| Message ID | 20240523132341.32092-1-jarkko@kernel.org (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [v2] KEYS: trusted: Use ASN.1 encoded OID | expand |
Jarkko Sakkinen <jarkko@kernel.org> wrote: > There's no reason to encode OID_TPMSealedData at run-time, as it never > changes. > > Replace it with the encoded version, which has exactly the same size: > > 67 81 05 0A 01 05 > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > the OID can be simply copied to the blob. This seems reasonable. We have a limited set of OIDs we can generate (currently 1). Better to store the BER-encoded form and copy that in rather than trying to turn a pretty-printed OID into the BER encoding unless we absolutely have to. David
Jarkko Sakkinen <jarkko@kernel.org> wrote: > There's no reason to encode OID_TPMSealedData at run-time, as it never > changes. > > Replace it with the encoded version, which has exactly the same size: > > 67 81 05 0A 01 05 > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > the OID can be simply copied to the blob. > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: David Howells <dhowells@redhat.com>
On Thu, May 23, 2024 at 16:23:37 +0300, Jarkko Sakkinen wrote: > There's no reason to encode OID_TPMSealedData at run-time, as it never > changes. > > Replace it with the encoded version, which has exactly the same size: > > 67 81 05 0A 01 05 Is it the same size? It looks considerably smaller to me (6*4 bytes versus 8 bytes). > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > the OID can be simply copied to the blob. An "epilogue" occurs at the end, but it seems to be at the beginning here (that would be a "prologue"). > -static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 }; > +/* Encoded OID_TPMSealedData. */ > +static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05}; I'd say that a comment of what it encodes would be good to have for context, but the source tree has `OID_TPMSealedData` in a header with the value in a comment there, so that seems good enough to me. > as it never changes. Should it, perhaps be `const` too? --Ben
On Thu May 23, 2024 at 4:41 PM EEST, Ben Boeckel wrote: > On Thu, May 23, 2024 at 16:23:37 +0300, Jarkko Sakkinen wrote: > > There's no reason to encode OID_TPMSealedData at run-time, as it never > > changes. > > > > Replace it with the encoded version, which has exactly the same size: > > > > 67 81 05 0A 01 05 > > Is it the same size? It looks considerably smaller to me (6*4 bytes > versus 8 bytes). Not in that sense but in practice the old array stored byte values. Forgot for that reason that it was actually u32 array. I can change it to "same number of elements". > > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > > the OID can be simply copied to the blob. > > An "epilogue" occurs at the end, but it seems to be at the beginning > here (that would be a "prologue"). Yup, typo. > > -static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 }; > > +/* Encoded OID_TPMSealedData. */ > > +static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05}; > > I'd say that a comment of what it encodes would be good to have for > context, but the source tree has `OID_TPMSealedData` in a header with > the value in a comment there, so that seems good enough to me. OK. I named it this way to promote generation these from CSV file (see my other response to James). > > > as it never changes. > > Should it, perhaps be `const` too? Yup. > > --Ben Thanks for the remarks! BR, Jarkko
On Thu May 23, 2024 at 4:36 PM EEST, David Howells wrote: > Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > There's no reason to encode OID_TPMSealedData at run-time, as it never > > changes. > > > > Replace it with the encoded version, which has exactly the same size: > > > > 67 81 05 0A 01 05 > > > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > > the OID can be simply copied to the blob. > > This seems reasonable. We have a limited set of OIDs we can generate > (currently 1). Better to store the BER-encoded form and copy that in rather > than trying to turn a pretty-printed OID into the BER encoding unless we > absolutely have to. Yup, I crafted a plan in response to James about possibility to generate all from a CSV file (oid_registry.gen.[sh] and oid_registry.h incldues oid_registry.gen.h for compat). No bandwidth to work in it, but happy to review it. > > David BR, Jarkko
On Thu May 23, 2024 at 4:39 PM EEST, David Howells wrote: > Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > There's no reason to encode OID_TPMSealedData at run-time, as it never > > changes. > > > > Replace it with the encoded version, which has exactly the same size: > > > > 67 81 05 0A 01 05 > > > > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that > > the OID can be simply copied to the blob. > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > Reviewed-by: David Howells <dhowells@redhat.com> Thanks! BR, Jarkko
diff --git a/include/linux/asn1_encoder.h b/include/linux/asn1_encoder.h index 08cd0c2ad34f..afeefdfe2525 100644 --- a/include/linux/asn1_encoder.h +++ b/include/linux/asn1_encoder.h @@ -8,14 +8,10 @@ #include <linux/asn1_ber_bytecode.h> #include <linux/bug.h> -#define asn1_oid_len(oid) (sizeof(oid)/sizeof(u32)) unsigned char * asn1_encode_integer(unsigned char *data, const unsigned char *end_data, s64 integer); unsigned char * -asn1_encode_oid(unsigned char *data, const unsigned char *end_data, - u32 oid[], int oid_len); -unsigned char * asn1_encode_tag(unsigned char *data, const unsigned char *end_data, u32 tag, const unsigned char *string, int len); unsigned char * diff --git a/lib/asn1_encoder.c b/lib/asn1_encoder.c index 0fd3c454a468..c0db3cbebe89 100644 --- a/lib/asn1_encoder.c +++ b/lib/asn1_encoder.c @@ -85,97 +85,6 @@ asn1_encode_integer(unsigned char *data, const unsigned char *end_data, } EXPORT_SYMBOL_GPL(asn1_encode_integer); -/* calculate the base 128 digit values setting the top bit of the first octet */ -static int asn1_encode_oid_digit(unsigned char **_data, int *data_len, u32 oid) -{ - unsigned char *data = *_data; - int start = 7 + 7 + 7 + 7; - int ret = 0; - - if (*data_len < 1) - return -EINVAL; - - /* quick case */ - if (oid == 0) { - *data++ = 0x80; - (*data_len)--; - goto out; - } - - while (oid >> start == 0) - start -= 7; - - while (start > 0 && *data_len > 0) { - u8 byte; - - byte = oid >> start; - oid = oid - (byte << start); - start -= 7; - byte |= 0x80; - *data++ = byte; - (*data_len)--; - } - - if (*data_len > 0) { - *data++ = oid; - (*data_len)--; - } else { - ret = -EINVAL; - } - - out: - *_data = data; - return ret; -} - -/** - * asn1_encode_oid() - encode an oid to ASN.1 - * @data: position to begin encoding at - * @end_data: end of data pointer, points one beyond last usable byte in @data - * @oid: array of oids - * @oid_len: length of oid array - * - * this encodes an OID up to ASN.1 when presented as an array of OID values - */ -unsigned char * -asn1_encode_oid(unsigned char *data, const unsigned char *end_data, - u32 oid[], int oid_len) -{ - int data_len = end_data - data; - unsigned char *d = data + 2; - int i, ret; - - if (WARN(oid_len < 2, "OID must have at least two elements")) - return ERR_PTR(-EINVAL); - - if (WARN(oid_len > 32, "OID is too large")) - return ERR_PTR(-EINVAL); - - if (IS_ERR(data)) - return data; - - - /* need at least 3 bytes for tag, length and OID encoding */ - if (data_len < 3) - return ERR_PTR(-EINVAL); - - data[0] = _tag(UNIV, PRIM, OID); - *d++ = oid[0] * 40 + oid[1]; - - data_len -= 3; - - for (i = 2; i < oid_len; i++) { - ret = asn1_encode_oid_digit(&d, &data_len, oid[i]); - if (ret < 0) - return ERR_PTR(ret); - } - - data[1] = d - data - 2; - - return d; -} -EXPORT_SYMBOL_GPL(asn1_encode_oid); - /** * asn1_encode_length() - encode a length to follow an ASN.1 tag * @data: pointer to encode at diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 8b7dd73d94c1..4a2b4ad5a913 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -26,7 +26,8 @@ static struct tpm2_hash tpm2_hash_map[] = { {HASH_ALGO_SM3_256, TPM_ALG_SM3_256}, }; -static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 }; +/* Encoded OID_TPMSealedData. */ +static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05}; static int tpm2_key_encode(struct trusted_key_payload *payload, struct trusted_key_options *options, @@ -51,8 +52,8 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, if (!scratch) return -ENOMEM; - work = asn1_encode_oid(work, end_work, tpm2key_oid, - asn1_oid_len(tpm2key_oid)); + work = memcpy(work, OID_TPMSealedData_ASN1, sizeof(OID_TPMSealedData_ASN1)); + work += sizeof(OID_TPMSealedData_ASN1); if (options->blobauth_len == 0) { unsigned char bool[3], *w = bool;
There's no reason to encode OID_TPMSealedData at run-time, as it never changes. Replace it with the encoded version, which has exactly the same size: 67 81 05 0A 01 05 Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that the OID can be simply copied to the blob. Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> --- v2: * Not my day I guess. This one has print_hex_dump() taken away. Apologies for spamming. The patch is however tested properly with run-tests.sh in https://gitlab.com/jarkkojs/linux-tpmdd-test. --- include/linux/asn1_encoder.h | 4 - lib/asn1_encoder.c | 91 ----------------------- security/keys/trusted-keys/trusted_tpm2.c | 7 +- 3 files changed, 4 insertions(+), 98 deletions(-)