From: Eric Richter
To: skiboot@lists.ozlabs.org
Cc: klaus@linux.ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Sep 2020 17:06:08 -0500
Subject: [Skiboot] [PATCH v6a 3/4] secvar/backend: Bugfixes in edk2 driver
Message-Id: <20200928220609.10479-4-erichte@linux.ibm.com>
In-Reply-To: <20200928220609.10479-1-erichte@linux.ibm.com>
X-Patchwork-Id: 1372911

From: Nayna Jain

This patch fixes the following bugs. Additionally, it improves logs.

* Failure in adding/deleting PK as part of failure of processing any subsequent update in the queue didn't reset the global variable setup_mode to the original value. This patch adds the fix to always set the value of setup_mode as per final contents in variable_bank before exiting process().

* Deletion of HWKH as part of deleting PK was only updating the value of the variable to be zero. However, this didn't deallocate the variable from the bank and was getting exposed via sysfs.

* The mismatch in verification of hw-key-hash was also clearing staging bank, which isn't initialized in this case. Fix the cleanup tag to only clear update_bank.

* Fixes a memory leak in validate_esl_list().

* Convert signature verification error code from mbedtls into opal error code as OPAL_PERMISSION.

Signed-off-by: Nayna Jain

--- libstb/secvar/backend/edk2-compat-process.c | 24 ++++++++++++++------- libstb/secvar/backend/edk2-compat-reset.c | 7 +++--- libstb/secvar/backend/edk2-compat.c | 20 ++++++++++++++--- 3 files changed, 37 insertions(+), 14 deletions(-) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index 0129023e..dfaec137 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -297,12 +297,14 @@ int validate_esl_list(const char *key, const char *esl, const size_t size) if (key_equals(key, "dbx")) { if (!validate_hash(list->SignatureType, dsize)) { + prlog(PR_ERR, "No valid hash is found\n"); rc = OPAL_PARAMETER; break; } } else { if (!uuid_equals(&list->SignatureType, &EFI_CERT_X509_GUID) || !validate_cert(data, dsize)) { + prlog(PR_ERR, "No valid cert is found\n"); rc = OPAL_PARAMETER; break; } @@ -327,6 +329,8 @@ int validate_esl_list(const char *key, const char *esl, const size_t size) } } + free(data); + prlog(PR_INFO, "Total ESLs are %d\n", rc); return rc; } 
@@ -513,7 +517,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, /* This should not happen, unless something corrupted in PNOR */ if(rc) { - prlog(PR_INFO, "X509 certificate parsing failed %04x\n", rc); + prlog(PR_ERR, "X509 certificate parsing failed %04x\n", rc); rc = OPAL_INTERNAL_ERROR; break; } @@ -542,13 +546,15 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, prlog(PR_INFO, "Signature Verification passed\n"); mbedtls_x509_crt_free(&x509); break; + } else { + errbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE); + mbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE); + prlog(PR_ERR, "Signature Verification failed %02x %s\n", + rc, errbuf); + free(errbuf); + rc = OPAL_PERMISSION; } - errbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE); - mbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE); - prlog(PR_INFO, "Signature Verification failed %02x %s\n", - rc, errbuf); - free(errbuf); /* Look for the next ESL */ offset = offset + eslsize; @@ -690,7 +696,7 @@ int process_update(const struct secvar *update, char **newesl, rc = check_timestamp(update->key, timestamp, last_timestamp); /* Failure implies probably an older command being resubmitted */ if (rc != OPAL_SUCCESS) { - prlog(PR_INFO, "Timestamp verification failed for key %s\n", update->key); + prlog(PR_ERR, "Timestamp verification failed for key %s\n", update->key); goto out; } @@ -750,8 +756,10 @@ int process_update(const struct secvar *update, char **newesl, avar); /* Break if signature verification is successful */ - if (rc == OPAL_SUCCESS) + if (rc == OPAL_SUCCESS) { + prlog(PR_INFO, "Key %s successfully verified by authority %s\n", update->key, key_authority[i]); break; + } } out: diff --git a/libstb/secvar/backend/edk2-compat-reset.c b/libstb/secvar/backend/edk2-compat-reset.c index cc3c6d08..305ea08c 100644 --- a/libstb/secvar/backend/edk2-compat-reset.c +++ b/libstb/secvar/backend/edk2-compat-reset.c 
@@ -77,14 +77,15 @@ int add_hw_key_hash(struct list_head *bank) int delete_hw_key_hash(struct list_head *bank) { struct secvar *var; - int rc; var = find_secvar("HWKH", 5, bank); if (!var) return OPAL_SUCCESS; - rc = update_variable_in_bank(var, NULL, 0, bank); - return rc; + list_del(&var->link); + dealloc_secvar(var); + + return OPAL_SUCCESS; } int verify_hw_key_hash(void) diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c index 52631c0b..9e61fbc6 100644 --- a/libstb/secvar/backend/edk2-compat.c +++ b/libstb/secvar/backend/edk2-compat.c @@ -112,7 +112,7 @@ static int edk2_compat_process(struct list_head *variable_bank, if (!setup_mode) { rc = verify_hw_key_hash(); if (rc != OPAL_SUCCESS) { - prlog(PR_ERR, "Hardware key hash verification mismatch\n"); + prlog(PR_ERR, "Hardware key hash verification mismatch. Keystore and update queue is reset.\n"); rc = reset_keystore(variable_bank); if (rc) goto cleanup; @@ -217,13 +217,27 @@ static int edk2_compat_process(struct list_head *variable_bank, copy_bank_list(variable_bank, &staging_bank); } + free(newesl); + clear_bank_list(&staging_bank); + + /* Set the global variable setup_mode as per final contents in variable_bank */ + var = find_secvar("PK", 3, variable_bank); + if (!var) { + /* This should not happen */ + rc = OPAL_INTERNAL_ERROR; + goto cleanup; + } + + if (var->data_size == 0) + setup_mode = true; + else + setup_mode = false; + cleanup: /* * For any failure in processing update queue, we clear the update bank * and return failure */ - free(newesl); - clear_bank_list(&staging_bank); clear_bank_list(update_bank); return rc;
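
Review bot: in validate_esl_list() (edk2-compat-process.c, hunk @@ -327,6 +329,8), the new `prlog(PR_INFO, "Total ESLs are %d\n", rc);` runs on every exit, including after the `rc = OPAL_PARAMETER; break;` paths shown in the hunk above it, so on a rejected list it prints an OPAL error code as an ESL count right after the PR_ERR message. Suggest logging the count only on the success path. The single `free(data)` after the loop is also only correct if every loop exit leaves `data` either NULL or pointing at the one buffer still owned here; a one-line comment stating that invariant would make the leak fix easier to check.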
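
Review bot: in verify_signature() (edk2-compat-process.c, hunk @@ -542,13 +546,15), `errbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE);` is handed to mbedtls_strerror() and then to prlog() as `%s` with no NULL check, so an allocation failure on the signature-failure path turns a rejected update into a NULL pointer write. Suggest a fixed-size stack buffer, or skipping the strerror text when zalloc() returns NULL. Since the `if` branch already ends in `break;`, the new `else` is not needed; setting `rc = OPAL_PERMISSION;` after the closing brace reads the same with less nesting.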
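
Review bot: delete_hw_key_hash() (edk2-compat-reset.c, hunk @@ -77,14 +77,15) can no longer fail, since both exits now return OPAL_SUCCESS; either make it void or note in a comment that the int return is kept only for symmetry with add_hw_key_hash(). A short comment above `list_del(&var->link);` saying the entry is unlinked and freed rather than zeroed, so that HWKH stops being exposed (the reason given in the commit message), would keep a later cleanup from restoring `update_variable_in_bank(var, NULL, 0, bank)`.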
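
Review bot: in edk2_compat_process() (edk2-compat.c, hunk @@ -112,7 +112,7), the added text "Keystore and update queue is reset." is logged before `reset_keystore(variable_bank)` is called, and the next lines handle its failure with `if (rc) goto cleanup;`, so the log can report a reset that did not complete. Suggest logging the mismatch first and the reset outcome after rc is checked (and "are reset" rather than "is reset").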
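
Review bot: in edk2_compat_process() (edk2-compat.c, hunk @@ -217,13 +217,27), the setup_mode recomputation sits above the `cleanup:` label, so every exit through `goto cleanup` skips it, for example the `if (rc) goto cleanup;` after reset_keystore() in the hunk at -112, where variable_bank may already have been modified. The commit message says setup_mode is always set from the final contents of variable_bank before exiting; to get that, move the PK lookup below the label (handling the not-found case without a goto) or document why the early exits cannot change PK. The same move places `free(newesl);` and `clear_bank_list(&staging_bank);` above the label, so please confirm no `goto cleanup` is reachable once either has been populated. Minor: the if/else can be written as `setup_mode = (var->data_size == 0);`.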