vboot2: add support for verify data / digest using new signature struct

This adds the vb2_signature2 equivalents of vb2_verify_digest() and vb2_verify_data(), including support for bare hash signatures. BUG=chromium:423882 BRANCH=none TEST=VBOOT2=1 make runtests Change-Id: I372c9e5f0be926a833e4ca8f84665cfb05907481 Reviewed-on: https://chromium-review.googlesource.com/226950 Tested-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Bill Richardson <wfrichar@chromium.org> Commit-Queue: Randall Spangler <rspangler@chromium.org>
2025-12-16 21:07:26 +00:00 · 2014-11-01 17:56:46 -07:00
parent c0ce70b468
commit b885c3bd3d
6 changed files with 325 additions and 2 deletions
--- a/firmware/2lib/include/2common.h
+++ b/firmware/2lib/include/2common.h
@@ -291,6 +291,15 @@ int vb2_unpack_key2(struct vb2_public_key *key,
 uint32_t vb2_sig_size(enum vb2_signature_algorithm sig_alg,
 		      enum vb2_hash_algorithm hash_alg);

+/**
+ * Return a key_guid for an unsigned hash algorithm.
+ *
+ * @param hash_alg	Hash algorithm to return key for
+ * @return A pointer to the key_guid for that hash algorithm and
+ *	   sig_alg=VB2_SIG_NONE, or NULL if error.
+ */
+const struct vb2_guid *vb2_hash_guid(enum vb2_hash_algorithm hash_alg);
+
 /**
 * Verify the integrity of a signature struct
 * @param sig		Signature struct
@@ -300,7 +309,10 @@ uint32_t vb2_sig_size(enum vb2_signature_algorithm sig_alg,
 int vb2_verify_signature2(const struct vb2_signature2 *sig,
 			  uint32_t size);

-/* Size of work buffer sufficient for vb2_rsa_verify_digest() worst case */
+/*
+ * Size of work buffer sufficient for vb2_verify_digest() or
+ * vb2_verify_digest2() worst case.
+ */
 #define VB2_VERIFY_DIGEST_WORKBUF_BYTES VB2_VERIFY_RSA_DIGEST_WORKBUF_BYTES

 /**
@@ -317,7 +329,24 @@ int vb2_verify_digest(const struct vb2_public_key *key,
 		      const uint8_t *digest,
 		      struct vb2_workbuf *wb);

-/* Size of work buffer sufficient for vb2_verify_data() worst case */
+/**
+ * Verify a signature against an expected hash digest.
+ *
+ * @param key		Key to use in signature verification
+ * @param sig		Signature to verify (may be destroyed in process)
+ * @param digest	Digest of signed data
+ * @param wb		Work buffer
+ * @return VB2_SUCCESS, or non-zero if error.
+ */
+int vb2_verify_digest2(const struct vb2_public_key *key,
+		       struct vb2_signature2 *sig,
+		       const uint8_t *digest,
+		       struct vb2_workbuf *wb);
+
+/*
+ * Size of work buffer sufficient for vb2_verify_data() or vb2_verify_data2()
+ * worst case.
+ */
 #define VB2_VERIFY_DATA_WORKBUF_BYTES					\
 	(VB2_SHA512_DIGEST_SIZE +					\
 	 VB2_MAX(VB2_VERIFY_DIGEST_WORKBUF_BYTES,			\
@@ -340,6 +369,12 @@ int vb2_verify_data(const uint8_t *data,
 		    const struct vb2_public_key *key,
 		    struct vb2_workbuf *wb);

+int vb2_verify_data2(const void *data,
+		     uint32_t size,
+		     struct vb2_signature2 *sig,
+		     const struct vb2_public_key *key,
+		     struct vb2_workbuf *wb);
+
 /* Size of work buffer sufficient for vb2_verify_keyblock() worst case */
 #define VB2_KEY_BLOCK_VERIFY_WORKBUF_BYTES VB2_VERIFY_DATA_WORKBUF_BYTES