shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048,

shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048, then it's considered deprecated and will make
signature verification fail. Note that this only affects verifying TA
and subkey signatures.

This change aligns with GlobalPlatform's decision, influenced by
feedback from ANSSI, BSI, SOGIS, and NIST. For further details on the
GlobalPlatform's cryptographic algorithm recommendations, see [1].

Link: https://globalplatform.org/specs-library/globalplatform-technology-cryptographic-algorithm-recommendations/ [1]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SH

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SHA224 to the list of weak signature algorithms.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix possible overflow in shdr_alloc_and_copy()

Prior to this patch, if SHDR_GET_SIZE() overflows it will return 0 and
further down in the function lead to an out-of-bounds access. So fix
this

core: fix possible overflow in shdr_alloc_and_copy()

Prior to this patch, if SHDR_GET_SIZE() overflows it will return 0 and
further down in the function lead to an out-of-bounds access. So fix
this with an explicit test before using shdr_size in
shdr_alloc_and_copy().

Fixes: 064663e8bd27 ("core: crypto: add struct shdr helper functions")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add fault mitigations to shdr_verify_signature*()

Adds fault mitigations to shdr_verify_signature() and
shdr_verify_signature2(). shdr_verify_signature() and
shdr_verify_signature2() are calle

core: add fault mitigations to shdr_verify_signature*()

Adds fault mitigations to shdr_verify_signature() and
shdr_verify_signature2(). shdr_verify_signature() and
shdr_verify_signature2() are called using the wrapper FTMN_CALL_FUNC()
which verifies that the correct function was called and that the return
value hasn't been tampered with.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: shdr: check that hash algorithm is strong enough

Until now shdr_verify_signature() accepted any hash GP algorithm known
to OP-TEE. A few of those (MD5 and SHA-1) are known to be weak. So add
a

core: shdr: check that hash algorithm is strong enough

Until now shdr_verify_signature() accepted any hash GP algorithm known
to OP-TEE. A few of those (MD5 and SHA-1) are known to be weak. So add
an extra check to only allow algorithms strong enough.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Asaf Modelevsky <amodele@amazon.com>
Reported-by: Asaf Modelevsky <amodele@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed w

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed with a subkey are confined to the UUID-V5 namespace of the subkey
to avoid TA UUID clashes with different subkeys.

SHDR_SUBKEY is a type of header which enables chains of public keys.
The public root key is used to verify the first public subkey, which
then is used to verify the next public subkey and so on.

The TA is finally verified using the last subkey. All these headers are
added in front of the TA binary so everything needed to verify the TA is
available when it's loaded into memory.

For example:
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: f573f329fe77be686ce71647909c4ea35b5e1cd7de86369bd7d9fca31f6a4d65
struct shdr_subkey
uuid: f04fa996-148a-453c-b037-1dcfbad120a6
name_size: 64
subkey_version: 1
max_depth: 4
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "mid_level_subkey"
Next header at offset: 692 (0x2b4)
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: 233a6dcf1a2cf69e50cde8e20c4129157da707c76fa86ce12ee31037edef02d7
struct shdr_subkey
uuid: 1a5948c5-1aa0-518c-86f4-be6f6a057b16
name_size: 64
subkey_version: 1
max_depth: 3
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "subkey1_ta"
Next header at offset: 1384 (0x568)
Bootstrap TA
struct shdr
magic: 0x4f545348
img_type: 1 (SHDR_BOOTSTRAP_TA)
img_size: 84576 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: ea31ac7dc2cc06a9dc2853cd791dd00f784b5edc062ecfa274deeb66589b4ca5
struct shdr_bootstrap_ta
uuid: 5c206987-16a3-59cc-ab0f-64b9cfc9e758
ta_version: 0
TA offset: 1712 (0x6b0) bytes
TA size: 84576 (0x14a60) bytes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by:

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: fix the RSA public key size for TA signature verification

The size of the RSA public key allocation should be based on the modulus
size in bits.

Fixes: 064663e8b ("core: crypto: add s

core: crypto: fix the RSA public key size for TA signature verification

The size of the RSA public key allocation should be based on the modulus
size in bits.

Fixes: 064663e8b ("core: crypto: add struct shdr helper functions")
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: merge tee_*_get_digest_size() into a single function

Rename tee_hash_get_digest_size() to tee_alg_get_digest_size().

Change tee_alg_get_digest_size() to use new libutee macro
TEE_ALG_GET_DIGE

core: merge tee_*_get_digest_size() into a single function

Rename tee_hash_get_digest_size() to tee_alg_get_digest_size().

Change tee_alg_get_digest_size() to use new libutee macro
TEE_ALG_GET_DIGEST_SIZE.

Remove tee_mac_get_digest_size() as its functionality
is handled by tee_alg_get_digest_size() now.

Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: shdr_verify_signature() supply hash length for salt length

In order to support the TEE_ALG_RSASSA_PKCS1_PSS_MGF1_* group of
algorithms supply the size of the hash as the size of the salt to
cr

core: shdr_verify_signature() supply hash length for salt length

In order to support the TEE_ALG_RSASSA_PKCS1_PSS_MGF1_* group of
algorithms supply the size of the hash as the size of the salt to
crypto_acipher_rsassa_verify().

A salt is something introduced by PCKS1_PSS, PKCS1_V1.5 does not have a
salt and the parameter will be ignored by crypto_acipher_rsassa_verify()
for the latter.

With the PCKS1_PSS algorithm it is common practice to use a salt with
the same size as the hash, but it is not a requirement. The
implementation here depends on using a salt with the same size as the
hash. This is a compromise to avoid extending the signed header with a
salt length field.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.foriss

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.4]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: add missing return(s) in shdr_alloc_and_copy

Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-b

core: add missing return(s) in shdr_alloc_and_copy

Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Reformat copyright/license header in files with an SPDX ID

Some files were committed with an SPDX license identifier before the
rules were defined [1]. Reformat them accordingly.

[1] documentation/

Reformat copyright/license header in files with an SPDX ID

Some files were committed with an SPDX license identifier before the
rules were defined [1]. Reformat them accordingly.

[1] documentation/copyright_and_license_headers.rst

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: crypto: add struct shdr helper functions

Adds struct shdr helper functions to allocate and verify a struct shdr.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Fo

core: crypto: add struct shdr helper functions

Adds struct shdr helper functions to allocate and verify a struct shdr.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...