From patchwork Mon May 11 21:31:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288077 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ0m3rdJz9sRf for ; Tue, 12 May 2020 07:32:56 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ0l4PsFzDqkK for ; Tue, 12 May 2020 07:32:55 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzm34zZzDqjY for ; Tue, 12 May 2020 07:32:03 +1000 (AEST) Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04BLC70f151980 for ; Mon, 11 May 2020 17:32:00 -0400 Received: from ppma03fra.de.ibm.com (6b.4a.5195.ip4.static.sl-reverse.com [149.81.74.107]) by mx0a-001b2d01.pphosted.com with ESMTP id 30xa4hnm0e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 
verify=NOT) for ; Mon, 11 May 2020 17:32:00 -0400 Received: from pps.filterd (ppma03fra.de.ibm.com [127.0.0.1]) by ppma03fra.de.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 04BLPlSm027391 for ; Mon, 11 May 2020 21:31:58 GMT Received: from b06cxnps3075.portsmouth.uk.ibm.com (d06relay10.portsmouth.uk.ibm.com [9.149.109.195]) by ppma03fra.de.ibm.com with ESMTP id 30wm56a2r2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 May 2020 21:31:58 +0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 04BLVt6P60358744 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 11 May 2020 21:31:55 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7D3A4A405B; Mon, 11 May 2020 21:31:55 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D1E04A4054; Mon, 11 May 2020 21:31:54 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.226.245]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 May 2020 21:31:54 +0000 (GMT) 
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:35 -0500 Message-Id: <20200511213152.24952-2-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 clxscore=1015 malwarescore=0 mlxscore=0 bulkscore=0 phishscore=0 impostorscore=0 spamscore=0 mlxlogscore=514 suspectscore=1 priorityscore=1501 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110152 Subject: [Skiboot] [PATCH v4 01/18] libstb/secureboot: use platform.terminate instead of hard abort X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Halting the boot via an abort() call will cause the BMC to keep restarting the machine indefinitely. Ending via platform.terminate() should be cleaner and prevent needless bootloops. This patch also exposes secureboot_enforce() for future secvar use to cease the boot. Signed-off-by: Eric Richter --- libstb/secureboot.c | 5 ++--- libstb/secureboot.h | 1 + 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libstb/secureboot.c b/libstb/secureboot.c index c8697216..2a4b975e 100644 --- a/libstb/secureboot.c +++ b/libstb/secureboot.c @@ -27,7 +27,7 @@ static struct { { IBM_SECUREBOOT_V2, "ibm,secureboot-v2" }, }; -static void secureboot_enforce(void) +void secureboot_enforce(void) { /* Sanity check */ if (!secure_mode) 
@@ -39,8 +39,7 @@ static void secureboot_enforce(void) * extra info to BMC other than just abort. Terminate Immediate * Attention ? (TI) */ - prlog(PR_EMERG, "secure mode enforced, aborting.\n"); - abort(); + platform.terminate("secure mode enforced, aborting.\n"); } bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat) diff --git a/libstb/secureboot.h b/libstb/secureboot.h index 0792dd5a..721b28de 100644 --- a/libstb/secureboot.h +++ b/libstb/secureboot.h 
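Review bot: in the secureboot_enforce() hunk, swapping `abort()` for `platform.terminate("secure mode enforced, aborting.\n");` leaves the function able to return: if the platform does not provide a terminate hook, or the hook returns, control falls off the closing `}` and the caller continues booting with secure mode enforced, which is the opposite of what the name promises. Suggest guarding the pointer and never returning, e.g. `if (platform.terminate) platform.terminate("secure mode enforced, aborting.\n");` followed by `for (;;) ;` (or keeping `abort()` as the fallback), and marking the function `__noreturn` on both the definition and the new header declaration so the compiler checks callers. Dropping `prlog(PR_EMERG, "secure mode enforced, aborting.\n");` also removes the reason from the skiboot console log; keep the log line ahead of the terminate call so the halt is recorded even when the BMC path is unavailable.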
@@ -15,6 +15,7 @@ enum secureboot_version { IBM_SECUREBOOT_V2, }; +void secureboot_enforce(void); bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat); void secureboot_init(void); From patchwork Mon May 11 21:31:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288078 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ1G34wQz9sRK for ; Tue, 12 May 2020 07:33:22 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ1G2chkzDql9 for ; Tue, 12 May 2020 07:33:22 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzm32rRzDqgN for ; Tue, 12 May 2020 07:32:03 +1000 (AEST) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04BLCWW9077196 for ; Mon, 11 May 2020 17:32:01 -0400 Received: from 
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:36 -0500 Message-Id: <20200511213152.24952-3-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 clxscore=1015 priorityscore=1501 suspectscore=1 adultscore=0 impostorscore=0 malwarescore=0 mlxscore=0 lowpriorityscore=0 bulkscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110152 Subject: [Skiboot] [PATCH v4 02/18] libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Nayna Jain Secure variables are initialized and processed only if FW secureboot is enabled. This ensures that the underlying verification chain is satisfied and secure variables cannot be faked by a malicious skiboot. Signed-off-by: Nayna Jain Signed-off-by: Eric Richter --- core/init.c | 2 +- libstb/secureboot.c | 5 +++++ libstb/secureboot.h | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/core/init.c b/core/init.c index 63e3f97a..892b4740 100644 --- a/core/init.c +++ b/core/init.c 
@@ -1263,7 +1263,7 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt) trustedboot_init(); /* Secure variables init, handled by platform */ - if (platform.secvar_init) + if (platform.secvar_init && is_fw_secureboot()) platform.secvar_init(); /* diff --git a/libstb/secureboot.c b/libstb/secureboot.c index 2a4b975e..f2892400 100644 --- a/libstb/secureboot.c +++ b/libstb/secureboot.c @@ -61,6 +61,11 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c return false; } +bool is_fw_secureboot(void) +{ + return secure_mode; +} + void secureboot_init(void) { struct dt_node *node; diff --git a/libstb/secureboot.h b/libstb/secureboot.h index 721b28de..74e93c84 100644 --- a/libstb/secureboot.h +++ b/libstb/secureboot.h 
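Review bot: in the core/init.c hunk, gating `platform.secvar_init()` on `is_fw_secureboot()` means that on a machine without firmware secure boot the secvar code never runs, so neither the "okay" nor the "fail" status is ever published and consumers must treat an absent secvar node as "unsupported"; a one-line comment at the call site (or a prlog) saying secvar is intentionally skipped when secure mode is off would save the next reader a search. In the libstb/secureboot.c hunk, `is_fw_secureboot()` breaks the `secureboot_` prefix carried by the other exported symbols in that file (`secureboot_enforce`, `secureboot_is_compatible`, `secureboot_init`); `secureboot_is_enabled()` or similar would be consistent. The check also relies on secureboot_init() having already set `secure_mode` before main_cpu_entry() reaches this point; the visible context (trustedboot_init() directly above) suggests it has, but the ordering dependency deserves a comment.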
@@ -18,6 +18,7 @@ enum secureboot_version { void secureboot_enforce(void); bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat); void secureboot_init(void); +bool is_fw_secureboot(void); /** * secureboot_verify - verify a PNOR partition content From patchwork Mon May 11 21:31:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288079 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ1v55Bpz9sRK for ; Tue, 12 May 2020 07:33:55 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ1v2V6FzDqmf for ; Tue, 12 May 2020 07:33:55 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzm4HwczDqkJ for ; Tue, 12 May 2020 07:32:04 +1000 (AEST) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:37 -0500 Message-Id: <20200511213152.24952-4-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=990 priorityscore=1501 suspectscore=1 lowpriorityscore=0 bulkscore=0 impostorscore=0 spamscore=0 adultscore=0 phishscore=0 mlxscore=0 clxscore=1015 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 03/18] secvar_main: increase error verbosity, restyle all comments X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This commit converts all the "//" style comments to the appropriate C-style, adds a few comments, and also adds a couple error log outputs. The following commits perform a minor refactor of the secvar_main flow. This commit has been separated out to reduce the amount of noise in those commits, and can likely be squashed if necessary. Signed-off-by: Eric Richter --- V4: - adjusted lines to 80 columns libstb/secvar/secvar_main.c | 41 ++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/libstb/secvar/secvar_main.c b/libstb/secvar/secvar_main.c index b40dd646..3b842d16 100644 --- a/libstb/secvar/secvar_main.c +++ b/libstb/secvar/secvar_main.c 
@@ -14,10 +14,10 @@ struct list_head variable_bank; struct list_head update_bank; -int secvar_enabled = 0; // Set to 1 if secvar is supported -int secvar_ready = 0; // Set to 1 when base secvar inits correctly +int secvar_enabled = 0; /* Set to 1 if secvar is supported */ +int secvar_ready = 0; /* Set to 1 when base secvar inits correctly */ -// To be filled in by platform.secvar_init +/* To be filled in by platform.secvar_init */ struct secvar_storage_driver secvar_storage = {0}; struct secvar_backend_driver secvar_backend = {0}; @@ -43,7 +43,7 @@ int secvar_main(struct secvar_storage_driver storage_driver, if (rc) goto fail; - // Failures here should indicate some kind of hardware problem + /* Failures here should indicate some kind of hardware problem */ rc = secvar_storage.load_bank(&variable_bank, SECVAR_VARIABLE_BANK); if (rc) goto fail; 
@@ -52,21 +52,35 @@ int secvar_main(struct secvar_storage_driver storage_driver, if (rc) goto fail; - // At this point, base secvar is functional. Rest is up to the backend + /* At this point, base secvar is functional. + * The rest is up to the backend */ secvar_ready = 1; secvar_set_status("okay"); - if (secvar_backend.pre_process) + if (secvar_backend.pre_process) { rc = secvar_backend.pre_process(); + if (rc) { + prlog(PR_ERR, "Error in backend pre_process = %d\n", rc); + goto out; + } + } - // Process is required, error if it doesn't exist + /* Process is required, error if it doesn't exist */ if (!secvar_backend.process) goto out; + /* Process variable updates from the update bank. */ rc = secvar_backend.process(); - secvar_set_update_status(rc); + + /* Create and set the update-status device tree property */ + secvar_set_update_status(rc); + + /* Only write to the storage if we actually processed updates + * OPAL_EMPTY implies no updates were processed + * Refer to full table in doc/device-tree/ibm,opal/secvar.rst */ if (rc == OPAL_SUCCESS) { - rc = secvar_storage.write_bank(&variable_bank, SECVAR_VARIABLE_BANK); + rc = secvar_storage.write_bank(&variable_bank, + SECVAR_VARIABLE_BANK); if (rc) goto out; 
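Review bot: at `if (!secvar_backend.process) goto out;` in this hunk, the comment says a missing process hook is an error, but `rc` is still 0 from the successful pre_process call, so the `out:` label marks the status "fail" while the function returns a success code to its caller. Set an error code before the jump, e.g. `rc = OPAL_PARAMETER;` (or whatever this file uses for a misconfigured backend), and add a `prlog(PR_ERR, ...)` like the one this hunk introduces for pre_process, so the log, the status property and the return value agree.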
@@ -75,10 +89,13 @@ int secvar_main(struct secvar_storage_driver storage_driver, goto out; } - if (secvar_backend.post_process) + if (secvar_backend.post_process) { rc = secvar_backend.post_process(); - if (rc) - goto out; + if (rc) { + prlog(PR_ERR, "Error in backend post_process = %d\n", rc); + goto out; + } + } prlog(PR_INFO, "secvar initialized successfully\n"); From patchwork Mon May 11 21:31:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288084 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ2Q4Z5gz9sRK for ; Tue, 12 May 2020 07:34:22 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ2Q3hHfzDqsJ for ; Tue, 12 May 2020 07:34:22 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzn34DWzDqgN for ; Tue, 12 May 2020 07:32:05 +1000 (AEST) Received: from pps.filterd 
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:38 -0500 Message-Id: <20200511213152.24952-5-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=3 malwarescore=0 clxscore=1015 phishscore=0 impostorscore=0 mlxscore=3 suspectscore=1 lowpriorityscore=0 adultscore=0 mlxlogscore=144 spamscore=3 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 04/18] secvar_main: rework secvar_main error flow, make storage locking explicit X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This patch adjusts the behavior of secvar_main to actually halt the boot in some form if there is an issue initializing secure variables. We halt in skiboot if the secvar storage driver fails to initialize, as this should only happen due to unresolvable hardware issues, and contains our secure boot state. For all other cases we enforce secure boot in the bootloader (secure mode flag is set, but there will be no keys). Previously, the storage driver was expected to handle any locking procedures implicitly as part of the write operation. This patch makes the locking behavior now explicit, and part of the secvar_main flow. 
The storage driver is now locked unconditionally when exiting secvar_main, and the lock() call should halt the boot if it encounters any sign of struggle. Signed-off-by: Eric Richter --- V4: - adjusted lines to 80 columns - calls secureboot_enforce() instead of abort() libstb/secvar/secvar_main.c | 38 +++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/libstb/secvar/secvar_main.c b/libstb/secvar/secvar_main.c index 3b842d16..f4b98925 100644 --- a/libstb/secvar/secvar_main.c +++ b/libstb/secvar/secvar_main.c @@ -8,6 +8,7 @@ #include #include #include +#include #include "secvar.h" #include "secvar_devtree.h" @@ -39,11 +40,15 @@ int secvar_main(struct secvar_storage_driver storage_driver, list_head_init(&variable_bank); list_head_init(&update_bank); + /* Failures here should indicate some kind of hardware problem, + * therefore we don't even attempt to continue */ rc = secvar_storage.store_init(); if (rc) - goto fail; + secureboot_enforce(); - /* Failures here should indicate some kind of hardware problem */ + /* Failures here may be recoverable, + * (PNOR was corrupted, restore from backup) + * so we want to boot up to skiroot to give the user a chance to fix */ rc = secvar_storage.load_bank(&variable_bank, SECVAR_VARIABLE_BANK); if (rc) goto fail; @@ -61,6 +66,8 @@ int secvar_main(struct secvar_storage_driver storage_driver, rc = secvar_backend.pre_process(); if (rc) { prlog(PR_ERR, "Error in backend pre_process = %d\n", rc); + /* Early failure state, lock the storage */ + secvar_storage.lock(); goto out; } } 
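Review bot: in the store_init hunk, `if (rc) secureboot_enforce();` assumes the call never returns, but as written in 01/18 secureboot_enforce() returns early when `secure_mode` is not set and also returns if platform.terminate() does, so a failed store_init would fall straight through into `secvar_storage.load_bank()` on an uninitialised storage driver. Add a `goto fail;` (or an explicit `for (;;)`) after the call, or make secureboot_enforce() `__noreturn` so the compiler can verify it. In the pre_process error block, the new `secvar_storage.lock();` before `goto out` duplicates the lock() call this same patch adds at the `out:` label, so the driver is asked to lock twice on that path; drop the one in the block and let `out:` do it.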
@@ -83,11 +90,20 @@ int secvar_main(struct secvar_storage_driver storage_driver, SECVAR_VARIABLE_BANK); if (rc) goto out; - - rc = secvar_storage.write_bank(&update_bank, SECVAR_UPDATE_BANK); + } + /* Write (and probably clear) the update bank if .process() actually + * detected and handled updates in the update bank. Unlike above, this + * includes error cases, where the backend should probably be clearing + * the bank. + */ + if (rc != OPAL_EMPTY) { + rc = secvar_storage.write_bank(&update_bank, + SECVAR_UPDATE_BANK); if (rc) goto out; } + /* Unconditionally lock the storage at this point */ + secvar_storage.lock(); if (secvar_backend.post_process) { rc = secvar_backend.post_process(); 
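Review bot: in the `if (rc != OPAL_EMPTY)` block, `rc` no longer holds what process() returned: when process() succeeded it has already been replaced by the variable-bank `write_bank()` result, and when process() failed the update-bank `write_bank()` overwrites the error too, so a backend processing failure never reaches `out:` and execution continues through lock(), post_process() and the "secvar initialized successfully" message. If recording the failure only in the update-status property is the intent, the comment should say so; otherwise keep process()'s result in its own variable (e.g. `int process_rc = rc;`) and choose the exit path on it after the writes. The unconditional `secvar_storage.lock();` placed ahead of post_process() also means a backend that derives or updates variables in post_process (the use the header comment gives for that hook) cannot write them back; worth confirming that ordering is deliberate.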
@@ -100,9 +116,23 @@ int secvar_main(struct secvar_storage_driver storage_driver, prlog(PR_INFO, "secvar initialized successfully\n"); return OPAL_SUCCESS; + fail: + /* Early failure, base secvar support failed to initialize */ secvar_set_status("fail"); + secvar_storage.lock(); + secvar_set_secure_mode(); + + prerror("secvar failed to initialize, rc = %04x\n", rc); + return rc; + out: + /* Soft-failure, enforce secure boot in bootloader for debug/recovery */ + clear_bank_list(&variable_bank); + clear_bank_list(&update_bank); + secvar_storage.lock(); + secvar_set_secure_mode(); + prerror("secvar failed to initialize, rc = %04x\n", rc); return rc; } From patchwork Mon May 11 21:31:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288085 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ2w4535z9sRK for ; Tue, 12 May 2020 07:34:48 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ2w2d5PzDqvl for ; Tue, 12 May 2020 07:34:48 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com 
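Review bot: the `fail:` and `out:` labels in this hunk duplicate the lock(), secvar_set_secure_mode() and prerror() sequence, and `fail:` omits the `clear_bank_list()` calls, so a load_bank() failure part-way through leaves a partially populated variable_bank allocated. Suggest having `fail:` set the status and fall through into `out:` (clear both banks, lock, set secure mode, log), which removes the duplication and frees the banks on every failure path. Minor: `prerror("secvar failed to initialize, rc = %04x\n", rc);` prints negative OPAL return codes as eight hex digits; `%d` matches the `= %d` prlog calls used for pre_process and post_process in the same function.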
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:39 -0500 Message-Id: <20200511213152.24952-6-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 clxscore=1015 priorityscore=1501 suspectscore=1 adultscore=0 impostorscore=0 malwarescore=0 mlxscore=0 lowpriorityscore=0 bulkscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110152 Subject: [Skiboot] [PATCH v4 05/18] secvar: change backend hook interface to take in bank references X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Nayna Jain Previously, backends were implicitly expected to operate on global references to the variable and update banks. This patch changes the interface for this driver to instead take the banks in as an argument. This removes the implicit dependency on these references, makes the design consistent with the storage driver, and also will simplify unit testing of these functions. Signed-off-by: Nayna Jain Signed-off-by: Eric Richter --- V4: - squashed in a whitespace fix for the storage driver struct include/secvar.h | 20 ++++++++++++-------- libstb/secvar/secvar_main.c | 6 +++--- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/include/secvar.h b/include/secvar.h index ec812b85..75730b2e 100644 --- a/include/secvar.h 
+++ b/include/secvar.h @@ -9,18 +9,22 @@ struct secvar; struct secvar_storage_driver { - int (*load_bank)(struct list_head *bank, int section); - int (*write_bank)(struct list_head *bank, int section); - int (*store_init)(void); + int (*load_bank)(struct list_head *bank, int section); + int (*write_bank)(struct list_head *bank, int section); + int (*store_init)(void); + void (*lock)(void); uint64_t max_var_size; }; struct secvar_backend_driver { - int (*pre_process)(void); // Perform any pre-processing stuff (e.g. determine secure boot state) - int (*process)(void); // Process all updates - int (*post_process)(void); // Perform any post-processing stuff (e.g. derive/update variables) - int (*validate)(struct secvar *var); // Validate a single variable, return boolean - const char *compatible; // String to use for compatible in secvar node + int (*pre_process)(struct list_head *variable_bank, + struct list_head *update_bank); // Perform any pre-processing stuff (e.g. determine secure boot state) + int (*process)(struct list_head *variable_bank, + struct list_head *update_bank); // Process all updates + int (*post_process)(struct list_head *variable_bank, + struct list_head *update_bank); // Perform any post-processing stuff (e.g. derive/update variables) + int (*validate)(struct secvar *var); // Validate a single variable, return boolean + const char *compatible; // String to use for compatible in secvar node }; diff --git a/libstb/secvar/secvar_main.c b/libstb/secvar/secvar_main.c index f4b98925..4eb9ae66 100644 --- a/libstb/secvar/secvar_main.c +++ b/libstb/secvar/secvar_main.c @@ -63,7 +63,7 @@ int secvar_main(struct secvar_storage_driver storage_driver, secvar_set_status("okay"); if (secvar_backend.pre_process) { - rc = secvar_backend.pre_process(); + rc = secvar_backend.pre_process(&variable_bank, &update_bank); if (rc) { prlog(PR_ERR, "Error in backend pre_process = %d\n", rc); /* Early failure state, lock the storage */ 
@@ -77,7 +77,7 @@ int secvar_main(struct secvar_storage_driver storage_driver, goto out; /* Process variable updates from the update bank. */ - rc = secvar_backend.process(); + rc = secvar_backend.process(&variable_bank, &update_bank); /* Create and set the update-status device tree property */ secvar_set_update_status(rc); 
@@ -106,7 +106,7 @@ int secvar_main(struct secvar_storage_driver storage_driver, secvar_storage.lock(); if (secvar_backend.post_process) { - rc = secvar_backend.post_process(); + rc = secvar_backend.post_process(&variable_bank, &update_bank); if (rc) { prlog(PR_ERR, "Error in backend post_process = %d\n", rc); goto out; From patchwork Mon May 11 21:31:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288086 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ3F1Mgyz9sRK for ; Tue, 12 May 2020 07:35:05 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ3F0BCczDr3p for ; Tue, 12 May 2020 07:35:05 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzp6zstzDqgN for ; Tue, 12 May 2020 07:32:06 +1000 (AEST) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com 
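Review bot: in the struct secvar_storage_driver hunk of include/secvar.h, `+ void (*lock)(void);` has no matching `-` line (the diffstat's 8 deletions are all accounted for by the three storage and five backend prototypes), so this patch introduces a new storage hook and not only the whitespace fix the V4 note describes, even though the @@ -106 hunk of secvar_main.c already calls `secvar_storage.lock()` as unchanged context. Either state the new member in the commit message or move it to the patch that adds the call. In the same hunk the trailing `// Perform any pre-processing stuff ...` comments now hang off the second line of each two-line prototype; put each comment on its own line above the hook and say which of `variable_bank` and `update_bank` the hook is allowed to modify, since that contract is the whole point of the new signature.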
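Review bot: in the @@ -77 hunk of secvar_main.c, `rc = secvar_backend.process(&variable_bank, &update_bank);` is still called without the NULL check that guards `pre_process` and `post_process` in the @@ -63 and @@ -106 hunks; since `process` is now the one mandatory backend hook, either document in the header comment that a backend must supply it, or add the same guard and fail with a clear error so a backend missing it does not dereference NULL at boot.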
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:40 -0500
Message-Id: <20200511213152.24952-7-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 06/18] secvar_util: add new helper functions
Cc: nayna@linux.ibm.com

This patch adds the following helper functions:
 - dealloc_secvar()
 - new_secvar()
 - copy_bank_list()

dealloc_secvar() frees a whole secvar_node reference including its children allocations. This also updates the clear_bank_list() helper function to use this destructor.

new_secvar() allocates a secvar_node, and fills it with data provided via arguments.

copy_bank_list() creates a deep copy of a secvar bank list.

Signed-off-by: Eric Richter
---
 libstb/secvar/secvar.h      |  5 +++
 libstb/secvar/secvar_util.c | 63 +++++++++++++++++++++++++++++++++++--
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/libstb/secvar/secvar.h b/libstb/secvar/secvar.h
index a0cafbb0..b141b705 100644
--- a/libstb/secvar/secvar.h
+++ b/libstb/secvar/secvar.h
@@ -43,8 +43,13 @@ extern struct secvar_backend_driver secvar_backend; // Helper functions void clear_bank_list(struct list_head *bank); +int copy_bank_list(struct list_head *dst, struct list_head *src); struct secvar_node *alloc_secvar(uint64_t size); +struct secvar_node *new_secvar(const char *key, uint64_t key_len, + const char *data, uint64_t data_size, + uint64_t flags); int realloc_secvar(struct secvar_node *node, uint64_t size); +void dealloc_secvar(struct secvar_node *node); struct secvar_node *find_secvar(const char *key, uint64_t key_len, struct list_head *bank); int is_key_empty(const char *key, uint64_t key_len); int list_length(struct list_head *bank); diff --git a/libstb/secvar/secvar_util.c b/libstb/secvar/secvar_util.c index 2005de58..3aadbd98 100644 --- a/libstb/secvar/secvar_util.c +++ b/libstb/secvar/secvar_util.c @@ -20,11 +20,31 @@ void clear_bank_list(struct list_head *bank) list_for_each_safe(bank, node, next, link) { list_del(&node->link); + dealloc_secvar(node); + } +} + +int copy_bank_list(struct list_head *dst, struct list_head *src) +{ + struct secvar_node *node, *tmp; - if (node->var) - free(node->var); - free(node); + list_for_each(src, node, link) { + /* Allocate new secvar using actual data size */ + tmp = alloc_secvar(node->var->data_size); + if (!tmp) + return OPAL_NO_MEM; + + /* Copy over flags metadata */ + tmp->flags = node->flags; + + /* Full-clone over the secvar struct */ + memcpy(tmp->var, node->var, tmp->size + sizeof(struct secvar)); + + /* Append to new list */ + list_add_tail(dst, &tmp->link); } + + return OPAL_SUCCESS; } struct secvar_node *alloc_secvar(uint64_t size) 
@@ -46,6 +66,34 @@ struct secvar_node *alloc_secvar(uint64_t size) return ret; } +struct secvar_node *new_secvar(const char *key, uint64_t key_len, + const char *data, uint64_t data_size, + uint64_t flags) +{ + struct secvar_node *ret; + + if (!key) + return NULL; + if ((!key_len) || (key_len > SECVAR_MAX_KEY_LEN)) + return NULL; + if ((!data) && (data_size)) + return NULL; + + ret = alloc_secvar(data_size); + if (!ret) + return NULL; + + ret->var->key_len = key_len; + ret->var->data_size = data_size; + memcpy(ret->var->key, key, key_len); + ret->flags = flags; + + if (data) + memcpy(ret->var->data, data, data_size); + + return ret; +} + int realloc_secvar(struct secvar_node *node, uint64_t size) { void *tmp; 
@@ -64,6 +112,15 @@ int realloc_secvar(struct secvar_node *node, uint64_t size) return 0; } +void dealloc_secvar(struct secvar_node *node) +{ + if (!node) + return; + + free(node->var); + free(node); +} + struct secvar_node *find_secvar(const char *key, uint64_t key_len, struct list_head *bank) { struct secvar_node *node = NULL; From patchwork Mon May 11 21:31:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288094 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ6D37qrz9sRf for ; Tue, 12 May 2020 07:37:40 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ6D2HMhzDqtN for ; Tue, 12 May 2020 07:37:40 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzz5QrKzDqgN for ; Tue, 12 May 2020 07:32:15 +1000 (AEST) Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com 
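Review bot: in the @@ -20 hunk of secvar_util.c, `copy_bank_list()` dereferences `node->var->data_size` for every source node, while the code it replaces in `clear_bank_list()` guarded with `if (node->var)`, so a bank that holds a node with a NULL `var` now crashes the copy; either add the same guard or state that banks never contain such nodes. On `return OPAL_NO_MEM` the nodes already appended to `dst` are left there, so the caller gets a half-populated list with no indication of where the copy stopped; unlink and free the nodes added so far before returning. The `memcpy(tmp->var, node->var, tmp->size + sizeof(struct secvar))` length also relies on `alloc_secvar()` setting `tmp->size` to exactly the requested `data_size`; copying `node->var->data_size + sizeof(struct secvar)` states the intent directly and does not depend on that detail.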
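Review bot: in the @@ -46 hunk, `new_secvar()` bounds `key_len` against `SECVAR_MAX_KEY_LEN` but passes `data_size` straight to `alloc_secvar(data_size)` with no upper bound; if `alloc_secvar()` does not enforce one, a size that originates outside OPAL (an update submitted from the OS) flows directly into the allocation request. Either check `data_size` here, for example against the storage driver's `max_var_size`, or note in the header that the caller must have validated it.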
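Review bot: in the @@ -64 hunk, `dealloc_secvar()` frees the node without unlinking it, which is correct for `clear_bank_list()` only because that caller does `list_del(&node->link)` first; add a one-line comment on `dealloc_secvar()` saying the node must already be off any list, so a later caller does not free a node that is still linked into a bank.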
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:41 -0500
Message-Id: <20200511213152.24952-8-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 07/18] hdata/spira: add physical presence flags
Cc: nayna@linux.ibm.com

From: Nayna Jain

This patch reads the hdata bits to check for physical presence assertion, and creates device tree entries to be consumed later in the boot.

Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
 hdata/spira.c | 11 +++++++++++
 hdata/spira.h |  7 ++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/hdata/spira.c b/hdata/spira.c
index 35d6109d..deb2dea4 100644
--- a/hdata/spira.c
+++ b/hdata/spira.c
@@ -921,6 +921,7 @@ static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams) struct dt_node *node; u16 sys_sec_setting; u16 hw_key_hash_size; + u16 host_fw_key_clear; node = dt_new(dt_root, "ibm,secureboot"); assert(node);
@@ -933,6 +934,16 @@ static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams) dt_add_property(node, "secure-enabled", NULL, 0); if (sys_sec_setting & SEC_HASHES_EXTENDED_TO_TPM) dt_add_property(node, "trusted-enabled", NULL, 0); + if (sys_sec_setting & PHYSICAL_PRESENCE_ASSERTED) + dt_add_property(node, "physical-presence-asserted", NULL, 0); + + host_fw_key_clear = be16_to_cpu(sysparams->host_fw_key_clear); + if (host_fw_key_clear & KEY_CLEAR_OS_KEYS) + dt_add_property(node, "clear-os-keys", NULL, 0); + if (host_fw_key_clear & KEY_CLEAR_MFG) + dt_add_property(node, "clear-mfg-keys", NULL, 0); + if (host_fw_key_clear & KEY_CLEAR_ALL) + dt_add_property(node, "clear-all-keys", NULL, 0); hw_key_hash_size = be16_to_cpu(sysparams->hw_key_hash_size); diff --git a/hdata/spira.h b/hdata/spira.h index ffe53942..f7a1b823 100644 --- a/hdata/spira.h +++ b/hdata/spira.h 
@@ -364,10 +364,15 @@ struct iplparams_sysparams { __be16 hv_disp_wheel; /* >= 0x58 */ __be32 nest_freq_mhz; /* >= 0x5b */ uint8_t split_core_mode; /* >= 0x5c */ - uint8_t reserved[3]; + uint8_t reserved[1]; +#define KEY_CLEAR_ALL PPC_BIT16(0) +#define KEY_CLEAR_OS_KEYS PPC_BIT16(1) +#define KEY_CLEAR_MFG PPC_BIT16(7) + __be16 host_fw_key_clear; uint8_t sys_vendor[64]; /* >= 0x5f */ #define SEC_CONTAINER_SIG_CHECKING PPC_BIT16(0) #define SEC_HASHES_EXTENDED_TO_TPM PPC_BIT16(1) +#define PHYSICAL_PRESENCE_ASSERTED PPC_BIT16(3) __be16 sys_sec_setting; /* >= 0x60 */ __be16 tpm_config_bit; /* >= 0x60 */ __be16 tpm_drawer; /* >= 0x60 */ From patchwork Mon May 11 21:31:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288095 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ6Y2C8mz9sRK for ; Tue, 12 May 2020 07:37:57 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ6Y1LwHzDrHb for ; Tue, 12 May 2020 07:37:57 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com 
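Review bot: in the @@ -933 hunk of spira.c, the four new properties (`physical-presence-asserted`, `clear-os-keys`, `clear-mfg-keys`, `clear-all-keys`) are added to the `ibm,secureboot` node without a device tree binding update; later patches in this series will key security decisions off these names, so document each property and its meaning next to the existing `secure-enabled` and `trusted-enabled` entries, including that the `clear-*` properties are requests read from hdata rather than a record of what firmware actually did.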
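Review bot: in the spira.h hunk, the new `__be16 host_fw_key_clear;` carves two bytes out of `reserved[3]` but, unlike every neighbouring field, carries no `/* >= 0x.. */` version annotation, and the `KEY_CLEAR_*` bit numbers (0, 1 and 7) are given without a reference. Add the HDAT version from which the field is valid and a comment pointing at the spec section that defines the bits, and make the spira.c read `be16_to_cpu(sysparams->host_fw_key_clear)` conditional on that version: on older HDAT the bytes are still reserved padding, and any stale bit there would turn into a `clear-*-keys` property that downstream code treats as a request to wipe keys.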
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:42 -0500
Message-Id: <20200511213152.24952-9-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 08/18] secvar_devtree: add physical presence mode helper
Cc: nayna@linux.ibm.com

This patch adds a simple function to detect whether or not physical presence has been asserted. In the current implementation, all physical presence assertion modes are treated the same.

Signed-off-by: Eric Richter
---
 libstb/secvar/secvar_devtree.c | 15 +++++++++++++++
 libstb/secvar/secvar_devtree.h |  2 ++
 2 files changed, 17 insertions(+)

diff --git a/libstb/secvar/secvar_devtree.c b/libstb/secvar/secvar_devtree.c
index 998093f7..5903ee34 100644
--- a/libstb/secvar/secvar_devtree.c
+++ b/libstb/secvar/secvar_devtree.c
@@ -64,3 +64,18 @@ void secvar_set_update_status(uint64_t val) dt_add_property_u64(secvar_node, "update-status", val); } +bool secvar_check_physical_presence(void) +{ + struct dt_node *secureboot; + + secureboot = dt_find_by_path(dt_root, "ibm,secureboot"); + if (!secureboot) + return false; + + if (dt_find_property(secureboot, "clear-os-keys") + || dt_find_property(secureboot, "clear-all-keys") + || dt_find_property(secureboot, "clear-mfg-keys")) + return true; + + return false; +} diff --git a/libstb/secvar/secvar_devtree.h b/libstb/secvar/secvar_devtree.h index c1c923d9..04eb00de 100644 --- a/libstb/secvar/secvar_devtree.h +++ b/libstb/secvar/secvar_devtree.h 
@@ -10,4 +10,6 @@ void secvar_init_devnode(const char *compatible); void secvar_set_status(const char *status); void secvar_set_update_status(uint64_t val); +bool secvar_check_physical_presence(void); + #endif From patchwork Mon May 11 21:31:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288087 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ3W4R1nz9sRK for ; Tue, 12 May 2020 07:35:19 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ3W35MJzDr7k for ; Tue, 12 May 2020 07:35:19 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzt0F22zDqgN for ; Tue, 12 May 2020 07:32:09 +1000 (AEST) Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04BLV2D3194843 for ; Mon, 11 May 2020 17:32:07 -0400 Received: from 
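Review bot: in the @@ -64 hunk of secvar_devtree.c, `secvar_check_physical_presence()` returns true only when one of `clear-os-keys`, `clear-all-keys` or `clear-mfg-keys` is present and never consults the `physical-presence-asserted` property that hdata/spira.c now creates from `PHYSICAL_PRESENCE_ASSERTED`, so the function really answers "was a key clear requested", not "is physical presence asserted". If that is the intended policy (the commit message says all modes are treated the same), say so in a comment above the function and consider a name that matches; otherwise require `physical-presence-asserted` too, because a key-clear request that is not backed by a presence assertion is precisely the case a backend should refuse to act on.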
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:43 -0500
Message-Id: <20200511213152.24952-10-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 09/18] core/flash.c: add SECBOOT read and write support
Cc: nayna@linux.ibm.com

From: Claudio Carvalho

In secure boot enabled systems, the petitboot linux kernel verifies the OS kernel against x509 certificates that are wrapped in secure variables controlled by OPAL. These secure variables are stored in the PNOR SECBOOT partition, as well as the updates submitted for them using userspace tools.

This patch adds read and write support to the PNOR SECBOOT partition in a similar fashion to that of NVRAM, so that OPAL can handle the secure variables.

Signed-off-by: Claudio Carvalho
Signed-off-by: Eric Richter
---
 core/flash.c       | 130 +++++++++++++++++++++++++++++++++++++++++++++
 include/platform.h |   4 ++
 2 files changed, 134 insertions(+)

diff --git a/core/flash.c b/core/flash.c
index de748641..33d7f648 100644
--- a/core/flash.c
+++ b/core/flash.c
@@ -59,6 +59,10 @@ static struct lock flash_lock; static struct flash *nvram_flash; static u32 nvram_offset, nvram_size; +/* secboot-on-flash support */ +static struct flash *secboot_flash; +static u32 secboot_offset, secboot_size; + bool flash_reserve(void) { bool rc = false; @@ -93,6 +97,91 @@ bool flash_unregister(void) return true; } +static int flash_secboot_info(uint32_t *total_size) +{ + int rc; + + lock(&flash_lock); + if (!secboot_flash) { + rc = OPAL_HARDWARE; + } else if (secboot_flash->busy) { + rc = OPAL_BUSY; + } else { + *total_size = secboot_size; + rc = OPAL_SUCCESS; + } + unlock(&flash_lock); + + return rc; +} + +static int flash_secboot_read(void *dst, uint32_t src, uint32_t len) +{ + int rc; + + if (!try_lock(&flash_lock)) + return OPAL_BUSY; + + if (!secboot_flash) { + rc = OPAL_HARDWARE; + goto out; + } + + if (secboot_flash->busy) { + rc = OPAL_BUSY; + goto out; + } + + if ((src + len) > secboot_size) { + prerror("FLASH_SECBOOT: read out of bound (0x%x,0x%x)\n", + src, len); + rc = OPAL_PARAMETER; + goto out; + } + + secboot_flash->busy = true; + unlock(&flash_lock); + + rc = blocklevel_read(secboot_flash->bl, secboot_offset + src, dst, len); + + lock(&flash_lock); + secboot_flash->busy = false; +out: + unlock(&flash_lock); + return rc; +} + +static int flash_secboot_write(uint32_t dst, void *src, uint32_t len) +{ + int rc; + + if (!try_lock(&flash_lock)) + return OPAL_BUSY; + + if (secboot_flash->busy) { + rc = OPAL_BUSY; + goto out; + } + + if ((dst + len) > secboot_size) { + prerror("FLASH_SECBOOT: write out of bound (0x%x,0x%x)\n", + dst, len); + rc = OPAL_PARAMETER; + goto out; + } + + secboot_flash->busy = true; + unlock(&flash_lock); + + rc = blocklevel_write(secboot_flash->bl, secboot_offset + dst, src, len); + + lock(&flash_lock); + secboot_flash->busy = false; +out: + unlock(&flash_lock); + return rc; +} + static int flash_nvram_info(uint32_t *total_size) { int rc; 
@@ -182,6 +271,46 @@ out: return rc; } + +static int flash_secboot_probe(struct flash *flash, struct ffs_handle *ffs) +{ + uint32_t start, size, part; + bool ecc; + int rc; + + prlog(PR_DEBUG, "FLASH: probing for SECBOOT\n"); + + rc = ffs_lookup_part(ffs, "SECBOOT", &part); + if (rc) { + prlog(PR_WARNING, "FLASH: no SECBOOT partition found\n"); + return OPAL_HARDWARE; + } + + rc = ffs_part_info(ffs, part, NULL, + &start, &size, NULL, &ecc); + if (rc) { + /** + * @fwts-label SECBOOTNoPartition + * @fwts-advice OPAL could not find an SECBOOT partition + * on the system flash. Check that the system flash + * has a valid partition table, and that the firmware + * build process has added a SECBOOT partition. + */ + prlog(PR_ERR, "FLASH: Can't parse ffs info for SECBOOT\n"); + return OPAL_HARDWARE; + } + + secboot_flash = flash; + secboot_offset = start; + secboot_size = ecc ? ecc_buffer_size_minus_ecc(size) : size; + + platform.secboot_info = flash_secboot_info; + platform.secboot_read = flash_secboot_read; + platform.secboot_write = flash_secboot_write; + + return 0; +} + static int flash_nvram_probe(struct flash *flash, struct ffs_handle *ffs) { uint32_t start, size, part; @@ -332,6 +461,7 @@ static void setup_system_flash(struct flash *flash, struct dt_node *node, prlog(PR_INFO, "registered system flash device %s\n", name); flash_nvram_probe(flash, ffs); + flash_secboot_probe(flash, ffs); } static int num_flashes(void) diff --git a/include/platform.h b/include/platform.h index 6aa263ae..db1a6e97 100644 --- a/include/platform.h +++ b/include/platform.h 
@@ -221,6 +221,10 @@ struct platform { int (*secvar_init)(void); + int (*secboot_info)(uint32_t *total_size); + int (*secboot_read)(void *dst, uint32_t src, uint32_t len); + int (*secboot_write)(uint32_t dst, void *src, uint32_t len); + /* * OCC timeout. This return how long we should wait for the OCC * before timing out. This lets us use a high value on larger FSP From patchwork Mon May 11 21:31:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288088 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ3r0txXz9sRf for ; Tue, 12 May 2020 07:35:36 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ3q4pjSzDrBJ for ; Tue, 12 May 2020 07:35:35 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzt4s0BzDqjY for ; Tue, 12 May 2020 07:32:10 +1000 (AEST) Received: from pps.filterd 
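Review bot: in the @@ -93 hunk of core/flash.c, `flash_secboot_write()` omits the `if (!secboot_flash)` check that both `flash_secboot_info()` and `flash_secboot_read()` perform, so it dereferences `secboot_flash->busy` through a NULL pointer if it is ever reached before `flash_secboot_probe()` has succeeded; add the same check for consistency. The bounds checks `if ((src + len) > secboot_size)` and `if ((dst + len) > secboot_size)` are also defeated by a `uint32_t` wrap when the offset plus the length exceeds 2^32, and these values ultimately come from the caller of the platform hook; test `len > secboot_size || src > secboot_size - len` (and the same for `dst`) instead. `void *src` in the write path should be `const void *`.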
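Review bot: in the @@ -182 hunk, the fwts-advice reads "could not find an SECBOOT partition" ("a SECBOOT"), and the label is attached to the `ffs_part_info()` failure, while the far more common case, `ffs_lookup_part()` failing because the image simply carries no SECBOOT partition, logs `"FLASH: no SECBOOT partition found"` at PR_WARNING with no label. Decide whether a missing partition deserves a warning on every boot of an image that was never built with one or should be PR_INFO like a normal absent feature, and keep the two messages distinct so a corrupt partition table is not confused with a missing partition.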
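Review bot: in the platform.h hunk, the three new `secboot_info`/`secboot_read`/`secboot_write` hooks are added without a describing comment, unlike the OCC timeout hook immediately below them; state that `src`/`dst` are byte offsets relative to the start of the SECBOOT partition, that `len` is in bytes, and which return codes an implementation is expected to use (`OPAL_BUSY`, `OPAL_HARDWARE`, `OPAL_PARAMETER` as the flash implementation in this patch does), so that a second platform implementing them matches the contract the secvar storage driver will rely on.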
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:44 -0500 Message-Id: <20200511213152.24952-11-erichte@linux.ibm.com> In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> Subject: [Skiboot] [PATCH v4 10/18] doc/secvar: add document detailing secvar driver API Cc: nayna@linux.ibm.com

This patch adds a reference document that explains the intended use for each of the secvar driver API functions to aid in future secvar driver implementations.

Signed-off-by: Eric Richter ---

doc/secvar/driver-api.rst | 312 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 312 insertions(+) create mode 100644 doc/secvar/driver-api.rst diff --git a/doc/secvar/driver-api.rst b/doc/secvar/driver-api.rst new file mode 100644 index 00000000..32ca5785 --- /dev/null +++ b/doc/secvar/driver-api.rst
@@ -0,0 +1,312 @@ +.. _secvar-driver-api: + +Secvar Drivers +============== + +This document will attempt to define the expected behavior of the two secvar +drivers, and how a developer should implement a new one. + + +Storage vs Backend drivers +-------------------------- + +There are two types of drivers for secure variable support, storage and backend +drivers. Storage drivers are the most simple: they control how and where secure +variables are stored for a given platform. Backend drivers on the other hand, +can be bit more complex. They control the overall scheme of OS secureboot -- +from what variables are used, what format the variables are intended to be, how +they are updated, and how to determine the platform's OS secure boot state. + +These drivers are intended to be as self-contained as possible, so that ideally +any combination of storage and backend drivers in the future should be +compatible. + + +Storage Driver API +------------------ + +The storage driver is expected to: + * persist secure variables in a tamper-resistant manner + * handle two logical types of variable lists (referred to as "banks") + * the "variable bank" stores the active list of variables + * the "update bank" stores proposed updates to the variable bank + * handle variables using a specific secvar flag in a sensible manner + +Storage drivers must implement the following hooks for secvar to properly +utilize: + +.. code-block:: c + + struct secvar_storage_driver { + int (*load_bank)(struct list_head *bank, int section); + int (*write_bank)(struct list_head *bank, int section); + int (*store_init)(void); + void (*lock)(void); + uint64_t max_var_size; + }; + +The following subsections will give a summary of each hook, when they are used, +and their expected behavior. + + +store_init +^^^^^^^^^^ + +The ``store_init`` hook is called at the beginning of secure variable +intialization. This hook should perform any initialization logic required for +the other hooks to operate. 
+ +IMPORTANT: If this hook returns an error (non-zero) code, secvar will +immediately halt the boot. When implementing this hook, consider the +implications of any errors in initialization, and whether they may affect the +secure state. For example, if secure state is indeterminable due to some +hardware failure, this is grounds for a halt. + +This hook should only be called once. Subsequent calls should have no effect, +or raise an error. + + +load_bank +^^^^^^^^^ + +The ``load_bank`` hook should load variables from persistent storage into the +in-memory linked lists, for the rest of secvar to operate on. + +The ``bank`` parameter should be an initialized linked list. This list may not +be empty, and this hook should only append variables to the list. + +The variables this hook loads should depend on the ``section`` flag: + * if ``SECVAR_VARIABLE_BANK``, load the active variables + * if ``SECVAR_UPDATE_BANK``, load the proposed updates + +This hook is called twice at the beginning of secure variable initialization, +one for loading each bank type into their respective lists. This hook may be +called again afterwards (e.g. a reset mechanism by a backend). + + +write_bank +^^^^^^^^^^ + +The ``write_bank`` hook should persist variables using some non-volatile +storage (e.g. flash). + +The ``bank`` parameter should be an initialized linked list. This list may be +empty. It is up to the storage driver to determine how to handle this, but it is +strongly recommended to zeroize the storage location. + +The ``section`` parameter indicates which list of variables is to be written +following the same pattern as in ``load_bank``. + +This hook is called for the variable bank if the backend driver reports that +updates were processed. This hook is called for the update bank in all cases +EXCEPT where no updates were found by the backend (this includes error cases). + +This hook should not be called more than once for the variable bank. 
This hook +is called once in the secvar initialization procedure, and then each time +``opal_secvar_enqueue_update()`` is successfully called. + + +lock +^^^^ + +The ``lock`` hook may perform any write-lock protections as necessary by the +platform. This hook is unconditionally called after the processing step +performed in the main secure variable logic, and should only be called once. +Subsequent calls should have no effect, or raise an error. + +This hook MUST also be called in any error cases that may interrupt the regular +secure variable initialization flow, to prevent leaving the storage mechanism +open to unauthorized writes. + +This hook MUST halt the boot if any internal errors arise that may compromise +the protection of the storage. + +If locking is not applicable to the storage mechanism, this hook may be +implemented as a no-op. + + +max_var_size +^^^^^^^^^^^^ + +The ``max_var_size`` field is not a function hook, but a value to be referenced +by other components to determine the maximum variable size. As this driver is +responsible for persisting variables somewhere, it has the option to determine +the maximum size to use. + + +A Quick Note on Secvar Flags +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +While "communication" between the storage and backend drivers has been +minimized as best as possible, there are a few cases where the storage driver +may need to take a few hints from the backend. + +The ``flags`` field in ``struct secvar_node`` may contain one of the following +values: + +.. code-block:: c + + #define SECVAR_FLAG_VOLATILE 0x1 + #define SECVAR_FLAG_PROTECTED 0x2 + +At time of writing this document, the flags are mutually exclusive, however +this may change in the future. + +``VOLATILE`` indicates that the storage driver should NOT persist this variable +to storage. 
+ +``PROTECTED`` indicates that this variable has a heightened importance than +other variables, and if applicable to the storage driver, stored in a more +secure/tamper-resistant region (e.g. store variables important to secureboot +state in TPM NV rather than PNOR on p9). + + +Backend Driver API +------------------ + +The backend driver at the core defines how secure variables are defined and +processed, and by extension, also how operate the platform's secure boot modes. + +.. code-block:: c + + struct secvar_backend_driver { + int (*pre_process)(struct list_head *variable_bank + struct list_head *update_bank); + int (*process)(struct list_head *variable_bank + struct list_head *update_bank); + int (*post_process)(struct list_head *variable_bank + struct list_head *update_bank); + int (*validate)(struct secvar *var); + const char *compatible; + }; + +The following subsections will give a summary of each hook, when they are used, +and their expected behaviors. + + +pre_process +^^^^^^^^^^^ + +The ``pre_process`` hook is an optional hook that a backend driver may implement +to handle any early logic prior to processing. If this hook is set to ``NULL``, +it is skipped. + +As this hook is called just after loading the variables from the storage driver +but just before ``process``, this hook is provided for convenience to do any +early initialization logic as necessary. + +Any error code returned by this hook will be treated as a failure, and halt +secure variable initialization. + +Example usage: + * initialize empty variables that were not loaded from storage + * allocate any internal structures that may be needed for processing + + +process +^^^^^^^ + +The ``process`` hook is the only required hook, and should contain all variable +update process logic. Unlike the other two hooks, this hook must be defined, or +secure variable initialization will halt. 
+ +This hook is expected to iterate through any variables contained in the +``update_bank`` list argument, and perform any action on the +``variable_bank`` list argument as the backend seems appropriate for the given +update (e.g. add/remove/update variable) + +NOTE: the state of these bank lists will be written to persistent storage as-is, +so for example, if the update bank should be cleared, it should be done prior to +returning from this hook. + +Unlike the other two hooks, this hook may return a series of return codes +indicating various status situations. This return code is exposed in the device +tree at ``secvar/update-status``. See the table below for an expected definition +of the return code meanings. Backends SHOULD document any deviations or +extensions to these definitions for their specific implementation. + +To prevent excessive writes to flash, the main secure variable flow will only +perform writes when the ``process`` hook returns a status that declares +something has been changed. The variable bank is only written to storage if +``process`` returns ``OPAL_SUCCESS``. + +On the other hand, the update bank is written to storage if the return code is +anything other than ``OPAL_EMPTY`` (which signals that there were no updates to +process). This includes all error cases, therefore the backend is responsible +for emptying the update bank prior to exiting with an error, if the bank is to +be cleared. 
+ + +Status codes +"""""""""""" + ++-----------------+-----------------------------------------------+ +| update-status | Generic Reason | ++-----------------+-----------------------------------------------+ +| OPAL_SUCCESS | Updates were found and processed successfully | ++-----------------+-----------------------------------------------+ +| OPAL_EMPTY | No updates were found, none processed | ++-----------------+-----------------------------------------------+ +| OPAL_PARAMETER | Malformed, or unexpected update data blob | ++-----------------+-----------------------------------------------+ +| OPAL_PERMISSION | Update failed to apply, possible auth failure | ++-----------------+-----------------------------------------------+ +| OPAL_HARDWARE | Misc. storage-related error | ++-----------------+-----------------------------------------------+ +| OPAL_RESOURCE | Out of space (reported by storage) | ++-----------------+-----------------------------------------------+ +| OPAL_NO_MEM | Out of memory | ++-----------------+-----------------------------------------------+ + +See also: ``device-tree/ibm,opal/secvar/secvar.rst``. + + +post_process +^^^^^^^^^^^^ + +The ``post_process`` hook is an optional hook that a backend driver may +implement to handle any additional logic after the processing step. Like +``pre_process``, it may be set to ``NULL`` if unused. + +This hook is called AFTER performing any writes to storage, and AFTER locking +the persistant storage. Any changes to the variable bank list in this hook will +NOT be persisted to storage. + +Any error code returned by this hook will be treated as a failure, and halt +secure variable initialization. + +Example usage: + * determine secure boot state (and set ``os-secure-enforcing``) + * remove any variables from the variable bank that do not need to be exposed + * append any additional volatile variables + + +validate +^^^^^^^^ + +!!NOTE!! 
This is not currently implemented, and the detail below is subject to +change. + +The ``validate`` hook is an optional hook that a backend may implement to check +if a single variable is valid. If implemented, this hook is called during +``opal_secvar_enqueue_update`` to provide more immediate feedback to the caller +on proposed variable validity. + +This hook should return ``OPAL_SUCCESS`` if the validity check passes. Any +other return code is treated as a failure, and will be passed through the +``enqueue_update`` call. + +Example usage: + * check for valid payload data structure + * check for valid signature format + * validate the signature against current variables + * implement a variable white/blacklist + + +compatible +^^^^^^^^^^ + +The compatible field is a required field that declares the compatibility of +this backend driver. This compatible field is exposed in the +``secvar/compatible`` device tree node for subsequent kernels, etc to +determine how to interact with the secure variables. 
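Review bot: the struct secvar_backend_driver listing in the Backend Driver API section is not valid C: each of pre_process, process and post_process is missing the comma between `struct list_head *variable_bank` and `struct list_head *update_bank`, and since this is the reference a new backend author will copy from, the prototypes should match the real header exactly. Two passages also contradict themselves. Under write_bank, "This hook should not be called more than once for the variable bank" is immediately followed by "called once in the secvar initialization procedure, and then each time opal_secvar_enqueue_update() is successfully called", which only makes sense if the second sentence is about the update bank; say so. Under load_bank, "This list may not be empty" reads as a prohibition; if the intent is that the list can already contain entries and the hook must append rather than reinitialise, "may already contain variables" is unambiguous. Because `lock` is what closes the window for unauthorised writes, the rule that the update bank is written in every case except OPAL_EMPTY (including errors) should come with its rationale, presumably so that a backend can clear a rejected update instead of having it re-processed on every boot; right now the rule is stated without saying why. Typos: "intialization", "persistant", "can be bit more complex", "how operate the platform's secure boot modes", "has a heightened importance than other variables".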
From patchwork Mon May 11 21:31:45 2020 X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288090
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:45 -0500 Message-Id: <20200511213152.24952-12-erichte@linux.ibm.com> In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> Subject: [Skiboot] [PATCH v4 11/18] secvar/storage: add secvar storage driver for pnor-based p9 Cc: nayna@linux.ibm.com

This patch implements the platform specific logic for persisting the secure variable storage banks across reboots via the SECBOOT PNOR partition.

For POWER 9, all secure variables and updates are stored in the SECBOOT PNOR partition. The partition is split into three sections: two variable bank sections, and a section for storing updates. The driver alternates writes between the two variable sections, so that the final switch from one set of variables to the next can be as atomic as possible by flipping an "active bit" stored in TPM NV.

PNOR space provides no lock protection, so prior to writing the variable bank, a sha256 hash is calculated and stored in TPM NV. This hash is compared against the hash of the variables loaded from PNOR to ensure consistency -- otherwise a failure is reported, no keys are loaded (which should cause skiroot to refuse to boot if secure boot support is enabled).

Signed-off-by: Eric Richter ---

V4:
 - add documentation for this driver
 - removed unused SECURE_STORAGE flag, renamed PRIORITY to PROTECTED (This is still open to suggestions, PROTECTED sounded more clear)
 - fixed missing pointer advancement when writing protected variables
 - updated the NV public name hashes to match the current set of attributes used to define the indices
 - moved the expected NV public name hashes to separate header
 - cleaned up most line lengths to under 80 columns, with the exception of prlog statements and possibly a few others.

doc/secvar/secboot_tpm.rst | 175 +++++ include/secvar.h | 1 + libstb/secvar/secvar.h | 4 +- libstb/secvar/storage/Makefile.inc | 5 +- libstb/secvar/storage/secboot_tpm.c | 678 ++++++++++++++++++ libstb/secvar/storage/secboot_tpm.h | 61 ++ .../secvar/storage/secboot_tpm_public_name.h | 18 + libstb/secvar/storage/tpmnv_ops.c | 15 + 8 files changed, 953 insertions(+), 4 deletions(-) create mode 100644 doc/secvar/secboot_tpm.rst create mode 100644 libstb/secvar/storage/secboot_tpm.c create mode 100644 libstb/secvar/storage/secboot_tpm.h create mode 100644 libstb/secvar/storage/secboot_tpm_public_name.h create mode 100644 libstb/secvar/storage/tpmnv_ops.c diff --git a/doc/secvar/secboot_tpm.rst b/doc/secvar/secboot_tpm.rst new file mode 100644 index 00000000..8da0c2f0 --- /dev/null +++ b/doc/secvar/secboot_tpm.rst
@@ -0,0 +1,175 @@ +.. _secvar/secboot_tpm: + +secboot_tpm secvar storage driver for P9 platforms +================================================== + +Overview +-------- + +This storage driver utilizes the SECBOOT PNOR partition and TPM NV space to +persist secure variables across reboots in a tamper-resistant manner. While +writes to PNOR cannot be completely prevented, writes CAN be prevented to TPM +NV. On the other hand, there is limited available space in TPM NV. + +Therefore, this driver uses both in conjunction: large variable data is written +to SECBOOT, and a hash of the variable data is stored in TPM NV. When the +variables are loaded from SECBOOT, this hash is recalculated and compared +against the value stored in the TPM. If they do not match, then the variables +must have been altered and are not loaded. + +See the following sections for more information on the internals of the driver. + + +Storage Layouts +--------------- + +At a high-level, there are a few major logical components: + + - (PNOR) Variable storage (split in half, active/staging) + - (PNOR) Update storage + - (TPM) Protected variable storage + - (TPM) Bank hashes & active bit + +Variable storage consists of two smaller banks, variable bank 0 and variable +bank 1. Either of the banks may be designated "active" by setting the active +bank bit to either 0 or 1, indicating that the corresponding bank is now +"active". The other bank is then considered "staging". See the "Persisting +Variable Bank Updates" for more on the active/staging bank logic. + +Protected variable storage is stored in ``VARS`` TPM NV index. Unlike the other +variable storage, there is only one bank due to limited storage space. See the +TPM NV Indices section for more. + + +Persisting the Variable Bank +---------------------------- + +When writing a new variable bank to storage, this is (roughly) the procedure the +driver will follow: + +1. write variables to the staging bank +2. calculate hash of the staging bank +3. 
store the staging bank hash in the TPM NV +4. flip the active bank bit + +This procedure ensures that the switch-over from the old variables to the +new variables is as atomic as possible. This should prevent any possible +issues caused by an interruption during the writing process, such as power loss. + +The bank hashes are a SHA256 hash calculated over the whole region of +storage space allocated to the bank, including unused storage. For consistency, +unused space is always written as zeroes. Like the active/staging variable +banks, there are also two corresponding active/staging bank hashes stored in +the TPM. + + +TPM NV Indices +-------------- + +The driver utilizes two TPM NV indices: + +.. code-block:: c + + # size). datadefine SECBOOT_TPMNV_VARS_INDEX 0x01c10190 + #define SECBOOT_TPMNV_CONTROL_INDEX 0x01c10191 + +The ``VARS`` index stores variables flagged with ``SECVAR_FLAG_PROTECTED``. +These variables are critical to the state of OS secure boot, and therefore +cannot be safely stored in the SECBOOT partition. This index is defined to be +1024 bytes in size, which is enough for the current implementation on P9. It +is kept small by default to preserve the very limited NV index space. + +The ``CONTROL`` index stores the bank hashes, and the bit to determine which +bank is active. See the Active/Staging Bank Swapping section for more. + +Both indices are defined on first boot with the same set of attributes. If the +indices are already defined but not in the expected state, (different +attributes, size, etc), then the driver will halt the boot. Asserting physical +presence will redefine the indices in the correct state. + + +Locking +------- + +PNOR cannot be locked, however the TPM can be. The TPM NV indices are double +protected via two locking mechanisms: + + - The driver's ``.lock()`` hook sends the ``TSS_NV_WriteLock`` TPM command. +This sets the ``WRITELOCKED`` attribute, which is cleared on the next +TPM reset. 
+ + - The TPM NV indices are defined under the platform hierarchy. Skiboot will add +a global lock to all the NV indices under this hierarchy prior to loading a +kernel. This is also reset on the next TPM reset. + +NOTE: The TPM is only reset during a cold reboot. Fast reboots or kexecs will +NOT unlock the TPM. + + +Resetting Storage / Physical Presence +------------------------------------- + +In the case that secure boot/secvar has been rendered unusable, (for example: +corrupted data, lost/compromised private key, improperly defined NV indices, etc) +this storage driver responds to physical presence assertion as a last-resort +method to recover the system. + +Asserting physical presence undefines, and immediately redefines the TPM NV +indices. Defining the NV indices then causes a cascading set of reformats for +the remaining components of storage, similar to a first-boot scenario. + +This driver considers physical presence to be asserted if any of the following +device tree nodes are present in ``ibm,secureboot``: + - ``clear-os-keys`` + - ``clear-all-keys`` + - ``clear-mfg-keys`` + + +Storage Formats/Layouts +======================= + +SECBOOT (PNOR) +-------------- + +Partition Format: + - 8b secboot header + - 4b: u32. magic number, always 0x5053424b + - 1b: u8. version, always 1 + - 3b: unused padding + - 32k: secvars. variable bank 0 + - 32k: secvars. variable bank 1 + - 32k: secvars. update bank + +Variable Format (secvar): + - 8b: u64. key length + - 8b: u64. data size + - 1k: string. key + - (data size). data + +TPM VARS (NV) +------------- + +NV Index Format: + - 8b secboot header + - 4b: u32. magic number, always 0x5053424b + - 1b: u8. version, always 1 + - 3b: unused padding + - 1016b: packed secvars. protected variable storage + +Variable Format (packed secvar): + - 8b: u64. key length + - 8b: u64. data size + - (key length): string. key + - (data size). data + +TPM CONTROL (NV) +---------------- + + - 8b secboot header + - 4b: u32. 
magic number, always 0x5053424b + - 1b: u8. version, always 1 + - 3b: unused padding + - 1b: u8. active bit, 0 or 1 + - 32b: sha256 hash of variable bank 0 + - 32b: sha256 hash of variable bank 1 + diff --git a/include/secvar.h b/include/secvar.h index 75730b2e..7a45db2b 100644 --- a/include/secvar.h +++ b/include/secvar.h @@ -27,6 +27,7 @@ struct secvar_backend_driver { const char *compatible; // String to use for compatible in secvar node }; +extern struct secvar_storage_driver secboot_tpm_driver; int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver); diff --git a/libstb/secvar/secvar.h b/libstb/secvar/secvar.h index b141b705..7e23dcc3 100644 --- a/libstb/secvar/secvar.h +++ b/libstb/secvar/secvar.h @@ -23,8 +23,8 @@ struct secvar_node { uint64_t size; // How much space was allocated for data }; -#define SECVAR_FLAG_VOLATILE 0x1 // Instructs storage driver to ignore variable on writes -#define SECVAR_FLAG_SECURE_STORAGE 0x2 // Hint for storage driver to select storage location +#define SECVAR_FLAG_VOLATILE 0x1 // Instructs storage driver to ignore variable on writes +#define SECVAR_FLAG_PROTECTED 0x2 // Hint for storage driver to store in lockable flash struct secvar { uint64_t key_len; diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index 3fd9543a..35fba723 100644 --- a/libstb/secvar/storage/Makefile.inc +++ b/libstb/secvar/storage/Makefile.inc @@ -1,11 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # -*-Makefile-*- -SECVAR_STORAGE_DIR = libstb/secvar/storage +SECVAR_STORAGE_DIR = $(SRC)/libstb/secvar/storage SUBDIRS += $(SECVAR_STORAGE_DIR) -SECVAR_STORAGE_SRCS = +SECVAR_STORAGE_SRCS = secboot_tpm.c tpmnv_ops.c +#SECVAR_STORAGE_SRCS = secboot_tpm.c fakenv_ops.c SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a 
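Review bot: the secboot_tpm.rst hunk describes what the TPM protects but not where that protection stops, and that boundary is the security-relevant fact a reader of this document needs. Three things should be explicit. First, only the two variable banks have hashes in the CONTROL index; the update bank in SECBOOT has no TPM-backed integrity, so its contents are untrusted input whose only protection is the backend's signature verification. Second, the TPM lock does not prevent PNOR modification (the Overview already concedes that), it prevents the hash and active bit from being changed so that a modification is detected at the next load; the Locking section ("double protected via two locking mechanisms") should say that the consequence of detection is refusing to load the variables, as the commit message does. Third, the VARS index holds a single bank with no staging copy, so an interrupted write there is not covered by the active-bit swap, and the document should state what the driver does when the active-bit byte holds a value other than 0 or 1. Two cross-references are broken: "Persisting Variable Bank Updates" should be "Persisting the Variable Bank", and there is no "Active/Staging Bank Swapping" section. Finally, the first line of the TPM NV Indices code block appears garbled in this rendering ("# size). datadefine SECBOOT_TPMNV_VARS_INDEX 0x01c10190"); please confirm the source has a plain #define there.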
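Review bot: the new comment on SECVAR_FLAG_PROTECTED in libstb/secvar/secvar.h, "Hint for storage driver to store in lockable flash", does not match what the driver-api document in this series says the flag means (a more secure/tamper-resistant region, which on P9 is TPM NV rather than PNOR) nor what secboot_tpm.c does with it (serialise the variable into the VARS NV index). Suggest "Hint for storage driver to keep the variable in a more tamper-resistant location (e.g. TPM NV)" so that the header and the document agree, since a backend author will read the header first.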
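Review bot: the commented-out line `#SECVAR_STORAGE_SRCS = secboot_tpm.c fakenv_ops.c` in Makefile.inc leaves a switch to a fake TPM NV implementation that is toggled by hand-editing the Makefile, and fakenv_ops.c is not in this patch's diffstat. Either drop the line or make the selection an explicit, test-only make variable, so that an image built from an edited tree cannot quietly ship with fake NV operations behind a driver whose integrity anchor is the TPM. The change of SECVAR_STORAGE_DIR to `$(SRC)/libstb/secvar/storage` is unrelated to adding the driver and should be mentioned in the commit message or split into its own patch.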
diff --git a/libstb/secvar/storage/secboot_tpm.c b/libstb/secvar/storage/secboot_tpm.c new file mode 100644 index 00000000..012da294 --- /dev/null +++ b/libstb/secvar/storage/secboot_tpm.c 
@@ -0,0 +1,678 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "SECBOOT_TPM: " fmt +#endif + +#include +#include +#include +#include +#include "../secvar.h" +#include "../secvar_devtree.h" +#include "secboot_tpm.h" +#include +#include + +#define CYCLE_BIT(b) (b^0x1) + +#define SECBOOT_TPM_MAX_VAR_SIZE 8192 + +struct secboot *secboot_image = NULL; +struct tpmnv_vars *tpmnv_vars_image = NULL; +struct tpmnv_control *tpmnv_control_image = NULL; + +const size_t tpmnv_vars_size = 1024; + +/* Expected TPM NV index name field from NV_ReadPublic given our known + * set of attributes. + * See Part 1 Section 16, and Part 2 Section 13.5 of the TPM Specification + * for how this is calculated + */ +#include "secboot_tpm_public_name.h" + +/* Calculate a SHA256 hash over the supplied buffer */ +static int calc_bank_hash(char *target_hash, char *source_buf, uint64_t size) +{ + mbedtls_sha256_context ctx; + int rc; + + mbedtls_sha256_init(&ctx); + + rc = mbedtls_sha256_update_ret(&ctx, source_buf, size); + if (rc) + goto out; + + mbedtls_sha256_finish_ret(&ctx, target_hash); + if (rc) + goto out; + +out: + mbedtls_sha256_free(&ctx); + return rc; +} + +/* Reformat the TPMNV space */ +static int tpmnv_format(void) +{ + int rc; + + memset(tpmnv_vars_image, 0x00, tpmnv_vars_size); + memset(tpmnv_control_image, 0x00, sizeof(struct tpmnv_control)); + + tpmnv_vars_image->header.magic_number = SECBOOT_MAGIC_NUMBER; + tpmnv_vars_image->header.version = SECBOOT_VERSION; + tpmnv_control_image->header.magic_number = SECBOOT_MAGIC_NUMBER; + tpmnv_control_image->header.version = SECBOOT_VERSION; + + /* Counts as first write to the TPM NV, which sets the + * TPMA_NVA_WRITTEN attribute */ + rc = tpmnv_ops.write(SECBOOT_TPMNV_VARS_INDEX, + tpmnv_vars_image, + tpmnv_vars_size, 0); + if (rc) { + prlog(PR_ERR, "Could not write new formatted data to VARS index, rc=%d\n", rc); + return rc; + } + + rc = 
tpmnv_ops.write(SECBOOT_TPMNV_CONTROL_INDEX, + tpmnv_control_image, + sizeof(struct tpmnv_control), 0); + if (rc) + prlog(PR_ERR, "Could not write new formatted data to CONTROL index, rc=%d\n", rc); + + return rc; +} + +/* Reformat the secboot PNOR space */ +static int secboot_format(void) +{ + int rc; + + memset(secboot_image, 0x00, sizeof(struct secboot)); + + secboot_image->header.magic_number = SECBOOT_MAGIC_NUMBER; + secboot_image->header.version = SECBOOT_VERSION; + + /* Write the hash of the empty bank to the tpm so future loads work */ + rc = calc_bank_hash(tpmnv_control_image->bank_hash[0], + secboot_image->bank[0], + SECBOOT_VARIABLE_BANK_SIZE); + if (rc) { + prlog(PR_ERR, "Bank hash failed to calculate somehow\n"); + return rc; + } + + rc = tpmnv_ops.write(SECBOOT_TPMNV_CONTROL_INDEX, + tpmnv_control_image->bank_hash[0], + SHA256_DIGEST_SIZE, + offsetof(struct tpmnv_control, + bank_hash[0])); + if (rc) { + prlog(PR_ERR, "Could not write fresh formatted bank hashes to CONTROL index, rc=%d\n", rc); + return rc; + } + + rc = platform.secboot_write(0, secboot_image, sizeof(struct secboot)); + if (rc) + prlog(PR_ERR, "Could not write formatted data to PNOR, rc=%d\n", rc); + + return rc; +} + + +/* Serialize one priority variable using a tighter packing scheme + * Returns the advanced target pointer */ +static char *secboot_serialize_priority(char *target, struct secvar_node *node, char *end) +{ + if ((target + + node->var->key_len + + node->var->data_size + + offsetof(struct secvar, key)) > end) + return NULL; + + memcpy(target, &node->var->key_len, sizeof(node->var->key_len)); + target += sizeof(node->var->key_len); + memcpy(target, &node->var->data_size, sizeof(node->var->data_size)); + target += sizeof(node->var->data_size); + memcpy(target, node->var->key, node->var->key_len); + target += node->var->key_len; + memcpy(target, node->var->data, node->var->data_size); + target += node->var->data_size; + + return target; +} + + +/* Flattens a linked-list bank 
into a contiguous buffer for writing */ +static int secboot_serialize_bank(struct list_head *bank, char *target, size_t target_size, int flags) +{ + struct secvar_node *node; + char *tmp = target; + char *end = target + target_size; + + if (!bank) + return OPAL_INTERNAL_ERROR; + if (!target) + return OPAL_INTERNAL_ERROR; + + memset(target, 0x00, target_size); + + list_for_each(bank, node, link) { + if (node->flags != flags) + continue; + + /* Priority variable has a different packing scheme */ + if (flags & SECVAR_FLAG_PROTECTED) { + target = secboot_serialize_priority(target, node, end); + if (!target) + return OPAL_EMPTY; + continue; + } + + /* Bail early if we are out of storage space */ + if ((target - tmp) + + sizeof(struct secvar) + + node->var->data_size > target_size) { + prlog(PR_ERR, "Ran out of PNOR space, giving up!\n"); + return OPAL_EMPTY; + } + + memcpy(target, node->var, + sizeof(struct secvar) + node->var->data_size); + + target += sizeof(struct secvar) + node->var->data_size; + } + + return OPAL_SUCCESS; +} + +/* Loads in a flattened list of variables from a buffer into a linked list */ +static int secboot_load_from_pnor(struct list_head *bank, char *source, size_t max_size) +{ + char *src; + struct secvar_node *tmp; + struct secvar *hdr; + + src = source; + + while (src < (source + max_size)) { + /* Load in the header first to get the size, and check if we + * are at the end. 
+ * + * Banks are zeroized after each write, thus key_len == 0 + * indicates end of the list */ + hdr = (struct secvar *) src; + if (hdr->key_len == 0) { + break; + } else if (hdr->key_len > SECVAR_MAX_KEY_LEN) { + prlog(PR_ERR, "Attempted to load a key larger than max, len = %llu\n", hdr->key_len); + return OPAL_INTERNAL_ERROR; + } + + if (hdr->data_size > SECBOOT_TPM_MAX_VAR_SIZE) { + prlog(PR_ERR, "Attempted to load a data payload larger than max, " + "size = %llu\n", hdr->data_size); + return OPAL_INTERNAL_ERROR; + } + + tmp = alloc_secvar(hdr->data_size); + if (!tmp) { + prlog(PR_ERR, "Could not allocate memory for loading secvar from image\n"); + return OPAL_NO_MEM; + } + + memcpy(tmp->var, src, sizeof(struct secvar) + hdr->data_size); + + list_add_tail(bank, &tmp->link); + src += sizeof(struct secvar) + hdr->data_size; + } + + return OPAL_SUCCESS; +} + + +/* Helper for the variable-bank specific writing logic */ +static int secboot_tpm_write_variable_bank(struct list_head *bank) +{ + int rc; + uint64_t bit; + + bit = CYCLE_BIT(tpmnv_control_image->active_bit); + rc = secboot_serialize_bank(bank, tpmnv_vars_image->vars, + tpmnv_vars_size - sizeof(struct tpmnv_vars), + SECVAR_FLAG_PROTECTED); + if (rc) + goto out; + + rc = tpmnv_ops.write(SECBOOT_TPMNV_VARS_INDEX, + tpmnv_vars_image, + tpmnv_vars_size, 0); + if (rc) + goto out; + + /* Calculate the bank hash, and write to TPM NV */ + rc = secboot_serialize_bank(bank, secboot_image->bank[bit], + SECBOOT_VARIABLE_BANK_SIZE, 0); + if (rc) + goto out; + + rc = calc_bank_hash(tpmnv_control_image->bank_hash[bit], + secboot_image->bank[bit], + SECBOOT_VARIABLE_BANK_SIZE); + if (rc) + goto out; + + rc = tpmnv_ops.write(SECBOOT_TPMNV_CONTROL_INDEX, + tpmnv_control_image->bank_hash[bit], + SHA256_DIGEST_LENGTH, + offsetof(struct tpmnv_control, bank_hash[bit])); + if (rc) + goto out; + + /* Write new variable bank to pnor */ + rc = platform.secboot_write(0, secboot_image, sizeof(struct secboot)); + if (rc) + goto out; + 
+ /* Flip the bit, and write to TPM NV */ + tpmnv_control_image->active_bit = bit; + rc = tpmnv_ops.write(SECBOOT_TPMNV_CONTROL_INDEX, + &tpmnv_control_image->active_bit, + sizeof(tpmnv_control_image->active_bit), + offsetof(struct tpmnv_control, active_bit)); +out: + + return rc; +} + +static int secboot_tpm_write_bank(struct list_head *bank, int section) +{ + int rc; + + switch (section) { + case SECVAR_VARIABLE_BANK: + rc = secboot_tpm_write_variable_bank(bank); + break; + case SECVAR_UPDATE_BANK: + memset(secboot_image->update, 0, SECBOOT_UPDATE_BANK_SIZE); + rc = secboot_serialize_bank(bank, secboot_image->update, + SECBOOT_UPDATE_BANK_SIZE, 0); + if (rc) + break; + + rc = platform.secboot_write(0, secboot_image, + sizeof(struct secboot)); + break; + default: + rc = OPAL_HARDWARE; + } + + return rc; +} + +/* Priority variables stored in TPMNV have to be packed tighter to make the + * most out of the small amount of space available */ +static int secboot_tpm_load_from_tpmnv(struct list_head *bank) +{ + struct secvar *hdr; + struct secvar_node *node; + char *cur; + char *end; + + cur = tpmnv_vars_image->vars; + end = ((char *) tpmnv_vars_image) + tpmnv_vars_size; + + while (cur < end) { + /* Ensure there is enough space to even check for another + * var header */ + if ((end - cur) < offsetof(struct secvar, key)) + break; + + /* Temporary cast to check sizes in the header */ + hdr = (struct secvar *) cur; + + /* Check if we have a priority variable to load + * Should be zeroes if nonexistent */ + if ((hdr->key_len == 0) && (hdr->data_size == 0)) + break; + + /* Sanity check our potential priority variables */ + if ((hdr->key_len > SECVAR_MAX_KEY_LEN) + || (hdr->data_size > SECBOOT_TPM_MAX_VAR_SIZE)) { + prlog(PR_ERR, "TPM NV Priority variable has impossible sizes, probably internal bug. 
" + "len = %llu, size = %llu\n", + hdr->key_len, hdr->data_size); + return OPAL_INTERNAL_ERROR; + } + + /* Advance cur over the two size values */ + cur += sizeof(hdr->key_len); + cur += sizeof(hdr->data_size); + + /* Ensure the expected key/data size doesn't exceed + * the remaining buffer */ + if ((end - cur) < (hdr->data_size + hdr->key_len)) + return OPAL_INTERNAL_ERROR; + + node = alloc_secvar(hdr->data_size); + if (!node) + return OPAL_NO_MEM; + + node->var->key_len = hdr->key_len; + node->var->data_size = hdr->data_size; + node->flags |= SECVAR_FLAG_PROTECTED; + + memcpy(node->var->key, cur, hdr->key_len); + cur += hdr->key_len; + memcpy(node->var->data, cur, hdr->data_size); + cur += hdr->data_size; + + list_add_tail(bank, &node->link); + } + + return OPAL_SUCCESS; +} + +static int secboot_tpm_load_variable_bank(struct list_head *bank) +{ + char bank_hash[SHA256_DIGEST_LENGTH]; + uint64_t bit = tpmnv_control_image->active_bit; + int rc; + + /* Check the hash of the bank we loaded from PNOR + * versus the expected hash in TPM NV */ + rc = calc_bank_hash(bank_hash, + secboot_image->bank[bit], + SECBOOT_VARIABLE_BANK_SIZE); + if (rc) + return rc; + + if (memcmp(bank_hash, + tpmnv_control_image->bank_hash[bit], + SHA256_DIGEST_LENGTH)) + /* Tampered pnor space detected, abandon ship */ + return OPAL_PERMISSION; + + rc = secboot_tpm_load_from_tpmnv(bank); + if (rc) + return rc; + + return secboot_load_from_pnor(bank, + secboot_image->bank[bit], + SECBOOT_VARIABLE_BANK_SIZE); +} + + +static int secboot_tpm_load_bank(struct list_head *bank, int section) +{ + switch (section) { + case SECVAR_VARIABLE_BANK: + return secboot_tpm_load_variable_bank(bank); + case SECVAR_UPDATE_BANK: + return secboot_load_from_pnor(bank, + secboot_image->update, + SECBOOT_UPDATE_BANK_SIZE); + } + + return OPAL_HARDWARE; +} + + +/* Ensure the NV indices were defined with the correct set of attributes */ +static int secboot_tpm_check_tpmnv_attrs(void) +{ + TPMS_NV_PUBLIC nv_public; /* 
Throwaway, we only want the name field */ + TPM2B_NAME nv_vars_name; + TPM2B_NAME nv_control_name; + int rc; + + rc = tpmnv_ops.readpublic(SECBOOT_TPMNV_VARS_INDEX, + &nv_public, + &nv_vars_name); + if (rc) { + prlog(PR_ERR, "Failed to readpublic from the VARS index, rc=%d\n", rc); + return rc; + } + rc = tpmnv_ops.readpublic(SECBOOT_TPMNV_CONTROL_INDEX, + &nv_public, + &nv_control_name); + if (rc) { + prlog(PR_ERR, "Failed to readpublic from the CONTROL index, rc=%d\n", rc); + return rc; + } + + if (memcmp(tpmnv_vars_name, + nv_vars_name.t.name, + sizeof(tpmnv_vars_name))) { + prlog(PR_ERR, "VARS index not defined with the correct attributes\n"); + return OPAL_RESOURCE; + } + if (memcmp(tpmnv_control_name, + nv_control_name.t.name, + sizeof(tpmnv_control_name))) { + prlog(PR_ERR, "CONTROL index not defined with the correct attributes\n"); + return OPAL_RESOURCE; + } + + return OPAL_SUCCESS; +} + + +static int secboot_tpm_define_indices(void) +{ + int rc = OPAL_SUCCESS; + + rc = tpmnv_ops.definespace(SECBOOT_TPMNV_VARS_INDEX, tpmnv_vars_size); + if (rc) { + prlog(PR_ERR, "Failed to define the VARS index, rc=%d\n", rc); + return rc; + } + + rc = tpmnv_ops.definespace(SECBOOT_TPMNV_CONTROL_INDEX, sizeof(struct tpmnv_control)); + if (rc) { + prlog(PR_ERR, "Failed to define the CONTROL index, rc=%d\n", rc); + return rc; + } + + rc = tpmnv_format(); + if (rc) + return rc; + + /* TPM NV just got redefined, so unconditionally format the SECBOOT partition */ + return secboot_format(); +} + +static int secboot_tpm_store_init(void) +{ + int rc; + unsigned int secboot_size; + + TPMI_RH_NV_INDEX *indices = NULL; + size_t count = 0; + bool control_defined = false; + bool vars_defined = false; + int i; + + if (secboot_image) + return OPAL_SUCCESS; + + if (!platform.secboot_info) + return OPAL_UNSUPPORTED; + + prlog(PR_DEBUG, "Initializing for pnor+tpm based platform\n"); + + /* Initialize SECBOOT first, we may need to format this later */ + rc = 
platform.secboot_info(&secboot_size); + if (rc) { + prlog(PR_ERR, "error %d retrieving keystore info\n", rc); + goto error; + } + if (sizeof(struct secboot) > secboot_size) { + prlog(PR_ERR, "secboot partition %d KB too small. min=%ld\n", + secboot_size >> 10, sizeof(struct secboot)); + rc = OPAL_RESOURCE; + goto error; + } + + secboot_image = memalign(0x1000, sizeof(struct secboot)); + if (!secboot_image) { + prlog(PR_ERR, "Failed to allocate space for the secboot image\n"); + rc = OPAL_NO_MEM; + goto error; + } + + /* Read in the PNOR data, bank hash is checked on call to .load_bank() */ + rc = platform.secboot_read(secboot_image, 0, sizeof(struct secboot)); + if (rc) { + prlog(PR_ERR, "failed to read the secboot partition, rc=%d\n", rc); + goto error; + } + + /* Allocate the tpmnv data buffers */ + tpmnv_vars_image = zalloc(tpmnv_vars_size); + if (!tpmnv_vars_image) + return OPAL_NO_MEM; + tpmnv_control_image = zalloc(sizeof(struct tpmnv_control)); + if (!tpmnv_control_image) + return OPAL_NO_MEM; + + /* Check if the NV indices have been defined already */ + rc = tpmnv_ops.getindices(&indices, &count); + if (rc) { + prlog(PR_ERR, "Could not load defined indicies from TPM, rc=%d\n", rc); + goto error; + } + + for (i = 0; i < count; i++) { + if (indices[i] == SECBOOT_TPMNV_VARS_INDEX) + vars_defined = true; + else if (indices[i] == SECBOOT_TPMNV_CONTROL_INDEX) + control_defined = true; + } + free(indices); + + /* Undefine the NV indices if physical presence has been asserted */ + if (secvar_check_physical_presence()) { + prlog(PR_INFO, "Physical presence asserted, redefining NV indices, and resetting keystore\n"); + + if (vars_defined) { + rc = tpmnv_ops.undefinespace(SECBOOT_TPMNV_VARS_INDEX); + if (rc) { + prlog(PR_ERR, "Physical presence failed to undefine VARS, something is seriously wrong\n"); + goto error; + } + } + + if (control_defined) { + rc = tpmnv_ops.undefinespace(SECBOOT_TPMNV_CONTROL_INDEX); + if (rc) { + prlog(PR_ERR, "Physical presence failed to 
undefine CONTROL, something is seriously wrong\n"); + goto error; + } + } + + vars_defined = control_defined = false; + } + + /* Determine if we need to define the indices. These should BOTH be false or true */ + if (!vars_defined && !control_defined) { + rc = secboot_tpm_define_indices(); + if (rc) + goto error; + + /* Indicies got defined and formatted, we're done here */ + goto done; + } else if (vars_defined ^ control_defined) { + /* This should never happen. Both indices should be defined at the same + * time. Otherwise something seriously went wrong. */ + prlog(PR_ERR, "NV indices defined with unexpected attributes. Assert physical presence to clear\n"); + goto error; + } + + /* Ensure the NV indices were defined with the correct set of attributes */ + rc = secboot_tpm_check_tpmnv_attrs(); + if (rc) + goto error; + + /* TPMNV indices exist, are correct, and weren't just formatted, so read them in */ + rc = tpmnv_ops.read(SECBOOT_TPMNV_VARS_INDEX, + tpmnv_vars_image, + tpmnv_vars_size, 0); + if (rc) { + prlog(PR_ERR, "Failed to read from the VARS index\n"); + goto error; + } + + rc = tpmnv_ops.read(SECBOOT_TPMNV_CONTROL_INDEX, + tpmnv_control_image, + sizeof(struct tpmnv_control), 0); + if (rc) { + prlog(PR_ERR, "Failed to read from the CONTROL index\n"); + goto error; + } + + /* Verify the header information is correct */ + if (tpmnv_vars_image->header.magic_number != SECBOOT_MAGIC_NUMBER || + tpmnv_control_image->header.magic_number != SECBOOT_MAGIC_NUMBER || + tpmnv_vars_image->header.version != SECBOOT_VERSION || + tpmnv_control_image->header.version != SECBOOT_VERSION) { + prlog(PR_ERR, "TPMNV indices defined, but contain bad data. 
Assert physical presence to clear\n"); + goto error; + } + + /* Verify the secboot partition header information, + * reformat if incorrect + * Note: Future variants should attempt to handle older versions safely + */ + if (secboot_image->header.magic_number != SECBOOT_MAGIC_NUMBER || + secboot_image->header.version != SECBOOT_VERSION) { + rc = secboot_format(); + if (rc) + goto error; + } + +done: + return OPAL_SUCCESS; + +error: + free(secboot_image); + secboot_image = NULL; + free(tpmnv_vars_image); + tpmnv_vars_image = NULL; + free(tpmnv_control_image); + tpmnv_control_image = NULL; + + return rc; +} + + +static void secboot_tpm_lock(void) +{ + /* Note: While write lock is called here on the two NV indices, + * both indices are also defined on the platform hierarchy. + * The platform hierarchy auth is set later in the skiboot + * initialization process, and not by any secvar-related code. + */ + int rc; + + rc = tpmnv_ops.writelock(SECBOOT_TPMNV_VARS_INDEX); + if (rc) { + prlog(PR_EMERG, "TSS Write Lock failed on VARS index, halting.\n"); + abort(); + } + + rc = tpmnv_ops.writelock(SECBOOT_TPMNV_CONTROL_INDEX); + if (rc) { + prlog(PR_EMERG, "TSS Write Lock failed on CONTROL index, halting.\n"); + abort(); + } +} + +struct secvar_storage_driver secboot_tpm_driver = { + .load_bank = secboot_tpm_load_bank, + .write_bank = secboot_tpm_write_bank, + .store_init = secboot_tpm_store_init, + .lock = secboot_tpm_lock, + .max_var_size = SECBOOT_TPM_MAX_VAR_SIZE, +}; diff --git a/libstb/secvar/storage/secboot_tpm.h b/libstb/secvar/storage/secboot_tpm.h new file mode 100644 index 00000000..30a747a7 --- /dev/null +++ b/libstb/secvar/storage/secboot_tpm.h 
@@ -0,0 +1,61 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#ifndef _SECBOOT_TPM_H_ +#define _SECBOOT_TPM_H_ + +#include + +#define SECBOOT_VARIABLE_BANK_SIZE 32000 +#define SECBOOT_UPDATE_BANK_SIZE 32000 + +#define SECBOOT_VARIABLE_BANK_NUM 2 + +/* Because mbedtls doesn't define this? */ +#define SHA256_DIGEST_LENGTH 32 + +/* 0x5053424b = "PSBK" or Power Secure Boot Keystore */ +#define SECBOOT_MAGIC_NUMBER 0x5053424b +#define SECBOOT_VERSION 1 + +#define SECBOOT_TPMNV_VARS_INDEX 0x01c10190 +#define SECBOOT_TPMNV_CONTROL_INDEX 0x01c10191 + +struct secboot_header { + uint32_t magic_number; + uint8_t version; + uint8_t reserved[3]; /* Fix alignment */ +} __attribute__((packed)); + +struct secboot { + struct secboot_header header; + char bank[SECBOOT_VARIABLE_BANK_NUM][SECBOOT_VARIABLE_BANK_SIZE]; + char update[SECBOOT_UPDATE_BANK_SIZE]; +} __attribute__((packed)); + +struct tpmnv_vars { + struct secboot_header header; + char vars[0]; +} __attribute__((packed)); + +struct tpmnv_control { + struct secboot_header header; + uint8_t active_bit; + char bank_hash[SECBOOT_VARIABLE_BANK_NUM][SHA256_DIGEST_LENGTH]; +} __attribute__((packed)); + +struct tpmnv_ops_s { + int (*read)(TPMI_RH_NV_INDEX nv, void*, size_t, uint16_t); + int (*write)(TPMI_RH_NV_INDEX nv, void*, size_t, uint16_t); + int (*writelock)(TPMI_RH_NV_INDEX); + int (*definespace)(TPMI_RH_NV_INDEX, uint16_t); + int (*getindices)(TPMI_RH_NV_INDEX**, size_t*); + int (*undefinespace)(TPMI_RH_NV_INDEX); + int (*readpublic)(TPMI_RH_NV_INDEX, TPMS_NV_PUBLIC*, TPM2B_NAME*); +}; + +extern struct tpmnv_ops_s tpmnv_ops; + +extern const uint8_t tpmnv_vars_name[]; +extern const uint8_t tpmnv_control_name[]; + +#endif diff --git a/libstb/secvar/storage/secboot_tpm_public_name.h b/libstb/secvar/storage/secboot_tpm_public_name.h new file mode 100644 index 00000000..d0c7fdc1 --- /dev/null +++ b/libstb/secvar/storage/secboot_tpm_public_name.h 
@@ -0,0 +1,18 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#ifndef _SECBOOT_TPM_PUBLIC_NAME_H_ +#define _SECBOOT_TPM_PUBLIC_NAME_H_ + +const uint8_t tpmnv_vars_name[] = { + 0x00, 0x0b, 0x94, 0x64, 0x36, 0x25, 0xfc, 0xc1, 0x1d, 0xc1, 0x0e, 0x28, 0xe7, + 0xac, 0xaf, 0xc6, 0x08, 0x8e, 0xda, 0x21, 0xd6, 0x43, 0xd2, 0x77, 0xe7, 0x2d, + 0x83, 0x39, 0x0f, 0xa6, 0xdf, 0xc0, 0x59, 0x37, +}; + +const uint8_t tpmnv_control_name[] = { + 0x00, 0x0b, 0xad, 0x47, 0x6b, 0xa5, 0xdf, 0xb1, 0xe2, 0x18, 0x50, 0xf6, 0x05, + 0x67, 0xe8, 0x8b, 0xa9, 0x0f, 0x86, 0x1f, 0x06, 0xab, 0x43, 0x96, 0x7f, 0x6e, + 0x85, 0x33, 0x5b, 0xa6, 0xf0, 0x63, 0x73, 0xd0, +}; + +#endif diff --git a/libstb/secvar/storage/tpmnv_ops.c b/libstb/secvar/storage/tpmnv_ops.c new file mode 100644 index 00000000..d6135c31 --- /dev/null +++ b/libstb/secvar/storage/tpmnv_ops.c 
@@ -0,0 +1,15 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#include +#include "secboot_tpm.h" + +struct tpmnv_ops_s tpmnv_ops = { + .read = tss_nv_read, + .write = tss_nv_write, + .writelock = tss_nv_write_lock, + .definespace = tss_nv_define_space, + .getindices = tss_get_defined_nv_indices, + .undefinespace = tss_nv_undefine_space, + .readpublic = tss_nv_read_public, +}; + From patchwork Mon May 11 21:31:46 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288089 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ4H4hQpz9sRK for ; Tue, 12 May 2020 07:35:59 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ4H3flczDr28 for ; Tue, 12 May 2020 07:35:59 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzw3QDjzDqgN for ; Tue, 12 May 2020 07:32:12 +1000 
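Review bot: in the secboot_tpm.c hunk, two error paths in secboot_tpm_store_init() jump to `error:` without setting rc, so the function frees all three images and still returns OPAL_SUCCESS: the `vars_defined ^ control_defined` branch ("NV indices defined with unexpected attributes. Assert physical presence to clear") and the magic/version check ("TPMNV indices defined, but contain bad data"). At both points rc still holds 0 from the preceding successful call, so the caller sees a successful init with `secboot_image`, `tpmnv_vars_image` and `tpmnv_control_image` all NULL and the next `.load_bank()` dereferences them; set an explicit code (OPAL_RESOURCE or OPAL_INTERNAL_ERROR) before each of those `goto error`. Further points in the same hunk: (1) calc_bank_hash() never calls mbedtls_sha256_starts_ret() between mbedtls_sha256_init() and mbedtls_sha256_update_ret(); init only clears the context and starts_ret is what loads the SHA-256 initial state, so the digest written to the CONTROL index is not a standard SHA-256 of the bank and no external tool recomputing it will match. In the same function the line `mbedtls_sha256_finish_ret(&ctx, target_hash);` drops the return value, so the `if (rc) goto out;` after it can never fire. (2) secboot_load_from_pnor() casts `src` to `struct secvar *` and then does `memcpy(tmp->var, src, sizeof(struct secvar) + hdr->data_size)` without checking that either the header or the payload fits before `source + max_size`; data_size is bounded only by SECBOOT_TPM_MAX_VAR_SIZE (8192), so a header in the last bytes of a 32000-byte bank reads up to 8 KB past it, and for the update bank, which this hunk loads from PNOR with no hash check, that runs off the end of `secboot_image`. secboot_tpm_load_from_tpmnv() already has the equivalent `(end - cur) < ...` check; mirror it here. (3) `active_bit` is read from the CONTROL index and used directly to index `bank[]` and `bank_hash[]` (CYCLE_BIT only flips bit 0), but the header check in store_init validates only magic and version; add `tpmnv_control_image->active_bit < SECBOOT_VARIABLE_BANK_NUM` to that check. (4) The two zalloc() failures in store_init `return OPAL_NO_MEM` directly instead of `goto error`, which leaks `secboot_image` and, because of the `if (secboot_image) return OPAL_SUCCESS;` guard at the top, makes any retry of store_init report success with NULL tpmnv images. Minor: the hash-mismatch path in secboot_tpm_load_variable_bank() returns OPAL_PERMISSION silently, and a PR_ERR log there is the one place an operator would learn that the PNOR bank was modified; secboot_format() uses SHA256_DIGEST_SIZE, which this series defines nowhere visible, while every other site uses SHA256_DIGEST_LENGTH from secboot_tpm.h; "indicies" in two log strings.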
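Review bot: in the secboot_tpm.h hunk, `char vars[0];` in struct tpmnv_vars is the GNU zero-length array; the C99 flexible array member `char vars[];` expresses the same layout portably and lets the compiler diagnose misuse, and the `tpmnv_vars_size - sizeof(struct tpmnv_vars)` arithmetic in secboot_tpm_write_variable_bank is unaffected by the change. The header is also the natural place to document which TPMA_NV attribute set, authPolicy and data sizes the driver expects for SECBOOT_TPMNV_VARS_INDEX and SECBOOT_TPMNV_CONTROL_INDEX, since secboot_tpm_check_tpmnv_attrs() rejects any index whose Name differs and nothing in the series states the expectation in words. Minor: `definespace` takes a `uint16_t` size while the callers pass `tpmnv_vars_size` (a size_t) and `sizeof(struct tpmnv_control)`; a size_t parameter or an explicit range check avoids silent truncation if the VARS size is ever raised.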
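Review bot: the secboot_tpm_public_name.h hunk defines `const uint8_t tpmnv_vars_name[]` and `tpmnv_control_name[]` with external linkage inside a header while secboot_tpm.h declares them `extern`, so any second translation unit that includes the public-name header produces duplicate definitions; move the definitions into a .c file (tpmnv_ops.c is a candidate) or make them `static` and drop the `extern` declarations. More important for maintenance: the hunk gives no record of how the two 34-byte Names (0x000b, i.e. TPM_ALG_SHA256, followed by the 32-byte digest of the NV public area) were produced, that is, the exact attribute set, authPolicy and dataSize used when the indices were defined. The Name changes whenever any of those change, and the only symptom would be secboot_tpm_check_tpmnv_attrs() returning OPAL_RESOURCE, so please add the generation command or script and the attribute list as a comment next to the constants so they can be regenerated rather than copied.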
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:46 -0500 Message-Id: <20200511213152.24952-13-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 priorityscore=1501 mlxscore=0 clxscore=1015 lowpriorityscore=0 spamscore=0 suspectscore=1 mlxlogscore=999 malwarescore=0 impostorscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 12/18] secvar/storage/fakenv: add fake tpm operations for testing X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" The secboot_tpm storage driver heavily relies on the TPM to ensure data integrity, which makes it difficult to test in userspace or on hardware without a TPM. This patch adds a bunch of functions that implement the tssskiboot interface, and simulates the expected TPM behavior utilizing PNOR space instead. THIS IS NOT INTENDED FOR PRODUCTION USE. Signed-off-by: Eric Richter --- libstb/secvar/storage/Makefile.inc | 3 + libstb/secvar/storage/fakenv_ops.c | 175 +++++++++++++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 libstb/secvar/storage/fakenv_ops.c diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index 35fba723..99f7b073 100644 --- a/libstb/secvar/storage/Makefile.inc 
+++ b/libstb/secvar/storage/Makefile.inc @@ -5,8 +5,11 @@ SECVAR_STORAGE_DIR = $(SRC)/libstb/secvar/storage SUBDIRS += $(SECVAR_STORAGE_DIR) +# Swap the comment on these two lines to use the fake TPM NV +# implementation hardware without a TPM SECVAR_STORAGE_SRCS = secboot_tpm.c tpmnv_ops.c #SECVAR_STORAGE_SRCS = secboot_tpm.c fakenv_ops.c + SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a diff --git a/libstb/secvar/storage/fakenv_ops.c b/libstb/secvar/storage/fakenv_ops.c new file mode 100644 index 00000000..4e341536 --- /dev/null +++ b/libstb/secvar/storage/fakenv_ops.c 
@@ -0,0 +1,175 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#include +#include "secboot_tpm.h" + +/* Offset into the SECBOOT PNOR partition to write "TPMNV" data */ +static size_t fakenv_offset = sizeof(struct secboot); + +struct fake_tpmnv { + struct { + struct secboot_header header; + char vars[1024]; // Hardcode the size to 1024 for now + } vars; + struct tpmnv_control control; + int defined[2]; +} __attribute__((packed)); + +static struct fake_tpmnv fakenv = {0}; +static int tpm_ready = 0; + + +static inline void *nv_index_address(int index) +{ + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + return &fakenv.vars; + case SECBOOT_TPMNV_CONTROL_INDEX: + return &fakenv.control; + default: + return 0; + } +} + + +static int tpm_init(void) +{ + int rc; + + if (tpm_ready) + return 0; + + rc = platform.secboot_read(&fakenv, fakenv_offset, sizeof(struct fake_tpmnv)); + if (rc) + return rc; + + tpm_ready = 1; + + return 0; +} + +static int fakenv_read(TPMI_RH_NV_INDEX nvIndex, void *buf, + size_t bufsize, uint16_t off) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + memcpy(buf, nv_index_address(nvIndex) + off, bufsize); + + return 0; +} + +static int fakenv_write(TPMI_RH_NV_INDEX nvIndex, void *buf, + size_t bufsize, uint16_t off) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + memcpy(nv_index_address(nvIndex) + off, buf, bufsize); + + /* Just write the whole NV struct for now */ + return platform.secboot_write(fakenv_offset, &fakenv, sizeof(struct fake_tpmnv)); +} + +static int fakenv_definespace(TPMI_RH_NV_INDEX nvIndex, uint16_t dataSize) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + (void) dataSize; + + switch (nvIndex) { + case SECBOOT_TPMNV_VARS_INDEX: + fakenv.defined[0] = 1; + return 0; + case SECBOOT_TPMNV_CONTROL_INDEX: + fakenv.defined[1] = 1; + return 0; + } + + return OPAL_INTERNAL_ERROR; +} + +static int fakenv_writelock(TPMI_RH_NV_INDEX nvIndex) +{ + if (tpm_init()) + return 
OPAL_INTERNAL_ERROR; + + (void) nvIndex; + + return 0; +} + +static int fakenv_get_defined_indices(TPMI_RH_NV_INDEX **indices, size_t *count) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + *indices = zalloc(sizeof(fakenv.defined)); + if (*indices == NULL) + return OPAL_NO_MEM; + + *count = 0; + + if (fakenv.defined[0]) { + *indices[0] = SECBOOT_TPMNV_VARS_INDEX; + (*count)++; + } + if (fakenv.defined[1]) { + *indices[1] = SECBOOT_TPMNV_CONTROL_INDEX; + (*count)++; + } + + return 0; +} + +static int fakenv_undefinespace(TPMI_RH_NV_INDEX index) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + fakenv.defined[0] = 0; + memset(&fakenv.vars, 0, sizeof(fakenv.vars)); + return 0; + case SECBOOT_TPMNV_CONTROL_INDEX: + fakenv.defined[1] = 0; + memset(&fakenv.control, 0, sizeof(fakenv.control)); + return 0; + } + + return -1; +} + +static int fakenv_readpublic(TPMI_RH_NV_INDEX index, TPMS_NV_PUBLIC *nv_public, + TPM2B_NAME *nv_name) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + (void) nv_public; + + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME)); + break; + case SECBOOT_TPMNV_CONTROL_INDEX: + memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME)); + break; + default: + return OPAL_INTERNAL_ERROR; + } + + return 0; +} + +struct tpmnv_ops_s tpmnv_ops = { + .read = fakenv_read, + .write = fakenv_write, + .writelock = fakenv_writelock, + .definespace = fakenv_definespace, + .getindices = fakenv_get_defined_indices, + .undefinespace = fakenv_undefinespace, + .readpublic = fakenv_readpublic, +}; From patchwork Mon May 11 21:31:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288091 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org 
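Review bot: in the Makefile.inc hunk, selecting the fake TPM NV backend by swapping the comment on two lines ("Swap the comment on these two lines to use the fake TPM NV implementation hardware without a TPM", which is also missing an "on") makes it too easy to produce a firmware image whose secvar bank hashes are anchored in PNOR rather than in the TPM, with nothing in the build output or the image itself to show it. Since the commit message states THIS IS NOT INTENDED FOR PRODUCTION USE, gate the choice behind an explicit make variable instead, for example `SECVAR_STORAGE_SRCS = secboot_tpm.c $(if $(SECVAR_FAKE_TPMNV),fakenv_ops.c,tpmnv_ops.c)` (variable name hypothetical), and have the build print a visible warning when it is set, so that using the fake backend is both deliberate and auditable.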
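Review bot: in the fakenv_ops.c hunk, fakenv_get_defined_indices() writes `*indices[1] = SECBOOT_TPMNV_CONTROL_INDEX;`, which parses as `*(indices[1])` and so dereferences the pointer that follows `indices` on the caller's stack rather than the second element of the array just allocated; `*indices[0]` only works because `*(indices[0])` and `(*indices)[0]` happen to coincide. It should be `(*indices)[*count] = ...` before the increment; as written, with only CONTROL defined the caller's `for (i = 0; i < count; i++)` loop sees a zeroed slot 0, never sets control_defined, and the `vars_defined ^ control_defined` path in store_init can never be exercised by the tests. Other points in this hunk: fakenv_readpublic() copies `sizeof(TPM2B_NAME)` bytes out of the 34-byte `tpmnv_vars_name`/`tpmnv_control_name` arrays, an over-read of the constants, and never sets `nv_name->t.size`; use `sizeof(tpmnv_vars_name)` and set the size field. fakenv_read() and fakenv_write() compute `nv_index_address(nvIndex) + off` with no check that `off + bufsize` stays inside the index and no check for the NULL the helper returns on an unknown index, so a driver bug becomes a memcpy at address `off` instead of a failed test; return OPAL_PARAMETER in both cases. fakenv_writelock() is a no-op, so no test can detect a write after `.lock()`; a per-index locked flag checked in fakenv_write() would give the tests that coverage. Minor: fakenv_undefinespace() returns -1 where every other path returns an OPAL_* code, and the fake NV is persisted at `fakenv_offset = sizeof(struct secboot)` while store_init only checks `sizeof(struct secboot) > secboot_size`, so a partition sized exactly for struct secboot has no room for it.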
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:47 -0500 Message-Id: <20200511213152.24952-14-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 phishscore=0 impostorscore=0 mlxscore=0 suspectscore=3 lowpriorityscore=0 adultscore=0 mlxlogscore=999 spamscore=0 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 13/18] secvar/test: add secboot_tpm storage driver test cases X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This patch adds some simple unit cases to exercise the storage driver, using the fake TPM NV implementation. Signed-off-by: Eric Richter --- libstb/secvar/test/Makefile.check | 4 +- libstb/secvar/test/secvar-test-secboot-tpm.c | 163 +++++++++++++++++++ 2 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c diff --git a/libstb/secvar/test/Makefile.check b/libstb/secvar/test/Makefile.check index b41eaf48..5999b2a9 100644 --- a/libstb/secvar/test/Makefile.check +++ b/libstb/secvar/test/Makefile.check 
@@ -5,7 +5,9 @@ SECVAR_TEST_DIR = libstb/secvar/test SECVAR_TEST = $(patsubst %.c, %, $(wildcard $(SECVAR_TEST_DIR)/secvar-test-*.c)) -HOSTCFLAGS+=-I . -I include +HOSTCFLAGS+=-I . -I include -I libstb/tss2 -I libstb/tss2/ibmtpm20tss/utils +# Needed because x86 and POWER disagree on the type for uint64_t, causes printf issues +HOSTCFLAGS+= -Wno-format .PHONY : secvar-check secvar-check: $(SECVAR_TEST:%=%-check) $(SECVAR_TEST:%=%-gcov-run) diff --git a/libstb/secvar/test/secvar-test-secboot-tpm.c b/libstb/secvar/test/secvar-test-secboot-tpm.c new file mode 100644 index 00000000..6b202a54 --- /dev/null +++ b/libstb/secvar/test/secvar-test-secboot-tpm.c 
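Review bot: `HOSTCFLAGS+= -Wno-format` silences -Wformat for every secvar host test, not only the one whose printf trips over the uint64_t type difference, so a genuine format-string mismatch anywhere in the test harness would now go unreported; the portable fix is to print the value with the PRIu64/PRIx64 macros from <inttypes.h> (or cast to unsigned long long and use %llu) and drop the flag. If the suppression has to stay, scope it to the offending file with a per-target CFLAGS entry rather than the shared HOSTCFLAGS.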
@@ -0,0 +1,163 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#define TPM_SKIBOOT +#include "secvar_common_test.c" +#include "../storage/secboot_tpm.c" +#include "../storage/fakenv_ops.c" +#include "../../crypto/mbedtls/library/sha256.c" +#include "../../crypto/mbedtls/library/platform_util.c" +#include "../secvar_util.c" + +char *secboot_buffer; + +#define ARBITRARY_SECBOOT_SIZE 128000 + +const char *secvar_test_name = "secboot_tpm"; + +static int secboot_read(void *dst, uint32_t src, uint32_t len) +{ + memcpy(dst, secboot_buffer + src, len); + return 0; +} + +static int secboot_write(uint32_t dst, void *src, uint32_t len) +{ + memcpy(secboot_buffer + dst, src, len); + return 0; +} + +static int secboot_info(uint32_t *total_size) +{ + *total_size = ARBITRARY_SECBOOT_SIZE; + return 0; +} + +/* Toggle this to test the physical presence resetting */ +bool phys_presence = false; +bool secvar_check_physical_presence(void) +{ + return phys_presence; +} + +struct platform platform; + +int run_test(void) +{ + int rc; + struct secvar_node *tmp; + + platform.secboot_read = secboot_read; + platform.secboot_write = secboot_write; + platform.secboot_info = secboot_info; + + secboot_buffer = zalloc(ARBITRARY_SECBOOT_SIZE); + + // Initialize and format the storage + rc = secboot_tpm_store_init(); + ASSERT(OPAL_SUCCESS == rc); + + // Load the just-formatted empty section + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(0 == list_length(&variable_bank)); + + // Add some test variables + tmp = alloc_secvar(8); + tmp->var->key_len = 5; + memcpy(tmp->var->key, "test", 5); + tmp->var->data_size = 8; + memcpy(tmp->var->data, "testdata", 8); + list_add_tail(&variable_bank, &tmp->link); + + tmp = alloc_secvar(8); + tmp->var->key_len = 4; + memcpy(tmp->var->key, "foo", 4); + tmp->var->data_size = 8; + memcpy(tmp->var->data, "moredata", 8); + list_add_tail(&variable_bank, &tmp->link); 
+ + // Add a priority variable, ensure that works + tmp = alloc_secvar(4); + tmp->var->key_len = 9; + memcpy(tmp->var->key, "priority", 9); + tmp->var->data_size = 4; + memcpy(tmp->var->data, "meep", 4); + tmp->flags |= SECVAR_FLAG_PROTECTED; + list_add_tail(&variable_bank, &tmp->link); + + // Add another one + tmp = alloc_secvar(4); + tmp->var->key_len = 10; + memcpy(tmp->var->key, "priority2", 9); + tmp->var->data_size = 4; + memcpy(tmp->var->data, "meep", 4); + tmp->flags |= SECVAR_FLAG_PROTECTED; + list_add_tail(&variable_bank, &tmp->link); + + // Write the bank + rc = secboot_tpm_write_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + // should write to bank 1 first + ASSERT(secboot_image->bank[1][0] != 0); + ASSERT(secboot_image->bank[0][0] == 0); + + // Clear the variable list + clear_bank_list(&variable_bank); + ASSERT(0 == list_length(&variable_bank)); + + // Load the bank + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(4 == list_length(&variable_bank)); + + // Change a variable + tmp = list_tail(&variable_bank, struct secvar_node, link); + memcpy(tmp->var->data, "somethin", 8); + + // Write the bank + rc = secboot_tpm_write_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(OPAL_SUCCESS == rc); + // should have data in both now + ASSERT(secboot_image->bank[0][0] != 0); + ASSERT(secboot_image->bank[1][0] != 0); + + clear_bank_list(&variable_bank); + + // Tamper with pnor, hash check should catch this + secboot_image->bank[0][0] = ~secboot_image->bank[0][0]; + + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(rc != OPAL_SUCCESS); // TODO: permission? + + // Fix it back... 
+ secboot_image->bank[0][0] = ~secboot_image->bank[0][0]; + + // Should be ok again + rc = secboot_tpm_load_bank(&variable_bank, SECVAR_VARIABLE_BANK); + ASSERT(rc == OPAL_SUCCESS); + + clear_bank_list(&variable_bank); + free(secboot_buffer); + + return 0; +} + +int main(void) +{ + int rc = 0; + + list_head_init(&variable_bank); + + rc = run_test(); + + if (rc) + printf(COLOR_RED "FAILED" COLOR_RESET "\n"); + else + printf(COLOR_GREEN "OK" COLOR_RESET "\n"); + + free(tpmnv_vars_image); + free(tpmnv_control_image); + free(secboot_image); + + return rc; +} From patchwork Mon May 11 21:31:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288092 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ5S247Gz9sRK for ; Tue, 12 May 2020 07:37:00 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ5S06dRzDr6q for ; Tue, 12 May 2020 07:37:00 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) 
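Review bot: in the second protected-variable block, `tmp->var->key_len = 10;` is paired with `memcpy(tmp->var->key, "priority2", 9);`, so the declared key length covers one byte that was never copied, whereas every other entry copies exactly key_len bytes including the terminator (key_len 9 with "priority", key_len 5 with "test"); copy 10 bytes so the stored key matches its length and the round trip through the bank compares what was intended. Two coverage gaps as well: `phys_presence` is declared with the comment "Toggle this to test the physical presence resetting" but run_test never sets it, so the reset path is not exercised; and the tamper check `ASSERT(rc != OPAL_SUCCESS); // TODO: permission?` accepts any failure, so asserting the specific error code the driver returns on a hash mismatch would stop an unrelated failure (allocation, NV read) from passing the test.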
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:48 -0500 Message-Id: <20200511213152.24952-15-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=999 impostorscore=0 adultscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 spamscore=0 bulkscore=0 suspectscore=3 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110152 Subject: [Skiboot] [RFC PATCH v4 14/18] secvar/storage: add utility tool to generate NV public name hashes X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This patch adds a small userspace utility to locally generate the expected hash returned by a TSS_NV_ReadPublic command for the NV indices as defined by the secboot_tpm storage driver. This removes the need for manually copying in the hash from the ReadPublic output if for some reason the set of attributes used when defining the NV indices changes in the future. As this is an auxiliary tool, it is not built by default and must be manually built using `make gen_tpmnv_public_name`. This patch has been marked as RFC as it is a draft implementation that I'm looking for feedback on whether it is worth keeping in-tree, and if so, what a more proper integration should look like. 
Signed-off-by: Eric Richter --- libstb/secvar/storage/Makefile.inc | 3 + libstb/secvar/storage/gen_tpmnv_public_name.c | 107 ++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index 99f7b073..dc5353ff 100644 --- a/libstb/secvar/storage/Makefile.inc +++ b/libstb/secvar/storage/Makefile.inc @@ -14,3 +14,6 @@ SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a $(SECVAR_STORAGE): $(SECVAR_STORAGE_OBJS:%=$(SECVAR_STORAGE_DIR)/%) + +gen_tpmnv_public_name: $@ + gcc -o $@ $(SECVAR_STORAGE_DIR)/$@.c -I $(SRC)/libstb/tss2/ibmtpm20tss/utils/ -lmbedcrypto diff --git a/libstb/secvar/storage/gen_tpmnv_public_name.c b/libstb/secvar/storage/gen_tpmnv_public_name.c new file mode 100644 index 00000000..bfeb9743 --- /dev/null +++ b/libstb/secvar/storage/gen_tpmnv_public_name.c 
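Review bot: `gen_tpmnv_public_name: $@` does not declare the dependency it appears to: automatic variables such as $@ are not set while a prerequisite list is expanded (only inside recipes, or with secondary expansion as $$@), so the target ends up with no prerequisite and will not rebuild when gen_tpmnv_public_name.c changes; name the source explicitly, e.g. `gen_tpmnv_public_name: $(SECVAR_STORAGE_DIR)/gen_tpmnv_public_name.c`. The recipe also hard-codes `gcc`; the host tests already build with HOSTCFLAGS, so the matching host compiler variable would keep this tool consistent with the rest of the tree.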
@@ -0,0 +1,107 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +#define TPM_TPM20 +#include "../../tss2/ibmtpm20tss/utils/tssmarshal.c" +#include "../../tss2/ibmtpm20tss/utils/Unmarshal.c" + +#define zalloc(a) calloc(1,a) +// Silence linking complaints +int verbose; + +#define COPYRIGHT_YEAR "2020" + + +TPMS_NV_PUBLIC vars = { + .nvIndex = 0x01c10190, + .nameAlg = TPM_ALG_SHA256, + .dataSize = 1024, + .attributes.val = TPMA_NVA_PPWRITE | + TPMA_NVA_ORDINARY | + TPMA_NVA_WRITE_STCLEAR | + TPMA_NVA_AUTHREAD | + TPMA_NVA_NO_DA | + TPMA_NVA_WRITTEN | + TPMA_NVA_PLATFORMCREATE, +}; + +TPMS_NV_PUBLIC control = { + .nvIndex = 0x01c10191, + .nameAlg = TPM_ALG_SHA256, + .dataSize = 73, + .attributes.val = TPMA_NVA_PPWRITE | + TPMA_NVA_ORDINARY | + TPMA_NVA_WRITE_STCLEAR | + TPMA_NVA_AUTHREAD | + TPMA_NVA_NO_DA | + TPMA_NVA_WRITTEN | + TPMA_NVA_PLATFORMCREATE, +}; + +int calc_hash(TPMS_NV_PUBLIC *public, char *name) +{ + uint16_t written = 0; + uint32_t size = 4096; + unsigned char *buffer = zalloc(size); + unsigned char *buffer_tmp = buffer; + char output[34]; + mbedtls_sha256_context cxt; + int ret = 0; + int i; + + // Output hash includes the hash algorithm in the first two bytes + *((uint16_t *) output) = htons(public->nameAlg); + + // Serialize the NV Public struct + ret = TSS_TPMS_NV_PUBLIC_Marshalu(public, &written, &buffer_tmp, &size); + if (ret) return ret; + + // Hash it + mbedtls_sha256_init(&cxt); + ret = mbedtls_sha256_starts_ret(&cxt, 0); + if (ret) return ret; + + ret = mbedtls_sha256_update_ret(&cxt, buffer, written); + if (ret) return ret; + + mbedtls_sha256_finish_ret(&cxt, output+2); + mbedtls_sha256_free(&cxt); + + free(buffer); + + // Print it + printf("\nconst uint8_t tpmnv_%s_name[] = {", name); + for (i = 0; i < sizeof(output); i++) { + if (!(i % 13)) + printf("\n\t"); + printf("0x%02x, ", output[i] & 0xff); + } + printf("\n};\n"); + + return 0; +} + + +int main() +{ + printf("// SPDX-License-Identifier: Apache-2.0 
OR GPL-2.0-or-later\n"); + printf("/* Copyright " COPYRIGHT_YEAR " IBM Corp. */\n"); + + printf("#ifndef _SECBOOT_TPM_PUBLIC_NAME_H_\n"); + printf("#define _SECBOOT_TPM_PUBLIC_NAME_H_\n"); + + calc_hash(&vars, "vars"); + calc_hash(&control, "control"); + + printf("\n"); + printf("#endif\n"); + + return 0; +} + From patchwork Mon May 11 21:31:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288093 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ5w5kLSz9sRf for ; Tue, 12 May 2020 07:37:24 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ5w2ZmdzDrBg for ; Tue, 12 May 2020 07:37:24 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzz3D1GzDqjY for ; Tue, 12 May 2020 07:32:15 +1000 (AEST) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com 
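Review bot: main() ignores the return value of both calc_hash() calls, so a failing TSS_TPMS_NV_PUBLIC_Marshalu or hash step (calc_hash returns before the printf in that case) still yields a header that compiles, just without one of the tpmnv_*_name arrays; propagate the code and exit non-zero so the breakage is noticed at build time. Within calc_hash, mbedtls_sha256_finish_ret is the only call whose return is not checked, and `buffer` leaks on each early return. The generated header would also benefit from a comment that, because TPMA_NVA_WRITTEN is part of the hashed attributes, the name computed here only matches an index that has been written at least once; a freshly defined but unwritten index reports a different name from TSS_NV_ReadPublic.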
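The name computation the commit message describes, as an added example that is not part of this patch or of the skiboot tree: it re-derives the 34-byte Name that TSS_NV_ReadPublic reports for the two secboot_tpm indices, using hashlib and struct in place of the IBM TSS marshalling so the result can be compared with the generator's output. The TPMS_NV_PUBLIC field order and the TPMA_NV bit positions are taken from TPM 2.0 Library Part 2; the authPolicy parameter and the c_array helper go beyond the tool, which assumes an empty policy.

```python
"""Re-derive a TPM 2.0 NV index Name for the secboot_tpm indices.

Layout per TPM 2.0 Part 2 (assumed here, not taken from the patch):
  TPMS_NV_PUBLIC = nvIndex(u32) || nameAlg(u16) || attributes(u32)
                   || authPolicy(TPM2B: u16 size + bytes) || dataSize(u16)
  Name           = nameAlg(u16) || H_nameAlg(marshalled TPMS_NV_PUBLIC)
All integers are big-endian, as the TSS marshalling routines emit them.
"""
import hashlib
import struct

# TPM 2.0 Part 2 constants (TPM_ALG_ID value and TPMA_NV bit positions)
TPM_ALG_SHA256 = 0x000B
TPMA_NV_PPWRITE = 1 << 0
TPMA_NV_ORDINARY = 0 << 4          # TPM_NT_ORDINARY occupies bits 7:4
TPMA_NV_WRITE_STCLEAR = 1 << 14
TPMA_NV_AUTHREAD = 1 << 18
TPMA_NV_NO_DA = 1 << 25
TPMA_NV_WRITTEN = 1 << 29
TPMA_NV_PLATFORMCREATE = 1 << 30

# The attribute set the generator defines for both indices
SECBOOT_NV_ATTRS = (TPMA_NV_PPWRITE | TPMA_NV_ORDINARY | TPMA_NV_WRITE_STCLEAR
                    | TPMA_NV_AUTHREAD | TPMA_NV_NO_DA | TPMA_NV_WRITTEN
                    | TPMA_NV_PLATFORMCREATE)

# nameAlg -> hash constructor; only SHA-256 is needed for secboot_tpm
HASH_FOR_ALG = {TPM_ALG_SHA256: hashlib.sha256}


def marshal_nv_public(nv_index, name_alg, attributes, data_size, auth_policy=b""):
    """Serialize TPMS_NV_PUBLIC the way TSS_TPMS_NV_PUBLIC_Marshalu does."""
    if not 0 <= data_size <= 0xFFFF:
        raise ValueError("dataSize must fit in a UINT16")
    return (struct.pack(">IHI", nv_index, name_alg, attributes)
            + struct.pack(">H", len(auth_policy)) + auth_policy
            + struct.pack(">H", data_size))


def nv_public_name(nv_index, name_alg, attributes, data_size, auth_policy=b""):
    """Name = 2-byte algorithm id followed by the digest of the public area."""
    if name_alg not in HASH_FOR_ALG:
        raise ValueError("unsupported nameAlg 0x%04x" % name_alg)
    public = marshal_nv_public(nv_index, name_alg, attributes, data_size,
                               auth_policy)
    return struct.pack(">H", name_alg) + HASH_FOR_ALG[name_alg](public).digest()


def secboot_names():
    """Names of the two indices from the patch: vars (1024 bytes), control (73)."""
    return {
        "vars": nv_public_name(0x01C10190, TPM_ALG_SHA256, SECBOOT_NV_ATTRS, 1024),
        "control": nv_public_name(0x01C10191, TPM_ALG_SHA256, SECBOOT_NV_ATTRS, 73),
    }


def c_array(label, name):
    """Render a Name as the C initializer the generator prints (helper of this example)."""
    body = ", ".join("0x%02x" % b for b in name)
    return "const uint8_t tpmnv_%s_name[] = { %s };" % (label, body)


if __name__ == "__main__":
    for label, name in secboot_names().items():
        print(c_array(label, name))
```

Because TPMA_NV_WRITTEN is hashed along with the other attributes, the Name of an index changes after its first write; the driver's expected value therefore only matches a written index.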
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:49 -0500 Message-Id: <20200511213152.24952-16-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 suspectscore=0 phishscore=0 spamscore=0 impostorscore=0 malwarescore=0 mlxlogscore=999 lowpriorityscore=0 bulkscore=0 adultscore=0 priorityscore=1501 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 15/18] crypto: add out-of-tree mbedtls pkcs7 parser X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" From: Nayna Jain This patch adds a pkcs7 parser for mbedtls that hasn't yet gone upstream. Once/if that implementation is accepted, this patch can be removed. Signed-off-by: Nayna Jain Signed-off-by: Eric Richter --- libstb/crypto/Makefile.inc | 4 +- libstb/crypto/mbedtls-config.h | 1 + libstb/crypto/pkcs7/Makefile.inc | 12 + libstb/crypto/pkcs7/pkcs7.c | 508 +++++++++++++++++++++++++++++++ libstb/crypto/pkcs7/pkcs7.h | 151 +++++++++ 5 files changed, 675 insertions(+), 1 deletion(-) create mode 100644 libstb/crypto/pkcs7/Makefile.inc create mode 100644 libstb/crypto/pkcs7/pkcs7.c create mode 100644 libstb/crypto/pkcs7/pkcs7.h diff --git a/libstb/crypto/Makefile.inc b/libstb/crypto/Makefile.inc index 42b5d8b9..ed2387e3 100644 --- a/libstb/crypto/Makefile.inc 
+++ b/libstb/crypto/Makefile.inc @@ -42,6 +42,8 @@ MBEDTLS_SRCS = $(addprefix mbedtls/library/,$(MBED_CRYPTO_SRCS) $(MBED_X509_SRCS MBEDTLS_OBJS = $(MBEDTLS_SRCS:%.c=%.o) +include $(CRYPTO_DIR)/pkcs7/Makefile.inc + CRYPTO = $(CRYPTO_DIR)/built-in.a -$(CRYPTO): $(MBEDTLS_OBJS:%=$(CRYPTO_DIR)/%) +$(CRYPTO): $(MBEDTLS_OBJS:%=$(CRYPTO_DIR)/%) $(PKCS7) diff --git a/libstb/crypto/mbedtls-config.h b/libstb/crypto/mbedtls-config.h index 414bbfd8..b1952aef 100644 --- a/libstb/crypto/mbedtls-config.h +++ b/libstb/crypto/mbedtls-config.h @@ -72,6 +72,7 @@ //#define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PKCS7_USE_C //#define MBEDTLS_PK_WRITE_C #define MBEDTLS_PLATFORM_C #define MBEDTLS_RSA_C diff --git a/libstb/crypto/pkcs7/Makefile.inc b/libstb/crypto/pkcs7/Makefile.inc new file mode 100644 index 00000000..bef339b5 --- /dev/null +++ b/libstb/crypto/pkcs7/Makefile.inc @@ -0,0 +1,12 @@ + +PKCS7_DIR = libstb/crypto/pkcs7 + +SUBDIRS += $(PKCS7_DIR) + +PKCS7_SRCS = pkcs7.c +PKCS7_OBJS = $(PKCS7_SRCS:%.c=%.o) +PKCS7 = $(PKCS7_DIR)/built-in.a + +CFLAGS_$(PKCS7_DIR)/ = -I$(SRC)/$(LIBSTB_DIR)/crypto -DMBEDTLS_CONFIG_FILE='' + +$(PKCS7): $(PKCS7_OBJS:%=$(PKCS7_DIR)/%) diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c new file mode 100644 index 00000000..f8097720 --- /dev/null +++ b/libstb/crypto/pkcs7/pkcs7.c 
@@ -0,0 +1,508 @@ +/* Copyright 2019 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif +#if defined(MBEDTLS_PKCS7_USE_C) + +#include "mbedtls/x509.h" +#include "mbedtls/asn1.h" +#include "pkcs7.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" + +#include +#include +#include +#if defined(MBEDTLS_FS_IO) +#include +#include +#endif +#include + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#include "mbedtls/platform_util.h" +#else +#include +#include +#define mbedtls_free free +#define mbedtls_calloc calloc +#define mbedtls_printf printf +#define mbedtls_snprintf snprintf +#endif + +#if defined(MBEDTLS_HAVE_TIME) +#include "mbedtls/platform_time.h" +#endif +#if defined(MBEDTLS_HAVE_TIME_DATE) +#include +#endif + +#if defined(MBEDTLS_FS_IO) +/* + * Load all data from a file into a given buffer. + * + * The file is expected to contain DER encoded data. + * A terminating null byte is always appended. 
+ */ + +int mbedtls_pkcs7_load_file( const char *path, unsigned char **buf, size_t *n ) +{ + FILE *file; + struct stat st; + int rc; + + rc = stat( path, &st ); + if ( rc ) + return ( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + + if( ( file = fopen( path, "rb" ) ) == NULL ) + return ( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + + mbedtls_printf( "file size is %lu\n", st.st_size ); + + *n = (size_t) st.st_size; + + *buf = mbedtls_calloc( 1, *n + 1 ); + if ( *buf == NULL ) + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + + if( fread( *buf, 1, *n, file ) != *n ) + { + fclose( file ); + + mbedtls_platform_zeroize( *buf, *n + 1 ); + mbedtls_free( *buf ); + + return( MBEDTLS_ERR_PKCS7_FILE_IO_ERROR ); + } + + fclose( file ); + + (*buf)[*n] = '\0'; + + return( 0 ); +} +#endif + +/** + * Initializes the pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) +{ + memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); +} + + +static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, size_t *len ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + return ( 0 ); +} + +/** + * version Version + * Version ::= INTEGER + **/ +static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_VERSION + ret ); + + return ( 0 ); +} + +/** + * ContentInfo ::= SEQUENCE { + * contentType ContentType, + * content + * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + **/ +static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *pkcs7 ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret ) + return ( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + ret = mbedtls_asn1_get_tag( p, 
end, &len, MBEDTLS_ASN1_OID ); + if ( ret ) + return ( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + pkcs7->tag = MBEDTLS_ASN1_OID; + pkcs7->len = len; + pkcs7->p = *p; + + return ret; +} + +/** + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * + * This is from x509.h + **/ +static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, mbedtls_x509_buf *alg ) +{ + int ret; + + if ( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + return ( 0 ); +} + +/** + * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier + **/ +static int pkcs7_get_digest_algorithm_set( unsigned char **p, unsigned char *end, + mbedtls_x509_buf *alg ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + end = *p + len; + + /** For now, it assumes there is only one digest algorithm specified **/ + ret = mbedtls_asn1_get_alg_null( p, end, alg ); + if ( ret ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + return ( 0 ); +} + +/** + * certificates :: SET OF ExtendedCertificateOrCertificate, + * ExtendedCertificateOrCertificate ::= CHOICE { + * certificate Certificate -- x509, + * extendedCertificate[0] IMPLICIT ExtendedCertificate } + **/ +static int pkcs7_get_certificates( unsigned char **buf, size_t buflen, + mbedtls_x509_crt *certs ) +{ + int ret; + + if ( ( ret = mbedtls_x509_crt_parse( certs, *buf, buflen ) ) < 0 ) + return ( ret ); + + /** + * Currently we do not check for certificate chain, so we are not handling "> 0" case. + * Might have to revisit soon. 
+ **/ + + return ( 0 ); +} + +/** + * EncryptedDigest ::= OCTET STRING + **/ +static int pkcs7_get_signature( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *signature ) +{ + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE + ret ); + + signature->tag = MBEDTLS_ASN1_OCTET_STRING; + signature->len = len; + signature->p = *p; + + return ( 0 ); +} + +/** + * SignerInfo ::= SEQUENCE { + * version Version; + * issuerAndSerialNumber IssuerAndSerialNumber, + * digestAlgorithm DigestAlgorithmIdentifier, + * authenticatedAttributes + * [0] IMPLICIT Attributes OPTIONAL, + * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, + * encryptedDigest EncryptedDigest, + * unauthenticatedAttributes + * [1] IMPLICIT Attributes OPTIONAL, + **/ +static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signers_set ) +{ + unsigned char *end_set; + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_set = *p + len; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + signers_set->issuer_raw.p = *p; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = 
mbedtls_x509_get_name( p, *p + len, &signers_set->issuer ); + if ( ret != 0 ) + return ( ret ); + + signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial ); + if ( ret != 0 ) + return ( ret ); + + ret = pkcs7_get_digest_algorithm( p, end_set, + &signers_set->alg_identifier ); + if ( ret != 0 ) + return ( ret ); + + ret = pkcs7_get_digest_algorithm( p, end_set, + &signers_set->sig_alg_identifier ); + if ( ret != 0 ) + return ( ret ); + + ret = pkcs7_get_signature( p, end, &signers_set->sig ); + if ( ret != 0 ) + return ( ret ); + + signers_set->next = NULL; + + return ( 0 ); +} + +/** + * SignedData ::= SEQUENCE { + * version Version, + * digestAlgorithms DigestAlgorithmIdentifiers, + * contentInfo ContentInfo, + * certificates + * [0] IMPLICIT ExtendedCertificatesAndCertificates + * OPTIONAL, + * crls + * [0] IMPLICIT CertificateRevocationLists OPTIONAL, + * signerInfos SignerInfos } + */ +static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, + mbedtls_pkcs7_signed_data *signed_data ) +{ + unsigned char *p = buf; + unsigned char *end = buf + buflen; + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if ( ret != 0 ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + /* Get version of signed data */ + ret = pkcs7_get_version( &p, end, &signed_data->version ); + if ( ret != 0 ) + return ( ret ); + + /* If version != 1, return invalid version */ + if ( signed_data->version != MBEDTLS_PKCS7_SUPPORTED_VERSION ) { + mbedtls_printf("Invalid version\n"); + return ( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + } + + /* Get digest algorithm */ + ret = pkcs7_get_digest_algorithm_set( &p, end, + &signed_data->digest_alg_identifiers ); + if ( ret != 0 ) { + mbedtls_printf("error getting digest algorithms\n"); + return ( ret ); + } + + if ( signed_data->digest_alg_identifiers.len != strlen( 
MBEDTLS_OID_DIGEST_ALG_SHA256 ) ) + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + if ( memcmp( signed_data->digest_alg_identifiers.p, MBEDTLS_OID_DIGEST_ALG_SHA256, + signed_data->digest_alg_identifiers.len ) ) { + mbedtls_fprintf(stdout, "Digest Algorithm other than SHA256 is not supported\n"); + return ( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + } + + /* Do not expect any content */ + ret = pkcs7_get_content_info_type( &p, end, &signed_data->content.oid ); + if ( ret != 0 ) + return ( ret ); + + if ( memcmp( signed_data->content.oid.p, MBEDTLS_OID_PKCS7_DATA, + signed_data->content.oid.len ) ) { + mbedtls_printf("Invalid PKCS7 data\n"); + return ( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ) ; + } + + p = p + signed_data->content.oid.len; + + ret = pkcs7_get_next_content_len( &p, end, &len ); + if ( ret != 0 ) + return ( ret ); + + /* Get certificates */ + mbedtls_x509_crt_init( &signed_data->certs ); + ret = pkcs7_get_certificates( &p, len, &signed_data->certs ); + if ( ret != 0 ) + return ( ret ) ; + + p = p + len; + + /* Get signers info */ + ret = pkcs7_get_signers_info_set( &p, end, &signed_data->signers ); + if ( ret != 0 ) + return ( ret ); + + return ( ret ); +} + +int mbedtls_pkcs7_parse_der( const unsigned char *buf, const int buflen, + mbedtls_pkcs7 *pkcs7 ) +{ + unsigned char *start; + unsigned char *end; + size_t len = 0; + int ret; + + /* use internal buffer for parsing */ + start = ( unsigned char * )buf; + end = start + buflen; + + if (!pkcs7) + return ( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + + ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + if ( ret != 0 ) + goto out; + + if ( ( !memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENVELOPED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, 
MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_DIGESTED_DATA, + pkcs7->content_type_oid.len ) ) + || ( !memcmp(pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, + pkcs7->content_type_oid.len ) ) ) { + mbedtls_printf("Unsupported PKCS7 data type\n"); + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + goto out; + } + + if ( ( memcmp( pkcs7->content_type_oid.p, MBEDTLS_OID_PKCS7_SIGNED_DATA, + pkcs7->content_type_oid.len ) ) ) { + mbedtls_printf("Invalid PKCS7 data type\n"); + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } + mbedtls_printf("Content type is SignedData\n"); + + start = start + pkcs7->content_type_oid.len; + + ret = pkcs7_get_next_content_len( &start, end, &len ); + if ( ret != 0 ) + goto out; + + ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + if ( ret != 0 ) + goto out; + +out: + return ( ret ); +} + +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, mbedtls_x509_crt *cert, const unsigned char *data, int datalen ) +{ + + int ret; + unsigned char hash[32]; + mbedtls_pk_context pk_cxt = cert->pk; + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); + + mbedtls_md( md_info, data, datalen, hash ); + ret = mbedtls_pk_verify( &pk_cxt, MBEDTLS_MD_SHA256, hash, sizeof(hash), pkcs7->signed_data.signers.sig.p, pkcs7->signed_data.signers.sig.len ); + + mbedtls_printf("Verification return code is %04x\n", ret); + + return ( ret ); +} + +/* + * Unallocate all pkcs7 data + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if (pkcs7 == NULL) + return; + + mbedtls_x509_crt_free( &pkcs7->signed_data.certs ); + mbedtls_x509_crl_free( &pkcs7->signed_data.crl ); + + name_cur = pkcs7->signed_data.signers.issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_platform_zeroize( name_prv, 
sizeof( mbedtls_x509_name ) ); + mbedtls_free( name_prv ); + } +} + +#endif diff --git a/libstb/crypto/pkcs7/pkcs7.h b/libstb/crypto/pkcs7/pkcs7.h new file mode 100644 index 00000000..7f14b4b8 --- /dev/null +++ b/libstb/crypto/pkcs7/pkcs7.h 
@@ -0,0 +1,151 @@ +/** + * \file pkcs7.h + * + * \brief PKCS7 generic defines and structures + */ +/* + * Copyright (C) 2019, IBM Corp, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_PKCS7_H +#define MBEDTLS_PKCS7_H + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#include "mbedtls/asn1.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" + +/** + * \name PKCS7 Error codes + * \{ + */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x7080 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x7100 /**< The CRT/CRL format is invalid, e.g. different type expected. */ +#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x7180 /**< The PKCS7 version element is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x7200 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x7280 /**< The algorithm tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x7300 /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x7380 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x7400 /**< Input invalid. 
*/ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x7480 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_FILE_IO_ERROR -0x7500 /**< File Read/Write Error */ +/* \} name */ + +/** + * \name PKCS7 Supported Version + * \{ + */ +#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01 +/* \} name */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Type-length-value structure that allows for ASN1 using DER. + */ +typedef mbedtls_asn1_buf mbedtls_pkcs7_buf; + +/** + * Container for ASN1 named information objects. + * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). + */ +typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; + +/** + * Container for a sequence of ASN.1 items + */ +typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; + +/** + * Structure holding PKCS7 signer info + */ +typedef struct mbedtls_pkcs7_signer_info { + int version; + mbedtls_x509_buf serial; + mbedtls_x509_name issuer; + mbedtls_x509_buf issuer_raw; + mbedtls_x509_buf alg_identifier; + mbedtls_x509_buf sig_alg_identifier; + mbedtls_x509_buf sig; + struct mbedtls_pkcs7_signer_info *next; +} +mbedtls_pkcs7_signer_info; + +/** + * Structure holding attached data as part of PKCS7 signed data format + */ +typedef struct mbedtls_pkcs7_data { + mbedtls_pkcs7_buf oid; + mbedtls_pkcs7_buf data; +} +mbedtls_pkcs7_data; + +/** + * Structure holding the signed data section + */ +typedef struct mbedtls_pkcs7_signed_data { + int version; + mbedtls_pkcs7_buf digest_alg_identifiers; + struct mbedtls_pkcs7_data content; + mbedtls_x509_crt certs; + mbedtls_x509_crl crl; + struct mbedtls_pkcs7_signer_info signers; +} +mbedtls_pkcs7_signed_data; + +/** + * Structure holding PKCS7 structure, only signed data for now + */ +typedef struct mbedtls_pkcs7 { + mbedtls_pkcs7_buf content_type_oid; + struct mbedtls_pkcs7_signed_data signed_data; +} +mbedtls_pkcs7; + +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); + +int mbedtls_pkcs7_parse_der(const unsigned char *buf, const int buflen, 
mbedtls_pkcs7 *pkcs7); + +int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7, mbedtls_x509_crt *cert, const unsigned char *data, int datalen); + +int mbedtls_pkcs7_load_file( const char *path, unsigned char **buf, size_t *n ); + +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ); + +/* + * PKCS#7 OIDs + */ +#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 */ +#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ +#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */ + +#ifdef __cplusplus +} +#endif + +#endif /* pkcs7.h */

From patchwork Mon May 11 21:31:50 2020
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 1288096
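Review bot: the content-type checks in pkcs7_get_signed_data and mbedtls_pkcs7_parse_der compare OIDs with memcmp over the parsed `.len` only, unlike the digest-algorithm check at the top of the hunk, which verifies the length first. With an attacker-chosen `.len`, a longer OID reads past the string literal and a shorter OID that is a prefix of the literal is accepted. mbed TLS already provides MBEDTLS_OID_CMP( oid_str, oid_buf ), which checks the size and then memcmp, so `if ( memcmp( signed_data->content.oid.p, MBEDTLS_OID_PKCS7_DATA, signed_data->content.oid.len ) )` becomes `if ( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) )`, and the same for every memcmp on content_type_oid in mbedtls_pkcs7_parse_der. In that function the first if-chain lists MBEDTLS_OID_PKCS7_ENCRYPTED_DATA twice and is redundant anyway: the following `memcmp( ..., MBEDTLS_OID_PKCS7_SIGNED_DATA, ... )` already rejects everything that is not SignedData, so the chain can go. In mbedtls_pkcs7_signed_data_verify the return value of mbedtls_md is ignored and the verification runs against a shallow copy `pk_cxt = cert->pk`; pass `&cert->pk` directly, check mbedtls_md, and document that only the single `signers` entry is verified and that the function never checks that `cert` matches the signer's issuer/serial, so callers must loop over candidate certificates themselves (the edk2 backend does).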
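Review bot: the doc comments on all six MBEDTLS_OID_PKCS7_* defines read `pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1}`, copied from the PKCS#5 block in oid.h; they should name the PKCS#7 content types (data {pkcs-7 1}, signedData {pkcs-7 2}, envelopedData {pkcs-7 3}, signedAndEnvelopedData {pkcs-7 4}, digestedData {pkcs-7 5}, encryptedData {pkcs-7 6}), otherwise the generated API docs are wrong. The MBEDTLS_ERR_PKCS7_* values -0x7080 .. -0x7500 fall in the high-level range mbed TLS 2.x already uses for its SSL module (-0x7080 is MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE, -0x7100 is MBEDTLS_ERR_SSL_BAD_INPUT_DATA), so mbedtls_strerror, which edk2-compat-process.c calls on these codes, will describe them as SSL errors if that module's strings are compiled in; please pick an unused range. Also `mbedtls_pkcs7_parse_der( const unsigned char *buf, const int buflen, ...)` and `int datalen` in mbedtls_pkcs7_signed_data_verify take signed lengths that are only ever added to pointers; size_t is the right type, so a negative length is not representable.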
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:50 -0500
Message-Id: <20200511213152.24952-17-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
References: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 16/18] secvar/backend: add edk2 derived key updates processing
Cc: nayna@linux.ibm.com
From: Nayna Jain

As part of secureboot key management, the scheme for handling key updates is derived from the tianocore reference implementation[1]. The wrapper for holding the signed update is the Authentication Header, and the one for holding the public key certificate is the ESL (EFI Signature List), both derived from the tianocore reference implementation[1].

This patch adds the support to process the update queue. This involves:

1. Verification of the update signature using the key authorized as per the key hierarchy
2. Handling addition/deletion of the keys
3. Support for dbx (blacklisting of hashes)
4. Validation checks for the updates
5. Supporting multiple ESLs for a single variable, both for update/verification
6. Timestamp check
7. Allowing only a single PK
8. Failure Handling
9. Resetting keystore if the hardware key hash changes

[1] https://github.com/tianocore/edk2-staging.git

Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
V4:
 - fixed a typo in the hw-key-hash mismatch prlog
 - replace PRIORITY with PROTECTED
 - adjust most lines to 80 columns, some exceptions and prlog statements may still run over

 doc/secvar/edk2.rst                         |  49 ++
 include/secvar.h                            |   1 +
 libstb/secvar/backend/Makefile.inc          |   4 +-
 libstb/secvar/backend/edk2-compat-process.c | 717 ++++++++++++++++++++
 libstb/secvar/backend/edk2-compat-process.h |  61 ++
 libstb/secvar/backend/edk2-compat-reset.c   | 115 ++++
 libstb/secvar/backend/edk2-compat-reset.h   |  24 +
 libstb/secvar/backend/edk2-compat.c         | 262 +++++++
 libstb/secvar/backend/edk2.h                | 243 +++++++
 9 files changed, 1474 insertions(+), 2 deletions(-)
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 libstb/secvar/backend/edk2-compat-process.c
 create mode 100644 libstb/secvar/backend/edk2-compat-process.h
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
diff --git a/doc/secvar/edk2.rst b/doc/secvar/edk2.rst new file mode 100644 index 00000000..1e4cc9e3 --- /dev/null +++ b/doc/secvar/edk2.rst 
@@ -0,0 +1,49 @@ +.. _secvar/edk2: + +Skiboot edk2-compatible Secure Variable Backend +=============================================== + +Overview +-------- + +The edk2 secure variable backend for skiboot borrows from edk2 concepts +such as the three key hierarchy (PK, KEK, and db), and a similar +structure. In general, variable updates must be signed with a key +of a higher level. So, updates to the db must be signed with a key stored +in the KEK; updates to the KEK must be signed with the PK. Updates to the +PK must be signed with the previous PK (if any). + +Variables are stored in the efi signature list format, and updates are a +signed variant that includes an authentication header. + +If no PK is currently enrolled, the system is considered to be in "Setup +Mode". Any key can be enrolled without signature checks. However, once a +PK is enrolled, the system switches to "User Mode", and each update must +now be signed according to the hierarchy. Furthermore, when in "User +Mode", the backend initialized the ``os-secure-mode`` device tree flag, +signaling to the kernel that we are in secure mode. + +Updates are processed sequentially, in the order that they were provided +in the update queue. If any update fails to validate, appears to be +malformed, or any other error occurs, NO updates will not be applied. +This includes updates that may have successfully applied prior to the +error. The system will continue in an error state, reporting the error +reason via the ``update-status`` device tree property. + +P9 Special Case for the Platform Key +------------------------------------ + +Due to the powerful nature of the platform key and the lack of lockable +flash, the edk2 backend will store the PK in TPM NV rather than PNOR on +P9 systems. (TODO expand on this) + +Update Status Return Codes +-------------------------- + +TODO, edk2 driver needs to actually return these properly first + + +Device Tree Bindings +-------------------- + +TODO 
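Review bot: the sentence `If any update fails to validate, appears to be malformed, or any other error occurs, NO updates will not be applied.` is a double negative that states the opposite of the next sentence (that even updates which validated earlier in the queue are discarded); suggest `no updates will be applied`. Two lines earlier, `the backend initialized the ``os-secure-mode`` device tree flag` should read `initializes`. The `Update Status Return Codes` and `Device Tree Bindings` sections are bare TODOs and the P9 PK-in-TPM-NV paragraph ends in `(TODO expand on this)`; since the commit message lists failure handling and the hw-key-hash reset as implemented, the `update-status` values this backend actually sets should be listed here in the same series, or the cover letter should say the doc is intentionally partial.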
diff --git a/include/secvar.h b/include/secvar.h index 7a45db2b..4f40c115 100644 --- a/include/secvar.h +++ b/include/secvar.h @@ -28,6 +28,7 @@ struct secvar_backend_driver { }; extern struct secvar_storage_driver secboot_tpm_driver; +extern struct secvar_backend_driver edk2_compatible_v1; int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver); diff --git a/libstb/secvar/backend/Makefile.inc b/libstb/secvar/backend/Makefile.inc index 6f491a63..bc987f69 100644 --- a/libstb/secvar/backend/Makefile.inc +++ b/libstb/secvar/backend/Makefile.inc @@ -1,11 +1,11 @@ # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # -*-Makefile-*- -SECVAR_BACKEND_DIR = libstb/secvar/backend +SECVAR_BACKEND_DIR = $(SRC)/libstb/secvar/backend SUBDIRS += $(SECVAR_BACKEND_DIR) -SECVAR_BACKEND_SRCS = +SECVAR_BACKEND_SRCS = edk2-compat.c edk2-compat-process.c edk2-compat-reset.c SECVAR_BACKEND_OBJS = $(SECVAR_BACKEND_SRCS:%.c=%.o) SECVAR_BACKEND = $(SECVAR_BACKEND_DIR)/built-in.a diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c new file mode 100644 index 00000000..60ebb0b2 --- /dev/null +++ b/libstb/secvar/backend/edk2-compat-process.c 
@@ -0,0 +1,717 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include "libstb/crypto/pkcs7/pkcs7.h" +#include "edk2.h" +#include "../secvar.h" +#include "edk2-compat-process.h" + +bool setup_mode; + +int update_variable_in_bank(struct secvar *secvar, const char *data, + uint64_t dsize, struct list_head *bank) +{ + struct secvar_node *node; + + node = find_secvar(secvar->key, secvar->key_len, bank); + if (!node) + return OPAL_EMPTY; + + /* Reallocate the data memory, if there is change in data size */ + if (node->size < dsize) + if (realloc_secvar(node, dsize)) + return OPAL_NO_MEM; + + if (dsize && data) + memcpy(node->var->data, data, dsize); + node->var->data_size = dsize; + + /* Clear the volatile bit only if updated with positive data size */ + if (dsize) + node->flags &= ~SECVAR_FLAG_VOLATILE; + else + node->flags |= SECVAR_FLAG_VOLATILE; + + /* Is it required to be set everytime ? */ + if ((!strncmp(secvar->key, "PK", 3)) + || (!strncmp(secvar->key, "HWKH", 5))) + node->flags |= SECVAR_FLAG_PROTECTED; + + return 0; +} + +/* Converts utf8 string to ucs2 */ +static char *utf8_to_ucs2(const char *key, size_t keylen) +{ + int i; + char *str; + + str = zalloc(keylen * 2); + if (!str) + return NULL; + + for (i = 0; i < keylen*2; key++) { + str[i++] = *key; + str[i++] = '\0'; + } + + return str; +} + +/* Returns the authority that can sign the given key update */ +static void get_key_authority(const char *ret[3], const char *key) +{ + int i = 0; + + if (key_equals(key, "PK")) { + ret[i++] = "PK"; + } else if (key_equals(key, "KEK")) { + ret[i++] = "PK"; + } else if (key_equals(key, "db") || key_equals(key, "dbx")) { + ret[i++] = "KEK"; + ret[i++] = "PK"; + } + + ret[i] = NULL; +} + +/* Returns the size of the complete ESL. 
*/ +static int get_esl_signature_list_size(char *buf, size_t buflen) +{ + EFI_SIGNATURE_LIST list; + + if (buflen < sizeof(EFI_SIGNATURE_LIST)) + return OPAL_PARAMETER; + + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST)); + + prlog(PR_DEBUG, "size of signature list size is %u\n", + le32_to_cpu(list.SignatureListSize)); + + return le32_to_cpu(list.SignatureListSize); +} + +/* Copies the certificate from the ESL into cert buffer and returns the size + * of the certificate + */ +static int get_esl_cert(char *buf, size_t buflen, char **cert) +{ + size_t sig_data_offset; + size_t size; + EFI_SIGNATURE_LIST list; + + if (buflen < sizeof(EFI_SIGNATURE_LIST)) + return OPAL_PARAMETER; + + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST)); + + size = le32_to_cpu(list.SignatureSize) - sizeof(uuid_t); + /* No certificate in the ESL */ + if (size <= 0) + return OPAL_PERMISSION; + + if (!cert) + return OPAL_PARAMETER; + + *cert = zalloc(size); + if (!(*cert)) + return OPAL_NO_MEM; + + prlog(PR_DEBUG,"size of signature list size is %u\n", + le32_to_cpu(list.SignatureListSize)); + prlog(PR_DEBUG, "size of signature header size is %u\n", + le32_to_cpu(list.SignatureHeaderSize)); + prlog(PR_DEBUG, "size of signature size is %u\n", + le32_to_cpu(list.SignatureSize)); + + sig_data_offset = sizeof(list) + le32_to_cpu(list.SignatureHeaderSize) + + 16 * sizeof(uint8_t); + if (sig_data_offset > buflen) { + free(*cert); + return OPAL_PARAMETER; + } + + memcpy(*cert, buf + sig_data_offset, size); + + return size; +} + +/* Extracts size of the PKCS7 signed data embedded in the + * struct Authentication 2 Descriptor Header. 
+ */ +static int get_pkcs7_len(struct efi_variable_authentication_2 *auth) +{ + uint32_t dw_length; + size_t size; + + if (!auth) + return OPAL_PARAMETER; + + dw_length = le32_to_cpu(auth->auth_info.hdr.dw_length); + size = dw_length - (sizeof(auth->auth_info.hdr.dw_length) + + sizeof(auth->auth_info.hdr.w_revision) + + sizeof(auth->auth_info.hdr.w_certificate_type) + + sizeof(auth->auth_info.cert_type)); + + return size; +} + +int get_auth_descriptor2(void *buf, size_t buflen, char **auth_buffer) +{ + struct efi_variable_authentication_2 *auth = NULL; + size_t auth_buffer_size; + int len; + + if (buflen < sizeof(struct efi_variable_authentication_2)) + return OPAL_PARAMETER; + + auth = buf; + + len = get_pkcs7_len(auth); + + /* We need PKCS7 data else there is no signature */ + if (len <= 0) + return OPAL_PARAMETER; + + if (!auth_buffer) + return OPAL_PARAMETER; + + auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + + sizeof(auth->auth_info.cert_type) + len; + + if (auth_buffer_size <= 0) + return OPAL_PARAMETER; + + *auth_buffer = zalloc(auth_buffer_size); + if (!(*auth_buffer)) + return OPAL_NO_MEM; + + memcpy(*auth_buffer, buf, auth_buffer_size); + + return auth_buffer_size; +} + +int validate_esl_list(char *key, char *esl, size_t size) +{ + int count = 0; + int signing_cert_size; + char *signing_cert = NULL; + mbedtls_x509_crt x509; + char *x509_buf = NULL; + int eslvarsize = size; + int rc = OPAL_SUCCESS; + int eslsize; + int offset = 0; + + while (eslvarsize > 0) { + prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset); + if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) + break; + + /* Calculate the size of the ESL */ + eslsize = get_esl_signature_list_size(esl, eslvarsize); + /* If could not extract the size */ + if (eslsize <= 0) { + prlog(PR_ERR, "Invalid size of the ESL\n"); + rc = OPAL_PARAMETER; + break; + } + + /* Extract the certificate from the ESL */ + signing_cert_size = get_esl_cert(esl, + eslvarsize, 
+ &signing_cert); + if (signing_cert_size < 0) { + rc = signing_cert_size; + break; + } + + mbedtls_x509_crt_init(&x509); + rc = mbedtls_x509_crt_parse(&x509, + signing_cert, + signing_cert_size); + + /* If failure in parsing the certificate, exit */ + if(rc) { + prlog(PR_INFO, "X509 certificate parsing failed %04x\n", rc); + rc = OPAL_PARAMETER; + break; + } + + x509_buf = zalloc(CERT_BUFFER_SIZE); + rc = mbedtls_x509_crt_info(x509_buf, + CERT_BUFFER_SIZE, + "CRT:", + &x509); + prlog(PR_INFO, "%s ", x509_buf); + + /* If failure in reading the certificate, exit */ + if (rc < 0) { + prlog(PR_INFO, "Failed to show X509 certificate info %04x\n", rc); + rc = OPAL_PARAMETER; + free(x509_buf); + break; + } + rc = 0; + + free(x509_buf); + x509_buf = NULL; + count++; + + /* Look for the next ESL */ + offset = offset + eslsize; + eslvarsize = eslvarsize - eslsize; + mbedtls_x509_crt_free(&x509); + free(signing_cert); + /* Since we are going to allocate again in the next iteration */ + signing_cert = NULL; + } + + if (rc == OPAL_SUCCESS) { + if (key_equals(key, "PK") && (count > 1)) { + prlog(PR_ERR, "PK can only be one\n"); + rc = OPAL_PARAMETER; + } else { + rc = count; + } + } + + prlog(PR_INFO, "Total ESLs are %d\n", rc); + return rc; +} + +/* Get the timestamp for the last update of the give key */ +static struct efi_time *get_last_timestamp(const char *key, char *last_timestamp) +{ + u8 off; + + if (!last_timestamp) + return NULL; + + if (!strncmp(key, "PK", 3)) + off = 0; + else if (!strncmp(key, "KEK", 4)) + off = 1; + else if (!strncmp(key, "db", 3)) + off = 2; + else if (!strncmp(key, "dbx", 4)) + off = 3; + else + return NULL; + + return &((struct efi_time *)last_timestamp)[off]; +} + +int update_timestamp(char *key, struct efi_time *timestamp, char *last_timestamp) +{ + struct efi_time *prev; + + prev = get_last_timestamp(key, last_timestamp); + if (prev == NULL) + return OPAL_INTERNAL_ERROR; + + memcpy(prev, timestamp, sizeof(struct efi_time)); + + 
prlog(PR_DEBUG, "updated prev year is %d month %d day %d\n", + le16_to_cpu(prev->year), prev->month, prev->day); + + return OPAL_SUCCESS; +} + +int check_timestamp(char *key, struct efi_time *timestamp, + char *last_timestamp) +{ + struct efi_time *prev; + + prev = get_last_timestamp(key, last_timestamp); + if (prev == NULL) + return OPAL_INTERNAL_ERROR; + + prlog(PR_DEBUG, "timestamp year is %d month %d day %d\n", + le16_to_cpu(timestamp->year), timestamp->month, + timestamp->day); + prlog(PR_DEBUG, "prev year is %d month %d day %d\n", + le16_to_cpu(prev->year), prev->month, prev->day); + if (le16_to_cpu(timestamp->year) > le16_to_cpu(prev->year)) + return OPAL_SUCCESS; + if (le16_to_cpu(timestamp->year) < le16_to_cpu(prev->year)) + return OPAL_PERMISSION; + + if (timestamp->month > prev->month) + return OPAL_SUCCESS; + if (timestamp->month < prev->month) + return OPAL_PERMISSION; + + if (timestamp->day > prev->day) + return OPAL_SUCCESS; + if (timestamp->day < prev->day) + return OPAL_PERMISSION; + + if (timestamp->hour > prev->hour) + return OPAL_SUCCESS; + if (timestamp->hour < prev->hour) + return OPAL_PERMISSION; + + if (timestamp->minute > prev->minute) + return OPAL_SUCCESS; + if (timestamp->minute < prev->minute) + return OPAL_PERMISSION; + + if (timestamp->second > prev->second) + return OPAL_SUCCESS; + + /* Time less than or equal to is considered as replay*/ + if (timestamp->second <= prev->second) + return OPAL_PERMISSION; + + /* nanosecond, timezone, daylight and pad2 are meant to be zero */ + + return OPAL_SUCCESS; +} + +/* Extract PKCS7 from the authentication header */ +static int get_pkcs7(struct efi_variable_authentication_2 *auth, + mbedtls_pkcs7 **pkcs7) +{ + char *checkpkcs7cert = NULL; + int len; + int rc; + + len = get_pkcs7_len(auth); + if (len <= 0) + return OPAL_PARAMETER; + + if (!pkcs7) + return OPAL_PARAMETER; + + *pkcs7 = malloc(sizeof(struct mbedtls_pkcs7)); + if (!(*pkcs7)) + return OPAL_NO_MEM; + + mbedtls_pkcs7_init(*pkcs7); + rc 
= mbedtls_pkcs7_parse_der( + (const unsigned char *)auth->auth_info.cert_data, + (const unsigned int)len, *pkcs7); + if (rc) { + prlog(PR_ERR, "Parsing pkcs7 failed %04x\n", rc); + mbedtls_pkcs7_free(*pkcs7); + return rc; + } + + checkpkcs7cert = zalloc(CERT_BUFFER_SIZE); + if (!checkpkcs7cert) { + mbedtls_pkcs7_free(*pkcs7); + return OPAL_NO_MEM; + } + + rc = mbedtls_x509_crt_info(checkpkcs7cert, CERT_BUFFER_SIZE, "CRT:", + &((*pkcs7)->signed_data.certs)); + if (rc < 0) { + prlog(PR_ERR, "Failed to parse the certificate in PKCS7 structure\n"); + rc = OPAL_PARAMETER; + } else { + rc = OPAL_SUCCESS; + prlog(PR_DEBUG, "%s \n", checkpkcs7cert); + } + + free(checkpkcs7cert); + mbedtls_pkcs7_free(*pkcs7); + + return rc; +} + +/* Verify the PKCS7 signature on the signed data. */ +static int verify_signature(struct efi_variable_authentication_2 *auth, + char *newcert, size_t new_data_size, + struct secvar *avar) +{ + mbedtls_pkcs7 *pkcs7 = NULL; + mbedtls_x509_crt x509; + char *signing_cert = NULL; + char *x509_buf = NULL; + int signing_cert_size; + int rc; + char *errbuf; + int eslvarsize; + int eslsize; + int offset = 0; + + if (!auth) + return OPAL_PARAMETER; + + /* Extract the pkcs7 from the auth structure */ + rc = get_pkcs7(auth, &pkcs7); + /* Failure to parse pkcs7 implies bad input. 
*/ + if (rc != OPAL_SUCCESS) + return OPAL_PARAMETER; + + prlog(PR_INFO, "Load the signing certificate from the keystore"); + + eslvarsize = avar->data_size; + + /* Variable is not empty */ + while (eslvarsize > 0) { + prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset); + if (eslvarsize < sizeof(EFI_SIGNATURE_LIST)) + break; + + /* Calculate the size of the ESL */ + eslsize = get_esl_signature_list_size(avar->data + offset, + eslvarsize); + /* If could not extract the size */ + if (eslsize <= 0) { + rc = OPAL_PARAMETER; + break; + } + + /* Extract the certificate from the ESL */ + signing_cert_size = get_esl_cert(avar->data + offset, + eslvarsize, &signing_cert); + if (signing_cert_size < 0) { + rc = signing_cert_size; + break; + } + + mbedtls_x509_crt_init(&x509); + rc = mbedtls_x509_crt_parse(&x509, + signing_cert, + signing_cert_size); + + /* This should not happen, unless something corrupted in PNOR */ + if(rc) { + prlog(PR_INFO, "X509 certificate parsing failed %04x\n", rc); + rc = OPAL_INTERNAL_ERROR; + break; + } + + x509_buf = zalloc(CERT_BUFFER_SIZE); + rc = mbedtls_x509_crt_info(x509_buf, + CERT_BUFFER_SIZE, + "CRT:", + &x509); + + /* This should not happen, unless something corrupted in PNOR */ + if (rc < 0) { + free(x509_buf); + rc = OPAL_INTERNAL_ERROR; + break; + } + + prlog(PR_INFO, "%s \n", x509_buf); + free(x509_buf); + x509_buf = NULL; + + /* Verify the signature */ + rc = mbedtls_pkcs7_signed_data_verify(pkcs7, &x509, newcert, + new_data_size); + + /* If you find a signing certificate, you are done */ + if (rc == 0) { + prlog(PR_INFO, "Signature Verification passed\n"); + mbedtls_x509_crt_free(&x509); + break; + } + + errbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE); + mbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE); + prlog(PR_INFO, "Signature Verification failed %02x %s\n", + rc, errbuf); + free(errbuf); + + /* Look for the next ESL */ + offset = offset + eslsize; + eslvarsize = eslvarsize - eslsize; + 
mbedtls_x509_crt_free(&x509); + free(signing_cert); + /* Since we are going to allocate again in the next iteration */ + signing_cert = NULL; + + } + + free(signing_cert); + mbedtls_pkcs7_free(pkcs7); + free(pkcs7); + + return rc; +} + +/* Create the single buffer + * name || vendor guid || attributes || timestamp || newcontent + * which is submitted as signed by the user. + * Returns number of bytes in the new buffer, else negative error + * code. + */ +static int get_data_to_verify(char *key, char *new_data, size_t new_data_size, + char **buffer, size_t *buffer_size, + struct efi_time *timestamp) +{ + le32 attr = cpu_to_le32(SECVAR_ATTRIBUTES); + size_t offset = 0; + size_t varlen; + char *wkey; + uuid_t guid; + + if (key_equals(key, "PK") + || key_equals(key, "KEK")) + guid = EFI_GLOBAL_VARIABLE_GUID; + else if (key_equals(key, "db") + || key_equals(key, "dbx")) + guid = EFI_IMAGE_SECURITY_DATABASE_GUID; + else + return OPAL_INTERNAL_ERROR; + + /* Convert utf8 name to ucs2 width */ + varlen = strlen(key) * 2; + wkey = utf8_to_ucs2(key, strlen(key)); + + /* Prepare the single buffer */ + *buffer_size = varlen + UUID_SIZE + sizeof(attr) + + sizeof(struct efi_time) + new_data_size; + *buffer = zalloc(*buffer_size); + if (!*buffer) + return OPAL_NO_MEM; + + memcpy(*buffer + offset, wkey, varlen); + offset = offset + varlen; + memcpy(*buffer + offset, &guid, sizeof(guid)); + offset = offset + sizeof(guid); + memcpy(*buffer + offset, &attr, sizeof(attr)); + offset = offset + sizeof(attr); + memcpy(*buffer + offset, timestamp , sizeof(struct efi_time)); + offset = offset + sizeof(struct efi_time); + + memcpy(*buffer + offset, new_data, new_data_size); + offset = offset + new_data_size; + + free(wkey); + + return offset; +} + +bool is_pkcs7_sig_format(void *data) +{ + struct efi_variable_authentication_2 *auth = data; + uuid_t pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID; + + if(!(memcmp(&auth->auth_info.cert_type, &pkcs7_guid, 16) == 0)) + return false; + + return true; +} + 
+int process_update(struct secvar_node *update, char **newesl, + int *new_data_size, struct efi_time *timestamp, + struct list_head *bank, char *last_timestamp) +{ + struct efi_variable_authentication_2 *auth = NULL; + char *auth_buffer = NULL; + int auth_buffer_size = 0; + const char *key_authority[3]; + char *tbhbuffer = NULL; + size_t tbhbuffersize = 0; + struct secvar_node *anode = NULL; + int rc = 0; + int i; + + auth_buffer_size = get_auth_descriptor2(update->var->data, + update->var->data_size, + &auth_buffer); + if ((auth_buffer_size < 0) + || (update->var->data_size < auth_buffer_size)) { + prlog(PR_ERR, "Invalid auth buffer size\n"); + rc = auth_buffer_size; + goto out; + } + + auth = (struct efi_variable_authentication_2 *)auth_buffer; + + if (!timestamp) { + rc = OPAL_INTERNAL_ERROR; + goto out; + } + + memcpy(timestamp, auth_buffer, sizeof(struct efi_time)); + + rc = check_timestamp(update->var->key, timestamp, last_timestamp); + /* Failure implies probably an older command being resubmitted */ + if (rc != OPAL_SUCCESS) { + prlog(PR_INFO, "Timestamp verification failed for key %s\n", update->var->key); + goto out; + } + + /* Calculate the size of new ESL data */ + *new_data_size = update->var->data_size - auth_buffer_size; + if (*new_data_size < 0) { + prlog(PR_ERR, "Invalid new ESL (new data content) size\n"); + rc = OPAL_PARAMETER; + goto out; + } + *newesl = zalloc(*new_data_size); + if (!(*newesl)) { + rc = OPAL_NO_MEM; + goto out; + } + memcpy(*newesl, update->var->data + auth_buffer_size, *new_data_size); + + /* Validate the new ESL is in right format */ + rc = validate_esl_list(update->var->key, *newesl, *new_data_size); + if (rc < 0) { + prlog(PR_ERR, "ESL validation failed for key %s with error %04x\n", + update->var->key, rc); + goto out; + } + + if (setup_mode) { + rc = OPAL_SUCCESS; + goto out; + } + + /* Prepare the data to be verified */ + rc = get_data_to_verify(update->var->key, *newesl, *new_data_size, + &tbhbuffer, &tbhbuffersize, 
timestamp); + + /* Get the authority to verify the signature */ + get_key_authority(key_authority, update->var->key); + i = 0; + + /* Try for all the authorities that are allowed to sign. + * For eg. db/dbx can be signed by both PK or KEK + */ + while (key_authority[i] != NULL) { + prlog(PR_DEBUG, "key is %s\n", update->var->key); + prlog(PR_DEBUG, "key authority is %s\n", key_authority[i]); + anode = find_secvar(key_authority[i], + strlen(key_authority[i]) + 1, + bank); + if (!anode || !anode->var->data_size) { + i++; + continue; + } + + /* Verify the signature */ + rc = verify_signature(auth, tbhbuffer, tbhbuffersize, + anode->var); + + /* Break if signature verification is successful */ + if (rc == OPAL_SUCCESS) + break; + i++; + } + +out: + free(auth_buffer); + free(tbhbuffer); + + return rc; +} diff --git a/libstb/secvar/backend/edk2-compat-process.h b/libstb/secvar/backend/edk2-compat-process.h new file mode 100644 index 00000000..94059ee3 --- /dev/null +++ b/libstb/secvar/backend/edk2-compat-process.h 
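Review bot: in `get_data_to_verify()` (edk2-compat-process.c) the pointer returned by `utf8_to_ucs2(key, strlen(key))` is passed straight to `memcpy(*buffer + offset, wkey, varlen)` without a NULL check, and the early `return OPAL_NO_MEM` taken when `zalloc(*buffer_size)` fails leaks `wkey`; check `wkey` before use and free it on that path. In `process_update()` the return value of `get_data_to_verify()` is never examined before `verify_signature()` runs, and when none of the `key_authority[]` entries is present in the bank the `while` loop exits with `rc` still holding the positive byte count returned by `get_data_to_verify()`, which the caller then logs as an opaque failure code. Suggest `if (rc < 0) goto out;` after the call and `rc = OPAL_PERMISSION;` before the loop so "no signing authority present" is reported explicitly. Separately, `is_pkcs7_sig_format()` dereferences `auth->auth_info.cert_type` with no length check even though `edk2_compat_validate()` has `var->data_size` available; pass the size in and reject buffers shorter than `sizeof(struct efi_variable_authentication_2)`.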
@@ -0,0 +1,61 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ + +#ifndef __SECVAR_EDK2_COMPAT_PROCESS__ +#define __SECVAR_EDK2_COMPAT_PROCESS__ + +#ifndef pr_fmt +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include "libstb/crypto/pkcs7/pkcs7.h" +#include "edk2.h" +#include "opal-api.h" +#include "../secvar.h" +#include "../secvar_devtree.h" + +#define CERT_BUFFER_SIZE 2048 +#define MBEDTLS_ERR_BUFFER_SIZE 1024 + +#define EDK2_MAX_KEY_LEN SECVAR_MAX_KEY_LEN +#define key_equals(a,b) (!strncmp(a, b, EDK2_MAX_KEY_LEN)) + +extern bool setup_mode; +extern struct list_head staging_bank; + +/* Update the variable in the variable bank with the new value. */ +int update_variable_in_bank(struct secvar *secvar, const char *data, + uint64_t dsize, struct list_head *bank); + +/* This function outputs the Authentication 2 Descriptor in the + * auth_buffer and returns the size of the buffer. Please refer to + * edk2.h for details on Authentication 2 Descriptor + */ +int get_auth_descriptor2(void *buf, size_t buflen, char **auth_buffer); + +/* Check the format of the ESL */ +int validate_esl_list(char *key, char *esl, size_t size); + +/* Update the TS variable with the new timestamp */ +int update_timestamp(char *key, struct efi_time *timestamp, char *last_timestamp); + +/* Check the new timestamp against the timestamp last update was done */ +int check_timestamp(char *key, struct efi_time *timestamp, char *last_timestamp); + +/* Check the GUID of the data type */ +bool is_pkcs7_sig_format(void *data); + +/* Process the update */ +int process_update(struct secvar_node *update, char **newesl, int *neweslsize, + struct efi_time *timestamp, struct list_head *bank, + char *last_timestamp); + +#endif diff --git a/libstb/secvar/backend/edk2-compat-reset.c b/libstb/secvar/backend/edk2-compat-reset.c new file mode 100644 index 00000000..c23235b2 
--- /dev/null +++ b/libstb/secvar/backend/edk2-compat-reset.c 
@@ -0,0 +1,115 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#include +#include +#include "edk2-compat-process.h" +#include "edk2-compat-reset.h" +#include "../secvar.h" + +int reset_keystore(struct list_head *bank) +{ + struct secvar_node *node; + int rc = 0; + + node = find_secvar("PK", 3, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + if (rc) + return rc; + + node = find_secvar("KEK", 4, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + if (rc) + return rc; + + node = find_secvar("db", 3, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + if (rc) + return rc; + + node = find_secvar("dbx", 4, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + if (rc) + return rc; + + node = find_secvar("TS", 3, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + if (rc) + return rc; + + node = find_secvar("HWKH", 5, bank); + if (node) + rc = update_variable_in_bank(node->var, NULL, 0, bank); + + return rc; +} + + +int add_hw_key_hash(struct list_head *bank) +{ + struct secvar_node *node; + uint32_t hw_key_hash_size; + const char *hw_key_hash; + struct dt_node *secureboot; + + secureboot = dt_find_by_path(dt_root, "ibm,secureboot"); + if (!secureboot) + return false; + + hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size"); + + hw_key_hash = dt_prop_get(secureboot, "hw-key-hash"); + + if (!hw_key_hash) + return OPAL_PERMISSION; + + node = new_secvar("HWKH", 5, hw_key_hash, + hw_key_hash_size, SECVAR_FLAG_PROTECTED); + list_add_tail(bank, &node->link); + + return OPAL_SUCCESS; +} + +int delete_hw_key_hash(struct list_head *bank) +{ + struct secvar_node *node; + int rc; + + node = find_secvar("HWKH", 5, bank); + if (!node) + return OPAL_SUCCESS; + + rc = update_variable_in_bank(node->var, NULL, 0, bank); + return rc; +} + +int verify_hw_key_hash(void) +{ + const char 
*hw_key_hash; + struct dt_node *secureboot; + struct secvar_node *node; + + secureboot = dt_find_by_path(dt_root, "ibm,secureboot"); + if (!secureboot) + return OPAL_INTERNAL_ERROR; + + hw_key_hash = dt_prop_get(secureboot, "hw-key-hash"); + + if (!hw_key_hash) + return OPAL_INTERNAL_ERROR; + + /* This value is from the protected storage */ + node = find_secvar("HWKH", 5, &variable_bank); + if (!node) + return OPAL_PERMISSION; + + if (memcmp(hw_key_hash, node->var->data, node->var->data_size) != 0) + return OPAL_PERMISSION; + + return OPAL_SUCCESS; +} + diff --git a/libstb/secvar/backend/edk2-compat-reset.h b/libstb/secvar/backend/edk2-compat-reset.h new file mode 100644 index 00000000..bede9c9d --- /dev/null +++ b/libstb/secvar/backend/edk2-compat-reset.h @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ + +#ifndef __SECVAR_EDK2_COMPAT_CLEAR_KEYS__ +#define __SECVAR_EDK2_COMPAT_CLEAR_KEYS__ + +#ifndef pr_fmt +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt +#endif + +/* clear all os keys and the timestamp*/ +int reset_keystore(struct list_head *bank); + +/* Compares the hw-key-hash from device tree to the value stored in + * the protected storage to ensure it is not modified */ +int verify_hw_key_hash(void); + +/* Adds hw-key-hash */ +int add_hw_key_hash(struct list_head *bank); + +/* Delete hw-key-hash */ +int delete_hw_key_hash(struct list_head *bank); + +#endif diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c new file mode 100644 index 00000000..334aca3e --- /dev/null +++ b/libstb/secvar/backend/edk2-compat.c 
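Review bot: `add_hw_key_hash()` (edk2-compat-reset.c) returns `false` when the `ibm,secureboot` node is missing, which in an `int`-returning function is `0` and reads as `OPAL_SUCCESS`; return an OPAL error code there, and check the `new_secvar()` result for NULL before `list_add_tail(bank, &node->link)`. In `verify_hw_key_hash()` the comparison `memcmp(hw_key_hash, node->var->data, node->var->data_size)` uses the stored length, so a stored value shorter than the device-tree hash (including a zero-length one) compares equal on its prefix; compare `node->var->data_size` against the `hw-key-hash-size` property that `add_hw_key_hash()` already reads before calling `memcmp`.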
@@ -0,0 +1,262 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#ifndef pr_fmt +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include "libstb/crypto/pkcs7/pkcs7.h" +#include "edk2.h" +#include "../secvar.h" +#include "edk2-compat-process.h" +#include "edk2-compat-reset.h" + +struct list_head staging_bank; + +/* + * Initializes supported variables as empty if not loaded from + * storage. Variables are initialized as volatile if not found. + * Updates should clear this flag. + * Returns OPAL Error if anything fails in initialization + */ +static int edk2_compat_pre_process(struct list_head *variable_bank, + struct list_head *update_bank __unused) +{ + struct secvar_node *pkvar; + struct secvar_node *kekvar; + struct secvar_node *dbvar; + struct secvar_node *dbxvar; + struct secvar_node *tsvar; + + pkvar = find_secvar("PK", 3, variable_bank); + if (!pkvar) { + pkvar = new_secvar("PK", 3, NULL, 0, SECVAR_FLAG_VOLATILE + | SECVAR_FLAG_PROTECTED); + if (!pkvar) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &pkvar->link); + } + if (pkvar->var->data_size == 0) + setup_mode = true; + else + setup_mode = false; + + kekvar = find_secvar("KEK", 4, variable_bank); + if (!kekvar) { + kekvar = new_secvar("KEK", 4, NULL, 0, SECVAR_FLAG_VOLATILE); + if (!kekvar) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &kekvar->link); + } + + dbvar = find_secvar("db", 3, variable_bank); + if (!dbvar) { + dbvar = new_secvar("db", 3, NULL, 0, SECVAR_FLAG_VOLATILE); + if (!dbvar) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &dbvar->link); + } + + dbxvar = find_secvar("dbx", 4, variable_bank); + if (!dbxvar) { + dbxvar = new_secvar("dbx", 4, NULL, 0, SECVAR_FLAG_VOLATILE); + if (!dbxvar) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &dbxvar->link); + } + + /* Should only ever happen on first boot. 
Timestamp is + * initialized with all zeroes. */ + tsvar = find_secvar("TS", 3, variable_bank); + if (!tsvar) { + tsvar = alloc_secvar(sizeof(struct efi_time) * 4); + if (!tsvar) + return OPAL_NO_MEM; + + memcpy(tsvar->var->key, "TS", 3); + tsvar->var->key_len = 3; + tsvar->var->data_size = sizeof(struct efi_time) * 4; + memset(tsvar->var->data, 0, tsvar->var->data_size); + list_add_tail(variable_bank, &tsvar->link); + } + + return OPAL_SUCCESS; +}; + +static int edk2_compat_process(struct list_head *variable_bank, + struct list_head *update_bank) +{ + struct secvar_node *node = NULL; + struct secvar_node *tsvar = NULL; + struct efi_time timestamp; + char *newesl = NULL; + int neweslsize; + int rc = 0; + + prlog(PR_INFO, "Setup mode = %d\n", setup_mode); + + /* Check HW-KEY-HASH */ + if (!setup_mode) { + rc = verify_hw_key_hash(); + if (rc != OPAL_SUCCESS) { + prlog(PR_ERR, "Hardware key hash verification mismatch\n"); + rc = reset_keystore(variable_bank); + if (rc) + goto cleanup; + setup_mode = true; + goto cleanup; + } + } + + /* Return early if we have no updates to process */ + if (list_empty(update_bank)) { + return OPAL_EMPTY; + } + + /* Make a working copy of variable bank that is updated + * during process */ + list_head_init(&staging_bank); + copy_bank_list(&staging_bank, variable_bank); + + /* Loop through each command in the update bank. + * If any command fails, it just loops out of the update bank. + * It should also clear the update bank. + */ + + list_for_each(update_bank, node, link) { + + /* Submitted data is auth_2 descriptor + new ESL data + * Extract the auth_2 2 descriptor + */ + prlog(PR_INFO, "Update for %s\n", node->var->key); + + tsvar = find_secvar("TS", 3, &staging_bank); + + /* We cannot find timestamp variable, did someone tamper it? 
*/ + if (!tsvar) { + rc = OPAL_PERMISSION; + break; + } + + rc = process_update(node, &newesl, + &neweslsize, &timestamp, + &staging_bank, + tsvar->var->data); + if (rc) { + prlog(PR_ERR, "Update processing failed with rc %04x\n", rc); + break; + } + + /* + * If reached here means, signature is verified so update the + * value in the variable bank + */ + rc = update_variable_in_bank(node->var, + newesl, + neweslsize, + &staging_bank); + if (rc) { + prlog(PR_ERR, "Updating the variable data failed %04x\n", rc); + break; + } + + free(newesl); + /* Update the TS variable with the new timestamp */ + rc = update_timestamp(node->var->key, + &timestamp, + tsvar->var->data); + if (rc) { + prlog (PR_ERR, "Variable updated, but timestamp updated failed %04x\n", rc); + break; + } + + /* If the PK is updated, update the secure boot state of the + * system at the end of processing */ + if (key_equals(node->var->key, "PK")) { + /* PK is tied to a particular firmware image by mapping + * it with hw-key-hash of that firmware. When PK is + * updated, hw-key-hash is updated. And when PK is + * deleted, delete hw-key-hash as well */ + if(neweslsize == 0) { + setup_mode = true; + delete_hw_key_hash(&staging_bank); + } else { + setup_mode = false; + add_hw_key_hash(&staging_bank); + } + prlog(PR_DEBUG, "setup mode is %d\n", setup_mode); + } + } + + if (rc == 0) { + /* Update the variable bank with updated working copy */ + clear_bank_list(variable_bank); + copy_bank_list(variable_bank, &staging_bank); + } + +cleanup: + /* For any failure in processing update queue, we clear the update bank + * and return failure */ + clear_bank_list(update_bank); + + return rc; +} + +static int edk2_compat_post_process(struct list_head *variable_bank, + struct list_head *update_bank __unused) +{ + struct secvar_node *hwvar; + if (!setup_mode) { + secvar_set_secure_mode(); + prlog(PR_INFO, "Enforcing OS secure mode\n"); + /* HW KEY HASH is no more needed after this point. 
It is already + * visible to userspace via device-tree, so exposing via sysfs is + * just a duplication. Remove it from in-memory copy. */ + hwvar = find_secvar("HWKH", 5, variable_bank); + if (!hwvar) { + prlog(PR_ERR, "cannot find hw-key-hash, should not happen\n"); + return OPAL_INTERNAL_ERROR; + } + list_del(&hwvar->link); + dealloc_secvar(hwvar); + } + + return OPAL_SUCCESS; +} + +static int edk2_compat_validate(struct secvar *var) +{ + + /* Checks if the update is for supported + * Non-volatile secure variables */ + if (!key_equals(var->key, "PK") + && !key_equals(var->key, "KEK") + && !key_equals(var->key, "db") + && !key_equals(var->key, "dbx")) + return OPAL_PARAMETER; + + /* Check that signature type is PKCS7 */ + if (!is_pkcs7_sig_format(var->data)) + return OPAL_PARAMETER; + + return OPAL_SUCCESS; +}; + +struct secvar_backend_driver edk2_compatible_v1 = { + .pre_process = edk2_compat_pre_process, + .process = edk2_compat_process, + .post_process = edk2_compat_post_process, + .validate = edk2_compat_validate, + .compatible = "ibm,edk2-compat-v1", +}; diff --git a/libstb/secvar/backend/edk2.h b/libstb/secvar/backend/edk2.h new file mode 100644 index 00000000..fb0121af --- /dev/null +++ b/libstb/secvar/backend/edk2.h 
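Review bot: `newesl` leaks on the error paths of `edk2_compat_process()` (edk2-compat.c): `process_update()` hands the `zalloc()`'d buffer back through `*newesl` even when it fails after `validate_esl_list()`, and the `break` after a failing `update_variable_in_bank()` skips the `free(newesl)` that follows it. Free it on every path out of the loop body (or under `cleanup:`) so a rejected update does not leak. Two smaller points: on a hardware key hash mismatch the function clears `update_bank` and returns the `reset_keystore()` result, normally `OPAL_SUCCESS`, so queued updates are dropped without the caller seeing an error; and the return values of `add_hw_key_hash(&staging_bank)` and `delete_hw_key_hash(&staging_bank)` after a PK update are ignored. Style: stray `;` after the closing brace of `edk2_compat_pre_process()` and `edk2_compat_validate()`.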
@@ -0,0 +1,243 @@ +/* Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. This + * program and the accompanying materials are licensed and made available + * under the terms and conditions of the 2-Clause BSD License which + * accompanies this distribution. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * This file is derived from the following files referred from edk2-staging[1] repo + * of tianocore + * + * MdePkg/Include/Guid/GlobalVariable.h + * MdePkg/Include/Guid/WinCertificate.h + * MdePkg/Include/Uefi/UefiMultiPhase.h + * MdePkg/Include/Uefi/UefiBaseType.h + * MdePkg/Include/Guid/ImageAuthentication.h + * + * [1] https://github.com/tianocore/edk2-staging + * + * Copyright 2020 IBM Corp. 
+ */ + +#ifndef __EDK2_H__ +#define __EDK2_H__ + +#define UUID_SIZE 16 + +typedef struct { + u8 b[UUID_SIZE]; +} uuid_t; + +#define EFI_GLOBAL_VARIABLE_GUID (uuid_t){{0x61, 0xDF, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11, 0xaa, \ + 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}} + +#define EFI_IMAGE_SECURITY_DATABASE_GUID (uuid_t){{0xcb, 0xb2, 0x19, 0xd7, 0x3a, 0x3d, 0x96, 0x45, \ + 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}} + +#define SECVAR_ATTRIBUTES 39 + +/// +/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 +/// certificate then verification of the signature of an image should validate the public +/// key certificate in the image using certificate path verification, up to this X.509 +/// certificate as a trusted root. The SignatureHeader size shall always be 0. The +/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) + +/// the size of the certificate itself. +/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST. +/// + +#define EFI_CERT_RSA2048_GUID \ + (UUID_INIT) (0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6) + +#define EFI_CERT_TYPE_PKCS7_GUID (uuid_t){{0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, \ + 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7}} + +#define EFI_VARIABLE_NON_VOLATILE 0x00000001 +#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 +#define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 + +/* + * Attributes of Authenticated Variable + */ +#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 +#define EFI_VARIABLE_APPEND_WRITE 0x00000040 +/* + * NOTE: EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated and should be + * considered reserved. 
+ */ +#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 + +/* + * win_certificate.w_certificate_type + */ +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 + +#define SECURE_BOOT_MODE_ENABLE 1 +#define SECURE_BOOT_MODE_DISABLE 0 +/// +/// Depricated value definition for SetupMode variable +/// +#define SETUP_MODE 1 +#define USER_MODE 0 + +/* + * EFI Time Abstraction: + * Year: 1900 - 9999 + * Month: 1 - 12 + * Day: 1 - 31 + * Hour: 0 - 23 + * Minute: 0 - 59 + * Second: 0 - 59 + * Nanosecond: 0 - 999,999,999 + * TimeZone: -1440 to 1440 or 2047 + */ +struct efi_time { + u16 year; + u8 month; + u8 day; + u8 hour; + u8 minute; + u8 second; + u8 pad1; + u32 nanosecond; + s16 timezone; + u8 daylight; + u8 pad2; +}; +//*********************************************************************** +// Signature Database +//*********************************************************************** +/// +/// The format of a signature database. +/// +#pragma pack(1) + +typedef struct { + /// + /// An identifier which identifies the agent which added the signature to the list. + /// + uuid_t SignatureOwner; + /// + /// The format of the signature is defined by the SignatureType. + /// + unsigned char SignatureData[0]; +} EFI_SIGNATURE_DATA; + +typedef struct { + /// + /// Type of the signature. GUID signature types are defined in below. + /// + uuid_t SignatureType; + /// + /// Total size of the signature list, including this header. + /// + uint32_t SignatureListSize; + /// + /// Size of the signature header which precedes the array of signatures. + /// + uint32_t SignatureHeaderSize; + /// + /// Size of each signature. + /// + uint32_t SignatureSize; + /// + /// Header before the array of signatures. The format of this header is specified + /// by the SignatureType. + /// UINT8 SignatureHeader[SignatureHeaderSize]; + /// + /// An array of signatures. Each signature is SignatureSize bytes in length. 
+ /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; + /// +} EFI_SIGNATURE_LIST; + + +/* + * The win_certificate structure is part of the PE/COFF specification. + */ +struct win_certificate { + /* + * The length of the entire certificate, including the length of the + * header, in bytes. + */ + u32 dw_length; + /* + * The revision level of the WIN_CERTIFICATE structure. The current + * revision level is 0x0200. + */ + u16 w_revision; + /* + * The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate + * types. The UEFI specification reserves the range of certificate type + * values from 0x0EF0 to 0x0EFF. + */ + u16 w_certificate_type; + /* + * The following is the actual certificate. The format of + * the certificate depends on wCertificateType. + */ + /// UINT8 bCertificate[ANYSIZE_ARRAY]; +}; + +/* + * Certificate which encapsulates a GUID-specific digital signature + */ +struct win_certificate_uefi_guid { + /* + * This is the standard win_certificate header, where w_certificate_type + * is set to WIN_CERT_TYPE_EFI_GUID. + */ + struct win_certificate hdr; + /* + * This is the unique id which determines the format of the cert_data. + */ + uuid_t cert_type; + /* + * The following is the certificate data. The format of the data is + * determined by the @cert_type. If @cert_type is + * EFI_CERT_TYPE_RSA2048_SHA256_GUID, the @cert_data will be + * EFI_CERT_BLOCK_RSA_2048_SHA256 structure. + */ + u8 cert_data[1]; +}; +/* + * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set, + * then the Data buffer shall begin with an instance of a complete (and + * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be + * followed by the new variable value and DataSize shall reflect the combined + * size of the descriptor and the new variable value. The authentication + * descriptor is not part of the variable data and is not returned by subsequent + * calls to GetVariable(). 
+ */ +struct efi_variable_authentication_2 { + /* + * For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and + * Pad2 shall be set to 0. This means that the time shall always be expressed in GMT. + */ + struct efi_time timestamp; + /* + * Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted. + */ + struct win_certificate_uefi_guid auth_info; +}; + +#endif
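Review bot: `EFI_CERT_RSA2048_GUID` in edk2.h expands to `(UUID_INIT) (0x3c5766e8, ...)`, but `UUID_INIT` is not defined anywhere in this header (the other GUIDs use the `(uuid_t){{...}}` form), so any use of the macro fails to compile; define it in the same style or drop it. `#pragma pack(1)` before `EFI_SIGNATURE_DATA` is never closed with `#pragma pack()`, so packing also applies to `win_certificate`, `win_certificate_uefi_guid`, `efi_variable_authentication_2` and to anything included after this header; these structures are parsed from wire data and should be packed, so say so in a comment and restore the default packing at the end of the file. `SECVAR_ATTRIBUTES 39` would be clearer as the OR of the named flags, `EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS` (0x27, i.e. 39). Typo in the SetupMode comment: "Depricated".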
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:51 -0500 Message-Id: <20200511213152.24952-18-erichte@linux.ibm.com> In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> Subject: [Skiboot] [PATCH v4 17/18] secvar/test: add edk2-compat driver test and test data Cc: nayna@linux.ibm.com

This patch contains a set of tests to exercise the edk2 driver using actual properly (and in some cases, improperly) signed binary data. Due to the excessive size of the binary data included in the header files, this test was split into its own patch. Co-developed-by: Nayna Jain Signed-off-by: Nayna Jain 
Signed-off-by: Eric Richter --- libstb/secvar/test/Makefile.check | 6 +- libstb/secvar/test/data/KEK.h | 170 +++++ libstb/secvar/test/data/PK1.h | 170 +++++ libstb/secvar/test/data/edk2_test_data.h | 764 +++++++++++++++++++ libstb/secvar/test/data/multipleDB.h | 246 ++++++ libstb/secvar/test/data/multipleKEK.h | 236 ++++++ libstb/secvar/test/data/multiplePK.h | 236 ++++++ libstb/secvar/test/data/noPK.h | 102 +++ libstb/secvar/test/secvar-test-edk2-compat.c | 297 +++++++ libstb/secvar/test/secvar_common_test.c | 2 + 10 files changed, 2227 insertions(+), 2 deletions(-) create mode 100644 libstb/secvar/test/data/KEK.h create mode 100644 libstb/secvar/test/data/PK1.h create mode 100644 libstb/secvar/test/data/edk2_test_data.h create mode 100644 libstb/secvar/test/data/multipleDB.h create mode 100644 libstb/secvar/test/data/multipleKEK.h create mode 100644 libstb/secvar/test/data/multiplePK.h create mode 100644 libstb/secvar/test/data/noPK.h create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c diff --git a/libstb/secvar/test/Makefile.check b/libstb/secvar/test/Makefile.check index 5999b2a9..4f140455 100644 --- a/libstb/secvar/test/Makefile.check +++ b/libstb/secvar/test/Makefile.check 
@@ -31,13 +31,15 @@ $(SECVAR_TEST:%=%-check) : %-check: % $(call QTEST, RUN-TEST ,$(VALGRIND) $<, $<) @$(RM) -f secboot.img +HOSTMBEDFLAGS += -lmbedcrypto -lmbedx509 + $(SECVAR_TEST) : core/test/stubs.o $(SECVAR_TEST) : % : %.c - $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $< core/test/stubs.o, $<) + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTMBEDFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $< core/test/stubs.o, $<) $(SECVAR_TEST:%=%-gcov): %-gcov : %.c % - $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTGCOVCFLAGS) -I include -I . -I libfdt -lgcov -o $@ $< core/test/stubs.o, $<) + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTGCOVCFLAGS) $(HOSTMBEDFLAGS) -I include -I . -I libfdt -lgcov -o $@ $< core/test/stubs.o, $<) -include $(wildcard libstb/secvar/test/*.d) diff --git a/libstb/secvar/test/data/KEK.h b/libstb/secvar/test/data/KEK.h new file mode 100644 index 00000000..23dc3774 --- /dev/null +++ b/libstb/secvar/test/data/KEK.h 
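Review bot: `$(HOSTMBEDFLAGS)` (`-lmbedcrypto -lmbedx509`) is placed before the source file and `core/test/stubs.o` on the `$(HOSTCC)` command line in both rules of this hunk; with a single-pass linker, or a toolchain that defaults to `--as-needed`, libraries listed before the objects that reference them are discarded and the link fails with unresolved mbedtls symbols, so move `$(HOSTMBEDFLAGS)` after `core/test/stubs.o` at the end of the link line. The name also suggests compiler flags while the variable holds link libraries; `HOSTMBEDLIBS` would read better.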
@@ -0,0 +1,170 @@ +/* Good KEK */ +unsigned char KEK_auth[] = { + 0xe3, 0x07, 0x0b, 0x16, 0x0e, 0x05, 0x2b, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 
0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 
0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x32, 0x9b, 0x97, 0xe6, 0xed, 0x49, 0xc7, + 0x0d, 0xa9, 0x5d, 0xdd, 0x22, 0x62, 0xa4, 0x89, 0x11, 0x9e, 0x47, 0x94, + 0x08, 0x55, 0x7b, 0xd8, 0xd0, 0xc7, 0xbf, 0x65, 0x56, 0x9f, 0x31, 0x86, + 0x2e, 
0x32, 0x52, 0x7d, 0x2d, 0x1a, 0x3b, 0xbf, 0x21, 0x87, 0xbb, 0x23, + 0xe8, 0xa9, 0xad, 0x2d, 0xa8, 0x6e, 0xea, 0x2d, 0x3a, 0x48, 0xac, 0xf4, + 0xed, 0xcf, 0x9e, 0xba, 0x8b, 0x7e, 0xcc, 0x5a, 0x13, 0x47, 0x88, 0xba, + 0x4e, 0x59, 0xc8, 0xea, 0xf2, 0x17, 0x9f, 0x64, 0x4d, 0x14, 0x73, 0xf5, + 0x49, 0xd3, 0x5e, 0x5b, 0x42, 0x23, 0x73, 0x3e, 0xf4, 0x59, 0xc6, 0x24, + 0x68, 0x53, 0x50, 0xf9, 0x97, 0x6b, 0xfe, 0xad, 0xdd, 0xa1, 0x5a, 0x4d, + 0x43, 0x86, 0xdc, 0x33, 0x22, 0xf5, 0x8e, 0xec, 0xc8, 0xc9, 0xb5, 0xd0, + 0x73, 0xa3, 0x86, 0x50, 0xc0, 0x6d, 0xd1, 0x22, 0xcc, 0xd4, 0x42, 0x58, + 0x52, 0xf6, 0x8b, 0x58, 0x3b, 0x62, 0xe7, 0x27, 0x59, 0xa8, 0xac, 0xf0, + 0x67, 0x33, 0xcf, 0xdf, 0xef, 0x26, 0xf9, 0x08, 0x0b, 0xc2, 0xd3, 0xd8, + 0xcb, 0x9e, 0x05, 0x71, 0x3f, 0x09, 0xac, 0x5d, 0x5f, 0xa9, 0x09, 0x08, + 0xaf, 0xd1, 0xe9, 0x0c, 0x64, 0x85, 0x11, 0xee, 0xc9, 0xb9, 0x7b, 0xfe, + 0x90, 0x5d, 0x5f, 0x42, 0x65, 0xfa, 0xb3, 0xce, 0xae, 0x2f, 0xdd, 0x50, + 0xb9, 0x60, 0xd8, 0x3d, 0xad, 0x39, 0xa8, 0x4f, 0x94, 0xa2, 0x16, 0xef, + 0xee, 0xa5, 0xd4, 0x07, 0xba, 0xb9, 0x00, 0xa6, 0x5c, 0xf6, 0x73, 0x82, + 0xc2, 0x4a, 0xee, 0x6d, 0xdf, 0x1d, 0xdf, 0x30, 0xf4, 0x3b, 0x06, 0x6b, + 0xb5, 0x5a, 0xf4, 0x02, 0x40, 0x15, 0x86, 0xa6, 0xad, 0x68, 0x12, 0xb8, + 0xb8, 0xdc, 0xd4, 0x8d, 0xc0, 0x28, 0x90, 0x34, 0x41, 0xed, 0xce, 0x79, + 0x00, 0x86, 0x50, 0x60, 0xd1, 0xf6, 0x57, 0xd0, 0x4d, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x22, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf2, 0x30, 0x82, 0x01, + 0xda, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xfe, 0xdd, 0x2e, + 0xec, 0xe0, 0x22, 0xdd, 0xf9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 
0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, + 0x35, 0x36, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, + 0x39, 0x31, 0x38, 0x35, 0x36, 0x33, 0x31, 0x5a, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0xf8, 0xab, + 0xdb, 0xc2, 0xf5, 0x51, 0xde, 0x7b, 0x9f, 0x28, 0xff, 0xae, 0xdb, 0xa5, + 0xbf, 0x73, 0x63, 0x99, 0x5e, 0x04, 0xa5, 0x9d, 0xfd, 0xcd, 0x24, 0x2e, + 0xdd, 0x0b, 0x02, 0x88, 0xe9, 0x71, 0x7b, 0xf2, 0x89, 0x90, 0xae, 0xaf, + 0x0d, 0xa0, 0x68, 0x4d, 0x31, 0x1b, 0x30, 0xe8, 0x19, 0x2e, 0xfc, 0x33, + 0x8f, 0xee, 0x6d, 0x2a, 0x0a, 0x09, 0x42, 0x34, 0xc1, 0x40, 0xa8, 0xe8, + 0xb6, 0xc7, 0x92, 0x5d, 0xa5, 0x96, 0x14, 0xd7, 0xaf, 0x8c, 0x71, 0x6b, + 0x4e, 0x7d, 0x6e, 0xfa, 0x73, 0x1c, 0x40, 0x4c, 0x05, 0x9e, 0xfa, 0xb2, + 0x4c, 0x8c, 0xcb, 0x9d, 0xe2, 0xa9, 0x04, 0x01, 0x91, 0x5b, 0xbf, 0xff, + 0x85, 0x54, 0x2a, 0x65, 0x96, 0x84, 0x6f, 0xfa, 0x99, 0x1c, 0x9e, 0xe0, + 0x77, 0x68, 0x4d, 0x58, 0x2a, 0xc7, 0xc0, 0x8f, 0x71, 0x5a, 0x8f, 0xa9, + 0xff, 0x44, 0xed, 0xf7, 0xe4, 0x47, 0xd8, 0x4c, 0x9c, 0xf4, 0x78, 0xa0, + 0xb3, 0x37, 0xaf, 0x43, 0x0b, 0x03, 0x6f, 0xe4, 0xe1, 0x2d, 0x52, 0x0b, + 0x4b, 0x62, 0xc6, 0x2f, 0xe3, 0xfc, 0x32, 0xf2, 0xe2, 0x11, 0x1c, 0xac, + 0xdf, 0x5a, 0xe8, 0xdd, 0x55, 0x65, 0xa4, 0x6f, 0x61, 0xb7, 0x0f, 0x1c, + 0xc6, 0x08, 0x2a, 0xaf, 0x5d, 0x36, 0x50, 0x06, 0x7b, 0x49, 0xa0, 0x8b, + 0x1c, 0x93, 0xdc, 0x72, 0x69, 0x7b, 0xf1, 0xcc, 0xee, 0xa4, 0xe8, 0xd0, + 0x7b, 0x5f, 0x61, 0xbc, 0xbe, 0x20, 0xfb, 0x0b, 0xaa, 0x54, 0xf6, 0xe0, + 0x13, 0xad, 0xe8, 0x96, 0x53, 0x6a, 0xa9, 0x4b, 0xa1, 0xcf, 0x56, 0x10, + 0xbc, 0x2a, 0x09, 0xc9, 0x0a, 0xcc, 0x8d, 0x20, 0xdd, 0x4d, 0x14, 0xc7, + 0x08, 0xab, 0xc1, 0xc3, 0xaf, 0x0b, 0x35, 0x40, 0x57, 0x34, 0x97, 0x3b, + 0xa2, 
0x2d, 0xa3, 0x46, 0xc1, 0x30, 0x14, 0x88, 0xa8, 0x74, 0x79, 0xdd, + 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd7, 0x75, 0xfc, + 0xed, 0xb7, 0xc8, 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, + 0xbe, 0x57, 0x0d, 0x94, 0xa8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, + 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, + 0x94, 0xa8, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x58, 0xd2, 0x25, 0xa3, 0xe6, 0xaa, 0xb9, 0x56, 0x67, + 0xc3, 0xa6, 0x4b, 0x88, 0x99, 0xfe, 0xde, 0xc6, 0x16, 0x4c, 0x43, 0x1b, + 0xb8, 0xea, 0xe3, 0x77, 0xc4, 0xe4, 0x66, 0x15, 0x9f, 0x92, 0x6d, 0xe3, + 0x7f, 0x3c, 0xac, 0x88, 0x8b, 0xb9, 0xc5, 0x5c, 0x39, 0x4f, 0x02, 0x75, + 0x5a, 0x3d, 0xc5, 0xaf, 0xad, 0x8f, 0x32, 0xd4, 0x5a, 0x44, 0xc8, 0xcb, + 0x1f, 0x40, 0xa1, 0x44, 0xef, 0xa8, 0x2a, 0xa4, 0x0d, 0x7a, 0x25, 0xe1, + 0x6c, 0x09, 0x4b, 0x96, 0x6a, 0x73, 0x0f, 0xe0, 0x9b, 0x0e, 0x26, 0xff, + 0x61, 0x96, 0xc4, 0xb6, 0x10, 0xe1, 0x90, 0x36, 0xfd, 0x96, 0xb5, 0x90, + 0xb0, 0x76, 0xed, 0xc2, 0x17, 0xc0, 0xfe, 0xd4, 0x38, 0xff, 0x7f, 0xc3, + 0xa0, 0x88, 0x60, 0xe8, 0x27, 0x10, 0x34, 0x35, 0x93, 0x59, 0xcb, 0x12, + 0xe5, 0x25, 0xaf, 0x2d, 0x1d, 0x7d, 0x3f, 0x16, 0x95, 0x71, 0x57, 0x8e, + 0x3f, 0xc2, 0xad, 0x8e, 0xc4, 0x0e, 0xe1, 0xed, 0x46, 0xf9, 0xd7, 0x07, + 0x85, 0xb3, 0x05, 0xbe, 0xf1, 0x4c, 0xba, 0xf1, 0x34, 0xe5, 0xd5, 0x26, + 0x9b, 0x6c, 0x15, 0x9e, 0x35, 0xa2, 0xd5, 0x81, 0x09, 0x36, 0x05, 0xa6, + 0x99, 0x1f, 0xa2, 0x17, 0x35, 0x3a, 0x38, 0x18, 0x52, 0x44, 0xcf, 0x22, + 0xb3, 0x69, 0xba, 0x07, 0x74, 0x48, 0x1c, 0x8e, 0x4c, 0xa7, 0xb0, 0xc2, + 0x65, 0x6c, 0x1d, 0x30, 0xe2, 0x82, 0xc2, 0x35, 0x60, 0x25, 0xf2, 0xb1, + 0x05, 
0x18, 0x0a, 0x73, 0x87, 0x27, 0xee, 0x6e, 0xc2, 0x5f, 0xff, 0xd8, + 0xfc, 0x77, 0x06, 0x2e, 0x3d, 0x4f, 0xa1, 0x14, 0x04, 0x5d, 0xae, 0x38, + 0x28, 0xf9, 0x3d, 0x82, 0x5f, 0xc6, 0xd0, 0x31, 0x21, 0x88, 0xda, 0x7f, + 0x78, 0xe3, 0xb7, 0xed, 0x52, 0x37, 0xf4, 0x29, 0x08, 0x88, 0x50, 0x54, + 0x56, 0x67, 0xc0, 0xe1, 0xf4, 0xe7, 0xcf, +}; +unsigned int KEK_auth_len = 1987; diff --git a/libstb/secvar/test/data/PK1.h b/libstb/secvar/test/data/PK1.h new file mode 100644 index 00000000..b85ef13c --- /dev/null +++ b/libstb/secvar/test/data/PK1.h 
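Review bot: `unsigned char KEK_auth[]` and `unsigned int KEK_auth_len` are non-`static`, non-`const` definitions in a header, so a second translation unit including `KEK.h` fails to link with duplicate symbols, and the test can silently modify its own fixture; `static const unsigned char KEK_auth[]` and `static const unsigned int KEK_auth_len` avoid both. The `/* Good KEK */` comment should also say what makes it good and how it was produced, in the same way PK1.h records its generation time: from the bytes this is an EFI_VARIABLE_AUTHENTICATION_2 blob (EFI_TIME `0xe3, 0x07, 0x0b, 0x16, 0x0e, 0x05, 0x2b`, i.e. 2019-11-22 14:05:43) whose PKCS#7 SignerInfo names the CN=PK certificate with serial `00:ec:89:21:be:c3:b0:04:c6`, and whose EFI_SIGNATURE_LIST payload is an EFI_CERT_X509 entry carrying a CN=KEK certificate, so "good" means a KEK update authorized by the PK from PK1.h; stating that in the comment tells the next reader which negative tests this fixture is the positive counterpart of.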
@@ -0,0 +1,170 @@ +/* Validly signed PK generated at 2019 12-13 23:32:28 */ +unsigned char PK1_auth[] = { + 0xe3, 0x07, 0x0c, 0x0d, 0x17, 0x20, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 
0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 
0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x5a, 0x80, 0x8f, 0x41, 0xa7, 0xad, 0xdb, + 0x5b, 0xe1, 0xd8, 0x9e, 0xe7, 0x53, 0x79, 0x26, 0xf0, 0x37, 0xde, 0x18, + 0xbe, 0x9c, 0xe0, 0x10, 0x3f, 0x63, 0xad, 
0x27, 0xfd, 0x56, 0x5a, 0xff, + 0xf9, 0xd0, 0x8c, 0x90, 0x65, 0x28, 0x9d, 0xcf, 0x4d, 0xf1, 0x83, 0x19, + 0x54, 0x70, 0xf0, 0x06, 0x22, 0x6d, 0xc5, 0xeb, 0xc2, 0x50, 0x67, 0x7f, + 0x2a, 0x58, 0xf8, 0xca, 0xe7, 0x1d, 0xc4, 0xb2, 0x3d, 0x51, 0x65, 0x68, + 0x7f, 0x0f, 0x20, 0xab, 0x89, 0xa0, 0x68, 0x67, 0xf7, 0xe4, 0x78, 0xcd, + 0x3a, 0xf5, 0x2a, 0xe1, 0xb5, 0x82, 0x69, 0x17, 0x5c, 0x00, 0xcd, 0x61, + 0xf4, 0xe8, 0x13, 0xf3, 0xf8, 0x80, 0xa6, 0xac, 0x75, 0xde, 0x69, 0x18, + 0xb2, 0x98, 0x57, 0x2d, 0xbf, 0x7f, 0xe0, 0xcf, 0xc3, 0x82, 0x19, 0x89, + 0x4b, 0x56, 0x0e, 0xfe, 0xa6, 0x56, 0x56, 0x14, 0xb8, 0xf2, 0xf7, 0xe1, + 0xd9, 0xc7, 0x7c, 0x1c, 0x0f, 0xe7, 0x2a, 0xa5, 0x22, 0x97, 0xfc, 0x10, + 0x38, 0xab, 0x08, 0x2a, 0x7b, 0x35, 0x17, 0x73, 0x5d, 0x6c, 0x27, 0x98, + 0x79, 0xa8, 0x3e, 0x7a, 0x43, 0xb7, 0x81, 0x94, 0xcd, 0x27, 0x18, 0x0d, + 0xd5, 0x0c, 0xec, 0xd6, 0x35, 0x96, 0x95, 0xd1, 0xe7, 0xbb, 0x0b, 0x27, + 0x39, 0xde, 0x2e, 0x03, 0x83, 0xb1, 0x15, 0x79, 0x59, 0x93, 0xd3, 0x5f, + 0x69, 0x0d, 0x89, 0x5e, 0x0b, 0x3a, 0xe2, 0x5a, 0xff, 0xd6, 0x62, 0x24, + 0x84, 0x37, 0x57, 0xd7, 0x91, 0x38, 0x15, 0x80, 0x08, 0x95, 0x66, 0x96, + 0x33, 0x0f, 0x8c, 0x7e, 0x53, 0x67, 0x1f, 0x65, 0x18, 0x4e, 0x14, 0x4f, + 0xba, 0xc6, 0xe0, 0xaa, 0x8e, 0x7d, 0x90, 0x59, 0xe8, 0x0f, 0x7a, 0xfb, + 0xc0, 0x41, 0xbc, 0x35, 0x2e, 0xca, 0x5f, 0xb5, 0xa6, 0xab, 0xdf, 0xcb, + 0xaa, 0xcc, 0xda, 0x5e, 0x1d, 0xc5, 0xef, 0x64, 0x0a, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, + 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, + 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 
0x0c, 0x02, 0x50, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, + 0x2d, 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, + 0x61, 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, + 0xd3, 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, + 0xb4, 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, + 0x0d, 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, + 0x8d, 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, + 0x5f, 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, + 0xf0, 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, + 0x75, 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, + 0x91, 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, + 0xbf, 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, + 0x21, 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, + 0x41, 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, + 0x87, 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, + 0x0e, 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, + 0xac, 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, + 0x2c, 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, + 0xed, 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, + 0x8d, 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, + 0xee, 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 
0x46, 0x04, 0xfd, 0x96, 0x46, + 0x2a, 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, + 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, + 0xef, 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, + 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, + 0x37, 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, + 0x9c, 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, + 0xb1, 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, + 0x9f, 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, + 0xe5, 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, + 0xe1, 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, + 0xed, 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, + 0xd4, 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, + 0xe0, 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, + 0xcc, 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, + 0x14, 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, + 0x23, 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, + 0xe2, 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, + 0x7f, 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, + 0xfa, 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, + 0x52, 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 
0x4f, 0x01, 0xb1, 0x58, 0x67, + 0xe7, 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, + 0xb7, 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, + 0x0c, 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, + 0x8b, 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, + 0xe7, 0x12, 0xe1, 0x66, 0x15, +}; +unsigned int PK1_auth_len = 1985; diff --git a/libstb/secvar/test/data/edk2_test_data.h b/libstb/secvar/test/data/edk2_test_data.h new file mode 100644 index 00000000..13d4cc80 --- /dev/null +++ b/libstb/secvar/test/data/edk2_test_data.h 
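Review bot: `unsigned int PK1_auth_len = 1985;` (like `KEK_auth_len = 1987` in KEK.h) is a hand-maintained constant. The numbers do add up (16-byte EFI_TIME + the 0x0491 = 1169-byte WIN_CERTIFICATE_UEFI_GUID + the 0x0320 = 800-byte EFI_SIGNATURE_LIST for PK1, 802 bytes for the KEK list), but anyone regenerating a blob has to update the array and the length separately, and a stale length is exactly the off-by-N a parser test should not inherit from its fixture; define it as `sizeof(PK1_auth)` or drop the `_len` variable and use `sizeof` at the call sites. The comment's generation timestamp matches the embedded EFI_TIME (`0xe3, 0x07, 0x0c, 0x0d, 0x17, 0x20, 0x1c` = 2019-12-13 23:32:28), which is good; it would be worth adding that the SignerInfo names CN=PK with serial `00:ec:89:21:be:c3:b0:04:c6`, the same certificate carried in the payload, i.e. a self-signed PK enrollment.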
@@ -0,0 +1,764 @@ +unsigned char PK_auth[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 
0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 
0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x21, 0xa2, 0xb4, 0x87, 0x9c, 0xa0, 0xe7, + 0x62, 0x82, 0x2a, 0x50, 0x0f, 0x59, 0xf0, 0x0e, 0xe4, 0xd8, 0xf1, 0x99, + 0xa1, 0x6f, 0x70, 0x76, 0x14, 0xe6, 0x59, 0xa1, 0x7f, 0xc7, 0xf6, 0xfa, + 0x6f, 0x7d, 0x43, 0xb9, 
0x4c, 0x0a, 0x6f, 0x2e, 0xc3, 0x46, 0xe5, 0xbd, + 0xea, 0xa8, 0xaa, 0x88, 0x09, 0x99, 0x93, 0xb5, 0x31, 0x41, 0x3e, 0x30, + 0xdb, 0x2f, 0xad, 0x34, 0x45, 0x84, 0xaa, 0xac, 0xd5, 0xa0, 0x1a, 0x16, + 0x55, 0x7c, 0x12, 0xa9, 0x24, 0x0e, 0x5b, 0xc1, 0x28, 0x4b, 0x77, 0x70, + 0x6f, 0xc3, 0x7a, 0xf5, 0x98, 0x32, 0xe2, 0x0d, 0x24, 0x87, 0x70, 0x65, + 0x0c, 0xb1, 0x72, 0x3f, 0xde, 0x07, 0xcb, 0x35, 0x1b, 0x88, 0x0e, 0x4c, + 0x3b, 0x18, 0x65, 0x0e, 0x6c, 0xa9, 0x99, 0x5d, 0xa0, 0x13, 0x99, 0xaa, + 0x91, 0xc4, 0xbd, 0x1a, 0x77, 0x47, 0x2d, 0x0d, 0x0c, 0xda, 0x82, 0xd6, + 0x29, 0xc2, 0x08, 0x3c, 0x7e, 0x2a, 0x3b, 0x38, 0x99, 0x44, 0x51, 0xb1, + 0x41, 0x86, 0xb7, 0xe3, 0x31, 0xe4, 0x0c, 0x1b, 0xb4, 0xfb, 0x53, 0x7b, + 0xb1, 0x32, 0x04, 0x02, 0x40, 0x26, 0xfa, 0x67, 0xfa, 0xc0, 0xb5, 0x9a, + 0xd7, 0x86, 0x33, 0xfa, 0x5a, 0x88, 0x78, 0xf4, 0x45, 0x07, 0xdb, 0x6c, + 0x91, 0x4a, 0x4d, 0x61, 0x4a, 0x8f, 0x14, 0x63, 0x2a, 0x4a, 0xc9, 0x37, + 0x1c, 0xf3, 0xb0, 0x87, 0xd1, 0x1b, 0x10, 0xe2, 0x1e, 0x9b, 0x7b, 0xd6, + 0x44, 0xf2, 0x09, 0x88, 0xdc, 0x82, 0x52, 0x35, 0xec, 0xd7, 0x76, 0xc0, + 0xcc, 0xb4, 0x90, 0x66, 0x29, 0xd5, 0x18, 0xf9, 0xb3, 0x44, 0x70, 0x94, + 0x80, 0x10, 0xd0, 0x33, 0x7e, 0xfa, 0xe7, 0xfc, 0x6b, 0x3e, 0x81, 0x64, + 0xdb, 0xaa, 0x2f, 0x9f, 0x18, 0xc1, 0xae, 0x4a, 0x50, 0x59, 0x9f, 0xd4, + 0x1a, 0x3f, 0xc3, 0x08, 0x08, 0x1c, 0xbf, 0x61, 0xe7, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, + 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, + 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 0x31, 
0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, + 0x2d, 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, + 0x61, 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, + 0xd3, 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, + 0xb4, 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, + 0x0d, 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, + 0x8d, 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, + 0x5f, 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, + 0xf0, 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, + 0x75, 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, + 0x91, 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, + 0xbf, 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, + 0x21, 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, + 0x41, 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, + 0x87, 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, + 0x0e, 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, + 0xac, 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, + 0x2c, 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, + 0xed, 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, + 0x8d, 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, + 0xee, 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, + 0x2a, 0x8b, 0x8d, 0xa2, 
0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, + 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, + 0xef, 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, + 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, + 0x37, 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, + 0x9c, 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, + 0xb1, 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, + 0x9f, 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, + 0xe5, 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, + 0xe1, 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, + 0xed, 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, + 0xd4, 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, + 0xe0, 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, + 0xcc, 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, + 0x14, 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, + 0x23, 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, + 0xe2, 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, + 0x7f, 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, + 0xfa, 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, + 0x52, 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, + 0xe7, 0x59, 0x6a, 0x9a, 
0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, + 0xb7, 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, + 0x0c, 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, + 0x8b, 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, + 0xe7, 0x12, 0xe1, 0x66, 0x15, +}; +unsigned int PK_auth_len = 1985; + +unsigned char ValidKEK_auth[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 
0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 
0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 
0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0xbf, 0xe8, 0x0c, 0x4c, 0x32, 0x9a, 0x6e, + 0x05, 0x20, 0x92, 0xa5, 0x65, 0x4e, 0xc3, 0x46, 0x24, 0x8d, 0xaf, 0x84, + 0xd5, 0xe6, 0x43, 0xa0, 0x12, 0xa1, 0x4b, 0x98, 0x71, 0x5e, 0xe6, 0xed, + 0x2c, 0x1d, 0x83, 0xeb, 0x67, 0xb5, 0x85, 0x57, 0xce, 0x1a, 0x01, 0x20, + 0x2b, 0x79, 0xe0, 0x07, 0x8f, 0x25, 0x8e, 0xf4, 0xdf, 0x17, 0x83, 0xe6, + 0x4f, 0xf0, 0xba, 0x98, 0xb7, 0xc4, 0x82, 0xae, 0x8b, 0x63, 0xa0, 0x77, + 0x6b, 0xe2, 0x63, 0x36, 0x0a, 0xce, 0x7c, 0x0a, 0xb9, 0x25, 0xa7, 0xf6, + 0x26, 0x06, 0x40, 0x49, 0xeb, 0x40, 0x7b, 0xff, 0xb0, 0xc7, 0xf6, 0xd2, + 0x7f, 0x5e, 0x17, 0xf5, 0x28, 0x37, 0x0d, 0x82, 0x32, 0x22, 0xfb, 0xdd, + 0x52, 0x00, 0xc4, 0x63, 0xda, 0x4c, 0x81, 0x88, 0xc3, 0xda, 0x36, 0x40, + 0x18, 0xea, 0x8e, 0x6e, 0x2f, 0xeb, 0xc1, 0xb7, 0x69, 0x0d, 0xe3, 0xd6, + 0xda, 0xca, 0x10, 0xac, 0x88, 0x4a, 0x88, 0x13, 0xfe, 0x93, 0x48, 0xf5, + 0x00, 0x6e, 0x98, 0xb4, 0x9c, 0xc9, 0x24, 0xfc, 0xfb, 0x6a, 0x72, 0x40, + 0x76, 0x79, 0x10, 0x5c, 0xa1, 0x96, 0x95, 0x15, 0x7e, 0x6d, 0x07, 0x2c, + 0x02, 0xb1, 0xf8, 0xa9, 0x07, 0x1a, 0xba, 0x67, 0xc5, 0x7d, 0x6a, 0xdf, + 0x0c, 0xa1, 0xee, 0x6f, 0xbc, 0xac, 0x8e, 0xee, 0x43, 0x1f, 0xb2, 0xac, + 0xaf, 0x43, 0x67, 0xef, 0x6e, 0xac, 0x7a, 0x72, 0x85, 0xb3, 0x64, 0x93, + 0xde, 0x16, 0x13, 0x10, 0xd9, 0x98, 0x13, 0xec, 0x71, 0xb0, 0xef, 0x67, + 0x7d, 0x0c, 0x10, 0xde, 0x98, 0xe0, 0xc7, 0x56, 0x00, 0xbf, 0x21, 0x38, + 0x99, 0x2f, 0xf6, 0x52, 0x9b, 0x7e, 0x44, 0xd7, 0x85, 0x49, 0xd1, 0x2b, + 0x4f, 0xcb, 0x6e, 0x9d, 0x63, 0x93, 0xe0, 0xd2, 0xcb, 0x8b, 0x28, 0xb6, + 0x43, 0xc6, 0x12, 0x1f, 0xd6, 0x94, 0xad, 0xc7, 0xf2, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x22, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf2, 0x30, 0x82, 
0x01, + 0xda, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xfe, 0xdd, 0x2e, + 0xec, 0xe0, 0x22, 0xdd, 0xf9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, + 0x35, 0x36, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, + 0x39, 0x31, 0x38, 0x35, 0x36, 0x33, 0x31, 0x5a, 0x30, 0x0e, 0x31, 0x0c, + 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0xf8, 0xab, + 0xdb, 0xc2, 0xf5, 0x51, 0xde, 0x7b, 0x9f, 0x28, 0xff, 0xae, 0xdb, 0xa5, + 0xbf, 0x73, 0x63, 0x99, 0x5e, 0x04, 0xa5, 0x9d, 0xfd, 0xcd, 0x24, 0x2e, + 0xdd, 0x0b, 0x02, 0x88, 0xe9, 0x71, 0x7b, 0xf2, 0x89, 0x90, 0xae, 0xaf, + 0x0d, 0xa0, 0x68, 0x4d, 0x31, 0x1b, 0x30, 0xe8, 0x19, 0x2e, 0xfc, 0x33, + 0x8f, 0xee, 0x6d, 0x2a, 0x0a, 0x09, 0x42, 0x34, 0xc1, 0x40, 0xa8, 0xe8, + 0xb6, 0xc7, 0x92, 0x5d, 0xa5, 0x96, 0x14, 0xd7, 0xaf, 0x8c, 0x71, 0x6b, + 0x4e, 0x7d, 0x6e, 0xfa, 0x73, 0x1c, 0x40, 0x4c, 0x05, 0x9e, 0xfa, 0xb2, + 0x4c, 0x8c, 0xcb, 0x9d, 0xe2, 0xa9, 0x04, 0x01, 0x91, 0x5b, 0xbf, 0xff, + 0x85, 0x54, 0x2a, 0x65, 0x96, 0x84, 0x6f, 0xfa, 0x99, 0x1c, 0x9e, 0xe0, + 0x77, 0x68, 0x4d, 0x58, 0x2a, 0xc7, 0xc0, 0x8f, 0x71, 0x5a, 0x8f, 0xa9, + 0xff, 0x44, 0xed, 0xf7, 0xe4, 0x47, 0xd8, 0x4c, 0x9c, 0xf4, 0x78, 0xa0, + 0xb3, 0x37, 0xaf, 0x43, 0x0b, 0x03, 0x6f, 0xe4, 0xe1, 0x2d, 0x52, 0x0b, + 0x4b, 0x62, 0xc6, 0x2f, 0xe3, 0xfc, 0x32, 0xf2, 0xe2, 0x11, 0x1c, 0xac, + 0xdf, 0x5a, 0xe8, 0xdd, 0x55, 0x65, 0xa4, 0x6f, 0x61, 0xb7, 0x0f, 0x1c, + 0xc6, 0x08, 0x2a, 0xaf, 0x5d, 0x36, 0x50, 0x06, 0x7b, 0x49, 0xa0, 0x8b, + 0x1c, 0x93, 0xdc, 0x72, 0x69, 0x7b, 0xf1, 0xcc, 0xee, 0xa4, 0xe8, 
0xd0, + 0x7b, 0x5f, 0x61, 0xbc, 0xbe, 0x20, 0xfb, 0x0b, 0xaa, 0x54, 0xf6, 0xe0, + 0x13, 0xad, 0xe8, 0x96, 0x53, 0x6a, 0xa9, 0x4b, 0xa1, 0xcf, 0x56, 0x10, + 0xbc, 0x2a, 0x09, 0xc9, 0x0a, 0xcc, 0x8d, 0x20, 0xdd, 0x4d, 0x14, 0xc7, + 0x08, 0xab, 0xc1, 0xc3, 0xaf, 0x0b, 0x35, 0x40, 0x57, 0x34, 0x97, 0x3b, + 0xa2, 0x2d, 0xa3, 0x46, 0xc1, 0x30, 0x14, 0x88, 0xa8, 0x74, 0x79, 0xdd, + 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd7, 0x75, 0xfc, + 0xed, 0xb7, 0xc8, 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, + 0xbe, 0x57, 0x0d, 0x94, 0xa8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, + 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, + 0x94, 0xa8, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x58, 0xd2, 0x25, 0xa3, 0xe6, 0xaa, 0xb9, 0x56, 0x67, + 0xc3, 0xa6, 0x4b, 0x88, 0x99, 0xfe, 0xde, 0xc6, 0x16, 0x4c, 0x43, 0x1b, + 0xb8, 0xea, 0xe3, 0x77, 0xc4, 0xe4, 0x66, 0x15, 0x9f, 0x92, 0x6d, 0xe3, + 0x7f, 0x3c, 0xac, 0x88, 0x8b, 0xb9, 0xc5, 0x5c, 0x39, 0x4f, 0x02, 0x75, + 0x5a, 0x3d, 0xc5, 0xaf, 0xad, 0x8f, 0x32, 0xd4, 0x5a, 0x44, 0xc8, 0xcb, + 0x1f, 0x40, 0xa1, 0x44, 0xef, 0xa8, 0x2a, 0xa4, 0x0d, 0x7a, 0x25, 0xe1, + 0x6c, 0x09, 0x4b, 0x96, 0x6a, 0x73, 0x0f, 0xe0, 0x9b, 0x0e, 0x26, 0xff, + 0x61, 0x96, 0xc4, 0xb6, 0x10, 0xe1, 0x90, 0x36, 0xfd, 0x96, 0xb5, 0x90, + 0xb0, 0x76, 0xed, 0xc2, 0x17, 0xc0, 0xfe, 0xd4, 0x38, 0xff, 0x7f, 0xc3, + 0xa0, 0x88, 0x60, 0xe8, 0x27, 0x10, 0x34, 0x35, 0x93, 0x59, 0xcb, 0x12, + 0xe5, 0x25, 0xaf, 0x2d, 0x1d, 0x7d, 0x3f, 0x16, 0x95, 0x71, 0x57, 0x8e, + 0x3f, 0xc2, 0xad, 0x8e, 0xc4, 0x0e, 0xe1, 0xed, 0x46, 0xf9, 0xd7, 0x07, + 0x85, 0xb3, 0x05, 0xbe, 0xf1, 0x4c, 0xba, 0xf1, 0x34, 0xe5, 0xd5, 
0x26, + 0x9b, 0x6c, 0x15, 0x9e, 0x35, 0xa2, 0xd5, 0x81, 0x09, 0x36, 0x05, 0xa6, + 0x99, 0x1f, 0xa2, 0x17, 0x35, 0x3a, 0x38, 0x18, 0x52, 0x44, 0xcf, 0x22, + 0xb3, 0x69, 0xba, 0x07, 0x74, 0x48, 0x1c, 0x8e, 0x4c, 0xa7, 0xb0, 0xc2, + 0x65, 0x6c, 0x1d, 0x30, 0xe2, 0x82, 0xc2, 0x35, 0x60, 0x25, 0xf2, 0xb1, + 0x05, 0x18, 0x0a, 0x73, 0x87, 0x27, 0xee, 0x6e, 0xc2, 0x5f, 0xff, 0xd8, + 0xfc, 0x77, 0x06, 0x2e, 0x3d, 0x4f, 0xa1, 0x14, 0x04, 0x5d, 0xae, 0x38, + 0x28, 0xf9, 0x3d, 0x82, 0x5f, 0xc6, 0xd0, 0x31, 0x21, 0x88, 0xda, 0x7f, + 0x78, 0xe3, 0xb7, 0xed, 0x52, 0x37, 0xf4, 0x29, 0x08, 0x88, 0x50, 0x54, + 0x56, 0x67, 0xc0, 0xe1, 0xf4, 0xe7, 0xcf, +}; +unsigned int ValidKEK_auth_len = 1987; + +unsigned char InvalidKEK_auth[] = { + 0x00, 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x91, 0x04 , 0x00 , 0x00 , 0x00 , 0x02 , 0xf1 , 0x0e , 0x9d , 0xd2 , 0xaf , 0x4a , 0xdf , 0x68 , 0xee , 0x49 , + 0x8a, 0xa9 , 0x34 , 0x7d , 0x37 , 0x56 , 0x65 , 0xa7 , 0x30 , 0x82 , 0x04 , 0x75 , 0x06 , 0x09 , 0x2a , 0x86 , + 0x48, 0x86 , 0xf7 , 0x0d , 0x01 , 0x07 , 0x02 , 0xa0 , 0x82 , 0x04 , 0x66 , 0x30 , 0x82 , 0x04 , 0x62 , 0x02 , + 0x01, 0x01 , 0x31 , 0x0f , 0x30 , 0x0d , 0x06 , 0x09 , 0x60 , 0x86 , 0x48 , 0x01 , 0x65 , 0x03 , 0x04 , 0x02 , + 0x01, 0x05 , 0x00 , 0x30 , 0x0b , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x07 , 0x01 , + 0xa0, 0x82 , 0x02 , 0xf4 , 0x30 , 0x82 , 0x02 , 0xf0 , 0x30 , 0x82 , 0x01 , 0xd8 , 0xa0 , 0x03 , 0x02 , 0x01 , + 0x02, 0x02 , 0x09 , 0x00 , 0xec , 0x89 , 0x21 , 0xbe , 0xc3 , 0xb0 , 0x04 , 0xc6 , 0x30 , 0x0d , 0x06 , 0x09 , + 0x2a, 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x0b , 0x05 , 0x00 , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , + 0x09, 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , 0x02 , 0x50 , 0x4b , 0x30 , 0x1e , 0x17 , 0x0d , 0x31 , 0x39 , + 0x30, 0x31 , 0x31 , 0x32 , 0x31 , 0x38 , 0x35 , 0x36 , 0x32 , 0x39 , 0x5a , 0x17 , 0x0d , 0x32 , 0x39 , 0x30 , + 0x31, 0x30 , 0x39 , 0x31 , 
0x38 , 0x35 , 0x36 , 0x32 , 0x39 , 0x5a , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , 0x09 , + 0x06, 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , 0x02 , 0x50 , 0x4b , 0x30 , 0x82 , 0x01 , 0x22 , 0x30 , 0x0d , 0x06 , + 0x09, 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x0f , + 0x00, 0x30 , 0x82 , 0x01 , 0x0a , 0x02 , 0x82 , 0x01 , 0x01 , 0x00 , 0xee , 0xa9 , 0xd0 , 0x47 , 0xf4 , 0x2d , + 0xfd, 0xff , 0x21 , 0x6f , 0x11 , 0x89 , 0x9d , 0x54 , 0xe8 , 0xb1 , 0x97 , 0x61 , 0x10 , 0x21 , 0xe1 , 0x9e , + 0x51, 0x09 , 0x66 , 0xea , 0x23 , 0xdb , 0x01 , 0xd3 , 0x5d , 0xa6 , 0xce , 0xc5 , 0x75 , 0x52 , 0xec , 0x2f , + 0xb4, 0x1f , 0x36 , 0xb4 , 0x35 , 0xca , 0x30 , 0xfd , 0xd9 , 0xed , 0x14 , 0x63 , 0xa3 , 0x9e , 0xc6 , 0x0d , + 0xc0, 0x8d , 0xca , 0x7a , 0x1b , 0x9a , 0xcd , 0xbf , 0xb4 , 0x4c , 0x21 , 0x8d , 0xe0 , 0xf6 , 0xbc , 0x74 , + 0xbc, 0xef , 0xc6 , 0x8f , 0xc1 , 0x81 , 0x33 , 0x5f , 0x1e , 0xe6 , 0xed , 0x69 , 0x68 , 0x49 , 0x4c , 0xd7 , + 0x0f, 0x84 , 0x70 , 0xf0 , 0xf6 , 0x1b , 0x07 , 0x35 , 0xa4 , 0x09 , 0xae , 0x5e , 0xdd , 0x42 , 0xa2 , 0x75 , + 0x48, 0xd4 , 0xfa , 0x3c , 0x28 , 0xe7 , 0xaa , 0xc9 , 0x2b , 0xbf , 0xc1 , 0x91 , 0x65 , 0x19 , 0x99 , 0x3b , + 0x56, 0x80 , 0x1a , 0xee , 0x90 , 0x43 , 0xae , 0xbf , 0x1f , 0xff , 0xd2 , 0x55 , 0x1d , 0x18 , 0xff , 0x49 , + 0x38, 0xd8 , 0xdc , 0x21 , 0xe1 , 0x86 , 0xfb , 0xf2 , 0x86 , 0x43 , 0x37 , 0x2e , 0x93 , 0xe8 , 0xd0 , 0x41 , + 0xdb, 0xc9 , 0x73 , 0xd8 , 0x0f , 0xf5 , 0x11 , 0x18 , 0xa9 , 0x93 , 0xb2 , 0x87 , 0x90 , 0xc2 , 0x58 , 0x96 , + 0x93, 0xff , 0x69 , 0xb2 , 0x05 , 0xec , 0xaa , 0x0e , 0xcc , 0xfe , 0x1a , 0x78 , 0x6c , 0x31 , 0xfa , 0x6b , + 0x0d, 0xb6 , 0xeb , 0xac , 0xaf , 0xc9 , 0xa5 , 0x09 , 0xbb , 0xdd , 0x01 , 0x16 , 0x6d , 0x31 , 0x53 , 0x2c , + 0xcb, 0xc1 , 0x82 , 0x87 , 0x81 , 0x99 , 0x7f , 0xc1 , 0xee , 0x86 , 0x6a , 0xed , 0x50 , 0xfc , 0x39 , 0xc1 , + 0x51, 0x71 , 0x04 , 0xe0 , 0x66 , 0x63 , 0x6f , 0x8d , 0x17 , 0x35 , 0x63 , 0x56 , 0x4b , 0x90 , 0x20 , 
0x7a , + 0x5f, 0xc8 , 0x63 , 0xee , 0xf4 , 0x82 , 0xe1 , 0x61 , 0xbf , 0x41 , 0x46 , 0x04 , 0xfd , 0x96 , 0x46 , 0x2a , + 0x8b, 0x8d , 0xa2 , 0x4c , 0x82 , 0xe3 , 0xf0 , 0x6e , 0x24 , 0x8b , 0x02 , 0x03 , 0x01 , 0x00 , 0x01 , 0xa3 , + 0x53, 0x30 , 0x51 , 0x30 , 0x1d , 0x06 , 0x03 , 0x55 , 0x1d , 0x0e , 0x04 , 0x16 , 0x04 , 0x14 , 0x14 , 0xb2 , + 0x26, 0xdc , 0xe0 , 0x99 , 0x4b , 0xb1 , 0x3e , 0xc4 , 0xc8 , 0xeb , 0xe3 , 0xc9 , 0x8b , 0x69 , 0x78 , 0xef , + 0x55, 0xbd , 0x30 , 0x1f , 0x06 , 0x03 , 0x55 , 0x1d , 0x23 , 0x04 , 0x18 , 0x30 , 0x16 , 0x80 , 0x14 , 0x14 , + 0xb2, 0x26 , 0xdc , 0xe0 , 0x99 , 0x4b , 0xb1 , 0x3e , 0xc4 , 0xc8 , 0xeb , 0xe3 , 0xc9 , 0x8b , 0x69 , 0x78 , + 0xef, 0x55 , 0xbd , 0x30 , 0x0f , 0x06 , 0x03 , 0x55 , 0x1d , 0x13 , 0x01 , 0x01 , 0xff , 0x04 , 0x05 , 0x30 , + 0x03, 0x01 , 0x01 , 0xff , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , + 0x0b, 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x01 , 0x00 , 0x8f , 0x4b , 0x0e , 0x4d , 0xd6 , 0xed , 0x73 , 0xb0 , + 0xe6, 0xa5 , 0xcf , 0x37 , 0xed , 0x7b , 0x89 , 0x82 , 0xc4 , 0x67 , 0x95 , 0x16 , 0x03 , 0x19 , 0x3d , 0x9c , + 0xbf, 0x10 , 0x8e , 0x23 , 0x71 , 0xcb , 0x53 , 0xa2 , 0xb0 , 0xa1 , 0x88 , 0xb1 , 0x9b , 0x2e , 0x68 , 0xda , + 0x1e, 0x74 , 0xfe , 0x32 , 0x6f , 0xa1 , 0xda , 0x9f , 0x5b , 0x52 , 0x6b , 0x10 , 0x11 , 0x48 , 0x0d , 0x71 , + 0xec, 0x08 , 0x24 , 0xe5 , 0x0b , 0xb4 , 0x60 , 0x52 , 0x47 , 0x64 , 0xfb , 0xf5 , 0x99 , 0x45 , 0x15 , 0xe1 , + 0x35, 0x6c , 0x43 , 0xe3 , 0x9c , 0xeb , 0xe4 , 0xfd , 0x5b , 0x91 , 0x5d , 0xed , 0xa9 , 0x98 , 0x13 , 0x79 , + 0x6d, 0xcd , 0x8a , 0x8f , 0xae , 0x09 , 0x42 , 0xd4 , 0xa1 , 0x46 , 0x89 , 0xd1 , 0x95 , 0x20 , 0x27 , 0x82 , + 0x80, 0x93 , 0x3d , 0xe0 , 0x32 , 0xb2 , 0x07 , 0x2e , 0xee , 0x89 , 0xbf , 0x08 , 0xca , 0x3c , 0xc5 , 0xcc , + 0x1d, 0x64 , 0x61 , 0x4c , 0xdd , 0x26 , 0x99 , 0x3d , 0xee , 0x0f , 0xad , 0x14 , 0xbe , 0x8f , 0x70 , 0x9e , + 0xb1, 0x31 , 0xd1 , 0xb2 , 0x7d , 0xdf , 0xbc , 0x23 , 0xc6 , 0x36 , 
0x23 , 0xfc , 0xa1 , 0x77 , 0xdb , 0x80 , + 0xaf, 0x41 , 0xaf , 0xe2 , 0xb2 , 0x37 , 0x8c , 0x74 , 0xff , 0x19 , 0x04 , 0x96 , 0x6a , 0x40 , 0x37 , 0x7f , + 0x5e, 0x76 , 0x9b , 0xee , 0x84 , 0x7e , 0x4e , 0x2f , 0x75 , 0x7d , 0x76 , 0xfa , 0x90 , 0x76 , 0x08 , 0x41 , + 0x61, 0x63 , 0xa4 , 0x9e , 0x79 , 0x2e , 0xb0 , 0x52 , 0xec , 0xc7 , 0xa0 , 0x47 , 0x16 , 0x76 , 0x4f , 0x01 , + 0xb1, 0x58 , 0x67 , 0xe7 , 0x59 , 0x6a , 0x9a , 0xe9 , 0xf8 , 0x59 , 0x33 , 0x52 , 0x98 , 0x52 , 0xc8 , 0xb7 , + 0x6f, 0xc8 , 0x44 , 0x52 , 0x8b , 0xa2 , 0x30 , 0x1e , 0xb6 , 0xd2 , 0xc2 , 0x0c , 0x43 , 0x9f , 0x13 , 0x1f , + 0x0f, 0xef , 0x16 , 0xa6 , 0xc0 , 0xf7 , 0x09 , 0x8b , 0x2e , 0xa7 , 0x7d , 0x6a , 0x30 , 0x0b , 0x09 , 0xbb , + 0x69, 0x2f , 0xaf , 0xe7 , 0x12 , 0xe1 , 0x66 , 0x15 , 0x31 , 0x82 , 0x01 , 0x45 , 0x30 , 0x82 , 0x01 , 0x41 , + 0x02, 0x01 , 0x01 , 0x30 , 0x1a , 0x30 , 0x0d , 0x31 , 0x0b , 0x30 , 0x09 , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , + 0x0c, 0x02 , 0x50 , 0x4b , 0x02 , 0x09 , 0x00 , 0xec , 0x89 , 0x21 , 0xbe , 0xc3 , 0xb0 , 0x04 , 0xc6 , 0x30 , + 0x0d, 0x06 , 0x09 , 0x60 , 0x86 , 0x48 , 0x01 , 0x65 , 0x03 , 0x04 , 0x02 , 0x01 , 0x05 , 0x00 , 0x30 , 0x0d , + 0x06, 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x04 , 0x82 , 0x01 , + 0x00, 0x0d , 0x5c , 0x86 , 0xe2 , 0xe1 , 0x7e , 0x1c , 0x1d , 0x8a , 0x4b , 0x57 , 0xd8 , 0x68 , 0x78 , 0x34 , + 0x8b, 0xd9 , 0xaa , 0xc5 , 0x67 , 0xbc , 0xf4 , 0x9f , 0x16 , 0xfe , 0x2c , 0xba , 0x5b , 0xe3 , 0x35 , 0x9a , + 0xb1, 0xec , 0x57 , 0x12 , 0x26 , 0x1f , 0x5b , 0xd0 , 0x15 , 0x28 , 0x25 , 0xa9 , 0x09 , 0xd9 , 0x1a , 0x56 , + 0xe7, 0xb2 , 0xd1 , 0x04 , 0x0f , 0x83 , 0x70 , 0x99 , 0xff , 0x6f , 0x5f , 0xa4 , 0x89 , 0x91 , 0xa9 , 0x2a , + 0xe7, 0xb0 , 0x30 , 0xbd , 0x07 , 0xcf , 0x8d , 0x93 , 0xd2 , 0x5a , 0xf0 , 0x16 , 0x13 , 0x7c , 0xc3 , 0xef , + 0x27, 0xbb , 0x4d , 0x72 , 0x04 , 0x9f , 0xbb , 0x49 , 0xf3 , 0x7c , 0x18 , 0x1a , 0xcd , 0x12 , 0x99 , 0xea , + 0x3a, 0x41 , 0x0a , 0xa1 , 0x55 , 
0x74 , 0xa3 , 0x30 , 0x17 , 0xfd , 0x4e , 0x8d , 0x4a , 0x3d , 0x5f , 0x0f , + 0x08, 0x7c , 0x1a , 0x39 , 0xc5 , 0xc4 , 0xd7 , 0xb6 , 0xf6 , 0x3b , 0xa7 , 0x3e , 0x6c , 0x68 , 0xf9 , 0x69 , + 0xcd, 0x7a , 0x47 , 0x43 , 0xc5 , 0x68 , 0x56 , 0x74 , 0xde , 0x4c , 0x38 , 0xf5 , 0x6d , 0xf6 , 0x96 , 0xac , + 0xf3, 0x5c , 0x6a , 0xc9 , 0x7d , 0x45 , 0x44 , 0x4e , 0x98 , 0xcc , 0xd9 , 0xbe , 0x5f , 0xbd , 0xa3 , 0x0a , + 0x34, 0x0e , 0x53 , 0x4b , 0x08 , 0x93 , 0x8b , 0xf9 , 0x46 , 0x49 , 0xca , 0x6a , 0x98 , 0x26 , 0x90 , 0x86 , + 0x51, 0xee , 0x24 , 0x2f , 0xcb , 0xa0 , 0x7f , 0x94 , 0xd8 , 0x6d , 0xee , 0x58 , 0xf9 , 0xe3 , 0x4e , 0x6d , + 0xaf, 0xa2 , 0x00 , 0xb6 , 0xeb , 0x70 , 0x8c , 0x9d , 0x90 , 0xfe , 0x58 , 0xdd , 0x48 , 0xf6 , 0x99 , 0x09 , + 0x41, 0xdd , 0xde , 0x7c , 0xae , 0xd7 , 0x8c , 0x57 , 0x4e , 0x47 , 0x79 , 0x38 , 0x03 , 0x42 , 0xeb , 0xb4 , + 0x2d, 0xb8 , 0x9e , 0xcf , 0x58 , 0xa4 , 0x32 , 0x00 , 0x2a , 0x66 , 0x4e , 0xf5 , 0xde , 0x96 , 0x9b , 0x60 , + 0xc7, 0xc5 , 0xcf , 0xe2 , 0xa2 , 0x9b , 0x0f , 0x39 , 0x64 , 0x13 , 0x12 , 0x41 , 0x77 , 0xb2 , 0xd2 , 0x50 , + 0x5c, 0xa1 , 0x59 , 0xc0 , 0xa5 , 0xe4 , 0x94 , 0xa7 , 0x4a , 0x87 , 0xb5 , 0xab , 0x15 , 0x5c , 0x2b , 0xf0 , + 0x72, 0x22 , 0x03 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x06 , 0x03 , 0x00 , 0x00 , 0x11 , 0x11 , 0x11 , + 0x11, 0x22 , 0x22 , 0x33 , 0x33 , 0x44 , 0x44 , 0x12 , 0x34 , 0x56 , 0x78 , 0x9a , 0xbc , 0x30 , 0x82 , 0x02 , + 0xf2, 0x30 , 0x82 , 0x01 , 0xda , 0xa0 , 0x03 , 0x02 , 0x01 , 0x02 , 0x02 , 0x09 , 0x00 , 0xfe , 0xdd , 0x2e , + 0xec, 0xe0 , 0x22 , 0xdd , 0xf9 , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , + 0x01, 0x0b , 0x05 , 0x00 , 0x30 , 0x0e , 0x31 , 0x0c , 0x30 , 0x0a , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , + 0x03, 0x4b , 0x45 , 0x4b , 0x30 , 0x1e , 0x17 , 0x0d , 0x31 , 0x39 , 0x30 , 0x31 , 0x31 , 0x32 , 0x31 , 0x38 , + 0x35, 0x36 , 0x33 , 0x31 , 0x5a , 0x17 , 0x0d , 0x32 , 0x39 , 0x30 , 0x31 , 0x30 , 0x39 , 0x31 , 0x38 , 0x35 , + 
0x36, 0x33 , 0x31 , 0x5a , 0x30 , 0x0e , 0x31 , 0x0c , 0x30 , 0x0a , 0x06 , 0x03 , 0x55 , 0x04 , 0x03 , 0x0c , + 0x03, 0x4b , 0x45 , 0x4b , 0x30 , 0x82 , 0x01 , 0x22 , 0x30 , 0x0d , 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , + 0xf7, 0x0d , 0x01 , 0x01 , 0x01 , 0x05 , 0x00 , 0x03 , 0x82 , 0x01 , 0x0f , 0x00 , 0x30 , 0x82 , 0x01 , 0x0a , + 0x02, 0x82 , 0x01 , 0x01 , 0x00 , 0xd1 , 0xf8 , 0xab , 0xdb , 0xc2 , 0xf5 , 0x51 , 0xde , 0x7b , 0x9f , 0x28 , + 0xff, 0xae , 0xdb , 0xa5 , 0xbf , 0x73 , 0x63 , 0x99 , 0x5e , 0x04 , 0xa5 , 0x9d , 0xfd , 0xcd , 0x24 , 0x2e , + 0xdd, 0x0b , 0x02 , 0x88 , 0xe9 , 0x71 , 0x7b , 0xf2 , 0x89 , 0x90 , 0xae , 0xaf , 0x0d , 0xa0 , 0x68 , 0x4d , + 0x31, 0x1b , 0x30 , 0xe8 , 0x19 , 0x2e , 0xfc , 0x33 , 0x8f , 0xee , 0x6d , 0x2a , 0x0a , 0x09 , 0x42 , 0x34 , + 0xc1, 0x40 , 0xa8 , 0xe8 , 0xb6 , 0xc7 , 0x92 , 0x5d , 0xa5 , 0x96 , 0x14 , 0xd7 , 0xaf , 0x8c , 0x71 , 0x6b , + 0x4e, 0x7d , 0x6e , 0xfa , 0x73 , 0x1c , 0x40 , 0x4c , 0x05 , 0x9e , 0xfa , 0xb2 , 0x4c , 0x8c , 0xcb , 0x9d , + 0xe2, 0xa9 , 0x04 , 0x01 , 0x91 , 0x5b , 0xbf , 0xff , 0x85 , 0x54 , 0x2a , 0x65 , 0x96 , 0x84 , 0x6f , 0xfa , + 0x99, 0x1c , 0x9e , 0xe0 , 0x77 , 0x68 , 0x4d , 0x58 , 0x2a , 0xc7 , 0xc0 , 0x8f , 0x71 , 0x5a , 0x8f , 0xa9 , + 0xff, 0x44 , 0xed , 0xf7 , 0xe4 , 0x47 , 0xd8 , 0x4c , 0x9c , 0xf4 , 0x78 , 0xa0 , 0xb3 , 0x37 , 0xaf , 0x43 , + 0x0b, 0x03 , 0x6f , 0xe4 , 0xe1 , 0x2d , 0x52 , 0x0b , 0x4b , 0x62 , 0xc6 , 0x2f , 0xe3 , 0xfc , 0x32 , 0xf2 , + 0xe2, 0x11 , 0x1c , 0xac , 0xdf , 0x5a , 0xe8 , 0xdd , 0x55 , 0x65 , 0xa4 , 0x6f , 0x61 , 0xb7 , 0x0f , 0x1c , + 0xc6, 0x08 , 0x2a , 0xaf , 0x5d , 0x36 , 0x50 , 0x06 , 0x7b , 0x49 , 0xa0 , 0x8b , 0x1c , 0x93 , 0xdc , 0x72 , + 0x69, 0x7b , 0xf1 , 0xcc , 0xee , 0xa4 , 0xe8 , 0xd0 , 0x7b , 0x5f , 0x61 , 0xbc , 0xbe , 0x20 , 0xfb , 0x0b , + 0xaa, 0x54 , 0xf6 , 0xe0 , 0x13 , 0xad , 0xe8 , 0x96 , 0x53 , 0x6a , 0xa9 , 0x4b , 0xa1 , 0xcf , 0x56 , 0x10 , + 0xbc, 0x2a , 0x09 , 0xc9 , 0x0a , 0xcc , 0x8d , 0x20 , 0xdd , 0x4d , 0x14 , 
0xc7 , 0x08 , 0xab , 0xc1 , 0xc3 , + 0xaf, 0x0b , 0x35 , 0x40 , 0x57 , 0x34 , 0x97 , 0x3b , 0xa2 , 0x2d , 0xa3 , 0x46 , 0xc1 , 0x30 , 0x14 , 0x88 , + 0xa8, 0x74 , 0x79 , 0xdd , 0xb1 , 0x02 , 0x03 , 0x01 , 0x00 , 0x01 , 0xa3 , 0x53 , 0x30 , 0x51 , 0x30 , 0x1d , + 0x06, 0x03 , 0x55 , 0x1d , 0x0e , 0x04 , 0x16 , 0x04 , 0x14 , 0xd7 , 0x75 , 0xfc , 0xed , 0xb7 , 0xc8 , 0xb5 , + 0xf8, 0x7d , 0x28 , 0xc5 , 0x13 , 0x34 , 0xcd , 0x0b , 0xbe , 0x57 , 0x0d , 0x94 , 0xa8 , 0x30 , 0x1f , 0x06 , + 0x03, 0x55 , 0x1d , 0x23 , 0x04 , 0x18 , 0x30 , 0x16 , 0x80 , 0x14 , 0xd7 , 0x75 , 0xfc , 0xed , 0xb7 , 0xc8 , + 0xb5, 0xf8 , 0x7d , 0x28 , 0xc5 , 0x13 , 0x34 , 0xcd , 0x0b , 0xbe , 0x57 , 0x0d , 0x94 , 0xa8 , 0x30 , 0x0f , + 0x06, 0x03 , 0x55 , 0x1d , 0x13 , 0x01 , 0x01 , 0xff , 0x04 , 0x05 , 0x30 , 0x03 , 0x01 , 0x01 , 0xff , 0x30 , + 0x0d, 0x06 , 0x09 , 0x2a , 0x86 , 0x48 , 0x86 , 0xf7 , 0x0d , 0x01 , 0x01 , 0x0b , 0x05 , 0x00 , 0x03 , 0x82 , + 0x01, 0x01 , 0x00 , 0x58 , 0xd2 , 0x25 , 0xa3 , 0xe6 , 0xaa , 0xb9 , 0x56 , 0x67 , 0xc3 , 0xa6 , 0x4b , 0x88 , + 0x99, 0xfe , 0xde , 0xc6 , 0x16 , 0x4c , 0x43 , 0x1b , 0xb8 , 0xea , 0xe3 , 0x77 , 0xc4 , 0xe4 , 0x66 , 0x15 , + 0x9f, 0x92 , 0x6d , 0xe3 , 0x7f , 0x3c , 0xac , 0x88 , 0x8b , 0xb9 , 0xc5 , 0x5c , 0x39 , 0x4f , 0x02 , 0x75 , + 0x5a, 0x3d , 0xc5 , 0xaf , 0xad , 0x8f , 0x32 , 0xd4 , 0x5a , 0x44 , 0xc8 , 0xcb , 0x1f , 0x40 , 0xa1 , 0x44 , + 0xef, 0xa8 , 0x2a , 0xa4 , 0x0d , 0x7a , 0x25 , 0xe1 , 0x6c , 0x09 , 0x4b , 0x96 , 0x6a , 0x73 , 0x0f , 0xe0 , + 0x9b, 0x0e , 0x26 , 0xff , 0x61 , 0x96 , 0xc4 , 0xb6 , 0x10 , 0xe1 , 0x90 , 0x36 , 0xfd , 0x96 , 0xb5 , 0x90 , + 0xb0, 0x76 , 0xed , 0xc2 , 0x17 , 0xc0 , 0xfe , 0xd4 , 0x38 , 0xff , 0x7f , 0xc3 , 0xa0 , 0x88 , 0x60 , 0xe8 , + 0x27, 0x10 , 0x34 , 0x35 , 0x93 , 0x59 , 0xcb , 0x12 , 0xe5 , 0x25 , 0xaf , 0x2d , 0x1d , 0x7d , 0x3f , 0x16 , + 0x95, 0x71 , 0x57 , 0x8e , 0x3f , 0xc2 , 0xad , 0x8e , 0xc4 , 0x0e , 0xe1 , 0xed , 0x46 , 0xf9 , 0xd7 , 0x07 , + 0x85, 0xb3 , 0x05 , 0xbe , 0xf1 , 0x4c , 
0xba , 0xf1 , 0x34 , 0xe5 , 0xd5 , 0x26 , 0x9b , 0x6c , 0x15 , 0x9e , + 0x35, 0xa2 , 0xd5 , 0x81 , 0x09 , 0x36 , 0x05 , 0xa6 , 0x99 , 0x1f , 0xa2 , 0x17 , 0x35 , 0x3a , 0x38 , 0x18 , + 0x52, 0x44 , 0xcf , 0x22 , 0xb3 , 0x69 , 0xba , 0x07 , 0x74 , 0x48 , 0x1c , 0x8e , 0x4c , 0xa7 , 0xb0 , 0xc2 , + 0x65, 0x6c , 0x1d , 0x30 , 0xe2 , 0x82 , 0xc2 , 0x35 , 0x60 , 0x25 , 0xf2 , 0xb1 , 0x05 , 0x18 , 0x0a , 0x73 , + 0x87, 0x27 , 0xee , 0x6e , 0xc2 , 0x5f , 0xff , 0xd8 , 0xfc , 0x77 , 0x06 , 0x2e , 0x3d , 0x4f , 0xa1 , 0x14 , + 0x04, 0x5d , 0xae , 0x38 , 0x28 , 0xf9 , 0x3d , 0x82 , 0x5f , 0xc6 , 0xd0 , 0x31 , 0x21 , 0x88 , 0xda , 0x7f , + 0x78, 0xe3 , 0xb7 , 0xed , 0x52 , 0x37 , 0xf4 , 0x29 , 0x08 , 0x88 , 0x50 , 0x54 , 0x56 , 0x67 , 0xc0 , 0xe1 , + 0xf4, 0xe7 , 0xcf }; + +unsigned char DB_auth[] = { + 0xe3 ,0x07 ,0x0b ,0x19 ,0x0a ,0x1a ,0x35 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 , + 0x94 ,0x04 ,0x00 ,0x00 ,0x00 ,0x02 ,0xf1 ,0x0e ,0x9d ,0xd2 ,0xaf ,0x4a ,0xdf ,0x68 ,0xee ,0x49 , + 0x8a ,0xa9 ,0x34 ,0x7d ,0x37 ,0x56 ,0x65 ,0xa7 ,0x30 ,0x82 ,0x04 ,0x78 ,0x06 ,0x09 ,0x2a ,0x86 , + 0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x02 ,0xa0 ,0x82 ,0x04 ,0x69 ,0x30 ,0x82 ,0x04 ,0x65 ,0x02 , + 0x01 ,0x01 ,0x31 ,0x0f ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 , + 0x01 ,0x05 ,0x00 ,0x30 ,0x0b ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x07 ,0x01 , + 0xa0 ,0x82 ,0x02 ,0xf6 ,0x30 ,0x82 ,0x02 ,0xf2 ,0x30 ,0x82 ,0x01 ,0xda ,0xa0 ,0x03 ,0x02 ,0x01 , + 0x02 ,0x02 ,0x09 ,0x00 ,0xfe ,0xdd ,0x2e ,0xec ,0xe0 ,0x22 ,0xdd ,0xf9 ,0x30 ,0x0d ,0x06 ,0x09 , + 0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 , + 0x0a ,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x30 ,0x1e ,0x17 ,0x0d ,0x31 , + 0x39 ,0x30 ,0x31 ,0x31 ,0x32 ,0x31 ,0x38 ,0x35 ,0x36 ,0x33 ,0x31 ,0x5a ,0x17 ,0x0d ,0x32 ,0x39 , + 0x30 ,0x31 ,0x30 ,0x39 ,0x31 ,0x38 ,0x35 ,0x36 ,0x33 ,0x31 ,0x5a ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 , + 0x0a 
,0x06 ,0x03 ,0x55 ,0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x30 ,0x82 ,0x01 ,0x22 ,0x30 , + 0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 ,0x82 , + 0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 ,0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xd1 ,0xf8 ,0xab ,0xdb , + 0xc2 ,0xf5 ,0x51 ,0xde ,0x7b ,0x9f ,0x28 ,0xff ,0xae ,0xdb ,0xa5 ,0xbf ,0x73 ,0x63 ,0x99 ,0x5e , + 0x04 ,0xa5 ,0x9d ,0xfd ,0xcd ,0x24 ,0x2e ,0xdd ,0x0b ,0x02 ,0x88 ,0xe9 ,0x71 ,0x7b ,0xf2 ,0x89 , + 0x90 ,0xae ,0xaf ,0x0d ,0xa0 ,0x68 ,0x4d ,0x31 ,0x1b ,0x30 ,0xe8 ,0x19 ,0x2e ,0xfc ,0x33 ,0x8f , + 0xee ,0x6d ,0x2a ,0x0a ,0x09 ,0x42 ,0x34 ,0xc1 ,0x40 ,0xa8 ,0xe8 ,0xb6 ,0xc7 ,0x92 ,0x5d ,0xa5 , + 0x96 ,0x14 ,0xd7 ,0xaf ,0x8c ,0x71 ,0x6b ,0x4e ,0x7d ,0x6e ,0xfa ,0x73 ,0x1c ,0x40 ,0x4c ,0x05 , + 0x9e ,0xfa ,0xb2 ,0x4c ,0x8c ,0xcb ,0x9d ,0xe2 ,0xa9 ,0x04 ,0x01 ,0x91 ,0x5b ,0xbf ,0xff ,0x85 , + 0x54 ,0x2a ,0x65 ,0x96 ,0x84 ,0x6f ,0xfa ,0x99 ,0x1c ,0x9e ,0xe0 ,0x77 ,0x68 ,0x4d ,0x58 ,0x2a , + 0xc7 ,0xc0 ,0x8f ,0x71 ,0x5a ,0x8f ,0xa9 ,0xff ,0x44 ,0xed ,0xf7 ,0xe4 ,0x47 ,0xd8 ,0x4c ,0x9c , + 0xf4 ,0x78 ,0xa0 ,0xb3 ,0x37 ,0xaf ,0x43 ,0x0b ,0x03 ,0x6f ,0xe4 ,0xe1 ,0x2d ,0x52 ,0x0b ,0x4b , + 0x62 ,0xc6 ,0x2f ,0xe3 ,0xfc ,0x32 ,0xf2 ,0xe2 ,0x11 ,0x1c ,0xac ,0xdf ,0x5a ,0xe8 ,0xdd ,0x55 , + 0x65 ,0xa4 ,0x6f ,0x61 ,0xb7 ,0x0f ,0x1c ,0xc6 ,0x08 ,0x2a ,0xaf ,0x5d ,0x36 ,0x50 ,0x06 ,0x7b , + 0x49 ,0xa0 ,0x8b ,0x1c ,0x93 ,0xdc ,0x72 ,0x69 ,0x7b ,0xf1 ,0xcc ,0xee ,0xa4 ,0xe8 ,0xd0 ,0x7b , + 0x5f ,0x61 ,0xbc ,0xbe ,0x20 ,0xfb ,0x0b ,0xaa ,0x54 ,0xf6 ,0xe0 ,0x13 ,0xad ,0xe8 ,0x96 ,0x53 , + 0x6a ,0xa9 ,0x4b ,0xa1 ,0xcf ,0x56 ,0x10 ,0xbc ,0x2a ,0x09 ,0xc9 ,0x0a ,0xcc ,0x8d ,0x20 ,0xdd , + 0x4d ,0x14 ,0xc7 ,0x08 ,0xab ,0xc1 ,0xc3 ,0xaf ,0x0b ,0x35 ,0x40 ,0x57 ,0x34 ,0x97 ,0x3b ,0xa2 , + 0x2d ,0xa3 ,0x46 ,0xc1 ,0x30 ,0x14 ,0x88 ,0xa8 ,0x74 ,0x79 ,0xdd ,0xb1 ,0x02 ,0x03 ,0x01 ,0x00 , + 0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 ,0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 ,0x14 , + 0xd7 ,0x75 ,0xfc ,0xed 
,0xb7 ,0xc8 ,0xb5 ,0xf8 ,0x7d ,0x28 ,0xc5 ,0x13 ,0x34 ,0xcd ,0x0b ,0xbe , + 0x57 ,0x0d ,0x94 ,0xa8 ,0x30 ,0x1f ,0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 ,0x80 , + 0x14 ,0xd7 ,0x75 ,0xfc ,0xed ,0xb7 ,0xc8 ,0xb5 ,0xf8 ,0x7d ,0x28 ,0xc5 ,0x13 ,0x34 ,0xcd ,0x0b , + 0xbe ,0x57 ,0x0d ,0x94 ,0xa8 ,0x30 ,0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff ,0x04 , + 0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d , + 0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x01 ,0x00 ,0x58 ,0xd2 ,0x25 ,0xa3 ,0xe6 ,0xaa , + 0xb9 ,0x56 ,0x67 ,0xc3 ,0xa6 ,0x4b ,0x88 ,0x99 ,0xfe ,0xde ,0xc6 ,0x16 ,0x4c ,0x43 ,0x1b ,0xb8 , + 0xea ,0xe3 ,0x77 ,0xc4 ,0xe4 ,0x66 ,0x15 ,0x9f ,0x92 ,0x6d ,0xe3 ,0x7f ,0x3c ,0xac ,0x88 ,0x8b , + 0xb9 ,0xc5 ,0x5c ,0x39 ,0x4f ,0x02 ,0x75 ,0x5a ,0x3d ,0xc5 ,0xaf ,0xad ,0x8f ,0x32 ,0xd4 ,0x5a , + 0x44 ,0xc8 ,0xcb ,0x1f ,0x40 ,0xa1 ,0x44 ,0xef ,0xa8 ,0x2a ,0xa4 ,0x0d ,0x7a ,0x25 ,0xe1 ,0x6c , + 0x09 ,0x4b ,0x96 ,0x6a ,0x73 ,0x0f ,0xe0 ,0x9b ,0x0e ,0x26 ,0xff ,0x61 ,0x96 ,0xc4 ,0xb6 ,0x10 , + 0xe1 ,0x90 ,0x36 ,0xfd ,0x96 ,0xb5 ,0x90 ,0xb0 ,0x76 ,0xed ,0xc2 ,0x17 ,0xc0 ,0xfe ,0xd4 ,0x38 , + 0xff ,0x7f ,0xc3 ,0xa0 ,0x88 ,0x60 ,0xe8 ,0x27 ,0x10 ,0x34 ,0x35 ,0x93 ,0x59 ,0xcb ,0x12 ,0xe5 , + 0x25 ,0xaf ,0x2d ,0x1d ,0x7d ,0x3f ,0x16 ,0x95 ,0x71 ,0x57 ,0x8e ,0x3f ,0xc2 ,0xad ,0x8e ,0xc4 , + 0x0e ,0xe1 ,0xed ,0x46 ,0xf9 ,0xd7 ,0x07 ,0x85 ,0xb3 ,0x05 ,0xbe ,0xf1 ,0x4c ,0xba ,0xf1 ,0x34 , + 0xe5 ,0xd5 ,0x26 ,0x9b ,0x6c ,0x15 ,0x9e ,0x35 ,0xa2 ,0xd5 ,0x81 ,0x09 ,0x36 ,0x05 ,0xa6 ,0x99 , + 0x1f ,0xa2 ,0x17 ,0x35 ,0x3a ,0x38 ,0x18 ,0x52 ,0x44 ,0xcf ,0x22 ,0xb3 ,0x69 ,0xba ,0x07 ,0x74 , + 0x48 ,0x1c ,0x8e ,0x4c ,0xa7 ,0xb0 ,0xc2 ,0x65 ,0x6c ,0x1d ,0x30 ,0xe2 ,0x82 ,0xc2 ,0x35 ,0x60 , + 0x25 ,0xf2 ,0xb1 ,0x05 ,0x18 ,0x0a ,0x73 ,0x87 ,0x27 ,0xee ,0x6e ,0xc2 ,0x5f ,0xff ,0xd8 ,0xfc , + 0x77 ,0x06 ,0x2e ,0x3d ,0x4f ,0xa1 ,0x14 ,0x04 ,0x5d ,0xae ,0x38 ,0x28 ,0xf9 ,0x3d ,0x82 ,0x5f , + 0xc6 ,0xd0 ,0x31 ,0x21 ,0x88 ,0xda ,0x7f 
,0x78 ,0xe3 ,0xb7 ,0xed ,0x52 ,0x37 ,0xf4 ,0x29 ,0x08 , + 0x88 ,0x50 ,0x54 ,0x56 ,0x67 ,0xc0 ,0xe1 ,0xf4 ,0xe7 ,0xcf ,0x31 ,0x82 ,0x01 ,0x46 ,0x30 ,0x82 , + 0x01 ,0x42 ,0x02 ,0x01 ,0x01 ,0x30 ,0x1b ,0x30 ,0x0e ,0x31 ,0x0c ,0x30 ,0x0a ,0x06 ,0x03 ,0x55 , + 0x04 ,0x03 ,0x0c ,0x03 ,0x4b ,0x45 ,0x4b ,0x02 ,0x09 ,0x00 ,0xfe ,0xdd ,0x2e ,0xec ,0xe0 ,0x22 , + 0xdd ,0xf9 ,0x30 ,0x0d ,0x06 ,0x09 ,0x60 ,0x86 ,0x48 ,0x01 ,0x65 ,0x03 ,0x04 ,0x02 ,0x01 ,0x05 , + 0x00 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 , + 0x04 ,0x82 ,0x01 ,0x00 ,0x28 ,0x9f ,0xc0 ,0xf5 ,0x52 ,0x8b ,0x45 ,0x8a ,0xaf ,0x43 ,0x39 ,0xd9 , + 0x39 ,0x1d ,0xde ,0x1f ,0x20 ,0x82 ,0x44 ,0x08 ,0xf7 ,0x68 ,0x02 ,0x17 ,0xdb ,0x9f ,0xdf ,0x1e , + 0x2d ,0x88 ,0x6a ,0x9b ,0xe8 ,0xb1 ,0xbb ,0x8f ,0x0b ,0xe1 ,0x45 ,0x64 ,0xf3 ,0xb7 ,0xae ,0x90 , + 0x69 ,0x5c ,0xa7 ,0x0c ,0x98 ,0xb2 ,0x09 ,0x77 ,0xda ,0x24 ,0x1d ,0x01 ,0x94 ,0x1f ,0x95 ,0xbf , + 0x77 ,0xe5 ,0x0e ,0xe4 ,0xd4 ,0x5b ,0x89 ,0x9b ,0xa2 ,0x87 ,0x97 ,0x41 ,0xd4 ,0xb4 ,0xae ,0xb4 , + 0x47 ,0x8a ,0x6e ,0x3f ,0x6b ,0xe7 ,0x8c ,0x04 ,0x04 ,0x0e ,0x27 ,0xcd ,0x4a ,0xd6 ,0x65 ,0x72 , + 0x26 ,0x91 ,0xc9 ,0xb0 ,0x51 ,0x2d ,0x1e ,0x19 ,0xb8 ,0x85 ,0xef ,0x63 ,0x23 ,0xd7 ,0xde ,0x26 , + 0x3d ,0xdb ,0x59 ,0x18 ,0xd3 ,0x80 ,0xc0 ,0xdf ,0xde ,0xe9 ,0x6d ,0x7a ,0xd4 ,0x19 ,0x83 ,0x60 , + 0x96 ,0xe8 ,0x3e ,0xb7 ,0x9a ,0xf5 ,0x69 ,0xe1 ,0xc9 ,0x57 ,0xa6 ,0xad ,0x7f ,0x23 ,0x2f ,0xdd , + 0x5e ,0x15 ,0x38 ,0xc3 ,0x18 ,0xc8 ,0x0a ,0x5d ,0x8e ,0xe9 ,0x6c ,0x20 ,0xad ,0x12 ,0x47 ,0xc9 , + 0x67 ,0x15 ,0xb7 ,0x72 ,0x43 ,0x3e ,0x16 ,0x77 ,0xa6 ,0x2f ,0x72 ,0xfe ,0x34 ,0x45 ,0x2d ,0xa1 , + 0x53 ,0xeb ,0x9e ,0xc4 ,0xfd ,0x2c ,0xf5 ,0x58 ,0xac ,0x05 ,0xbc ,0x57 ,0xd4 ,0xbe ,0x3d ,0xcd , + 0x97 ,0x1d ,0xc5 ,0x14 ,0x29 ,0x17 ,0x19 ,0x4d ,0x0d ,0x2b ,0x28 ,0x87 ,0x14 ,0x02 ,0x1b ,0x6b , + 0x0e ,0xfd ,0x55 ,0xdd ,0x95 ,0x99 ,0x4c ,0xc4 ,0x0c ,0xb3 ,0x68 ,0x1d ,0x71 ,0x64 ,0x1f ,0x48 , + 0xab ,0x34 ,0xa5 ,0xa5 ,0xb7 ,0x1e ,0xb7 ,0xac ,0x86 ,0x2e 
,0x0e ,0x7f ,0xb9 ,0xb9 ,0x10 ,0x72 , + 0x76 ,0x07 ,0x8d ,0x6f ,0xc9 ,0xe5 ,0x14 ,0x6e ,0xef ,0x04 ,0x7f ,0xad ,0x33 ,0x98 ,0xf2 ,0x13 , + 0x5c ,0x12 ,0xf1 ,0x48 ,0xa1 ,0x59 ,0xc0 ,0xa5 ,0xe4 ,0x94 ,0xa7 ,0x4a ,0x87 ,0xb5 ,0xab ,0x15 , + 0x5c ,0x2b ,0xf0 ,0x72 ,0x20 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x04 ,0x03 ,0x00 ,0x00 , + 0x11 ,0x11 ,0x11 ,0x11 ,0x22 ,0x22 ,0x33 ,0x33 ,0x44 ,0x44 ,0x12 ,0x34 ,0x56 ,0x78 ,0x9a ,0xbc , + 0x30 ,0x82 ,0x02 ,0xf0 ,0x30 ,0x82 ,0x01 ,0xd8 ,0xa0 ,0x03 ,0x02 ,0x01 ,0x02 ,0x02 ,0x09 ,0x00 , + 0x89 ,0x65 ,0xe1 ,0xbe ,0x1d ,0x33 ,0xea ,0xb7 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 , + 0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x30 ,0x0d ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 , + 0x04 ,0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x30 ,0x1e ,0x17 ,0x0d ,0x31 ,0x39 ,0x30 ,0x31 ,0x31 ,0x32 , + 0x31 ,0x38 ,0x35 ,0x36 ,0x32 ,0x39 ,0x5a ,0x17 ,0x0d ,0x32 ,0x39 ,0x30 ,0x31 ,0x30 ,0x39 ,0x31 , + 0x38 ,0x35 ,0x36 ,0x32 ,0x39 ,0x5a ,0x30 ,0x0d ,0x31 ,0x0b ,0x30 ,0x09 ,0x06 ,0x03 ,0x55 ,0x04 , + 0x03 ,0x0c ,0x02 ,0x44 ,0x42 ,0x30 ,0x82 ,0x01 ,0x22 ,0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 , + 0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x01 ,0x05 ,0x00 ,0x03 ,0x82 ,0x01 ,0x0f ,0x00 ,0x30 ,0x82 ,0x01 , + 0x0a ,0x02 ,0x82 ,0x01 ,0x01 ,0x00 ,0xce ,0x70 ,0xf2 ,0x2d ,0xa0 ,0x56 ,0xac ,0xc0 ,0xc0 ,0x33 , + 0x9a ,0xa6 ,0x2c ,0x89 ,0x3c ,0x88 ,0xa9 ,0x9c ,0x67 ,0xaf ,0xeb ,0x0d ,0x44 ,0x7b ,0xe7 ,0x85 , + 0xf1 ,0x3d ,0xc4 ,0x71 ,0xdd ,0xb4 ,0xa7 ,0x51 ,0xac ,0x87 ,0xfa ,0x85 ,0xf0 ,0x3c ,0x80 ,0x0a , + 0x33 ,0x43 ,0x02 ,0xd6 ,0xa8 ,0x59 ,0xe3 ,0xc3 ,0x42 ,0x22 ,0xe0 ,0x0c ,0xbc ,0xc7 ,0x02 ,0x60 , + 0xff ,0x09 ,0x81 ,0x1c ,0x73 ,0x76 ,0x22 ,0x29 ,0xb8 ,0x67 ,0x2a ,0x76 ,0x17 ,0xd2 ,0x9a ,0x33 , + 0x78 ,0x6d ,0x40 ,0x60 ,0x24 ,0x07 ,0xfb ,0x1f ,0xf6 ,0xf5 ,0xb2 ,0xac ,0x44 ,0x77 ,0xd2 ,0x5e , + 0x9d ,0xd7 ,0x24 ,0xe2 ,0x6e ,0xa1 ,0xf2 ,0xb8 ,0x08 ,0x18 ,0x61 ,0x77 ,0x83 ,0xe8 ,0x82 ,0x72 , + 0x6d ,0xf6 ,0xb3 ,0x98 ,0x39 ,0x43 ,0xb8 ,0xaa ,0x97 ,0x03 ,0xc7 ,0x68 ,0x2e 
,0x1d ,0xf8 ,0xaf , + 0x75 ,0xad ,0x9e ,0x18 ,0x48 ,0xa3 ,0x24 ,0x3e ,0x04 ,0x30 ,0xe2 ,0xa7 ,0x30 ,0xf7 ,0xf7 ,0xb3 , + 0x05 ,0xac ,0x11 ,0xf4 ,0x20 ,0x47 ,0x36 ,0xcf ,0xca ,0xe0 ,0x8c ,0x52 ,0x0d ,0x4b ,0x30 ,0xf0 , + 0x7e ,0x6f ,0x48 ,0x83 ,0xe1 ,0xb9 ,0xd1 ,0x1d ,0x27 ,0x5d ,0xd3 ,0x10 ,0x9d ,0x63 ,0xdb ,0xe0 , + 0x87 ,0x53 ,0x75 ,0xae ,0xdd ,0xc0 ,0x6c ,0x89 ,0x33 ,0xeb ,0x3e ,0x87 ,0x33 ,0x58 ,0x11 ,0xe5 , + 0x04 ,0xcd ,0xeb ,0x8e ,0xfe ,0x48 ,0x7b ,0xd1 ,0x37 ,0xb4 ,0x41 ,0x9a ,0x3b ,0xab ,0x99 ,0x03 , + 0xfc ,0x72 ,0x4f ,0x39 ,0xb2 ,0x0c ,0x34 ,0x7d ,0x4f ,0xa7 ,0x5e ,0x8b ,0x1e ,0x13 ,0xea ,0xab , + 0x37 ,0x28 ,0x34 ,0x6a ,0x91 ,0xb9 ,0x21 ,0x79 ,0x1b ,0x82 ,0xc0 ,0x61 ,0x4d ,0xb7 ,0xa0 ,0xc5 , + 0x73 ,0xe7 ,0x11 ,0x75 ,0x88 ,0x41 ,0x36 ,0xf7 ,0x55 ,0x94 ,0x87 ,0x6e ,0x25 ,0x82 ,0xf7 ,0xf9 , + 0xcf ,0xc3 ,0x3c ,0x24 ,0xa2 ,0xcb ,0x02 ,0x03 ,0x01 ,0x00 ,0x01 ,0xa3 ,0x53 ,0x30 ,0x51 ,0x30 , + 0x1d ,0x06 ,0x03 ,0x55 ,0x1d ,0x0e ,0x04 ,0x16 ,0x04 ,0x14 ,0xe6 ,0xb8 ,0x4e ,0x62 ,0xdb ,0xbd , + 0x98 ,0x8a ,0xbb ,0xfd ,0xa0 ,0x08 ,0x35 ,0x5a ,0xa6 ,0xa0 ,0x80 ,0x01 ,0xc5 ,0x8c ,0x30 ,0x1f , + 0x06 ,0x03 ,0x55 ,0x1d ,0x23 ,0x04 ,0x18 ,0x30 ,0x16 ,0x80 ,0x14 ,0xe6 ,0xb8 ,0x4e ,0x62 ,0xdb , + 0xbd ,0x98 ,0x8a ,0xbb ,0xfd ,0xa0 ,0x08 ,0x35 ,0x5a ,0xa6 ,0xa0 ,0x80 ,0x01 ,0xc5 ,0x8c ,0x30 , + 0x0f ,0x06 ,0x03 ,0x55 ,0x1d ,0x13 ,0x01 ,0x01 ,0xff ,0x04 ,0x05 ,0x30 ,0x03 ,0x01 ,0x01 ,0xff , + 0x30 ,0x0d ,0x06 ,0x09 ,0x2a ,0x86 ,0x48 ,0x86 ,0xf7 ,0x0d ,0x01 ,0x01 ,0x0b ,0x05 ,0x00 ,0x03 , + 0x82 ,0x01 ,0x01 ,0x00 ,0x6e ,0xb3 ,0x79 ,0x61 ,0xeb ,0xa5 ,0xa6 ,0x6b ,0x77 ,0xcd ,0x6a ,0x76 , + 0xb7 ,0xbf ,0x86 ,0xcf ,0x4c ,0xa2 ,0xa5 ,0xa5 ,0x01 ,0xb7 ,0xb7 ,0x61 ,0x71 ,0x85 ,0x92 ,0x02 , + 0xee ,0x5a ,0xaa ,0xd7 ,0x4a ,0xcf ,0x87 ,0x2a ,0xa2 ,0x70 ,0x8c ,0x49 ,0xe9 ,0x05 ,0x49 ,0x46 , + 0x3d ,0xc1 ,0xe6 ,0xe9 ,0x59 ,0x95 ,0xd4 ,0xc8 ,0x0e ,0xb6 ,0x6d ,0x01 ,0xfb ,0x74 ,0x01 ,0x69 , + 0xb2 ,0xb4 ,0x9b ,0xe8 ,0x2c ,0x99 ,0xb3 ,0x96 ,0x7f ,0xd9 ,0x96 ,0xa6 ,0x28 ,0x02 ,0x10 ,0x07 , 
+ 0x6a ,0xc2 ,0x19 ,0x27 ,0x63 ,0x9c ,0x35 ,0x0a ,0x9a ,0xda ,0x5c ,0x9c ,0x91 ,0xb5 ,0xc6 ,0xe5 , + 0x7c ,0x64 ,0x76 ,0x07 ,0xf6 ,0x56 ,0x7a ,0xf0 ,0xf6 ,0x09 ,0xaf ,0x3b ,0x4b ,0x40 ,0xd6 ,0x80 , + 0xd5 ,0x3e ,0x7f ,0xea ,0x11 ,0xe4 ,0xe1 ,0x78 ,0xac ,0x1e ,0x4b ,0xc4 ,0xdf ,0xb9 ,0xd6 ,0x5f , + 0x68 ,0xba ,0x77 ,0x40 ,0xf5 ,0x1d ,0xb7 ,0x35 ,0xaf ,0xcd ,0x37 ,0xc4 ,0xc9 ,0xb4 ,0x22 ,0x37 , + 0xac ,0x2d ,0xf3 ,0xc3 ,0xf7 ,0x94 ,0x74 ,0x70 ,0xfc ,0xc8 ,0x13 ,0xb2 ,0xdf ,0x98 ,0xa1 ,0x9c , + 0x10 ,0xba ,0x14 ,0x34 ,0xb5 ,0x1b ,0x4a ,0x50 ,0x00 ,0x22 ,0x83 ,0x88 ,0x79 ,0x1e ,0xac ,0xa4 , + 0xe4 ,0x6f ,0xbf ,0x96 ,0x8e ,0xf1 ,0x20 ,0x53 ,0x60 ,0x9d ,0x63 ,0x74 ,0x40 ,0x30 ,0x72 ,0x5e , + 0x56 ,0x75 ,0xf3 ,0x0b ,0x60 ,0x6a ,0xe8 ,0xab ,0x45 ,0x81 ,0xe9 ,0x7b ,0x32 ,0x31 ,0x5b ,0x28 , + 0x3e ,0xc1 ,0x96 ,0x9f ,0x28 ,0x2d ,0x74 ,0xbe ,0xfb ,0x4d ,0xe1 ,0x15 ,0x21 ,0x5a ,0x89 ,0xde , + 0x02 ,0x0f ,0x83 ,0x18 ,0x33 ,0xa4 ,0x0e ,0x58 ,0x20 ,0xaa ,0xea ,0xcf ,0xb0 ,0xbc ,0x35 ,0xfa , + 0x0c ,0x8a ,0x2d ,0x66 ,0xfa ,0x2a ,0xc6 ,0xae ,0xe0 ,0x07 ,0x99 ,0xfa ,0xb3 ,0x44 ,0x61 ,0x61 , + 0x60 ,0x6e ,0xd4 ,0x70 }; + +unsigned char IllformatKEK_auth[] = { + 0xe3, 0x07, 0x0b, 0x13, 0x0a, 0x28, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x94, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x78, 0x02, 0x01, 0x01, 0x31, + 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, + 0x02, 0x01, 0x05, 0x00, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x02, 0xff, 0x30, 0x82, 0x02, + 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, + 0x65, 0x75, 0x53, 0x72, 0x12, 0x66, 0xdd, 0x35, 0x15, 0x7c, 0xe8, 0x6c, + 0x53, 0x88, 0xd2, 0x01, 0x81, 0x62, 0xe7, 0x36, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x0d, 0x31, 0x0b, 0x30, 
0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, + 0x50, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x31, 0x31, 0x39, + 0x31, 0x36, 0x34, 0x30, 0x35, 0x32, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x31, + 0x31, 0x31, 0x36, 0x31, 0x36, 0x34, 0x30, 0x35, 0x32, 0x5a, 0x30, 0x0d, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, + 0x4b, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd0, 0xe5, + 0xb4, 0x7c, 0x37, 0xec, 0x22, 0xf1, 0xae, 0x68, 0xf8, 0x50, 0xcd, 0x00, + 0xb6, 0xa9, 0xc8, 0x56, 0x47, 0xe1, 0x2f, 0xdc, 0xd0, 0x48, 0x9a, 0x18, + 0x01, 0x59, 0xa1, 0x02, 0x02, 0xd4, 0x2c, 0xbd, 0x46, 0x28, 0xa2, 0x6b, + 0x27, 0x5e, 0xa4, 0x53, 0x6d, 0x17, 0xd5, 0x8f, 0x8d, 0x56, 0x9e, 0xf3, + 0x79, 0x4d, 0x74, 0x1c, 0xb5, 0xff, 0xb5, 0x50, 0xf2, 0x50, 0x7d, 0x2d, + 0x13, 0x1c, 0x4f, 0xd9, 0xf7, 0x2c, 0x25, 0x42, 0xa1, 0xcb, 0x91, 0x8e, + 0x10, 0x43, 0x1f, 0xac, 0x14, 0x23, 0x6b, 0x40, 0x40, 0xa5, 0x48, 0x40, + 0x34, 0xdd, 0x40, 0xdf, 0xc3, 0x29, 0x2a, 0xc3, 0x38, 0xcc, 0x6b, 0x00, + 0xa3, 0xac, 0x63, 0x03, 0x38, 0x75, 0x59, 0xab, 0x5c, 0xbc, 0x98, 0x44, + 0xf6, 0x2c, 0xd5, 0x9d, 0x11, 0x2f, 0xae, 0x2f, 0x11, 0xeb, 0x4d, 0xc4, + 0xbd, 0x86, 0xe0, 0xe9, 0xbb, 0x8d, 0x46, 0x62, 0xbd, 0x33, 0xf4, 0xf4, + 0x78, 0x32, 0xda, 0xcf, 0xd3, 0x35, 0x13, 0x95, 0x55, 0x39, 0xc0, 0x10, + 0x9d, 0xcb, 0x98, 0xa9, 0x6a, 0x31, 0x2e, 0x6b, 0xcb, 0xc8, 0x9a, 0xc6, + 0xaa, 0x48, 0xd6, 0x6e, 0xf3, 0xc0, 0x4b, 0x57, 0x06, 0x51, 0xa3, 0xad, + 0x82, 0xe7, 0xeb, 0x8c, 0x40, 0x64, 0x32, 0xf1, 0xee, 0x1e, 0xe4, 0xae, + 0x81, 0x06, 0x5b, 0x6a, 0x06, 0xbc, 0x96, 0xfc, 0xe6, 0xbc, 0x62, 0x0b, + 0x02, 0x8d, 0x27, 0xa2, 0x9c, 0x44, 0x5e, 0x9e, 0x60, 0x35, 0xa2, 0xc2, + 0x2e, 0xfe, 0x34, 0x53, 0xd8, 0x31, 0xe4, 0xca, 0xa1, 0xb3, 0x99, 0x11, + 0xd5, 0xd3, 0x1b, 0x00, 0x76, 0x8a, 0x2d, 0x9a, 0x94, 0xdc, 0x43, 0xdd, + 0xb0, 0x14, 0x41, 0xb3, 
0x70, 0x56, 0x85, 0x31, 0x01, 0x6b, 0xf6, 0x82, + 0x9a, 0x8a, 0x89, 0x5e, 0x72, 0xfe, 0xec, 0x53, 0x04, 0x16, 0x79, 0xa0, + 0xb3, 0xfd, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x70, + 0xbe, 0x22, 0xf9, 0x09, 0xbf, 0xce, 0x96, 0x5a, 0xb6, 0xe7, 0xdb, 0x1a, + 0xa4, 0x5f, 0x84, 0xbf, 0x2c, 0x5b, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, + 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x50, 0x70, 0xbe, 0x22, 0xf9, + 0x09, 0xbf, 0xce, 0x96, 0x5a, 0xb6, 0xe7, 0xdb, 0x1a, 0xa4, 0x5f, 0x84, + 0xbf, 0x2c, 0x5b, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0xcd, 0xca, 0xa3, 0xd4, 0xc9, 0x11, 0xdf, 0x4f, + 0x42, 0x13, 0xdf, 0xcd, 0x5a, 0x13, 0x07, 0x47, 0x16, 0xae, 0x6b, 0xb2, + 0xca, 0xec, 0x70, 0x71, 0x45, 0x5c, 0x61, 0x29, 0x17, 0x63, 0x2c, 0xe9, + 0x75, 0x6f, 0x8a, 0xb7, 0xd5, 0x8d, 0xc8, 0x23, 0x2e, 0xe2, 0x39, 0x1b, + 0xf3, 0x1a, 0xb1, 0xec, 0xf4, 0xc4, 0x88, 0x5a, 0xfe, 0xe2, 0x97, 0x3f, + 0xcb, 0x86, 0x22, 0x8e, 0x58, 0x99, 0x5d, 0x83, 0x46, 0xad, 0x97, 0xbe, + 0x11, 0x13, 0xf0, 0x4b, 0x64, 0x8c, 0x22, 0xca, 0x1f, 0xa4, 0x5d, 0xd7, + 0xf2, 0xc0, 0xc7, 0x1e, 0x57, 0x97, 0x51, 0x26, 0x8d, 0x2b, 0xbb, 0x32, + 0x0e, 0x52, 0xa0, 0xdc, 0xde, 0x4f, 0x85, 0x6e, 0x48, 0xe5, 0x0d, 0xf0, + 0x9e, 0xad, 0xa2, 0xda, 0x69, 0xe0, 0x71, 0x06, 0x63, 0xb1, 0x82, 0x20, + 0xcc, 0x55, 0x08, 0x2f, 0x1b, 0xf9, 0x0b, 0xdd, 0xda, 0xa4, 0xe0, 0xfe, + 0xd6, 0xc2, 0xc3, 0xf1, 0xf8, 0xe1, 0x14, 0xf6, 0xd3, 0xbc, 0x82, 0x53, + 0x06, 0xca, 0xf6, 0x4e, 0x40, 0x88, 0x50, 0x51, 0x33, 0xe2, 0x2a, 0x8b, + 0xa6, 0x1a, 0x37, 0x89, 0xa7, 0xbf, 0x35, 0x2c, 0x4b, 0xf5, 0x7d, 0xc9, + 0x6a, 0x59, 0xb8, 0x62, 0x23, 0x16, 0xf1, 0xd7, 0x2d, 0x67, 0x2d, 0xae, + 0x52, 0x5e, 0x7d, 0x5f, 0xf6, 0x77, 0x9a, 0xed, 0x9c, 0xd0, 0xbd, 0x85, + 0x11, 0xf7, 0xd6, 0x13, 
0xbd, 0x49, 0x55, 0x66, 0xc5, 0xa7, 0x88, 0xee, + 0xb3, 0x52, 0x39, 0x43, 0xfa, 0x9e, 0x43, 0xe4, 0x0b, 0x8f, 0xad, 0x7e, + 0x6c, 0xb8, 0xf5, 0x27, 0x7d, 0x29, 0x7b, 0xb1, 0x1a, 0xb3, 0x24, 0x8a, + 0xff, 0xfe, 0x3f, 0x17, 0xfe, 0x17, 0xb7, 0x20, 0x0a, 0xb5, 0x98, 0x32, + 0x72, 0x55, 0xd4, 0xfa, 0x94, 0x09, 0x28, 0xdf, 0x67, 0xc9, 0x61, 0x90, + 0xab, 0x03, 0x79, 0xcf, 0x00, 0xa1, 0x0a, 0x4c, 0x31, 0x82, 0x01, 0x50, + 0x30, 0x82, 0x01, 0x4c, 0x02, 0x01, 0x01, 0x30, 0x25, 0x30, 0x0d, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, + 0x02, 0x14, 0x65, 0x75, 0x53, 0x72, 0x12, 0x66, 0xdd, 0x35, 0x15, 0x7c, + 0xe8, 0x6c, 0x53, 0x88, 0xd2, 0x01, 0x81, 0x62, 0xe7, 0x36, 0x30, 0x0d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xca, 0x5f, 0x9a, 0xc7, + 0x7d, 0xc6, 0x89, 0xab, 0xec, 0x1c, 0xc6, 0xdd, 0x79, 0xf7, 0xee, 0x53, + 0xbd, 0xc4, 0xed, 0x59, 0x82, 0xa0, 0xe1, 0x98, 0x86, 0x20, 0xd0, 0xac, + 0x76, 0x45, 0x44, 0x0e, 0x20, 0xf9, 0x96, 0xf5, 0xcf, 0x60, 0x43, 0x3a, + 0x05, 0x31, 0xf8, 0xe4, 0x6b, 0x75, 0xe3, 0x11, 0x8f, 0x9b, 0x4b, 0x4a, + 0xd9, 0x60, 0xc2, 0x03, 0xdf, 0x06, 0xef, 0x3c, 0x85, 0x03, 0x81, 0x61, + 0x6a, 0x0f, 0xa4, 0x72, 0x02, 0xf9, 0x3a, 0x25, 0xa7, 0x7e, 0xf5, 0x6c, + 0x36, 0x02, 0x6c, 0x47, 0x3e, 0x8d, 0x27, 0x5e, 0x79, 0xc6, 0xaa, 0x67, + 0x74, 0x6a, 0x77, 0x0f, 0x21, 0x95, 0x0d, 0xfe, 0xa2, 0x90, 0x2a, 0x54, + 0x90, 0xff, 0x3d, 0x6a, 0x5d, 0x4d, 0x43, 0xa5, 0xa3, 0xd1, 0x04, 0xcb, + 0x75, 0xd1, 0x2a, 0xf5, 0xa7, 0x27, 0x1e, 0x74, 0xbd, 0xef, 0x47, 0xae, + 0xb5, 0x42, 0xb5, 0x24, 0x9f, 0xc0, 0x01, 0x9b, 0xca, 0x7e, 0xda, 0xa9, + 0x76, 0x7c, 0xf1, 0x2e, 0x43, 0xdc, 0x6c, 0x21, 0x1c, 0x7e, 0xe2, 0x6b, + 0x2b, 0x1a, 0x41, 0x00, 0x95, 0xbe, 0x8a, 0xb9, 0x88, 0x6f, 0x2b, 0xaf, + 0x64, 0x75, 0xb8, 0xa1, 0xe6, 0xf5, 0x03, 0x8a, 0x7f, 0xd9, 0x7d, 0x94, + 0x36, 0xa4, 0x37, 0xba, 
0xaa, 0xc1, 0xb1, 0xae, 0xe6, 0xbf, 0x32, 0x79, + 0x2e, 0x27, 0xbf, 0xfd, 0x41, 0x98, 0x3d, 0xe3, 0x6e, 0x25, 0x0a, 0xaf, + 0xfd, 0x37, 0xef, 0x68, 0xc3, 0xdc, 0xb9, 0x9c, 0xa0, 0xb9, 0xa4, 0x92, + 0x01, 0xfb, 0x87, 0x18, 0x89, 0xf2, 0xc7, 0x8e, 0xb1, 0xdb, 0x4b, 0xf0, + 0xca, 0xf6, 0x1e, 0x8c, 0x19, 0x82, 0xa8, 0x1e, 0xe9, 0xfc, 0x12, 0xdd, + 0xe2, 0x57, 0x5f, 0x1b, 0xe2, 0xd9, 0x63, 0xbb, 0x16, 0x99, 0x46, 0x03, + 0x8c, 0x09, 0x9a, 0xd5, 0x87, 0x32, 0x9c, 0x57, 0x84, 0xd9, 0xf4, 0x0f, + 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, + 0x5c, 0x2b, 0xf0, 0x72, 0x2d, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x11, 0x03, 0x00, 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, + 0x44, 0x44, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xfd, + 0x30, 0x82, 0x01, 0xe5, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x35, + 0xa7, 0x5b, 0x54, 0x85, 0x3a, 0x10, 0xbd, 0x95, 0xed, 0x28, 0xda, 0x7e, + 0xc5, 0x26, 0x7d, 0xb7, 0xc5, 0x9c, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, + 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, + 0x45, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x31, 0x31, 0x39, + 0x31, 0x36, 0x34, 0x30, 0x35, 0x34, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x31, + 0x31, 0x31, 0x36, 0x31, 0x36, 0x34, 0x30, 0x35, 0x34, 0x5a, 0x30, 0x0e, + 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, + 0x45, 0x4b, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc9, + 0x9e, 0x2a, 0x8a, 0x23, 0x86, 0xe1, 0x81, 0xff, 0xeb, 0x0f, 0x4d, 0x9a, + 0xf9, 0x67, 0x63, 0xb4, 0x8a, 0x43, 0x12, 0x7d, 0xf8, 0x27, 0x32, 0x9f, + 0xd8, 0xcd, 0x88, 0xd8, 0xf3, 0x28, 0xa8, 0x7a, 0xb8, 0xdf, 0x5f, 0x23, + 0xcc, 0x8a, 0x02, 0x4f, 0xe3, 0xc1, 0xe6, 0x5d, 0xbe, 0x68, 0xeb, 0x15, + 0x8c, 0x8d, 0x15, 0x1d, 
0xd6, 0x4e, 0x4f, 0xe2, 0x77, 0xc3, 0xb0, 0x1d, + 0x9c, 0x46, 0xa8, 0x14, 0x9f, 0x6e, 0x30, 0x0f, 0x88, 0x0a, 0x6d, 0xa7, + 0x88, 0x8a, 0xeb, 0xa8, 0xcf, 0xe9, 0xb7, 0x12, 0xc8, 0x40, 0x09, 0xa1, + 0xe9, 0x0a, 0xc6, 0xe4, 0x55, 0xf4, 0x30, 0x85, 0x5d, 0x25, 0x4b, 0x4c, + 0xf8, 0x37, 0xf5, 0x94, 0x38, 0x20, 0x21, 0x54, 0x29, 0xe1, 0xd8, 0xdf, + 0x36, 0xf4, 0xad, 0xaa, 0x1c, 0x90, 0x82, 0xbf, 0xfa, 0x3e, 0xcc, 0xf9, + 0x6a, 0x04, 0x59, 0xa6, 0xf8, 0xb4, 0x22, 0x11, 0x60, 0xcf, 0xa7, 0x41, + 0x6b, 0xce, 0x0e, 0xdf, 0xfa, 0xa6, 0x39, 0x6a, 0x6f, 0x27, 0x7e, 0x13, + 0x44, 0x23, 0xc5, 0x2b, 0x6d, 0x76, 0xb6, 0x1c, 0x5c, 0x4d, 0x07, 0x1a, + 0x53, 0x23, 0x39, 0x65, 0x3b, 0x10, 0xfc, 0xd3, 0x7d, 0x50, 0xb4, 0x13, + 0x62, 0x0d, 0x0f, 0x11, 0x50, 0x1d, 0x9f, 0x25, 0x00, 0xff, 0x9f, 0x8c, + 0xb8, 0x57, 0x45, 0x67, 0x6a, 0x41, 0x2f, 0x6b, 0xff, 0x8f, 0x12, 0x04, + 0x0c, 0xcd, 0xf9, 0xf4, 0x92, 0x0a, 0xea, 0xf6, 0x48, 0x38, 0x4a, 0x9f, + 0xdf, 0x92, 0xb4, 0x84, 0xcf, 0x49, 0x6e, 0xb5, 0x88, 0x7d, 0x7b, 0x33, + 0x86, 0xc3, 0x84, 0x08, 0x08, 0x8b, 0x16, 0x9f, 0x4d, 0x82, 0xb5, 0x15, + 0x03, 0x7e, 0x98, 0x4a, 0xb8, 0xe4, 0xee, 0xf6, 0x01, 0xea, 0x0e, 0x9f, + 0x41, 0x91, 0x2c, 0x37, 0xf2, 0xab, 0xaf, 0xa0, 0x85, 0x9c, 0x31, 0xfa, + 0x3f, 0xe9, 0x33, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x88, + 0xf1, 0x79, 0xea, 0xd8, 0xf9, 0xbe, 0xc7, 0x96, 0x92, 0xa9, 0x08, 0xf3, + 0x75, 0x67, 0x6f, 0xf8, 0x42, 0x0f, 0xc4, 0x30, 0x1f, 0x06, 0x03, 0x55, + 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x88, 0xf1, 0x79, 0xea, + 0xd8, 0xf9, 0xbe, 0xc7, 0x96, 0x92, 0xa9, 0x08, 0xf3, 0x75, 0x67, 0x6f, + 0xf8, 0x42, 0x0f, 0xc4, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, + 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x70, 0xec, 0x6a, 0x52, 0x39, 0xb8, 0xe4, + 0x5e, 0x05, 0xbb, 0xef, 
0x4b, 0x8d, 0xfa, 0xb8, 0x3d, 0xc0, 0x11, 0x32, + 0xda, 0xe8, 0x51, 0xfd, 0x70, 0x93, 0x0e, 0x90, 0x01, 0x16, 0x78, 0x39, + 0xb6, 0xc5, 0x03, 0x13, 0x93, 0xb1, 0x5d, 0x76, 0xb9, 0x16, 0xcd, 0xfb, + 0x50, 0x43, 0x67, 0x0b, 0xa1, 0x5a, 0x8f, 0x01, 0xdf, 0x98, 0xbf, 0x9c, + 0xaa, 0x04, 0xf3, 0x2d, 0xeb, 0x3d, 0x8c, 0x7c, 0x0d, 0xcd, 0x41, 0x30, + 0x89, 0x47, 0xd4, 0x50, 0x36, 0x8f, 0x44, 0x8e, 0x63, 0x9d, 0x0d, 0x16, + 0x39, 0xf0, 0xf9, 0x42, 0xac, 0x50, 0x79, 0x0e, 0xa1, 0xe4, 0x96, 0x3b, + 0x23, 0xf1, 0x7c, 0xe4, 0x9a, 0xc3, 0x9a, 0x35, 0x6f, 0x83, 0xb1, 0x78, + 0x24, 0xf4, 0x07, 0xdd, 0x38, 0xa1, 0x54, 0xe3, 0x39, 0x3e, 0x86, 0x67, + 0x19, 0xe4, 0xb8, 0x2b, 0x87, 0xf9, 0x9e, 0x78, 0x7f, 0x8c, 0x8f, 0xf2, + 0x64, 0x75, 0xc2, 0x93, 0xd2, 0x18, 0xf9, 0x6d, 0xdc, 0x6e, 0x18, 0x27, + 0xfe, 0x49, 0xce, 0x96, 0x7b, 0xb4, 0x17, 0xd8, 0xbc, 0x19, 0x81, 0x9a, + 0x18, 0x31, 0xbd, 0x78, 0xdb, 0xcd, 0xca, 0x08, 0xe2, 0x54, 0x7d, 0x15, + 0xc5, 0x79, 0x97, 0xbf, 0xab, 0x14, 0xdf, 0x61, 0x10, 0x1d, 0x1c, 0xae, + 0x10, 0x00, 0x0c, 0x06, 0x8b, 0x72, 0xdc, 0xff, 0xbe, 0xf7, 0x1f, 0xac, + 0x9c, 0x87, 0x36, 0x47, 0x72, 0x1f, 0x7f, 0x61, 0x3c, 0xee, 0xc8, 0x2b, + 0xaa, 0x24, 0x58, 0x93, 0xdb, 0x71, 0x47, 0x81, 0xeb, 0xa5, 0x42, 0xfc, + 0x61, 0x2a, 0xf1, 0x70, 0xab, 0xdc, 0xe8, 0x94, 0x10, 0xcc, 0x0e, 0xb8, + 0xea, 0xaa, 0x1e, 0x62, 0xb4, 0x10, 0xc6, 0xa2, 0x25, 0xe7, 0x21, 0xff, + 0x71, 0x61, 0x04, 0xad, 0x54, 0x7c, 0x60, 0x60, 0x56, 0x4a, 0x0d, 0x1d, + 0x2d, 0x9e, 0x7c, 0x59, 0x4b, 0x8a, 0x40, 0xd3, 0x76, +}; +unsigned int IllformatKEK_auth_len = 2001; diff --git a/libstb/secvar/test/data/multipleDB.h b/libstb/secvar/test/data/multipleDB.h new file mode 100644 index 00000000..0c0a5d40 --- /dev/null +++ b/libstb/secvar/test/data/multipleDB.h 
@@ -0,0 +1,246 @@ +unsigned char multipleDB_auth[] = { + 0xe3, 0x07, 0x0c, 0x0c, 0x0a, 0x2c, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x94, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x78, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x69, 0x30, + 0x82, 0x04, 0x65, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf6, 0x30, 0x82, 0x02, 0xf2, 0x30, 0x82, 0x01, 0xda, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xfe, 0xdd, 0x2e, 0xec, + 0xe0, 0x22, 0xdd, 0xf9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, 0x31, 0x0c, 0x30, + 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x33, 0x31, 0x5a, 0x30, 0x0e, 0x31, 0x0c, 0x30, + 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0xf8, 0xab, 0xdb, + 0xc2, 0xf5, 0x51, 0xde, 0x7b, 0x9f, 0x28, 0xff, 0xae, 0xdb, 0xa5, 0xbf, + 0x73, 0x63, 0x99, 0x5e, 0x04, 0xa5, 0x9d, 0xfd, 0xcd, 0x24, 0x2e, 0xdd, + 0x0b, 0x02, 0x88, 0xe9, 0x71, 0x7b, 0xf2, 0x89, 0x90, 0xae, 0xaf, 0x0d, + 0xa0, 0x68, 0x4d, 0x31, 0x1b, 0x30, 0xe8, 0x19, 0x2e, 0xfc, 0x33, 0x8f, + 0xee, 0x6d, 0x2a, 0x0a, 0x09, 0x42, 0x34, 0xc1, 0x40, 0xa8, 0xe8, 0xb6, + 0xc7, 0x92, 0x5d, 0xa5, 0x96, 0x14, 0xd7, 0xaf, 0x8c, 0x71, 0x6b, 0x4e, + 0x7d, 0x6e, 0xfa, 
0x73, 0x1c, 0x40, 0x4c, 0x05, 0x9e, 0xfa, 0xb2, 0x4c, + 0x8c, 0xcb, 0x9d, 0xe2, 0xa9, 0x04, 0x01, 0x91, 0x5b, 0xbf, 0xff, 0x85, + 0x54, 0x2a, 0x65, 0x96, 0x84, 0x6f, 0xfa, 0x99, 0x1c, 0x9e, 0xe0, 0x77, + 0x68, 0x4d, 0x58, 0x2a, 0xc7, 0xc0, 0x8f, 0x71, 0x5a, 0x8f, 0xa9, 0xff, + 0x44, 0xed, 0xf7, 0xe4, 0x47, 0xd8, 0x4c, 0x9c, 0xf4, 0x78, 0xa0, 0xb3, + 0x37, 0xaf, 0x43, 0x0b, 0x03, 0x6f, 0xe4, 0xe1, 0x2d, 0x52, 0x0b, 0x4b, + 0x62, 0xc6, 0x2f, 0xe3, 0xfc, 0x32, 0xf2, 0xe2, 0x11, 0x1c, 0xac, 0xdf, + 0x5a, 0xe8, 0xdd, 0x55, 0x65, 0xa4, 0x6f, 0x61, 0xb7, 0x0f, 0x1c, 0xc6, + 0x08, 0x2a, 0xaf, 0x5d, 0x36, 0x50, 0x06, 0x7b, 0x49, 0xa0, 0x8b, 0x1c, + 0x93, 0xdc, 0x72, 0x69, 0x7b, 0xf1, 0xcc, 0xee, 0xa4, 0xe8, 0xd0, 0x7b, + 0x5f, 0x61, 0xbc, 0xbe, 0x20, 0xfb, 0x0b, 0xaa, 0x54, 0xf6, 0xe0, 0x13, + 0xad, 0xe8, 0x96, 0x53, 0x6a, 0xa9, 0x4b, 0xa1, 0xcf, 0x56, 0x10, 0xbc, + 0x2a, 0x09, 0xc9, 0x0a, 0xcc, 0x8d, 0x20, 0xdd, 0x4d, 0x14, 0xc7, 0x08, + 0xab, 0xc1, 0xc3, 0xaf, 0x0b, 0x35, 0x40, 0x57, 0x34, 0x97, 0x3b, 0xa2, + 0x2d, 0xa3, 0x46, 0xc1, 0x30, 0x14, 0x88, 0xa8, 0x74, 0x79, 0xdd, 0xb1, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd7, 0x75, 0xfc, 0xed, + 0xb7, 0xc8, 0xb5, 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, + 0x57, 0x0d, 0x94, 0xa8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, 0xb5, + 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, 0x94, + 0xa8, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x58, 0xd2, 0x25, 0xa3, 0xe6, 0xaa, 0xb9, 0x56, 0x67, 0xc3, + 0xa6, 0x4b, 0x88, 0x99, 0xfe, 0xde, 0xc6, 0x16, 0x4c, 0x43, 0x1b, 0xb8, + 0xea, 0xe3, 0x77, 0xc4, 0xe4, 0x66, 0x15, 0x9f, 0x92, 0x6d, 0xe3, 0x7f, + 0x3c, 0xac, 0x88, 
0x8b, 0xb9, 0xc5, 0x5c, 0x39, 0x4f, 0x02, 0x75, 0x5a, + 0x3d, 0xc5, 0xaf, 0xad, 0x8f, 0x32, 0xd4, 0x5a, 0x44, 0xc8, 0xcb, 0x1f, + 0x40, 0xa1, 0x44, 0xef, 0xa8, 0x2a, 0xa4, 0x0d, 0x7a, 0x25, 0xe1, 0x6c, + 0x09, 0x4b, 0x96, 0x6a, 0x73, 0x0f, 0xe0, 0x9b, 0x0e, 0x26, 0xff, 0x61, + 0x96, 0xc4, 0xb6, 0x10, 0xe1, 0x90, 0x36, 0xfd, 0x96, 0xb5, 0x90, 0xb0, + 0x76, 0xed, 0xc2, 0x17, 0xc0, 0xfe, 0xd4, 0x38, 0xff, 0x7f, 0xc3, 0xa0, + 0x88, 0x60, 0xe8, 0x27, 0x10, 0x34, 0x35, 0x93, 0x59, 0xcb, 0x12, 0xe5, + 0x25, 0xaf, 0x2d, 0x1d, 0x7d, 0x3f, 0x16, 0x95, 0x71, 0x57, 0x8e, 0x3f, + 0xc2, 0xad, 0x8e, 0xc4, 0x0e, 0xe1, 0xed, 0x46, 0xf9, 0xd7, 0x07, 0x85, + 0xb3, 0x05, 0xbe, 0xf1, 0x4c, 0xba, 0xf1, 0x34, 0xe5, 0xd5, 0x26, 0x9b, + 0x6c, 0x15, 0x9e, 0x35, 0xa2, 0xd5, 0x81, 0x09, 0x36, 0x05, 0xa6, 0x99, + 0x1f, 0xa2, 0x17, 0x35, 0x3a, 0x38, 0x18, 0x52, 0x44, 0xcf, 0x22, 0xb3, + 0x69, 0xba, 0x07, 0x74, 0x48, 0x1c, 0x8e, 0x4c, 0xa7, 0xb0, 0xc2, 0x65, + 0x6c, 0x1d, 0x30, 0xe2, 0x82, 0xc2, 0x35, 0x60, 0x25, 0xf2, 0xb1, 0x05, + 0x18, 0x0a, 0x73, 0x87, 0x27, 0xee, 0x6e, 0xc2, 0x5f, 0xff, 0xd8, 0xfc, + 0x77, 0x06, 0x2e, 0x3d, 0x4f, 0xa1, 0x14, 0x04, 0x5d, 0xae, 0x38, 0x28, + 0xf9, 0x3d, 0x82, 0x5f, 0xc6, 0xd0, 0x31, 0x21, 0x88, 0xda, 0x7f, 0x78, + 0xe3, 0xb7, 0xed, 0x52, 0x37, 0xf4, 0x29, 0x08, 0x88, 0x50, 0x54, 0x56, + 0x67, 0xc0, 0xe1, 0xf4, 0xe7, 0xcf, 0x31, 0x82, 0x01, 0x46, 0x30, 0x82, + 0x01, 0x42, 0x02, 0x01, 0x01, 0x30, 0x1b, 0x30, 0x0e, 0x31, 0x0c, 0x30, + 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, 0x02, + 0x09, 0x00, 0xfe, 0xdd, 0x2e, 0xec, 0xe0, 0x22, 0xdd, 0xf9, 0x30, 0x0d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xb9, 0x54, 0x15, 0x97, + 0x74, 0xe4, 0x9c, 0xc7, 0xf8, 0x45, 0x2a, 0xdb, 0xca, 0x34, 0x58, 0x0a, + 0x82, 0x32, 0x58, 0xaa, 0x82, 0xde, 0xc2, 0x47, 0xda, 0x77, 0xf6, 0x52, + 0xc6, 0x84, 0x55, 
0x0b, 0x80, 0x1d, 0x9a, 0xc3, 0x18, 0xb8, 0x73, 0xea, + 0x4d, 0x77, 0x37, 0xa3, 0xa7, 0x44, 0xc3, 0xfc, 0x82, 0x29, 0xeb, 0x39, + 0x9c, 0xb6, 0xb8, 0xdb, 0x3c, 0x77, 0xce, 0x3d, 0xfb, 0x53, 0x5c, 0xd6, + 0x81, 0xd5, 0xca, 0x69, 0x3c, 0x61, 0xec, 0x1a, 0x38, 0xdb, 0x6e, 0x74, + 0xf8, 0xf3, 0xc1, 0xe4, 0x7d, 0x62, 0x35, 0xd0, 0x51, 0xca, 0x02, 0x55, + 0x46, 0x86, 0x03, 0x39, 0x00, 0x1c, 0xa7, 0x3c, 0xe5, 0xcf, 0x46, 0x67, + 0x9a, 0x23, 0x93, 0x6f, 0x58, 0xcb, 0x9b, 0x78, 0xb7, 0x49, 0x7b, 0x5c, + 0x4a, 0x56, 0xf2, 0xdd, 0x78, 0xde, 0x88, 0xd2, 0xeb, 0x4c, 0x4a, 0x2d, + 0xf1, 0x35, 0x66, 0x45, 0x75, 0xfa, 0x62, 0xac, 0xd4, 0xee, 0x7b, 0x5e, + 0x84, 0x08, 0xd6, 0xec, 0xb6, 0xe0, 0xaa, 0x44, 0x78, 0xd5, 0x41, 0x96, + 0x4f, 0xaf, 0x0a, 0xcd, 0x5c, 0x6a, 0x46, 0x48, 0x08, 0x02, 0xf9, 0xfa, + 0xba, 0x01, 0xce, 0x5d, 0xda, 0xbe, 0xcf, 0xf5, 0x51, 0x99, 0x3c, 0x0a, + 0x01, 0xad, 0xbf, 0x92, 0x3f, 0x9e, 0x2c, 0x16, 0x27, 0x0f, 0xc6, 0x47, + 0x07, 0x77, 0x82, 0x17, 0x48, 0x3b, 0xdc, 0xef, 0x99, 0x77, 0x4d, 0x10, + 0xe6, 0x2c, 0xf4, 0x47, 0x6a, 0xe8, 0xe7, 0x82, 0xae, 0x00, 0x3c, 0x4c, + 0xde, 0x76, 0x88, 0xe5, 0x5e, 0xc9, 0xc6, 0x6a, 0x64, 0x5c, 0xf6, 0x44, + 0x60, 0x99, 0x1e, 0xb0, 0x3c, 0x5f, 0x17, 0xba, 0xc9, 0xfc, 0xb6, 0x29, + 0xbf, 0x53, 0x53, 0xca, 0xba, 0x7d, 0x0d, 0xd7, 0x41, 0xc4, 0x43, 0x98, + 0xec, 0xc0, 0xde, 0x5c, 0xeb, 0x04, 0x35, 0x9e, 0x0f, 0x60, 0xe8, 0x31, + 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, + 0x5c, 0x2b, 0xf0, 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x03, 0x00, 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, + 0x44, 0x44, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, + 0x30, 0x82, 0x01, 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, + 0x89, 0x65, 0xe1, 0xbe, 0x1d, 0x33, 0xea, 0xb7, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, + 0x44, 0x42, 0x30, 
0x1e, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, + 0x31, 0x30, 0x39, 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x44, + 0x42, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xce, 0x70, + 0xf2, 0x2d, 0xa0, 0x56, 0xac, 0xc0, 0xc0, 0x33, 0x9a, 0xa6, 0x2c, 0x89, + 0x3c, 0x88, 0xa9, 0x9c, 0x67, 0xaf, 0xeb, 0x0d, 0x44, 0x7b, 0xe7, 0x85, + 0xf1, 0x3d, 0xc4, 0x71, 0xdd, 0xb4, 0xa7, 0x51, 0xac, 0x87, 0xfa, 0x85, + 0xf0, 0x3c, 0x80, 0x0a, 0x33, 0x43, 0x02, 0xd6, 0xa8, 0x59, 0xe3, 0xc3, + 0x42, 0x22, 0xe0, 0x0c, 0xbc, 0xc7, 0x02, 0x60, 0xff, 0x09, 0x81, 0x1c, + 0x73, 0x76, 0x22, 0x29, 0xb8, 0x67, 0x2a, 0x76, 0x17, 0xd2, 0x9a, 0x33, + 0x78, 0x6d, 0x40, 0x60, 0x24, 0x07, 0xfb, 0x1f, 0xf6, 0xf5, 0xb2, 0xac, + 0x44, 0x77, 0xd2, 0x5e, 0x9d, 0xd7, 0x24, 0xe2, 0x6e, 0xa1, 0xf2, 0xb8, + 0x08, 0x18, 0x61, 0x77, 0x83, 0xe8, 0x82, 0x72, 0x6d, 0xf6, 0xb3, 0x98, + 0x39, 0x43, 0xb8, 0xaa, 0x97, 0x03, 0xc7, 0x68, 0x2e, 0x1d, 0xf8, 0xaf, + 0x75, 0xad, 0x9e, 0x18, 0x48, 0xa3, 0x24, 0x3e, 0x04, 0x30, 0xe2, 0xa7, + 0x30, 0xf7, 0xf7, 0xb3, 0x05, 0xac, 0x11, 0xf4, 0x20, 0x47, 0x36, 0xcf, + 0xca, 0xe0, 0x8c, 0x52, 0x0d, 0x4b, 0x30, 0xf0, 0x7e, 0x6f, 0x48, 0x83, + 0xe1, 0xb9, 0xd1, 0x1d, 0x27, 0x5d, 0xd3, 0x10, 0x9d, 0x63, 0xdb, 0xe0, + 0x87, 0x53, 0x75, 0xae, 0xdd, 0xc0, 0x6c, 0x89, 0x33, 0xeb, 0x3e, 0x87, + 0x33, 0x58, 0x11, 0xe5, 0x04, 0xcd, 0xeb, 0x8e, 0xfe, 0x48, 0x7b, 0xd1, + 0x37, 0xb4, 0x41, 0x9a, 0x3b, 0xab, 0x99, 0x03, 0xfc, 0x72, 0x4f, 0x39, + 0xb2, 0x0c, 0x34, 0x7d, 0x4f, 0xa7, 0x5e, 0x8b, 0x1e, 0x13, 0xea, 0xab, + 0x37, 0x28, 0x34, 0x6a, 0x91, 0xb9, 0x21, 0x79, 0x1b, 0x82, 0xc0, 0x61, + 0x4d, 0xb7, 0xa0, 0xc5, 0x73, 0xe7, 0x11, 0x75, 0x88, 0x41, 0x36, 0xf7, + 0x55, 0x94, 0x87, 
0x6e, 0x25, 0x82, 0xf7, 0xf9, 0xcf, 0xc3, 0x3c, 0x24, + 0xa2, 0xcb, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xe6, 0xb8, + 0x4e, 0x62, 0xdb, 0xbd, 0x98, 0x8a, 0xbb, 0xfd, 0xa0, 0x08, 0x35, 0x5a, + 0xa6, 0xa0, 0x80, 0x01, 0xc5, 0x8c, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, + 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe6, 0xb8, 0x4e, 0x62, 0xdb, + 0xbd, 0x98, 0x8a, 0xbb, 0xfd, 0xa0, 0x08, 0x35, 0x5a, 0xa6, 0xa0, 0x80, + 0x01, 0xc5, 0x8c, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x6e, 0xb3, 0x79, 0x61, 0xeb, 0xa5, 0xa6, 0x6b, + 0x77, 0xcd, 0x6a, 0x76, 0xb7, 0xbf, 0x86, 0xcf, 0x4c, 0xa2, 0xa5, 0xa5, + 0x01, 0xb7, 0xb7, 0x61, 0x71, 0x85, 0x92, 0x02, 0xee, 0x5a, 0xaa, 0xd7, + 0x4a, 0xcf, 0x87, 0x2a, 0xa2, 0x70, 0x8c, 0x49, 0xe9, 0x05, 0x49, 0x46, + 0x3d, 0xc1, 0xe6, 0xe9, 0x59, 0x95, 0xd4, 0xc8, 0x0e, 0xb6, 0x6d, 0x01, + 0xfb, 0x74, 0x01, 0x69, 0xb2, 0xb4, 0x9b, 0xe8, 0x2c, 0x99, 0xb3, 0x96, + 0x7f, 0xd9, 0x96, 0xa6, 0x28, 0x02, 0x10, 0x07, 0x6a, 0xc2, 0x19, 0x27, + 0x63, 0x9c, 0x35, 0x0a, 0x9a, 0xda, 0x5c, 0x9c, 0x91, 0xb5, 0xc6, 0xe5, + 0x7c, 0x64, 0x76, 0x07, 0xf6, 0x56, 0x7a, 0xf0, 0xf6, 0x09, 0xaf, 0x3b, + 0x4b, 0x40, 0xd6, 0x80, 0xd5, 0x3e, 0x7f, 0xea, 0x11, 0xe4, 0xe1, 0x78, + 0xac, 0x1e, 0x4b, 0xc4, 0xdf, 0xb9, 0xd6, 0x5f, 0x68, 0xba, 0x77, 0x40, + 0xf5, 0x1d, 0xb7, 0x35, 0xaf, 0xcd, 0x37, 0xc4, 0xc9, 0xb4, 0x22, 0x37, + 0xac, 0x2d, 0xf3, 0xc3, 0xf7, 0x94, 0x74, 0x70, 0xfc, 0xc8, 0x13, 0xb2, + 0xdf, 0x98, 0xa1, 0x9c, 0x10, 0xba, 0x14, 0x34, 0xb5, 0x1b, 0x4a, 0x50, + 0x00, 0x22, 0x83, 0x88, 0x79, 0x1e, 0xac, 0xa4, 0xe4, 0x6f, 0xbf, 0x96, + 0x8e, 0xf1, 0x20, 0x53, 0x60, 0x9d, 0x63, 0x74, 0x40, 0x30, 0x72, 0x5e, + 0x56, 0x75, 0xf3, 0x0b, 0x60, 0x6a, 0xe8, 0xab, 0x45, 0x81, 0xe9, 0x7b, + 0x32, 0x31, 0x5b, 
0x28, 0x3e, 0xc1, 0x96, 0x9f, 0x28, 0x2d, 0x74, 0xbe, + 0xfb, 0x4d, 0xe1, 0x15, 0x21, 0x5a, 0x89, 0xde, 0x02, 0x0f, 0x83, 0x18, + 0x33, 0xa4, 0x0e, 0x58, 0x20, 0xaa, 0xea, 0xcf, 0xb0, 0xbc, 0x35, 0xfa, + 0x0c, 0x8a, 0x2d, 0x66, 0xfa, 0x2a, 0xc6, 0xae, 0xe0, 0x07, 0x99, 0xfa, + 0xb3, 0x44, 0x61, 0x61, 0x60, 0x6e, 0xd4, 0x70, 0xa1, 0x59, 0xc0, 0xa5, + 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72, + 0x96, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7a, 0x03, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x30, 0x82, 0x03, 0x66, 0x30, 0x82, 0x02, 0x4e, + 0x02, 0x09, 0x00, 0x95, 0x31, 0xa3, 0x02, 0x84, 0x1f, 0x73, 0x3f, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x75, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x02, 0x54, 0x58, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x06, 0x41, 0x55, 0x53, 0x54, 0x49, 0x4e, 0x31, + 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x03, 0x49, 0x42, + 0x4d, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x03, + 0x4c, 0x54, 0x43, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x02, 0x73, 0x62, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x61, 0x79, + 0x6e, 0x6a, 0x61, 0x69, 0x6e, 0x40, 0x69, 0x62, 0x6d, 0x2e, 0x63, 0x6f, + 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x32, 0x31, 0x32, 0x31, + 0x35, 0x32, 0x34, 0x33, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x32, + 0x31, 0x31, 0x31, 0x35, 0x32, 0x34, 0x33, 0x39, 0x5a, 0x30, 0x75, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x54, + 0x58, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, + 0x41, 0x55, 0x53, 
0x54, 0x49, 0x4e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x0c, 0x03, 0x49, 0x42, 0x4d, 0x31, 0x0c, 0x30, 0x0a, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x03, 0x4c, 0x54, 0x43, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x73, 0x62, 0x31, + 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x01, 0x16, 0x10, 0x6e, 0x61, 0x79, 0x6e, 0x6a, 0x61, 0x69, 0x6e, + 0x40, 0x69, 0x62, 0x6d, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0xcd, 0x62, 0x15, 0x94, 0xc3, 0x3d, + 0xde, 0x0d, 0xe7, 0xb3, 0xfc, 0x30, 0x4a, 0xbb, 0x72, 0x85, 0xd3, 0x9b, + 0xcc, 0xc2, 0xd5, 0x44, 0xf2, 0x36, 0xea, 0xb8, 0x67, 0x66, 0xba, 0x1d, + 0xf1, 0x60, 0x6e, 0x74, 0xe5, 0xd4, 0x85, 0x9e, 0x2c, 0x28, 0xbe, 0xec, + 0x7a, 0xb5, 0xce, 0xb3, 0x61, 0x41, 0xf4, 0xd6, 0xc6, 0xbb, 0x61, 0xe0, + 0xf1, 0x2d, 0x5f, 0xca, 0xca, 0xc3, 0xb0, 0x4b, 0x70, 0xac, 0x37, 0x31, + 0xcd, 0x33, 0xff, 0x7f, 0xef, 0x90, 0x60, 0x49, 0xf8, 0x93, 0xc9, 0x99, + 0x06, 0x6e, 0xdb, 0xe8, 0x81, 0x51, 0xa9, 0x49, 0xd9, 0x0e, 0xda, 0x3e, + 0xff, 0xfe, 0x69, 0x0a, 0x17, 0x80, 0x90, 0x01, 0xe9, 0x49, 0x6e, 0x6f, + 0x30, 0x50, 0x97, 0xb8, 0xba, 0x05, 0xa2, 0x23, 0x22, 0x44, 0xb8, 0x7b, + 0xcf, 0x1c, 0x02, 0xd4, 0xb8, 0x05, 0x38, 0xd7, 0xa3, 0xde, 0x1f, 0x88, + 0x37, 0x1a, 0x7f, 0xb8, 0x5d, 0x3d, 0x8d, 0x04, 0x0e, 0xbe, 0x85, 0x12, + 0x20, 0x89, 0xbc, 0xe0, 0xea, 0xe7, 0xd8, 0xd1, 0x68, 0xab, 0xc7, 0x50, + 0xc5, 0x42, 0x4d, 0x15, 0xa3, 0xdd, 0x15, 0x80, 0xe5, 0x7d, 0x1f, 0x23, + 0x51, 0xf3, 0x02, 0x79, 0x2e, 0x62, 0x40, 0xf6, 0x74, 0xb0, 0x55, 0x28, + 0x90, 0x6b, 0x3c, 0x97, 0x4d, 0x21, 0x09, 0xd6, 0x44, 0x05, 0xe6, 0xa5, + 0xaf, 0x8c, 0x76, 0x7a, 0x30, 0xc9, 0x08, 0xd4, 0x1c, 0x4a, 0x80, 0xcc, + 0xbe, 0xd4, 0x7c, 0x84, 0xa5, 0x6b, 0xe9, 0x9b, 0x9c, 0xcc, 0x32, 0xb9, + 0xe9, 0x7e, 0xb4, 
0x87, 0x2c, 0x3e, 0xc8, 0x5a, 0x18, 0xda, 0xed, 0x9d, + 0x4a, 0xbd, 0xeb, 0xd8, 0xdc, 0x03, 0xc9, 0x08, 0x83, 0x80, 0x71, 0x2b, + 0xca, 0x92, 0x91, 0x9b, 0x33, 0x23, 0x62, 0xd4, 0x2b, 0x0a, 0x89, 0x70, + 0x8e, 0x22, 0xd2, 0x88, 0xa3, 0x89, 0x2f, 0x93, 0xf7, 0x02, 0x03, 0x01, + 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x98, 0x35, + 0x19, 0x40, 0x98, 0xb9, 0x01, 0x27, 0xe3, 0x65, 0x35, 0x5e, 0xef, 0x0d, + 0x0c, 0x17, 0xee, 0x63, 0xe8, 0xc5, 0x60, 0xfd, 0xdf, 0xc0, 0xbc, 0x5b, + 0xaf, 0xd2, 0xbb, 0x2b, 0x23, 0xdb, 0x78, 0x17, 0xc5, 0xdd, 0x89, 0xa6, + 0x1b, 0xd6, 0xe1, 0x75, 0xa6, 0x5c, 0x62, 0xaa, 0x25, 0x6a, 0xbf, 0xd2, + 0xf3, 0x00, 0x71, 0x4d, 0x07, 0x28, 0xac, 0x31, 0x5f, 0x72, 0x78, 0xdb, + 0x50, 0xcc, 0x53, 0x05, 0x72, 0x41, 0x9f, 0x09, 0x8f, 0x33, 0x28, 0x9d, + 0x2f, 0xa9, 0xeb, 0x5d, 0xe8, 0x4d, 0x7f, 0x58, 0x88, 0x69, 0x54, 0x7d, + 0x5f, 0x1a, 0xe4, 0x07, 0x0b, 0x63, 0x71, 0xd6, 0x8e, 0xe3, 0xaa, 0xe7, + 0x09, 0xa7, 0xa7, 0xfe, 0xec, 0xa3, 0x9e, 0xc3, 0x60, 0x07, 0x5d, 0xa8, + 0x01, 0xac, 0x6b, 0xd9, 0x19, 0x57, 0x82, 0x76, 0x0d, 0x5a, 0xdc, 0x40, + 0x82, 0xbb, 0x04, 0xa4, 0xb4, 0xd9, 0x88, 0xab, 0xa2, 0x8f, 0xca, 0xf4, + 0xd7, 0x91, 0x84, 0x46, 0x5a, 0x49, 0x6e, 0xc9, 0xcd, 0xcc, 0xf5, 0x2a, + 0x17, 0xf4, 0xbf, 0xcc, 0x78, 0x0c, 0xe0, 0x18, 0xf9, 0x73, 0xa7, 0x81, + 0x39, 0x08, 0x07, 0xdf, 0x56, 0x95, 0xd0, 0xa5, 0x54, 0xe5, 0xad, 0x85, + 0xc6, 0x51, 0xfd, 0x69, 0x4b, 0xa8, 0x90, 0xdd, 0x3a, 0xf8, 0xe7, 0x57, + 0x93, 0x5e, 0xcd, 0x8e, 0x62, 0x9c, 0x66, 0xd5, 0x86, 0x48, 0xfe, 0x81, + 0xa3, 0xc0, 0xdb, 0x70, 0x01, 0xbd, 0x76, 0xd9, 0x74, 0x95, 0x5c, 0xf1, + 0xce, 0x90, 0x6a, 0xd8, 0x3d, 0x9f, 0x32, 0x24, 0x18, 0x69, 0x55, 0x68, + 0x95, 0x91, 0x54, 0x99, 0xe3, 0x87, 0x47, 0xea, 0x3c, 0xa1, 0xc2, 0x23, + 0x66, 0xf2, 0xf4, 0xcc, 0xb9, 0x57, 0x46, 0x72, 0x73, 0x20, 0x71, 0xd3, + 0x57, 0x56, 0xd4, 0x46, 0x29, 0x54, 0xb8, 0x8c, 0x6e, 0x30, 0x17, 0x38, + 0xcd, 0xdd, +}; 
+unsigned int multipleDB_auth_len = 2906; diff --git a/libstb/secvar/test/data/multipleKEK.h b/libstb/secvar/test/data/multipleKEK.h new file mode 100644 index 00000000..c7b31971 --- /dev/null +++ b/libstb/secvar/test/data/multipleKEK.h 
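Review bot: the second certificate in this multipleDB.h payload (the EFI_SIGNATURE_DATA with SignatureSize 0x37a that follows the first certificate's sha256WithRSA signature) has a one-year validity, notBefore 191212152439Z and notAfter 201211152439Z, so it expires on 2020-12-11, and it is an X.509 v1 certificate with no extensions: the TBSCertificate opens directly with the serial 00:95:31:a3:02:84:1f:73:3f and the sha256WithRSA AlgorithmIdentifier, whereas the certificate before it is v3 with SubjectKeyIdentifier, AuthorityKeyIdentifier and a critical basicConstraints CA:TRUE. Unless the test deliberately exercises an expired or v1 entry, regenerate this entry with the same long validity and v3 layout as the PK/KEK certificates in this series (those run 190112185629Z to 290109185629Z) so the fixture does not age out of any date check the verifier performs now or gains later, and add a comment above `multipleDB_auth[]` naming the two certificates, their validity and the command used to build the blob. The all-zero SignatureOwner GUID on this entry, as against 11111111-2222-3333-4444-123456789abc in the KEK/PK fixtures, is harmless but worth a word in that comment as well.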
@@ -0,0 +1,236 @@ +unsigned char multipleKEK_auth[] = { + 0xe3, 0x07, 0x0c, 0x0c, 0x16, 0x27, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 
0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 
0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x61, 0x13, 0xf4, 0x87, 0xad, 0xa5, 0xab, + 0x76, 0x07, 0x49, 0x66, 0x79, 0xcd, 0xe4, 0x64, 0x0b, 0x0c, 0xfe, 0x75, + 0x94, 0xa9, 0xff, 0xc2, 0xbf, 0xc8, 0xbc, 0x00, 0x13, 0x5f, 0x08, 0x08, + 0x89, 0xd8, 0x63, 
0x79, 0x19, 0xf0, 0x90, 0x59, 0x0e, 0x6e, 0x53, 0xee, + 0x1a, 0xee, 0x60, 0xcb, 0x26, 0xaf, 0x05, 0xb4, 0xbc, 0x97, 0x0b, 0x91, + 0xd9, 0xad, 0x42, 0xa9, 0x6e, 0x4e, 0xc3, 0xae, 0xad, 0xa4, 0x20, 0x54, + 0x59, 0x64, 0xba, 0xbb, 0x8b, 0x11, 0xfa, 0x45, 0x02, 0xa6, 0xa0, 0xb1, + 0x18, 0x39, 0x8a, 0xc0, 0x5e, 0x44, 0xc3, 0xdc, 0x65, 0x7f, 0xef, 0x18, + 0x03, 0x2a, 0xe2, 0x46, 0xa8, 0xbe, 0xc7, 0xb0, 0xdf, 0x1b, 0x7d, 0xf9, + 0x97, 0xbd, 0x94, 0xd8, 0x38, 0x38, 0x9b, 0x57, 0x35, 0xf8, 0xdb, 0xe9, + 0x27, 0xc7, 0x70, 0xad, 0x10, 0x6d, 0x81, 0xd7, 0xad, 0x7d, 0xfd, 0xdb, + 0x1c, 0x7e, 0x2b, 0x0e, 0x5b, 0xd3, 0xa9, 0x04, 0x7e, 0xcc, 0xc1, 0x50, + 0x6d, 0x51, 0xf6, 0xad, 0x4b, 0xb3, 0x14, 0x29, 0xad, 0x2e, 0xcd, 0xd0, + 0x54, 0x67, 0xa2, 0x88, 0xe6, 0x60, 0x03, 0x62, 0x1a, 0x7e, 0x20, 0x42, + 0xd5, 0xa1, 0x2b, 0x1a, 0xac, 0x69, 0x03, 0xc4, 0x99, 0x92, 0xa0, 0xbd, + 0x3b, 0x8a, 0x0c, 0x12, 0x77, 0x2b, 0x0e, 0xc3, 0xbc, 0x64, 0x9f, 0x73, + 0x7a, 0xa3, 0x4f, 0x1a, 0x0f, 0x1d, 0x92, 0xd0, 0x86, 0x55, 0x1d, 0x73, + 0x87, 0xf2, 0xdd, 0x25, 0xf3, 0x2a, 0x4b, 0x22, 0x64, 0x8d, 0x7d, 0x25, + 0x5b, 0xe6, 0xe4, 0x39, 0x95, 0x32, 0xd9, 0xa9, 0x11, 0xd2, 0x9c, 0x42, + 0xd0, 0x00, 0xa7, 0x02, 0x07, 0x36, 0x64, 0x2b, 0xdc, 0x8a, 0x75, 0x71, + 0xde, 0xa8, 0xf7, 0x3d, 0xdf, 0xe0, 0xcc, 0x90, 0x0f, 0x99, 0x26, 0xd4, + 0x76, 0xc8, 0x03, 0xf4, 0x68, 0xe1, 0x37, 0xc7, 0x8f, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, + 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, + 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 
0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, + 0x2d, 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, + 0x61, 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, + 0xd3, 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, + 0xb4, 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, + 0x0d, 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, + 0x8d, 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, + 0x5f, 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, + 0xf0, 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, + 0x75, 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, + 0x91, 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, + 0xbf, 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, + 0x21, 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, + 0x41, 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, + 0x87, 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, + 0x0e, 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, + 0xac, 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, + 0x2c, 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, + 0xed, 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, + 0x8d, 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, + 0xee, 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, + 0x2a, 0x8b, 0x8d, 
0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, + 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, + 0xef, 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, + 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, + 0x37, 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, + 0x9c, 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, + 0xb1, 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, + 0x9f, 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, + 0xe5, 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, + 0xe1, 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, + 0xed, 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, + 0xd4, 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, + 0xe0, 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, + 0xcc, 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, + 0x14, 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, + 0x23, 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, + 0xe2, 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, + 0x7f, 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, + 0xfa, 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, + 0x52, 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, + 0xe7, 0x59, 0x6a, 
0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, + 0xb7, 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, + 0x0c, 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, + 0x8b, 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, + 0xe7, 0x12, 0xe1, 0x66, 0x15, 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, + 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72, 0x22, 0x03, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x03, 0x00, 0x00, 0x11, 0x11, 0x11, + 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, 0x34, 0x56, 0x78, 0x9a, + 0xbc, 0x30, 0x82, 0x02, 0xf2, 0x30, 0x82, 0x01, 0xda, 0xa0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x09, 0x00, 0xfe, 0xdd, 0x2e, 0xec, 0xe0, 0x22, 0xdd, + 0xf9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, 0x30, 0x1e, 0x17, 0x0d, + 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, 0x33, 0x31, + 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, 0x38, 0x35, + 0x36, 0x33, 0x31, 0x5a, 0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x03, 0x4b, 0x45, 0x4b, 0x30, 0x82, 0x01, 0x22, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0xf8, 0xab, 0xdb, 0xc2, 0xf5, 0x51, + 0xde, 0x7b, 0x9f, 0x28, 0xff, 0xae, 0xdb, 0xa5, 0xbf, 0x73, 0x63, 0x99, + 0x5e, 0x04, 0xa5, 0x9d, 0xfd, 0xcd, 0x24, 0x2e, 0xdd, 0x0b, 0x02, 0x88, + 0xe9, 0x71, 0x7b, 0xf2, 0x89, 0x90, 0xae, 0xaf, 0x0d, 0xa0, 0x68, 0x4d, + 0x31, 0x1b, 0x30, 0xe8, 0x19, 0x2e, 0xfc, 0x33, 0x8f, 0xee, 0x6d, 0x2a, + 0x0a, 0x09, 0x42, 0x34, 0xc1, 0x40, 0xa8, 0xe8, 0xb6, 0xc7, 0x92, 0x5d, + 0xa5, 0x96, 0x14, 0xd7, 0xaf, 0x8c, 0x71, 0x6b, 0x4e, 0x7d, 0x6e, 0xfa, + 0x73, 0x1c, 0x40, 0x4c, 0x05, 0x9e, 0xfa, 0xb2, 0x4c, 0x8c, 0xcb, 0x9d, + 0xe2, 0xa9, 0x04, 
0x01, 0x91, 0x5b, 0xbf, 0xff, 0x85, 0x54, 0x2a, 0x65, + 0x96, 0x84, 0x6f, 0xfa, 0x99, 0x1c, 0x9e, 0xe0, 0x77, 0x68, 0x4d, 0x58, + 0x2a, 0xc7, 0xc0, 0x8f, 0x71, 0x5a, 0x8f, 0xa9, 0xff, 0x44, 0xed, 0xf7, + 0xe4, 0x47, 0xd8, 0x4c, 0x9c, 0xf4, 0x78, 0xa0, 0xb3, 0x37, 0xaf, 0x43, + 0x0b, 0x03, 0x6f, 0xe4, 0xe1, 0x2d, 0x52, 0x0b, 0x4b, 0x62, 0xc6, 0x2f, + 0xe3, 0xfc, 0x32, 0xf2, 0xe2, 0x11, 0x1c, 0xac, 0xdf, 0x5a, 0xe8, 0xdd, + 0x55, 0x65, 0xa4, 0x6f, 0x61, 0xb7, 0x0f, 0x1c, 0xc6, 0x08, 0x2a, 0xaf, + 0x5d, 0x36, 0x50, 0x06, 0x7b, 0x49, 0xa0, 0x8b, 0x1c, 0x93, 0xdc, 0x72, + 0x69, 0x7b, 0xf1, 0xcc, 0xee, 0xa4, 0xe8, 0xd0, 0x7b, 0x5f, 0x61, 0xbc, + 0xbe, 0x20, 0xfb, 0x0b, 0xaa, 0x54, 0xf6, 0xe0, 0x13, 0xad, 0xe8, 0x96, + 0x53, 0x6a, 0xa9, 0x4b, 0xa1, 0xcf, 0x56, 0x10, 0xbc, 0x2a, 0x09, 0xc9, + 0x0a, 0xcc, 0x8d, 0x20, 0xdd, 0x4d, 0x14, 0xc7, 0x08, 0xab, 0xc1, 0xc3, + 0xaf, 0x0b, 0x35, 0x40, 0x57, 0x34, 0x97, 0x3b, 0xa2, 0x2d, 0xa3, 0x46, + 0xc1, 0x30, 0x14, 0x88, 0xa8, 0x74, 0x79, 0xdd, 0xb1, 0x02, 0x03, 0x01, + 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, 0xb5, + 0xf8, 0x7d, 0x28, 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, 0x94, + 0xa8, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, + 0x80, 0x14, 0xd7, 0x75, 0xfc, 0xed, 0xb7, 0xc8, 0xb5, 0xf8, 0x7d, 0x28, + 0xc5, 0x13, 0x34, 0xcd, 0x0b, 0xbe, 0x57, 0x0d, 0x94, 0xa8, 0x30, 0x0f, + 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x58, + 0xd2, 0x25, 0xa3, 0xe6, 0xaa, 0xb9, 0x56, 0x67, 0xc3, 0xa6, 0x4b, 0x88, + 0x99, 0xfe, 0xde, 0xc6, 0x16, 0x4c, 0x43, 0x1b, 0xb8, 0xea, 0xe3, 0x77, + 0xc4, 0xe4, 0x66, 0x15, 0x9f, 0x92, 0x6d, 0xe3, 0x7f, 0x3c, 0xac, 0x88, + 0x8b, 0xb9, 0xc5, 0x5c, 0x39, 0x4f, 0x02, 0x75, 0x5a, 0x3d, 0xc5, 0xaf, + 0xad, 0x8f, 0x32, 
0xd4, 0x5a, 0x44, 0xc8, 0xcb, 0x1f, 0x40, 0xa1, 0x44, + 0xef, 0xa8, 0x2a, 0xa4, 0x0d, 0x7a, 0x25, 0xe1, 0x6c, 0x09, 0x4b, 0x96, + 0x6a, 0x73, 0x0f, 0xe0, 0x9b, 0x0e, 0x26, 0xff, 0x61, 0x96, 0xc4, 0xb6, + 0x10, 0xe1, 0x90, 0x36, 0xfd, 0x96, 0xb5, 0x90, 0xb0, 0x76, 0xed, 0xc2, + 0x17, 0xc0, 0xfe, 0xd4, 0x38, 0xff, 0x7f, 0xc3, 0xa0, 0x88, 0x60, 0xe8, + 0x27, 0x10, 0x34, 0x35, 0x93, 0x59, 0xcb, 0x12, 0xe5, 0x25, 0xaf, 0x2d, + 0x1d, 0x7d, 0x3f, 0x16, 0x95, 0x71, 0x57, 0x8e, 0x3f, 0xc2, 0xad, 0x8e, + 0xc4, 0x0e, 0xe1, 0xed, 0x46, 0xf9, 0xd7, 0x07, 0x85, 0xb3, 0x05, 0xbe, + 0xf1, 0x4c, 0xba, 0xf1, 0x34, 0xe5, 0xd5, 0x26, 0x9b, 0x6c, 0x15, 0x9e, + 0x35, 0xa2, 0xd5, 0x81, 0x09, 0x36, 0x05, 0xa6, 0x99, 0x1f, 0xa2, 0x17, + 0x35, 0x3a, 0x38, 0x18, 0x52, 0x44, 0xcf, 0x22, 0xb3, 0x69, 0xba, 0x07, + 0x74, 0x48, 0x1c, 0x8e, 0x4c, 0xa7, 0xb0, 0xc2, 0x65, 0x6c, 0x1d, 0x30, + 0xe2, 0x82, 0xc2, 0x35, 0x60, 0x25, 0xf2, 0xb1, 0x05, 0x18, 0x0a, 0x73, + 0x87, 0x27, 0xee, 0x6e, 0xc2, 0x5f, 0xff, 0xd8, 0xfc, 0x77, 0x06, 0x2e, + 0x3d, 0x4f, 0xa1, 0x14, 0x04, 0x5d, 0xae, 0x38, 0x28, 0xf9, 0x3d, 0x82, + 0x5f, 0xc6, 0xd0, 0x31, 0x21, 0x88, 0xda, 0x7f, 0x78, 0xe3, 0xb7, 0xed, + 0x52, 0x37, 0xf4, 0x29, 0x08, 0x88, 0x50, 0x54, 0x56, 0x67, 0xc0, 0xe1, + 0xf4, 0xe7, 0xcf, +}; +unsigned int multipleKEK_auth_len = 2787; diff --git a/libstb/secvar/test/data/multiplePK.h b/libstb/secvar/test/data/multiplePK.h new file mode 100644 index 00000000..528c0d50 --- /dev/null +++ b/libstb/secvar/test/data/multiplePK.h 
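Review bot: nothing in multipleKEK.h records what the 2787 bytes contain, and a reader has to DER-decode the hex to learn that the first of the two EFI_SIGNATURE_LISTs (SignatureListSize 0x320) carries the PK certificate (CN=PK, serial 00:ec:89:21:be:c3:b0:04:c6, the same certificate named as the PKCS7 signer in the SignerInfo issuerAndSerialNumber) and only the second (SignatureListSize 0x322) carries the KEK certificate (CN=KEK, serial 00:fe:dd:2e:ec:e0:22:dd:f9), both owned by 11111111-2222-3333-4444-123456789abc, with the EFI_TIME set to 2019-12-12 22:39:23. Since the test's expectation hinges on exactly which certificates are present, please put a short comment at the top of the header (or check in the generation script) stating the signer, the ESL contents and the timestamp, ideally with the openssl/efitools invocation used, so the fixture can be regenerated when the certificates or the secvar format change instead of being treated as an opaque blob.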
@@ -0,0 +1,236 @@ +unsigned char multiplePK_auth[] = { + 0xe3, 0x07, 0x0c, 0x0e, 0x0f, 0x02, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 
0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 
0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0xce, 0xc5, 0x99, 0x68, 0xad, 0x54, 0xfb, + 0x86, 0xb0, 0xdd, 0xee, 0x3f, 0xa6, 0xe9, 0xa1, 0x9d, 0x90, 0x13, 0x09, + 0xba, 0xc1, 0x92, 0x30, 0x11, 0x5a, 0xdb, 0x53, 0xde, 0xff, 0xb6, 0x4a, + 0xe1, 0x60, 0x07, 
0x48, 0x62, 0x81, 0x48, 0x1d, 0x62, 0x52, 0x0c, 0xfe, + 0x09, 0xcb, 0x30, 0xf6, 0xb1, 0xea, 0x1a, 0x15, 0x38, 0x37, 0xd8, 0xe5, + 0xdd, 0xb6, 0x09, 0xf7, 0x8a, 0x60, 0x91, 0x57, 0x52, 0x99, 0xbf, 0xd9, + 0xc9, 0x25, 0xa9, 0x44, 0x46, 0x46, 0xda, 0xdb, 0xe5, 0x73, 0x3d, 0xc5, + 0x07, 0x75, 0x92, 0xce, 0x36, 0x0b, 0xb8, 0xe6, 0xdf, 0x84, 0x85, 0xdd, + 0x45, 0xbc, 0x52, 0x5b, 0xb6, 0x90, 0x56, 0x9d, 0x0e, 0x05, 0x86, 0x2d, + 0x85, 0xc2, 0x05, 0xff, 0xd5, 0x49, 0x85, 0xe8, 0x8f, 0x0f, 0x3a, 0x28, + 0x79, 0x67, 0x1e, 0x46, 0x70, 0x7f, 0x4d, 0xdf, 0x52, 0x5f, 0x3d, 0xe6, + 0xd5, 0x25, 0x6e, 0xe0, 0x74, 0xee, 0xa8, 0xfd, 0x9b, 0x3d, 0xee, 0x5c, + 0x26, 0x8c, 0x7a, 0x31, 0xb7, 0x0c, 0x42, 0xbf, 0xa4, 0x5c, 0x9c, 0x4b, + 0x52, 0x66, 0x17, 0x94, 0x53, 0x6f, 0x5e, 0x3b, 0xc1, 0x9d, 0x68, 0x79, + 0xb8, 0x31, 0xa6, 0x05, 0xc5, 0x3b, 0xf2, 0x20, 0xa8, 0xe6, 0x17, 0xd4, + 0xee, 0x0a, 0x3c, 0x93, 0x03, 0xaf, 0x87, 0xe1, 0x11, 0x10, 0xc9, 0xf3, + 0xfe, 0xbd, 0x0a, 0x40, 0xc3, 0xc1, 0xa3, 0xc0, 0x83, 0xcf, 0xf5, 0xbb, + 0xa6, 0x31, 0x22, 0x40, 0x43, 0xb0, 0x81, 0x27, 0xd1, 0x2a, 0x07, 0x2c, + 0xe1, 0xbf, 0x3a, 0xde, 0xec, 0x00, 0x36, 0xae, 0xdd, 0xa2, 0xf7, 0x42, + 0xdb, 0x90, 0x44, 0x18, 0xc3, 0x82, 0xfb, 0xbf, 0x4e, 0xf5, 0x84, 0x27, + 0xa4, 0x95, 0x6c, 0x6d, 0xe9, 0x20, 0xc2, 0x19, 0x3b, 0x81, 0x08, 0xa4, + 0xcb, 0x02, 0xff, 0x9a, 0xec, 0xf1, 0x04, 0xe1, 0x4f, 0xa1, 0x59, 0xc0, + 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, + 0x72, 0x20, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, + 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, + 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, + 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, + 0x1e, 0x17, 0x0d, 
0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, + 0x36, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, + 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, + 0x2d, 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, + 0x61, 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, + 0xd3, 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, + 0xb4, 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, + 0x0d, 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, + 0x8d, 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, + 0x5f, 0x1e, 0xe6, 0xed, 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, + 0xf0, 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, + 0x75, 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, + 0x91, 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, + 0xbf, 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, + 0x21, 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, + 0x41, 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, + 0x87, 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, + 0x0e, 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, + 0xac, 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, + 0x2c, 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, + 0xed, 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, + 0x8d, 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, + 0xee, 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, + 0x2a, 0x8b, 0x8d, 
0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, + 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, + 0xef, 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, + 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, + 0x37, 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, + 0x9c, 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, + 0xb1, 0x9b, 0x2e, 0x68, 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, + 0x9f, 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, + 0xe5, 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, + 0xe1, 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, + 0xed, 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, + 0xd4, 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, + 0xe0, 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, + 0xcc, 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, + 0x14, 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, + 0x23, 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, + 0xe2, 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, + 0x7f, 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, + 0xfa, 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, + 0x52, 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, + 0xe7, 0x59, 0x6a, 
0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, + 0xb7, 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, + 0x0c, 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, + 0x8b, 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, + 0xe7, 0x12, 0xe1, 0x66, 0x15, 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, + 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72, 0x20, 0x03, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x03, 0x00, 0x00, 0x11, 0x11, 0x11, + 0x11, 0x22, 0x22, 0x33, 0x33, 0x44, 0x44, 0x12, 0x34, 0x56, 0x78, 0x9a, + 0xbc, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, 0xa0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, + 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x31, + 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, + 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, 0xfd, 0xff, 0x21, + 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, 0x10, 0x21, 0xe1, + 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, 0x5d, 0xa6, 0xce, + 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, 0x35, 0xca, 0x30, + 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, 0xc0, 0x8d, 0xca, + 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, 0xe0, 0xf6, 0xbc, + 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, 0x1e, 0xe6, 0xed, + 0x69, 0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, 0xf6, 0x1b, 0x07, + 0x35, 0xa4, 0x09, 
0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, 0x48, 0xd4, 0xfa, + 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, 0x65, 0x19, 0x99, + 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, 0x1f, 0xff, 0xd2, + 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, 0xe1, 0x86, 0xfb, + 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, 0xdb, 0xc9, 0x73, + 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, 0x90, 0xc2, 0x58, + 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, 0xcc, 0xfe, 0x1a, + 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, 0xaf, 0xc9, 0xa5, + 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, 0xcb, 0xc1, 0x82, + 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, 0x50, 0xfc, 0x39, + 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, 0x17, 0x35, 0x63, + 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, 0xf4, 0x82, 0xe1, + 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, 0x8b, 0x8d, 0xa2, + 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, + 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, + 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, + 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, 0x0f, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0x4b, 0x0e, + 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, 0xed, 0x7b, 0x89, + 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, 0xbf, 0x10, 0x8e, + 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, 0x9b, 0x2e, 0x68, + 0xda, 0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, 0x5b, 0x52, 0x6b, + 0x10, 0x11, 0x48, 
0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, 0x0b, 0xb4, 0x60, + 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, 0x35, 0x6c, 0x43, + 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, 0xa9, 0x98, 0x13, + 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, 0xa1, 0x46, 0x89, + 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, 0x32, 0xb2, 0x07, + 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, 0x1d, 0x64, 0x61, + 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, 0xbe, 0x8f, 0x70, + 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, 0xc6, 0x36, 0x23, + 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, 0xb2, 0x37, 0x8c, + 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, 0x5e, 0x76, 0x9b, + 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, 0x90, 0x76, 0x08, + 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, 0xec, 0xc7, 0xa0, + 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, 0x59, 0x6a, 0x9a, + 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, 0x6f, 0xc8, 0x44, + 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, 0x43, 0x9f, 0x13, + 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, 0x2e, 0xa7, 0x7d, + 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, 0x12, 0xe1, 0x66, + 0x15, +}; +unsigned int multiplePK_auth_len = 2785; diff --git a/libstb/secvar/test/data/noPK.h b/libstb/secvar/test/data/noPK.h new file mode 100644 index 00000000..eff9314f --- /dev/null +++ b/libstb/secvar/test/data/noPK.h 
@@ -0,0 +1,102 @@ +unsigned char noPK_auth[] = { + 0xe3, 0x07, 0x0c, 0x0e, 0x0e, 0x14, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0x75, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0x66, 0x30, + 0x82, 0x04, 0x62, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x02, 0xf4, 0x30, 0x82, 0x02, 0xf0, 0x30, 0x82, 0x01, 0xd8, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xec, 0x89, 0x21, 0xbe, + 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0d, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x32, 0x31, 0x38, 0x35, 0x36, + 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x31, 0x30, 0x39, 0x31, + 0x38, 0x35, 0x36, 0x32, 0x39, 0x5a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0xa9, 0xd0, 0x47, 0xf4, 0x2d, + 0xfd, 0xff, 0x21, 0x6f, 0x11, 0x89, 0x9d, 0x54, 0xe8, 0xb1, 0x97, 0x61, + 0x10, 0x21, 0xe1, 0x9e, 0x51, 0x09, 0x66, 0xea, 0x23, 0xdb, 0x01, 0xd3, + 0x5d, 0xa6, 0xce, 0xc5, 0x75, 0x52, 0xec, 0x2f, 0xb4, 0x1f, 0x36, 0xb4, + 0x35, 0xca, 0x30, 0xfd, 0xd9, 0xed, 0x14, 0x63, 0xa3, 0x9e, 0xc6, 0x0d, + 0xc0, 0x8d, 0xca, 0x7a, 0x1b, 0x9a, 0xcd, 0xbf, 0xb4, 0x4c, 0x21, 0x8d, + 0xe0, 0xf6, 0xbc, 0x74, 0xbc, 0xef, 0xc6, 0x8f, 0xc1, 0x81, 0x33, 0x5f, + 0x1e, 0xe6, 0xed, 0x69, 
0x68, 0x49, 0x4c, 0xd7, 0x0f, 0x84, 0x70, 0xf0, + 0xf6, 0x1b, 0x07, 0x35, 0xa4, 0x09, 0xae, 0x5e, 0xdd, 0x42, 0xa2, 0x75, + 0x48, 0xd4, 0xfa, 0x3c, 0x28, 0xe7, 0xaa, 0xc9, 0x2b, 0xbf, 0xc1, 0x91, + 0x65, 0x19, 0x99, 0x3b, 0x56, 0x80, 0x1a, 0xee, 0x90, 0x43, 0xae, 0xbf, + 0x1f, 0xff, 0xd2, 0x55, 0x1d, 0x18, 0xff, 0x49, 0x38, 0xd8, 0xdc, 0x21, + 0xe1, 0x86, 0xfb, 0xf2, 0x86, 0x43, 0x37, 0x2e, 0x93, 0xe8, 0xd0, 0x41, + 0xdb, 0xc9, 0x73, 0xd8, 0x0f, 0xf5, 0x11, 0x18, 0xa9, 0x93, 0xb2, 0x87, + 0x90, 0xc2, 0x58, 0x96, 0x93, 0xff, 0x69, 0xb2, 0x05, 0xec, 0xaa, 0x0e, + 0xcc, 0xfe, 0x1a, 0x78, 0x6c, 0x31, 0xfa, 0x6b, 0x0d, 0xb6, 0xeb, 0xac, + 0xaf, 0xc9, 0xa5, 0x09, 0xbb, 0xdd, 0x01, 0x16, 0x6d, 0x31, 0x53, 0x2c, + 0xcb, 0xc1, 0x82, 0x87, 0x81, 0x99, 0x7f, 0xc1, 0xee, 0x86, 0x6a, 0xed, + 0x50, 0xfc, 0x39, 0xc1, 0x51, 0x71, 0x04, 0xe0, 0x66, 0x63, 0x6f, 0x8d, + 0x17, 0x35, 0x63, 0x56, 0x4b, 0x90, 0x20, 0x7a, 0x5f, 0xc8, 0x63, 0xee, + 0xf4, 0x82, 0xe1, 0x61, 0xbf, 0x41, 0x46, 0x04, 0xfd, 0x96, 0x46, 0x2a, + 0x8b, 0x8d, 0xa2, 0x4c, 0x82, 0xe3, 0xf0, 0x6e, 0x24, 0x8b, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, + 0x4b, 0xb1, 0x3e, 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, + 0x55, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x14, 0xb2, 0x26, 0xdc, 0xe0, 0x99, 0x4b, 0xb1, 0x3e, + 0xc4, 0xc8, 0xeb, 0xe3, 0xc9, 0x8b, 0x69, 0x78, 0xef, 0x55, 0xbd, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x8f, 0x4b, 0x0e, 0x4d, 0xd6, 0xed, 0x73, 0xb0, 0xe6, 0xa5, 0xcf, 0x37, + 0xed, 0x7b, 0x89, 0x82, 0xc4, 0x67, 0x95, 0x16, 0x03, 0x19, 0x3d, 0x9c, + 0xbf, 0x10, 0x8e, 0x23, 0x71, 0xcb, 0x53, 0xa2, 0xb0, 0xa1, 0x88, 0xb1, + 0x9b, 0x2e, 0x68, 0xda, 
0x1e, 0x74, 0xfe, 0x32, 0x6f, 0xa1, 0xda, 0x9f, + 0x5b, 0x52, 0x6b, 0x10, 0x11, 0x48, 0x0d, 0x71, 0xec, 0x08, 0x24, 0xe5, + 0x0b, 0xb4, 0x60, 0x52, 0x47, 0x64, 0xfb, 0xf5, 0x99, 0x45, 0x15, 0xe1, + 0x35, 0x6c, 0x43, 0xe3, 0x9c, 0xeb, 0xe4, 0xfd, 0x5b, 0x91, 0x5d, 0xed, + 0xa9, 0x98, 0x13, 0x79, 0x6d, 0xcd, 0x8a, 0x8f, 0xae, 0x09, 0x42, 0xd4, + 0xa1, 0x46, 0x89, 0xd1, 0x95, 0x20, 0x27, 0x82, 0x80, 0x93, 0x3d, 0xe0, + 0x32, 0xb2, 0x07, 0x2e, 0xee, 0x89, 0xbf, 0x08, 0xca, 0x3c, 0xc5, 0xcc, + 0x1d, 0x64, 0x61, 0x4c, 0xdd, 0x26, 0x99, 0x3d, 0xee, 0x0f, 0xad, 0x14, + 0xbe, 0x8f, 0x70, 0x9e, 0xb1, 0x31, 0xd1, 0xb2, 0x7d, 0xdf, 0xbc, 0x23, + 0xc6, 0x36, 0x23, 0xfc, 0xa1, 0x77, 0xdb, 0x80, 0xaf, 0x41, 0xaf, 0xe2, + 0xb2, 0x37, 0x8c, 0x74, 0xff, 0x19, 0x04, 0x96, 0x6a, 0x40, 0x37, 0x7f, + 0x5e, 0x76, 0x9b, 0xee, 0x84, 0x7e, 0x4e, 0x2f, 0x75, 0x7d, 0x76, 0xfa, + 0x90, 0x76, 0x08, 0x41, 0x61, 0x63, 0xa4, 0x9e, 0x79, 0x2e, 0xb0, 0x52, + 0xec, 0xc7, 0xa0, 0x47, 0x16, 0x76, 0x4f, 0x01, 0xb1, 0x58, 0x67, 0xe7, + 0x59, 0x6a, 0x9a, 0xe9, 0xf8, 0x59, 0x33, 0x52, 0x98, 0x52, 0xc8, 0xb7, + 0x6f, 0xc8, 0x44, 0x52, 0x8b, 0xa2, 0x30, 0x1e, 0xb6, 0xd2, 0xc2, 0x0c, + 0x43, 0x9f, 0x13, 0x1f, 0x0f, 0xef, 0x16, 0xa6, 0xc0, 0xf7, 0x09, 0x8b, + 0x2e, 0xa7, 0x7d, 0x6a, 0x30, 0x0b, 0x09, 0xbb, 0x69, 0x2f, 0xaf, 0xe7, + 0x12, 0xe1, 0x66, 0x15, 0x31, 0x82, 0x01, 0x45, 0x30, 0x82, 0x01, 0x41, + 0x02, 0x01, 0x01, 0x30, 0x1a, 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x50, 0x4b, 0x02, 0x09, 0x00, 0xec, + 0x89, 0x21, 0xbe, 0xc3, 0xb0, 0x04, 0xc6, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x04, 0x82, 0x01, 0x00, 0x24, 0xc8, 0x03, 0x40, 0x7f, 0xf1, 0xb0, + 0x31, 0xc7, 0x0f, 0x26, 0x95, 0x27, 0xb7, 0x7c, 0x80, 0x5a, 0x97, 0x35, + 0x27, 0x72, 0xb4, 0xe4, 0x91, 0x05, 0x09, 0xa8, 0x57, 0x40, 0x39, 0xb6, + 0x75, 0x4f, 0x74, 0x12, 
0x91, 0xfd, 0x55, 0x63, 0x65, 0x3a, 0x68, 0xb5, + 0x2e, 0x67, 0x1f, 0x06, 0xbb, 0x08, 0x23, 0xb8, 0x8e, 0xaa, 0x46, 0x50, + 0x73, 0xc2, 0x90, 0x85, 0xcd, 0xa9, 0x4e, 0xd8, 0x65, 0xca, 0x6c, 0x0a, + 0x62, 0x19, 0x97, 0x07, 0xa8, 0x31, 0x9a, 0x4d, 0x7f, 0x90, 0x5f, 0xbd, + 0x34, 0x63, 0xa1, 0xa2, 0x80, 0xf3, 0x0b, 0xb8, 0x73, 0x1c, 0xfe, 0x4c, + 0xee, 0x7e, 0xc8, 0x50, 0xb6, 0xfe, 0x94, 0xf0, 0x28, 0x03, 0x25, 0x28, + 0xf7, 0x99, 0xca, 0x4b, 0xa9, 0x97, 0x79, 0x74, 0x71, 0x3b, 0x58, 0xc4, + 0x37, 0x8b, 0xf7, 0x7d, 0x14, 0x55, 0x97, 0xe2, 0xd3, 0xc7, 0x09, 0x40, + 0x55, 0x64, 0xb2, 0xeb, 0xe7, 0xc1, 0xa2, 0x66, 0x23, 0xe2, 0x79, 0x41, + 0x40, 0xd2, 0xda, 0x63, 0xac, 0x6a, 0x5c, 0x29, 0x30, 0x51, 0xd6, 0x08, + 0x39, 0x54, 0xb8, 0x19, 0x5f, 0x15, 0x77, 0x20, 0x04, 0xcf, 0x98, 0x28, + 0x3e, 0x77, 0x6a, 0x21, 0xfb, 0x07, 0xa6, 0xe5, 0xe9, 0xed, 0x79, 0xf7, + 0xfe, 0xe9, 0xea, 0x59, 0x97, 0x87, 0x05, 0x9e, 0x57, 0xf3, 0x49, 0xe4, + 0x5a, 0xe7, 0xf4, 0xa6, 0xcc, 0x48, 0xc1, 0xf1, 0xb3, 0xb2, 0x45, 0x60, + 0x48, 0x1e, 0x45, 0xa3, 0x02, 0x31, 0xd6, 0x12, 0xc5, 0x96, 0x69, 0x69, + 0x73, 0x23, 0xa5, 0x64, 0x2a, 0xbb, 0xd6, 0xf9, 0x66, 0x34, 0xb2, 0x86, + 0x6a, 0x15, 0x13, 0x24, 0xc8, 0x87, 0xf4, 0xd5, 0xd1, 0xcc, 0x88, 0xc2, + 0x64, 0xdc, 0xb3, 0x55, 0x8f, 0x04, 0x89, 0x99, 0x2c, 0x9d, 0x45, 0x16, + 0x99, 0x4f, 0x48, 0xb8, 0xe9, 0xa9, 0xc9, 0xbd, 0x19, +}; +unsigned int noPK_auth_len = 1185; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c new file mode 100644 index 00000000..9b9af2d0 --- /dev/null +++ b/libstb/secvar/test/secvar-test-edk2-compat.c 
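Review bot: the generated fixture arrays in noPK.h (and the other data/*.h headers added by this patch, multiplePK.h included) carry no record of how they were produced, so nobody can regenerate them when they have to change; add a comment at the top of each header, or a script under test/data/, naming the signing key and the tool invocation that built the auth blob. Two related points: the arrays are plain `unsigned char noPK_auth[]` / `unsigned int noPK_auth_len` rather than `static const`, which puts writable globals in the test binary and would collide if two data headers were ever included from separate objects; and the embedded signer certificate carries a UTCTime validity window of 190112185629Z to 290109185629Z (the ASCII bytes 0x31 0x39 0x30 0x31 0x31 0x32 ... 0x5a after the 0x17 0x0d tags), so any code path that checks the certificate's validity period will change behaviour after 2029-01-09 unless the fixtures are refreshed or that check is explicitly disabled in the test build.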
@@ -0,0 +1,297 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#include "secvar_common_test.c" +#include "../backend/edk2-compat.c" +#include "../backend/edk2-compat-process.c" +#include "../secvar_util.c" +#define MBEDTLS_PKCS7_USE_C +#include "../../crypto/pkcs7/pkcs7.c" +#include "./data/edk2_test_data.h" +#include "./data/PK1.h" +#include "./data/noPK.h" +#include "./data/KEK.h" +#include "./data/multipleKEK.h" +#include "./data/multipleDB.h" +#include "./data/multiplePK.h" + +int reset_keystore(struct list_head *bank __unused) { return 0; } +int add_hw_key_hash(struct list_head *bank __unused) { return 0; } +int delete_hw_key_hash(struct list_head *bank __unused) { return 0; } +int verify_hw_key_hash(void) { return 0; } + +const char *secvar_test_name = "edk2-compat"; + +int secvar_set_secure_mode(void) { return 0; }; + +int run_test() +{ + int rc = -1; + struct secvar_node *tmp; + int keksize; + int dbsize; + struct secvar_node *ts; + ts = alloc_secvar(sizeof(struct secvar) + 64); + memcpy(ts->var->key, "TS", 3); + ts->var->key_len = 3; + memset(ts->var->data, 0, 64); + ts->var->data_size = 64; + + // Check pre-process creates the empty variables + ASSERT(0 == list_length(&variable_bank)); + rc = edk2_compat_pre_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + tmp = find_secvar("TS", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(64 == tmp->var->data_size); + ASSERT(!(memcmp(tmp->var->data, ts->var->data, 64))); + + + // Add PK to update and .process() + printf("Add PK"); + tmp = alloc_secvar(PK1_auth_len); + memcpy(tmp->var->key, "PK", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, PK1_auth, PK1_auth_len); + tmp->var->data_size = PK1_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + 
ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + ASSERT(PK_auth_len > tmp->var->data_size); // esl should be smaller without auth + ASSERT(!setup_mode); + + // Add db, should fail with no KEK + printf("Add db"); + dbsize = sizeof(DB_auth); + tmp = alloc_secvar(dbsize); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, DB_auth, dbsize); + tmp->var->data_size = dbsize; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + printf("rc is %d %04x\n", rc, rc); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + + printf("Add KEK"); + + // Add valid KEK, .process(), succeeds + + tmp = alloc_secvar(KEK_auth_len); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, KEK_auth, KEK_auth_len); + tmp->var->data_size = KEK_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add valid KEK, .process(), timestamp check fails + + tmp = alloc_secvar(ValidKEK_auth_len); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, ValidKEK_auth, ValidKEK_auth_len); + tmp->var->data_size = ValidKEK_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, 
&tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PERMISSION == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add db, .process(), should succeed + printf("Add db again\n"); + dbsize = sizeof(DB_auth); + tmp = alloc_secvar(dbsize); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, DB_auth, dbsize); + tmp->var->data_size = dbsize; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + printf("tmp is %s\n", tmp->var->key); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add db, .process(), should fail because of timestamp + printf("Add db again\n"); + dbsize = sizeof(DB_auth); + tmp = alloc_secvar(dbsize); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, DB_auth, dbsize); + tmp->var->data_size = dbsize; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PERMISSION == rc); + + // Add invalid KEK, .process(), should fail + printf("Add invalid KEK\n"); + keksize = sizeof(InvalidKEK_auth); + tmp = alloc_secvar(keksize); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, InvalidKEK_auth, keksize); + tmp->var->data_size = keksize; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = 
edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add ill formatted KEK, .process(), should fail + printf("Add invalid KEK\n"); + keksize = sizeof(IllformatKEK_auth); + tmp = alloc_secvar(keksize); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, IllformatKEK_auth, keksize); + tmp->var->data_size = keksize; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add multiple KEK ESLs, one of them should sign the db + printf("Add multiple KEK\n"); + tmp = alloc_secvar(multipleKEK_auth_len); + memcpy(tmp->var->key, "KEK", 4); + tmp->var->key_len = 4; + memcpy(tmp->var->data, multipleKEK_auth, multipleKEK_auth_len); + tmp->var->data_size = multipleKEK_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Add multiple DB ESLs signed with second key of the KEK + printf("Add multiple db\n"); + tmp = alloc_secvar(multipleDB_auth_len); + memcpy(tmp->var->key, "db", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, multipleDB_auth, multipleDB_auth_len); + tmp->var->data_size = 
multipleDB_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 != tmp->var->data_size); + + // Delete PK. + printf("Delete PK\n"); + tmp = alloc_secvar(noPK_auth_len); + memcpy(tmp->var->key, "PK", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, noPK_auth, noPK_auth_len); + tmp->var->data_size = noPK_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->var->data_size); + ASSERT(setup_mode); + + // Add multiple PK. + printf("Multiple PK\n"); + tmp = alloc_secvar(multiplePK_auth_len); + memcpy(tmp->var->key, "PK", 3); + tmp->var->key_len = 3; + memcpy(tmp->var->data, multiplePK_auth, multiplePK_auth_len); + tmp->var->data_size = multiplePK_auth_len; + ASSERT(0 == edk2_compat_validate(tmp->var)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_SUCCESS != rc); + + return 0; +} + +int main(void) +{ + int rc; + + list_head_init(&variable_bank); + list_head_init(&update_bank); + + secvar_storage.max_var_size = 4096; + + rc = run_test(); + + clear_bank_list(&variable_bank); + clear_bank_list(&update_bank); + + return rc; +} diff --git a/libstb/secvar/test/secvar_common_test.c b/libstb/secvar/test/secvar_common_test.c index 3bab5cf9..d862dffb 100644 
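Review bot: in the "Add db again" block, `printf("tmp is %s\n", tmp->var->key);` dereferences `tmp` on the line before `ASSERT(NULL != tmp);`, so a missing variable would crash the test instead of reporting the failed assertion; move the ASSERT above the printf or drop the printf. The final "Multiple PK" case only checks `ASSERT(OPAL_SUCCESS != rc)`: unlike the other negative cases it does not assert that the variable bank still has 5 entries, that the update bank was drained, that PK stays empty and that `setup_mode` is still set, which is exactly the state a rejected multi-PK update must leave untouched. After the first PK update, `ASSERT(PK_auth_len > tmp->var->data_size);` compares against `PK_auth_len` although the update just processed was `PK1_auth`; `PK1_auth_len` is the length the comment ("esl should be smaller without auth") describes. Smaller points: the "Add ill formatted KEK" block prints "Add invalid KEK\n" (copied from the previous block); `printf("Add PK")`, `printf("Add db")` and `printf("Add KEK")` lack the trailing newline the later messages have; `int secvar_set_secure_mode(void) { return 0; };` has a stray semicolon; `int run_test()` should be `int run_test(void)`; and the `ts` secvar allocated at the top of run_test() is never freed.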
--- a/libstb/secvar/test/secvar_common_test.c +++ b/libstb/secvar/test/secvar_common_test.c 
@@ -4,6 +4,8 @@ #define SECBOOT_FILE "secboot.img" #define SECBOOT_SIZE 128000 +#define HAVE_LITTLE_ENDIAN 1 + #include #include #include From patchwork Mon May 11 21:31:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288097 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ794rsJz9sRK for ; Tue, 12 May 2020 07:38:29 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ792slmzDrLX for ; Tue, 12 May 2020 07:38:29 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LZ022SzczDqjY for ; Tue, 12 May 2020 07:32:18 +1000 (AEST) Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04BLV2lk194850 for ; Mon, 11 May 2020 17:32:16 -0400 Received: from ppma01fra.de.ibm.com (46.49.7a9f.ip4.static.sl-reverse.com [159.122.73.70]) by 
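Review bot: `#define HAVE_LITTLE_ENDIAN 1` in secvar_common_test.c hard-codes the endianness of whatever host builds the unit tests, and this file is included into every secvar test binary; on a big-endian build host the byte-order helpers selected by that macro would be wrong, and the edk2-compat parsing tests would fail or, worse, pass for the wrong reason. Prefer deriving it from the compiler (`#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__`) or from whatever endianness detection the rest of the test build already uses, and add a one-line comment saying why the harness needs the define at all.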
mx0b-001b2d01.pphosted.com with ESMTP id 30ydxt18jm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 May 2020 17:32:16 -0400 Received: from pps.filterd (ppma01fra.de.ibm.com [127.0.0.1]) by ppma01fra.de.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 04BLPXhJ005156 for ; Mon, 11 May 2020 21:32:14 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma01fra.de.ibm.com with ESMTP id 30wm55a372-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 May 2020 21:32:14 +0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 04BLWBEQ27001042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 11 May 2020 21:32:11 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 66CDDA405C; Mon, 11 May 2020 21:32:11 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B27FFA405B; Mon, 11 May 2020 21:32:10 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.226.245]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 May 2020 21:32:10 +0000 (GMT) 
From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:52 -0500 Message-Id: <20200511213152.24952-19-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 impostorscore=0 suspectscore=1 mlxscore=0 phishscore=0 priorityscore=1501 mlxlogscore=830 malwarescore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 18/18] witherspoon: enable secvar for witherspoon platform X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Secure variable support needs to be enabled for each platform, and each platform needs to select which storage and backend drivers to use (or alternatively implement their own). This patch adds secure variable support to the witherspoon platform. Signed-off-by: Eric Richter --- platforms/astbmc/witherspoon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/platforms/astbmc/witherspoon.c b/platforms/astbmc/witherspoon.c index 39c3f161..6bbf51a1 100644 --- a/platforms/astbmc/witherspoon.c +++ b/platforms/astbmc/witherspoon.c @@ -17,6 +17,8 @@ #include #include #include +#include +#include "libstb/secvar/storage/secboot_tpm.h" #include "astbmc.h" #include "ast.h" 
@@ -572,6 +574,11 @@ static void witherspoon_finalise_dt(bool is_reboot) } } +static int witherspoon_secvar_init(void) +{ + return secvar_main(secboot_tpm_driver, edk2_compatible_v1); +} + /* The only difference between these is the PCI slot handling */ DECLARE_PLATFORM(witherspoon) = { @@ -594,4 +601,5 @@ DECLARE_PLATFORM(witherspoon) = { .ocapi = &witherspoon_ocapi, .npu2_device_detect = witherspoon_npu2_device_detect, .op_display = op_display_lpc, + .secvar_init = witherspoon_secvar_init, };
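Review bot: `witherspoon_secvar_init()` returns `secvar_main()`'s result straight through, but neither the hunk nor the commit message says what happens on this platform when that call fails (storage driver unavailable, TPM not present, bank load error): whether boot continues with secure variables disabled or the failure is treated as fatal. That policy is the security-relevant part of enabling secvar on a platform, so state it in the commit message and, if the intended behaviour is to continue booting, add a comment above the function saying so.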