From patchwork Sun Jun 19 05:20:21 2022
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 1645112
X-Patchwork-Delegate: xypron.glpk@gmx.de
From: Masahisa Kojima
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Takahiro Akashi, Francois Ozog, Mark Kettenis, Masahisa Kojima
Subject: [RFC PATCH 2/3] eficonfig: add "Show Signature Database" menu entry
Date: Sun, 19 Jun 2022 14:20:21 +0900
Message-Id: <20220619052022.2694-3-masahisa.kojima@linaro.org>
In-Reply-To: <20220619052022.2694-1-masahisa.kojima@linaro.org>
References: <20220619052022.2694-1-masahisa.kojima@linaro.org>

This commit adds the menu-driven interface to show the signature database.

Signed-off-by: Masahisa Kojima
---
 cmd/eficonfig_sbkey.c | 283 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 283 insertions(+)

diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
index a5c0dbe9b3..02ab8f8218 100644
--- a/cmd/eficonfig_sbkey.c
+++ b/cmd/eficonfig_sbkey.c
@@ -17,6 +17,64 @@ #include #include +struct eficonfig_sig_data { + struct efi_signature_list *esl; + struct efi_signature_data *esd; + struct list_head list; + struct eficonfig_sig_data **selected; + u16 *varname; +}; + +enum efi_sbkey_signature_type { + SIG_TYPE_X509 = 0, + SIG_TYPE_HASH, + SIG_TYPE_CRL, + SIG_TYPE_RSA2048, +}; + +struct eficonfig_sigtype_to_str { + efi_guid_t sig_type; + char *str; + enum efi_sbkey_signature_type type; +}; + +static const struct eficonfig_sigtype_to_str sigtype_to_str[] = { + {EFI_CERT_X509_GUID, "X509", SIG_TYPE_X509}, + {EFI_CERT_SHA256_GUID, "SHA256", SIG_TYPE_HASH}, + {EFI_CERT_X509_SHA256_GUID, "X509_SHA256 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA384_GUID, "X509_SHA384 CRL", SIG_TYPE_CRL}, + {EFI_CERT_X509_SHA512_GUID, "X509_SHA512 CRL", SIG_TYPE_CRL}, + /* U-Boot does not support the following signature types */ +/* {EFI_CERT_RSA2048_GUID, "RSA2048", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_RSA2048_SHA256_GUID, "RSA2048_SHA256", SIG_TYPE_RSA2048}, */ +/* {EFI_CERT_SHA1_GUID, "SHA1", SIG_TYPE_HASH}, */ +/* {EFI_CERT_RSA2048_SHA_GUID, "RSA2048_SHA", SIG_TYPE_RSA2048 }, */ +/* {EFI_CERT_SHA224_GUID, "SHA224", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA384_GUID, "SHA384", SIG_TYPE_HASH}, */ +/* {EFI_CERT_SHA512_GUID, "SHA512", SIG_TYPE_HASH}, */ +}; + +static void eficonfig_console_wait_enter(void) +{ + int esc = 0; + enum bootmenu_key key = KEY_NONE; + + while (1) { + bootmenu_loop(NULL, &key, &esc); + + switch (key) { + case KEY_SELECT: + return; + default: + break; + } + } + + /* never happens */ + debug("eficonfig: this should not happen"); + return; +} + static bool is_secureboot_enabled(void) { efi_status_t ret; 
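Review bot: the tail of eficonfig_console_wait_enter() is unreachable: `while (1)` only exits through the `return` in the KEY_SELECT case, so the `/* never happens */` debug() call and the trailing `return;` are dead code and should be dropped (or the loop written as `do { bootmenu_loop(NULL, &key, &esc); } while (key != KEY_SELECT);`). The seven commented-out rows in sigtype_to_str[] are dead code as well; a one-line comment naming the signature types U-Boot does not support keeps the table readable without leaving code to rot, and if the table is meant to mirror what the verifier accepts, say so in that comment so the two stay in sync.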
@@ -113,13 +171,238 @@ out: return ret; } +static void display_sigdata_info(struct eficonfig_sig_data *sg) +{ + u32 i; + + for (i = 0; i < ARRAY_SIZE(sigtype_to_str); i++) { + if (!guidcmp(&sg->esl->signature_type, &sigtype_to_str[i].sig_type)) { + printf(" Signature Type:\n" + " %s\n", sigtype_to_str[i].str); + + switch (sigtype_to_str[i].type) { + case SIG_TYPE_X509: + { + struct x509_certificate *cert_tmp; + + cert_tmp = x509_cert_parse(sg->esd->signature_data, + sg->esl->signature_size); + printf(" Subject:\n" + " %s\n" + " Issuer:\n" + " %s\n", + cert_tmp->subject, cert_tmp->issuer); + break; + } + case SIG_TYPE_CRL: + { + u32 hash_size = sg->esl->signature_size - sizeof(efi_guid_t) - + sizeof(struct efi_time); + struct efi_time *time = + (struct efi_time *)((u8 *)sg->esd->signature_data + + hash_size); + + printf(" ToBeSignedHash:\n"); + print_hex_dump(" ", DUMP_PREFIX_NONE, 16, 1, + sg->esd->signature_data, hash_size, false); + printf(" TimeOfRevocation:\n" + " %d-%d-%d %02d:%02d:%02d\n", + time->year, time->month, time->day, + time->hour, time->minute, time->second); + break; + } + case SIG_TYPE_HASH: + { + u32 hash_size = sg->esl->signature_size - sizeof(efi_guid_t); + + printf(" Hash:\n"); + print_hex_dump(" ", DUMP_PREFIX_NONE, 16, 1, + sg->esd->signature_data, hash_size, false); + break; + } + default: + eficonfig_print_msg("ERROR! 
Unsupported format."); + break; + } + } + } +} + +static void display_sigdata_header(struct eficonfig_sig_data *sg, char *str) +{ + puts(ANSI_CURSOR_HIDE); + puts(ANSI_CLEAR_CONSOLE); + printf(ANSI_CURSOR_POSITION, 1, 1); + + *sg->selected = sg; + printf("\n *** U-Boot Signature Database (%s %ls) ***\n\n" + " Owner GUID:\n" + " %pUL\n", + str, sg->varname, sg->esd->signature_owner.b); +} + +static efi_status_t eficonfig_process_sigdata_show(void *data) +{ + struct eficonfig_sig_data *sg = data; + + display_sigdata_header(sg, "Show"); + display_sigdata_info(sg); + + printf("\n\n Press ENTER to continue"); + eficonfig_console_wait_enter(); + + return EFI_SUCCESS; +} + +static efi_status_t prepare_signature_db_list(struct eficonfig_item **output, void *varname, + void *db, efi_uintn_t db_size, + eficonfig_entry_func func, + struct eficonfig_sig_data **selected, + struct list_head *siglist_list, + u32 *count) +{ + u32 num = 0; + efi_uintn_t size; + struct list_head *pos, *n; + struct efi_signature_list *esl; + struct efi_signature_data *esd; + struct eficonfig_item *menu_item, *iter; + struct eficonfig_sig_data *sg; + + INIT_LIST_HEAD(siglist_list); + esl = db; + size = db_size; + + /* + * parse the signature database and save the pointers to + * efi_signature_list and efi_signature_data. + * We expect the signature list is saved in correct format. 
+ */ + while (size > 0) { + u32 remain; + + esd = (struct efi_signature_data *)((u8 *)esl + + (sizeof(struct efi_signature_list) + + esl->signature_header_size)); + remain = esl->signature_list_size - (sizeof(struct efi_signature_list) + + esl->signature_header_size); + for (; remain > 0; remain -= esl->signature_size) { + sg = calloc(1, sizeof(struct eficonfig_sig_data)); + if (!sg) + return EFI_OUT_OF_RESOURCES; + + sg->esl = esl; + sg->esd = esd; + list_add_tail(&sg->list, siglist_list); + esd = (struct efi_signature_data *)((u8 *)esd + esl->signature_size); + num++; + } + + size -= esl->signature_list_size; + esl = (struct efi_signature_list *)((u8 *)esl + esl->signature_list_size); + } + + menu_item = calloc(num + 1, sizeof(struct eficonfig_item)); + if (!menu_item) + return EFI_OUT_OF_RESOURCES; + + iter = menu_item; + list_for_each_safe(pos, n, siglist_list) { + char buf[40] = {0}; + char *title; + + sg = list_entry(pos, struct eficonfig_sig_data, list); + + snprintf(buf, sizeof(buf), "%pUL", &sg->esd->signature_owner); + title = calloc(1, (strlen(buf) + 1)); + if (!title) + return EFI_OUT_OF_RESOURCES; + + strlcpy(title, buf, strlen(buf) + 1); + iter->title = title; + sg->selected = selected; + sg->varname = varname; + iter->func = func; + iter->data = sg; + iter++; + } + + /* add "Quit" entry */ + iter->title = "Quit"; + iter->func = eficonfig_process_quit; + iter->data = NULL; + num += 1; + + *count = num; + *output = menu_item; + + return EFI_SUCCESS; +} + +static efi_status_t process_show_signature_db(void *varname) +{ + u32 i, count = 0; + efi_status_t ret; + struct eficonfig_item *menu_item = NULL, *iter; + void *db = NULL; + efi_uintn_t db_size; + struct list_head siglist_list; + struct eficonfig_sig_data *selected; + + db = efi_get_var(varname, efi_auth_var_get_guid(varname), &db_size); + if (!db) { + eficonfig_print_msg("There is no entry in the signature database."); + return EFI_NOT_FOUND; + } + + ret = prepare_signature_db_list(&menu_item, 
varname, db, db_size, + eficonfig_process_sigdata_show, &selected, + &siglist_list, &count); + if (ret != EFI_SUCCESS) + goto out; + + ret = eficonfig_process_common(menu_item, count, " ** Show Signature Database **"); + +out: + if (menu_item) { + iter = menu_item; + for (i = 0; i < count - 1; iter++, i++) { + free(iter->title); + free(iter->data); + } + } + + free(menu_item); + free(db); + + return ret; +} + +static efi_status_t eficonfig_process_show_signature_db(void *data) +{ + efi_status_t ret; + + while (1) { + ret = process_show_signature_db(data); + if (ret != EFI_SUCCESS) + break; + } + + /* to stay the parent menu */ + ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret; + + return ret; +} + static struct eficonfig_item key_config_pk_menu_items[] = { {"Enroll New Key", eficonfig_process_enroll_key}, + {"Show Signature Database", eficonfig_process_show_signature_db}, {"Quit", eficonfig_process_quit}, }; static struct eficonfig_item key_config_menu_items[] = { {"Enroll New Key", eficonfig_process_enroll_key}, + {"Show Signature Database", eficonfig_process_show_signature_db}, {"Quit", eficonfig_process_quit}, };
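Review bot: display_sigdata_info() passes the wrong length to x509_cert_parse() and never checks its result. `cert_tmp = x509_cert_parse(sg->esd->signature_data, sg->esl->signature_size)` hands over signature_size, which still includes the signature_owner GUID, whereas the SIG_TYPE_CRL and SIG_TYPE_HASH branches correctly subtract sizeof(efi_guid_t); use `sg->esl->signature_size - sizeof(efi_guid_t)`, print an error instead of dereferencing cert_tmp->subject when parsing fails, and release the certificate with x509_free_certificate() afterwards, since it is leaked on every view. prepare_signature_db_list() also trusts every length field it reads: the `while (size > 0)` and `for (; remain > 0; remain -= esl->signature_size)` loops spin forever if signature_list_size or signature_size is 0, and walk past the end of db if signature_list_size exceeds the remaining size or the payload is not a multiple of signature_size (remain is u32, so the subtraction wraps instead of going negative). The comment "We expect the signature list is saved in correct format" acknowledges this, but the variable store can be corrupted or hand-edited, so check signature_list_size >= sizeof(*esl) + signature_header_size and <= size, signature_size > sizeof(efi_guid_t), and that the payload divides evenly by signature_size before walking it. The error paths leak too: an EFI_OUT_OF_RESOURCES return from inside either loop leaves the already-allocated eficonfig_sig_data nodes, the titles and menu_item unreachable, because *output and *count are only assigned on success and process_show_signature_db() frees only through menu_item; free them before returning, or hand back the partial list so the caller's out: path can. Minor: the comment "to stay the parent menu" reads better as "to stay in the parent menu", and calloc() plus strlcpy() for the title is just strdup(buf).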