0xe7, 0x5a, 0x14, 0x95, 0x96, 0xc0, 0x73, 0x63, 0x65, 0xc8, 0x94, 0xe6, 0x16, 0xbb, 0x3e, 0x76,
+ 0x56, 0xf9, 0x73, 0x23, 0x97, 0xb2, 0xb8, 0xae, 0xe0, 0x8c, 0x78, 0xd7, 0x42, 0x61, 0xbc, 0x07,
+ 0x80, 0x40, 0x7e, 0xcd, 0x47, 0x90, 0x45, 0x9b, 0xba, 0x7a, 0xeb, 0xd2, 0xa8, 0x09, 0xfc, 0x38,
+ 0xee, 0x0c, 0xe9, 0xf9, 0x40, 0x12, 0x36, 0xa7, 0xfd, 0xbf, 0xc8, 0xa3, 0x47, 0x99, 0x4a, 0x49,
+ 0x49, 0x54, 0x11, 0x42, 0x31, 0x82, 0x01, 0x56, 0x30, 0x82, 0x01, 0x52, 0x02, 0x01, 0x01, 0x30,
+ 0x2b, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65,
+ 0x73, 0x74, 0x20, 0x56, 0x41, 0x52, 0x02, 0x14, 0x5d, 0x64, 0x33, 0x8a, 0xce, 0x28, 0x15, 0x7f,
+ 0x0f, 0x0f, 0x6c, 0xb2, 0xe2, 0x39, 0x97, 0x03, 0xd4, 0x91, 0xc2, 0x1b, 0x30, 0x0d, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x97, 0x77,
+ 0x54, 0x3e, 0xdd, 0x8c, 0x08, 0xb9, 0x08, 0xa3, 0x49, 0x1a, 0x40, 0x85, 0x10, 0x41, 0x11, 0x8e,
+ 0xb5, 0x55, 0xd5, 0x1c, 0x26, 0x48, 0x70, 0x7a, 0xa1, 0xd6, 0x9a, 0xb9, 0xdc, 0xcf, 0x94, 0x94,
+ 0x5a, 0xc8, 0xc6, 0x9a, 0x9b, 0xe8, 0x6d, 0xce, 0x7c, 0x73, 0x57, 0x23, 0x29, 0x60, 0x43, 0x0c,
+ 0x42, 0x6a, 0x60, 0x5b, 0xf0, 0x07, 0x30, 0x85, 0xe9, 0x03, 0x3f, 0x50, 0x3e, 0x42, 0xdd, 0xf6,
+ 0xf6, 0x3a, 0xad, 0x01, 0xa4, 0x4b, 0x9b, 0xe2, 0xc3, 0xa0, 0xac, 0x9a, 0xa8, 0xbf, 0xcd, 0xff,
+ 0xf2, 0xae, 0x7c, 0x0e, 0x10, 0xd2, 0x82, 0x72, 0xbb, 0x2b, 0x7e, 0x11, 0x70, 0x70, 0xac, 0x1a,
+ 0x55, 0xf2, 0x75, 0xd8, 0x6b, 0xcc, 0xed, 0x8c, 0x56, 0xcc, 0xaf, 0x00, 0x4c, 0x40, 0x6a, 0xa5,
+ 0x3b, 0xc3, 0xa2, 0x9e, 0x53, 0xb1, 0x69, 0xad, 0x25, 0x49, 0x0b, 0x95, 0x46, 0x69, 0xd0, 0x07,
+ 0xc1, 0xb6, 0x08, 0x1b, 0xef, 0x7f, 0x72, 0x0c, 0xb3, 0xbb, 0x09, 0x64, 0x2c, 0xd4, 0xf9, 0x41,
+ 0x8f, 0x09, 0x60, 0xfe, 0x08, 0x56, 0x1c, 0x6d, 0x31, 0xda, 0x48, 0xeb, 0xde, 0x2d, 0x4d, 0xb1,
+ 0x53, 0x09, 0x7f, 0x23, 0x43, 0x9b, 0x78, 0xc1, 0x9c, 0x67, 0x71, 0xda, 0xf5, 0xa3, 0x84, 0xa8,
+ 0x8c, 0xa6, 0x71, 0x62, 0x6c, 0x1f, 0x92, 0xff, 0xc7, 0x38, 0x39, 0x00, 0x50, 0x73, 0x8c, 0x68,
+ 0x8a, 0x13, 0x47, 0xec, 0x0e, 0x3d, 0xef, 0xf5, 0xfb, 0xb0, 0xfc, 0x88, 0xe1, 0xdf, 0x48, 0x0f,
+ 0xf2, 0x6b, 0x21, 0xb8, 0x2d, 0x13, 0x9f, 0x23, 0x54, 0x5d, 0x7e, 0xe3, 0xf0, 0xfb, 0x7a, 0x7e,
+ 0x7b, 0x01, 0xdb, 0x3b, 0xda, 0x9f, 0x4a, 0xbe, 0xb7, 0xa1, 0x1e, 0x40, 0x57, 0x44, 0x12, 0x75,
+ 0x97, 0xe7, 0xb8, 0x59, 0x57, 0x9e, 0x38, 0x4f, 0xfa, 0x20, 0x03, 0x2b, 0x11, 0xe2
+ };
+
+ unsigned char expected_fingerprint[PSA_HASH_MAX_SIZE] =
+ {
+ 0x88, 0x46, 0xFC, 0x97, 0xDC, 0x48, 0x88, 0x71,
+ 0xEB, 0x8A, 0x6A, 0x6A, 0xA2, 0x27, 0xF2, 0x90,
+ 0x70, 0xA2, 0x51, 0xD4, 0x29, 0xF3, 0xE9, 0x7A,
+ 0x18, 0x2D, 0x25, 0x59, 0x2A, 0x3C, 0x9A, 0xE5
+ };
+
+ unsigned char fingerprint[PSA_HASH_MAX_SIZE] = { 0 };
+
+ /* Inject error into the public key format and expect failure */
+ certificate[0] = ~certificate[0];
+ status = m_crypto_client->get_uefi_priv_auth_var_fingerprint((const uint8_t *)certificate,
+ sizeof(certificate),
+ (uint8_t *)&fingerprint);
+ certificate[0] = ~certificate[0];
+
+ CHECK(status != EFI_SUCCESS);
+
+ /* Try with wrong length */
+ status = m_crypto_client->get_uefi_priv_auth_var_fingerprint((const uint8_t *)certificate,
+ sizeof(certificate) / 2,
+ (uint8_t *)&fingerprint);
+
+ CHECK(status != EFI_SUCCESS);
+
+ /* Verify correct signature */
+ status = m_crypto_client->get_uefi_priv_auth_var_fingerprint((const uint8_t *)certificate,
+ sizeof(certificate),
+ (uint8_t *)&fingerprint);
+
+ CHECK(status == EFI_SUCCESS);
+ MEMCMP_EQUAL(expected_fingerprint, fingerprint, PSA_HASH_MAX_SIZE);
+}
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.h b/components/service/crypto/test/service/crypto_service_scenarios.h
index 8081877..348c2c9 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.h
+++ b/components/service/crypto/test/service/crypto_service_scenarios.h
@@ -33,6 +33,7 @@
void copyKey();
void purgeKey();
void verifypkcs7signature(void);
+ void getUefiPrivAuthVarFingerprint(void);
private:
crypto_client *m_crypto_client;
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index bc0f908..17a9b8a 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -117,3 +117,8 @@
{
m_scenarios->verifypkcs7signature();
}
+
+TEST(CryptoServicePackedcTests, getUefiPrivAuthVarFingerprint)
+{
+ m_scenarios->getUefiPrivAuthVarFingerprint();
+}
diff --git a/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c b/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
index bf978c5..aed3b9d 100644
--- a/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
+++ b/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
@@ -8,7 +8,11 @@
#include <mbedtls/build_info.h>
#include <mbedtls/pkcs7.h>
#include <mbedtls/x509_crt.h>
+#include "common/mbedtls/mbedtls_utils.h"
+#include <protocols/common/efi/efi_status.h>
#include <stdint.h>
+#include <string.h>
+#include <compiler.h>
int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
@@ -16,33 +20,115 @@
{
int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- /* Parse the public key certificate */
- mbedtls_x509_crt signer_certificate;
+ /* Parse the PKCS#7 DER encoded signature block */
+ mbedtls_pkcs7 pkcs7_structure;
- mbedtls_x509_crt_init(&signer_certificate);
+ mbedtls_pkcs7_init(&pkcs7_structure);
- mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
- public_key_cert_len);
+ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+ signature_cert_len);
- if (mbedtls_status == 0) {
- /* Parse the PKCS#7 DER encoded signature block */
- mbedtls_pkcs7 pkcs7_structure;
+ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
- mbedtls_pkcs7_init(&pkcs7_structure);
+ /*
+ * If a separate public key is provided, verify the signature with it,
+ * else use the key from the pkcs7 signature structure, because it is
+ * a self-signed certificate.
+ */
+ if(public_key_cert_len) {
+ /* Parse the public key certificate */
+ mbedtls_x509_crt signer_certificate;
- mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
- signature_cert_len);
+ mbedtls_x509_crt_init(&signer_certificate);
- if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
- /* Verify hash against signed hash */
+ mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
+ public_key_cert_len);
+
+ if (mbedtls_status == 0) {
+ /* Verify hash against signed hash */
+ mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
+ &pkcs7_structure, &signer_certificate, hash, hash_len);
+ }
+
+ mbedtls_x509_crt_free(&signer_certificate);
+ } else {
mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
- &pkcs7_structure, &signer_certificate, hash, hash_len);
+ &pkcs7_structure, &pkcs7_structure.private_signed_data.private_certs, hash, hash_len);
}
-
- mbedtls_pkcs7_free(&pkcs7_structure);
}
- mbedtls_x509_crt_free(&signer_certificate);
+ mbedtls_pkcs7_free(&pkcs7_structure);
return mbedtls_status;
}
+
+int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output)
+{
+ int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
+ /* Parse the PKCS#7 DER encoded signature block */
+ mbedtls_pkcs7 pkcs7_structure;
+
+ mbedtls_pkcs7_init(&pkcs7_structure);
+
+ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+ signature_cert_len);
+
+ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
+
+ //uint8_t output_buffer[PSA_HASH_MAX_SIZE] = { 0 };
+ size_t __maybe_unused output_size = 0;
+ const mbedtls_asn1_buf *signerCertCN = NULL;
+ const mbedtls_x509_crt *topLevelCert = &pkcs7_structure.private_signed_data.private_certs;
+ const mbedtls_x509_buf *toplevelCertTbs = NULL;
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+
+ /* Find common name field of the signing certificate, which is the first in the chain */
+ signerCertCN = findCommonName(&topLevelCert->subject);
+ if (!signerCertCN) {
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ /* Get the TopLevel certificate which is the last in the chain */
+ while(topLevelCert->next)
+ topLevelCert = topLevelCert->next;
+ toplevelCertTbs = &topLevelCert->tbs;
+
+ /* Hash the data to create the fingerprint */
+ op = psa_hash_operation_init();
+
+ if (psa_hash_setup(&op, PSA_ALG_SHA_256) != PSA_SUCCESS) {
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_update(&op, signerCertCN->p, signerCertCN->len)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_update(&op, toplevelCertTbs->p, toplevelCertTbs->len)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ if (psa_hash_finish(&op, output, PSA_HASH_MAX_SIZE, &output_size)) {
+ psa_hash_abort(&op);
+ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ goto end;
+ }
+
+ /* Clear the remaining part of the buffer for consistency */
+ memset(output + output_size, 0, PSA_HASH_MAX_SIZE - output_size);
+ }
+
+end:
+ mbedtls_pkcs7_free(&pkcs7_structure);
+
+ return (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) ? EFI_SUCCESS : EFI_COMPROMISED_DATA;
+}
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 64f7543..b733d9c 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -38,6 +38,7 @@
"components/common/endian/test"
"components/common/crc32"
"components/common/crc32/test"
+ "components/common/mbedtls"
"components/config/ramstore"
"components/config/ramstore/test"
"components/messaging/ffa/libsp/mock"
diff --git a/deployments/crypto/crypto.cmake b/deployments/crypto/crypto.cmake
index 098861c..963dde5 100644
--- a/deployments/crypto/crypto.cmake
+++ b/deployments/crypto/crypto.cmake
@@ -8,6 +8,7 @@
add_components(TARGET "crypto"
BASE_DIR ${TS_ROOT}
COMPONENTS
+ "components/common/mbedtls"
"components/common/tlv"
"components/rpc/common/interface"
"components/rpc/common/endpoint"
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index 24b89d4..300f77d 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -65,6 +65,7 @@
"components/common/utils"
"components/common/trace"
"components/common/crc32"
+ "components/common/mbedtls"
"components/config/ramstore"
"components/service/common/include"
"components/service/common/client"
diff --git a/deployments/smm-gateway/smm-gateway.cmake b/deployments/smm-gateway/smm-gateway.cmake
index e5ee03b..562d9d1 100644
--- a/deployments/smm-gateway/smm-gateway.cmake
+++ b/deployments/smm-gateway/smm-gateway.cmake
@@ -17,6 +17,12 @@
target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedcrypto)
target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedx509)
+# Pass the mbedtls config file to C preprocessor so the uefi
+# direct backend will access the mbedtls headers
+target_compile_definitions(smm-gateway PRIVATE
+ MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+)
+
target_compile_definitions(smm-gateway PRIVATE
-DUEFI_INTERNAL_CRYPTO
)
@@ -24,6 +30,7 @@
add_components(TARGET "smm-gateway"
BASE_DIR ${TS_ROOT}
COMPONENTS
+ "components/common/mbedtls"
"components/service/uefi/smm_variable/backend/direct"
)
diff --git a/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h b/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h
new file mode 100644
index 0000000..29964b3
--- /dev/null
+++ b/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+#define TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
+
+#include <stdint.h>
+
+/* Variable length output parameter tags */
+enum {
+ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER = 1,
+};
+
+/* Variable length input parameter tags */
+enum {
+ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE = 1,
+};
+
+#endif /* TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
index 35b8159..8bc2b49 100644
--- a/protocols/service/crypto/packed-c/opcodes.h
+++ b/protocols/service/crypto/packed-c/opcodes.h
@@ -28,6 +28,7 @@
#define TS_CRYPTO_OPCODE_SIGN_MESSAGE (TS_CRYPTO_OPCODE_BASE + 16)
#define TS_CRYPTO_OPCODE_VERIFY_MESSAGE (TS_CRYPTO_OPCODE_BASE + 17)
#define TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE (TS_CRYPTO_OPCODE_BASE + 18)
+#define TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT (TS_CRYPTO_OPCODE_BASE + 19)
/* Hash operations */
#define TS_CRYPTO_OPCODE_HASH_BASE (0x0200)