On Fri, 2019-12-06 at 21:28 +0000, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Fri, 2019-12-06 at 11:37 +0100, Lukasz Hawrylko wrote:
> > On Wed, 2019-12-04 at 14:33 +0000, Paul Moore (pmoore2) wrote:
> > > Can you elaborate a bit more on what you mean by "the root of
> > > certificate"?  Alternatively, could you upload the kernel and
> > > signing certificate somewhere I could grab so I can play with it?
> > 
> > Maybe I used the wrong words, I am talking about the
> > pkcs1_search_signer function and the following lines:
> > 
> >   if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
> >       !asn1_blob_cmp(&entry->cert.ca->subject, subject))
> > 
> > If I change them to
> > 
> >   if (!asn1_blob_cmp(&entry->cert.serial, serial) &&
> >       !asn1_blob_cmp(&entry->cert.subject, subject))
> > 
> > it will find my certificate.
> 
> Thanks, that makes it much more clear.  One of the benefits of sharing
> code is that it helps remove any uncertainties. :)
> 
> > Could you please explain to me why you are
> > using serial from root of entry and subject from sub-element? Is it
> > connected with certificate chain? What if there is just the simplest
> > possible certificate that is not signed by anybody?
> 
> That does look a little odd, doesn't it?

It turns out it wasn't quite as odd as originally thought.  While wrong,
it wasn't far from the truth; the PKCS #7 blob in the signed PECOFF
kernel image doesn't contain the signer's subject name, but rather the
issuer's subject name.  This explains why the code worked: in the
self-signed (Lukasz's test case) and one intermediate CA cases (the Fedora
test case) using the CA would result in the signer being found; anything
with more than one intermediate CA would fail.

I've corrected the code and pushed it to the repo/branch below:

* https://github.com/pcmoore/misc-tboot/tree/working-txtsig


> > I have uploaded certificate and key that I have generated here: 
> > https://cloud.hawrylko.pl/s/ivHd7HZpuLIjQ88 there is also a signed
> > bzImage that I am using.
> 
> Great, thank you.  I'll take a closer look.

It turns out this was due to a limitation in libtomfastmath.  Your test
key/certificate used a 4k RSA key, but libtomfastmath had a restriction
on keys larger than 2k (it turns out the Fedora keys are 2k).  I
increased the libtomfastmath number limit to support 4k keys, and
increased the tboot stack size accordingly.  The updated
misc-tboot/working-txtsig code should now work for your self-signed test
case; if not, please let me know.

Thanks,
-Paul


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
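
The signer lookup discussed in this thread, as an added example that is not code from tboot or from either poster: it shows why matching the PKCS #7 issuer name against a chain-top CA subject finds the signer only for short chains, while matching against each certificate's own issuer field works at any depth. The struct layout, the `top` pointer, the function names and the sample certificates are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumed, not tboot's types): names as strings. */
struct cert {
    const char *subject, *issuer;  /* issuer = subject name of the signing CA */
    unsigned long serial;          /* unique only within one issuer */
    const struct cert *top;        /* assumed: top-most CA of this cert's chain */
};

/* What PKCS #7 SignerInfo provides: IssuerAndSerialNumber, no signer subject. */
struct signer_id { const char *issuer; unsigned long serial; };

/* Constructed sample store: self-signed, one-CA and two-CA chains. */
static const struct cert store[6] = {
    { "Self Signer", "Self Signer", 1, &store[0] },
    { "CA One",      "CA One",      1, &store[1] },
    { "Signer B",    "CA One",      7, &store[1] },
    { "Root",        "Root",        1, &store[3] },
    { "Inter",       "Root",        2, &store[3] },
    { "Signer C",    "Inter",       9, &store[3] },
};

/* Lookup keyed on the chain top's subject: only right when top == issuer. */
const struct cert *find_by_chain_top(const struct signer_id *id)
{
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++)
        if (store[i].serial == id->serial &&
            strcmp(store[i].top->subject, id->issuer) == 0)
            return &store[i];
    return NULL;
}

/* Lookup keyed on the certificate's own issuer field: works at any depth. */
const struct cert *find_by_issuer(const struct signer_id *id)
{
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++)
        if (store[i].serial == id->serial &&
            strcmp(store[i].issuer, id->issuer) == 0)
            return &store[i];
    return NULL;
}

/* Convenience wrapper: subject of the match, or "" when nothing matches. */
const char *signer_subject(int by_issuer, const char *issuer, unsigned long serial)
{
    struct signer_id id = { issuer, serial };
    const struct cert *c = by_issuer ? find_by_issuer(&id) : find_by_chain_top(&id);
    return c ? c->subject : "";
}
```

Serial 1 appears three times in the sample store under different issuers, which is why the serial number is only meaningful together with the issuer name.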
