Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN). This patch is temporary set emLen to pks->k, and temporary set EM to pks->S for debugging. We will replace the above values to real signature after implement RSASP1. The naming of EMSA_PKCS1_v1_5_ENCODE and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec. Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph... V2: - Clean up naming of variable: replace _EM by EM, replace EM by EM_tmp. - Add comment to EMSA_PKCS1-v1_5-ENCODE function. Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 163 +++++++++++++++++++++++++++++++++++++++++- include/crypto/public_key.h | 2 + 2 files changed, 164 insertions(+), 1 deletions(-) diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 47f3be4..352ba45 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "public_key.h" #include "private_key.h" @@ -152,6 +153,132 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) } /* + * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] + * @M: message to be signed, an octet string + * @emLen: intended length in octets of the encoded message + * @hash_algo: hash function (option) + * @hash: true means hash M, otherwise M is already a digest + * @EM: encoded message, an octet string of length emLen + * + * This function is a implementation of the EMSA-PKCS1-v1_5 encoding operation + * in RSA PKCS#1 spec. It used by the signautre generation operation of + * RSASSA-PKCS1-v1_5 to encode message M to encoded message EM. + * + * The variables used in this function accord PKCS#1 spec but not follow kernel + * naming convention, it useful when look at them with spec. + */ +static int EMSA_PKCS1_v1_5_ENCODE(const u8 *M, size_t emLen, + enum pkey_hash_algo hash_algo, const bool hash, + u8 **EM, struct public_key_signature *pks) +{ + u8 *digest; + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + size_t tLen; + u8 *T, *PS, *EM_tmp; + int i, ret; + + pr_info("EMSA_PKCS1_v1_5_ENCODE start\n"); + + if (!RSA_ASN1_templates[hash_algo].data) + ret = -ENOTSUPP; + else + pks->pkey_hash_algo = hash_algo; + + /* 1) Apply the hash function to the message M to produce a hash value H */ + tfm = crypto_alloc_shash(pkey_hash_algo[hash_algo], 0, 0); + if (IS_ERR(tfm)) + return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM; + + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) + goto error_digest; + pks->digest = digest; + pks->digest_size = digest_size; + + if (hash) { + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + ret = crypto_shash_finup(desc, M, sizeof(M), pks->digest); + if (ret < 0) + goto error_shash; + } else { + memcpy(pks->digest, M, pks->digest_size); + pks->digest_size = digest_size; + } + crypto_free_shash(tfm); + + /* 2) Encode the algorithm ID for the hash function and the hash value into + * an ASN.1 value of type DigestInfo with the DER. Let T be the DER encoding of + * the DigestInfo value and let tLen be the length in octets of T. + */ + tLen = RSA_ASN1_templates[hash_algo].size + pks->digest_size; + T = kmalloc(tLen, GFP_KERNEL); + if (!T) + goto error_T; + + memcpy(T, RSA_ASN1_templates[hash_algo].data, RSA_ASN1_templates[hash_algo].size); + memcpy(T + RSA_ASN1_templates[hash_algo].size, pks->digest, pks->digest_size); + + /* 3) check If emLen < tLen + 11, output "intended encoded message length too short" */ + if (emLen < tLen + 11) { + ret = -EINVAL; + goto error_emLen; + } + + /* 4) Generate an octet string PS consisting of emLen - tLen - 3 octets with 0xff. */ + PS = kmalloc(emLen - tLen - 3, GFP_KERNEL); + if (!PS) + goto error_P; + + for (i = 0; i < (emLen - tLen - 3); i++) + PS[i] = 0xff; + + /* 5) Concatenate PS, the DER encoding T, and other padding to form the encoded + * message EM as EM = 0x00 || 0x01 || PS || 0x00 || T + */ + EM_tmp = kmalloc(3 + emLen - tLen - 3 + tLen, GFP_KERNEL); + if (!EM_tmp) + goto error_EM; + + EM_tmp[0] = 0x00; + EM_tmp[1] = 0x01; + memcpy(EM_tmp + 2, PS, emLen - tLen - 3); + EM_tmp[2 + emLen - tLen - 3] = 0x00; + memcpy(EM_tmp + 2 + emLen - tLen - 3 + 1, T, tLen); + + *EM = EM_tmp; + + kfree(PS); + kfree(T); + + return 0; + +error_EM: + kfree(PS); +error_P: +error_emLen: + kfree(T); +error_T: +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); + return ret; +} + +/* * Perform the RSA signature verification. * @H: Value of hash of data and metadata * @EM: The computed signature value @@ -275,9 +402,43 @@ static struct public_key_signature *RSA_generate_signature( const struct private_key *key, u8 *M, enum pkey_hash_algo hash_algo, const bool hash) { + struct public_key_signature *pks; + u8 *EM = NULL; + size_t emLen; + int ret; + pr_info("RSA_generate_signature start\n"); - return 0; + ret = -ENOMEM; + pks = kzalloc(sizeof(*pks), GFP_KERNEL); + if (!pks) + goto error_no_pks; + + /* 1): EMSA-PKCS1-v1_5 encoding: */ + /* Use the private key modulus size to be EM length */ + emLen = mpi_get_nbits(key->rsa.n); + emLen = (emLen + 7) / 8; + + ret = EMSA_PKCS1_v1_5_ENCODE(M, emLen, hash_algo, hash, &EM, pks); + if (ret < 0) + goto error_v1_5_encode; + + /* TODO 2): m = OS2IP (EM) */ + + /* TODO 3): s = RSASP1 (K, m) */ + + /* TODO 4): S = I2OSP (s, k) */ + + /* TODO: signature S to a u8* S or set to sig->rsa.s? */ + pks->S = EM; /* TODO: temporary set S to EM */ + + return pks; + +error_v1_5_encode: + kfree(pks); +error_no_pks: + pr_info("<==%s() = %d\n", __func__, ret); + return ERR_PTR(ret); } const struct public_key_algorithm RSA_public_key_algorithm = { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index d44b29f..1cdf457 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -110,6 +110,8 @@ extern void public_key_destroy(void *payload); struct public_key_signature { u8 *digest; u8 digest_size; /* Number of bytes in digest */ + u8 *S; /* signature S of length k octets */ + size_t k; /* length k of signature S */ u8 nr_mpi; /* Occupancy of mpi[] */ enum pkey_hash_algo pkey_hash_algo : 8; union { -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Implement Octet String to Integer conversion [RFC3447 sec 4.2] in rsa.c. It's the second step of signature generation operation. This patch is temporary set non-RSASP1 message to pks->S for debugging. The naming of RSA_OS2IP and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec. Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph... Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 29 ++++++++++++++++++++++++----- 1 files changed, 24 insertions(+), 5 deletions(-) diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index aac8b77..a092aac 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -168,6 +168,20 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) } /* + * Octet String to Integer conversion [RFC3447 sec 4.2] + */ +static int RSA_OS2IP(u8 *X, size_t XLen, MPI *_x) +{ + MPI x; + + x = mpi_alloc((XLen + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB); + mpi_set_buffer(x, X, XLen, 0); + + *_x = x; + return 0; +} + +/* * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] * @M: message to be signed, an octet string * @emLen: intended length in octets of the encoded message @@ -419,6 +433,9 @@ static struct public_key_signature *RSA_generate_signature( { struct public_key_signature *pks; u8 *EM = NULL; + MPI m = NULL; + MPI s = NULL; + unsigned X_size; size_t emLen; int ret; @@ -438,14 +455,16 @@ static struct public_key_signature *RSA_generate_signature( if (ret < 0) goto error_v1_5_encode; - /* TODO 2): m = OS2IP (EM) */ + /* 2): m = OS2IP (EM) */ + ret = RSA_OS2IP(EM, emLen, &m); + if (ret < 0) + goto error_v1_5_encode; /* TODO 3): s = RSASP1 (K, m) */ + s = m; - /* TODO 4): S = I2OSP (s, k) */ - - /* TODO: signature S to a u8* S or set to sig->rsa.s? */ - pks->S = EM; /* TODO: temporary set S to EM */ + /* 4): S = I2OSP (s, k) */ + _RSA_I2OSP(s, &X_size, &pks->S); return pks; -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Add ASN.1 files and parser to support parsing PKCS #8 noncompressed private key information. It's better than direct parsing pure private key because PKCS #8 has a privateKeyAlgorithm to indicate the algorithm of private key, e.g. RSA from PKCS #1 v2: - Removed bitfield declare of privkey_algo in struct pkcs8_info because it does not help on reduce memory space. - Replace privkey_algo by pkey_algo in struct pkcs8_info to simplify naming. Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/Kconfig | 11 ++ crypto/asymmetric_keys/Makefile | 16 +++ crypto/asymmetric_keys/pkcs8.asn1 | 19 ++++ crypto/asymmetric_keys/pkcs8_info_parser.c | 152 ++++++++++++++++++++++++++++ crypto/asymmetric_keys/pkcs8_parser.h | 23 ++++ crypto/asymmetric_keys/pkcs8_private_key.c | 148 +++++++++++++++++++++++++++ crypto/asymmetric_keys/pkcs8_rsakey.asn1 | 29 ++++++ crypto/asymmetric_keys/public_key.c | 1 + include/crypto/public_key.h | 1 + 9 files changed, 400 insertions(+), 0 deletions(-) create mode 100644 crypto/asymmetric_keys/pkcs8.asn1 create mode 100644 crypto/asymmetric_keys/pkcs8_info_parser.c create mode 100644 crypto/asymmetric_keys/pkcs8_parser.h create mode 100644 crypto/asymmetric_keys/pkcs8_private_key.c create mode 100644 crypto/asymmetric_keys/pkcs8_rsakey.asn1 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 6d2c2ea..c0ebd57 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -35,4 +35,15 @@ config X509_CERTIFICATE_PARSER data and provides the ability to instantiate a crypto key from a public key packet found inside the certificate. +config PKCS8_PRIVATE_KEY_INFO_PARSER + tristate "PKCS #8 private key info parser" + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select ASN1 + select OID_REGISTRY + select CRYPTO_SHA256 + help + This option provides support for parsing PKCS #8 RSA private key info + format blobs for key data and provides the ability to instantiate a + crypto key from a private key packet. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index 0727204..65fbc45 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -23,5 +23,21 @@ $(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h +# +# PKCS8 Private Key handling +# +obj-$(CONFIG_PKCS8_PRIVATE_KEY_INFO_PARSER) += pkcs8_key_parser.o +pkcs8_key_parser-y := \ + pkcs8-asn1.o \ + pkcs8_rsakey-asn1.o \ + pkcs8_info_parser.o \ + pkcs8_private_key.o + +$(obj)/pkcs8_info_parser.o: $(obj)/pkcs8-asn1.c $(obj)/pkcs8_rsakey-asn1.h +$(obj)/pkcs8-asn1.o: $(obj)/pkcs8-asn1.c $(obj)/pkcs8-asn1.h +$(obj)/pkcs8_rsakey-asn1.o: $(obj)/pkcs8_rsakey-asn1.c $(obj)/pkcs8_rsakey-asn1.h + clean-files += x509-asn1.c x509-asn1.h clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h +clean-files += pkcs8-asn1.c pkcs8-asn1.h +clean-files += pkcs8_rsakey-asn1.c pkcs8_rsakey-asn1.h diff --git a/crypto/asymmetric_keys/pkcs8.asn1 b/crypto/asymmetric_keys/pkcs8.asn1 new file mode 100644 index 0000000..89e845d --- /dev/null +++ b/crypto/asymmetric_keys/pkcs8.asn1 @@ -0,0 +1,19 @@ +-- +-- Representation of RSA PKCS#8 private key information. +-- + +PrivateKeyInfo ::= SEQUENCE { + version Version, + privateKeyAlgorithm AlgorithmIdentifier, + privateKey OCTET STRING ({ pkcs8_extract_key_data }) + -- Does not support attributes + -- attributes [ 0 ] Attributes OPTIONAL + } + +-- Version ::= INTEGER { two-prime(0), multi(1) } +Version ::= INTEGER + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER ({ pkcs8_note_OID }), + parameters ANY OPTIONAL + } diff --git a/crypto/asymmetric_keys/pkcs8_info_parser.c b/crypto/asymmetric_keys/pkcs8_info_parser.c new file mode 100644 index 0000000..7475732 --- /dev/null +++ b/crypto/asymmetric_keys/pkcs8_info_parser.c @@ -0,0 +1,152 @@ +/* X.509 certificate parser + * + * Copyright (C) 2013 SUSE Linux Products GmbH. All rights reserved. + * Written by Lee, Chun-Yi (jlee@suse.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#define pr_fmt(fmt) "PKCS8: "fmt +#include +#include +#include +#include +#include "public_key.h" +#include "pkcs8_parser.h" +#include "pkcs8-asn1.h" +#include "pkcs8_rsakey-asn1.h" + +struct pkcs8_parse_context { + struct pkcs8_info *info; /* Certificate being constructed */ + unsigned long data; /* Start of data */ + const void *key; /* Key data */ + size_t key_size; /* Size of key data */ + enum OID algo_oid; /* Algorithm OID */ + unsigned char nr_mpi; /* Number of MPIs stored */ +}; + +/* + * Free an PKCS #8 private key info + */ +void pkcs8_free_info(struct pkcs8_info *info) +{ + if (info) { + public_key_destroy(info->priv); + kfree(info); + } +} + +/* + * Parse an PKCS #8 Private Key Info + */ +struct pkcs8_info *pkcs8_info_parse(const void *data, size_t datalen) +{ + struct pkcs8_info *info; + struct pkcs8_parse_context *ctx; + long ret; + + ret = -ENOMEM; + info = kzalloc(sizeof(struct pkcs8_info), GFP_KERNEL); + if (!info) + goto error_no_info; + info->priv = kzalloc(sizeof(struct private_key), GFP_KERNEL); + if (!info->priv) + goto error_no_ctx; + ctx = kzalloc(sizeof(struct pkcs8_parse_context), GFP_KERNEL); + if (!ctx) + goto error_no_ctx; + + ctx->info = info; + ctx->data = (unsigned long)data; + + /* Attempt to decode the private key info */ + ret = asn1_ber_decoder(&pkcs8_decoder, ctx, data, datalen); + if (ret < 0) + goto error_decode; + + /* Decode the private key */ + ret = asn1_ber_decoder(&pkcs8_rsakey_decoder, ctx, + ctx->key, ctx->key_size); + if (ret < 0) + goto error_decode; + + kfree(ctx); + return info; + +error_decode: + kfree(ctx); +error_no_ctx: + pkcs8_free_info(info); +error_no_info: + return ERR_PTR(ret); +} + +/* + * Note an OID when we find one for later processing when we know how + * to interpret it. + */ +int pkcs8_note_OID(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pkcs8_parse_context *ctx = context; + + ctx->algo_oid = look_up_OID(value, vlen); + if (ctx->algo_oid == OID__NR) { + char buffer[50]; + sprint_oid(value, vlen, buffer, sizeof(buffer)); + pr_debug("Unknown OID: [%lu] %s\n", + (unsigned long)value - ctx->data, buffer); + } + return 0; +} + +/* + * Extract the data for the private key algorithm + */ +int pkcs8_extract_key_data(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pkcs8_parse_context *ctx = context; + + if (ctx->algo_oid != OID_rsaEncryption) + return -ENOPKG; + + ctx->info->pkey_algo = PKEY_ALGO_RSA; + ctx->key = value; + ctx->key_size = vlen; + return 0; +} + +/* + * Extract a RSA private key value + */ +int rsa_priv_extract_mpi(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pkcs8_parse_context *ctx = context; + MPI mpi; + + if (ctx->nr_mpi >= ARRAY_SIZE(ctx->info->priv->mpi)) { + /* does not grab exponent1, exponent2 and coefficient */ + if (ctx->nr_mpi > 8) { + pr_err("Too many public key MPIs in pkcs1 private key\n"); + return -EBADMSG; + } else { + ctx->nr_mpi++; + return 0; + } + } + + mpi = mpi_read_raw_data(value, vlen); + if (!mpi) + return -ENOMEM; + + ctx->info->priv->mpi[ctx->nr_mpi++] = mpi; + return 0; +} diff --git a/crypto/asymmetric_keys/pkcs8_parser.h b/crypto/asymmetric_keys/pkcs8_parser.h new file mode 100644 index 0000000..9abaf01 --- /dev/null +++ b/crypto/asymmetric_keys/pkcs8_parser.h @@ -0,0 +1,23 @@ +/* PKCS #8 parser internal definitions + * + * Copyright (C) 2013 SUSE Linux Products GmbH. All rights reserved. + * Written by Lee, Chun-Yi (jlee@suse.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include + +struct pkcs8_info { + enum pkey_algo pkey_algo; /* Private key algorithm */ + struct private_key *priv; /* Private key */ +}; + +/* + * pkcs8_parser.c + */ +extern void pkcs8_free_info(struct pkcs8_info *info); +extern struct pkcs8_info *pkcs8_info_parse(const void *data, size_t datalen); diff --git a/crypto/asymmetric_keys/pkcs8_private_key.c b/crypto/asymmetric_keys/pkcs8_private_key.c new file mode 100644 index 0000000..b52d7aa --- /dev/null +++ b/crypto/asymmetric_keys/pkcs8_private_key.c @@ -0,0 +1,148 @@ +/* Instantiate a private key crypto key + * + * Copyright (C) 2013 SUSE Linux Products GmbH. All rights reserved. + * Written by Chun-Yi Lee (jlee@suse.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#define pr_fmt(fmt) "PKCS8: "fmt +#include +#include +#include +#include +#include +#include "private_key.h" +#include "pkcs8-asn1.h" +#include "pkcs8_parser.h" + +#define KEY_PREFIX "Private Key: " +#define FINGERPRINT_HASH "sha256" + +static const +struct private_key_algorithm *pkcs8_private_key_algorithms[PKEY_ALGO__LAST] = { + [PKEY_ALGO_DSA] = NULL, +#if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \ + defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE) + [PKEY_ALGO_RSA] = &RSA_private_key_algorithm, +#endif +}; + +/* + * Attempt to parse a data blob for a private key. + */ +static int pkcs8_key_preparse(struct key_preparsed_payload *prep) +{ + struct pkcs8_info *info; + struct crypto_shash *tfm; + struct shash_desc *desc; + u8 *digest; + size_t digest_size, desc_size; + char *fingerprint, *description; + int i, ret; + + pr_info("pkcs8_key_preparse start\n"); + + info = pkcs8_info_parse(prep->data, prep->datalen); + if (IS_ERR(info)) + return PTR_ERR(info); + + info->priv->algo = pkcs8_private_key_algorithms[info->pkey_algo]; + info->priv->id_type = PKEY_ID_PKCS8; + + /* Hash the pkcs #8 blob to generate fingerprint */ + tfm = crypto_alloc_shash(FINGERPRINT_HASH, 0, 0); + if (IS_ERR(tfm)) { + ret = PTR_ERR(tfm); + goto error_shash; + } + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM; + + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) + goto error_digest; + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash_init; + ret = crypto_shash_finup(desc, prep->data, prep->datalen, digest); + if (ret < 0) + goto error_shash_finup; + + fingerprint = kzalloc(digest_size * 2 + 1, GFP_KERNEL); + if (!fingerprint) + goto error_fingerprint; + for (i = 0; i < digest_size; i++) + sprintf(fingerprint + i * 2, "%02x", digest[i]); + + /* Propose a description */ + description = kzalloc(strlen(KEY_PREFIX) + strlen(fingerprint) + 1, GFP_KERNEL); + if (!description) + goto error_description; + sprintf(description, "%s", KEY_PREFIX); + memcpy(description + strlen(KEY_PREFIX), fingerprint, strlen(fingerprint)); + + /* We're pinning the module by being linked against it */ + __module_get(private_key_subtype.owner); + prep->type_data[0] = &private_key_subtype; + prep->type_data[1] = fingerprint; + prep->payload = info->priv; + prep->description = description; + + /* size of 4096 bits private key file is 2.3K */ + prep->quotalen = 700; + + pr_info("pkcs8_key_preparse done\n"); + + /* We've finished with the information */ + kfree(digest); + crypto_free_shash(tfm); + info->priv = NULL; + pkcs8_free_info(info); + + return 0; + +error_description: + kfree(fingerprint); +error_fingerprint: +error_shash_finup: +error_shash_init: + kfree(digest); +error_digest: + crypto_free_shash(tfm); +error_shash: + info->priv = NULL; + pkcs8_free_info(info); + return ret; +} + +static struct asymmetric_key_parser pkcs8_private_key_parser = { + .owner = THIS_MODULE, + .name = "pkcs8", + .parse = pkcs8_key_preparse, +}; + +/* + * Module stuff + */ +static int __init pkcs8_private_key_init(void) +{ + return register_asymmetric_key_parser(&pkcs8_private_key_parser); +} + +static void __exit pkcs8_private_key_exit(void) +{ + unregister_asymmetric_key_parser(&pkcs8_private_key_parser); +} + +module_init(pkcs8_private_key_init); +module_exit(pkcs8_private_key_exit); diff --git a/crypto/asymmetric_keys/pkcs8_rsakey.asn1 b/crypto/asymmetric_keys/pkcs8_rsakey.asn1 new file mode 100644 index 0000000..d997c5e --- /dev/null +++ b/crypto/asymmetric_keys/pkcs8_rsakey.asn1 @@ -0,0 +1,29 @@ +-- +-- Representation of RSA private key with information. +-- + +RSAPrivateKey ::= SEQUENCE { + version Version, + modulus INTEGER ({ rsa_priv_extract_mpi }), -- n + publicExponent INTEGER ({ rsa_priv_extract_mpi }), -- e + privateExponent INTEGER ({ rsa_priv_extract_mpi }), -- d + prime1 INTEGER ({ rsa_priv_extract_mpi }), -- p + prime2 INTEGER ({ rsa_priv_extract_mpi }), -- q + exponent1 INTEGER ({ rsa_priv_extract_mpi }), -- d mod (p-1) + exponent2 INTEGER ({ rsa_priv_extract_mpi }), -- d mod (q-1) + coefficient INTEGER ({ rsa_priv_extract_mpi }) -- (inverse of q) mod p + -- Doesn't support multi-prime + -- otherPrimeInfos [ 0 ] OtherPrimeInfos OPTIONAL + } + +-- Version ::= INTEGER { two-prime(0), multi(1) } +Version ::= INTEGER + +-- OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo +OtherPrimeInfos ::= SEQUENCE OF OtherPrimeInfo + +OtherPrimeInfo ::= SEQUENCE { + prime INTEGER, -- ri + exponent INTEGER, -- di + coefficient INTEGER -- ti +} diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 80c19cd..829788d 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -44,6 +44,7 @@ EXPORT_SYMBOL_GPL(pkey_hash_algo); const char *const pkey_id_type[PKEY_ID_TYPE__LAST] = { [PKEY_ID_PGP] = "PGP", [PKEY_ID_X509] = "X509", + [PKEY_ID_PKCS8] = "PKCS8", }; EXPORT_SYMBOL_GPL(pkey_id_type); diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 1cdf457..e51f294 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -41,6 +41,7 @@ extern const char *const pkey_hash_algo[PKEY_HASH__LAST]; enum pkey_id_type { PKEY_ID_PGP, /* OpenPGP generated key ID */ PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ + PKEY_ID_PKCS8, /* PKCS #8 Private Key */ PKEY_ID_TYPE__LAST }; -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Introduced a hibernate_key.c file to query the key pair from EFI variables and maintain key pair for check signature of S4 snapshot image. We loaded the private key when snapshot image stored success. This patch introduced 2 EFI variables for store the key to sign S4 image and verify signature when S4 wake up. The names and GUID are: S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21 [BOOT SERVICES][NV] S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21 [RUNTIME SERVICES][V] S4SignKey is used by EFI bootloader to pass the RSA private key that packaged by PKCS#8 format, kernel will read and parser it when system boot and reload it when S4 resume. EFI bootloader need gnerate a new private key when every time system boot. S4WakeKey is used to parse the RSA public key that packaged by X.509 certificate, kernel will read and parse it for check the signature of S4 snapshot image when S4 resume. The follow-up patch will remove S4SignKey and S4WakeKey after load them to kernel for avoid anyone can access it through efivarfs. V4: - Removed duplicate cast of params->hdr.setup_data - Declare dummy function of setup_s4_keys() and efi_reserve_s4_skey_data() to avoid ifdef. - Use forward_info structure to maintain the empty of forward information and new sign key from boot kernel to resume target kernel. - Use efivar API to access S4WakeKey variable. V3: - Load S4 sign key before ExitBootServices. Load private key before ExitBootServices() then bootloader doesn't need generate key-pair for each booting: + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices. + Reserve the memory block of sign key data blob in efi.c - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign key before check hibernate image. It makes sure the new sign key will be transfer to resume target kernel. - Set "depends on EFI_STUB" in Kconfig V2: Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on Kconfig. Cc: Matthew Garrett Cc: Takashi Iwai Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- arch/x86/boot/compressed/eboot.c | 92 +++++++++++ arch/x86/include/asm/efi.h | 9 + arch/x86/include/uapi/asm/bootparam.h | 1 + arch/x86/platform/efi/efi.c | 68 ++++++++ include/linux/efi.h | 25 +++ kernel/power/Kconfig | 16 ++- kernel/power/Makefile | 1 + kernel/power/hibernate.c | 2 + kernel/power/hibernate_keys.c | 292 +++++++++++++++++++++++++++++++++ kernel/power/power.h | 30 ++++ 10 files changed, 534 insertions(+), 2 deletions(-) create mode 100644 kernel/power/hibernate_keys.c diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index 53bfe4f..983dc7d 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -369,6 +369,96 @@ free_handle: return status; } +#ifdef CONFIG_SNAPSHOT_VERIFICATION +static efi_status_t setup_s4_keys(struct boot_params *params) +{ + struct setup_data *data; + unsigned long datasize; + u32 attr; + struct efi_s4_key *s4key; + efi_status_t status; + + data = (struct setup_data *)params->hdr.setup_data; + + while (data && data->next) + data = (struct setup_data *)(unsigned long)data->next; + + status = efi_call_phys3(sys_table->boottime->allocate_pool, + EFI_LOADER_DATA, sizeof(*s4key), &s4key); + if (status != EFI_SUCCESS) { + efi_printk("Failed to alloc memory for efi_s4_key\n"); + goto error_setup; + } + + s4key->data.type = SETUP_S4_KEY; + s4key->data.len = sizeof(struct efi_s4_key) - + sizeof(struct setup_data); + s4key->data.next = 0; + s4key->skey_dsize = 0; + s4key->err_status = 0; + + if (data) + data->next = (unsigned long)s4key; + else + params->hdr.setup_data = (unsigned long)s4key; + + /* obtain the size of key data */ + datasize = 0; + status = efi_call_phys5(sys_table->runtime->get_variable, + EFI_S4_SIGN_KEY_NAME, &EFI_HIBERNATE_GUID, + NULL, &datasize, NULL); + if (status != EFI_BUFFER_TOO_SMALL) { + efi_printk("Couldn't get S4 key data size\n"); + goto error_size; + } + if (datasize > SKEY_DBUF_MAX_SIZE) { + efi_printk("The size of S4 sign key is too large\n"); + status = EFI_UNSUPPORTED; + goto error_size; + } + + s4key->skey_dsize = datasize; + status = efi_call_phys3(sys_table->boottime->allocate_pool, + EFI_LOADER_DATA, s4key->skey_dsize, + &s4key->skey_data_addr); + if (status != EFI_SUCCESS) { + efi_printk("Failed to alloc page for S4 key data\n"); + goto error_s4key; + } + + attr = 0; + memset((void *)s4key->skey_data_addr, 0, s4key->skey_dsize); + status = efi_call_phys5(sys_table->runtime->get_variable, + EFI_S4_SIGN_KEY_NAME, &EFI_HIBERNATE_GUID, &attr, + &(s4key->skey_dsize), s4key->skey_data_addr); + if (status) { + efi_printk("Couldn't get S4 key data\n"); + goto error_gets4key; + } + if (attr & EFI_VARIABLE_RUNTIME_ACCESS) { + efi_printk("S4 sign key can not be a runtime variable\n"); + memset((void *)s4key->skey_data_addr, 0, s4key->skey_dsize); + status = EFI_UNSUPPORTED; + goto error_gets4key; + } + + return 0; + +error_gets4key: + efi_call_phys1(sys_table->boottime->free_pool, s4key->skey_data_addr); +error_s4key: +error_size: + s4key->err_status = status; +error_setup: + return status; +} +#else +static inline efi_status_t setup_s4_keys(struct boot_params *params) +{ + return 0; +} +#endif /* CONFIG_SNAPSHOT_VERIFICATION */ + /* * See if we have Graphics Output Protocol */ @@ -1209,6 +1299,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, setup_efi_pci(boot_params); + setup_s4_keys(boot_params); + status = efi_call_phys3(sys_table->boottime->allocate_pool, EFI_LOADER_DATA, sizeof(*gdt), (void **)&gdt); diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h index 0062a01..56ececa 100644 --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -102,6 +102,15 @@ extern void efi_call_phys_epilog(void); extern void efi_unmap_memmap(void); extern void efi_memory_uc(u64 addr, unsigned long size); +#ifdef CONFIG_SNAPSHOT_VERIFICATION +struct efi_s4_key { + struct setup_data data; + unsigned long err_status; + unsigned long skey_dsize; + void *skey_data_addr; +}; +#endif + #ifdef CONFIG_EFI static inline bool efi_is_native(void) diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h index 85d7685..79398ff 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -6,6 +6,7 @@ #define SETUP_E820_EXT 1 #define SETUP_DTB 2 #define SETUP_PCI 3 +#define SETUP_S4_KEY 4 /* ram_size flags */ #define RAMDISK_IMAGE_START_MASK 0x07FF diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c index 90f6ed1..dd807e3 100644 --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -704,6 +704,71 @@ static int __init efi_memmap_init(void) return 0; } +#ifdef CONFIG_SNAPSHOT_VERIFICATION +static unsigned long skey_dsize; +static u64 skey_data_addr; +static unsigned long skey_err_status; + +bool efi_s4_key_available(void) +{ + return skey_dsize && skey_data_addr && !skey_err_status; +} + +unsigned long __init efi_copy_skey_data(void *page_addr) +{ + void *key_addr; + + if (efi_s4_key_available()) { + key_addr = early_ioremap(skey_data_addr, skey_dsize); + memcpy(page_addr, key_addr, skey_dsize); + early_iounmap(key_addr, skey_dsize); + } + + return skey_dsize; +} + +void __init efi_erase_s4_skey_data(void) +{ + void *key_addr; + + key_addr = early_ioremap(skey_data_addr, skey_dsize); + memset(key_addr, 0, skey_dsize); + early_iounmap(key_addr, skey_dsize); + memblock_free(skey_data_addr, skey_dsize); + skey_data_addr = 0; + skey_dsize = 0; +} + +static void __init efi_reserve_s4_skey_data(void) +{ + u64 pa_data; + struct setup_data *data; + struct efi_s4_key *s4key; + + skey_err_status = 0; + pa_data = boot_params.hdr.setup_data; + while (pa_data) { + data = early_ioremap(pa_data, sizeof(*s4key)); + if (data->type == SETUP_S4_KEY) { + s4key = (struct efi_s4_key *)data; + if (!s4key->err_status) { + skey_dsize = s4key->skey_dsize; + skey_data_addr = (u64) s4key->skey_data_addr; + memblock_reserve(skey_data_addr, skey_dsize); + } else { + skey_err_status = s4key->err_status; + pr_err("Get S4 sign key from EFI fail: 0x%lx\n", + skey_err_status); + } + } + pa_data = data->next; + early_iounmap(data, sizeof(*s4key)); + } +} +#else +static inline void efi_reserve_s4_skey_data(void) {} +#endif /* CONFIG_SNAPSHOT_VERIFICATION */ + void __init efi_init(void) { efi_char16_t *c16; @@ -729,6 +794,9 @@ void __init efi_init(void) set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); + /* keep s4 key from setup_data */ + efi_reserve_s4_skey_data(); + /* * Show what we know for posterity */ diff --git a/include/linux/efi.h b/include/linux/efi.h index 5f8f176..57e78fc 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -389,6 +389,18 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si #define EFI_FILE_SYSTEM_GUID \ EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) +#ifdef CONFIG_SNAPSHOT_VERIFICATION +#define EFI_HIBERNATE_GUID \ + EFI_GUID(0xfe141863, 0xc070, 0x478e, 0xb8, 0xa3, 0x87, 0x8a, 0x5d, 0xc9, 0xef, 0x21) +/* + * The UEFI variable names of the key-pair to verify S4 snapshot image: + * S4SignKey-EFI_HIBERNATE_GUID: The private key is used to sign snapshot + * S4WakeKey-EFI_HIBERNATE_GUID: The public key is used to verify snapshot + */ +#define EFI_S4_SIGN_KEY_NAME ((efi_char16_t [10]) { 'S', '4', 'S', 'i', 'g', 'n', 'K', 'e', 'y', 0 }) +#define EFI_S4_WAKE_KEY_NAME ((efi_char16_t [10]) { 'S', '4', 'W', 'a', 'k', 'e', 'K', 'e', 'y', 0 }) +#endif /* CONFIG_SNAPSHOT_VERIFICATION */ + typedef struct { efi_guid_t guid; u64 table; @@ -577,6 +589,19 @@ extern void efi_enter_virtual_mode (void); /* switch EFI to virtual mode, if pos extern void efi_late_init(void); extern void efi_free_boot_services(void); extern efi_status_t efi_query_variable_store(u32 attributes, unsigned long size); + +#ifdef CONFIG_SNAPSHOT_VERIFICATION +struct forward_info_head { + bool sig_enforce; + int sig_check_ret; + unsigned long skey_dsize; +} __attribute__((packed)); +#define SKEY_DBUF_MAX_SIZE (PAGE_SIZE - sizeof(struct forward_info_head)) +extern bool efi_s4_key_available(void); +extern unsigned long efi_copy_skey_data(void *page_addr); +extern void efi_erase_s4_skey_data(void); +#endif /* CONFIG_SNAPSHOT_VERIFICATION */ + #else static inline void efi_late_init(void) {} static inline void efi_free_boot_services(void) {} diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig index d444c4e..b592d88 100644 --- a/kernel/power/Kconfig +++ b/kernel/power/Kconfig @@ -66,8 +66,17 @@ config HIBERNATION For more information take a look at file:Documentation/power/swsusp.txt. -config ARCH_SAVE_PAGE_KEYS - bool +config SNAPSHOT_VERIFICATION + bool "Hibernate snapshot verification" + depends on HIBERNATION + depends on EFI_STUB + depends on X86 + select PKCS8_PRIVATE_KEY_INFO_PARSER + help + This option provides support for generate anad verify the signautre by + RSA key-pair against hibernate snapshot image. Current mechanism + dependent on UEFI environment. EFI bootloader should generate the + key-pair. config PM_STD_PARTITION string "Default resume partition" @@ -91,6 +100,9 @@ config PM_STD_PARTITION suspended image to. It will simply pick the first available swap device. +config ARCH_SAVE_PAGE_KEYS + bool + config PM_SLEEP def_bool y depends on SUSPEND || HIBERNATE_CALLBACKS diff --git a/kernel/power/Makefile b/kernel/power/Makefile index 29472bf..46b6422 100644 --- a/kernel/power/Makefile +++ b/kernel/power/Makefile @@ -7,6 +7,7 @@ obj-$(CONFIG_VT_CONSOLE_SLEEP) += console.o obj-$(CONFIG_FREEZER) += process.o obj-$(CONFIG_SUSPEND) += suspend.o obj-$(CONFIG_PM_TEST_SUSPEND) += suspend_test.o +obj-$(CONFIG_SNAPSHOT_VERIFICATION) += hibernate_keys.o obj-$(CONFIG_HIBERNATION) += hibernate.o snapshot.o swap.o user.o \ block_io.o obj-$(CONFIG_PM_AUTOSLEEP) += autosleep.o diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index b26f5f1..90a25c7 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "power.h" @@ -680,6 +681,7 @@ int hibernate(void) pm_restore_gfp_mask(); } else { pr_debug("PM: Image restored successfully.\n"); + restore_sig_forward_info(); } Thaw: diff --git a/kernel/power/hibernate_keys.c b/kernel/power/hibernate_keys.c new file mode 100644 index 0000000..0bce9ab --- /dev/null +++ b/kernel/power/hibernate_keys.c @@ -0,0 +1,292 @@ +#include +#include +#include +#include +#include +#include + +#include "power.h" + +static unsigned char const_seq = (ASN1_SEQ | (ASN1_CONS << 5)); + +struct forward_info { + struct forward_info_head head; + unsigned char skey_data_buf[SKEY_DBUF_MAX_SIZE]; +}; + +static void *skey_data; +static void *forward_info_buf; +static unsigned long skey_dsize; + +bool swsusp_page_is_sign_key(struct page *page) +{ + unsigned long skey_data_pfn; + bool ret; + + if (!skey_data || IS_ERR(skey_data)) + return false; + + skey_data_pfn = page_to_pfn(virt_to_page(skey_data)); + ret = (page_to_pfn(page) == skey_data_pfn) ? true : false; + if (ret) + pr_info("PM: Avoid snapshot the page of S4 sign key.\n"); + + return ret; +} + +unsigned long get_sig_forward_info_pfn(void) +{ + if (!forward_info_buf) + return 0; + + return page_to_pfn(virt_to_page(forward_info_buf)); +} + +void fill_sig_forward_info(void *page, int sig_check_ret_in) +{ + struct forward_info *info; + + if (!page) + return; + + memset(page, 0, PAGE_SIZE); + info = (struct forward_info *)page; + + info->head.sig_check_ret = sig_check_ret_in; + if (skey_data && !IS_ERR(skey_data) && + skey_dsize <= SKEY_DBUF_MAX_SIZE) { + info->head.skey_dsize = skey_dsize; + memcpy(info->skey_data_buf, skey_data, skey_dsize); + } else + pr_info("PM: Fill S4 sign key fail, size: %ld\n", skey_dsize); + + pr_info("PM: Filled sign information to forward buffer\n"); +} + +void restore_sig_forward_info(void) +{ + struct forward_info *info; + int sig_check_ret; + + if (!forward_info_buf) { + pr_err("PM: Restore S4 sign key fail\n"); + return; + } + info = (struct forward_info *)forward_info_buf; + + sig_check_ret = info->head.sig_check_ret; + if (sig_check_ret) + pr_info("PM: Signature check fail: %d\n", sig_check_ret); + + if (info->head.skey_dsize <= SKEY_DBUF_MAX_SIZE && + info->skey_data_buf[0] == const_seq) { + + /* restore sign key size and data from buffer */ + skey_dsize = info->head.skey_dsize; + memset(skey_data, 0, PAGE_SIZE); + memcpy(skey_data, info->skey_data_buf, skey_dsize); + } + + /* reset skey page buffer */ + memset(forward_info_buf, 0, PAGE_SIZE); +} + +bool skey_data_available(void) +{ + bool ret = false; + + /* Sign key is PKCS#8 format that must be a Constructed SEQUENCE */ + ret = skey_data && !IS_ERR(skey_data) && + (skey_dsize != 0) && + ((unsigned char *)skey_data)[0] == const_seq; + + return ret; +} + +struct key *get_sign_key(void) +{ + const struct cred *cred = current_cred(); + struct key *skey; + int err; + + if (!skey_data || IS_ERR(skey_data)) + return ERR_PTR(-EBADMSG); + + skey = key_alloc(&key_type_asymmetric, "s4_sign_key", + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, + cred, 0, KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(skey)) { + pr_err("PM: Allocate s4 sign key error: %ld\n", PTR_ERR(skey)); + goto error_keyalloc; + } + + err = key_instantiate_and_link(skey, skey_data, skey_dsize, NULL, NULL); + if (err < 0) { + pr_err("PM: S4 sign key instantiate error: %d\n", err); + if (skey) + key_put(skey); + skey = ERR_PTR(err); + goto error_keyinit; + } + + return skey; + +error_keyinit: +error_keyalloc: + return skey; +} + +void erase_skey_data(void) +{ + if (!skey_data || IS_ERR(skey_data)) + return; + + memset(skey_data, 0, PAGE_SIZE); +} + +void destroy_sign_key(struct key *skey) +{ + erase_skey_data(); + if (skey) + key_put(skey); +} + +static void *load_wake_key_data(unsigned long *datasize) +{ + struct efivar_entry *entry; + u32 attr; + void *wkey_data; + int ret; + + entry = kmalloc(sizeof(*entry), GFP_KERNEL); + if (!entry) + return ERR_PTR(-ENOMEM); + + memcpy(entry->var.VariableName, EFI_S4_WAKE_KEY_NAME, sizeof(EFI_S4_WAKE_KEY_NAME)); + memcpy(&(entry->var.VendorGuid), &EFI_HIBERNATE_GUID, sizeof(efi_guid_t)); + + /* obtain the size */ + *datasize = 0; + ret = efivar_entry_size(entry, datasize); + if (ret) + goto error_size; + + wkey_data = kzalloc(*datasize, GFP_KERNEL); + if (!wkey_data) { + ret = -ENOMEM; + goto error_size; + } + + ret = efivar_entry_get(entry, &attr, datasize, wkey_data); + if (ret) { + pr_err("PM: Get wake key data error: %d\n", ret); + goto error_get; + } + /* check attributes */ + if (attr & EFI_VARIABLE_NON_VOLATILE) { + pr_err("PM: Wake key has wrong attributes: 0x%x\n", attr); + goto error_get; + } + + kfree(entry); + + return wkey_data; + +error_get: + memset(wkey_data, 0, *datasize); + kfree(wkey_data); + *datasize = 0; +error_size: + kfree(entry); + + return ERR_PTR(ret); +} + +int wkey_data_available(void) +{ + static int ret = 1; + unsigned long datasize; + void *wkey_data; + + if (ret > 0) { + wkey_data = load_wake_key_data(&datasize); + if (wkey_data && IS_ERR(wkey_data)) { + ret = PTR_ERR(wkey_data); + goto error; + } else { + if (wkey_data) { + memset(wkey_data, 0, datasize); + kfree(wkey_data); + } + ret = 0; + } + } + +error: + return ret; +} + +struct key *get_wake_key(void) +{ + const struct cred *cred = current_cred(); + void *wkey_data; + unsigned long datasize = 0; + struct key *wkey; + int err; + + wkey_data = load_wake_key_data(&datasize); + if (IS_ERR(wkey_data)) { + wkey = (struct key *)wkey_data; + goto error_data; + } + + wkey = key_alloc(&key_type_asymmetric, "s4_wake_key", + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, + cred, 0, KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(wkey)) { + pr_err("PM: Allocate s4 wake key error: %ld\n", PTR_ERR(wkey)); + goto error_keyalloc; + } + err = key_instantiate_and_link(wkey, wkey_data, datasize, NULL, NULL); + if (err < 0) { + pr_err("PM: S4 wake key instantiate error: %d\n", err); + if (wkey) + key_put(wkey); + wkey = ERR_PTR(err); + } + +error_keyalloc: + if (wkey_data && !IS_ERR(wkey_data)) + kfree(wkey_data); +error_data: + return wkey; +} + +size_t get_key_length(const struct key *key) +{ + const struct public_key *pk = key->payload.data; + size_t len; + + /* TODO: better check the RSA type */ + + len = mpi_get_nbits(pk->rsa.n); + len = (len + 7) / 8; + + return len; +} + +static int __init init_sign_key_data(void) +{ + skey_data = (void *)get_zeroed_page(GFP_KERNEL); + forward_info_buf = (void *)get_zeroed_page(GFP_KERNEL); + + if (skey_data && efi_s4_key_available()) { + skey_dsize = efi_copy_skey_data(skey_data); + efi_erase_s4_skey_data(); + pr_info("PM: Load s4 sign key from EFI\n"); + } + + return 0; +} + +late_initcall(init_sign_key_data); diff --git a/kernel/power/power.h b/kernel/power/power.h index 7d4b7ff..661f124 100644 --- a/kernel/power/power.h +++ b/kernel/power/power.h @@ -160,6 +160,36 @@ extern void swsusp_close(fmode_t); extern int swsusp_unmark(void); #endif +/* kernel/power/hibernate_key.c */ +#ifdef CONFIG_SNAPSHOT_VERIFICATION +extern bool skey_data_available(void); +extern struct key *get_sign_key(void); +extern void erase_skey_data(void); +extern void destroy_sign_key(struct key *key); +extern int wkey_data_available(void); +extern struct key *get_wake_key(void); +extern size_t get_key_length(const struct key *key); + +extern void restore_sig_forward_info(void); +extern bool swsusp_page_is_sign_key(struct page *page); +extern unsigned long get_sig_forward_info_pfn(void); +extern void fill_sig_forward_info(void *page_addr, int sig_check_ret); +#else +static inline bool skey_data_available(void) +{ + return false; +} +static inline void restore_sig_forward_info(void) {} +static inline bool swsusp_page_is_sign_key(struct page *page) +{ + return false; +} +static inline unsigned long get_sig_forward_info_pfn(void) +{ + return 0; +} +#endif /* !CONFIG_SNAPSHOT_VERIFICATION */ + /* kernel/power/block_io.c */ extern struct block_device *hib_resume_bdev; -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

This patch add swsusp_page_is_sign_key() method to hibernate_key.c and check the page is S4 sign key data when collect saveable page in snapshot.c to avoid sign key data included in snapshot image. Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- kernel/power/snapshot.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c index edab31f..d3e14aa 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn) BUG_ON(!PageHighMem(page)); + if (swsusp_page_is_sign_key(page)) + return NULL; + if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) || PageReserved(page)) return NULL; @@ -922,6 +925,9 @@ static struct page *saveable_page(struct zone *zone, unsigned long pfn) BUG_ON(PageHighMem(page)); + if (swsusp_page_is_sign_key(page)) + return NULL; + if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page)) return NULL; -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Show the verification time for monitor the performance of SHA256 and RSA verification. Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- kernel/power/snapshot.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c index 8a166e1..804feb6 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -2529,6 +2529,8 @@ static void snapshot_fill_sig_forward_info(int sig_check_ret) int snapshot_image_verify(void) { + struct timeval start; + struct timeval stop; struct crypto_shash *tfm = NULL struct shash_desc *desc; u8 *digest = NULL; @@ -2560,6 +2562,8 @@ int snapshot_image_verify(void) desc->tfm = tfm; desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + do_gettimeofday(&start); + ret = crypto_shash_init(desc); if (ret < 0) goto error_shash; @@ -2580,6 +2584,9 @@ int snapshot_image_verify(void) else pr_info("PM: snapshot signature check SUCCESS!\n"); + do_gettimeofday(&stop); + swsusp_show_speed(&start, &stop, nr_copy_pages, "Verified"); + forward_ret: /* forward check result when pass or not enforce verify success */ if (!ret || !sig_enforced()) { -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

This patch introduced SNAPSHOT_REGEN_KEYS kernel config, enable this option let kernel notify booloader (e.g. shim) to regenerate key-pair of snapshot verification for each hibernate. Kernel loaded S4 sign key in efi stub, so the private key forward from efi bootloader to kernel in UEFI secure environment. Regenerate key-pair for each hibernate will gain more security but it hurt the lifetime of EFI flash memory. Kernel write an non-volatile runtime efi variable, the name is GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21, to notify efi bootloader regenerate key-pair for next hibernate cycle. Userland hibernate tool can write GenS4Key at runtime, kernel will respect the value but not overwrite it when S4. This mechanism let userland tool can also notify bootloader to regenerate key-pair through GenS4Key flag. V4: - Use efivar API to access GenS4Key variable. - Call set_key_regen_flag() in hibernate.c and user.c Cc: Matthew Garrett Signed-off-by: Lee, Chun-Yi --- kernel/power/Kconfig | 15 +++++++++ kernel/power/hibernate.c | 4 ++- kernel/power/hibernate_keys.c | 67 +++++++++++++++++++++++++++++++++++++++++ kernel/power/power.h | 5 +++ kernel/power/user.c | 6 +++- 5 files changed, 95 insertions(+), 2 deletions(-) diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig index 79b34fa..63bda98 100644 --- a/kernel/power/Kconfig +++ b/kernel/power/Kconfig @@ -78,6 +78,21 @@ config SNAPSHOT_VERIFICATION dependent on UEFI environment. EFI bootloader should generate the key-pair. +config SNAPSHOT_REGEN_KEYS + bool "Regenerate key-pair for each snapshot verification" + depends on SNAPSHOT_VERIFICATION + help + Enabled this option let kernel notify booloader (e.g. shim) to + regenerate key-pair of snapshot verification for each hibernate. + Linux kernel write an non-volatile runtime EFI variable, the name + is GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21, to notify EFI + bootloader regenerate key-pair for next hibernate cycle. + + Userland hibernate tool can write GenS4Key at runtime then kernel + will respect the value but not overwrite it when S4. This mechanism + let userland tool can also notify bootloader to regenerate key-pair + through GenS4Key flag. + choice prompt "Which hash algorithm should snapshot be signed with?" depends on SNAPSHOT_VERIFICATION diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index 90a25c7..6336499 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -675,8 +675,10 @@ int hibernate(void) pr_debug("PM: writing image.\n"); error = swsusp_write(flags); swsusp_free(); - if (!error) + if (!error) { + set_key_regen_flag(); power_down(); + } in_suspend = 0; pm_restore_gfp_mask(); } else { diff --git a/kernel/power/hibernate_keys.c b/kernel/power/hibernate_keys.c index daf08e0..72d5c7a 100644 --- a/kernel/power/hibernate_keys.c +++ b/kernel/power/hibernate_keys.c @@ -14,6 +14,8 @@ struct forward_info { unsigned char skey_data_buf[SKEY_DBUF_MAX_SIZE]; }; +static efi_char16_t efi_gens4key_name[9] = { 'G', 'e', 'n', 'S', '4', 'K', 'e', 'y', 0 }; + static void *skey_data; static void *forward_info_buf; static unsigned long skey_dsize; @@ -301,6 +303,70 @@ bool sig_enforced(void) return sig_enforce; } +int set_key_regen_flag(void) +{ +#ifdef CONFIG_SNAPSHOT_REGEN_KEYS + struct efivar_entry *entry; + unsigned long datasize; + u8 gens4key; + int ret; + + entry = kmalloc(sizeof(*entry), GFP_KERNEL); + if (!entry) + return -ENOMEM; + + memcpy(entry->var.VariableName, efi_gens4key_name, sizeof(efi_gens4key_name)); + memcpy(&(entry->var.VendorGuid), &EFI_HIBERNATE_GUID, sizeof(efi_guid_t)); + + /* existing flag may set by userland, respect it do not overwrite */ + datasize = 0; + ret = efivar_entry_size(entry, &datasize); + if (!ret && datasize > 0) { + kfree(entry); + return 0; + } + + /* set flag of key-pair regeneration */ + gens4key = 1; + ret = efivar_entry_set(entry, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 1, (void *)&gens4key, false); + if (ret) + pr_err("PM: Set GenS4Key flag fail: %d\n", ret); + + kfree(entry); + + return ret; +#else + return 0; +#endif +} + +static int clean_key_regen_flag(void) +{ + struct efivar_entry *entry; + int ret; + + entry = kmalloc(sizeof(*entry), GFP_KERNEL); + if (!entry) + return -ENOMEM; + + memcpy(entry->var.VariableName, efi_gens4key_name, sizeof(efi_gens4key_name)); + memcpy(&(entry->var.VendorGuid), &EFI_HIBERNATE_GUID, sizeof(efi_guid_t)); + + /* clean flag of key-pair regeneration */ + ret = efivar_entry_set(entry, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 0, NULL, false); + kfree(entry); + + return ret; +} + static int __init init_sign_key_data(void) { skey_data = (void *)get_zeroed_page(GFP_KERNEL); @@ -311,6 +377,7 @@ static int __init init_sign_key_data(void) efi_erase_s4_skey_data(); pr_info("PM: Load s4 sign key from EFI\n"); } + clean_key_regen_flag(); return 0; } diff --git a/kernel/power/power.h b/kernel/power/power.h index 4f411ac..da5733f 100644 --- a/kernel/power/power.h +++ b/kernel/power/power.h @@ -188,6 +188,7 @@ extern bool swsusp_page_is_sign_key(struct page *page); extern unsigned long get_sig_forward_info_pfn(void); extern void fill_sig_forward_info(void *page_addr, int sig_check_ret); extern bool sig_enforced(void); +extern int set_key_regen_flag(void); #else static inline bool skey_data_available(void) { @@ -202,6 +203,10 @@ static inline unsigned long get_sig_forward_info_pfn(void) { return 0; } +static inline int set_key_regen_flag(void) +{ + return 0; +} #endif /* !CONFIG_SNAPSHOT_VERIFICATION */ /* kernel/power/block_io.c */ diff --git a/kernel/power/user.c b/kernel/power/user.c index e2088af..3d3632b 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -323,6 +323,8 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, error = -EPERM; break; } + /* set regenerate S4 key flag */ + set_key_regen_flag(); /* * Tasks are frozen and the notifiers have been called with * PM_HIBERNATION_PREPARE @@ -336,8 +338,10 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, break; case SNAPSHOT_POWER_OFF: - if (data->platform_support) + if (data->platform_support) { + set_key_regen_flag(); error = hibernation_platform_enter(); + } break; case SNAPSHOT_SET_SWAP_AREA: -- 1.6.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Hello, On Sat, Sep 14, 2013 at 7:56 PM, Lee, Chun-Yi wrote:

Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).

This patch is temporary set emLen to pks->k, and temporary set EM to pks->S for debugging. We will replace the above values to real signature after implement RSASP1.

The naming of EMSA_PKCS1_v1_5_ENCODE and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec.

Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph...

V2: - Clean up naming of variable: replace _EM by EM, replace EM by EM_tmp. - Add comment to EMSA_PKCS1-v1_5-ENCODE function.

Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 163 +++++++++++++++++++++++++++++++++++++++++- include/crypto/public_key.h | 2 + 2 files changed, 164 insertions(+), 1 deletions(-)

diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 47f3be4..352ba45 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "public_key.h" #include "private_key.h"

@@ -152,6 +153,132 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) }

/* + * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] + * @M: message to be signed, an octet string + * @emLen: intended length in octets of the encoded message + * @hash_algo: hash function (option) + * @hash: true means hash M, otherwise M is already a digest + * @EM: encoded message, an octet string of length emLen + * + * This function is a implementation of the EMSA-PKCS1-v1_5 encoding operation + * in RSA PKCS#1 spec. It used by the signautre generation operation of + * RSASSA-PKCS1-v1_5 to encode message M to encoded message EM. + * + * The variables used in this function accord PKCS#1 spec but not follow kernel + * naming convention, it useful when look at them with spec. + */ +static int EMSA_PKCS1_v1_5_ENCODE(const u8 *M, size_t emLen, + enum pkey_hash_algo hash_algo, const bool hash, + u8 **EM, struct public_key_signature *pks) +{ + u8 *digest; + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + size_t tLen; + u8 *T, *PS, *EM_tmp; + int i, ret; + + pr_info("EMSA_PKCS1_v1_5_ENCODE start\n"); + + if (!RSA_ASN1_templates[hash_algo].data)

What about checking hash_algo against PKEY_HASH__LAST, or it relies on the caller?

+ ret = -ENOTSUPP; + else + pks->pkey_hash_algo = hash_algo; + + /* 1) Apply the hash function to the message M to produce a hash value H */ + tfm = crypto_alloc_shash(pkey_hash_algo[hash_algo], 0, 0); + if (IS_ERR(tfm)) + return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM; + + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) + goto error_digest; + pks->digest = digest; + pks->digest_size = digest_size; +

Ok. You allocated tfm to get hash size, right? But why do you allocate descriptor even it might not be needed?

+ if (hash) { + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + ret = crypto_shash_finup(desc, M, sizeof(M), pks->digest);

This is I completely fail to understand... You expect sizeof(M) to be the message length????? Have you ever tested it?

+ if (ret < 0) + goto error_shash; + } else { + memcpy(pks->digest, M, pks->digest_size); + pks->digest_size = digest_size; + }

Does caller use pks->digest and pks->digest_size after return? I think it needs encoded value, not the hash... So why do you pass pks?

+ crypto_free_shash(tfm); + + /* 2) Encode the algorithm ID for the hash function and the hash value into + * an ASN.1 value of type DigestInfo with the DER. Let T be the DER encoding of + * the DigestInfo value and let tLen be the length in octets of T. + */ + tLen = RSA_ASN1_templates[hash_algo].size + pks->digest_size; + T = kmalloc(tLen, GFP_KERNEL); + if (!T) + goto error_T; +

Why do you need T and PS memory allocations at all? You need only EM_tmp allocation and copy directly to the destination...

+ memcpy(T, RSA_ASN1_templates[hash_algo].data, RSA_ASN1_templates[hash_algo].size); + memcpy(T + RSA_ASN1_templates[hash_algo].size, pks->digest, pks->digest_size); + + /* 3) check If emLen < tLen + 11, output "intended encoded message length too short" */ + if (emLen < tLen + 11) { + ret = -EINVAL; + goto error_emLen; + } + + /* 4) Generate an octet string PS consisting of emLen - tLen - 3 octets with 0xff. */ + PS = kmalloc(emLen - tLen - 3, GFP_KERNEL); + if (!PS) + goto error_P; +

ditto

+ for (i = 0; i < (emLen - tLen - 3); i++) + PS[i] = 0xff; + + /* 5) Concatenate PS, the DER encoding T, and other padding to form the encoded + * message EM as EM = 0x00 || 0x01 || PS || 0x00 || T + */ + EM_tmp = kmalloc(3 + emLen - tLen - 3 + tLen, GFP_KERNEL); + if (!EM_tmp) + goto error_EM; + + EM_tmp[0] = 0x00; + EM_tmp[1] = 0x01; + memcpy(EM_tmp + 2, PS, emLen - tLen - 3); + EM_tmp[2 + emLen - tLen - 3] = 0x00; + memcpy(EM_tmp + 2 + emLen - tLen - 3 + 1, T, tLen); + + *EM = EM_tmp; + + kfree(PS); + kfree(T);

get rid of it... - Dmitry

+ + return 0; + +error_EM: + kfree(PS); +error_P: +error_emLen: + kfree(T); +error_T: +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); + return ret; +} + +/* * Perform the RSA signature verification. * @H: Value of hash of data and metadata * @EM: The computed signature value @@ -275,9 +402,43 @@ static struct public_key_signature *RSA_generate_signature( const struct private_key *key, u8 *M, enum pkey_hash_algo hash_algo, const bool hash) { + struct public_key_signature *pks; + u8 *EM = NULL; + size_t emLen; + int ret; + pr_info("RSA_generate_signature start\n");

- return 0; + ret = -ENOMEM; + pks = kzalloc(sizeof(*pks), GFP_KERNEL); + if (!pks) + goto error_no_pks; + + /* 1): EMSA-PKCS1-v1_5 encoding: */ + /* Use the private key modulus size to be EM length */ + emLen = mpi_get_nbits(key->rsa.n); + emLen = (emLen + 7) / 8; + + ret = EMSA_PKCS1_v1_5_ENCODE(M, emLen, hash_algo, hash, &EM, pks); + if (ret < 0) + goto error_v1_5_encode; + + /* TODO 2): m = OS2IP (EM) */ + + /* TODO 3): s = RSASP1 (K, m) */ + + /* TODO 4): S = I2OSP (s, k) */ + + /* TODO: signature S to a u8* S or set to sig->rsa.s? */ + pks->S = EM; /* TODO: temporary set S to EM */ + + return pks; + +error_v1_5_encode: + kfree(pks); +error_no_pks: + pr_info("<==%s() = %d\n", __func__, ret); + return ERR_PTR(ret); }

const struct public_key_algorithm RSA_public_key_algorithm = { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index d44b29f..1cdf457 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -110,6 +110,8 @@ extern void public_key_destroy(void *payload); struct public_key_signature { u8 *digest; u8 digest_size; /* Number of bytes in digest */ + u8 *S; /* signature S of length k octets */ + size_t k; /* length k of signature S */ u8 nr_mpi; /* Occupancy of mpi[] */ enum pkey_hash_algo pkey_hash_algo : 8; union { -- 1.6.0.2

-- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

-- Thanks, Dmitry -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Hi Dmitry, First, thanks for your time to review my patches! 於 二，2013-09-17 於 16:51 -0500，Dmitry Kasatkin 提到：

Hello,

On Sat, Sep 14, 2013 at 7:56 PM, Lee, Chun-Yi wrote:

...

Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).

This patch is temporary set emLen to pks->k, and temporary set EM to pks->S for debugging. We will replace the above values to real signature after implement RSASP1.

The naming of EMSA_PKCS1_v1_5_ENCODE and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec.

Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph...

V2: - Clean up naming of variable: replace _EM by EM, replace EM by EM_tmp. - Add comment to EMSA_PKCS1-v1_5-ENCODE function.

Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 163 +++++++++++++++++++++++++++++++++++++++++- include/crypto/public_key.h | 2 + 2 files changed, 164 insertions(+), 1 deletions(-)

diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 47f3be4..352ba45 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "public_key.h" #include "private_key.h"

@@ -152,6 +153,132 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) }

/* + * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] + * @M: message to be signed, an octet string + * @emLen: intended length in octets of the encoded message + * @hash_algo: hash function (option) + * @hash: true means hash M, otherwise M is already a digest + * @EM: encoded message, an octet string of length emLen + * + * This function is a implementation of the EMSA-PKCS1-v1_5 encoding operation + * in RSA PKCS#1 spec. It used by the signautre generation operation of + * RSASSA-PKCS1-v1_5 to encode message M to encoded message EM. + * + * The variables used in this function accord PKCS#1 spec but not follow kernel + * naming convention, it useful when look at them with spec. + */ +static int EMSA_PKCS1_v1_5_ENCODE(const u8 *M, size_t emLen, + enum pkey_hash_algo hash_algo, const bool hash, + u8 **EM, struct public_key_signature *pks) +{ + u8 *digest; + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + size_t tLen; + u8 *T, *PS, *EM_tmp; + int i, ret; + + pr_info("EMSA_PKCS1_v1_5_ENCODE start\n"); + + if (!RSA_ASN1_templates[hash_algo].data)

What about checking hash_algo against PKEY_HASH__LAST, or it relies on the caller?

Yes, check PKEY_HASH__LAST is more easy and clear, I will change it. Thanks!

...

+ ret = -ENOTSUPP; + else + pks->pkey_hash_algo = hash_algo; + + /* 1) Apply the hash function to the message M to produce a hash value H */ + tfm = crypto_alloc_shash(pkey_hash_algo[hash_algo], 0, 0); + if (IS_ERR(tfm)) + return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM; + + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) + goto error_digest; + pks->digest = digest; + pks->digest_size = digest_size; +

Ok. You allocated tfm to get hash size, right?

But why do you allocate descriptor even it might not be needed?

You are right, I should skip the code of allocate descriptor when the hash is supported. I will modified it. Thanks!

...

+ if (hash) { + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + ret = crypto_shash_finup(desc, M, sizeof(M), pks->digest);

This is I completely fail to understand... You expect sizeof(M) to be the message length????? Have you ever tested it?

Sigh! I just checked my test program for this code path, this stupid problem causes by my test program doesn't feed the right hash result that should used to verify signature. So, I didn't capture this bug. And, the hibernate signature check mechanism doesn't run into this code path because the hash generation is done by hibernate code but not in here. So, I also didn't find this problem when running hibernate check. Appreciate for your point out! I just fix it in next patch version.

...

+ if (ret < 0) + goto error_shash; + } else { + memcpy(pks->digest, M, pks->digest_size); + pks->digest_size = digest_size; + }

Does caller use pks->digest and pks->digest_size after return? I think it needs encoded value, not the hash... So why do you pass pks?

I put the signature MPI to pks->rsa.s, and put the encoded signature to pks->S. So caller can grab encoded signature. I also pass the pks->digest and pks->digest_size to caller for reference. Then caller can simply feed this pks to RSA_verify_signature() for verify the signature result, don't need generate hash again.

...

+ crypto_free_shash(tfm); + + /* 2) Encode the algorithm ID for the hash function and the hash value into + * an ASN.1 value of type DigestInfo with the DER. Let T be the DER encoding of + * the DigestInfo value and let tLen be the length in octets of T. + */ + tLen = RSA_ASN1_templates[hash_algo].size + pks->digest_size; + T = kmalloc(tLen, GFP_KERNEL); + if (!T) + goto error_T; +

Why do you need T and PS memory allocations at all? You need only EM_tmp allocation and copy directly to the destination...

OK, I will change the code to allocate T and PS size in EM_tmp.

...

+ memcpy(T, RSA_ASN1_templates[hash_algo].data, RSA_ASN1_templates[hash_algo].size); + memcpy(T + RSA_ASN1_templates[hash_algo].size, pks->digest, pks->digest_size); + + /* 3) check If emLen < tLen + 11, output "intended encoded message length too short" */ + if (emLen < tLen + 11) { + ret = -EINVAL; + goto error_emLen; + } + + /* 4) Generate an octet string PS consisting of emLen - tLen - 3 octets with 0xff. */ + PS = kmalloc(emLen - tLen - 3, GFP_KERNEL); + if (!PS) + goto error_P; +

ditto

OK, I will allocate PS with EM_tmp. Thanks!

...

+ for (i = 0; i < (emLen - tLen - 3); i++) + PS[i] = 0xff; + + /* 5) Concatenate PS, the DER encoding T, and other padding to form the encoded + * message EM as EM = 0x00 || 0x01 || PS || 0x00 || T + */ + EM_tmp = kmalloc(3 + emLen - tLen - 3 + tLen, GFP_KERNEL); + if (!EM_tmp) + goto error_EM; + + EM_tmp[0] = 0x00; + EM_tmp[1] = 0x01; + memcpy(EM_tmp + 2, PS, emLen - tLen - 3); + EM_tmp[2 + emLen - tLen - 3] = 0x00; + memcpy(EM_tmp + 2 + emLen - tLen - 3 + 1, T, tLen); + + *EM = EM_tmp; + + kfree(PS); + kfree(T);

get rid of it...

OK!

- Dmitry

...

+ + return 0; + +error_EM: + kfree(PS); +error_P: +error_emLen: + kfree(T); +error_T: +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); + return ret; +} + +/* * Perform the RSA signature verification. * @H: Value of hash of data and metadata * @EM: The computed signature value @@ -275,9 +402,43 @@ static struct public_key_signature *RSA_generate_signature( const struct private_key *key, u8 *M, enum pkey_hash_algo hash_algo, const bool hash) { + struct public_key_signature *pks; + u8 *EM = NULL; + size_t emLen; + int ret; + pr_info("RSA_generate_signature start\n");

- return 0; + ret = -ENOMEM; + pks = kzalloc(sizeof(*pks), GFP_KERNEL); + if (!pks) + goto error_no_pks; + + /* 1): EMSA-PKCS1-v1_5 encoding: */ + /* Use the private key modulus size to be EM length */ + emLen = mpi_get_nbits(key->rsa.n); + emLen = (emLen + 7) / 8; + + ret = EMSA_PKCS1_v1_5_ENCODE(M, emLen, hash_algo, hash, &EM, pks); + if (ret < 0) + goto error_v1_5_encode; + + /* TODO 2): m = OS2IP (EM) */ + + /* TODO 3): s = RSASP1 (K, m) */ + + /* TODO 4): S = I2OSP (s, k) */ + + /* TODO: signature S to a u8* S or set to sig->rsa.s? */ + pks->S = EM; /* TODO: temporary set S to EM */ + + return pks; + +error_v1_5_encode: + kfree(pks); +error_no_pks: + pr_info("<==%s() = %d\n", __func__, ret); + return ERR_PTR(ret); }

const struct public_key_algorithm RSA_public_key_algorithm = { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index d44b29f..1cdf457 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -110,6 +110,8 @@ extern void public_key_destroy(void *payload); struct public_key_signature { u8 *digest; u8 digest_size; /* Number of bytes in digest */ + u8 *S; /* signature S of length k octets */ + size_t k; /* length k of signature S */ u8 nr_mpi; /* Occupancy of mpi[] */ enum pkey_hash_algo pkey_hash_algo : 8; union { -- 1.6.0.2

-- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Thanks a lot! Joey Lee -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

On Sun, Sep 15, 2013 at 08:56:48AM +0800, Lee, Chun-Yi wrote:

Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).

This patch is temporary set emLen to pks->k, and temporary set EM to pks->S for debugging. We will replace the above values to real signature after implement RSASP1.

The naming of EMSA_PKCS1_v1_5_ENCODE and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec.

Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph...

V2:

You're now at V4.

- Clean up naming of variable: replace _EM by EM, replace EM by EM_tmp. - Add comment to EMSA_PKCS1-v1_5-ENCODE function.

Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 163 +++++++++++++++++++++++++++++++++++++++++- include/crypto/public_key.h | 2 + 2 files changed, 164 insertions(+), 1 deletions(-)

diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 47f3be4..352ba45 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "public_key.h" #include "private_key.h"

@@ -152,6 +153,132 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) }

/* + * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] + * @M: message to be signed, an octet string + * @emLen: intended length in octets of the encoded message + * @hash_algo: hash function (option) + * @hash: true means hash M, otherwise M is already a digest + * @EM: encoded message, an octet string of length emLen + * + * This function is a implementation of the EMSA-PKCS1-v1_5 encoding operation + * in RSA PKCS#1 spec. It used by the signautre generation operation of + * RSASSA-PKCS1-v1_5 to encode message M to encoded message EM. + * + * The variables used in this function accord PKCS#1 spec but not follow kernel + * naming convention, it useful when look at them with spec. + */ +static int EMSA_PKCS1_v1_5_ENCODE(const u8 *M, size_t emLen, + enum pkey_hash_algo hash_algo, const bool hash, + u8 **EM, struct public_key_signature *pks) +{ + u8 *digest; + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + size_t tLen; + u8 *T, *PS, *EM_tmp; + int i, ret; + + pr_info("EMSA_PKCS1_v1_5_ENCODE start\n"); + + if (!RSA_ASN1_templates[hash_algo].data) + ret = -ENOTSUPP;

...

+ else + pks->pkey_hash_algo = hash_algo; + + /* 1) Apply the hash function to the message M to produce a hash value H */ + tfm = crypto_alloc_shash(pkey_hash_algo[hash_algo], 0, 0); + if (IS_ERR(tfm)) + return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM;

The earlier "ret = -ENOTSUPP;" is either unused because you return at the IS_ERR, or unused because you overwrite it here. I'm a little disappointed that the compiler didn't recognise that something was assigned to a value that is never used. Phil

+ + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) + goto error_digest; + pks->digest = digest; + pks->digest_size = digest_size; + + if (hash) { + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + ret = crypto_shash_finup(desc, M, sizeof(M), pks->digest); + if (ret < 0) + goto error_shash; + } else { + memcpy(pks->digest, M, pks->digest_size); + pks->digest_size = digest_size; + } + crypto_free_shash(tfm); + + /* 2) Encode the algorithm ID for the hash function and the hash value into + * an ASN.1 value of type DigestInfo with the DER. Let T be the DER encoding of + * the DigestInfo value and let tLen be the length in octets of T. + */ + tLen = RSA_ASN1_templates[hash_algo].size + pks->digest_size; + T = kmalloc(tLen, GFP_KERNEL); + if (!T) + goto error_T; + + memcpy(T, RSA_ASN1_templates[hash_algo].data, RSA_ASN1_templates[hash_algo].size); + memcpy(T + RSA_ASN1_templates[hash_algo].size, pks->digest, pks->digest_size); + + /* 3) check If emLen < tLen + 11, output "intended encoded message length too short" */ + if (emLen < tLen + 11) { + ret = -EINVAL; + goto error_emLen; + } + + /* 4) Generate an octet string PS consisting of emLen - tLen - 3 octets with 0xff. */ + PS = kmalloc(emLen - tLen - 3, GFP_KERNEL); + if (!PS) + goto error_P; + + for (i = 0; i < (emLen - tLen - 3); i++) + PS[i] = 0xff; + + /* 5) Concatenate PS, the DER encoding T, and other padding to form the encoded + * message EM as EM = 0x00 || 0x01 || PS || 0x00 || T + */ + EM_tmp = kmalloc(3 + emLen - tLen - 3 + tLen, GFP_KERNEL); + if (!EM_tmp) + goto error_EM; + + EM_tmp[0] = 0x00; + EM_tmp[1] = 0x01; + memcpy(EM_tmp + 2, PS, emLen - tLen - 3); + EM_tmp[2 + emLen - tLen - 3] = 0x00; + memcpy(EM_tmp + 2 + emLen - tLen - 3 + 1, T, tLen); + + *EM = EM_tmp; + + kfree(PS); + kfree(T); + + return 0; + +error_EM: + kfree(PS); +error_P: +error_emLen: + kfree(T); +error_T: +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); + return ret; +} + +/* * Perform the RSA signature verification. * @H: Value of hash of data and metadata * @EM: The computed signature value @@ -275,9 +402,43 @@ static struct public_key_signature *RSA_generate_signature( const struct private_key *key, u8 *M, enum pkey_hash_algo hash_algo, const bool hash) { + struct public_key_signature *pks; + u8 *EM = NULL; + size_t emLen; + int ret; + pr_info("RSA_generate_signature start\n");

- return 0; + ret = -ENOMEM; + pks = kzalloc(sizeof(*pks), GFP_KERNEL); + if (!pks) + goto error_no_pks; + + /* 1): EMSA-PKCS1-v1_5 encoding: */ + /* Use the private key modulus size to be EM length */ + emLen = mpi_get_nbits(key->rsa.n); + emLen = (emLen + 7) / 8; + + ret = EMSA_PKCS1_v1_5_ENCODE(M, emLen, hash_algo, hash, &EM, pks); + if (ret < 0) + goto error_v1_5_encode; + + /* TODO 2): m = OS2IP (EM) */ + + /* TODO 3): s = RSASP1 (K, m) */ + + /* TODO 4): S = I2OSP (s, k) */ + + /* TODO: signature S to a u8* S or set to sig->rsa.s? */ + pks->S = EM; /* TODO: temporary set S to EM */ + + return pks; + +error_v1_5_encode: + kfree(pks); +error_no_pks: + pr_info("<==%s() = %d\n", __func__, ret); + return ERR_PTR(ret); }

const struct public_key_algorithm RSA_public_key_algorithm = { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index d44b29f..1cdf457 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -110,6 +110,8 @@ extern void public_key_destroy(void *payload); struct public_key_signature { u8 *digest; u8 digest_size; /* Number of bytes in digest */ + u8 *S; /* signature S of length k octets */ + size_t k; /* length k of signature S */ u8 nr_mpi; /* Occupancy of mpi[] */ enum pkey_hash_algo pkey_hash_algo : 8; union { -- 1.6.0.2

-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

-- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Hi Phil, First! Thanks for your time to review my patch! 於 一，2013-09-23 於 19:49 +0300，Phil Carmody 提到：

On Sun, Sep 15, 2013 at 08:56:48AM +0800, Lee, Chun-Yi wrote:

...

Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).

This patch is temporary set emLen to pks->k, and temporary set EM to pks->S for debugging. We will replace the above values to real signature after implement RSASP1.

The naming of EMSA_PKCS1_v1_5_ENCODE and the variables used in this function accord PKCS#1 spec but not follow kernel naming convention, it useful when look at them with spec.

Reference: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/pkcs1ietffinal.txt Reference: http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptograph...

V2:

You're now at V4.

The V4 is for whole patchset, I didn't do any modify in this patch in this version. The version define maybe confuse between separate and whole patchset, I will avoid it.

...

- Clean up naming of variable: replace _EM by EM, replace EM by EM_tmp. - Add comment to EMSA_PKCS1-v1_5-ENCODE function.

Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 163 +++++++++++++++++++++++++++++++++++++++++- include/crypto/public_key.h | 2 + 2 files changed, 164 insertions(+), 1 deletions(-)

diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 47f3be4..352ba45 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "public_key.h" #include "private_key.h"

@@ -152,6 +153,132 @@ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) }

/* + * EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] + * @M: message to be signed, an octet string + * @emLen: intended length in octets of the encoded message + * @hash_algo: hash function (option) + * @hash: true means hash M, otherwise M is already a digest + * @EM: encoded message, an octet string of length emLen + * + * This function is a implementation of the EMSA-PKCS1-v1_5 encoding operation + * in RSA PKCS#1 spec. It used by the signautre generation operation of + * RSASSA-PKCS1-v1_5 to encode message M to encoded message EM. + * + * The variables used in this function accord PKCS#1 spec but not follow kernel + * naming convention, it useful when look at them with spec. + */ +static int EMSA_PKCS1_v1_5_ENCODE(const u8 *M, size_t emLen, + enum pkey_hash_algo hash_algo, const bool hash, + u8 **EM, struct public_key_signature *pks) +{ + u8 *digest; + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + size_t tLen; + u8 *T, *PS, *EM_tmp; + int i, ret; + + pr_info("EMSA_PKCS1_v1_5_ENCODE start\n"); + + if (!RSA_ASN1_templates[hash_algo].data) + ret = -ENOTSUPP;

...

...

+ else + pks->pkey_hash_algo = hash_algo; + + /* 1) Apply the hash function to the message M to produce a hash value H */ + tfm = crypto_alloc_shash(pkey_hash_algo[hash_algo], 0, 0); + if (IS_ERR(tfm)) + return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + + ret = -ENOMEM;

The earlier "ret = -ENOTSUPP;" is either unused because you return at the IS_ERR, or unused because you overwrite it here. I'm a little disappointed that the compiler didn't recognise that something was assigned to a value that is never used.

Phil

Yes, Dmitry also pointed out this issue, I should not go on the hash process if the hash algorithm didn't support. I will change fix this problem in next version. Thanks a lot! Joey Lee -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org