Message ID | 38e14531-46c6-4d15-8fa1-a1da65ff7282n@googlegroups.com |
---|---|
State | Changes Requested |
Delegated to: | Stefano Babic |
Series | swupdate_decrypt: add option to harden logging |
Hi Raimar,

the patch is malformed and I cannot apply, I get errors:

patching file Kconfig
patch: **** malformed patch at line 134: in

It looks like this is caused by the mail client. Can you resend it just using "git send e-mail --to swupdate@googlegroups.com <your patch>"?

Best regards,
Stefano Babic

On 18.07.23 16:51, 'R' via swupdate wrote:
> For streamed AES-CBC encrypted images, an adversary can target each
> 16-byte block of encrypted data within an image and decrypt it, if they
> can apply a huge amount of manipulated firmware updates and observe the
> logged messages. On average, 2048 update attempts are needed for each
> block.
>
> For use cases where this scenario poses a risk, a config option is
> introduced to suppress logging messages related to a hash mismatch and
> errors in the decryption finalization (padding) of a streamed image.
>
> Signed-off-by: Raimar Sandner <raimar.sandner@sick.de>
> ---
> Kconfig | 14 ++++++++++++++
> core/cpio_utils.c | 2 ++
> corelib/swupdate_decrypt.c | 2 ++
> corelib/swupdate_decrypt_mbedtls.c | 2 ++
> corelib/swupdate_decrypt_pkcs11.c | 4 ++++
> 5 files changed, 24 insertions(+)
>
> diff --git a/Kconfig b/Kconfig > index 85fa5fd..97bad2a 100644 > --- a/Kconfig > +++ b/Kconfig
> @@ -488,6 +488,20 @@ config ENCRYPTED_SW_DESCRIPTION > if this is set. It is a compile time option, and mix of plain and > encrypted sw-descriptions is not possible. > > +config ENCRYPTED_IMAGES_HARDEN_LOGGING > +bool "Harden logging for encrypted images" > +default n > +depends on ENCRYPTED_IMAGES > +help > + This option addresses a theoretical weakness of the AES-CBC encryption in > + combination with streamed images. An adversary can target each 16-byte > + block of encrypted data within an image and decrypt it, if they can > apply a > + huge amount of manipulated firmware updates and observe the logged > + messages. On average, 2048 update attempts are needed for each block. > + Select if this scenario poses a risk. If set, log messages related to a > + hash mismatch and errors in the decryption finalization (padding) of a > + streamed image are suppressed. > + > config PKCS11 > bool "Enable PKCS#11 cryptographic operations" > default n > diff --git a/core/cpio_utils.c b/core/cpio_utils.c > index a31f254..6f3a8c8 100644 > --- a/core/cpio_utils.c > +++ b/core/cpio_utils.c > @@ -632,8 +632,10 @@ static int __swupdate_copy(int fdin, unsigned char > *inbuf, void *out, size_t nby > hash_to_ascii(hash, hashstring); > hash_to_ascii(md_value, newhashstring); > > +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING > ERROR("HASH mismatch : %s <--> %s", > hashstring, newhashstring); > +#endif > ret = -EFAULT; > goto copyfile_exit; > } > diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c > index 9fa8dcb..dadf92a 100644 > --- a/corelib/swupdate_decrypt.c > +++ b/corelib/swupdate_decrypt.c 
> @@ -98,9 +98,11 @@ int swupdate_DECRYPT_final(struct swupdate_digest > *dgst, unsigned char *buf, > return -EINVAL; > > if (EVP_DecryptFinal_ex(SSL_GET_CTXDEC(dgst), buf, outlen) != 1) { > +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING > const char *reason = ERR_reason_error_string(ERR_peek_error()); > ERROR("Final: Decryption error 0x%lx, reason: %s", ERR_get_error(), > reason != NULL ? reason : "unknown"); > +#endif > return -EFAULT; > } > > diff --git a/corelib/swupdate_decrypt_mbedtls.c > b/corelib/swupdate_decrypt_mbedtls.c > index ffc6d9b..cccbe8d 100644 > --- a/corelib/swupdate_decrypt_mbedtls.c > +++ b/corelib/swupdate_decrypt_mbedtls.c > @@ -103,7 +103,9 @@ int swupdate_DECRYPT_final(struct swupdate_digest > *dgst, unsigned char *buf, > > error = mbedtls_cipher_finish(&dgst->mbedtls_cipher_context, buf, &olen); > if (error) { > +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING > ERROR("mbedtls_cipher_finish: %d", error); > +#endif > return -EFAULT; > } > *outlen = olen; > diff --git a/corelib/swupdate_decrypt_pkcs11.c > b/corelib/swupdate_decrypt_pkcs11.c > index 8a20ed4..63672c5 100644 > --- a/corelib/swupdate_decrypt_pkcs11.c > +++ b/corelib/swupdate_decrypt_pkcs11.c 
> @@ -156,13 +156,17 @@ int swupdate_DECRYPT_final(struct swupdate_digest > *dgst, unsigned char *buf, int > { > unsigned char last_oct = dgst->last_decr[AES_BLK_SIZE - 1]; > if (last_oct > AES_BLK_SIZE || last_oct == 0) { > +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING > ERROR("AES: Invalid PKCS#7 padding."); > +#endif > return -EFAULT; > } > > for (int i = 2; i <= last_oct; i++) { > if (dgst->last_decr[AES_BLK_SIZE - i] != last_oct) { > +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING > ERROR("AES: Invalid PKCS#7 padding."); > +#endif > return -EFAULT; > } > } > -- > 2.25.1
diff --git a/Kconfig b/Kconfig index 85fa5fd..97bad2a 100644 --- a/Kconfig +++ b/Kconfig @@ -488,6 +488,20 @@ config ENCRYPTED_SW_DESCRIPTION if this is set. It is a compile time option, and mix of plain and encrypted sw-descriptions is not possible. +config ENCRYPTED_IMAGES_HARDEN_LOGGING + bool "Harden logging for encrypted images" + default n + depends on ENCRYPTED_IMAGES + help + This option addresses a theoretical weakness of the AES-CBC encryption in + combination with streamed images. An adversary can target each 16-byte + block of encrypted data within an image and decrypt it, if they can apply a + huge amount of manipulated firmware updates and observe the logged + messages. On average, 2048 update attempts are needed for each block. + Select if this scenario poses a risk. If set, log messages related to a + hash mismatch and errors in the decryption finalization (padding) of a + streamed image are suppressed. + config PKCS11 bool "Enable PKCS#11 cryptographic operations" default n diff --git a/core/cpio_utils.c b/core/cpio_utils.c index a31f254..6f3a8c8 100644 --- a/core/cpio_utils.c +++ b/core/cpio_utils.c @@ -632,8 +632,10 @@ static int __swupdate_copy(int fdin, unsigned char *inbuf, void *out, size_t nby hash_to_ascii(hash, hashstring); hash_to_ascii(md_value, newhashstring); +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING ERROR("HASH mismatch : %s <--> %s", hashstring, newhashstring); +#endif ret = -EFAULT; goto copyfile_exit; } diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c index 9fa8dcb..dadf92a 100644 --- a/corelib/swupdate_decrypt.c +++ b/corelib/swupdate_decrypt.c 
@@ -98,9 +98,11 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, return -EINVAL; if (EVP_DecryptFinal_ex(SSL_GET_CTXDEC(dgst), buf, outlen) != 1) { +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING const char *reason = ERR_reason_error_string(ERR_peek_error()); ERROR("Final: Decryption error 0x%lx, reason: %s", ERR_get_error(), reason != NULL ? reason : "unknown"); +#endif return -EFAULT; } diff --git a/corelib/swupdate_decrypt_mbedtls.c b/corelib/swupdate_decrypt_mbedtls.c index ffc6d9b..cccbe8d 100644 --- a/corelib/swupdate_decrypt_mbedtls.c +++ b/corelib/swupdate_decrypt_mbedtls.c @@ -103,7 +103,9 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, error = mbedtls_cipher_finish(&dgst->mbedtls_cipher_context, buf, &olen); if (error) { +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING ERROR("mbedtls_cipher_finish: %d", error); +#endif return -EFAULT; } *outlen = olen; diff --git a/corelib/swupdate_decrypt_pkcs11.c b/corelib/swupdate_decrypt_pkcs11.c index 8a20ed4..63672c5 100644 --- a/corelib/swupdate_decrypt_pkcs11.c +++ b/corelib/swupdate_decrypt_pkcs11.c @@ -156,13 +156,17 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int { unsigned char last_oct = dgst->last_decr[AES_BLK_SIZE - 1]; if (last_oct > AES_BLK_SIZE || last_oct == 0) { +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING ERROR("AES: Invalid PKCS#7 padding."); +#endif return -EFAULT; } for (int i = 2; i <= last_oct; i++) { if (dgst->last_decr[AES_BLK_SIZE - i] != last_oct) { +#ifndef CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING ERROR("AES: Invalid PKCS#7 padding."); +#endif return -EFAULT; }
For streamed AES-CBC encrypted images, an adversary can target each 16-byte block of encrypted data within an image and decrypt it, if they can apply a huge amount of manipulated firmware updates and observe the logged messages. On average, 2048 update attempts are needed for each block.

For use cases where this scenario poses a risk, a config option is introduced to suppress logging messages related to a hash mismatch and errors in the decryption finalization (padding) of a streamed image.

Signed-off-by: Raimar Sandner <raimar.sandner@sick.de>
---
Kconfig | 14 ++++++++++++++
core/cpio_utils.c | 2 ++
corelib/swupdate_decrypt.c | 2 ++
corelib/swupdate_decrypt_mbedtls.c | 2 ++
corelib/swupdate_decrypt_pkcs11.c | 4 ++++
5 files changed, 24 insertions(+)
}
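Review bot: The help text of ENCRYPTED_IMAGES_HARDEN_LOGGING in the Kconfig hunk says which messages are suppressed but not what that costs: with the option set, a hash mismatch or a padding failure leaves no message at the guarded sites, so a field failure is harder to diagnose. Add a sentence to the help text saying so, so that someone enabling the option knows these failures will no longer be explained in the log.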
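Review bot: In core/cpio_utils.c the guard around ERROR("HASH mismatch : %s <--> %s", ...) is a compile-time switch, so the message is dropped for every call of __swupdate_copy, including copies of images that are not encrypted, although the option is described as being about encrypted streamed images. Consider an #else branch that logs one fixed message without the hash strings, and using the same fixed text at the swupdate_DECRYPT_final sites, so a failure is still visible in the log while a hash mismatch and a padding error read identically.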
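Review bot: In corelib/swupdate_decrypt.c the #ifndef also compiles out the ERR_get_error() call, which is the only call in this branch that removes the entry from the OpenSSL error queue (ERR_peek_error() leaves it in place). With the option set, the failed EVP_DecryptFinal_ex() leaves its error queued, where a later, unrelated ERR_get_error() can pick it up and log it. Call ERR_clear_error() outside the guard before return -EFAULT so the hardened build drains the queue as well.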
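Review bot: In corelib/swupdate_decrypt_pkcs11.c the same #ifndef/#endif pair is wrapped around two identical ERROR("AES: Invalid PKCS#7 padding.") calls, and the guard is repeated at five sites across four files in this patch. A single macro defined once (for example in a shared header, expanding to ERROR or to nothing depending on CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING) would keep the call sites readable and make it harder for a future error path to be added without the guard. In this function the two padding checks could also jump to one common failure label that holds the single guarded message.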