History log of /rk3399_ARM-atf/drivers/auth/mbedtls/mbedtls_x509_parser.c (Results 1 – 25 of 44)
Revision Date Author Comments
# fb45d56c 19-Jun-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge changes from topic "fix-for-hash-lengths" into integration

* changes:
fix(auth): allow hashes of different lengths
feat(juno): add mbedtls_asn1_get_len symbol in ROMlib
feat(fvp): add mbedtls_asn1_get_len symbol in ROMlib


# 22a53545 30-May-2023 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): allow hashes of different lengths

Trusted Board Boot supports multiple hash algorithms, including SHA-256,
SHA-384, and SHA-512. These algorithms produce hashes of different
lengths, so the resulting DER-encoded hash objects are also of different
lengths. However, the common Trusted Board Boot code only stores the
contents of the object, not its length. Before commit
f47547b35462571636a76b737602e827ae43bc24, this was harmless: ASN.1
objects are self-delimiting, and any excess padding was ignored.
f47547b35462571636a76b737602e827ae43bc24 changed the code to reject
excess padding. However, this breaks using a shorter hash in a build
that supports longer hashes: the shorter hash will have padding after
it, and verify_hash() will reject it. This was found by an Arm
customer: TF-A v2.9 refused to boot, even though TF-A v2.6 (which did
not have f47547b35462571636a76b737602e827ae43bc24) worked just fine.

Storing the length of the hash turns out to be quite difficult.
However, it turns out that hashes verified by verify_hash() always come
from the ROTPK or an X.509 certificate extension. Furthermore, _all_
X.509 certificate extensions used by Trusted Board Boot are ASN.1
DER encoded, so it is possible to reject padding in get_ext(). Padding
after the ROTPK is harmless, and it is better to ignore that padding
than to refuse to boot the system.

Change-Id: I28a19d7783e6036b65e86426d78c8e5b2ed6f542
Fixes: f47547b35462571636a76b737602e827ae43bc24 ("fix(auth): reject invalid padding in digests")
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 521d4fe6 13-Mar-2023 Manish Pandey <manish.pandey2@arm.com>

Merge "style: remove useless trailing semicolon and line continuations" into integration


# 9a90d720 13-Feb-2023 Elyes Haouas <ehaouas@noos.fr>

style: remove useless trailing semicolon and line continuations

found using checkpatch.pl[1]

[1]: https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/heads/master/util/lint/checkpatch.pl

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Change-Id: I7957c9694300fefb85d11f7819c43af95271f14c


# d26cb4f4 03-Mar-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge "refactor(auth): use a single function for parsing extensions" into integration


# a987b89d 28-Jan-2023 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): use a single function for parsing extensions

Previously, extensions were parsed twice: once with error checking for
validation, and a second time without error checking to extract the
extension data. This is error prone and caused TFV-10 (CVE-2022-47630).

A simpler approach is to have get_ext() be responsible for all extension
parsing, and to treat a NULL OID as an indicator that get_ext() is only
being called for validation. cert_parse() checks that get_ext() returns
IMG_PARSER_OK and fails otherwise.

Change-Id: I65a2ff053a188351ba54799827a2b7bd833bb037
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 8d48bc86 28-Feb-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge changes Ia19c6678,I44baaa47 into integration

* changes:
refactor(auth): clean up certificate length checks
refactor(auth): remove code duplication


# ddd9f675 19-Jan-2023 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): clean up certificate length checks

The previous code was correct but unnecessarily verbose.

Change-Id: Ia19c667811a7c3b6957a0274d36076b0b16e36b7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 6a7104a3 19-Jan-2023 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): remove code duplication

The unique IDs are handled identically, so just use a for loop to get
both of them.

Change-Id: I44baaa4747ca7f314d364a79dfcbce97315f5a92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# acf455b4 20-Jan-2023 Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Merge changes from topic "fix_sparse_warnings" into integration

* changes:
fix(libc): remove __putchar alias
fix(console): correct scopes for console symbols
fix(auth): use NULL instead of 0 for pointer check
fix(io): compare function pointers with NULL
fix(fdt-wrappers): use correct prototypes


# 5442a875 12-Jan-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge changes Id4570f91,Ibdf1af70 into integration

* changes:
fix(auth): properly validate X.509 extensions
fix(auth): avoid out-of-bounds read in auth_nvctr()


# 654b65b3 06-Jan-2023 Yann Gautier <yann.gautier@st.com>

fix(auth): use NULL instead of 0 for pointer check

This was triggered by sparse tool:
drivers/auth/mbedtls/mbedtls_x509_parser.c:481:42: warning:
Using plain integer as NULL pointer

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I392316c2a81ef8da7597e35f136e038f152d19d1


# f5c51855 09-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): properly validate X.509 extensions

get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.

This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.

This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.

Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>


# ef27dd23 04-Jan-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge "refactor(auth): avoid parsing signature algorithm twice" into integration


# 40fd1c02 03-Jan-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge changes I794d2927,Ie33205fb,Ifdbe3b4c into integration

* changes:
refactor(auth): do not include SEQUENCE tag in saved extensions
fix(auth): reject junk after certificates
fix(auth): require bit strings to have no unused bits


# ce882b53 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): do not include SEQUENCE tag in saved extensions

This makes the code a little bit smaller. No functional change
intended.

Change-Id: I794d2927fcd034a79e29c9bba1f8e4410203f547
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# ca34dbc0 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): reject junk after certificates

Certificates must not allow trailing junk after them.

Change-Id: Ie33205fb051fc63af5b72c326822da7f62eec1d1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 8816dbb3 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): require bit strings to have no unused bits

This is already checked by the crypto module or by mbedTLS, but checking
it in the X.509 parser is harmless.

Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 2439a808 03-Jan-2023 Sandrine Bailleux <sandrine.bailleux@arm.com>

Merge changes Ia748b6ae,Id8a48e14,Id25ab231,Ie26eed8a,Idf48f716, ... into integration

* changes:
refactor(auth): partially validate SubjectPublicKeyInfo early
fix(auth): reject padding after BIT STRING in signatures
fix(auth): reject invalid padding in digests
fix(auth): require at least one extension to be present
fix(auth): forbid junk after extensions
fix(auth): only accept v3 X.509 certificates


# 63cc49d0 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): avoid parsing signature algorithm twice

Since the two instances of the signature algorithm in a certificate must
be bitwise identical, it is not necessary to parse both of them.
Instead, it suffices to parse one of them, and then check that the other
fits in the remaining buffer space and is equal to the first.

Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 94c0cfbb 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

refactor(auth): partially validate SubjectPublicKeyInfo early

This reduces the likelihood of future problems later.

Change-Id: Ia748b6ae31a7a48f17ec7f0fc08310a50cd1b135
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# 72460f50 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): require at least one extension to be present

X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.

Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# fd37982a 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): forbid junk after extensions

The extensions must use all remaining bytes in the TBSCertificate.

Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# e9e4a2a6 08-Dec-2022 Demi Marie Obenour <demiobenour@gmail.com>

fix(auth): only accept v3 X.509 certificates

v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.

Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>


# c3170fd8 14-Nov-2022 Manish Pandey <manish.pandey2@arm.com>

Merge changes from topic "stm32mp1-trusted-boot" into integration

* changes:
docs(st): update documentation for TRUSTED_BOARD_BOOT
fix(build): ensure that the correct rule is called for tools
feat(stm32mp1): add the platform specific build for tools
fix(stm32mp13-fdts): remove secure status
feat(stm32mp1-fdts): add CoT and fuse references for authentication
feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip
feat(stm32mp1): add the decryption support
feat(stm32mp1): add the TRUSTED_BOARD_BOOT support
feat(stm32mp1): update ROM code API for header v2 management
feat(stm32mp1): remove unused function from boot API
refactor(stm32mp1): remove authentication using STM32 image mode
fix(fconf): fix type error displaying disable_auth
feat(tbbr): increase PK_DER_LEN size
fix(auth): correct sign-compare warning
feat(auth): allow to verify PublicKey with platform format PK
feat(cert-create): update for ECDSA brainpoolP256r/t1 support
feat(stm32mp1): add RNG initialization in BL2 for STM32MP13
feat(st-crypto): remove BL32 HASH driver usage
feat(stm32mp1): add a stm32mp crypto library
feat(st-crypto): add STM32 RNG driver
feat(st-crypto): add AES decrypt/auth by SAES IP
feat(st-crypto): add ECDSA signature check with PKA
feat(st-crypto): update HASH for new hardware version used in STM32MP13
