From patchwork Mon Jun 28 19:37:29 2021
X-Patchwork-Submitter: Nick Child
X-Patchwork-Id: 1498108
From: Nick Child
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Jun 2021 15:37:29 -0400
Message-Id: <20210628193732.109871-2-nick.child@ibm.com>
In-Reply-To: <20210628193732.109871-1-nick.child@ibm.com>
Subject: [Skiboot] [PATCH v2 1/4] secvar: ensure ESL buf size is at least what ESL header expects

Currently, `get_esl_cert` receives a data buffer containing an ESL and its length. It is to return a data buffer of the certificate that is contained inside the ESL. The ESL has header info that contains the certificate's `size` and the size of the header (`sig_data_offset`). We use this information to copy `size` bytes starting `sig_data_offset` bytes after the given ESL buffer.

Currently we are checking that the length of the ESL buffer is at least `sig_data_offset` bytes but we are not checking that it also has enough bytes to contain `size` bytes of the certificate. This becomes problematic if some data at the end of the ESL gets lost. Since the ESL claims it has more than it actually does, this will lead to a buffer over-read. What is even worse is that this buffer over-read can go unnoticed since the last 256 bytes of the ESL are usually the x509 2048-bit signature, so the extra garbage bytes that are copied will appear to be a valid RSA signature.

To resolve this, this commit ensures that the ESL buffer length is large enough to hold the data that it claims it contains.

Lastly, a new test case is added to test the described condition.
It includes a new test file `trimmedKEK.h` which contains a struct of a valid KEK auth file minus 5 bytes, therefore making it invalid.

Signed-off-by: Nick Child
Reviewed-by: Daniel Axtens
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
---
 libstb/secvar/backend/edk2-compat-process.c | 4 +-
 libstb/secvar/test/data/trimmedKEK.h | 161 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c | 16 ++
 3 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 libstb/secvar/test/data/trimmedKEK.h
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 244f2340..e1101a4c 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -135,8 +135,10 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert) sig_data_offset = sizeof(EFI_SIGNATURE_LIST) + le32_to_cpu(list->SignatureHeaderSize) + 16 * sizeof(uint8_t); - if (sig_data_offset > buflen) + if (sig_data_offset + size > buflen) { + prlog(PR_ERR, "Number of bytes of ESL data is less than size specified\n"); return OPAL_PARAMETER; + } *cert = zalloc(size); if (!(*cert))
diff --git a/libstb/secvar/test/data/trimmedKEK.h b/libstb/secvar/test/data/trimmedKEK.h
new file mode 100644
index 00000000..6600d254
--- /dev/null
+++ b/libstb/secvar/test/data/trimmedKEK.h
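Review bot: The replacement condition `if (sig_data_offset + size > buflen)` in get_esl_cert adds two header-derived quantities before comparing, so it is only sound if that sum cannot wrap; with a 64-bit `size_t` and 32-bit header fields it cannot, but `if (sig_data_offset > buflen || size > buflen - sig_data_offset)` expresses the same bound without depending on that and keeps the original offset test readable on its own. The new prlog message would also be easier to act on if it printed what was claimed against what was supplied (for example the values of `sig_data_offset + size` and `buflen`), since a truncated update is otherwise only reported as "less than size specified".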
@@ -0,0 +1,161 @@ +unsigned char trimmedKEK_auth[] = { +0xe4 ,0x07 ,0x09 ,0x0e ,0x0e ,0x22 ,0x2e ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 +,0xd3 ,0x05 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49 +,0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7 ,0x30 ,0x82 ,0x05 ,0xb7 ,0x06 ,0x09 ,0x2a ,0x86 +,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0 ,0x82 ,0x05 ,0xa8 ,0x30 ,0x82 ,0x05 ,0xa4 ,0x02 +,0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 +,0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01 +,0xa0 ,0x82 ,0x03 ,0xca ,0x30 ,0x82 ,0x03 ,0xc6 ,0x30 ,0x82 ,0x02 ,0xae ,0xa0 ,0x03 ,0x02 ,0x01 +,0x02 ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8 ,0xeb ,0x30 ,0x0d ,0x06 ,0x09 +,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x78 ,0x31 ,0x0b ,0x30 +,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 +,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 +,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 +,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 +,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 +,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d +,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 +,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 +,0x35 ,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 +,0x35 ,0x30 ,0x32 ,0x30 ,0x5a ,0x30 ,0x78 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 +,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 
+,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 +,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 +,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 +,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f +,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e +,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 +,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 +,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 +,0xaf ,0xca ,0xd3 ,0xaa ,0xb0 ,0xc7 ,0xb5 ,0x2e ,0x3b ,0x12 ,0x27 ,0x68 ,0x2d ,0x90 ,0x17 ,0xc4 +,0x21 ,0x93 ,0x58 ,0x53 ,0xd7 ,0xa6 ,0x2f ,0x40 ,0xfa ,0x37 ,0x8e ,0x7a ,0x85 ,0x5b ,0xd3 ,0xa8 +,0x9d ,0xac ,0xa1 ,0x6a ,0x52 ,0xeb ,0x07 ,0x05 ,0x8c ,0x74 ,0x00 ,0xbe ,0xa6 ,0x54 ,0x1b ,0x1d +,0x73 ,0xa9 ,0x41 ,0x67 ,0xfd ,0xd4 ,0xdb ,0xcd ,0x49 ,0xed ,0x63 ,0x29 ,0x97 ,0xb5 ,0x6d ,0xea +,0x69 ,0xbc ,0x24 ,0x2c ,0x1b ,0x09 ,0x32 ,0x09 ,0x65 ,0x99 ,0xc4 ,0xd0 ,0x76 ,0x9a ,0x07 ,0xd9 +,0x69 ,0x5e ,0x30 ,0xbe ,0x6f ,0x67 ,0x0b ,0xa4 ,0x90 ,0xe0 ,0x3e ,0xd7 ,0xf9 ,0xe8 ,0xb6 ,0x20 +,0xc6 ,0xd8 ,0x4e ,0xfd ,0x7e ,0x3f ,0x6f ,0xf3 ,0x97 ,0x09 ,0x82 ,0xec ,0x81 ,0x53 ,0x10 ,0x32 +,0x8c ,0xa8 ,0xfe ,0xf4 ,0x77 ,0x48 ,0x0d ,0x84 ,0x83 ,0x14 ,0xeb ,0xa4 ,0x75 ,0xaa ,0x30 ,0x03 +,0x3a ,0xa5 ,0x54 ,0x7e ,0xb3 ,0x2e ,0x2b ,0x95 ,0xcf ,0x4d ,0x8c ,0x67 ,0x6d ,0xf1 ,0x48 ,0xc1 +,0x96 ,0x0b ,0xb2 ,0x2d ,0x07 ,0x27 ,0x65 ,0xa3 ,0x3b ,0x96 ,0x76 ,0xc4 ,0xa9 ,0x2c ,0x65 ,0xcb +,0xa4 ,0xaf ,0x75 ,0xec ,0x7c ,0x90 ,0x3a ,0x8e ,0x78 ,0xa6 ,0xa5 ,0x4a ,0x99 ,0x79 ,0x51 ,0x20 +,0x60 ,0x67 ,0x9a ,0xc8 ,0x96 ,0x03 ,0xa1 ,0x98 ,0xfc ,0x88 ,0x24 ,0x50 ,0xaf ,0xb7 ,0x30 ,0xb7 +,0x68 ,0x8a ,0x83 ,0xbc ,0x62 ,0xff ,0x93 ,0x70 ,0xc7 
,0x72 ,0xf3 ,0x95 ,0x48 ,0xf1 ,0x9c ,0x5e +,0x1a ,0x66 ,0x2e ,0xa1 ,0x1d ,0x4a ,0xf7 ,0x9d ,0x04 ,0x52 ,0xdd ,0x19 ,0xfe ,0x1e ,0x4e ,0x2d +,0x9b ,0x9e ,0x6f ,0x7f ,0x0b ,0x93 ,0x0b ,0x3b ,0x08 ,0x81 ,0x68 ,0x9b ,0x0d ,0x45 ,0xf7 ,0xd6 +,0x75 ,0xf7 ,0xb6 ,0xbf ,0xa9 ,0x63 ,0x24 ,0xab ,0x92 ,0x38 ,0x3a ,0xac ,0x04 ,0x69 ,0x14 ,0x7f +,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e +,0x04 ,0x16 ,0x04 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d ,0xfe +,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5 ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 +,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0x89 ,0x84 ,0xb5 ,0xcf ,0x3e ,0x9d ,0xde ,0xca ,0x8c ,0xc8 ,0x2d +,0xfe ,0x7e ,0xee ,0x66 ,0x79 ,0xeb ,0x21 ,0xfc ,0xe5 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 +,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 +,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x37 ,0xba +,0x93 ,0xe4 ,0x7e ,0xcd ,0xb2 ,0xa4 ,0xe2 ,0x75 ,0x37 ,0x53 ,0xbc ,0x43 ,0x47 ,0xc9 ,0x94 ,0x51 +,0xa9 ,0x14 ,0x28 ,0x0a ,0xa6 ,0xa1 ,0x90 ,0x0a ,0xbc ,0x50 ,0x67 ,0x85 ,0x47 ,0xb7 ,0xfc ,0xe3 +,0xd5 ,0x45 ,0xde ,0x89 ,0x99 ,0x46 ,0xba ,0xff ,0x32 ,0x45 ,0x70 ,0x22 ,0x84 ,0x9e ,0x35 ,0x9c +,0x0a ,0xea ,0x63 ,0xf5 ,0xc7 ,0x7c ,0xe0 ,0xc1 ,0x9f ,0xb1 ,0xb6 ,0xe0 ,0xc1 ,0x1c ,0xb1 ,0xba +,0xeb ,0x6d ,0x53 ,0xde ,0xb2 ,0xf9 ,0xf8 ,0x4a ,0x2c ,0x48 ,0xf4 ,0x12 ,0xcb ,0x26 ,0x3c ,0xe9 +,0x1c ,0xb1 ,0xd3 ,0x36 ,0x48 ,0xa4 ,0xec ,0x24 ,0x35 ,0xf3 ,0x47 ,0xa9 ,0xf7 ,0xe1 ,0xfb ,0x38 +,0xf0 ,0x23 ,0x46 ,0x02 ,0xf5 ,0x76 ,0xd1 ,0x39 ,0xf9 ,0x58 ,0x50 ,0x5c ,0xe9 ,0x39 ,0xa8 ,0x97 +,0x41 ,0x66 ,0xa0 ,0x8a ,0xb2 ,0xd9 ,0x83 ,0x2d ,0xed ,0xb0 ,0x49 ,0x2b ,0x6a ,0xc4 ,0xd8 ,0x37 +,0xc0 ,0x6f ,0x51 ,0xab ,0x46 ,0x26 ,0x0f ,0x90 ,0x2b ,0x63 ,0xc2 ,0x87 ,0x75 ,0xaa ,0x47 ,0xbc +,0xbe ,0x9d ,0x54 ,0x17 ,0x54 ,0xa0 ,0x7c ,0x1b ,0x58 ,0x82 ,0x3f ,0x44 ,0x0b ,0xc1 ,0xa6 ,0xcc +,0xe2 ,0x53 
,0xde ,0x6e ,0xf7 ,0x52 ,0x0d ,0x83 ,0xb7 ,0x03 ,0xfd ,0xed ,0x4c ,0xc3 ,0x76 ,0xe6 +,0x14 ,0xb9 ,0xc9 ,0x45 ,0xc0 ,0x40 ,0x45 ,0x4a ,0x70 ,0x40 ,0xe6 ,0x1a ,0x10 ,0x76 ,0x0c ,0xab +,0x2b ,0x9e ,0xe9 ,0xfd ,0x29 ,0xcb ,0xf8 ,0xce ,0x11 ,0xf7 ,0x27 ,0x43 ,0xbb ,0xcd ,0xba ,0x22 +,0x5b ,0x61 ,0x5f ,0x63 ,0x16 ,0xb3 ,0x2b ,0x83 ,0x75 ,0x98 ,0x2e ,0xca ,0x0a ,0x9e ,0x8c ,0x5a +,0xd5 ,0x77 ,0xb5 ,0xa2 ,0x74 ,0xeb ,0x94 ,0x4f ,0x8f ,0xf6 ,0xc3 ,0x30 ,0x9c ,0xf4 ,0x6e ,0x9b +,0x5d ,0xd7 ,0x0f ,0x43 ,0x16 ,0xba ,0x5e ,0xa3 ,0xe3 ,0x8b ,0x8f ,0x74 ,0x27 ,0xaf ,0x31 ,0x82 +,0x01 ,0xb1 ,0x30 ,0x82 ,0x01 ,0xad ,0x02 ,0x01 ,0x01 ,0x30 ,0x81 ,0x85 ,0x30 ,0x78 ,0x31 ,0x0b +,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 +,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 +,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 ,0x6e ,0x31 ,0x0c ,0x30 ,0x0a +,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 +,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 +,0x03 ,0x0c ,0x02 ,0x50 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 +,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 +,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x02 ,0x09 ,0x00 ,0xda ,0xf3 ,0xf9 ,0x20 ,0x41 ,0x00 ,0xa8 +,0xeb ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 ,0x00 +,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x04 +,0x82 ,0x01 ,0x00 ,0x9a ,0x63 ,0x09 ,0xe0 ,0x7f ,0xb8 ,0x20 ,0xd5 ,0x19 ,0x63 ,0x05 ,0x37 ,0x22 +,0x8d ,0xe4 ,0x03 ,0x0e ,0xd1 ,0x62 ,0x05 ,0x90 ,0xb4 ,0x49 ,0x9b ,0x03 ,0x1c ,0x4b ,0xd8 ,0x0f +,0x0f ,0xf5 ,0x43 ,0x17 ,0xe9 ,0xf6 ,0xb4 ,0x5f ,0x41 ,0x0f ,0xc1 ,0x7e ,0x92 ,0x5d ,0x39 ,0x53 +,0xd7 ,0x5c ,0x7a ,0x0b ,0x00 ,0x71 ,0x62 ,0x29 ,0x7c ,0xb2 ,0xf7 ,0x85 
,0xc6 ,0x77 ,0x34 ,0x9c +,0x6c ,0xdc ,0x08 ,0x8d ,0x11 ,0x93 ,0x5c ,0x8c ,0x0d ,0x76 ,0xc0 ,0x27 ,0xc2 ,0x1f ,0x15 ,0x32 +,0x72 ,0xdc ,0xff ,0xfc ,0xf1 ,0x56 ,0xbd ,0x82 ,0xe4 ,0xe4 ,0xc0 ,0xbd ,0x76 ,0xaa ,0x99 ,0x16 +,0x89 ,0x26 ,0x43 ,0x2c ,0xef ,0xa8 ,0xd4 ,0x2e ,0x01 ,0x77 ,0x13 ,0x32 ,0xbe ,0xdc ,0xea ,0xaf +,0xc0 ,0x18 ,0x4d ,0x90 ,0xb5 ,0x8d ,0x07 ,0xd7 ,0x86 ,0x21 ,0x71 ,0x3f ,0xf7 ,0x18 ,0xa9 ,0x41 +,0x3b ,0x97 ,0xf9 ,0x4f ,0xe8 ,0x3a ,0x91 ,0x8b ,0xe8 ,0xf1 ,0xae ,0x99 ,0x63 ,0x5d ,0xc1 ,0x63 +,0xc2 ,0x74 ,0xdf ,0xeb ,0x3e ,0x10 ,0xa5 ,0x34 ,0x24 ,0x95 ,0x1d ,0xba ,0xd2 ,0xa0 ,0xae ,0x78 +,0x94 ,0x0b ,0xfd ,0x75 ,0x4b ,0x55 ,0x4c ,0x1d ,0x75 ,0x91 ,0xc9 ,0xd0 ,0x1c ,0x48 ,0x01 ,0x84 +,0x35 ,0xbd ,0xcd ,0xbf ,0xbc ,0x5b ,0xd0 ,0x83 ,0xf4 ,0x0d ,0x19 ,0x4f ,0x9c ,0xa7 ,0xfe ,0x60 +,0x24 ,0x9b ,0x06 ,0x9d ,0x7e ,0xe5 ,0x3b ,0x69 ,0x7f ,0x6a ,0x09 ,0x73 ,0xb9 ,0x7d ,0x23 ,0x70 +,0x6e ,0x70 ,0x5e ,0x20 ,0x67 ,0xda ,0x65 ,0xfe ,0x27 ,0x07 ,0x27 ,0xee ,0x38 ,0x22 ,0xd1 ,0x12 +,0x94 ,0xf6 ,0x8c ,0x14 ,0x95 ,0xd7 ,0x8e ,0xc6 ,0x43 ,0x71 ,0xc1 ,0xcf ,0x96 ,0xcb ,0x7b ,0xa7 +,0x98 ,0x7b ,0x83 ,0x65 ,0x2c ,0xd9 ,0x9f ,0xb3 ,0xff ,0x05 ,0xa3 ,0x70 ,0xc0 ,0x52 ,0x8c ,0xf3 +,0x2c ,0x2e ,0x3d ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4 ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 ,0x5c +,0x2b ,0xf0 ,0x72 ,0xf8 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xdc ,0x03 ,0x00 ,0x00 ,0x00 +,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 +,0x82 ,0x03 ,0xc8 ,0x30 ,0x82 ,0x02 ,0xb0 ,0xa0 ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 ,0xb0 +,0x40 ,0xaf ,0x25 ,0xfd ,0xbc ,0xd9 ,0xb1 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 +,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x79 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 +,0x06 ,0x13 ,0x02 ,0x55 ,0x53 ,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 +,0x54 ,0x65 ,0x78 ,0x61 ,0x73 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 +,0x41 ,0x75 ,0x73 ,0x74 ,0x69 
,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c +,0x03 ,0x49 ,0x42 ,0x4d ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c +,0x54 ,0x43 ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b +,0x31 ,0x1f ,0x30 ,0x1d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 +,0x10 ,0x6e ,0x61 ,0x79 ,0x6e ,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f +,0x6d ,0x30 ,0x1e ,0x17 ,0x0d ,0x32 ,0x30 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35 +,0x35 ,0x5a ,0x17 ,0x0d ,0x32 ,0x31 ,0x30 ,0x39 ,0x31 ,0x34 ,0x31 ,0x35 ,0x35 ,0x30 ,0x35 ,0x35 +,0x5a ,0x30 ,0x79 ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 ,0x06 ,0x13 ,0x02 ,0x55 ,0x53 +,0x31 ,0x0e ,0x30 ,0x0c ,0x06 ,0x03 ,0x55 ,0x04 ,0x08 ,0x0c ,0x05 ,0x54 ,0x65 ,0x78 ,0x61 ,0x73 +,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x03 ,0x55 ,0x04 ,0x07 ,0x0c ,0x06 ,0x41 ,0x75 ,0x73 ,0x74 ,0x69 +,0x6e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0a ,0x0c ,0x03 ,0x49 ,0x42 ,0x4d ,0x31 +,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x0b ,0x0c ,0x03 ,0x4c ,0x54 ,0x43 ,0x31 ,0x0c ,0x30 +,0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x31 ,0x1f ,0x30 ,0x1d ,0x06 +,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x09 ,0x01 ,0x16 ,0x10 ,0x6e ,0x61 ,0x79 ,0x6e +,0x6a ,0x61 ,0x69 ,0x6e ,0x40 ,0x69 ,0x62 ,0x6d ,0x2e ,0x63 ,0x6f ,0x6d ,0x30 ,0x82 ,0x01 ,0x22 +,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 +,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xc1 ,0xeb ,0xb8 +,0xf7 ,0x3f ,0x53 ,0xb6 ,0xa1 ,0x8a ,0x3f ,0xca ,0x99 ,0x56 ,0xbc ,0x3b ,0xdf ,0xbf ,0x70 ,0x0a +,0x78 ,0x5b ,0x06 ,0xc1 ,0xeb ,0xbe ,0x4e ,0xd7 ,0xd9 ,0xe9 ,0x57 ,0x1f ,0xc4 ,0xf4 ,0xe5 ,0x78 +,0xb6 ,0x14 ,0xda ,0x87 ,0x43 ,0x31 ,0xad ,0x6d ,0x9f ,0xae ,0x6c ,0x44 ,0xe3 ,0x12 ,0xe4 ,0xf1 +,0xa4 ,0x81 ,0xf8 ,0x7d ,0x09 ,0x0e ,0xa6 ,0x6a ,0xe1 ,0xf7 ,0xcb ,0xe9 ,0x63 ,0xd6 ,0xd6 
,0x58 +,0x28 ,0x10 ,0xf2 ,0xb9 ,0xcf ,0xd7 ,0x85 ,0x95 ,0x0b ,0x24 ,0x51 ,0xe8 ,0x5a ,0x08 ,0x74 ,0xbc +,0x42 ,0x9b ,0xd6 ,0x84 ,0xcd ,0x5e ,0xe5 ,0x61 ,0x83 ,0x7c ,0x5f ,0x0e ,0x3a ,0x9d ,0x3d ,0x6d +,0x84 ,0xe2 ,0xc0 ,0x26 ,0x64 ,0x35 ,0x80 ,0x6c ,0xb1 ,0x37 ,0x72 ,0x38 ,0x00 ,0xa0 ,0x90 ,0x51 +,0xd3 ,0x64 ,0x01 ,0x62 ,0x70 ,0xf8 ,0xa4 ,0xe4 ,0xc8 ,0x87 ,0x4c ,0xe1 ,0x76 ,0xd7 ,0xe6 ,0xbf +,0xed ,0x08 ,0xba ,0xde ,0x42 ,0x90 ,0x00 ,0xb7 ,0x19 ,0x81 ,0x91 ,0xd0 ,0x18 ,0xcb ,0x03 ,0xe6 +,0xf5 ,0xf9 ,0x31 ,0x2b ,0x56 ,0xc3 ,0x21 ,0x39 ,0x4d ,0x9a ,0x63 ,0x0a ,0xb7 ,0x1c ,0xa9 ,0xdc +,0xce ,0xa9 ,0xc4 ,0xe0 ,0x0a ,0xa4 ,0x53 ,0x8f ,0x78 ,0xd1 ,0xc0 ,0x3f ,0xc2 ,0x8e ,0x8a ,0x37 +,0x52 ,0x42 ,0x60 ,0x97 ,0xb3 ,0x53 ,0xaa ,0xa4 ,0x4f ,0x98 ,0x7e ,0xa5 ,0x2a ,0xe1 ,0x52 ,0xfa +,0x9f ,0xc1 ,0x32 ,0xf7 ,0x15 ,0x12 ,0x62 ,0x6b ,0x5a ,0x4d ,0xfe ,0x22 ,0x8d ,0x88 ,0x87 ,0xfd +,0x83 ,0x2f ,0xaa ,0x1a ,0xb8 ,0xad ,0x3d ,0x4f ,0xdc ,0xe0 ,0x39 ,0x8b ,0x88 ,0xed ,0xc6 ,0xf5 +,0xee ,0x32 ,0xea ,0xd6 ,0x25 ,0xcf ,0x91 ,0x66 ,0x77 ,0x4c ,0xa1 ,0x0c ,0x6a ,0x7b ,0x6e ,0xb2 +,0x72 ,0xa8 ,0xf4 ,0xc7 ,0xeb ,0xa4 ,0x91 ,0xda ,0x5d ,0x14 ,0xf9 ,0x9e ,0xe9 ,0x02 ,0x03 ,0x01 +,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 +,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25 ,0xcf ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad ,0xb1 +,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 +,0x80 ,0x14 ,0x78 ,0x48 ,0xa9 ,0x71 ,0x20 ,0x25 ,0xcf ,0x26 ,0xe8 ,0x18 ,0x91 ,0x75 ,0xd6 ,0xad +,0xb1 ,0x5f ,0x7f ,0x6b ,0x7f ,0x6d ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff +,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 +,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x7a ,0xc8 ,0xc9 ,0x0e ,0x45 +,0x1c ,0xa6 ,0xce ,0xd5 ,0xdb ,0x9c ,0x5d ,0x95 ,0x8b ,0x8b ,0xbc ,0x90 ,0xca ,0x98 ,0xd1 ,0xe9 +,0x4b ,0xfb ,0xf3 ,0xef ,0x48 ,0xb0 ,0x9e ,0x0d 
,0x95 ,0x0f ,0x3a ,0xa0 ,0xb6 ,0x93 ,0x9f ,0xc6 +,0xf7 ,0xca ,0xca ,0xf1 ,0x04 ,0x90 ,0x4d ,0x6b ,0x57 ,0xc1 ,0xe5 ,0x85 ,0xfd ,0x87 ,0x09 ,0xe5 +,0xaf ,0x98 ,0x89 ,0x32 ,0x27 ,0x35 ,0x85 ,0xcf ,0xe1 ,0x1f ,0xaf ,0xc0 ,0x8c ,0x3f ,0x2a ,0xba +,0xa4 ,0xfc ,0xaa ,0x40 ,0x02 ,0x7c ,0x57 ,0xd9 ,0x73 ,0xc6 ,0xc0 ,0x59 ,0xcb ,0x47 ,0x71 ,0x07 +,0x1a ,0xfe ,0x46 ,0xb1 ,0x81 ,0x14 ,0x6b ,0xa5 ,0xeb ,0xe7 ,0x9c ,0x2b ,0x87 ,0xee ,0x72 ,0x96 +,0xe0 ,0xb0 ,0x11 ,0x86 ,0x33 ,0x95 ,0xdf ,0x6e ,0x9c ,0x3f ,0x0f ,0xc1 ,0x46 ,0x8c ,0x53 ,0x12 +,0xf1 ,0xd9 ,0xa8 ,0xee ,0x04 ,0xc5 ,0x71 ,0x52 ,0x22 ,0x13 ,0x0f ,0x91 ,0x0c ,0x73 ,0xca ,0x34 +,0xb1 ,0x36 ,0x5f ,0x8c ,0x2e ,0x0f ,0x3a ,0x04 ,0x42 ,0xfe ,0x45 ,0x82 ,0x29 ,0x56 ,0x5e ,0xe5 +,0x4c ,0xeb ,0x4b ,0xa6 ,0xe5 ,0xe0 ,0x1d ,0x74 ,0xc0 ,0x5a ,0x2f ,0x42 ,0xa5 ,0xf2 ,0x65 ,0xd5 +,0x4d ,0x3b ,0x22 ,0xd2 ,0x96 ,0x42 ,0xcf ,0xbd ,0xd7 ,0x8b ,0x37 ,0x7a ,0xb6 ,0xd9 ,0xd4 ,0xd7 +,0x45 ,0x47 ,0x3b ,0x3c ,0xb3 ,0xd9 ,0x29 ,0x69 ,0x91 ,0x7d ,0x4c ,0x06 ,0xad ,0x6c ,0xea ,0x62 +,0xf1 ,0xf7 ,0xec ,0x67 ,0xae ,0xd5 ,0x43 ,0xd0 ,0xab ,0xb8 ,0xbf ,0xa4 ,0x28 ,0xd4 ,0x75 ,0xd2 +,0x3f ,0x53 ,0x5d ,0xa8 ,0x09 ,0x46 ,0x89 ,0x7f ,0x84 ,0x36 ,0xad ,0x78 ,0x41 ,0x03 ,0xf4 ,0xc4 +,0x43 ,0x43 ,0xdc ,0x52 ,0xc6 ,0xff ,0xab ,0xd6 ,0x8c ,0x7f ,0xc0 ,0xab ,0x67 ,0x5b ,0x0b ,0xa9 +,0x6a ,0xd2 ,0x85 ,0x71 ,0x9f ,0xc2}; + +unsigned int trimmedKEK_auth_len = 2518; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 8259ffa1..a769863b 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -12,6 +12,7 @@ #include "./data/KEK.h" #include "./data/invalidkek.h" #include "./data/malformedkek.h" +#include "./data/trimmedKEK.h" #include "./data/db.h" #include "./data/dbsigneddata.h" #include "./data/OldTSKEK.h" 
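Review bot: trimmedKEK.h carries no comment recording how it was generated. The commit message says it is a valid KEK auth file minus 5 bytes, and the data bears that out (the WIN_CERTIFICATE dwLength near the start is 0x05d3 = 1491, so after the 16-byte timestamp the ESL begins at offset 1507 of the 2518-byte array and 1011 bytes follow it, while the EFI_SIGNATURE_LIST header in that tail still claims SignatureListSize 0x03f8 = 1016 and SignatureSize 0x03dc = 988), but a reader should not have to decode the hex to learn that. Suggest a header comment naming the source file, the 5 dropped bytes and the check the data is meant to trip. If the bytes are identical to the first 2518 of the existing KEK.h, the test could instead pass `KEK_auth` with `KEK_auth_len - 5` and the 2.5 KB near-duplicate array would not be needed.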
@@ -196,6 +197,21 @@ int run_test() tmp = find_secvar("db", 3, &variable_bank); ASSERT(NULL != tmp); + /* Add trimmed KEK, .process(), should fail. */ + printf("Add trimmed KEK\n"); + tmp = new_secvar("KEK", 4, trimmedKEK_auth, trimmedKEK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);
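Review bot: In the run_test hunk, `ASSERT(OPAL_PARAMETER == rc)` would also be satisfied by a process() failure unrelated to the new length check, since nothing in the test distinguishes the cause; a short comment above the block saying why the update must fail (the ESL header claims 1016 bytes but only 1011 are supplied, so `sig_data_offset + size > buflen`) documents the intent for whoever next touches this data. The `ASSERT(0 == tmp->data_size)` on the existing KEK entry after the failed process() is a good addition, as it shows the rejected update left the variable bank untouched. Minor: `printf("Add trimmed KEK\n")` ends with a newline while the neighbouring `printf("Add KEK")` does not.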
From patchwork Mon Jun 28 19:37:30 2021
X-Patchwork-Submitter: Nick Child
X-Patchwork-Id: 1498110
From: Nick Child
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Jun 2021 15:37:30 -0400
Message-Id: <20210628193732.109871-3-nick.child@ibm.com>
In-Reply-To: <20210628193732.109871-1-nick.child@ibm.com>
Subject: [Skiboot] [PATCH v2 2/4] secvar: Make `validate_esl_list` iterate through esl chain

Currently, the loop in validate_esl_list is not iterating through the ESL entries. As a consequence, all entries after the first are not being validated and can contain any data. In order to iterate, the pointer to the esl buffer must be incremented by the amount of already read bytes.

This commit also adds a new test case and file. The file is `multipletrimmedKEK.h`; the array is very similar to the one in `trimmedKEK.h` except this one only has an invalid ESL as the second ESL in the chain. This then tests the condition that this commit tests because only the second ESL is invalid.

Signed-off-by: Nick Child
Reviewed-by: Daniel Axtens
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
---
 libstb/secvar/backend/edk2-compat-process.c | 5 +-
 libstb/secvar/test/data/multipletrimmedKEK.h | 225 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c | 16 ++
 3 files changed, 243 insertions(+), 3 deletions(-)
 create mode 100644 libstb/secvar/test/data/multipletrimmedKEK.h
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index e1101a4c..7d83c912 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -260,11 +260,10 @@ int validate_esl_list(const char *key, const char *esl, const size_t size) int eslvarsize = size; int eslsize; int rc = OPAL_SUCCESS; - int offset = 0; EFI_SIGNATURE_LIST *list = NULL; while (eslvarsize > 0) { - prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset); + prlog(PR_DEBUG, "esl var size size is %d offset is %lu\n", eslvarsize, size - eslvarsize); if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) break; @@ -310,7 +309,7 @@ int validate_esl_list(const char *key, const char *esl, const size_t size) count++; /* Look for the next ESL */ - offset = offset + eslsize; + esl = esl + eslsize; eslvarsize = eslvarsize - eslsize; free(data); /* Since we are going to allocate again in the next iteration */ diff --git a/libstb/secvar/test/data/multipletrimmedKEK.h b/libstb/secvar/test/data/multipletrimmedKEK.h new file mode 100644 index 00000000..bff93bf0 --- /dev/null +++ b/libstb/secvar/test/data/multipletrimmedKEK.h 
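Review bot: In the second hunk, `esl = esl + eslsize;` now advances the pointer by a length read from the ESL header, and the hunk shows no check that `eslsize` is at most `eslvarsize` before the advance; `eslvarsize = eslvarsize - eslsize;` simply goes negative and ends the `while (eslvarsize > 0)` loop, but the pointer has already been moved past the end of the buffer. Unless that bound is enforced earlier in the function, add `if (eslsize > eslvarsize) return OPAL_PARAMETER;` ahead of the advance so an oversized `SignatureListSize` is rejected rather than stepped over. In the first hunk's prlog change, `size - eslvarsize` is a `size_t` (`size` is `const size_t`), so `%zu` is the specifier that matches on every target; `%lu` only happens to agree on LP64 builds.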
@@ -0,0 +1,225 @@ +unsigned char multipletrimmedKEK_auth[] = {
+ +unsigned int multipletrimmedKEK_auth_len = 3540; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index a769863b..93ade920 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c 
@@ -17,6 +17,7 @@ #include "./data/dbsigneddata.h" #include "./data/OldTSKEK.h" #include "./data/multipleKEK.h" +#include "./data/multipletrimmedKEK.h" #include "./data/multipleDB.h" #include "./data/multiplePK.h" #include "./data/dbx.h" 
@@ -336,6 +337,21 @@ int run_test() ASSERT(5 == list_length(&variable_bank)); ASSERT(0 == list_length(&update_bank)); + /* Add multiple KEK ESLs with one w one missing 5 bytes */ + printf("Add multiple KEK with one trimmed\n"); + tmp = new_secvar("KEK", 4, multipletrimmedKEK_auth, multipletrimmedKEK_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->data_size); + /* Add multiple KEK ESLs, one of them should sign the db. */ printf("Add multiple KEK\n"); tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0);
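Review bot: the new prlog in the validate_esl_list hunk passes a size_t (`size - eslvarsize`) to `%lu`; that is only correct where `unsigned long` and `size_t` coincide, so use `%zu`. `eslvarsize` is also still a signed `int` here, so the subtraction mixes signed and unsigned, and if an oversized `eslsize` ever drove `eslvarsize` negative the `while (eslvarsize > 0)` loop would simply exit with rc still OPAL_SUCCESS. The pointer advance itself, `esl = esl + eslsize;`, is the right fix: as far as the visible context shows, the old `offset` was only ever printed, so every iteration re-parsed the first ESL.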
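Review bot: the new multipletrimmedKEK.h fixture carries no note on how it was produced. A comment above `unsigned char multipletrimmedKEK_auth[] = {` naming the source blob and which bytes were removed (the test comment says one ESL is short by 5 bytes) would let the fixture be regenerated when the KEK test certificates are rotated.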
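Review bot: in the test hunk, `/* Add multiple KEK ESLs with one w one missing 5 bytes */` has a duplicated phrase; "with one ESL missing 5 bytes" reads cleanly. The post-failure checks end with `ASSERT(0 != tmp->data_size);`, which would also hold if the trimmed update had been committed; comparing `tmp->data_size` (and the data) against the KEK committed earlier in the test would prove the variable bank was left untouched, which is the property the commit message is after.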
From: Nick Child
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Jun 2021 15:37:31 -0400
Message-Id: <20210628193732.109871-4-nick.child@ibm.com>
In-Reply-To: <20210628193732.109871-1-nick.child@ibm.com>
Subject: [Skiboot] [PATCH v2 3/4] secvar: return error if validate_esl has extra data

Currently, in `validate_esl_list`, the return code is initialized to zero (our success value). While looping through the ESLs in the submitted ESL chain, the loop will break if there is not enough data to meet minimum ESL requirements. This condition was not setting a return code, meaning that the successful return code can pass to the end of the function if there is extra data at the end of the ESL. As a consequence, any properly signed update can successfully commit any data (as long as it is less than the min size of an ESL) to the secvars.

This commit will return an error if the described condition is met. This means all data in the appended ESL of an auth file must be accounted for. No extra bytes can be added to the end since, on success, this data will become the updated secvar. Also, a test case has been added to ensure that this commit addresses the issue correctly.

Additionally, some changes have been made in `get_esl_signature_list` that add a check to the ESL size (which was being done outside of all of the function calls) and also combine its functionality with `get_esl_signature_list_size`. The purpose of this is for `get_esl_signature_list` to have at least some data checks and save repetitive code. The function now has a new set of input and output parameters as well as a different return value. All calling functions have been edited to respond to this change appropriately.

Lastly, some size variables in `verify_signature` and `validate_esl_list` have been edited from being type integer to an unsigned type that better matches their specifications.

Signed-off-by: Nick Child
---
 libstb/secvar/backend/edk2-compat-process.c | 82 +++++++++-----------
 libstb/secvar/test/secvar-test-edk2-compat.c | 15 ++++
 2 files changed, 52 insertions(+), 45 deletions(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 7d83c912..ff445d45 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -85,27 +85,28 @@ static void get_key_authority(const char *ret[3], const char *key) ret[i] = NULL; } -static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen) +static int get_esl_signature_list(const char *buf, size_t buflen, EFI_SIGNATURE_LIST** list, uint32_t *list_size) { - EFI_SIGNATURE_LIST *list = NULL; + EFI_SIGNATURE_LIST *list_tmp = NULL; if (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf) - return NULL; - - list = (EFI_SIGNATURE_LIST *)buf; - - return list; -} + return OPAL_PARAMETER; -/* Returns the size of the complete ESL. */ -static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen) -{ - EFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen); + list_tmp = (EFI_SIGNATURE_LIST *)buf; + /* Calculate the size of the ESL */ + *list_size = le32_to_cpu(list_tmp->SignatureListSize); - if (!list) + /* If could not extract the size or it is larger than available data */ + if (*list_size == 0 || *list_size > (uint32_t) buflen) { + prlog(PR_ERR, "Invalid size of the ESL: %u\n", + *list_size); return OPAL_PARAMETER; + } + + if (list != NULL) + *list = list_tmp; - return le32_to_cpu(list->SignatureListSize); + return OPAL_SUCCESS; } /* @@ -116,17 +117,20 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert) { size_t sig_data_offset; size_t size; - EFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen); + uint32_t list_size; + int rc; + EFI_SIGNATURE_LIST *list; - if (!list) - return OPAL_PARAMETER; + rc = get_esl_signature_list(buf, buflen, &list, &list_size); + if (rc) + return rc; assert(cert != NULL); size = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t); prlog(PR_DEBUG,"size of signature list size is %u\n", - le32_to_cpu(list->SignatureListSize)); + list_size); prlog(PR_DEBUG, "size of signature header size is %u\n", le32_to_cpu(list->SignatureHeaderSize)); prlog(PR_DEBUG, "size of signature size is %u\n", 
@@ -257,33 +261,24 @@ int validate_esl_list(const char *key, const char *esl, const size_t size) int count = 0; int dsize; char *data = NULL; - int eslvarsize = size; - int eslsize; + size_t eslvarsize = size; + uint32_t eslsize; int rc = OPAL_SUCCESS; EFI_SIGNATURE_LIST *list = NULL; while (eslvarsize > 0) { - prlog(PR_DEBUG, "esl var size size is %d offset is %lu\n", eslvarsize, size - eslvarsize); - if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) - break; - - /* Check Supported ESL Type */ - list = get_esl_signature_list(esl, eslvarsize); - - if (!list) - return OPAL_PARAMETER; - - /* Calculate the size of the ESL */ - eslsize = le32_to_cpu(list->SignatureListSize); - - /* If could not extract the size */ - if (eslsize <= 0) { - prlog(PR_ERR, "Invalid size of the ESL: %u\n", - le32_to_cpu(list->SignatureListSize)); + prlog(PR_DEBUG, "esl var size size is %zu offset is %zu\n", eslvarsize, size - eslvarsize); + if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) { + prlog(PR_ERR, "ESL has %zu unknown extra bytes\n", eslvarsize); rc = OPAL_PARAMETER; break; } + /* Check Supported ESL Type */ + rc = get_esl_signature_list(esl, eslvarsize, &list, &eslsize); + if (rc) + return rc; + /* Extract the certificate from the ESL */ dsize = get_esl_cert(esl, eslvarsize, &data); if (dsize < 0) { @@ -466,9 +461,9 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, int signing_cert_size; int rc = 0; char *errbuf; - int eslvarsize; + size_t eslvarsize; int eslsize; - int offset = 0; + size_t offset = 0; if (!auth) return OPAL_PARAMETER; 
@@ -485,18 +480,15 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, /* Variable is not empty */ while (eslvarsize > 0) { - prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset); + prlog(PR_DEBUG, "esl var size size is %zu offset is %zu\n", eslvarsize, offset); if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) break; /* Calculate the size of the ESL */ - eslsize = get_esl_signature_list_size(avar->data + offset, - eslvarsize); + rc = get_esl_signature_list(avar->data + offset, eslvarsize, NULL, &eslsize); /* If could not extract the size */ - if (eslsize <= 0) { - rc = OPAL_PARAMETER; + if (rc) break; - } /* Extract the certificate from the ESL */ signing_cert_size = get_esl_cert(avar->data + offset, diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 93ade920..d401f952 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c 
@@ -165,6 +165,21 @@ int run_test() ASSERT(5 == list_length(&variable_bank)); ASSERT(setup_mode); + /* Add PK with bad ESL. should fail since data is not big enough to be ESL*/ + printf("Add PK with invalid appended ESL"); + /* 1014 is length of appended ESL Header and its data */ + tmp = new_secvar("PK", 3, PK_auth, PK_auth_len - 1014 + sizeof(EFI_SIGNATURE_LIST) - 1, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(setup_mode); + + /* Add PK to update and .process(). */ printf("Add PK"); tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); From patchwork Mon Jun 28 19:37:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nick Child X-Patchwork-Id: 1498112 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=BRIoaNr9; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GDHvt1jjZz9sWd for ; Tue, 29 Jun 2021 
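Review bot: in the validate_esl_list hunk (`@@ -257`), `eslvarsize` becomes `size_t`, which changes the failure mode of the loop's advance by `eslsize` (the part of the loop body after `get_esl_cert()` is not shown): if `get_esl_signature_list()` can hand back an `eslsize` larger than `eslvarsize`, the unsigned subtraction wraps to a huge value and `while (eslvarsize > 0)` keeps reading past the buffer, where the old signed `int` went negative and stopped; a zero `eslsize`, previously rejected by the removed `if (eslsize <= 0)` check, would now leave the loop spinning without advancing. Either document above the call that `get_esl_signature_list()` rejects `eslsize == 0` and `eslsize > eslvarsize`, or add `if (eslsize == 0 || eslsize > eslvarsize) { rc = OPAL_PARAMETER; break; }` directly after the `if (rc) return rc;`.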
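Review bot: in the `@@ -466` hunk `int eslsize;` is left unchanged, while the validate_esl_list hunk changes its own `eslsize` to `uint32_t` and both functions pass `&eslsize` to `get_esl_signature_list()`; one of the two call sites therefore passes a pointer of the wrong signedness, which the compiler reports as an incompatible pointer type. Change this declaration to `uint32_t eslsize;` so both callers match the new out-parameter.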
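Review bot: in the `@@ -485` hunk, `if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) break;` still leaves `rc` at its initial 0, so a stored variable shorter than one ESL header exits the loop and verify_signature reports success without having checked a single ESL; the same condition in validate_esl_list now sets `rc = OPAL_PARAMETER` before breaking. Set an error code here as well before the `break` (patch 4/4 of this series does exactly that), and the `prlog(PR_DEBUG ...)` change to `%zu` for both `size_t` arguments is correct.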
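Review bot: in the `@@ -165` test hunk, the new "Add PK with invalid appended ESL" case assigns `rc = edk2_compat_process(...)` and never checks it, so the test passes whenever the bank lengths are unchanged, whether or not the new error path in validate_esl_list was taken; add an `ASSERT` on `rc` with the error code the process path is meant to return, as the `OPAL_INTERNAL_ERROR` assertion in patch 4/4 does. The comment "should fail since data is not big enough to be ESL" is also at odds with the first assertion, `ASSERT(0 == edk2_compat_validate(tmp))`, which expects validation to succeed; say explicitly that the failure is expected from `.process()`, not from `.validate()`. Minor: `printf("Add PK with invalid appended ESL")` has no trailing `\n` (the existing `printf("Add PK")` shares that habit, but the output runs into the next message).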
From: Nick Child
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Mon, 28 Jun 2021 15:37:32 -0400
Message-Id: <20210628193732.109871-5-nick.child@ibm.com>
In-Reply-To: <20210628193732.109871-1-nick.child@ibm.com>
References: <20210628193732.109871-1-nick.child@ibm.com>
X-Mailer: git-send-email 2.25.1
Subject: [Skiboot] [PATCH v2 4/4] secvar: return error if verify_signature runs out of ESLs

Currently, in `verify_signature`, the return code `rc` is initialized as 0 (our success value). While looping through the ESLs in the given secvar, the function will break if the remaining data in the secvar is not enough to contain another ESL. This break from the loop was not setting a return code; this means that the successful return code can pass to the end of the function if the first iteration meets this condition. In other words, if a current secvar has a size that is less than the minimum size for an ESL, then it will approve any update.

In response to this bug, this commit will return an error code if the described condition is met. Additionally, a test case has been added to ensure that this unlikely event is handled correctly.

Signed-off-by: Nick Child
---
 libstb/secvar/backend/edk2-compat-process.c | 5 +++-
 libstb/secvar/test/secvar-test-edk2-compat.c | 25 ++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index ff445d45..056367ee 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -481,8 +481,11 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, /* Variable is not empty */ while (eslvarsize > 0) { prlog(PR_DEBUG, "esl var size size is %zu offset is %zu\n", eslvarsize, offset); - if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) + if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) { + rc = OPAL_INTERNAL_ERROR; + prlog(PR_ERR, "ESL data is corrupted\n"); break; + } /* Calculate the size of the ESL */ rc = get_esl_signature_list(avar->data + offset, eslvarsize, NULL, &eslsize); diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index d401f952..f1420200 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -89,6 +89,7 @@ int run_test() { int rc = -1; struct secvar *tmp; + size_t tmp_size; char empty[64] = {0}; /* The sequence of test cases here is important to ensure that 
@@ -213,6 +214,30 @@ int run_test() tmp = find_secvar("db", 3, &variable_bank); ASSERT(NULL != tmp); + /* Add db, should fail with no KEK and invalid PK size */ + printf("Add db, corrupt PK"); + /* Somehow PK gets assigned wrong size */ + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + tmp_size = tmp->data_size; + tmp->data_size = sizeof(EFI_SIGNATURE_LIST) - 1; + tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_INTERNAL_ERROR == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + /* Restore PK data size */ + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + tmp->data_size = tmp_size; + /* Add trimmed KEK, .process(), should fail. */ printf("Add trimmed KEK\n"); tmp = new_secvar("KEK", 4, trimmedKEK_auth, trimmedKEK_auth_len, 0);
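Review bot: in the `@@ -481` hunk, the new `prlog(PR_ERR, "ESL data is corrupted\n")` carries no detail, while the equivalent path in validate_esl_list (patch 3/4) logs the leftover byte count, and the `PR_DEBUG` line directly above already has `eslvarsize` and `offset` in hand; log them here too (for example `"ESL data is corrupted: %zu bytes left at offset %zu\n"`) so a corrupted variable bank can be diagnosed from the log. Returning `OPAL_INTERNAL_ERROR` for bad stored data, versus `OPAL_PARAMETER` for the same condition on update data in validate_esl_list, is a reasonable distinction; a one-line comment stating it would stop a later cleanup from unifying the two.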
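Review bot: in the `@@ -213` test hunk, the comment "should fail with no KEK and invalid PK size" names two possible causes of failure, but the test asserts `OPAL_INTERNAL_ERROR == rc`, which only the corrupted-PK path produces; state in the comment that this path is the one expected to fire, so a future reordering of checks does not silently change what is tested. The PK `data_size` is restored only after the assertions pass, which is fine if `ASSERT` aborts the run, but deserves a note next to `/* Restore PK data size */`. Minor: `printf("Add db, corrupt PK")` lacks the trailing `\n` that `printf("Add trimmed KEK\n")` immediately below has.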