Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Kernel:tools
qemu
0012-require-signed-binary-if-32bit-and-secureb...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0012-require-signed-binary-if-32bit-and-secureboot.patch of Package qemu
From dff5f9e4a9d5e9016b0b5e3966fe183a20c06bc1 Mon Sep 17 00:00:00 2001 From: Daniel Axtens <dja@axtens.net> Date: Wed, 7 Oct 2020 23:02:13 +1100 Subject: [PATCH 12/12] require signed binary if 32bit and secureboot Signed-off-by: Daniel Axtens <dja@axtens.net> --- board-qemu/llfw/stage2.c | 6 +++++- lib/libcrypto/appended_sig.c | 20 +++++++++++++------- lib/libcrypto/libcrypto.h | 2 ++ lib/libelf/elf32.c | 8 ++++++++ 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/roms/SLOF/board-qemu/llfw/stage2.c b/roms/SLOF/board-qemu/llfw/stage2.c index 47cfbbe..39043c2 100644 --- a/roms/SLOF/board-qemu/llfw/stage2.c +++ b/roms/SLOF/board-qemu/llfw/stage2.c @@ -206,4 +206,8 @@ void early_c_entry(uint64_t start_addr, uint64_t fdt_addr) int verify_appended_signature(void * ptr, size_t s) { return 1; -} \ No newline at end of file +} + +int is_secureboot() { + return 0; +} diff --git a/roms/SLOF/lib/libcrypto/appended_sig.c b/roms/SLOF/lib/libcrypto/appended_sig.c index 8a76457..6b7c0cd 100644 --- a/roms/SLOF/lib/libcrypto/appended_sig.c +++ b/roms/SLOF/lib/libcrypto/appended_sig.c @@ -20,6 +20,18 @@ struct module_signature { uint32_t sig_len; /* Length of signature data */ }; +int is_secureboot() { + // only verify if in secure-boot mode. + // todo - oh so much, especially error handling + forth_eval("s\" /\" find-device s\" ibm,secure-boot\" get-node get-property"); + if (forth_pop() == -1) + return 0; + forth_pop(); + if (*(int32_t *)forth_pop() < 2) + return 0; + return 1; +} + int verify_appended_signature(void *blob, size_t len) { void *ptr; mbedtls_pkcs7 *pkcs7; @@ -27,13 +39,7 @@ int verify_appended_signature(void *blob, size_t len) { int rc = 0; struct module_signature *modsig; - // only verify if in secure-boot mode. - // todo - oh so much, especially error handling - forth_eval("s\" /\" find-device s\" ibm,secure-boot\" get-node get-property"); - if (forth_pop() == -1) - return 1; - forth_pop(); - if (*(int32_t *)forth_pop() < 2) + if (!is_secureboot()) return 1; // go to start of magic diff --git a/roms/SLOF/lib/libcrypto/libcrypto.h b/roms/SLOF/lib/libcrypto/libcrypto.h index 2980ca0..002123a 100644 --- a/roms/SLOF/lib/libcrypto/libcrypto.h +++ b/roms/SLOF/lib/libcrypto/libcrypto.h @@ -2,4 +2,6 @@ #include <stddef.h> +int is_secureboot(void); + int verify_appended_signature(void *blob, size_t len); \ No newline at end of file diff --git a/roms/SLOF/lib/libelf/elf32.c b/roms/SLOF/lib/libelf/elf32.c index 6896e64..aea89eb 100644 --- a/roms/SLOF/lib/libelf/elf32.c +++ b/roms/SLOF/lib/libelf/elf32.c @@ -118,6 +118,7 @@ elf_load_segments32(void *file_addr, signed long offset, /* Calculate program header address */ struct phdr32 *phdr = get_phdr32(file_addr); int i; + int seen_appsig = 0; /* loop e_phnum times */ for (i = 0; i <= ehdr->e_phnum; i++) { @@ -154,12 +155,19 @@ elf_load_segments32(void *file_addr, signed long offset, if (!verify_appended_signature(file_addr, size)) { return 0; } + + seen_appsig = 1; } } /* step to next header */ phdr = (struct phdr32 *)(((uint8_t *)phdr) + ehdr->e_phentsize); } + if (is_secureboot() && !seen_appsig) { + printf("Booted in secure-boot mode but no appended signature found, aborting.\n"); + return 0; + } + /* Entry point is always a virtual address, so translate it * to physical before returning it */ return ehdr->e_entry; -- 2.33.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor