dasharo/slimbootloader
0
0
Fork 0
mirror of https://github.com/Dasharo/slimbootloader.git synced 2026-03-06 15:26:20 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
622ad48cff21a0bc9433cde45abd55a36ddb60da
slimbootloader/BootloaderCommonPkg/Library/SecureBootLib/SecureBootRsa.c
T
Mike Crowe 990e3e81e6 Use LF line endings in the repository 
Convert the line endings stored for all text files in the repository to
LF. The majority previously used DOS-style CRLF line endings. Add a
.gitattributes file to enforce this and treat certain extensions as
never being text files.

Update PatchCheck.py to insist on LF line endings rather than CRLF.
However, its other checks fail on this commit due to lots of
pre-existing complaints that it only notices because the line endings
have changed.

Silicon/QemuSocPkg/FspBin/Patches/0001-Build-QEMU-FSP-2.0-binaries.patch
needs to be treated as binary since it contains a mixture of line
endings.

This change has implications depending on the client platform you are
using the repository from:

* Windows

The usual configuration for Git on Windows means that text files will
be checked out to the work tree with DOS-style CRLF line endings. If
that's not the case then you can configure Git to do so for the entire
machine with:

 git config --global core.autocrlf true

or for just the repository with:

 git config core.autocrlf true

Line endings will be normalised to LF when they are committed to the
repository. If you commit a text file with only LF line endings then it
will be converted to CRLF line endings in your work tree.

* Linux, MacOS and other Unices

The usual configuration for Git on such platforms is to check files out
of the repository with LF line endings. This is probably the right thing
for you. In the unlikely even that you are using Git on Unix but editing
or compiling on Windows for some reason then you may need to tweak your
configuration to force the use of CRLF line endings as described above.

* General

For more information see
https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings .

Fixes: https://github.com/slimbootloader/slimbootloader/issues/1400
Signed-off-by: Mike Crowe <mac@mcrowe.com>
2021-11-10 12:46:42 -08:00

132 lines
4.2 KiB
C
Raw Blame History

/** @file
Secure boot library routines to provide RSA signature verification.
Copyright (c) 2017-2020, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Library/DebugLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/CryptoLib.h>
#include <Library/SecureBootLib.h>
#include <Library/BootloaderCommonLib.h>
/**
Verifies the RSA signature with PKCS1-v1_5 encoding scheme defined in RSA PKCS#1.
Also(optional), return the hash of the message to the caller.
@param[in] Data Data buffer pointer.
@param[in] Length Data buffer size.
@param[in] Usage Hash usage.
@param[in] Signature Signature header for singanture data.
@param[in] PubKeyHdr Public key header for key data
@param[in] PubKeyHashAlg Hash Alg for PubKeyHash.
@param[in] PubKeyHash Public key hash value when hash component usage is 0.
@param[out] OutHash Calculated data hash value.
@retval RETURN_SUCCESS RSA verification succeeded.
@retval RETURN_NOT_FOUND Hash data for hash component usage is not found.
@retval RETURN_UNSUPPORTED Hash alg type is not supported.
@retval RETURN_SECURITY_VIOLATION PubKey or Signature verification failed.
**/
RETURN_STATUS
EFIAPI
DoRsaVerify (
IN CONST UINT8 *Data,
IN UINT32 Length,
IN HASH_COMP_USAGE Usage,
IN CONST SIGNATURE_HDR *SignatureHdr,
IN PUB_KEY_HDR *PubKeyHdr,
IN UINT8 PubKeyHashAlg,
IN UINT8 *PubKeyHash OPTIONAL,
OUT UINT8 *OutHash OPTIONAL
)
{
RETURN_STATUS Status;
PUB_KEY_HDR *PublicKey;
UINT8 Digest[HASH_DIGEST_MAX];
UINT8 DigestSize;
PublicKey = PubKeyHdr;
if ((PublicKey->Identifier != PUBKEY_IDENTIFIER) || (SignatureHdr->Identifier != SIGNATURE_IDENTIFIER)){
return RETURN_INVALID_PARAMETER;
}
// Verify public key first
Status = DoHashVerify (PublicKey->KeyData, PublicKey->KeySize, Usage, PubKeyHashAlg, PubKeyHash);
if (RETURN_ERROR (Status)) {
return Status;
}
// Verify payload data
if (SignatureHdr->HashAlg == HASH_TYPE_SHA256) {
DigestSize = SHA256_DIGEST_SIZE;
} else if (SignatureHdr->HashAlg == HASH_TYPE_SHA384) {
DigestSize = SHA384_DIGEST_SIZE;
} else {
return RETURN_INVALID_PARAMETER;
}
DEBUG ((DEBUG_INFO, "SignType (0x%x) SignSize (0x%x) SignHashAlg (0x%x)\n", \
SignatureHdr->SigType, SignatureHdr->SigSize, SignatureHdr->HashAlg));
if(SignatureHdr->SigType == SIGNING_TYPE_RSA_PKCS_1_5) {
Status = CalculateHash (Data, Length, SignatureHdr->HashAlg, Digest);
if (EFI_ERROR(Status)) {
return RETURN_UNSUPPORTED;
}
if (OutHash != NULL) {
CopyMem (OutHash, Digest, DigestSize);
}
Status = RsaVerify_Pkcs_1_5 (PublicKey, SignatureHdr, Digest);
} else if(SignatureHdr->SigType == SIGNING_TYPE_RSA_PSS) {
// Calculate Hash only when OutHash is valid
// RSA PSS requires to pass message to be verified
if (OutHash != NULL) {
Status = CalculateHash (Data, Length, SignatureHdr->HashAlg, Digest);
if (EFI_ERROR(Status)) {
return RETURN_UNSUPPORTED;
}
CopyMem (OutHash, Digest, DigestSize);
}
Status = RsaVerify_PSS (PublicKey, SignatureHdr, Data, Length);
} else {
Status = RETURN_UNSUPPORTED;
}
DEBUG ((DEBUG_INFO, "RSA verification for usage (0x%08X): %r\n", Usage, Status));
if (RETURN_ERROR (Status)) {
DEBUG_CODE_BEGIN();
DEBUG ((DEBUG_INFO, "First %d Bytes Input Data\n", DigestSize));
DumpHex (2, 0, DigestSize, (VOID *)Data);
DEBUG ((DEBUG_INFO, "Last %d Bytes Input Data\n", DigestSize));
DumpHex (2, 0, DigestSize, (VOID *) (Data + Length - DigestSize));
DEBUG ((DEBUG_INFO, "Image Digest\n"));
DumpHex (2, 0, DigestSize, (VOID *)Digest);
DEBUG ((DEBUG_INFO, "Signature\n"));
DumpHex (2, 0, SignatureHdr->SigSize, (VOID *)(SignatureHdr->Signature));
DEBUG ((DEBUG_INFO, "Public Key\n"));
DumpHex (2, 0, PubKeyHdr->KeySize , PubKeyHdr->KeyData);
DEBUG_CODE_END();
}
return Status;
}
Reference in New Issue View Git Blame Copy Permalink