From patchwork Wed Dec 4 00:06:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203925 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK1q3fqyz9s4Y for ; Wed, 4 Dec 2019 11:08:15 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK1q2WsFzDqM7 for ; Wed, 4 Dec 2019 11:08:15 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0R4x7rzDqSF for ; Wed, 4 Dec 2019 11:07:03 +1100 (AEDT) Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWJ1H013147 for ; Tue, 3 Dec 2019 19:07:00 -0500 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wnqn4t9cd-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:00 -0500 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:06:58 -0000 Received: from b06avi18878370.portsmouth.uk.ibm.com (9.149.26.194) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:06:57 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06avi18878370.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB406sdO33489390 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:06:54 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AA1E5A4040; Wed, 4 Dec 2019 00:06:54 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 85424A404D; Wed, 4 Dec 2019 00:06:53 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:06:53 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:44 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-0020-0000-0000-000003935DEB X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-0021-0000-0000-000021EA8268 Message-Id: <20191204000650.28649-2-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 clxscore=1015 impostorscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 priorityscore=1501 suspectscore=1 adultscore=0 lowpriorityscore=0 phishscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 1/7] secvar_tpmnv: add high-level tpm nv index abstraction for secvar X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Multiple components, like the storage driver or backend driver, may need to store information in the one TPM NV index assigned for secure boot. This abstraction provides a method for these components to share the index space without stomping on each other's data, and without them needing to understand anything about the other. This is probably an overengineered solution to the problem, but the intent is to keep the drivers as independent from one another as possible. NOTE: At the moment, this implementation does NOT actually utilize the TPM NV space. This patch depends on a forthcoming TSS integration to handle the TPM communication. For now, this patch uses extra space at the end of the SECBOOT PNOR partition as its simulated TPM NVRAM. Temporary code is marked in the comments accordingly. Signed-off-by: Eric Richter --- libstb/secvar/Makefile.inc | 3 +- libstb/secvar/secvar_tpmnv.c | 204 +++++++++++++++++++++++++++++++++++ libstb/secvar/secvar_tpmnv.h | 13 +++ 3 files changed, 218 insertions(+), 2 deletions(-) create mode 100644 libstb/secvar/secvar_tpmnv.c create mode 100644 libstb/secvar/secvar_tpmnv.h diff --git a/libstb/secvar/Makefile.inc b/libstb/secvar/Makefile.inc index f4b196d9..1d68941e 100644 --- a/libstb/secvar/Makefile.inc +++ b/libstb/secvar/Makefile.inc @@ -8,8 +8,7 @@ SUBDIRS += $(SECVAR_DIR) include $(SECVAR_DIR)/storage/Makefile.inc include $(SECVAR_DIR)/backend/Makefile.inc -SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c -SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c secvar_api.c +SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c secvar_api.c secvar_tpmnv.c SECVAR_OBJS = $(SECVAR_SRCS:%.c=%.o) SECVAR = $(SECVAR_DIR)/built-in.a diff --git a/libstb/secvar/secvar_tpmnv.c b/libstb/secvar/secvar_tpmnv.c new file mode 100644 index 00000000..023f77ef --- /dev/null +++ b/libstb/secvar/secvar_tpmnv.c @@ -0,0 +1,204 @@ +// SPDX-License-Identifier: Apache-2.0 +/* Copyright 2019 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "SECVAR_TPMNV: " fmt +#endif + +#include +#include +#include +#include "secvar_tpmnv.h" +//#include + +#define TPM_SECVAR_NV_INDEX 0x01c10191 +#define TPM_SECVAR_MAGIC_NUM 0x53544e56 + +struct tpm_nv_id { + uint32_t id; + uint32_t size; + char data[0]; +} __packed; + +struct tpm_nv { + uint32_t magic_num; + uint32_t version; + struct tpm_nv_id vars[0]; +} __packed; + +int tpm_ready = 0; +int tpm_first_init = 0; +struct tpm_nv *tpm_image; +size_t tpm_nv_size = 0; + +// These are borrowed from secboot_tpm.c for the temporary, pnor-based +// TPM NV storage backing. They should be removed when this file uses +// the actual TPM and TSS +#define SECBOOT_VARIABLE_BANK_SIZE 32000 +#define SECBOOT_UPDATE_BANK_SIZE 32000 +#define SECBOOT_VARIABLE_BANK_NUM 2 +#ifndef _secboot_header_ // stupid fix for the test, delete with the rest +struct secboot_header { + uint32_t magic_number; + uint8_t version; + uint8_t reserved[3]; // Fix alignment +} __packed; +struct secboot { + struct secboot_header header; + char bank[SECBOOT_VARIABLE_BANK_NUM][SECBOOT_VARIABLE_BANK_SIZE]; + char update[SECBOOT_UPDATE_BANK_SIZE]; +} __packed; +#endif + +// This function should be replaced with logic that performs the initial +// TPM NV Index definition, and any first-write logic +static int secvar_tpmnv_format(void) +{ + memset(tpm_image, 0, sizeof(tpm_nv_size)); + + // TSS_NV_Define_Space() + + tpm_image->magic_num = TPM_SECVAR_MAGIC_NUM; + tpm_image->version = 1; + + tpm_first_init = 1; + + return platform.secboot_write(sizeof(struct secboot), tpm_image, tpm_nv_size); +} + + +static int secvar_tpmnv_init(void) +{ + if (tpm_ready) + return OPAL_SUCCESS; + + // Check here if TPM NV Index is defined + // if not, call secvar_tpmnv_format() here + + // Using the minimum defined by the spec for now + // This value should probably be determined by tss_get_capatibility + tpm_nv_size = 1024; + + tpm_image = malloc(tpm_nv_size); + if (!tpm_image) + return OPAL_NO_MEM; + + // Use pnor space for now, stored after the secboot pnor sections + // NOTE: This file should never reference secboot in the future + // Replace with TSS_NV_Read() + if (platform.secboot_read(tpm_image, sizeof(struct secboot), tpm_nv_size)) + return OPAL_HARDWARE; + if (tpm_image->magic_num != TPM_SECVAR_MAGIC_NUM) + if(secvar_tpmnv_format()) + return OPAL_HARDWARE; + tpm_ready = 1; + + return OPAL_SUCCESS; +} + + +static struct tpm_nv_id *find_tpmnv_id(uint32_t id) +{ + struct tpm_nv_id *tmp; + char *cur, *end; + + cur = (char *) tpm_image->vars; + end = ((char *) tpm_image) + tpm_nv_size; + while (cur < end) { + tmp = (struct tpm_nv_id *) cur; + if (tmp->id == 0) + return NULL; + if (tmp->id == id) + return tmp; + cur += sizeof(struct tpm_nv_id) + tmp->size; + } + + return NULL; +} + + +// "Allocate" space within the secvar tpm +int secvar_tpmnv_alloc(uint32_t id, int32_t size) +{ + struct tpm_nv_id *tmp; + char *cur; + char *end; + + if (secvar_tpmnv_init()) + return OPAL_RESOURCE; + + cur = (char *) tpm_image->vars; + end = ((char *) tpm_image) + tpm_nv_size; + while (cur < end) { + tmp = (struct tpm_nv_id *) cur; + if (tmp->id == 0) + goto allocate; + if (tmp->id == id) + return OPAL_SUCCESS; // Already allocated + + cur += sizeof(struct tpm_nv_id) + tmp->size; + } + // We ran out of space... + return OPAL_EMPTY; + +allocate: + tmp->id = id; + + // Special case: size of -1 gives remaining space + if (size == -1) + tmp->size = end - tmp->data; + else + tmp->size = size; + + return OPAL_SUCCESS; +} + + +int secvar_tpmnv_read(uint32_t id, void *buf, size_t size, size_t off) +{ + struct tpm_nv_id *var; + + if (secvar_tpmnv_init()) + return OPAL_RESOURCE; + + var = find_tpmnv_id(id); + if (!var) + return OPAL_EMPTY; + + size = MIN(size, var->size); + memcpy(buf, var->data + off, size); + + return 0; +} + + +int secvar_tpmnv_write(uint32_t id, void *buf, size_t size, size_t off) +{ + struct tpm_nv_id *var; + + if (secvar_tpmnv_init()) + return OPAL_RESOURCE; + + var = find_tpmnv_id(id); + if (!var) + return OPAL_EMPTY; + + size = MIN(size, var->size); + memcpy(var->data, buf + off, size); + + // Replace with: + // TSS_NV_Write(TPM_SECVAR_NV_INDEX, var->data, size + sizeof(struct tpm_nv_id), tpm_image - var) + return platform.secboot_write(sizeof(struct secboot), tpm_image, tpm_nv_size); +} + +int secvar_tpmnv_size(uint32_t id) +{ + struct tpm_nv_id *var; + + if (secvar_tpmnv_init()) + return OPAL_RESOURCE; + + var = find_tpmnv_id(id); + if (!var) + return 0; + return var->size; +} diff --git a/libstb/secvar/secvar_tpmnv.h b/libstb/secvar/secvar_tpmnv.h new file mode 100644 index 00000000..41a4ee82 --- /dev/null +++ b/libstb/secvar/secvar_tpmnv.h @@ -0,0 +1,13 @@ +#ifndef _SECVAR_TPMNV_H_ +#define _SECVAR_TPMNV_H_ +#include + +extern int tpm_first_init; + +int secvar_tpmnv_alloc(uint32_t id, int32_t size); +int secvar_tpmnv_read(uint32_t id, void *buf, size_t size, size_t off); +int secvar_tpmnv_write(uint32_t id, void *buf, size_t size, size_t off); +int secvar_tpmnv_size(uint32_t id); + +#endif + From patchwork Wed Dec 4 00:06:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203926 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK276tkHz9sPL for ; Wed, 4 Dec 2019 11:08:31 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK275VsxzDqM9 for ; Wed, 4 Dec 2019 11:08:31 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0V1b5WzDqLh for ; Wed, 4 Dec 2019 11:07:05 +1100 (AEDT) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWEGC061250 for ; Tue, 3 Dec 2019 19:07:03 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wnsd4cbhg-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:03 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:01 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:06:59 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB406uFi45154326 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:06:56 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 67A9EA4059; Wed, 4 Dec 2019 00:06:56 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 01C58A4040; Wed, 4 Dec 2019 00:06:55 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:06:54 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:45 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-0008-0000-0000-0000033CA2FC X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-0009-0000-0000-00004A5BC023 Message-Id: <20191204000650.28649-3-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 phishscore=0 spamscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 lowpriorityscore=0 adultscore=0 mlxlogscore=999 impostorscore=0 suspectscore=1 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 2/7] core/flash.c: add SECBOOT read and write support X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, erpalmer@us.ibm.com, gcwilson@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Claudio Carvalho In secure boot enabled systems, the petitboot linux kernel verifies the OS kernel against x509 certificates that are wrapped in secure variables controlled by OPAL. These secure variables are stored in the PNOR SECBOOT partition, as well as the updates submitted for them using userspace tools. This patch adds read and write support to the PNOR SECBOOT partition in a similar fashion to that of NVRAM, so that OPAL can handle the secure variables. V2: - lowered logging level for secboot_probe CC: Jeremy Kerr Signed-off-by: Claudio Carvalho Signed-off-by: Eric Richter --- core/flash.c | 130 +++++++++++++++++++++++++++++++++++++++++++++ include/platform.h | 4 ++ 2 files changed, 134 insertions(+) diff --git a/core/flash.c b/core/flash.c index 7fbfca22..5fbc395a 100644 --- a/core/flash.c +++ b/core/flash.c @@ -59,6 +59,10 @@ static struct lock flash_lock; static struct flash *nvram_flash; static u32 nvram_offset, nvram_size; +/* secboot-on-flash support */ +static struct flash *secboot_flash; +static u32 secboot_offset, secboot_size; + bool flash_reserve(void) { bool rc = false; @@ -93,6 +97,91 @@ bool flash_unregister(void) return true; } +static int flash_secboot_info(uint32_t *total_size) +{ + int rc; + + lock(&flash_lock); + if (!secboot_flash) { + rc = OPAL_HARDWARE; + } else if (secboot_flash->busy) { + rc = OPAL_BUSY; + } else { + *total_size = secboot_size; + rc = OPAL_SUCCESS; + } + unlock(&flash_lock); + + return rc; +} + +static int flash_secboot_read(void *dst, uint32_t src, uint32_t len) +{ + int rc; + + if (!try_lock(&flash_lock)) + return OPAL_BUSY; + + if (!secboot_flash) { + rc = OPAL_HARDWARE; + goto out; + } + + if (secboot_flash->busy) { + rc = OPAL_BUSY; + goto out; + } + + if ((src + len) > secboot_size) { + prerror("FLASH_SECBOOT: read out of bound (0x%x,0x%x)\n", + src, len); + rc = OPAL_PARAMETER; + goto out; + } + + secboot_flash->busy = true; + unlock(&flash_lock); + + rc = blocklevel_read(secboot_flash->bl, secboot_offset + src, dst, len); + + lock(&flash_lock); + secboot_flash->busy = false; +out: + unlock(&flash_lock); + return rc; +} + +static int flash_secboot_write(uint32_t dst, void *src, uint32_t len) +{ + int rc; + + if (!try_lock(&flash_lock)) + return OPAL_BUSY; + + if (secboot_flash->busy) { + rc = OPAL_BUSY; + goto out; + } + + if ((dst + len) > secboot_size) { + prerror("FLASH_SECBOOT: write out of bound (0x%x,0x%x)\n", + dst, len); + rc = OPAL_PARAMETER; + goto out; + } + + secboot_flash->busy = true; + unlock(&flash_lock); + + rc = blocklevel_write(secboot_flash->bl, secboot_offset + dst, src, len); + + lock(&flash_lock); + secboot_flash->busy = false; +out: + unlock(&flash_lock); + return rc; +} + static int flash_nvram_info(uint32_t *total_size) { int rc; @@ -182,6 +271,46 @@ out: return rc; } + +static int flash_secboot_probe(struct flash *flash, struct ffs_handle *ffs) +{ + uint32_t start, size, part; + bool ecc; + int rc; + + prlog(PR_DEBUG, "FLASH: probing for SECBOOT\n"); + + rc = ffs_lookup_part(ffs, "SECBOOT", &part); + if (rc) { + prlog(PR_WARNING, "FLASH: no SECBOOT partition found\n"); + return OPAL_HARDWARE; + } + + rc = ffs_part_info(ffs, part, NULL, + &start, &size, NULL, &ecc); + if (rc) { + /** + * @fwts-label SECBOOTNoPartition + * @fwts-advice OPAL could not find an SECBOOT partition + * on the system flash. Check that the system flash + * has a valid partition table, and that the firmware + * build process has added a SECBOOT partition. + */ + prlog(PR_ERR, "FLASH: Can't parse ffs info for SECBOOT\n"); + return OPAL_HARDWARE; + } + + secboot_flash = flash; + secboot_offset = start; + secboot_size = ecc ? ecc_buffer_size_minus_ecc(size) : size; + + platform.secboot_info = flash_secboot_info; + platform.secboot_read = flash_secboot_read; + platform.secboot_write = flash_secboot_write; + + return 0; +} + static int flash_nvram_probe(struct flash *flash, struct ffs_handle *ffs) { uint32_t start, size, part; @@ -332,6 +461,7 @@ static void setup_system_flash(struct flash *flash, struct dt_node *node, prlog(PR_INFO, "registered system flash device %s\n", name); flash_nvram_probe(flash, ffs); + flash_secboot_probe(flash, ffs); } static int num_flashes(void) diff --git a/include/platform.h b/include/platform.h index 412f8fc8..cdc64e0a 100644 --- a/include/platform.h +++ b/include/platform.h @@ -212,6 +212,10 @@ struct platform { int (*secvar_init)(void); + int (*secboot_info)(uint32_t *total_size); + int (*secboot_read)(void *dst, uint32_t src, uint32_t len); + int (*secboot_write)(uint32_t dst, void *src, uint32_t len); + /* * OCC timeout. This return how long we should wait for the OCC * before timing out. This lets us use a high value on larger FSP From patchwork Wed Dec 4 00:06:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203928 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK2j05mbz9s4Y for ; Wed, 4 Dec 2019 11:09:01 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK2h699qzDqST for ; Wed, 4 Dec 2019 11:09:00 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0X4x74zDqLd for ; Wed, 4 Dec 2019 11:07:08 +1100 (AEDT) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWEdK090521 for ; Tue, 3 Dec 2019 19:07:05 -0500 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wnsvhapbx-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:05 -0500 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:03 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:07:01 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB406wnG52756700 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:06:58 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0A3C2A4053; Wed, 4 Dec 2019 00:06:58 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BD07AA404D; Wed, 4 Dec 2019 00:06:56 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:06:56 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:46 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-4275-0000-0000-0000038AC492 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-4276-0000-0000-0000389E646C Message-Id: <20191204000650.28649-4-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 impostorscore=0 priorityscore=1501 bulkscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 adultscore=0 suspectscore=3 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 3/7] secvar/storage: add secvar storage driver for pnor-based p9 platforms X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This patch implements the platform specific logic for persisting the secure variable storage banks across reboots via the SECBOOT PNOR partition. For POWER 9, all secure variables and updates are stored in the in the SECBOOT PNOR partition. The partition is split into three sections: two variable bank sections, and a section for storing updates. The driver alternates writes between the two variable sections, so that the final switch from one set of variables to the next can be as atomic as possible by flipping an "active bit" stored in TPM NV. PNOR space provides no lock protection, so prior to writing the variable bank, a sha256 hash is calculated and stored in TPM NV. This hash is compared against the hash of the variables loaded from PNOR to ensure consistency -- otherwise a failure is reported, no keys are loaded (which should cause skiroot to refuse to boot if secure boot support is enabled). Signed-off-by: Eric Richter --- include/secvar.h | 1 + libstb/secvar/storage/Makefile.inc | 4 +- libstb/secvar/storage/secboot_tpm.c | 293 +++++++++++++++++++ libstb/secvar/test/secvar-test-secboot-tpm.c | 134 +++++++++ 4 files changed, 430 insertions(+), 2 deletions(-) create mode 100644 libstb/secvar/storage/secboot_tpm.c create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c diff --git a/include/secvar.h b/include/secvar.h index c41fb739..2875c700 100644 --- a/include/secvar.h +++ b/include/secvar.h @@ -23,6 +23,7 @@ struct secvar_backend_driver { const char *compatible; // String to use for compatible in secvar node }; +extern struct secvar_storage_driver secboot_tpm_driver; int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver); diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index b7a821ec..5926e2f5 100644 --- a/libstb/secvar/storage/Makefile.inc +++ b/libstb/secvar/storage/Makefile.inc @@ -1,11 +1,11 @@ # SPDX-License-Identifier: Apache-2.0 # -*-Makefile-*- -SECVAR_STORAGE_DIR = libstb/secvar/storage +SECVAR_STORAGE_DIR = $(SRC)/libstb/secvar/storage SUBDIRS += $(SECVAR_STORAGE_DIR) -SECVAR_STORAGE_SRCS = +SECVAR_STORAGE_SRCS = secboot_tpm.c SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a diff --git a/libstb/secvar/storage/secboot_tpm.c b/libstb/secvar/storage/secboot_tpm.c new file mode 100644 index 00000000..97b59b98 --- /dev/null +++ b/libstb/secvar/storage/secboot_tpm.c @@ -0,0 +1,293 @@ +// SPDX-License-Identifier: Apache-2.0 +/* Copyright 2019 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "SECBOOT_TPM: " fmt +#endif + +#include +#include +#include +#include +#include "../secvar.h" +#include "../secvar_tpmnv.h" + +//#define CYCLE_BIT(b) (((((b-1)%SECBOOT_VARIABLE_BANK_NUM)+1)%SECBOOT_VARIABLE_BANK_NUM)+1) +#define CYCLE_BIT(b) (b^0x1) + +#define TPMNV_ID_ACTIVE_BIT 0x53414242 // SABB +#define TPMNV_ID_HASH_BANK_0 0x53484230 // SHB0 +#define TPMNV_ID_HASH_BANK_1 0x53484231 // SHB1 + +#define GET_HASH_BANK_ID(bit) ((bit)?TPMNV_ID_HASH_BANK_1:TPMNV_ID_HASH_BANK_0) + +// TODO: Determine reasonable values for these, or have platform set it? +#define SECBOOT_VARIABLE_BANK_SIZE 32000 +#define SECBOOT_UPDATE_BANK_SIZE 32000 + +#define SECBOOT_VARIABLE_BANK_NUM 2 + +// Because mbedtls doesn't define this? +#define SHA256_DIGEST_LENGTH 32 + +/* 0x5053424b = "PSBK" or Power Secure Boot Keystore */ +#define SECBOOT_MAGIC_NUMBER 0x5053424b +#define SECBOOT_VERSION 1 + +struct secboot_header { + uint32_t magic_number; + uint8_t version; + uint8_t reserved[3]; // Fix alignment +} __packed; + +struct secboot { + struct secboot_header header; + char bank[SECBOOT_VARIABLE_BANK_NUM][SECBOOT_VARIABLE_BANK_SIZE]; + char update[SECBOOT_UPDATE_BANK_SIZE]; +} __packed; + +// TODO: This should be deleted when the TSS is added +// Only here to fix a collision that occurs in the test case where the +// temporary copy of the above in secvar_tpmnv.c conflicts +#define _secboot_header_ + +struct secboot *secboot_image; + +static void calc_bank_hash(char *target_hash, char *source_buf, uint64_t size) +{ + mbedtls_sha256_context ctx; + + mbedtls_sha256_init(&ctx); + mbedtls_sha256_update_ret(&ctx, source_buf, size); + mbedtls_sha256_finish_ret(&ctx, target_hash); +} + +static int secboot_format(void) +{ + char bank_hash[SHA256_DIGEST_LENGTH]; + + if (!platform.secboot_write) + return OPAL_UNSUPPORTED; + + memset(secboot_image, 0x00, sizeof(struct secboot)); + + secboot_image->header.magic_number = SECBOOT_MAGIC_NUMBER; + secboot_image->header.version = SECBOOT_VERSION; + + // Write the empty hash to the tpm so loads work in the future + calc_bank_hash(bank_hash, secboot_image->bank[0], SECBOOT_VARIABLE_BANK_SIZE); + secvar_tpmnv_write(TPMNV_ID_HASH_BANK_0, bank_hash, SHA256_DIGEST_LENGTH, 0); + + return platform.secboot_write(0, secboot_image, sizeof(struct secboot)); +} + +// Flattens a linked-list bank into a contiguous buffer for writing +static int secboot_serialize_bank(struct list_head *bank, char *target, size_t target_size, int flags) +{ + struct secvar_node *node; + char *tmp = target; + + if (!bank) + return OPAL_INTERNAL_ERROR; + if (!target) + return OPAL_INTERNAL_ERROR; + + list_for_each(bank, node, link) { + if (node->flags != flags) + continue; + + // Bail early if we are out of storage space + if ((target - tmp) + sizeof(struct secvar) + node->var->data_size > target_size) { + return OPAL_EMPTY; + } + + memcpy(target, node->var, sizeof(struct secvar) + node->var->data_size); + + target += sizeof(struct secvar) + node->var->data_size; + } + + return OPAL_SUCCESS; +} + + +static int secboot_load_from_pnor(struct list_head *bank, char *source, size_t max_size) +{ + char *src; + struct secvar_node *tmp; + struct secvar *hdr; + + src = source; + + while (src < (source + max_size)) { + // Load in the header first to get the size, and check if we are at the end + hdr = (struct secvar *) src; + if (hdr->key_len == 0) { + break; + } + + tmp = alloc_secvar(hdr->data_size); + if (!tmp) { + prlog(PR_ERR, "Could not allocate memory for loading secvar from image\n"); + return OPAL_NO_MEM; + } + + memcpy(tmp->var, src, sizeof(struct secvar) + hdr->data_size); + + list_add_tail(bank, &tmp->link); + src += sizeof(struct secvar) + hdr->data_size; + } + + return OPAL_SUCCESS; +} + + +static int secboot_tpm_write_bank(struct list_head *bank, int section) +{ + int rc; + uint64_t bit; + char bank_hash[SHA256_DIGEST_LENGTH]; + + switch(section) { + case SECVAR_VARIABLE_BANK: + // Get the current bit and flip it + secvar_tpmnv_read(TPMNV_ID_ACTIVE_BIT, &bit, sizeof(bit), 0); + bit = CYCLE_BIT(bit); + + // Calculate the bank hash, and write to TPM NV + rc = secboot_serialize_bank(bank, secboot_image->bank[bit], SECBOOT_VARIABLE_BANK_SIZE, 0); + if (rc) + break; + + calc_bank_hash(bank_hash, secboot_image->bank[bit], SECBOOT_VARIABLE_BANK_SIZE); + rc = secvar_tpmnv_write(GET_HASH_BANK_ID(bit), bank_hash, SHA256_DIGEST_LENGTH, 0); + if (rc) + break; + + // Write new variable bank to pnor + rc = platform.secboot_write(0, secboot_image, sizeof(struct secboot)); + if (rc) + break; + + // Flip the bit, and write to TPM NV + rc = secvar_tpmnv_write(TPMNV_ID_ACTIVE_BIT, &bit, sizeof(bit), 0); + break; + case SECVAR_UPDATE_BANK: + memset(secboot_image->update, 0, SECBOOT_UPDATE_BANK_SIZE); + rc = secboot_serialize_bank(bank, secboot_image->update, SECBOOT_UPDATE_BANK_SIZE, 0); + if (rc) + break; + + rc = platform.secboot_write(0, secboot_image, sizeof(struct secboot)); + break; + default: + rc = OPAL_HARDWARE; + } + + return rc; +} + + +static int secboot_tpm_load_variable_bank(struct list_head *bank) +{ + char bank_hash[SHA256_DIGEST_LENGTH]; + char tpm_bank_hash[SHA256_DIGEST_LENGTH]; + uint64_t bit; + + secvar_tpmnv_read(TPMNV_ID_ACTIVE_BIT, &bit, sizeof(bit), 0); + secvar_tpmnv_read(GET_HASH_BANK_ID(bit), tpm_bank_hash, SHA256_DIGEST_LENGTH, 0); + + calc_bank_hash(bank_hash, secboot_image->bank[bit], SECBOOT_VARIABLE_BANK_SIZE); + if (memcmp(bank_hash, tpm_bank_hash, SHA256_DIGEST_LENGTH)) + return OPAL_PERMISSION; // Tampered pnor space detected, abandon ship + + return secboot_load_from_pnor(bank, secboot_image->bank[bit], SECBOOT_VARIABLE_BANK_SIZE); +} + + +static int secboot_tpm_load_bank(struct list_head *bank, int section) +{ + switch(section) { + case SECVAR_VARIABLE_BANK: + return secboot_tpm_load_variable_bank(bank); + case SECVAR_UPDATE_BANK: + return secboot_load_from_pnor(bank, secboot_image->update, SECBOOT_UPDATE_BANK_SIZE); + default: + return OPAL_HARDWARE; + } + + return OPAL_HARDWARE; +} + + +static int secboot_tpm_store_init(void) +{ + int rc; + unsigned secboot_size; + + // Already initialized + if (secboot_image) + return OPAL_SUCCESS; + + if (!platform.secboot_info) + return OPAL_UNSUPPORTED; + + prlog(PR_DEBUG, "Initializing for pnor+tpm based platform\n"); + + rc = secvar_tpmnv_alloc(TPMNV_ID_ACTIVE_BIT, sizeof(uint64_t)); + rc |= secvar_tpmnv_alloc(TPMNV_ID_HASH_BANK_0, SHA256_DIGEST_LENGTH); + rc |= secvar_tpmnv_alloc(TPMNV_ID_HASH_BANK_1, SHA256_DIGEST_LENGTH); + if (rc) { + prlog(PR_ERR, "unable to alloc or find the tpmnv space\n"); + return rc; + } + + rc = platform.secboot_info(&secboot_size); + if (rc) { + prlog(PR_ERR, "error %d retrieving keystore info\n", rc); + return rc; + } + if (sizeof(struct secboot) > secboot_size) { + prlog(PR_ERR, "secboot partition %d KB too small. min=%ld\n", + secboot_size >> 10, sizeof(struct secboot)); + return OPAL_RESOURCE; + } + + secboot_image = memalign(0x1000, sizeof(struct secboot)); + if (!secboot_image) { + prlog(PR_ERR, "Failed to allocate space for the secboot image\n"); + return OPAL_NO_MEM; + } + + /* Read it in */ + rc = platform.secboot_read(secboot_image, 0, sizeof(struct secboot)); + if (rc) { + prlog(PR_ERR, "failed to read the secboot partition, rc=%d\n", rc); + goto out_free; + } + + if ((secboot_image->header.magic_number != SECBOOT_MAGIC_NUMBER) + || tpm_first_init ) { + prlog(PR_INFO, "Formatting secboot partition...\n"); + rc = secboot_format(); + if (rc) { + prlog(PR_ERR, "Failed to format secboot!\n"); + goto out_free; + } + } + + return OPAL_SUCCESS; + +out_free: + if (secboot_image) { + free(secboot_image); + secboot_image = NULL; + } + + return rc; +} + +struct secvar_storage_driver secboot_tpm_driver = { + .load_bank = secboot_tpm_load_bank, + .write_bank = secboot_tpm_write_bank, + .store_init = secboot_tpm_store_init, + .max_var_size = 8192, +}; diff --git a/libstb/secvar/test/secvar-test-secboot-tpm.c b/libstb/secvar/test/secvar-test-secboot-tpm.c new file mode 100644 index 00000000..9a433f92 --- /dev/null +++ b/libstb/secvar/test/secvar-test-secboot-tpm.c @@ -0,0 +1,134 @@ +#include "secvar_common_test.c" +#include "../storage/secboot_tpm.c" +#include "../../crypto/mbedtls/library/sha256.c" +#include "../../crypto/mbedtls/library/platform_util.c" +#include "../secvar_tpmnv.c" +#include "../secvar_util.c" + +char *secboot_buffer; + +#define ARBITRARY_SECBOOT_SIZE 128000 + +const char *secvar_test_name = "secboot_tpm"; + +static int secboot_read(void *dst, uint32_t src, uint32_t len) +{ + memcpy(dst, secboot_buffer + src, len); + return 0; +} + +static int secboot_write(uint32_t dst, void *src, uint32_t len) +{ + memcpy(secboot_buffer + dst, src, len); + return 0; +} + +static int secboot_info(uint32_t *total_size) +{ + *total_size = ARBITRARY_SECBOOT_SIZE; + return 0; +} + +struct platform platform; + +int run_test(void) +{ + int rc; + struct secvar_node *tmp; + + platform.secboot_read = secboot_read; + platform.secboot_write = secboot_write; + platform.secboot_info = secboot_info; + + secboot_buffer = zalloc(ARBITRARY_SECBOOT_SIZE); + + // Initialize and format the storage + rc = secboot_tpm_store_init(); + ASSERT(OPAL_SUCCESS == rc); + + // Load the just-formatted empty section + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(0 == list_length(&variable_bank)); + + // Add some test variables + tmp = alloc_secvar(8); + tmp->var->key_len = 5; + memcpy(tmp->var->key, "test", 5); + tmp->var->data_size = 8; + memcpy(tmp->var->data, "testdata", 8); + list_add_tail(&variable_bank, &tmp->link); + + tmp = alloc_secvar(8); + tmp->var->key_len = 4; + memcpy(tmp->var->key, "foo", 4); + tmp->var->data_size = 8; + memcpy(tmp->var->data, "moredata", 8); + list_add_tail(&variable_bank, &tmp->link); + + // Write the bank + rc = secboot_tpm_write_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + // should write to bank 1 first + ASSERT(secboot_image->bank[1][0] != 0); + ASSERT(secboot_image->bank[0][0] == 0); + + // Clear the variable list + clear_bank_list(&variable_bank); + ASSERT(0 == list_length(&variable_bank)); + + // Load the bank + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(2 == list_length(&variable_bank)); + + // Change a variable + tmp = list_top(&variable_bank, struct secvar_node, link); + memcpy(tmp->var->data, "somethin", 8); + + // Write the bank + rc = secboot_tpm_write_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + // should have data in both now + ASSERT(secboot_image->bank[0][0] != 0); + ASSERT(secboot_image->bank[1][0] != 0); + + clear_bank_list(&variable_bank); + + // Tamper with pnor, hash check should catch this + secboot_image->bank[0][0] = ~secboot_image->bank[0][0]; + + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(rc != OPAL_SUCCESS); // TODO: permission? + + // Fix it back... + secboot_image->bank[0][0] = ~secboot_image->bank[0][0]; + + // Should be ok again + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(rc == OPAL_SUCCESS); + + clear_bank_list(&variable_bank); + free(secboot_buffer); + + return 0; +} + +int main(void) +{ + int rc = 0; + + list_head_init(&variable_bank); + + rc = run_test(); + + if (rc) + printf(COLOR_RED "FAILED" COLOR_RESET "\n"); + else + printf(COLOR_GREEN "OK" COLOR_RESET "\n"); + + free(tpm_image); + free(secboot_image); + + return rc; +} From patchwork Wed Dec 4 00:06:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203927 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK2Q0L3Nz9s4Y for ; Wed, 4 Dec 2019 11:08:46 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK2P6Pd8zDqM7 for ; Wed, 4 Dec 2019 11:08:45 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0Y3Rm6zDqSD for ; Wed, 4 Dec 2019 11:07:09 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWED6046503 for ; Tue, 3 Dec 2019 19:07:05 -0500 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wnp666hrh-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:05 -0500 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:03 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:07:02 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB406xgj58654942 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:06:59 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 810C9A405B; Wed, 4 Dec 2019 00:06:59 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 659D8A4051; Wed, 4 Dec 2019 00:06:58 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:06:58 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:47 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-0028-0000-0000-000003C45FF9 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-0029-0000-0000-000024877BF2 Message-Id: <20191204000650.28649-5-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 spamscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 clxscore=1015 bulkscore=0 phishscore=0 impostorscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 4/7] crypto: add mbedtls build integration via git submodule X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Secure variable support requires more crypto support than skiboot currently has. Since mbedtls' x509, etc implementations have rather tight dependencies which prevent easy cherry picking (unlike the existing sha512.c), it is easier to integrate and maintain the whole mbedtls library as a submodule. Signed-off-by: Eric Richter --- .gitmodules | 4 ++ Makefile.main | 1 + libstb/Makefile.inc | 5 +- libstb/crypto/Makefile.inc | 20 +++++++ libstb/crypto/mbedtls | 1 + libstb/crypto/mbedtls-config.h | 98 ++++++++++++++++++++++++++++++++++ 6 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 .gitmodules create mode 100644 libstb/crypto/Makefile.inc create mode 160000 libstb/crypto/mbedtls create mode 100644 libstb/crypto/mbedtls-config.h diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..78998dae --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "libstb/crypto/mbedtls"] + path = libstb/crypto/mbedtls + url = https://github.com/ARMmbed/mbedtls + branch = mbedtls-2.16 diff --git a/Makefile.main b/Makefile.main index 2d60bbbf..31e3018d 100644 --- a/Makefile.main +++ b/Makefile.main @@ -356,6 +356,7 @@ clean: $(RM) include/asm-offsets.h version.c .version $(RM) skiboot.info external/gard/gard.info external/pflash/pflash.info $(RM) extract-gcov $(TARGET).lid.stb $(TARGET).lid.xz.stb + $(MAKE) -C libstb/crypto/mbedtls clean distclean: clean $(RM) *~ $(SUBDIRS:%=%/*~) include/*~ diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc index d3f68496..c727518c 100644 --- a/libstb/Makefile.inc +++ b/libstb/Makefile.inc @@ -12,8 +12,11 @@ include $(SRC)/$(LIBSTB_DIR)/secvar/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/mbedtls/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc +include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc -$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(MBEDTLS) +CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include + +$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) libstb/create-container: libstb/create-container.c libstb/container-utils.c $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \ diff --git a/libstb/crypto/Makefile.inc b/libstb/crypto/Makefile.inc new file mode 100644 index 00000000..1e153ed2 --- /dev/null +++ b/libstb/crypto/Makefile.inc @@ -0,0 +1,20 @@ +CRYPTO_DIR = $(LIBSTB_DIR)/crypto + +SUBDIRS += $(CRYPTO_DIR) + +MBEDTLS=$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedcrypto.a +MBEDTLS+= $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedx509.a + +MBEDTLS_CFLAGS = $(CFLAGS) +MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR) +MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto -DMBEDTLS_CONFIG_FILE='' +MBEDTLS_CFLAGS += -Wno-suggest-attribute=const +MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include +MBEDTLS_CFLAGS += $(CPPFLAGS) + +$(MBEDTLS): + @$(MAKE) -C $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/ CFLAGS="$(MBEDTLS_CFLAGS)" CC=$(CC) AR=$(AR) libmbedcrypto.a libmbedx509.a + +CRYPTO = $(CRYPTO_DIR)/built-in.a + +$(CRYPTO): $(MBEDTLS) diff --git a/libstb/crypto/mbedtls b/libstb/crypto/mbedtls new file mode 160000 index 00000000..d81c11b8 --- /dev/null +++ b/libstb/crypto/mbedtls @@ -0,0 +1 @@ +Subproject commit d81c11b8ab61fd5b2da8133aa73c5fe33a0633eb diff --git a/libstb/crypto/mbedtls-config.h b/libstb/crypto/mbedtls-config.h new file mode 100644 index 00000000..edf4acc2 --- /dev/null +++ b/libstb/crypto/mbedtls-config.h @@ -0,0 +1,98 @@ +/** + * \file config-no-entropy.h + * + * \brief Minimal configuration of features that do not require an entropy source + */ +/* + * Copyright (C) 2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +/* + * Minimal configuration of features that do not require an entropy source + * Distinguishing reatures: + * - no entropy module + * - no TLS protocol implementation available due to absence of an entropy + * source + * + * See README.txt for usage instructions. + */ + +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H + +/* System support */ +#define MBEDTLS_HAVE_ASM +#define MBEDTLS_HAVE_TIME + +/* mbed TLS feature support */ +#define MBEDTLS_CIPHER_MODE_CBC +#define MBEDTLS_CIPHER_PADDING_PKCS7 +#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_PK_RSA_ALT_SUPPORT +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V21 +#define MBEDTLS_SELF_TEST +#define MBEDTLS_VERSION_FEATURES +#define MBEDTLS_X509_CHECK_KEY_USAGE +#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + +/* mbed TLS modules */ +#define MBEDTLS_AES_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_GCM_C +#define MBEDTLS_MD_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_RSA_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA512_C +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C +//#define MBEDTLS_CMAC_C + +/* Settings to reduce/remove warnings */ +#define MBEDTLS_MPI_WINDOW_SIZE 3 // (max/default is 6) Increase for speed, may introduce warnings +#define MBEDTLS_MPI_MAX_SIZE 512 // (default is 1024) increase for more bits in user-MPIs +#define SIZE_MAX 65535 // this might need to be in libc? + +/* Disableable to mitigate warnings */ +#define MBEDTLS_ASN1_WRITE_C // Expects SIZE_MAX +#define MBEDTLS_VERSION_C // Possible 'const' function +#define MBEDTLS_HMAC_DRBG_C + +/* Miscellaneous options and fixes*/ +#define MBEDTLS_AES_ROM_TABLES +#define MBEDTLS_NO_UDBL_DIVISION // Disabled due to unsupported operation + +#endif /* MBEDTLS_CONFIG_H */ From patchwork Wed Dec 4 00:06:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203929 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK303p5Wz9s4Y for ; Wed, 4 Dec 2019 11:09:16 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK302qBjzDqHq for ; Wed, 4 Dec 2019 11:09:16 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0b2b1tzDqMX for ; Wed, 4 Dec 2019 11:07:11 +1100 (AEDT) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWE5h068402 for ; Tue, 3 Dec 2019 19:07:08 -0500 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wntc7fpmg-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:07 -0500 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:06 -0000 Received: from b06avi18878370.portsmouth.uk.ibm.com (9.149.26.194) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:07:04 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06avi18878370.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB4071DF41615756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:07:01 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 25CEDA404D; Wed, 4 Dec 2019 00:07:01 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CDD4AA4040; Wed, 4 Dec 2019 00:06:59 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:06:59 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:48 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-0020-0000-0000-000003935DED X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-0021-0000-0000-000021EA826A Message-Id: <20191204000650.28649-6-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 lowpriorityscore=0 phishscore=0 mlxlogscore=999 spamscore=0 impostorscore=0 mlxscore=0 adultscore=0 clxscore=1015 priorityscore=1501 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 5/7] crypto: add out-of-tree mbedtls pkcs7 parser X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Nayna Jain This patch adds a pkcs7 parser for mbedtls that hasn't yet gone upstream. Once/if that implementation is accepted, this patch can be removed. Signed-off-by: Eric Richter --- libstb/crypto/Makefile.inc | 4 +- libstb/crypto/pkcs7/Makefile.inc | 10 + libstb/crypto/pkcs7/pkcs7.c | 476 +++++++++++++++++++++++++++++++ libstb/crypto/pkcs7/pkcs7.h | 176 ++++++++++++ 4 files changed, 665 insertions(+), 1 deletion(-) create mode 100644 libstb/crypto/pkcs7/Makefile.inc create mode 100644 libstb/crypto/pkcs7/pkcs7.c create mode 100644 libstb/crypto/pkcs7/pkcs7.h diff --git a/libstb/crypto/Makefile.inc b/libstb/crypto/Makefile.inc index 1e153ed2..954bd66d 100644 --- a/libstb/crypto/Makefile.inc +++ b/libstb/crypto/Makefile.inc @@ -15,6 +15,8 @@ MBEDTLS_CFLAGS += $(CPPFLAGS) $(MBEDTLS): @$(MAKE) -C $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/ CFLAGS="$(MBEDTLS_CFLAGS)" CC=$(CC) AR=$(AR) libmbedcrypto.a libmbedx509.a +include $(CRYPTO_DIR)/pkcs7/Makefile.inc + CRYPTO = $(CRYPTO_DIR)/built-in.a -$(CRYPTO): $(MBEDTLS) +$(CRYPTO): $(MBEDTLS) $(PKCS7) diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc new file mode 100644 index 00000000..6acf6c68 --- /dev/null +++ b/libstb/crypto/pkcs7/Makefile.inc @@ -0,0 +1,10 @@ + +PKCS7_DIR = libstb/crypto/pkcs7 + +SUBDIRS += $(PKCS7_DIR) + +PKCS7_SRCS = pkcs7.c +PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o) +PKCS7 = $(PKCS7_DIR)/built-in.a + +$(PKCS7): $(PKCS7_OBJS:%=$(PKCS7_DIR)/%) diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c new file mode 100644 index 00000000..c5ed897d --- /dev/null +++ b/libstb/crypto/pkcs7/pkcs7.c @@ -0,0 +1,476 @@ +/* Copyright 2019 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include +#else +#include MBEDTLS_CONFIG_FILE +#endif +//#if defined(MBEDTLS_PKCS7_USE_C) + +#include +#include +#include "pkcs7.h" +#include +#include + +#include +#include +#include + +#if defined(MBEDTLS_PLATFORM_C) +#include +#else +#include +#include +#define mbedtls_free free +#define mbedtls_calloc calloc +#define mbedtls_printf printf +#define mbedtls_snprintf snprintf +#endif + +#if defined(MBEDTLS_HAVE_TIME) +#include +#endif +#if defined(MBEDTLS_HAVE_TIME_DATE) +#include +#include +#endif + +/* + * Load all data from a file into a given buffer. + * + * The file is expected to contain DER encoded data. + * A terminating null byte is always appended. + */ + +#if 0 +int mbedtls_pkcs7_load_file( const char *path, unsigned char **buf, size_t *n ) +{ + FILE *f; + long size; + + + if( ( f = fopen( path, "rb" ) ) == NULL ) + return( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + + fseek( f, 0, SEEK_END ); + if( ( size = ftell( f ) ) == -1 ) + { + fclose( f ); + return( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + } + fseek( f, 0, SEEK_SET ); + + *n = (size_t) size; + + if( *n + 1 == 0 || + ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) + { + fclose( f ); + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + + if( fread( *buf, 1, *n, f ) != *n ) + { + fclose( f ); + + mbedtls_platform_zeroize( *buf, *n + 1 ); + mbedtls_free( *buf ); + + return( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + } + + fclose( f ); + + (*buf)[*n] = '\0'; + + return( 0 ); +} +#endif + +/** + * Initializes the pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) +{ + memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); +} + + +static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, size_t *len ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + return ( 0 ); +} + +/** + * version Version + * Version ::= INTEGER + **/ +static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + return ( 0 ); +} + +/** + * ContentInfo ::= SEQUENCE { + * contentType ContentType, + * content + * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + **/ +static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *pkcs7 ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); + if ( ret ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + pkcs7->tag = MBEDTLS_ASN1_OID; + pkcs7->len = len; + pkcs7->p = *p; + + return ret; +} + +/** + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * + * This is from x509.h + **/ +static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, mbedtls_x509_buf *alg ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + return ( 0 ); +} + +/** + * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier + **/ +static int pkcs7_get_digest_algorithm_set( unsigned char **p, unsigned char *end, + mbedtls_x509_buf *alg ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + end = *p + len; + + /** For now, it assumes there is only one digest algorithm specified **/ + ret = mbedtls_asn1_get_alg_null( p, end, alg ); + if ( ret ) + return ret; + + return ( 0 ); +} + +/** + * certificates :: SET OF ExtendedCertificateOrCertificate, + * ExtendedCertificateOrCertificate ::= CHOICE { + * certificate Certificate -- x509, + * extendedCertificate[0] IMPLICIT ExtendedCertificate } + **/ +static int pkcs7_get_certificates( unsigned char **buf, size_t buflen, + mbedtls_x509_crt *certs ) +{ + int ret; + + if ( ( ret = mbedtls_x509_crt_parse( certs, *buf, buflen ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + return ( 0 ); +} + +/** + * EncryptedDigest ::= OCTET STRING + **/ +static int pkcs7_get_signature( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *signature ) +{ + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + signature->tag = MBEDTLS_ASN1_OCTET_STRING; + signature->len = len; + signature->p = *p; + + return ( 0 ); +} + +/** + * SignerInfo ::= SEQUENCE { + * version Version; + * issuerAndSerialNumber IssuerAndSerialNumber, + * digestAlgorithm DigestAlgorithmIdentifier, + * authenticatedAttributes + * [0] IMPLICIT Attributes OPTIONAL, + * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, + * encryptedDigest EncryptedDigest, + * unauthenticatedAttributes + * [1] IMPLICIT Attributes OPTIONAL, + **/ +static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signers_set ) +{ + unsigned char *end_set; + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + end_set = *p + len; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + signers_set->issuer_raw.p = *p; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = mbedtls_x509_get_name( p, *p + len, &signers_set->issuer ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = pkcs7_get_digest_algorithm( p, end_set, + &signers_set->alg_identifier ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = pkcs7_get_digest_algorithm( p, end_set, + &signers_set->sig_alg_identifier ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + ret = pkcs7_get_signature( p, end, &signers_set->sig ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + signers_set->next = NULL; + + return ( 0 ); +} + +/** + * SignedData ::= SEQUENCE { + * version Version, + * digestAlgorithms DigestAlgorithmIdentifiers, + * contentInfo ContentInfo, + * certificates + * [0] IMPLICIT ExtendedCertificatesAndCertificates + * OPTIONAL, + * crls + * [0] IMPLICIT CertificateRevocationLists OPTIONAL, + * signerInfos SignerInfos } + */ +static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, + mbedtls_pkcs7_signed_data *signed_data ) +{ + unsigned char *p = buf; + unsigned char *end = buf + buflen; + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + /* Get version of signed data */ + ret = pkcs7_get_version( &p, end, &signed_data->version ); + if ( ret != 0 ) + return ( ret ); + + /* If version != 1, return invalid version */ + if ( signed_data->version != MBEDTLS_PKCS7_SUPPORTED_VERSION ) { + mbedtls_printf("Invalid version\n"); + return ( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + } + + /* Get digest algorithm */ + ret = pkcs7_get_digest_algorithm_set( &p, end, + &signed_data->digest_alg_identifiers ); + if ( ret != 0 ) { + mbedtls_printf("error getting digest algorithms\n"); + return ( ret ); + } + + if ( signed_data->digest_alg_identifiers.len != strlen( MBEDTLS_OID_DIGEST_ALG_SHA256 ) ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + if ( memcmp( signed_data->digest_alg_identifiers.p, MBEDTLS_OID_DIGEST_ALG_SHA256, + signed_data->digest_alg_identifiers.len ) ) { + mbedtls_fprintf(stdout, "Digest Algorithm other than SHA256 is not supported\n"); + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + } + + /* Do not expect any content */ + ret = pkcs7_get_content_info_type( &p, end, &signed_data->content.oid ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + + if ( memcmp( signed_data->content.oid.p, MBEDTLS_OID_PKCS7_DATA, + signed_data->content.oid.len ) ) { + mbedtls_printf("Invalid PKCS7 data\n"); + return ( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ) ; + } + + p = p + signed_data->content.oid.len; + + ret = pkcs7_get_next_content_len( &p, end, &len ); + if ( ret != 0 ) + return ( ret ); + + /* Get certificates */ + mbedtls_x509_crt_init( &signed_data->certs ); + ret = pkcs7_get_certificates( &p, len, &signed_data->certs ); + if ( ret != 0 ) + return ( ret ) ; + + p = p + len; + + /* Get signers info */ + ret = pkcs7_get_signers_info_set( &p, end, &signed_data->signers ); + if ( ret != 0 ) + return ( ret ); + + return ( ret ); +} + +int mbedtls_pkcs7_parse_der( const unsigned char *buf, const int buflen, + mbedtls_pkcs7 *pkcs7 ) +{ + unsigned char *start; + unsigned char *end; + size_t len = 0; + int ret; + + /* use internal buffer for parsing */ + start = ( unsigned char * )buf; + end = start + buflen; + + ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + if ( ret != 0 ) + goto out; + + if ( ( !memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENVELOPED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_DIGESTED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, + pkcs7->content_type_oid.len ) ) ) { + mbedtls_printf("Unsupported PKCS7 data type\n"); + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + goto out; + } + + if ( ( memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_SIGNED_DATA, + pkcs7->content_type_oid.len ) ) ) { + mbedtls_printf("Invalid PKCS7 data type\n"); + ret = MBEDTLS_ERR_PKCS7_INVALID_ALG; + goto out; + } + mbedtls_printf("Content type is SignedData, continue...\n"); + + start = start + pkcs7->content_type_oid.len; + + ret = pkcs7_get_next_content_len( &start, end, &len ); + if ( ret != 0 ) + goto out; + + ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + if ( ret != 0 ) + goto out; + +out: + return ( ret ); +} + +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, mbedtls_x509_crt *cert, const unsigned char *data, int datalen ) +{ + + int ret; + unsigned char hash[32]; + mbedtls_pk_context pk_cxt = cert->pk; + const mbedtls_md_info_t *md_info = + mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); + + mbedtls_md( md_info, data, datalen, hash ); + ret = mbedtls_pk_verify( &pk_cxt, MBEDTLS_MD_SHA256,hash, 32, pkcs7->signed_data.signers.sig.p, pkcs7->signed_data.signers.sig.len ); + + printf("rc is %02x\n", ret); + + return ( ret ); +} + +//#endif diff --git a/libstb/crypto/pkcs7/pkcs7.h b/libstb/crypto/pkcs7/pkcs7.h new file mode 100644 index 00000000..1aacd6ef --- /dev/null +++ b/libstb/crypto/pkcs7/pkcs7.h @@ -0,0 +1,176 @@ +/** + * \file pkcs7.h + * + * \brief PKCS7 generic defines and structures + */ +/* + * Copyright (C) 2019, IBM Corp, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_PKCS7_H +#define MBEDTLS_PKCS7_H + +//#if !defined(MBEDTLS_CONFIG_FILE) +//#include "config.h" +//#else +//#include MBEDTLS_CONFIG_FILE +//#endif + +#include "mbedtls/asn1.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" + +/** + * \name PKCS7 Error codes + * \{ + */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x7080 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_UNKNOWN_OID -0x7100 /**< Requested OID is unknown. */ +#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x7180 /**< The CRT/CRL format is invalid, e.g. different type expected. */ +#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x7200 /**< The PKCS7 version element is invalid. */ +#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x7280 /**< The algorithm tag or value is invalid. */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIG_ALG -0x7300 /**< Signature algorithm (oid) is unsupported. */ +#define MBEDTLS_ERR_PKCS7_SIG_MISMATCH -0x7380 /**< Signature verification fails. (see \c ::mbedtls_x509_crt sig_oid) */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x7400 /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x7480 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_FILE_IO_ERROR -0x7500 /**< File Read/Write Error */ +/* \} name */ + + +/** + * \name PKCS7 Supported Version + * \{ + */ +#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01 +/* \} name */ + + + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Type-length-value structure that allows for ASN1 using DER. + */ +typedef mbedtls_asn1_buf mbedtls_pkcs7_buf; + +/** + * Container for ASN1 named information objects. + * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). + */ +typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; + +/** + * Container for a sequence of ASN.1 items + */ +typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; + +/** + * Structure holding PKCS7 signer info + */ +typedef struct mbedtls_pkcs7_signer_info { + int version; + mbedtls_x509_buf serial; + mbedtls_x509_name issuer; + mbedtls_x509_buf issuer_raw; + mbedtls_x509_buf alg_identifier; + mbedtls_x509_buf sig_alg_identifier; + mbedtls_x509_buf sig; + struct mbedtls_pkcs7_signer_info *next; +} +mbedtls_pkcs7_signer_info; + +/** + * Structure holding attached data as part of PKCS7 signed data format + */ +typedef struct mbedtls_pkcs7_data { + mbedtls_pkcs7_buf oid; + mbedtls_pkcs7_buf data; +} +mbedtls_pkcs7_data; + +/** + * Structure holding the signed data section + */ +typedef struct mbedtls_pkcs7_signed_data { + int version; + mbedtls_pkcs7_buf digest_alg_identifiers; + struct mbedtls_pkcs7_data content; + mbedtls_x509_crt certs; + mbedtls_x509_crl crl; + struct mbedtls_pkcs7_signer_info signers; +} +mbedtls_pkcs7_signed_data; + +/** + * Structure holding PKCS7 structure, only signed data for now + */ +typedef struct mbedtls_pkcs7 { + mbedtls_pkcs7_buf content_type_oid; + struct mbedtls_pkcs7_signed_data signed_data; +} +mbedtls_pkcs7; + +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); + +int mbedtls_pkcs7_parse_der(const unsigned char *buf, const int buflen, mbedtls_pkcs7 *pkcs7); + +int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7, mbedtls_x509_crt *cert, const unsigned char *data, int datalen); + +int mbedtls_pkcs7_load_file( const char *path, unsigned char **buf, size_t *n ); + +#if defined(MBEDTLS_SELF_TEST) + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int mbedtls_x509_self_test( int verbose ); + +#endif /* MBEDTLS_SELF_TEST */ + +#define MBEDTLS_X509_SAFE_SNPRINTF \ + do { \ + if( ret < 0 || (size_t) ret >= n ) \ + return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \ + \ + n -= (size_t) ret; \ + p += (size_t) ret; \ + } while( 0 ) + +#ifdef __cplusplus +} +#endif + +/* + * PKCS#7 OIDs + */ +#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 */ + +#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ + + + + +#endif /* pkcs7.h */ From patchwork Wed Dec 4 00:06:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203930 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK3G6VdTz9s4Y for ; Wed, 4 Dec 2019 11:09:30 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK3G4fcVzDqQh for ; Wed, 4 Dec 2019 11:09:30 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0c2m9hzDqSD for ; Wed, 4 Dec 2019 11:07:12 +1100 (AEDT) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWFYP005758 for ; Tue, 3 Dec 2019 19:07:10 -0500 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wn3pedp7t-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:09 -0500 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:07 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:07:06 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB4073we56426590 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:07:03 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 03CFFA404D; Wed, 4 Dec 2019 00:07:03 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 79CA0A4051; Wed, 4 Dec 2019 00:07:01 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:07:01 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:49 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-4275-0000-0000-0000038AC493 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-4276-0000-0000-0000389E646D Message-Id: <20191204000650.28649-7-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 priorityscore=1501 mlxscore=0 adultscore=0 impostorscore=0 suspectscore=0 bulkscore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 6/7] secvar/backend: add edk2 derived key updates processing X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Nayna Jain As part of secureboot key management, the scheme for key updates processing is derived from tianocore reference implementation[1]. This includes the verification of key updates signed in the form of PKCS7 structure. This patch adds the PKCS7 verification support for the signed updates processed by the user. It also adds the preprocessing code which initializes the empty non-volatile variables. This patch is still a work-in-progress, for example. it still needs to add the support for any additional post-processing steps and better failure handling. V2: - fixed memcpy based on sizeof(keylen) rather than the value - added version and compatible values to driver struct - renamed to edk2-compat V4: - added draft document for general concepts - stores PK in the tpm - empty variables don't attempt to preallocate space - many malloc->zalloc changes - removed hard coded example variables - removed most printfs, converted some to prlog - updated for new pkcs7 implementation - removed unnecessary "SecureBoot", and "SecureMode" variables, handled by devtree entry [1] https://github.com/tianocore/edk2-staging.git Signed-off-by: Nayna Jain Signed-off-by: Eric Richter --- doc/secvar/edk2.rst | 49 ++ include/secvar.h | 1 + libstb/secvar/backend/Makefile.inc | 4 +- libstb/secvar/backend/edk2-compat.c | 667 ++++++++++++++++ libstb/secvar/backend/edk2.h | 243 ++++++ libstb/secvar/test/Makefile.check | 6 +- libstb/secvar/test/edk2_test_data.h | 764 +++++++++++++++++++ libstb/secvar/test/secvar-test-edk2-compat.c | 260 +++++++ libstb/secvar/test/secvar_common_test.c | 2 + 9 files changed, 1992 insertions(+), 4 deletions(-) create mode 100644 doc/secvar/edk2.rst create mode 100644 libstb/secvar/backend/edk2-compat.c create mode 100644 libstb/secvar/backend/edk2.h create mode 100644 libstb/secvar/test/edk2_test_data.h create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c diff --git a/doc/secvar/edk2.rst b/doc/secvar/edk2.rst new file mode 100644 index 00000000..e0c29457 --- /dev/null +++ b/doc/secvar/edk2.rst @@ -0,0 +1,49 @@ +.. _secvar/edk2: + +Skiboot edk2-compatible Secure Variable Backend +=============================================== + +Overview +-------- + +The edk2 secure variable backend for skiboot borrows from edk2 concepts +such as the three key hierarchy (PK, KEK, and db), and a similar +structure. In general, variable updates must be signed with a key +of a higher level. So, updates to the db must be signed with a key stored +in the KEK; updates to the KEK must be signed with the PK. Updates to the +PK must be signed with the previous PK (if any). + +Variables are stored in the efi signature list format, and updates are a +signed variant that includes an authentication header. + +If no PK is currently enrolled, the system is considered to be in "Setup +Mode". Any key can be enrolled without signature checks. However, once a +PK is enrolled, the system switches to "User Mode", and each update must +now be signed according to the hierarchy. Furthermore, when in "User +Mode", the backend initialized the ``os-secure-mode`` device tree flag, +signaling to the kernel that we are in secure mode. + +Updates are processed sequentially, in the order that they were provided +in the update queue. If any update fails to validate, appears to be +malformed, or any other error occurs, NO updates will not be applied. +This includes updates that may have successfully applied prior to the +error. The system will continue in an error state, reporting the error +reason via the ``update-status`` device tree property. + +P9 Special Case for the Platform Key +------------------------------------ + +Due to the powerful nature of the platform key and the lack of lockable +flash, the edk2 backend will store the PK in TPM NV rather than PNOR on +P9 systems. (TODO expand on this) + +Update Status Return Codes +-------------------------- + +TODO, edk2 driver needs to actually return these properly first + + +Device Tree Bindings +-------------------- + +TODO diff --git a/include/secvar.h b/include/secvar.h index 2875c700..8b701e00 100644 --- a/include/secvar.h +++ b/include/secvar.h @@ -24,6 +24,7 @@ struct secvar_backend_driver { }; extern struct secvar_storage_driver secboot_tpm_driver; +extern struct secvar_backend_driver edk2_compatible_v1; int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver); diff --git a/libstb/secvar/backend/Makefile.inc b/libstb/secvar/backend/Makefile.inc index cc1a49fa..1c1896ab 100644 --- a/libstb/secvar/backend/Makefile.inc +++ b/libstb/secvar/backend/Makefile.inc @@ -1,11 +1,11 @@ # SPDX-License-Identifier: Apache-2.0 # -*-Makefile-*- -SECVAR_BACKEND_DIR = libstb/secvar/backend +SECVAR_BACKEND_DIR = $(SRC)/libstb/secvar/backend SUBDIRS += $(SECVAR_BACKEND_DIR) -SECVAR_BACKEND_SRCS = +SECVAR_BACKEND_SRCS = edk2-compat.c SECVAR_BACKEND_OBJS = $(SECVAR_BACKEND_SRCS:%.c=%.o) SECVAR_BACKEND = $(SECVAR_BACKEND_DIR)/built-in.a diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c new file mode 100644 index 00000000..8ee73dc0 --- /dev/null +++ b/libstb/secvar/backend/edk2-compat.c @@ -0,0 +1,667 @@ +// SPDX-License-Identifier: Apache-2.0 +/* Copyright 2019 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt +#endif + +#include +#include +#include +#include +#include +#include +#include "libstb/crypto/pkcs7/pkcs7.h" +#include "edk2.h" +#include "opal-api.h" +#include "../secvar.h" +#include "../secvar_devtree.h" +#include "../secvar_tpmnv.h" +#include + +#define TPMNV_ID_EDK2_PK 0x4532504b // E2PK + +static bool setup_mode; + +/* + * Converts utf8 string to ucs2 + */ +static char *utf8_to_ucs2(const char *key, const char keylen) +{ + int i; + char *str; + str = zalloc(keylen * 2); + + for (i = 0; i < keylen*2; key++) { + str[i++] = *key; + str[i++] = '\0'; + } + return str; +} + +/* + * Returns true if key1 = key2 + */ +static bool key_equals(const char *key1, const char *key2) +{ + if (memcmp(key1, key2, strlen(key2)+1) == 0) + return true; + + return false; +} + +/** + * Returns the authority that can sign the given key update + */ +static void get_key_authority(const char *ret[3], const char *key) +{ + int i = 0; + + memset(ret, 0, sizeof(char *) * 3); + if (key_equals(key, "PK")) + ret[i++] = "PK"; + if (key_equals(key, "KEK")) + ret[i++] = "PK"; + if (key_equals(key, "db") || key_equals(key, "dbx")) { + ret[i++] = "KEK"; + ret[i++] = "PK"; + } + ret[i] = NULL; +} + +/* + * PK needs to be stored in the TPMNV space if on p9 + * We store it using the form , the + * extra secvar headers are unnecessary + */ +static int edk2_p9_load_pk(void) +{ + struct secvar_node *pkvar; + uint64_t size; + int rc; + + // Ensure it exists + rc = secvar_tpmnv_alloc(TPMNV_ID_EDK2_PK, -1); + + // Peek to get the size + rc = secvar_tpmnv_read(TPMNV_ID_EDK2_PK, &size, sizeof(size), 0); + if (rc == OPAL_EMPTY) + return 0; + else if (rc) + return -1; + + if (size > secvar_storage.max_var_size) + return OPAL_RESOURCE; + + pkvar = alloc_secvar(size); + memcpy(pkvar->var->key, "PK", 3); + pkvar->var->key_len = 3; + pkvar->var->data_size = size; + pkvar->flags |= SECVAR_FLAG_VOLATILE; + + rc = secvar_tpmnv_read(TPMNV_ID_EDK2_PK, pkvar->var->data, pkvar->var->data_size, sizeof(pkvar->var->data_size)); + if (rc) + return rc; + + list_add_tail(&variable_bank, &pkvar->link); + + return OPAL_SUCCESS; +} + +/* + * Writes the PK to the TPM. + */ +static int edk2_p9_write_pk(void) +{ + char *tmp; + int32_t tmpsize; + struct secvar_node *pkvar; + int rc; + + pkvar = find_secvar("PK", 3, &variable_bank); + + // Should not happen + if (!pkvar) + return OPAL_INTERNAL_ERROR; + + // Reset the pk flag to volatile on p9 + pkvar->flags |= SECVAR_FLAG_VOLATILE; + + tmpsize = secvar_tpmnv_size(TPMNV_ID_EDK2_PK); + if (tmpsize < 0) { + prlog(PR_ERR, "TPMNV space for PK was not allocated properly\n"); + return OPAL_RESOURCE; + } + if (tmpsize < pkvar->var->data_size + sizeof(pkvar->var->data_size)) { + prlog(PR_ERR, "TPMNV PK space is insufficient, %d < %llu\n", tmpsize, + // Cast needed because x86 compiler complains building the test + (long long unsigned) pkvar->var->data_size + sizeof(pkvar->var->data_size)); + return OPAL_RESOURCE; + } + + tmp = zalloc(tmpsize); + if (!tmp) + return OPAL_NO_MEM; + + memcpy(tmp, &pkvar->var->data_size, sizeof(pkvar->var->data_size)); + memcpy(tmp + sizeof(pkvar->var->data_size), + pkvar->var->data, + pkvar->var->data_size); + + tmpsize = pkvar->var->data_size + sizeof(pkvar->var->data_size); + + rc = secvar_tpmnv_write(TPMNV_ID_EDK2_PK, tmp, tmpsize, 0); + + free(tmp); + + return rc; +} + +/* + * Returns the size of the certificate contained in the ESL. + */ +static int get_esl_cert_size(char *buf) +{ + EFI_SIGNATURE_LIST list; + uint32_t sigsize; + + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST)); + + sigsize = le32_to_cpu(list.SignatureListSize) - sizeof(list) + - le32_to_cpu(list.SignatureHeaderSize); + + return sigsize; +} + +/* + * Copies the certificate from the ESL into cert buffer. + */ +static int get_esl_cert(char *buf, char **cert) +{ + int sig_data_offset; + int size; + EFI_SIGNATURE_LIST list; + + memset(&list, 0, sizeof(EFI_SIGNATURE_LIST)); + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST)); + + sig_data_offset = sizeof(list.SignatureType) + + sizeof(list.SignatureListSize) + + sizeof(list.SignatureHeaderSize) + + sizeof(list.SignatureSize) + + le32_to_cpu(list.SignatureHeaderSize) + + 16 * sizeof(uint8_t); + + size = le32_to_cpu(list.SignatureSize) - sizeof(EFI_SIGNATURE_LIST); + memcpy(*cert, buf + sig_data_offset, size); + + return 0; +} + +/* + * Extracts size of the PKCS7 signed data embedded in the + * struct Authentication 2 Descriptor Header. + */ +static int get_pkcs7_len(struct efi_variable_authentication_2 *auth) +{ + uint32_t dw_length = le32_to_cpu(auth->auth_info.hdr.dw_length); + int size; + + size = dw_length - (sizeof(auth->auth_info.hdr.dw_length) + + sizeof(auth->auth_info.hdr.w_revision) + + sizeof(auth->auth_info.hdr.w_certificate_type) + + sizeof(auth->auth_info.cert_type)); + + return size; +} + +/* + * Return the timestamp from the Authentication 2 Descriptor. + */ +static int get_timestamp_from_auth(char *data, char **timestamp) +{ + if (!timestamp) + return OPAL_PARAMETER; + + *timestamp = zalloc(sizeof(struct efi_time)); + if (!(*timestamp)) + return OPAL_NO_MEM; + + memcpy(*timestamp, data, sizeof(struct efi_time)); + + return 0; +} + +/* + * This function outputs the Authentication 2 Descriptor in the + * auth_buffer and returns the size of the buffer. + */ +static int get_auth_descriptor2(void *data, char **auth_buffer) +{ + struct efi_variable_authentication_2 *auth = data; + uint64_t auth_buffer_size; + int len; + + if (!auth_buffer) + return OPAL_PARAMETER; + + len = get_pkcs7_len(auth); + if (len < 0) + return OPAL_NO_MEM; + + auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + + sizeof(auth->auth_info.cert_type) + len; + + *auth_buffer = zalloc(auth_buffer_size); + if (!(*auth_buffer)) + return OPAL_NO_MEM; + + memcpy(*auth_buffer, data, auth_buffer_size); + + return auth_buffer_size; +} + +/* + * Initializes supported variables as empty if not loaded from + * storage. Variables are initialized as volatile if not found. + * Updates should clear this flag. + * + * Returns OPAL Error if anything fails in initialization + */ +static int edk2_compat_pre_process(void) +{ + struct secvar_node *pkvar; + struct secvar_node *kekvar; + struct secvar_node *dbvar; + struct secvar_node *dbxvar; + + // If we are on p9, we need to store the PK in write-lockable + // TPMNV space, as we determine our secure mode based on if this + // variable exists. + // NOTE: Activation of this behavior is subject to change in a later + // patch version, ideally the platform should be able to configure + // whether it wants this extra protection, or to instead store + // everything via the storage driver. + if (proc_gen == proc_gen_p9) + edk2_p9_load_pk(); + + pkvar = find_secvar("PK", 3, &variable_bank); + if (!pkvar) { + pkvar = alloc_secvar(0); + if (!pkvar) + return OPAL_NO_MEM; + + memcpy(pkvar->var->key, "PK", 3); + pkvar->var->key_len = 3; + pkvar->flags |= SECVAR_FLAG_VOLATILE; + list_add_tail(&variable_bank, &pkvar->link); + } + + kekvar = find_secvar("KEK", 4, &variable_bank); + if (!kekvar) { + kekvar = alloc_secvar(0); + if (!kekvar) + return OPAL_NO_MEM; + + memcpy(kekvar->var->key, "KEK", 4); + kekvar->var->key_len = 4; + kekvar->flags |= SECVAR_FLAG_VOLATILE; + list_add_tail(&variable_bank, &kekvar->link); + } + + dbvar = find_secvar("db", 3, &variable_bank); + if (!dbvar) { + dbvar = alloc_secvar(0); + if (!dbvar) + return OPAL_NO_MEM; + + memcpy(dbvar->var->key, "db", 3); + dbvar->var->key_len = 3; + dbvar->flags |= SECVAR_FLAG_VOLATILE; + list_add_tail(&variable_bank, &dbvar->link); + } + + dbxvar = find_secvar("dbx", 4, &variable_bank); + if (!dbxvar) { + dbxvar = alloc_secvar(0); + if (!dbxvar) + return OPAL_NO_MEM; + + memcpy(dbxvar->var->key, "dbx", 4); + dbxvar->var->key_len = 4; + dbxvar->flags |= SECVAR_FLAG_VOLATILE; + list_add_tail(&variable_bank, &dbxvar->link); + } + + return OPAL_SUCCESS; +}; + +/** + * Returns true if we are in Setup Mode + * + * Setup Mode is active if we have no PK. + * Otherwise, we are in user mode. + */ +static int is_setup_mode(void) +{ + struct secvar_node *setup; + + setup = find_secvar((char *)"PK", 3, &variable_bank); + + // Not sure why this wouldn't exist + if (!setup) + return 1; + + return !setup->var->data_size; +} + +/** + * Update the variable with the new value. + */ +static int add_to_variable_bank(struct secvar *secvar, void *data, uint64_t dsize) +{ + struct secvar_node *node; + + node = find_secvar(secvar->key, secvar->key_len, &variable_bank); + if (!node) + return OPAL_INTERNAL_ERROR; + + // Expand the secvar allocated memory if needed + if (node->size < dsize) + if (realloc_secvar(node, dsize)) + return OPAL_NO_MEM; + + node->var->data_size = dsize; + memcpy(node->var->data, data, dsize); + node->flags &= ~SECVAR_FLAG_VOLATILE; // Clear the volatile bit when updated + + return 0; +} + +/* + * Verify the PKCS7 signature on the signed data. + */ +static int verify_signature(void *auth_buffer, char *newcert, + uint64_t new_data_size, struct secvar *avar) +{ + struct efi_variable_authentication_2 *auth; + mbedtls_pkcs7 *pkcs7; + mbedtls_x509_crt x509; + char *checkpkcs7cert; + char *signing_cert; + char *x509_buf; + int len; + int signing_cert_size; + int rc; + char *errbuf; + + auth = auth_buffer; + + len = get_pkcs7_len(auth); + + pkcs7 = malloc(sizeof(struct mbedtls_pkcs7)); + mbedtls_pkcs7_init(pkcs7); + + rc = mbedtls_pkcs7_parse_der( + (const unsigned char *)auth->auth_info.cert_data, + (const unsigned int)len, pkcs7); + if (rc) { + prlog(PR_ERR, "Parsing pkcs7 failed %04x\n", rc); + goto pkcs7out; + } + + checkpkcs7cert = zalloc(2048); + mbedtls_x509_crt_info(checkpkcs7cert, 2048, "CRT:", &(pkcs7->signed_data.certs)); + prlog(PR_DEBUG, "%s \n", checkpkcs7cert); + free(checkpkcs7cert); + + prlog(PR_INFO, "Load the signing certificate from the keystore"); + + signing_cert_size = get_esl_cert_size(avar->data); + signing_cert = zalloc(signing_cert_size); + get_esl_cert(avar->data, &signing_cert); + + mbedtls_x509_crt_init(&x509); + rc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size); + if(rc) { + prlog(PR_INFO, "X509 certificate parsing failed %04x\n", rc); + goto signout; + } + + x509_buf = zalloc(2048); + mbedtls_x509_crt_info(x509_buf, 2048, "CRT:", &x509); + prlog(PR_INFO, "%s \n", x509_buf); + free(x509_buf); + + rc = mbedtls_pkcs7_signed_data_verify(pkcs7, &x509, newcert, new_data_size); + + if (rc) { + errbuf = zalloc(1024); + mbedtls_strerror(rc, errbuf, 1024); + prlog(PR_INFO, "Signature Verification failed %02x %s\n", rc, errbuf); + free(errbuf); + goto signout; + } + + prlog(PR_INFO, "Signature Verification passed\n"); + +signout: + free(signing_cert); + +pkcs7out: + free(pkcs7); + + return rc; +} + + +/** + * Create the single buffer + * name || vendor guid || attributes || timestamp || newcontent + * which is submitted as signed by the user. + */ +static int get_data_to_verify(char *key, char *new_data, + uint64_t new_data_size, + char **buffer, + uint64_t *buffer_size, char *timestamp) +{ + le32 attr = cpu_to_le32(SECVAR_ATTRIBUTES); + int size = 0; + int varlen; + char *wkey; + uuid_t guid; + + if (key_equals(key, "PK") + || key_equals(key, "KEK")) + guid = EFI_GLOBAL_VARIABLE_GUID; + + if (key_equals(key, "db") + || key_equals(key, "dbx")) + guid = EFI_IMAGE_SECURITY_DATABASE_GUID; + + // Convert utf8 name to ucs2 width + varlen = strlen(key) * 2; + wkey = utf8_to_ucs2(key, strlen(key)); + + // Prepare the single buffer + *buffer_size = varlen + UUID_SIZE + sizeof(attr) + + sizeof(struct efi_time) + new_data_size; + *buffer = zalloc(*buffer_size); + + memcpy(*buffer + size, wkey, varlen); + size = size + varlen; + memcpy(*buffer + size, &guid, sizeof(guid)); + size = size + sizeof(guid); + memcpy(*buffer + size, &attr, sizeof(attr)); + size = size + sizeof(attr); + memcpy(*buffer + size, timestamp , sizeof(struct efi_time)); + size = size + sizeof(struct efi_time); + + memcpy(*buffer + size, new_data, new_data_size); + size = size + new_data_size; + + free(wkey); + + return 0; +} + +static int edk2_compat_process(void) +{ + char *auth_buffer = NULL; + uint64_t auth_buffer_size = 0; + char *timestamp = NULL; + const char *key_authority[3]; + char *newesl = NULL; + uint64_t new_data_size = 0; + char *tbhbuffer = NULL; + uint64_t tbhbuffersize = 0; + struct secvar_node *anode = NULL; + struct secvar_node *node = NULL; + int rc = 0; + int pk_updated = 0; + int i; + + setup_mode = is_setup_mode(); + + prlog(PR_INFO, "Setup mode = %d\n", setup_mode); + + /* Loop through each command in the update bank. + * If any command fails, it just loops out of the update bank. + * It should also clear the update bank. + */ + list_for_each(&update_bank, node, link) { + + /* Submitted data is auth_2 descriptor + new ESL data + * Extract the auth_2 2 descriptor + */ + prlog(PR_INFO, "update for %s\n", node->var->key); + auth_buffer_size = get_auth_descriptor2(node->var->data, &auth_buffer); + if (auth_buffer_size <= 0) + return OPAL_PARAMETER; + + if (node->var->data_size < auth_buffer_size) { + rc = OPAL_PARAMETER; + goto out; + } + + rc = get_timestamp_from_auth(auth_buffer, ×tamp); + if (rc < 0) + goto out; + + /* Calculate the size of new ESL data */ + new_data_size = node->var->data_size - auth_buffer_size; + newesl = zalloc(new_data_size); + memcpy(newesl, node->var->data + auth_buffer_size, new_data_size); + + if (!setup_mode) { + /* Prepare the data to be verified */ + rc = get_data_to_verify(node->var->key, newesl, + new_data_size, &tbhbuffer, + &tbhbuffersize, timestamp); + + /* Get the authority to verify the signature */ + get_key_authority(key_authority, node->var->key); + i = 0; + + /* Try for all the authorities that are allowed to sign. + * For eg. db/dbx can be signed by both PK or KEK + */ + while (key_authority[i] != NULL) { + prlog(PR_DEBUG, "key is %s\n", node->var->key); + prlog(PR_DEBUG, "key authority is %s\n", key_authority[i]); + anode = find_secvar(key_authority[i], strlen(key_authority[i]) + 1, + &variable_bank); + if (!anode) { + rc = OPAL_PERMISSION; + goto out; + } + if (anode->var->data_size == 0) { + rc = OPAL_PERMISSION; + goto out; + } + + /* Verify the signature */ + rc = verify_signature(auth_buffer, tbhbuffer, + tbhbuffersize, anode->var); + + /* Break if signature verification is successful */ + if (!rc) + break; + i++; + } + } + + if (rc) + goto out; + + /* + * If reached here means, signature is verified so update the + * value in the variable bank + */ + add_to_variable_bank(node->var, newesl, new_data_size); + + /* If the PK is updated, update the secure boot state of the + * system at the end of processing */ + if (key_equals(node->var->key, "PK")) { + pk_updated = 1; + setup_mode = 0; + } + } + + if (pk_updated) { + // Store the updated pk in TPMNV on p9 + if (proc_gen == proc_gen_p9) { + rc = edk2_p9_write_pk(); + prlog(PR_INFO, "edk2_p9_write rc=%d\n", rc); + } + } + +out: + if (auth_buffer) + free(auth_buffer); + if (newesl) + free(newesl); + if (tbhbuffer) + free(tbhbuffer); + if (timestamp) + free(timestamp); + + clear_bank_list(&update_bank); + + return rc; +} + +static int edk2_compat_post_process(void) +{ + if (!setup_mode) { + secvar_set_secure_mode(); + prlog(PR_INFO, "Enforcing OS secure mode\n"); + } + + return 0; +} + +static int edk2_compat_validate(struct secvar *var) +{ + + //Checks if the update is for supported + //Non-volatile secure variales + if (key_equals(var->key, "PK") + || key_equals(var->key, "KEK") + || key_equals(var->key, "db") + || key_equals(var->key, "dbx")) + return 1; + //Some more checks needs to be added: + // - check guid + // - check auth struct + // - possibly check signature? can't add but can validate + + return 0; +}; + +struct secvar_backend_driver edk2_compatible_v1 = { + .pre_process = edk2_compat_pre_process, + .process = edk2_compat_process, + .post_process = edk2_compat_post_process, + .validate = edk2_compat_validate, + .compatible = "ibm,edk2-compat-v1", +}; diff --git a/libstb/secvar/backend/edk2.h b/libstb/secvar/backend/edk2.h new file mode 100644 index 00000000..f6ab2e85 --- /dev/null +++ b/libstb/secvar/backend/edk2.h @@ -0,0 +1,243 @@ +/* Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. This + * program and the accompanying materials are licensed and made available + * under the terms and conditions of the 2-Clause BSD License which + * accompanies this distribution. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * This file is derived from the following files referred from edk2-staging[1] repo + * of tianocore + * + * MdePkg/Include/Guid/GlobalVariable.h + * MdePkg/Include/Guid/WinCertificate.h + * MdePkg/Include/Uefi/UefiMultiPhase.h + * MdePkg/Include/Uefi/UefiBaseType.h + * MdePkg/Include/Guid/ImageAuthentication.h + * + * [1] https://github.com/tianocore/edk2-staging + * + * Copyright 2019 IBM Corp. + */ + +#ifndef __EDK2_H__ +#define __EDK2_H__ + +#define UUID_SIZE 16 + +typedef struct { + u8 b[UUID_SIZE]; +} uuid_t; + +#define EFI_GLOBAL_VARIABLE_GUID (uuid_t){{0x61, 0xDF, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11, 0xaa, \ + 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}} + +#define EFI_IMAGE_SECURITY_DATABASE_GUID (uuid_t){{0xcb, 0xb2, 0x19, 0xd7, 0x3a, 0x3d, 0x96, 0x45, \ + 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}} + +#define SECVAR_ATTRIBUTES 39 + +/// +/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 +/// certificate then verification of the signature of an image should validate the public +/// key certificate in the image using certificate path verification, up to this X.509 +/// certificate as a trusted root. The SignatureHeader size shall always be 0. The +/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) + +/// the size of the certificate itself. +/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST. +/// + +#define EFI_CERT_RSA2048_GUID \ + (UUID_INIT) (0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6) + +#define EFI_CERT_TYPE_PKCS7_GUID (uuid_t){{0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, \ + 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7}} + +#define EFI_VARIABLE_NON_VOLATILE 0x00000001 +#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 +#define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 + +/* + * Attributes of Authenticated Variable + */ +#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 +#define EFI_VARIABLE_APPEND_WRITE 0x00000040 +/* + * NOTE: EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated and should be + * considered reserved. + */ +#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 + +/* + * win_certificate.w_certificate_type + */ +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 + +#define SECURE_BOOT_MODE_ENABLE 1 +#define SECURE_BOOT_MODE_DISABLE 0 +/// +/// Depricated value definition for SetupMode variable +/// +#define SETUP_MODE 1 +#define USER_MODE 0 + +/* + * EFI Time Abstraction: + * Year: 1900 - 9999 + * Month: 1 - 12 + * Day: 1 - 31 + * Hour: 0 - 23 + * Minute: 0 - 59 + * Second: 0 - 59 + * Nanosecond: 0 - 999,999,999 + * TimeZone: -1440 to 1440 or 2047 + */ +struct efi_time { + u16 year; + u8 month; + u8 day; + u8 hour; + u8 minute; + u8 second; + u8 pad1; + u32 nanosecond; + s16 timezone; + u8 daylight; + u8 pad2; +}; +//*********************************************************************** +// Signature Database +//*********************************************************************** +/// +/// The format of a signature database. +/// +#pragma pack(1) + +typedef struct { + /// + /// An identifier which identifies the agent which added the signature to the list. + /// + uuid_t SignatureOwner; + /// + /// The format of the signature is defined by the SignatureType. + /// + unsigned char SignatureData[1]; +} EFI_SIGNATURE_DATA; + +typedef struct { + /// + /// Type of the signature. GUID signature types are defined in below. + /// + uuid_t SignatureType; + /// + /// Total size of the signature list, including this header. + /// + uint32_t SignatureListSize; + /// + /// Size of the signature header which precedes the array of signatures. + /// + uint32_t SignatureHeaderSize; + /// + /// Size of each signature. + /// + uint32_t SignatureSize; + /// + /// Header before the array of signatures. The format of this header is specified + /// by the SignatureType. + /// UINT8 SignatureHeader[SignatureHeaderSize]; + /// + /// An array of signatures. Each signature is SignatureSize bytes in length. + /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; + /// +} EFI_SIGNATURE_LIST; + + +/* + * The win_certificate structure is part of the PE/COFF specification. + */ +struct win_certificate { + /* + * The length of the entire certificate, including the length of the + * header, in bytes. + */ + u32 dw_length; + /* + * The revision level of the WIN_CERTIFICATE structure. The current + * revision level is 0x0200. + */ + u16 w_revision; + /* + * The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate + * types. The UEFI specification reserves the range of certificate type + * values from 0x0EF0 to 0x0EFF. + */ + u16 w_certificate_type; + /* + * The following is the actual certificate. The format of + * the certificate depends on wCertificateType. + */ + /// UINT8 bCertificate[ANYSIZE_ARRAY]; +}; + +/* + * Certificate which encapsulates a GUID-specific digital signature + */ +struct win_certificate_uefi_guid { + /* + * This is the standard win_certificate header, where w_certificate_type + * is set to WIN_CERT_TYPE_EFI_GUID. + */ + struct win_certificate hdr; + /* + * This is the unique id which determines the format of the cert_data. + */ + uuid_t cert_type; + /* + * The following is the certificate data. The format of the data is + * determined by the @cert_type. If @cert_type is + * EFI_CERT_TYPE_RSA2048_SHA256_GUID, the @cert_data will be + * EFI_CERT_BLOCK_RSA_2048_SHA256 structure. + */ + u8 cert_data[1]; +}; +/* + * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set, + * then the Data buffer shall begin with an instance of a complete (and + * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be + * followed by the new variable value and DataSize shall reflect the combined + * size of the descriptor and the new variable value. The authentication + * descriptor is not part of the variable data and is not returned by subsequent + * calls to GetVariable(). + */ +struct efi_variable_authentication_2 { + /* + * For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and + * Pad2 shall be set to 0. This means that the time shall always be expressed in GMT. + */ + struct efi_time timestamp; + /* + * Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted. + */ + struct win_certificate_uefi_guid auth_info; +}; + +#endif diff --git a/libstb/secvar/test/Makefile.check b/libstb/secvar/test/Makefile.check index 6dc24f1e..969b5630 100644 --- a/libstb/secvar/test/Makefile.check +++ b/libstb/secvar/test/Makefile.check @@ -29,13 +29,15 @@ $(SECVAR_TEST:%=%-check) : %-check: % $(call QTEST, RUN-TEST ,$(VALGRIND) $<, $<) @$(RM) -f secboot.img +HOSTMBEDFLAGS += -lmbedcrypto -lmbedx509 + $(SECVAR_TEST) : core/test/stubs.o $(SECVAR_TEST) : % : %.c - $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $< core/test/stubs.o, $<) + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTMBEDFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $< core/test/stubs.o, $<) $(SECVAR_TEST:%=%-gcov): %-gcov : %.c % - $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTGCOVCFLAGS) -I include -I . -I libfdt -lgcov -o $@ $< core/test/stubs.o, $<) + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTGCOVCFLAGS) $(HOSTMBEDFLAGS) -I include -I . -I libfdt -lgcov -o $@ $< core/test/stubs.o, $<) -include $(wildcard libstb/secvar/test/*.d) diff --git a/libstb/secvar/test/edk2_test_data.h b/libstb/secvar/test/edk2_test_data.h new file mode 100644 index 00000000..13d4cc80 --- /dev/null +++ b/libstb/secvar/test/edk2_test_data.h @@ -0,0 +1,764 @@ +unsigned char PK_auth[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x21, 0xa2, 0xb4, 0x87, 0x9c, 0xa0, 0xe7, + 0x62, 0x82, 0x2a, 0x50, 0x0f, 0x59, 0xf0, 0x0e, 0xe4, 0xd8, 0xf1, 0x99, + 0xa1, 0x6f, 0x70, 0x76, 0x14, 0xe6, 0x59, 0xa1, 0x7f, 0xc7, 0xf6, 0xfa, + 0x6f, 0x7d, 0x43, 0xb9, 0x4c, 0x0a, 0x6f, 0x2e, 0xc3, 0x46, 0xe5, 0xbd, + 0xea, 0xa8, 0xaa, 0x88, 0x09, 0x99, 0x93, 0xb5, 0x31, 0x41, 0x3e, 0x30, + 0xdb, 0x2f, 0xad, 0x34, 0x45, 0x84, 0xaa, 0xac, 0xd5, 0xa0, 0x1a, 0x16, + 0x55, 0x7c, 0x12, 0xa9, 0x24, 0x0e, 0x5b, 0xc1, 0x28, 0x4b, 0x77, 0x70, + 0x6f, 0xc3, 0x7a, 0xf5, 0x98, 0x32, 0xe2, 0x0d, 0x24, 0x87, 0x70, 0x65, + 0x0c, 0xb1, 0x72, 0x3f, 0xde, 0x07, 0xcb, 0x35, 0x1b, 0x88, 0x0e, 0x4c, + 0x3b, 0x18, 0x65, 0x0e, 0x6c, 0xa9, 0x99, 0x5d, 0xa0, 0x13, 0x99, 0xaa, + 0x91, 0xc4, 0xbd, 0x1a, 0x77, 0x47, 0x2d, 0x0d, 0x0c, 0xda, 0x82, 0xd6, + 0x29, 0xc2, 0x08, 0x3c, 0x7e, 0x2a, 0x3b, 0x38, 0x99, 0x44, 0x51, 0xb1, + 0x41, 0x86, 0xb7, 0xe3, 0x31, 0xe4, 0x0c, 0x1b, 0xb4, 0xfb, 0x53, 0x7b, + 0xb1, 0x32, 0x04, 0x02, 0x40, 0x26, 0xfa, 0x67, 0xfa, 0xc0, 0xb5, 0x9a, + 0xd7, 0x86, 0x33, 0xfa, 0x5a, 0x88, 0x78, 0xf4, 0x45, 0x07, 0xdb, 0x6c, + 0x91, 0x4a, 0x4d, 0x61, 0x4a, 0x8f, 0x14, 0x63, 0x2a, 0x4a, 0xc9, 0x37, + 0x1c, 0xf3, 0xb0, 0x87, 0xd1, 0x1b, 0x10, 0xe2, 0x1e, 0x9b, 0x7b, 0xd6, + 0x44, 0xf2, 0x09, 0x88, 0xdc, 0x82, 0x52, 0x35, 0xec, 0xd7, 0x76, 0xc0, + 0xcc, 0xb4, 0x90, 0x66, 0x29, 0xd5, 0x18, 0xf9, 0xb3, 0x44, 0x70, 0x94, + 0x80, 0x10, 0xd0, 0x33, 0x7e, 0xfa, 0xe7, 0xfc, 0x6b, 0x3e, 0x81, 0x64, + 0xdb, 0xaa, 0x2f, 0x9f, 0x18, 0xc1, 0xae, 0x4a, 0x50, 0x59, 0x9f, 0xd4, + 0x1a, 0x3f, 0xc3, 0x08, 0x08, 0x1c, 0xbf, 0x61, 0xe7, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, + 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, + 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, + 0x2d, 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, + 0x61, 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, + 0xd3, 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, + 0xb4, 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, + 0x0d, 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, + 0x8d, 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, + 0x5f, 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, + 0xf0, 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, + 0x75, 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, + 0x91, 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, + 0xbf, 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, + 0x21, 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, + 0x41, 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, + 0x87, 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, + 0x0e, 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, + 0xac, 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, + 0x2c, 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, + 0xed, 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, + 0x8d, 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, + 0xee, 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, + 0x2a, 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, + 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, + 0xef, 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, + 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, + 0x37, 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, + 0x9c, 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, + 0xb1, 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, + 0x9f, 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, + 0xe5, 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, + 0xe1, 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, + 0xed, 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, + 0xd4, 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, + 0xe0, 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, + 0xcc, 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, + 0x14, 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, + 0x23, 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, + 0xe2, 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, + 0x7f, 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, + 0xfa, 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, + 0x52, 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, + 0xe7, 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, + 0xb7, 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, + 0x0c, 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, + 0x8b, 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, + 0xe7, 0x12, 0xe1, 0x66, 0x15, +}; +unsigned int PK_auth_len = 1985; + +unsigned char ValidKEK_auth[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0xbf, 0xe8, 0x0c, 0x4c, 0x32, 0x9a, 0x6e, + 0x05, 0x20, 0x92, 0xa5, 0x65, 0x4e, 0xc3, 0x46, 0x24, 0x8d, 0xaf, 0x84, + 0xd5, 0xe6, 0x43, 0xa0, 0x12, 0xa1, 0x4b, 0x98, 0x71, 0x5e, 0xe6, 0xed, + 0x2c, 0x1d, 0x83, 0xeb, 0x67, 0xb5, 0x85, 0x57, 0xce, 0x1a, 0x01, 0x20, + 0x2b, 0x79, 0xe0, 0x07, 0x8f, 0x25, 0x8e, 0xf4, 0xdf, 0x17, 0x83, 0xe6, + 0x4f, 0xf0, 0xba, 0x98, 0xb7, 0xc4, 0x82, 0xae, 0x8b, 0x63, 0xa0, 0x77, + 0x6b, 0xe2, 0x63, 0x36, 0x0a, 0xce, 0x7c, 0x0a, 0xb9, 0x25, 0xa7, 0xf6, + 0x26, 0x06, 0x40, 0x49, 0xeb, 0x40, 0x7b, 0xff, 0xb0, 0xc7, 0xf6, 0xd2, + 0x7f, 0x5e, 0x17, 0xf5, 0x28, 0x37, 0x0d, 0x82, 0x32, 0x22, 0xfb, 0xdd, + 0x52, 0x00, 0xc4, 0x63, 0xda, 0x4c, 0x81, 0x88, 0xc3, 0xda, 0x36, 0x40, + 0x18, 0xea, 0x8e, 0x6e, 0x2f, 0xeb, 0xc1, 0xb7, 0x69, 0x0d, 0xe3, 0xd6, + 0xda, 0xca, 0x10, 0xac, 0x88, 0x4a, 0x88, 0x13, 0xfe, 0x93, 0x48, 0xf5, + 0x00, 0x6e, 0x98, 0xb4, 0x9c, 0xc9, 0x24, 0xfc, 0xfb, 0x6a, 0x72, 0x40, + 0x76, 0x79, 0x10, 0x5c, 0xa1, 0x96, 0x95, 0x15, 0x7e, 0x6d, 0x07, 0x2c, + 0x02, 0xb1, 0xf8, 0xa9, 0x07, 0x1a, 0xba, 0x67, 0xc5, 0x7d, 0x6a, 0xdf, + 0x0c, 0xa1, 0xee, 0x6f, 0xbc, 0xac, 0x8e, 0xee, 0x43, 0x1f, 0xb2, 0xac, + 0xaf, 0x43, 0x67, 0xef, 0x6e, 0xac, 0x7a, 0x72, 0x85, 0xb3, 0x64, 0x93, + 0xde, 0x16, 0x13, 0x10, 0xd9, 0x98, 0x13, 0xec, 0x71, 0xb0, 0xef, 0x67, + 0x7d, 0x0c, 0x10, 0xde, 0x98, 0xe0, 0xc7, 0x56, 0x00, 0xbf, 0x21, 0x38, + 0x99, 0x2f, 0xf6, 0x52, 0x9b, 0x7e, 0x44, 0xd7, 0x85, 0x49, 0xd1, 0x2b, + 0x4f, 0xcb, 0x6e, 0x9d, 0x63, 0x93, 0xe0, 0xd2, 0xcb, 0x8b, 0x28, 0xb6, + 0x43, 0xc6, 0x12, 0x1f, 0xd6, 0x94, 0xad, 0xc7, 0xf2, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x22, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf2, 0x30, 0x82, 0x01, + 0xda, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xfe, 0xdd, 0x2e, + 0xec, 0xe0, 0x22, 0xdd, 0xf9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, + 0x35, 0x36, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, + 0x39, 0x31, 0x38, 0x35, 0x36, 0x33, 0x31, 0x5a, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0xf8, 0xab, + 0xdb, 0xc2, 0xf5, 0x51, 0xde, 0x7b, 0x9f, 0x28, 0xff, 0xae, 0xdb, 0xa5, + 0xbf, 0x73, 0x63, 0x99, 0x5e, 0x04, 0xa5, 0x9d, 0xfd, 0xcd, 0x24, 0x2e, + 0xdd, 0x0b, 0x02, 0x88, 0xe9, 0x71, 0x7b, 0xf2, 0x89, 0x90, 0xae, 0xaf, + 0x0d, 0xa0, 0x68, 0x4d, 0x31, 0x1b, 0x30, 0xe8, 0x19, 0x2e, 0xfc, 0x33, + 0x8f, 0xee, 0x6d, 0x2a, 0x0a, 0x09, 0x42, 0x34, 0xc1, 0x40, 0xa8, 0xe8, + 0xb6, 0xc7, 0x92, 0x5d, 0xa5, 0x96, 0x14, 0xd7, 0xaf, 0x8c, 0x71, 0x6b, + 0x4e, 0x7d, 0x6e, 0xfa, 0x73, 0x1c, 0x40, 0x4c, 0x05, 0x9e, 0xfa, 0xb2, + 0x4c, 0x8c, 0xcb, 0x9d, 0xe2, 0xa9, 0x04, 0x01, 0x91, 0x5b, 0xbf, 0xff, + 0x85, 0x54, 0x2a, 0x65, 0x96, 0x84, 0x6f, 0xfa, 0x99, 0x1c, 0x9e, 0xe0, + 0x77, 0x68, 0x4d, 0x58, 0x2a, 0xc7, 0xc0, 0x8f, 0x71, 0x5a, 0x8f, 0xa9, + 0xff, 0x44, 0xed, 0xf7, 0xe4, 0x47, 0xd8, 0x4c, 0x9c, 0xf4, 0x78, 0xa0, + 0xb3, 0x37, 0xaf, 0x43, 0x0b, 0x03, 0x6f, 0xe4, 0xe1, 0x2d, 0x52, 0x0b, + 0x4b, 0x62, 0xc6, 0x2f, 0xe3, 0xfc, 0x32, 0xf2, 0xe2, 0x11, 0x1c, 0xac, + 0xdf, 0x5a, 0xe8, 0xdd, 0x55, 0x65, 0xa4, 0x6f, 0x61, 0xb7, 0x0f, 0x1c, + 0xc6, 0x08, 0x2a, 0xaf, 0x5d, 0x36, 0x50, 0x06, 0x7b, 0x49, 0xa0, 0x8b, + 0x1c, 0x93, 0xdc, 0x72, 0x69, 0x7b, 0xf1, 0xcc, 0xee, 0xa4, 0xe8, 0xd0, + 0x7b, 0x5f, 0x61, 0xbc, 0xbe, 0x20, 0xfb, 0x0b, 0xaa, 0x54, 0xf6, 0xe0, + 0x13, 0xad, 0xe8, 0x96, 0x53, 0x6a, 0xa9, 0x4b, 0xa1, 0xcf, 0x56, 0x10, + 0xbc, 0x2a, 0x09, 0xc9, 0x0a, 0xcc, 0x8d, 0x20, 0xdd, 0x4d, 0x14, 0xc7, + 0x08, 0xab, 0xc1, 0xc3, 0xaf, 0x0b, 0x35, 0x40, 0x57, 0x34, 0x97, 0x3b, + 0xa2, 0x2d, 0xa3, 0x46, 0xc1, 0x30, 0x14, 0x88, 0xa8, 0x74, 0x79, 0xdd, + 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd7, 0x75, 0xfc, + 0xed, 0xb7, 0xc8, 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, + 0xbe, 0x57, 0x0d, 0x94, 0xa8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, + 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, + 0x94, 0xa8, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x58, 0xd2, 0x25, 0xa3, 0xe6, 0xaa, 0xb9, 0x56, 0x67, + 0xc3, 0xa6, 0x4b, 0x88, 0x99, 0xfe, 0xde, 0xc6, 0x16, 0x4c, 0x43, 0x1b, + 0xb8, 0xea, 0xe3, 0x77, 0xc4, 0xe4, 0x66, 0x15, 0x9f, 0x92, 0x6d, 0xe3, + 0x7f, 0x3c, 0xac, 0x88, 0x8b, 0xb9, 0xc5, 0x5c, 0x39, 0x4f, 0x02, 0x75, + 0x5a, 0x3d, 0xc5, 0xaf, 0xad, 0x8f, 0x32, 0xd4, 0x5a, 0x44, 0xc8, 0xcb, + 0x1f, 0x40, 0xa1, 0x44, 0xef, 0xa8, 0x2a, 0xa4, 0x0d, 0x7a, 0x25, 0xe1, + 0x6c, 0x09, 0x4b, 0x96, 0x6a, 0x73, 0x0f, 0xe0, 0x9b, 0x0e, 0x26, 0xff, + 0x61, 0x96, 0xc4, 0xb6, 0x10, 0xe1, 0x90, 0x36, 0xfd, 0x96, 0xb5, 0x90, + 0xb0, 0x76, 0xed, 0xc2, 0x17, 0xc0, 0xfe, 0xd4, 0x38, 0xff, 0x7f, 0xc3, + 0xa0, 0x88, 0x60, 0xe8, 0x27, 0x10, 0x34, 0x35, 0x93, 0x59, 0xcb, 0x12, + 0xe5, 0x25, 0xaf, 0x2d, 0x1d, 0x7d, 0x3f, 0x16, 0x95, 0x71, 0x57, 0x8e, + 0x3f, 0xc2, 0xad, 0x8e, 0xc4, 0x0e, 0xe1, 0xed, 0x46, 0xf9, 0xd7, 0x07, + 0x85, 0xb3, 0x05, 0xbe, 0xf1, 0x4c, 0xba, 0xf1, 0x34, 0xe5, 0xd5, 0x26, + 0x9b, 0x6c, 0x15, 0x9e, 0x35, 0xa2, 0xd5, 0x81, 0x09, 0x36, 0x05, 0xa6, + 0x99, 0x1f, 0xa2, 0x17, 0x35, 0x3a, 0x38, 0x18, 0x52, 0x44, 0xcf, 0x22, + 0xb3, 0x69, 0xba, 0x07, 0x74, 0x48, 0x1c, 0x8e, 0x4c, 0xa7, 0xb0, 0xc2, + 0x65, 0x6c, 0x1d, 0x30, 0xe2, 0x82, 0xc2, 0x35, 0x60, 0x25, 0xf2, 0xb1, + 0x05, 0x18, 0x0a, 0x73, 0x87, 0x27, 0xee, 0x6e, 0xc2, 0x5f, 0xff, 0xd8, + 0xfc, 0x77, 0x06, 0x2e, 0x3d, 0x4f, 0xa1, 0x14, 0x04, 0x5d, 0xae, 0x38, + 0x28, 0xf9, 0x3d, 0x82, 0x5f, 0xc6, 0xd0, 0x31, 0x21, 0x88, 0xda, 0x7f, + 0x78, 0xe3, 0xb7, 0xed, 0x52, 0x37, 0xf4, 0x29, 0x08, 0x88, 0x50, 0x54, + 0x56, 0x67, 0xc0, 0xe1, 0xf4, 0xe7, 0xcf, +}; +unsigned int ValidKEK_auth_len = 1987; + +unsigned char InvalidKEK_auth[] = { + 0x00, 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x91, 0x04 , 0x00 , 0x00 , 0x00 , 0x02 , 0xf1 , 0x0e , 0x9d , 0xd2 , 0xaf , 0x4a , 0xdf , 0x68 , 0xee , 0x49 , + 0x8a, 0xa9 , 0x34 , 0x7d , 0x37 , 0x56 , 0x65 , 0xa7 , 0x30 , 0x82 , 0x04 , 0x75 , 0x06 , 0x09 , 0x2a , 0x86 , + 0x48, 0x86 , 0xf7 , 0x0d , 0x01 , 0x07 , 0x02 , 0xa0 , 0x82 , 0x04 , 0x66 , 0x30 , 0x82 , 0x04 , 0x62 , 0x02 , + 0x01, 0x01 , 0x31 , 0x0f , 0x30 , 0x0d , 0x06 , 0x09 , 0x60 , 0x86 , 0x48 , 0x01 , 0x65 , 0x03 , 0x04 , 0x02 , + 0x01, 0x05 , 0x00 , 0x30 , 0x0b , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x07 , 0x01 , + 0xa0, 0x82 , 0x02 , 0xf4 , 0x30 , 0x82 , 0x02 , 0xf0 , 0x30 , 0x82 , 0x01 , 0xd8 , 0xa0 , 0x03 , 0x02 , 0x01 , + 0x02, 0x02 , 0x09 , 0x00 , 0xec , 0x89 , 0x21 , 0xbe , 0xc3 , 0xb0 , 0x04 , 0xc6 , 0x30 , 0x0d , 0x06 , 0x09 , + 0x2a, 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x0b , 0x05 , 0x00 , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , + 0x09, 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , 0x02 , 0x50 , 0x4b , 0x30 , 0x1e , 0x17 , 0x0d , 0x31 , 0x39 , + 0x30, 0x31 , 0x31 , 0x32 , 0x31 , 0x38 , 0x35 , 0x36 , 0x32 , 0x39 , 0x5a , 0x17 , 0x0d , 0x32 , 0x39 , 0x30 , + 0x31, 0x30 , 0x39 , 0x31 , 0x38 , 0x35 , 0x36 , 0x32 , 0x39 , 0x5a , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , 0x09 , + 0x06, 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , 0x02 , 0x50 , 0x4b , 0x30 , 0x82 , 0x01 , 0x22 , 0x30 , 0x0d , 0x06 , + 0x09, 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x0f , + 0x00, 0x30 , 0x82 , 0x01 , 0x0a , 0x02 , 0x82 , 0x01 , 0x01 , 0x00 , 0xee , 0xa9 , 0xd0 , 0x47 , 0xf4 , 0x2d , + 0xfd, 0xff , 0x21 , 0x6f , 0x11 , 0x89 , 0x9d , 0x54 , 0xe8 , 0xb1 , 0x97 , 0x61 , 0x10 , 0x21 , 0xe1 , 0x9e , + 0x51, 0x09 , 0x66 , 0xea , 0x23 , 0xdb , 0x01 , 0xd3 , 0x5d , 0xa6 , 0xce , 0xc5 , 0x75 , 0x52 , 0xec , 0x2f , + 0xb4, 0x1f , 0x36 , 0xb4 , 0x35 , 0xca , 0x30 , 0xfd , 0xd9 , 0xed , 0x14 , 0x63 , 0xa3 , 0x9e , 0xc6 , 0x0d , + 0xc0, 0x8d , 0xca , 0x7a , 0x1b , 0x9a , 0xcd , 0xbf , 0xb4 , 0x4c , 0x21 , 0x8d , 0xe0 , 0xf6 , 0xbc , 0x74 , + 0xbc, 0xef , 0xc6 , 0x8f , 0xc1 , 0x81 , 0x33 , 0x5f , 0x1e , 0xe6 , 0xed , 0x69 , 0x68 , 0x49 , 0x4c , 0xd7 , + 0x0f, 0x84 , 0x70 , 0xf0 , 0xf6 , 0x1b , 0x07 , 0x35 , 0xa4 , 0x09 , 0xae , 0x5e , 0xdd , 0x42 , 0xa2 , 0x75 , + 0x48, 0xd4 , 0xfa , 0x3c , 0x28 , 0xe7 , 0xaa , 0xc9 , 0x2b , 0xbf , 0xc1 , 0x91 , 0x65 , 0x19 , 0x99 , 0x3b , + 0x56, 0x80 , 0x1a , 0xee , 0x90 , 0x43 , 0xae , 0xbf , 0x1f , 0xff , 0xd2 , 0x55 , 0x1d , 0x18 , 0xff , 0x49 , + 0x38, 0xd8 , 0xdc , 0x21 , 0xe1 , 0x86 , 0xfb , 0xf2 , 0x86 , 0x43 , 0x37 , 0x2e , 0x93 , 0xe8 , 0xd0 , 0x41 , + 0xdb, 0xc9 , 0x73 , 0xd8 , 0x0f , 0xf5 , 0x11 , 0x18 , 0xa9 , 0x93 , 0xb2 , 0x87 , 0x90 , 0xc2 , 0x58 , 0x96 , + 0x93, 0xff , 0x69 , 0xb2 , 0x05 , 0xec , 0xaa , 0x0e , 0xcc , 0xfe , 0x1a , 0x78 , 0x6c , 0x31 , 0xfa , 0x6b , + 0x0d, 0xb6 , 0xeb , 0xac , 0xaf , 0xc9 , 0xa5 , 0x09 , 0xbb , 0xdd , 0x01 , 0x16 , 0x6d , 0x31 , 0x53 , 0x2c , + 0xcb, 0xc1 , 0x82 , 0x87 , 0x81 , 0x99 , 0x7f , 0xc1 , 0xee , 0x86 , 0x6a , 0xed , 0x50 , 0xfc , 0x39 , 0xc1 , + 0x51, 0x71 , 0x04 , 0xe0 , 0x66 , 0x63 , 0x6f , 0x8d , 0x17 , 0x35 , 0x63 , 0x56 , 0x4b , 0x90 , 0x20 , 0x7a , + 0x5f, 0xc8 , 0x63 , 0xee , 0xf4 , 0x82 , 0xe1 , 0x61 , 0xbf , 0x41 , 0x46 , 0x04 , 0xfd , 0x96 , 0x46 , 0x2a , + 0x8b, 0x8d , 0xa2 , 0x4c , 0x82 , 0xe3 , 0xf0 , 0x6e , 0x24 , 0x8b , 0x02 , 0x03 , 0x01 , 0x00 , 0x01 , 0xa3 , + 0x53, 0x30 , 0x51 , 0x30 , 0x1d , 0x06 , 0x03 , 0x55 , 0x1d , 0x0e , 0x04 , 0x16 , 0x04 , 0x14 , 0x14 , 0xb2 , + 0x26, 0xdc , 0xe0 , 0x99 , 0x4b , 0xb1 , 0x3e , 0xc4 , 0xc8 , 0xeb , 0xe3 , 0xc9 , 0x8b , 0x69 , 0x78 , 0xef , + 0x55, 0xbd , 0x30 , 0x1f , 0x06 , 0x03 , 0x55 , 0x1d , 0x23 , 0x04 , 0x18 , 0x30 , 0x16 , 0x80 , 0x14 , 0x14 , + 0xb2, 0x26 , 0xdc , 0xe0 , 0x99 , 0x4b , 0xb1 , 0x3e , 0xc4 , 0xc8 , 0xeb , 0xe3 , 0xc9 , 0x8b , 0x69 , 0x78 , + 0xef, 0x55 , 0xbd , 0x30 , 0x0f , 0x06 , 0x03 , 0x55 , 0x1d , 0x13 , 0x01 , 0x01 , 0xff , 0x04 , 0x05 , 0x30 , + 0x03, 0x01 , 0x01 , 0xff , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , + 0x0b, 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x01 , 0x00 , 0x8f , 0x4b , 0x0e , 0x4d , 0xd6 , 0xed , 0x73 , 0xb0 , + 0xe6, 0xa5 , 0xcf , 0x37 , 0xed , 0x7b , 0x89 , 0x82 , 0xc4 , 0x67 , 0x95 , 0x16 , 0x03 , 0x19 , 0x3d , 0x9c , + 0xbf, 0x10 , 0x8e , 0x23 , 0x71 , 0xcb , 0x53 , 0xa2 , 0xb0 , 0xa1 , 0x88 , 0xb1 , 0x9b , 0x2e , 0x68 , 0xda , + 0x1e, 0x74 , 0xfe , 0x32 , 0x6f , 0xa1 , 0xda , 0x9f , 0x5b , 0x52 , 0x6b , 0x10 , 0x11 , 0x48 , 0x0d , 0x71 , + 0xec, 0x08 , 0x24 , 0xe5 , 0x0b , 0xb4 , 0x60 , 0x52 , 0x47 , 0x64 , 0xfb , 0xf5 , 0x99 , 0x45 , 0x15 , 0xe1 , + 0x35, 0x6c , 0x43 , 0xe3 , 0x9c , 0xeb , 0xe4 , 0xfd , 0x5b , 0x91 , 0x5d , 0xed , 0xa9 , 0x98 , 0x13 , 0x79 , + 0x6d, 0xcd , 0x8a , 0x8f , 0xae , 0x09 , 0x42 , 0xd4 , 0xa1 , 0x46 , 0x89 , 0xd1 , 0x95 , 0x20 , 0x27 , 0x82 , + 0x80, 0x93 , 0x3d , 0xe0 , 0x32 , 0xb2 , 0x07 , 0x2e , 0xee , 0x89 , 0xbf , 0x08 , 0xca , 0x3c , 0xc5 , 0xcc , + 0x1d, 0x64 , 0x61 , 0x4c , 0xdd , 0x26 , 0x99 , 0x3d , 0xee , 0x0f , 0xad , 0x14 , 0xbe , 0x8f , 0x70 , 0x9e , + 0xb1, 0x31 , 0xd1 , 0xb2 , 0x7d , 0xdf , 0xbc , 0x23 , 0xc6 , 0x36 , 0x23 , 0xfc , 0xa1 , 0x77 , 0xdb , 0x80 , + 0xaf, 0x41 , 0xaf , 0xe2 , 0xb2 , 0x37 , 0x8c , 0x74 , 0xff , 0x19 , 0x04 , 0x96 , 0x6a , 0x40 , 0x37 , 0x7f , + 0x5e, 0x76 , 0x9b , 0xee , 0x84 , 0x7e , 0x4e , 0x2f , 0x75 , 0x7d , 0x76 , 0xfa , 0x90 , 0x76 , 0x08 , 0x41 , + 0x61, 0x63 , 0xa4 , 0x9e , 0x79 , 0x2e , 0xb0 , 0x52 , 0xec , 0xc7 , 0xa0 , 0x47 , 0x16 , 0x76 , 0x4f , 0x01 , + 0xb1, 0x58 , 0x67 , 0xe7 , 0x59 , 0x6a , 0x9a , 0xe9 , 0xf8 , 0x59 , 0x33 , 0x52 , 0x98 , 0x52 , 0xc8 , 0xb7 , + 0x6f, 0xc8 , 0x44 , 0x52 , 0x8b , 0xa2 , 0x30 , 0x1e , 0xb6 , 0xd2 , 0xc2 , 0x0c , 0x43 , 0x9f , 0x13 , 0x1f , + 0x0f, 0xef , 0x16 , 0xa6 , 0xc0 , 0xf7 , 0x09 , 0x8b , 0x2e , 0xa7 , 0x7d , 0x6a , 0x30 , 0x0b , 0x09 , 0xbb , + 0x69, 0x2f , 0xaf , 0xe7 , 0x12 , 0xe1 , 0x66 , 0x15 , 0x31 , 0x82 , 0x01 , 0x45 , 0x30 , 0x82 , 0x01 , 0x41 , + 0x02, 0x01 , 0x01 , 0x30 , 0x1a , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , 0x09 , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , + 0x0c, 0x02 , 0x50 , 0x4b , 0x02 , 0x09 , 0x00 , 0xec , 0x89 , 0x21 , 0xbe , 0xc3 , 0xb0 , 0x04 , 0xc6 , 0x30 , + 0x0d, 0x06 , 0x09 , 0x60 , 0x86 , 0x48 , 0x01 , 0x65 , 0x03 , 0x04 , 0x02 , 0x01 , 0x05 , 0x00 , 0x30 , 0x0d , + 0x06, 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x04 , 0x82 , 0x01 , + 0x00, 0x0d , 0x5c , 0x86 , 0xe2 , 0xe1 , 0x7e , 0x1c , 0x1d , 0x8a , 0x4b , 0x57 , 0xd8 , 0x68 , 0x78 , 0x34 , + 0x8b, 0xd9 , 0xaa , 0xc5 , 0x67 , 0xbc , 0xf4 , 0x9f , 0x16 , 0xfe , 0x2c , 0xba , 0x5b , 0xe3 , 0x35 , 0x9a , + 0xb1, 0xec , 0x57 , 0x12 , 0x26 , 0x1f , 0x5b , 0xd0 , 0x15 , 0x28 , 0x25 , 0xa9 , 0x09 , 0xd9 , 0x1a , 0x56 , + 0xe7, 0xb2 , 0xd1 , 0x04 , 0x0f , 0x83 , 0x70 , 0x99 , 0xff , 0x6f , 0x5f , 0xa4 , 0x89 , 0x91 , 0xa9 , 0x2a , + 0xe7, 0xb0 , 0x30 , 0xbd , 0x07 , 0xcf , 0x8d , 0x93 , 0xd2 , 0x5a , 0xf0 , 0x16 , 0x13 , 0x7c , 0xc3 , 0xef , + 0x27, 0xbb , 0x4d , 0x72 , 0x04 , 0x9f , 0xbb , 0x49 , 0xf3 , 0x7c , 0x18 , 0x1a , 0xcd , 0x12 , 0x99 , 0xea , + 0x3a, 0x41 , 0x0a , 0xa1 , 0x55 , 0x74 , 0xa3 , 0x30 , 0x17 , 0xfd , 0x4e , 0x8d , 0x4a , 0x3d , 0x5f , 0x0f , + 0x08, 0x7c , 0x1a , 0x39 , 0xc5 , 0xc4 , 0xd7 , 0xb6 , 0xf6 , 0x3b , 0xa7 , 0x3e , 0x6c , 0x68 , 0xf9 , 0x69 , + 0xcd, 0x7a , 0x47 , 0x43 , 0xc5 , 0x68 , 0x56 , 0x74 , 0xde , 0x4c , 0x38 , 0xf5 , 0x6d , 0xf6 , 0x96 , 0xac , + 0xf3, 0x5c , 0x6a , 0xc9 , 0x7d , 0x45 , 0x44 , 0x4e , 0x98 , 0xcc , 0xd9 , 0xbe , 0x5f , 0xbd , 0xa3 , 0x0a , + 0x34, 0x0e , 0x53 , 0x4b , 0x08 , 0x93 , 0x8b , 0xf9 , 0x46 , 0x49 , 0xca , 0x6a , 0x98 , 0x26 , 0x90 , 0x86 , + 0x51, 0xee , 0x24 , 0x2f , 0xcb , 0xa0 , 0x7f , 0x94 , 0xd8 , 0x6d , 0xee , 0x58 , 0xf9 , 0xe3 , 0x4e , 0x6d , + 0xaf, 0xa2 , 0x00 , 0xb6 , 0xeb , 0x70 , 0x8c , 0x9d , 0x90 , 0xfe , 0x58 , 0xdd , 0x48 , 0xf6 , 0x99 , 0x09 , + 0x41, 0xdd , 0xde , 0x7c , 0xae , 0xd7 , 0x8c , 0x57 , 0x4e , 0x47 , 0x79 , 0x38 , 0x03 , 0x42 , 0xeb , 0xb4 , + 0x2d, 0xb8 , 0x9e , 0xcf , 0x58 , 0xa4 , 0x32 , 0x00 , 0x2a , 0x66 , 0x4e , 0xf5 , 0xde , 0x96 , 0x9b , 0x60 , + 0xc7, 0xc5 , 0xcf , 0xe2 , 0xa2 , 0x9b , 0x0f , 0x39 , 0x64 , 0x13 , 0x12 , 0x41 , 0x77 , 0xb2 , 0xd2 , 0x50 , + 0x5c, 0xa1 , 0x59 , 0xc0 , 0xa5 , 0xe4 , 0x94 , 0xa7 , 0x4a , 0x87 , 0xb5 , 0xab , 0x15 , 0x5c , 0x2b , 0xf0 , + 0x72, 0x22 , 0x03 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x06 , 0x03 , 0x00 , 0x00 , 0x11 , 0x11 , 0x11 , + 0x11, 0x22 , 0x22 , 0x33 , 0x33 , 0x44 , 0x44 , 0x12 , 0x34 , 0x56 , 0x78 , 0x9a , 0xbc , 0x30 , 0x82 , 0x02 , + 0xf2, 0x30 , 0x82 , 0x01 , 0xda , 0xa0 , 0x03 , 0x02 , 0x01 , 0x02 , 0x02 , 0x09 , 0x00 , 0xfe , 0xdd , 0x2e , + 0xec, 0xe0 , 0x22 , 0xdd , 0xf9 , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , + 0x01, 0x0b , 0x05 , 0x00 , 0x30 , 0x0e , 0x31 , 0x0c , 0x30 , 0x0a , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , + 0x03, 0x4b , 0x45 , 0x4b , 0x30 , 0x1e , 0x17 , 0x0d , 0x31 , 0x39 , 0x30 , 0x31 , 0x31 , 0x32 , 0x31 , 0x38 , + 0x35, 0x36 , 0x33 , 0x31 , 0x5a , 0x17 , 0x0d , 0x32 , 0x39 , 0x30 , 0x31 , 0x30 , 0x39 , 0x31 , 0x38 , 0x35 , + 0x36, 0x33 , 0x31 , 0x5a , 0x30 , 0x0e , 0x31 , 0x0c , 0x30 , 0x0a , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , + 0x03, 0x4b , 0x45 , 0x4b , 0x30 , 0x82 , 0x01 , 0x22 , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , + 0xf7, 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x0f , 0x00 , 0x30 , 0x82 , 0x01 , 0x0a , + 0x02, 0x82 , 0x01 , 0x01 , 0x00 , 0xd1 , 0xf8 , 0xab , 0xdb , 0xc2 , 0xf5 , 0x51 , 0xde , 0x7b , 0x9f , 0x28 , + 0xff, 0xae , 0xdb , 0xa5 , 0xbf , 0x73 , 0x63 , 0x99 , 0x5e , 0x04 , 0xa5 , 0x9d , 0xfd , 0xcd , 0x24 , 0x2e , + 0xdd, 0x0b , 0x02 , 0x88 , 0xe9 , 0x71 , 0x7b , 0xf2 , 0x89 , 0x90 , 0xae , 0xaf , 0x0d , 0xa0 , 0x68 , 0x4d , + 0x31, 0x1b , 0x30 , 0xe8 , 0x19 , 0x2e , 0xfc , 0x33 , 0x8f , 0xee , 0x6d , 0x2a , 0x0a , 0x09 , 0x42 , 0x34 , + 0xc1, 0x40 , 0xa8 , 0xe8 , 0xb6 , 0xc7 , 0x92 , 0x5d , 0xa5 , 0x96 , 0x14 , 0xd7 , 0xaf , 0x8c , 0x71 , 0x6b , + 0x4e, 0x7d , 0x6e , 0xfa , 0x73 , 0x1c , 0x40 , 0x4c , 0x05 , 0x9e , 0xfa , 0xb2 , 0x4c , 0x8c , 0xcb , 0x9d , + 0xe2, 0xa9 , 0x04 , 0x01 , 0x91 , 0x5b , 0xbf , 0xff , 0x85 , 0x54 , 0x2a , 0x65 , 0x96 , 0x84 , 0x6f , 0xfa , + 0x99, 0x1c , 0x9e , 0xe0 , 0x77 , 0x68 , 0x4d , 0x58 , 0x2a , 0xc7 , 0xc0 , 0x8f , 0x71 , 0x5a , 0x8f , 0xa9 , + 0xff, 0x44 , 0xed , 0xf7 , 0xe4 , 0x47 , 0xd8 , 0x4c , 0x9c , 0xf4 , 0x78 , 0xa0 , 0xb3 , 0x37 , 0xaf , 0x43 , + 0x0b, 0x03 , 0x6f , 0xe4 , 0xe1 , 0x2d , 0x52 , 0x0b , 0x4b , 0x62 , 0xc6 , 0x2f , 0xe3 , 0xfc , 0x32 , 0xf2 , + 0xe2, 0x11 , 0x1c , 0xac , 0xdf , 0x5a , 0xe8 , 0xdd , 0x55 , 0x65 , 0xa4 , 0x6f , 0x61 , 0xb7 , 0x0f , 0x1c , + 0xc6, 0x08 , 0x2a , 0xaf , 0x5d , 0x36 , 0x50 , 0x06 , 0x7b , 0x49 , 0xa0 , 0x8b , 0x1c , 0x93 , 0xdc , 0x72 , + 0x69, 0x7b , 0xf1 , 0xcc , 0xee , 0xa4 , 0xe8 , 0xd0 , 0x7b , 0x5f , 0x61 , 0xbc , 0xbe , 0x20 , 0xfb , 0x0b , + 0xaa, 0x54 , 0xf6 , 0xe0 , 0x13 , 0xad , 0xe8 , 0x96 , 0x53 , 0x6a , 0xa9 , 0x4b , 0xa1 , 0xcf , 0x56 , 0x10 , + 0xbc, 0x2a , 0x09 , 0xc9 , 0x0a , 0xcc , 0x8d , 0x20 , 0xdd , 0x4d , 0x14 , 0xc7 , 0x08 , 0xab , 0xc1 , 0xc3 , + 0xaf, 0x0b , 0x35 , 0x40 , 0x57 , 0x34 , 0x97 , 0x3b , 0xa2 , 0x2d , 0xa3 , 0x46 , 0xc1 , 0x30 , 0x14 , 0x88 , + 0xa8, 0x74 , 0x79 , 0xdd , 0xb1 , 0x02 , 0x03 , 0x01 , 0x00 , 0x01 , 0xa3 , 0x53 , 0x30 , 0x51 , 0x30 , 0x1d , + 0x06, 0x03 , 0x55 , 0x1d , 0x0e , 0x04 , 0x16 , 0x04 , 0x14 , 0xd7 , 0x75 , 0xfc , 0xed , 0xb7 , 0xc8 , 0xb5 , + 0xf8, 0x7d , 0x28 , 0xc5 , 0x13 , 0x34 , 0xcd , 0x0b , 0xbe , 0x57 , 0x0d , 0x94 , 0xa8 , 0x30 , 0x1f , 0x06 , + 0x03, 0x55 , 0x1d , 0x23 , 0x04 , 0x18 , 0x30 , 0x16 , 0x80 , 0x14 , 0xd7 , 0x75 , 0xfc , 0xed , 0xb7 , 0xc8 , + 0xb5, 0xf8 , 0x7d , 0x28 , 0xc5 , 0x13 , 0x34 , 0xcd , 0x0b , 0xbe , 0x57 , 0x0d , 0x94 , 0xa8 , 0x30 , 0x0f , + 0x06, 0x03 , 0x55 , 0x1d , 0x13 , 0x01 , 0x01 , 0xff , 0x04 , 0x05 , 0x30 , 0x03 , 0x01 , 0x01 , 0xff , 0x30 , + 0x0d, 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x0b , 0x05 , 0x00 , 0x03 , 0x82 , + 0x01, 0x01 , 0x00 , 0x58 , 0xd2 , 0x25 , 0xa3 , 0xe6 , 0xaa , 0xb9 , 0x56 , 0x67 , 0xc3 , 0xa6 , 0x4b , 0x88 , + 0x99, 0xfe , 0xde , 0xc6 , 0x16 , 0x4c , 0x43 , 0x1b , 0xb8 , 0xea , 0xe3 , 0x77 , 0xc4 , 0xe4 , 0x66 , 0x15 , + 0x9f, 0x92 , 0x6d , 0xe3 , 0x7f , 0x3c , 0xac , 0x88 , 0x8b , 0xb9 , 0xc5 , 0x5c , 0x39 , 0x4f , 0x02 , 0x75 , + 0x5a, 0x3d , 0xc5 , 0xaf , 0xad , 0x8f , 0x32 , 0xd4 , 0x5a , 0x44 , 0xc8 , 0xcb , 0x1f , 0x40 , 0xa1 , 0x44 , + 0xef, 0xa8 , 0x2a , 0xa4 , 0x0d , 0x7a , 0x25 , 0xe1 , 0x6c , 0x09 , 0x4b , 0x96 , 0x6a , 0x73 , 0x0f , 0xe0 , + 0x9b, 0x0e , 0x26 , 0xff , 0x61 , 0x96 , 0xc4 , 0xb6 , 0x10 , 0xe1 , 0x90 , 0x36 , 0xfd , 0x96 , 0xb5 , 0x90 , + 0xb0, 0x76 , 0xed , 0xc2 , 0x17 , 0xc0 , 0xfe , 0xd4 , 0x38 , 0xff , 0x7f , 0xc3 , 0xa0 , 0x88 , 0x60 , 0xe8 , + 0x27, 0x10 , 0x34 , 0x35 , 0x93 , 0x59 , 0xcb , 0x12 , 0xe5 , 0x25 , 0xaf , 0x2d , 0x1d , 0x7d , 0x3f , 0x16 , + 0x95, 0x71 , 0x57 , 0x8e , 0x3f , 0xc2 , 0xad , 0x8e , 0xc4 , 0x0e , 0xe1 , 0xed , 0x46 , 0xf9 , 0xd7 , 0x07 , + 0x85, 0xb3 , 0x05 , 0xbe , 0xf1 , 0x4c , 0xba , 0xf1 , 0x34 , 0xe5 , 0xd5 , 0x26 , 0x9b , 0x6c , 0x15 , 0x9e , + 0x35, 0xa2 , 0xd5 , 0x81 , 0x09 , 0x36 , 0x05 , 0xa6 , 0x99 , 0x1f , 0xa2 , 0x17 , 0x35 , 0x3a , 0x38 , 0x18 , + 0x52, 0x44 , 0xcf , 0x22 , 0xb3 , 0x69 , 0xba , 0x07 , 0x74 , 0x48 , 0x1c , 0x8e , 0x4c , 0xa7 , 0xb0 , 0xc2 , + 0x65, 0x6c , 0x1d , 0x30 , 0xe2 , 0x82 , 0xc2 , 0x35 , 0x60 , 0x25 , 0xf2 , 0xb1 , 0x05 , 0x18 , 0x0a , 0x73 , + 0x87, 0x27 , 0xee , 0x6e , 0xc2 , 0x5f , 0xff , 0xd8 , 0xfc , 0x77 , 0x06 , 0x2e , 0x3d , 0x4f , 0xa1 , 0x14 , + 0x04, 0x5d , 0xae , 0x38 , 0x28 , 0xf9 , 0x3d , 0x82 , 0x5f , 0xc6 , 0xd0 , 0x31 , 0x21 , 0x88 , 0xda , 0x7f , + 0x78, 0xe3 , 0xb7 , 0xed , 0x52 , 0x37 , 0xf4 , 0x29 , 0x08 , 0x88 , 0x50 , 0x54 , 0x56 , 0x67 , 0xc0 , 0xe1 , + 0xf4, 0xe7 , 0xcf }; + +unsigned char DB_auth[] = { + 0xe3 ,0x07 ,0x0b ,0x19 ,0x0a ,0x1a ,0x35 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 , + 0x94 ,0x04 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49 , + 0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7 ,0x30 ,0x82 ,0x04 ,0x78 ,0x06 ,0x09 ,0x2a ,0x86 , + 0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0 ,0x82 ,0x04 ,0x69 ,0x30 ,0x82 ,0x04 ,0x65 ,0x02 , + 0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 , + 0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01 , + 0xa0 ,0x82 ,0x02 ,0xf6 ,0x30 ,0x82 ,0x02 ,0xf2 ,0x30 ,0x82 ,0x01 ,0xda ,0xa0 ,0x03 ,0x02 ,0x01 , + 0x02 ,0x02 ,0x09 ,0x00 ,0xfe ,0xdd ,0x2e ,0xec ,0xe0 ,0x22 ,0xdd ,0xf9 ,0x30 ,0x0d ,0x06 ,0x09 , + 0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 , + 0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x30 ,0x1e ,0x17 ,0x0d ,0x31 , + 0x39 ,0x30 ,0x31 ,0x31 ,0x32 ,0x31 ,0x38 ,0x35 ,0x36 ,0x33 ,0x31 ,0x5a ,0x17 ,0x0d ,0x32 ,0x39 , + 0x30 ,0x31 ,0x30 ,0x39 ,0x31 ,0x38 ,0x35 ,0x36 ,0x33 ,0x31 ,0x5a ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 , + 0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x30 ,0x82 ,0x01 ,0x22 ,0x30 , + 0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 ,0x82 , + 0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xd1 ,0xf8 ,0xab ,0xdb , + 0xc2 ,0xf5 ,0x51 ,0xde ,0x7b ,0x9f ,0x28 ,0xff ,0xae ,0xdb ,0xa5 ,0xbf ,0x73 ,0x63 ,0x99 ,0x5e , + 0x04 ,0xa5 ,0x9d ,0xfd ,0xcd ,0x24 ,0x2e ,0xdd ,0x0b ,0x02 ,0x88 ,0xe9 ,0x71 ,0x7b ,0xf2 ,0x89 , + 0x90 ,0xae ,0xaf ,0x0d ,0xa0 ,0x68 ,0x4d ,0x31 ,0x1b ,0x30 ,0xe8 ,0x19 ,0x2e ,0xfc ,0x33 ,0x8f , + 0xee ,0x6d ,0x2a ,0x0a ,0x09 ,0x42 ,0x34 ,0xc1 ,0x40 ,0xa8 ,0xe8 ,0xb6 ,0xc7 ,0x92 ,0x5d ,0xa5 , + 0x96 ,0x14 ,0xd7 ,0xaf ,0x8c ,0x71 ,0x6b ,0x4e ,0x7d ,0x6e ,0xfa ,0x73 ,0x1c ,0x40 ,0x4c ,0x05 , + 0x9e ,0xfa ,0xb2 ,0x4c ,0x8c ,0xcb ,0x9d ,0xe2 ,0xa9 ,0x04 ,0x01 ,0x91 ,0x5b ,0xbf ,0xff ,0x85 , + 0x54 ,0x2a ,0x65 ,0x96 ,0x84 ,0x6f ,0xfa ,0x99 ,0x1c ,0x9e ,0xe0 ,0x77 ,0x68 ,0x4d ,0x58 ,0x2a , + 0xc7 ,0xc0 ,0x8f ,0x71 ,0x5a ,0x8f ,0xa9 ,0xff ,0x44 ,0xed ,0xf7 ,0xe4 ,0x47 ,0xd8 ,0x4c ,0x9c , + 0xf4 ,0x78 ,0xa0 ,0xb3 ,0x37 ,0xaf ,0x43 ,0x0b ,0x03 ,0x6f ,0xe4 ,0xe1 ,0x2d ,0x52 ,0x0b ,0x4b , + 0x62 ,0xc6 ,0x2f ,0xe3 ,0xfc ,0x32 ,0xf2 ,0xe2 ,0x11 ,0x1c ,0xac ,0xdf ,0x5a ,0xe8 ,0xdd ,0x55 , + 0x65 ,0xa4 ,0x6f ,0x61 ,0xb7 ,0x0f ,0x1c ,0xc6 ,0x08 ,0x2a ,0xaf ,0x5d ,0x36 ,0x50 ,0x06 ,0x7b , + 0x49 ,0xa0 ,0x8b ,0x1c ,0x93 ,0xdc ,0x72 ,0x69 ,0x7b ,0xf1 ,0xcc ,0xee ,0xa4 ,0xe8 ,0xd0 ,0x7b , + 0x5f ,0x61 ,0xbc ,0xbe ,0x20 ,0xfb ,0x0b ,0xaa ,0x54 ,0xf6 ,0xe0 ,0x13 ,0xad ,0xe8 ,0x96 ,0x53 , + 0x6a ,0xa9 ,0x4b ,0xa1 ,0xcf ,0x56 ,0x10 ,0xbc ,0x2a ,0x09 ,0xc9 ,0x0a ,0xcc ,0x8d ,0x20 ,0xdd , + 0x4d ,0x14 ,0xc7 ,0x08 ,0xab ,0xc1 ,0xc3 ,0xaf ,0x0b ,0x35 ,0x40 ,0x57 ,0x34 ,0x97 ,0x3b ,0xa2 , + 0x2d ,0xa3 ,0x46 ,0xc1 ,0x30 ,0x14 ,0x88 ,0xa8 ,0x74 ,0x79 ,0xdd ,0xb1 ,0x02 ,0x03 ,0x01 ,0x00 , + 0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 ,0x14 , + 0xd7 ,0x75 ,0xfc ,0xed ,0xb7 ,0xc8 ,0xb5 ,0xf8 ,0x7d ,0x28 ,0xc5 ,0x13 ,0x34 ,0xcd ,0x0b ,0xbe , + 0x57 ,0x0d ,0x94 ,0xa8 ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 ,0x80 , + 0x14 ,0xd7 ,0x75 ,0xfc ,0xed ,0xb7 ,0xc8 ,0xb5 ,0xf8 ,0x7d ,0x28 ,0xc5 ,0x13 ,0x34 ,0xcd ,0x0b , + 0xbe ,0x57 ,0x0d ,0x94 ,0xa8 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff ,0x04 , + 0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d , + 0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x58 ,0xd2 ,0x25 ,0xa3 ,0xe6 ,0xaa , + 0xb9 ,0x56 ,0x67 ,0xc3 ,0xa6 ,0x4b ,0x88 ,0x99 ,0xfe ,0xde ,0xc6 ,0x16 ,0x4c ,0x43 ,0x1b ,0xb8 , + 0xea ,0xe3 ,0x77 ,0xc4 ,0xe4 ,0x66 ,0x15 ,0x9f ,0x92 ,0x6d ,0xe3 ,0x7f ,0x3c ,0xac ,0x88 ,0x8b , + 0xb9 ,0xc5 ,0x5c ,0x39 ,0x4f ,0x02 ,0x75 ,0x5a ,0x3d ,0xc5 ,0xaf ,0xad ,0x8f ,0x32 ,0xd4 ,0x5a , + 0x44 ,0xc8 ,0xcb ,0x1f ,0x40 ,0xa1 ,0x44 ,0xef ,0xa8 ,0x2a ,0xa4 ,0x0d ,0x7a ,0x25 ,0xe1 ,0x6c , + 0x09 ,0x4b ,0x96 ,0x6a ,0x73 ,0x0f ,0xe0 ,0x9b ,0x0e ,0x26 ,0xff ,0x61 ,0x96 ,0xc4 ,0xb6 ,0x10 , + 0xe1 ,0x90 ,0x36 ,0xfd ,0x96 ,0xb5 ,0x90 ,0xb0 ,0x76 ,0xed ,0xc2 ,0x17 ,0xc0 ,0xfe ,0xd4 ,0x38 , + 0xff ,0x7f ,0xc3 ,0xa0 ,0x88 ,0x60 ,0xe8 ,0x27 ,0x10 ,0x34 ,0x35 ,0x93 ,0x59 ,0xcb ,0x12 ,0xe5 , + 0x25 ,0xaf ,0x2d ,0x1d ,0x7d ,0x3f ,0x16 ,0x95 ,0x71 ,0x57 ,0x8e ,0x3f ,0xc2 ,0xad ,0x8e ,0xc4 , + 0x0e ,0xe1 ,0xed ,0x46 ,0xf9 ,0xd7 ,0x07 ,0x85 ,0xb3 ,0x05 ,0xbe ,0xf1 ,0x4c ,0xba ,0xf1 ,0x34 , + 0xe5 ,0xd5 ,0x26 ,0x9b ,0x6c ,0x15 ,0x9e ,0x35 ,0xa2 ,0xd5 ,0x81 ,0x09 ,0x36 ,0x05 ,0xa6 ,0x99 , + 0x1f ,0xa2 ,0x17 ,0x35 ,0x3a ,0x38 ,0x18 ,0x52 ,0x44 ,0xcf ,0x22 ,0xb3 ,0x69 ,0xba ,0x07 ,0x74 , + 0x48 ,0x1c ,0x8e ,0x4c ,0xa7 ,0xb0 ,0xc2 ,0x65 ,0x6c ,0x1d ,0x30 ,0xe2 ,0x82 ,0xc2 ,0x35 ,0x60 , + 0x25 ,0xf2 ,0xb1 ,0x05 ,0x18 ,0x0a ,0x73 ,0x87 ,0x27 ,0xee ,0x6e ,0xc2 ,0x5f ,0xff ,0xd8 ,0xfc , + 0x77 ,0x06 ,0x2e ,0x3d ,0x4f ,0xa1 ,0x14 ,0x04 ,0x5d ,0xae ,0x38 ,0x28 ,0xf9 ,0x3d ,0x82 ,0x5f , + 0xc6 ,0xd0 ,0x31 ,0x21 ,0x88 ,0xda ,0x7f ,0x78 ,0xe3 ,0xb7 ,0xed ,0x52 ,0x37 ,0xf4 ,0x29 ,0x08 , + 0x88 ,0x50 ,0x54 ,0x56 ,0x67 ,0xc0 ,0xe1 ,0xf4 ,0xe7 ,0xcf ,0x31 ,0x82 ,0x01 ,0x46 ,0x30 ,0x82 , + 0x01 ,0x42 ,0x02 ,0x01 ,0x01 ,0x30 ,0x1b ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 , + 0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x02 ,0x09 ,0x00 ,0xfe ,0xdd ,0x2e ,0xec ,0xe0 ,0x22 , + 0xdd ,0xf9 ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 , + 0x00 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 , + 0x04 ,0x82 ,0x01 ,0x00 ,0x28 ,0x9f ,0xc0 ,0xf5 ,0x52 ,0x8b ,0x45 ,0x8a ,0xaf ,0x43 ,0x39 ,0xd9 , + 0x39 ,0x1d ,0xde ,0x1f ,0x20 ,0x82 ,0x44 ,0x08 ,0xf7 ,0x68 ,0x02 ,0x17 ,0xdb ,0x9f ,0xdf ,0x1e , + 0x2d ,0x88 ,0x6a ,0x9b ,0xe8 ,0xb1 ,0xbb ,0x8f ,0x0b ,0xe1 ,0x45 ,0x64 ,0xf3 ,0xb7 ,0xae ,0x90 , + 0x69 ,0x5c ,0xa7 ,0x0c ,0x98 ,0xb2 ,0x09 ,0x77 ,0xda ,0x24 ,0x1d ,0x01 ,0x94 ,0x1f ,0x95 ,0xbf , + 0x77 ,0xe5 ,0x0e ,0xe4 ,0xd4 ,0x5b ,0x89 ,0x9b ,0xa2 ,0x87 ,0x97 ,0x41 ,0xd4 ,0xb4 ,0xae ,0xb4 , + 0x47 ,0x8a ,0x6e ,0x3f ,0x6b ,0xe7 ,0x8c ,0x04 ,0x04 ,0x0e ,0x27 ,0xcd ,0x4a ,0xd6 ,0x65 ,0x72 , + 0x26 ,0x91 ,0xc9 ,0xb0 ,0x51 ,0x2d ,0x1e ,0x19 ,0xb8 ,0x85 ,0xef ,0x63 ,0x23 ,0xd7 ,0xde ,0x26 , + 0x3d ,0xdb ,0x59 ,0x18 ,0xd3 ,0x80 ,0xc0 ,0xdf ,0xde ,0xe9 ,0x6d ,0x7a ,0xd4 ,0x19 ,0x83 ,0x60 , + 0x96 ,0xe8 ,0x3e ,0xb7 ,0x9a ,0xf5 ,0x69 ,0xe1 ,0xc9 ,0x57 ,0xa6 ,0xad ,0x7f ,0x23 ,0x2f ,0xdd , + 0x5e ,0x15 ,0x38 ,0xc3 ,0x18 ,0xc8 ,0x0a ,0x5d ,0x8e ,0xe9 ,0x6c ,0x20 ,0xad ,0x12 ,0x47 ,0xc9 , + 0x67 ,0x15 ,0xb7 ,0x72 ,0x43 ,0x3e ,0x16 ,0x77 ,0xa6 ,0x2f ,0x72 ,0xfe ,0x34 ,0x45 ,0x2d ,0xa1 , + 0x53 ,0xeb ,0x9e ,0xc4 ,0xfd ,0x2c ,0xf5 ,0x58 ,0xac ,0x05 ,0xbc ,0x57 ,0xd4 ,0xbe ,0x3d ,0xcd , + 0x97 ,0x1d ,0xc5 ,0x14 ,0x29 ,0x17 ,0x19 ,0x4d ,0x0d ,0x2b ,0x28 ,0x87 ,0x14 ,0x02 ,0x1b ,0x6b , + 0x0e ,0xfd ,0x55 ,0xdd ,0x95 ,0x99 ,0x4c ,0xc4 ,0x0c ,0xb3 ,0x68 ,0x1d ,0x71 ,0x64 ,0x1f ,0x48 , + 0xab ,0x34 ,0xa5 ,0xa5 ,0xb7 ,0x1e ,0xb7 ,0xac ,0x86 ,0x2e ,0x0e ,0x7f ,0xb9 ,0xb9 ,0x10 ,0x72 , + 0x76 ,0x07 ,0x8d ,0x6f ,0xc9 ,0xe5 ,0x14 ,0x6e ,0xef ,0x04 ,0x7f ,0xad ,0x33 ,0x98 ,0xf2 ,0x13 , + 0x5c ,0x12 ,0xf1 ,0x48 ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4 ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 , + 0x5c ,0x2b ,0xf0 ,0x72 ,0x20 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x04 ,0x03 ,0x00 ,0x00 , + 0x11 ,0x11 ,0x11 ,0x11 ,0x22 ,0x22 ,0x33 ,0x33 ,0x44 ,0x44 ,0x12 ,0x34 ,0x56 ,0x78 ,0x9a ,0xbc , + 0x30 ,0x82 ,0x02 ,0xf0 ,0x30 ,0x82 ,0x01 ,0xd8 ,0xa0 ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 , + 0x89 ,0x65 ,0xe1 ,0xbe ,0x1d ,0x33 ,0xea ,0xb7 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 , + 0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x0d ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 , + 0x04 ,0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x30 ,0x1e ,0x17 ,0x0d ,0x31 ,0x39 ,0x30 ,0x31 ,0x31 ,0x32 , + 0x31 ,0x38 ,0x35 ,0x36 ,0x32 ,0x39 ,0x5a ,0x17 ,0x0d ,0x32 ,0x39 ,0x30 ,0x31 ,0x30 ,0x39 ,0x31 , + 0x38 ,0x35 ,0x36 ,0x32 ,0x39 ,0x5a ,0x30 ,0x0d ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 , + 0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x30 ,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 , + 0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 , + 0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xce ,0x70 ,0xf2 ,0x2d ,0xa0 ,0x56 ,0xac ,0xc0 ,0xc0 ,0x33 , + 0x9a ,0xa6 ,0x2c ,0x89 ,0x3c ,0x88 ,0xa9 ,0x9c ,0x67 ,0xaf ,0xeb ,0x0d ,0x44 ,0x7b ,0xe7 ,0x85 , + 0xf1 ,0x3d ,0xc4 ,0x71 ,0xdd ,0xb4 ,0xa7 ,0x51 ,0xac ,0x87 ,0xfa ,0x85 ,0xf0 ,0x3c ,0x80 ,0x0a , + 0x33 ,0x43 ,0x02 ,0xd6 ,0xa8 ,0x59 ,0xe3 ,0xc3 ,0x42 ,0x22 ,0xe0 ,0x0c ,0xbc ,0xc7 ,0x02 ,0x60 , + 0xff ,0x09 ,0x81 ,0x1c ,0x73 ,0x76 ,0x22 ,0x29 ,0xb8 ,0x67 ,0x2a ,0x76 ,0x17 ,0xd2 ,0x9a ,0x33 , + 0x78 ,0x6d ,0x40 ,0x60 ,0x24 ,0x07 ,0xfb ,0x1f ,0xf6 ,0xf5 ,0xb2 ,0xac ,0x44 ,0x77 ,0xd2 ,0x5e , + 0x9d ,0xd7 ,0x24 ,0xe2 ,0x6e ,0xa1 ,0xf2 ,0xb8 ,0x08 ,0x18 ,0x61 ,0x77 ,0x83 ,0xe8 ,0x82 ,0x72 , + 0x6d ,0xf6 ,0xb3 ,0x98 ,0x39 ,0x43 ,0xb8 ,0xaa ,0x97 ,0x03 ,0xc7 ,0x68 ,0x2e ,0x1d ,0xf8 ,0xaf , + 0x75 ,0xad ,0x9e ,0x18 ,0x48 ,0xa3 ,0x24 ,0x3e ,0x04 ,0x30 ,0xe2 ,0xa7 ,0x30 ,0xf7 ,0xf7 ,0xb3 , + 0x05 ,0xac ,0x11 ,0xf4 ,0x20 ,0x47 ,0x36 ,0xcf ,0xca ,0xe0 ,0x8c ,0x52 ,0x0d ,0x4b ,0x30 ,0xf0 , + 0x7e ,0x6f ,0x48 ,0x83 ,0xe1 ,0xb9 ,0xd1 ,0x1d ,0x27 ,0x5d ,0xd3 ,0x10 ,0x9d ,0x63 ,0xdb ,0xe0 , + 0x87 ,0x53 ,0x75 ,0xae ,0xdd ,0xc0 ,0x6c ,0x89 ,0x33 ,0xeb ,0x3e ,0x87 ,0x33 ,0x58 ,0x11 ,0xe5 , + 0x04 ,0xcd ,0xeb ,0x8e ,0xfe ,0x48 ,0x7b ,0xd1 ,0x37 ,0xb4 ,0x41 ,0x9a ,0x3b ,0xab ,0x99 ,0x03 , + 0xfc ,0x72 ,0x4f ,0x39 ,0xb2 ,0x0c ,0x34 ,0x7d ,0x4f ,0xa7 ,0x5e ,0x8b ,0x1e ,0x13 ,0xea ,0xab , + 0x37 ,0x28 ,0x34 ,0x6a ,0x91 ,0xb9 ,0x21 ,0x79 ,0x1b ,0x82 ,0xc0 ,0x61 ,0x4d ,0xb7 ,0xa0 ,0xc5 , + 0x73 ,0xe7 ,0x11 ,0x75 ,0x88 ,0x41 ,0x36 ,0xf7 ,0x55 ,0x94 ,0x87 ,0x6e ,0x25 ,0x82 ,0xf7 ,0xf9 , + 0xcf ,0xc3 ,0x3c ,0x24 ,0xa2 ,0xcb ,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 , + 0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 ,0x14 ,0xe6 ,0xb8 ,0x4e ,0x62 ,0xdb ,0xbd , + 0x98 ,0x8a ,0xbb ,0xfd ,0xa0 ,0x08 ,0x35 ,0x5a ,0xa6 ,0xa0 ,0x80 ,0x01 ,0xc5 ,0x8c ,0x30 ,0x1f , + 0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0xe6 ,0xb8 ,0x4e ,0x62 ,0xdb , + 0xbd ,0x98 ,0x8a ,0xbb ,0xfd ,0xa0 ,0x08 ,0x35 ,0x5a ,0xa6 ,0xa0 ,0x80 ,0x01 ,0xc5 ,0x8c ,0x30 , + 0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff , + 0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 , + 0x82 ,0x01 ,0x01 ,0x00 ,0x6e ,0xb3 ,0x79 ,0x61 ,0xeb ,0xa5 ,0xa6 ,0x6b ,0x77 ,0xcd ,0x6a ,0x76 , + 0xb7 ,0xbf ,0x86 ,0xcf ,0x4c ,0xa2 ,0xa5 ,0xa5 ,0x01 ,0xb7 ,0xb7 ,0x61 ,0x71 ,0x85 ,0x92 ,0x02 , + 0xee ,0x5a ,0xaa ,0xd7 ,0x4a ,0xcf ,0x87 ,0x2a ,0xa2 ,0x70 ,0x8c ,0x49 ,0xe9 ,0x05 ,0x49 ,0x46 , + 0x3d ,0xc1 ,0xe6 ,0xe9 ,0x59 ,0x95 ,0xd4 ,0xc8 ,0x0e ,0xb6 ,0x6d ,0x01 ,0xfb ,0x74 ,0x01 ,0x69 , + 0xb2 ,0xb4 ,0x9b ,0xe8 ,0x2c ,0x99 ,0xb3 ,0x96 ,0x7f ,0xd9 ,0x96 ,0xa6 ,0x28 ,0x02 ,0x10 ,0x07 , + 0x6a ,0xc2 ,0x19 ,0x27 ,0x63 ,0x9c ,0x35 ,0x0a ,0x9a ,0xda ,0x5c ,0x9c ,0x91 ,0xb5 ,0xc6 ,0xe5 , + 0x7c ,0x64 ,0x76 ,0x07 ,0xf6 ,0x56 ,0x7a ,0xf0 ,0xf6 ,0x09 ,0xaf ,0x3b ,0x4b ,0x40 ,0xd6 ,0x80 , + 0xd5 ,0x3e ,0x7f ,0xea ,0x11 ,0xe4 ,0xe1 ,0x78 ,0xac ,0x1e ,0x4b ,0xc4 ,0xdf ,0xb9 ,0xd6 ,0x5f , + 0x68 ,0xba ,0x77 ,0x40 ,0xf5 ,0x1d ,0xb7 ,0x35 ,0xaf ,0xcd ,0x37 ,0xc4 ,0xc9 ,0xb4 ,0x22 ,0x37 , + 0xac ,0x2d ,0xf3 ,0xc3 ,0xf7 ,0x94 ,0x74 ,0x70 ,0xfc ,0xc8 ,0x13 ,0xb2 ,0xdf ,0x98 ,0xa1 ,0x9c , + 0x10 ,0xba ,0x14 ,0x34 ,0xb5 ,0x1b ,0x4a ,0x50 ,0x00 ,0x22 ,0x83 ,0x88 ,0x79 ,0x1e ,0xac ,0xa4 , + 0xe4 ,0x6f ,0xbf ,0x96 ,0x8e ,0xf1 ,0x20 ,0x53 ,0x60 ,0x9d ,0x63 ,0x74 ,0x40 ,0x30 ,0x72 ,0x5e , + 0x56 ,0x75 ,0xf3 ,0x0b ,0x60 ,0x6a ,0xe8 ,0xab ,0x45 ,0x81 ,0xe9 ,0x7b ,0x32 ,0x31 ,0x5b ,0x28 , + 0x3e ,0xc1 ,0x96 ,0x9f ,0x28 ,0x2d ,0x74 ,0xbe ,0xfb ,0x4d ,0xe1 ,0x15 ,0x21 ,0x5a ,0x89 ,0xde , + 0x02 ,0x0f ,0x83 ,0x18 ,0x33 ,0xa4 ,0x0e ,0x58 ,0x20 ,0xaa ,0xea ,0xcf ,0xb0 ,0xbc ,0x35 ,0xfa , + 0x0c ,0x8a ,0x2d ,0x66 ,0xfa ,0x2a ,0xc6 ,0xae ,0xe0 ,0x07 ,0x99 ,0xfa ,0xb3 ,0x44 ,0x61 ,0x61 , + 0x60 ,0x6e ,0xd4 ,0x70 }; + +unsigned char IllformatKEK_auth[] = { + 0xe3, 0x07, 0x0b, 0x13, 0x0a, 0x28, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x94, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x78, 0x02, 0x01, 0x01, 0x31, + 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, + 0x02, 0x01, 0x05, 0x00, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x02, 0xff, 0x30, 0x82, 0x02, + 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, + 0x65, 0x75, 0x53, 0x72, 0x12, 0x66, 0xdd, 0x35, 0x15, 0x7c, 0xe8, 0x6c, + 0x53, 0x88, 0xd2, 0x01, 0x81, 0x62, 0xe7, 0x36, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, + 0x50, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x31, 0x31, 0x39, + 0x31, 0x36, 0x34, 0x30, 0x35, 0x32, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x31, + 0x31, 0x31, 0x36, 0x31, 0x36, 0x34, 0x30, 0x35, 0x32, 0x5a, 0x30, 0x0d, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, + 0x4b, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd0, 0xe5, + 0xb4, 0x7c, 0x37, 0xec, 0x22, 0xf1, 0xae, 0x68, 0xf8, 0x50, 0xcd, 0x00, + 0xb6, 0xa9, 0xc8, 0x56, 0x47, 0xe1, 0x2f, 0xdc, 0xd0, 0x48, 0x9a, 0x18, + 0x01, 0x59, 0xa1, 0x02, 0x02, 0xd4, 0x2c, 0xbd, 0x46, 0x28, 0xa2, 0x6b, + 0x27, 0x5e, 0xa4, 0x53, 0x6d, 0x17, 0xd5, 0x8f, 0x8d, 0x56, 0x9e, 0xf3, + 0x79, 0x4d, 0x74, 0x1c, 0xb5, 0xff, 0xb5, 0x50, 0xf2, 0x50, 0x7d, 0x2d, + 0x13, 0x1c, 0x4f, 0xd9, 0xf7, 0x2c, 0x25, 0x42, 0xa1, 0xcb, 0x91, 0x8e, + 0x10, 0x43, 0x1f, 0xac, 0x14, 0x23, 0x6b, 0x40, 0x40, 0xa5, 0x48, 0x40, + 0x34, 0xdd, 0x40, 0xdf, 0xc3, 0x29, 0x2a, 0xc3, 0x38, 0xcc, 0x6b, 0x00, + 0xa3, 0xac, 0x63, 0x03, 0x38, 0x75, 0x59, 0xab, 0x5c, 0xbc, 0x98, 0x44, + 0xf6, 0x2c, 0xd5, 0x9d, 0x11, 0x2f, 0xae, 0x2f, 0x11, 0xeb, 0x4d, 0xc4, + 0xbd, 0x86, 0xe0, 0xe9, 0xbb, 0x8d, 0x46, 0x62, 0xbd, 0x33, 0xf4, 0xf4, + 0x78, 0x32, 0xda, 0xcf, 0xd3, 0x35, 0x13, 0x95, 0x55, 0x39, 0xc0, 0x10, + 0x9d, 0xcb, 0x98, 0xa9, 0x6a, 0x31, 0x2e, 0x6b, 0xcb, 0xc8, 0x9a, 0xc6, + 0xaa, 0x48, 0xd6, 0x6e, 0xf3, 0xc0, 0x4b, 0x57, 0x06, 0x51, 0xa3, 0xad, + 0x82, 0xe7, 0xeb, 0x8c, 0x40, 0x64, 0x32, 0xf1, 0xee, 0x1e, 0xe4, 0xae, + 0x81, 0x06, 0x5b, 0x6a, 0x06, 0xbc, 0x96, 0xfc, 0xe6, 0xbc, 0x62, 0x0b, + 0x02, 0x8d, 0x27, 0xa2, 0x9c, 0x44, 0x5e, 0x9e, 0x60, 0x35, 0xa2, 0xc2, + 0x2e, 0xfe, 0x34, 0x53, 0xd8, 0x31, 0xe4, 0xca, 0xa1, 0xb3, 0x99, 0x11, + 0xd5, 0xd3, 0x1b, 0x00, 0x76, 0x8a, 0x2d, 0x9a, 0x94, 0xdc, 0x43, 0xdd, + 0xb0, 0x14, 0x41, 0xb3, 0x70, 0x56, 0x85, 0x31, 0x01, 0x6b, 0xf6, 0x82, + 0x9a, 0x8a, 0x89, 0x5e, 0x72, 0xfe, 0xec, 0x53, 0x04, 0x16, 0x79, 0xa0, + 0xb3, 0xfd, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x70, + 0xbe, 0x22, 0xf9, 0x09, 0xbf, 0xce, 0x96, 0x5a, 0xb6, 0xe7, 0xdb, 0x1a, + 0xa4, 0x5f, 0x84, 0xbf, 0x2c, 0x5b, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, + 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x50, 0x70, 0xbe, 0x22, 0xf9, + 0x09, 0xbf, 0xce, 0x96, 0x5a, 0xb6, 0xe7, 0xdb, 0x1a, 0xa4, 0x5f, 0x84, + 0xbf, 0x2c, 0x5b, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0xcd, 0xca, 0xa3, 0xd4, 0xc9, 0x11, 0xdf, 0x4f, + 0x42, 0x13, 0xdf, 0xcd, 0x5a, 0x13, 0x07, 0x47, 0x16, 0xae, 0x6b, 0xb2, + 0xca, 0xec, 0x70, 0x71, 0x45, 0x5c, 0x61, 0x29, 0x17, 0x63, 0x2c, 0xe9, + 0x75, 0x6f, 0x8a, 0xb7, 0xd5, 0x8d, 0xc8, 0x23, 0x2e, 0xe2, 0x39, 0x1b, + 0xf3, 0x1a, 0xb1, 0xec, 0xf4, 0xc4, 0x88, 0x5a, 0xfe, 0xe2, 0x97, 0x3f, + 0xcb, 0x86, 0x22, 0x8e, 0x58, 0x99, 0x5d, 0x83, 0x46, 0xad, 0x97, 0xbe, + 0x11, 0x13, 0xf0, 0x4b, 0x64, 0x8c, 0x22, 0xca, 0x1f, 0xa4, 0x5d, 0xd7, + 0xf2, 0xc0, 0xc7, 0x1e, 0x57, 0x97, 0x51, 0x26, 0x8d, 0x2b, 0xbb, 0x32, + 0x0e, 0x52, 0xa0, 0xdc, 0xde, 0x4f, 0x85, 0x6e, 0x48, 0xe5, 0x0d, 0xf0, + 0x9e, 0xad, 0xa2, 0xda, 0x69, 0xe0, 0x71, 0x06, 0x63, 0xb1, 0x82, 0x20, + 0xcc, 0x55, 0x08, 0x2f, 0x1b, 0xf9, 0x0b, 0xdd, 0xda, 0xa4, 0xe0, 0xfe, + 0xd6, 0xc2, 0xc3, 0xf1, 0xf8, 0xe1, 0x14, 0xf6, 0xd3, 0xbc, 0x82, 0x53, + 0x06, 0xca, 0xf6, 0x4e, 0x40, 0x88, 0x50, 0x51, 0x33, 0xe2, 0x2a, 0x8b, + 0xa6, 0x1a, 0x37, 0x89, 0xa7, 0xbf, 0x35, 0x2c, 0x4b, 0xf5, 0x7d, 0xc9, + 0x6a, 0x59, 0xb8, 0x62, 0x23, 0x16, 0xf1, 0xd7, 0x2d, 0x67, 0x2d, 0xae, + 0x52, 0x5e, 0x7d, 0x5f, 0xf6, 0x77, 0x9a, 0xed, 0x9c, 0xd0, 0xbd, 0x85, + 0x11, 0xf7, 0xd6, 0x13, 0xbd, 0x49, 0x55, 0x66, 0xc5, 0xa7, 0x88, 0xee, + 0xb3, 0x52, 0x39, 0x43, 0xfa, 0x9e, 0x43, 0xe4, 0x0b, 0x8f, 0xad, 0x7e, + 0x6c, 0xb8, 0xf5, 0x27, 0x7d, 0x29, 0x7b, 0xb1, 0x1a, 0xb3, 0x24, 0x8a, + 0xff, 0xfe, 0x3f, 0x17, 0xfe, 0x17, 0xb7, 0x20, 0x0a, 0xb5, 0x98, 0x32, + 0x72, 0x55, 0xd4, 0xfa, 0x94, 0x09, 0x28, 0xdf, 0x67, 0xc9, 0x61, 0x90, + 0xab, 0x03, 0x79, 0xcf, 0x00, 0xa1, 0x0a, 0x4c, 0x31, 0x82, 0x01, 0x50, + 0x30, 0x82, 0x01, 0x4c, 0x02, 0x01, 0x01, 0x30, 0x25, 0x30, 0x0d, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, + 0x02, 0x14, 0x65, 0x75, 0x53, 0x72, 0x12, 0x66, 0xdd, 0x35, 0x15, 0x7c, + 0xe8, 0x6c, 0x53, 0x88, 0xd2, 0x01, 0x81, 0x62, 0xe7, 0x36, 0x30, 0x0d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xca, 0x5f, 0x9a, 0xc7, + 0x7d, 0xc6, 0x89, 0xab, 0xec, 0x1c, 0xc6, 0xdd, 0x79, 0xf7, 0xee, 0x53, + 0xbd, 0xc4, 0xed, 0x59, 0x82, 0xa0, 0xe1, 0x98, 0x86, 0x20, 0xd0, 0xac, + 0x76, 0x45, 0x44, 0x0e, 0x20, 0xf9, 0x96, 0xf5, 0xcf, 0x60, 0x43, 0x3a, + 0x05, 0x31, 0xf8, 0xe4, 0x6b, 0x75, 0xe3, 0x11, 0x8f, 0x9b, 0x4b, 0x4a, + 0xd9, 0x60, 0xc2, 0x03, 0xdf, 0x06, 0xef, 0x3c, 0x85, 0x03, 0x81, 0x61, + 0x6a, 0x0f, 0xa4, 0x72, 0x02, 0xf9, 0x3a, 0x25, 0xa7, 0x7e, 0xf5, 0x6c, + 0x36, 0x02, 0x6c, 0x47, 0x3e, 0x8d, 0x27, 0x5e, 0x79, 0xc6, 0xaa, 0x67, + 0x74, 0x6a, 0x77, 0x0f, 0x21, 0x95, 0x0d, 0xfe, 0xa2, 0x90, 0x2a, 0x54, + 0x90, 0xff, 0x3d, 0x6a, 0x5d, 0x4d, 0x43, 0xa5, 0xa3, 0xd1, 0x04, 0xcb, + 0x75, 0xd1, 0x2a, 0xf5, 0xa7, 0x27, 0x1e, 0x74, 0xbd, 0xef, 0x47, 0xae, + 0xb5, 0x42, 0xb5, 0x24, 0x9f, 0xc0, 0x01, 0x9b, 0xca, 0x7e, 0xda, 0xa9, + 0x76, 0x7c, 0xf1, 0x2e, 0x43, 0xdc, 0x6c, 0x21, 0x1c, 0x7e, 0xe2, 0x6b, + 0x2b, 0x1a, 0x41, 0x00, 0x95, 0xbe, 0x8a, 0xb9, 0x88, 0x6f, 0x2b, 0xaf, + 0x64, 0x75, 0xb8, 0xa1, 0xe6, 0xf5, 0x03, 0x8a, 0x7f, 0xd9, 0x7d, 0x94, + 0x36, 0xa4, 0x37, 0xba, 0xaa, 0xc1, 0xb1, 0xae, 0xe6, 0xbf, 0x32, 0x79, + 0x2e, 0x27, 0xbf, 0xfd, 0x41, 0x98, 0x3d, 0xe3, 0x6e, 0x25, 0x0a, 0xaf, + 0xfd, 0x37, 0xef, 0x68, 0xc3, 0xdc, 0xb9, 0x9c, 0xa0, 0xb9, 0xa4, 0x92, + 0x01, 0xfb, 0x87, 0x18, 0x89, 0xf2, 0xc7, 0x8e, 0xb1, 0xdb, 0x4b, 0xf0, + 0xca, 0xf6, 0x1e, 0x8c, 0x19, 0x82, 0xa8, 0x1e, 0xe9, 0xfc, 0x12, 0xdd, + 0xe2, 0x57, 0x5f, 0x1b, 0xe2, 0xd9, 0x63, 0xbb, 0x16, 0x99, 0x46, 0x03, + 0x8c, 0x09, 0x9a, 0xd5, 0x87, 0x32, 0x9c, 0x57, 0x84, 0xd9, 0xf4, 0x0f, + 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, + 0x5c, 0x2b, 0xf0, 0x72, 0x2d, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x11, 0x03, 0x00, 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, + 0x44, 0x44, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xfd, + 0x30, 0x82, 0x01, 0xe5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x35, + 0xa7, 0x5b, 0x54, 0x85, 0x3a, 0x10, 0xbd, 0x95, 0xed, 0x28, 0xda, 0x7e, + 0xc5, 0x26, 0x7d, 0xb7, 0xc5, 0x9c, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, + 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, + 0x45, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x31, 0x31, 0x39, + 0x31, 0x36, 0x34, 0x30, 0x35, 0x34, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x31, + 0x31, 0x31, 0x36, 0x31, 0x36, 0x34, 0x30, 0x35, 0x34, 0x5a, 0x30, 0x0e, + 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, + 0x45, 0x4b, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc9, + 0x9e, 0x2a, 0x8a, 0x23, 0x86, 0xe1, 0x81, 0xff, 0xeb, 0x0f, 0x4d, 0x9a, + 0xf9, 0x67, 0x63, 0xb4, 0x8a, 0x43, 0x12, 0x7d, 0xf8, 0x27, 0x32, 0x9f, + 0xd8, 0xcd, 0x88, 0xd8, 0xf3, 0x28, 0xa8, 0x7a, 0xb8, 0xdf, 0x5f, 0x23, + 0xcc, 0x8a, 0x02, 0x4f, 0xe3, 0xc1, 0xe6, 0x5d, 0xbe, 0x68, 0xeb, 0x15, + 0x8c, 0x8d, 0x15, 0x1d, 0xd6, 0x4e, 0x4f, 0xe2, 0x77, 0xc3, 0xb0, 0x1d, + 0x9c, 0x46, 0xa8, 0x14, 0x9f, 0x6e, 0x30, 0x0f, 0x88, 0x0a, 0x6d, 0xa7, + 0x88, 0x8a, 0xeb, 0xa8, 0xcf, 0xe9, 0xb7, 0x12, 0xc8, 0x40, 0x09, 0xa1, + 0xe9, 0x0a, 0xc6, 0xe4, 0x55, 0xf4, 0x30, 0x85, 0x5d, 0x25, 0x4b, 0x4c, + 0xf8, 0x37, 0xf5, 0x94, 0x38, 0x20, 0x21, 0x54, 0x29, 0xe1, 0xd8, 0xdf, + 0x36, 0xf4, 0xad, 0xaa, 0x1c, 0x90, 0x82, 0xbf, 0xfa, 0x3e, 0xcc, 0xf9, + 0x6a, 0x04, 0x59, 0xa6, 0xf8, 0xb4, 0x22, 0x11, 0x60, 0xcf, 0xa7, 0x41, + 0x6b, 0xce, 0x0e, 0xdf, 0xfa, 0xa6, 0x39, 0x6a, 0x6f, 0x27, 0x7e, 0x13, + 0x44, 0x23, 0xc5, 0x2b, 0x6d, 0x76, 0xb6, 0x1c, 0x5c, 0x4d, 0x07, 0x1a, + 0x53, 0x23, 0x39, 0x65, 0x3b, 0x10, 0xfc, 0xd3, 0x7d, 0x50, 0xb4, 0x13, + 0x62, 0x0d, 0x0f, 0x11, 0x50, 0x1d, 0x9f, 0x25, 0x00, 0xff, 0x9f, 0x8c, + 0xb8, 0x57, 0x45, 0x67, 0x6a, 0x41, 0x2f, 0x6b, 0xff, 0x8f, 0x12, 0x04, + 0x0c, 0xcd, 0xf9, 0xf4, 0x92, 0x0a, 0xea, 0xf6, 0x48, 0x38, 0x4a, 0x9f, + 0xdf, 0x92, 0xb4, 0x84, 0xcf, 0x49, 0x6e, 0xb5, 0x88, 0x7d, 0x7b, 0x33, + 0x86, 0xc3, 0x84, 0x08, 0x08, 0x8b, 0x16, 0x9f, 0x4d, 0x82, 0xb5, 0x15, + 0x03, 0x7e, 0x98, 0x4a, 0xb8, 0xe4, 0xee, 0xf6, 0x01, 0xea, 0x0e, 0x9f, + 0x41, 0x91, 0x2c, 0x37, 0xf2, 0xab, 0xaf, 0xa0, 0x85, 0x9c, 0x31, 0xfa, + 0x3f, 0xe9, 0x33, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x88, + 0xf1, 0x79, 0xea, 0xd8, 0xf9, 0xbe, 0xc7, 0x96, 0x92, 0xa9, 0x08, 0xf3, + 0x75, 0x67, 0x6f, 0xf8, 0x42, 0x0f, 0xc4, 0x30, 0x1f, 0x06, 0x03, 0x55, + 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x88, 0xf1, 0x79, 0xea, + 0xd8, 0xf9, 0xbe, 0xc7, 0x96, 0x92, 0xa9, 0x08, 0xf3, 0x75, 0x67, 0x6f, + 0xf8, 0x42, 0x0f, 0xc4, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, + 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x70, 0xec, 0x6a, 0x52, 0x39, 0xb8, 0xe4, + 0x5e, 0x05, 0xbb, 0xef, 0x4b, 0x8d, 0xfa, 0xb8, 0x3d, 0xc0, 0x11, 0x32, + 0xda, 0xe8, 0x51, 0xfd, 0x70, 0x93, 0x0e, 0x90, 0x01, 0x16, 0x78, 0x39, + 0xb6, 0xc5, 0x03, 0x13, 0x93, 0xb1, 0x5d, 0x76, 0xb9, 0x16, 0xcd, 0xfb, + 0x50, 0x43, 0x67, 0x0b, 0xa1, 0x5a, 0x8f, 0x01, 0xdf, 0x98, 0xbf, 0x9c, + 0xaa, 0x04, 0xf3, 0x2d, 0xeb, 0x3d, 0x8c, 0x7c, 0x0d, 0xcd, 0x41, 0x30, + 0x89, 0x47, 0xd4, 0x50, 0x36, 0x8f, 0x44, 0x8e, 0x63, 0x9d, 0x0d, 0x16, + 0x39, 0xf0, 0xf9, 0x42, 0xac, 0x50, 0x79, 0x0e, 0xa1, 0xe4, 0x96, 0x3b, + 0x23, 0xf1, 0x7c, 0xe4, 0x9a, 0xc3, 0x9a, 0x35, 0x6f, 0x83, 0xb1, 0x78, + 0x24, 0xf4, 0x07, 0xdd, 0x38, 0xa1, 0x54, 0xe3, 0x39, 0x3e, 0x86, 0x67, + 0x19, 0xe4, 0xb8, 0x2b, 0x87, 0xf9, 0x9e, 0x78, 0x7f, 0x8c, 0x8f, 0xf2, + 0x64, 0x75, 0xc2, 0x93, 0xd2, 0x18, 0xf9, 0x6d, 0xdc, 0x6e, 0x18, 0x27, + 0xfe, 0x49, 0xce, 0x96, 0x7b, 0xb4, 0x17, 0xd8, 0xbc, 0x19, 0x81, 0x9a, + 0x18, 0x31, 0xbd, 0x78, 0xdb, 0xcd, 0xca, 0x08, 0xe2, 0x54, 0x7d, 0x15, + 0xc5, 0x79, 0x97, 0xbf, 0xab, 0x14, 0xdf, 0x61, 0x10, 0x1d, 0x1c, 0xae, + 0x10, 0x00, 0x0c, 0x06, 0x8b, 0x72, 0xdc, 0xff, 0xbe, 0xf7, 0x1f, 0xac, + 0x9c, 0x87, 0x36, 0x47, 0x72, 0x1f, 0x7f, 0x61, 0x3c, 0xee, 0xc8, 0x2b, + 0xaa, 0x24, 0x58, 0x93, 0xdb, 0x71, 0x47, 0x81, 0xeb, 0xa5, 0x42, 0xfc, + 0x61, 0x2a, 0xf1, 0x70, 0xab, 0xdc, 0xe8, 0x94, 0x10, 0xcc, 0x0e, 0xb8, + 0xea, 0xaa, 0x1e, 0x62, 0xb4, 0x10, 0xc6, 0xa2, 0x25, 0xe7, 0x21, 0xff, + 0x71, 0x61, 0x04, 0xad, 0x54, 0x7c, 0x60, 0x60, 0x56, 0x4a, 0x0d, 0x1d, + 0x2d, 0x9e, 0x7c, 0x59, 0x4b, 0x8a, 0x40, 0xd3, 0x76, +}; +unsigned int IllformatKEK_auth_len = 2001; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c new file mode 100644 index 00000000..72bc0366 --- /dev/null +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -0,0 +1,260 @@ +/* Copyright 2019 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "secvar_common_test.c" +#include "../backend/edk2-compat.c" +#include "../secvar_util.c" +#include "../secvar_tpmnv.c" +#include "../../crypto/pkcs7/pkcs7.c" +#include +#include "edk2_test_data.h" + +const char *secvar_test_name = "edk2-compat"; + +struct platform platform; + +// Change to TSS-intercepting wrappers +#define ARBITRARY_TPMNV_SIZE 2048 +char *secboot_buffer; +static int secboot_read(void *dst, uint32_t src, uint32_t len) +{ + (void) src; // Don't need to use offset here + memcpy(dst, secboot_buffer, len); + return 0; +} + +static int secboot_write(uint32_t dst, void *src, uint32_t len) +{ + (void) dst; + memcpy(secboot_buffer, src, len); + return 0; +} + +int secvar_set_secure_mode(void) { return 0; }; + +int run_test() +{ + int rc = -1; + struct secvar_node *tmp; + int keksize; + int dbsize; + + // Check pre-process creates the empty variables + ASSERT(0 == list_length(&variable_bank)); + rc = edk2_compat_pre_process(); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(4 == list_length(&variable_bank)); + + // Add PK to update and .process() + printf("Add PK"); + tmp = alloc_secvar(PK_auth_len); + memcpy(tmp->var->key, "PK", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, PK_auth, PK_auth_len); + tmp->var->data_size = PK_auth_len; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + ASSERT(PK_auth_len > tmp->var->data_size); // esl should be smaller without auth + ASSERT(!is_setup_mode()); + + // Add db, should fail with no KEK + printf("Add db"); + dbsize = sizeof(DB_auth); + tmp = alloc_secvar(dbsize); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, DB_auth, dbsize); + tmp->var->data_size = dbsize; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->var->data_size); // Should still be empty + + printf("Add KEK"); + // Add valid KEK, .process(), should succeed + + tmp = alloc_secvar(ValidKEK_auth_len); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, ValidKEK_auth, ValidKEK_auth_len); + tmp->var->data_size = ValidKEK_auth_len; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add db, .process(), should succeed + printf("Add db again\n"); + dbsize = sizeof(DB_auth); + tmp = alloc_secvar(dbsize); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, DB_auth, dbsize); + tmp->var->data_size = dbsize; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + printf("tmp is %s\n", tmp->var->key); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add invalid KEK, .process(), should fail + printf("Add invalid KEK\n"); + keksize = sizeof(InvalidKEK_auth); + tmp = alloc_secvar(keksize); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, InvalidKEK_auth, keksize); + tmp->var->data_size = keksize; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add ill formatted KEK, .process(), should fail + printf("Add invalid KEK\n"); + keksize = sizeof(IllformatKEK_auth); + tmp = alloc_secvar(keksize); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, IllformatKEK_auth, keksize); + tmp->var->data_size = keksize; + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(4 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + return 0; +} + +static int run_edk2_tpmnv_test(void) +{ + int size, rc; + char *tmp; + + size = secvar_tpmnv_size(TPMNV_ID_EDK2_PK); + ASSERT(size > 0); + ASSERT(size < 1024); + tmp = malloc(size); + rc = secvar_tpmnv_read(TPMNV_ID_EDK2_PK, tmp, size, 0); + ASSERT(OPAL_SUCCESS == rc); + // memcmp here? + + free(tmp); + tmp = NULL; // Going to reuse this pointer later... + + clear_bank_list(&variable_bank); + ASSERT(0 == list_length(&variable_bank)); + + rc = edk2_p9_load_pk(); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(1 == list_length(&variable_bank)); + + // Now lets double check that write is working... + memset(secboot_buffer, 0, ARBITRARY_TPMNV_SIZE); + + rc = edk2_p9_write_pk(); + ASSERT(OPAL_SUCCESS == rc); + + for (tmp = secboot_buffer; + tmp <= secboot_buffer + ARBITRARY_TPMNV_SIZE; + tmp++) + if (*tmp != '\0') + return 0; // Something was written + + // Buffer was still empty + return 1; +} + +int main(void) +{ + int rc; + + list_head_init(&variable_bank); + list_head_init(&update_bank); + + secvar_storage.max_var_size = 4096; + + // Run as a generic platform using whatever storage + proc_gen = 0; + rc = run_test(); + if (rc) + goto out_bank; + + clear_bank_list(&variable_bank); + clear_bank_list(&update_bank); + ASSERT(0 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + printf("PASSED FIRST TEST\n"); + + // Run as "p9" and use the TPM for pk + // TODO: Change to TSS stubs when this matters + platform.secboot_read = secboot_read; + platform.secboot_write = secboot_write; + secboot_buffer = zalloc(ARBITRARY_TPMNV_SIZE); + + proc_gen = proc_gen_p9; + rc = run_test(); + if (rc) + goto out; + + // Check that PK was actually written to "TPM" and load it + rc = run_edk2_tpmnv_test(); + +out: + free(secboot_buffer); +out_bank: + clear_bank_list(&variable_bank); + clear_bank_list(&update_bank); + + return rc; +} diff --git a/libstb/secvar/test/secvar_common_test.c b/libstb/secvar/test/secvar_common_test.c index fbc23145..13371bd6 100644 --- a/libstb/secvar/test/secvar_common_test.c +++ b/libstb/secvar/test/secvar_common_test.c @@ -4,6 +4,8 @@ #define SECBOOT_FILE "secboot.img" #define SECBOOT_SIZE 128000 +#define HAVE_LITTLE_ENDIAN 1 + #include #include #include From patchwork Wed Dec 4 00:06:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1203931 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47SK3Z2zBVz9s4Y for ; Wed, 4 Dec 2019 11:09:46 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47SK3Z1plmzDqLw for ; Wed, 4 Dec 2019 11:09:46 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47SK0g34c8zDqMd for ; Wed, 4 Dec 2019 11:07:15 +1100 (AEDT) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB3NWEij114579 for ; Tue, 3 Dec 2019 19:07:12 -0500 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wntcsr1k0-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Dec 2019 19:07:12 -0500 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 4 Dec 2019 00:07:10 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 4 Dec 2019 00:07:07 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xB4074Ms40042666 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Dec 2019 00:07:04 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8ADC2A4053; Wed, 4 Dec 2019 00:07:04 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5DB13A4040; Wed, 4 Dec 2019 00:07:03 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.225.147]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 4 Dec 2019 00:07:03 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 3 Dec 2019 18:06:50 -0600 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191204000650.28649-1-erichte@linux.ibm.com> References: <20191204000650.28649-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19120400-0016-0000-0000-000002D0A7C5 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19120400-0017-0000-0000-00003332A481 Message-Id: <20191204000650.28649-8-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-03_07:2019-12-02, 2019-12-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 bulkscore=0 adultscore=0 mlxlogscore=804 clxscore=1015 priorityscore=1501 spamscore=0 mlxscore=0 malwarescore=0 suspectscore=1 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912030171 Subject: [Skiboot] [PATCH 7/7] witherspoon: enable secvar for witherspoon platform X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com, gcwilson@linux.ibm.com, erpalmer@us.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Secure variable support needs to be enabled for each platform, and each platform needs to select which storage and backend drivers to use (or alternatively implement their own). This patch adds secure variable support to the witherspoon platform. Signed-off-by: Eric Richter --- platforms/astbmc/witherspoon.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/platforms/astbmc/witherspoon.c b/platforms/astbmc/witherspoon.c index 8aaed975..5fcb4fb4 100644 --- a/platforms/astbmc/witherspoon.c +++ b/platforms/astbmc/witherspoon.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "astbmc.h" #include "ast.h" @@ -481,6 +482,11 @@ static void witherspoon_finalise_dt(bool is_reboot) } } +static int witherspoon_secvar_init(void) +{ + return secvar_main(secboot_tpm_driver, edk2_compatible_v1); +} + /* The only difference between these is the PCI slot handling */ DECLARE_PLATFORM(witherspoon) = { @@ -502,4 +508,5 @@ DECLARE_PLATFORM(witherspoon) = { .ocapi = &witherspoon_ocapi, .npu2_device_detect = witherspoon_npu2_device_detect, .op_display = op_display_lpc, + .secvar_init = witherspoon_secvar_init, };