From 89a302e5d9e65cbc45cf711136e0d79ac2cf3e0b Mon Sep 17 00:00:00 2001
From: Nikolaj Schlej
Date: Sun, 9 Oct 2022 11:24:27 +0200
Subject: [PATCH] Calculate key manifest public key hashes that could be written into FPFs
---
 common/ffsparser.cpp | 6 +++---
 common/fitparser.cpp | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/common/ffsparser.cpp b/common/ffsparser.cpp
index c842aa7..b007d42 100644
--- a/common/ffsparser.cpp
+++ b/common/ffsparser.cpp
@@ -3766,7 +3766,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
 }
 if (protectedRangesFound) {
- securityInfo += usprintf("Phoenix hash file found at base %08Xh\nProtected ranges:", model->base(index));
+ securityInfo += usprintf("Phoenix hash file found at base %08Xh\nProtected ranges:\n", model->base(index));
 for (UINT32 i = 0; i < header->NumEntries; i++) {
 const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY* entry = (const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY*)(header + 1) + i;
 securityInfo += usprintf("RelativeOffset: %08Xh Size: %Xh\nHash: ", entry->Base, entry->Size);
@@ -3828,7 +3828,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
 protectedRanges.push_back(range);
 }
- msg(usprintf("%s: new AMI hash file found", __FUNCTION__), fileIndex);
+ msg(usprintf("%s: AMI hash file v2 found", __FUNCTION__), fileIndex);
 }
 else if (size == sizeof(PROTECTED_RANGE_VENDOR_HASH_FILE_HEADER_AMI_V1)) {
 securityInfo += usprintf("AMI hash file v1 found at base %08Xh\nProtected range:\n", model->base(fileIndex));
@@ -3849,7 +3849,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
 protectedRanges.push_back(range);
 }
- msg(usprintf("%s: old AMI hash file found", __FUNCTION__), fileIndex);
+ msg(usprintf("%s: AMI hash file v1 found", __FUNCTION__), fileIndex);
 }
 else {
 msg(usprintf("%s: unknown or corrupted AMI hash file found", __FUNCTION__), index);
diff --git a/common/fitparser.cpp b/common/fitparser.cpp
index b1c0002..c2d657b 100644
--- a/common/fitparser.cpp
+++ b/common/fitparser.cpp
@@ -486,6 +486,22 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
 }
 kmInfo += "\n";
+ // Calculate the hashes of public key modulus only
+ // One of those hashes is what's getting written into Field Programmable Fuses
+ UINT8 hash[SHA384_HASH_SIZE] = {};
+ sha256(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
+ kmInfo += usprintf("Key Manifest Public Key Hash (SHA256): ");
+ for (UINT8 i = 0; i < SHA256_HASH_SIZE; i++) {
+ kmInfo += usprintf("%02X", hash[i]);
+ }
+ kmInfo += "\n";
+ sha384(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
+ kmInfo += usprintf("Key Manifest Public Key Hash (SHA384): ");
+ for (UINT8 i = 0; i < SHA384_HASH_SIZE; i++) {
+ kmInfo += usprintf("%02X", hash[i]);
+ }
+ kmInfo += "\n";
+
 // Add Signature
 kmInfo += UString("Key Manifest Signature: ");
 for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) {
@@ -493,7 +509,7 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
 kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i));
 }
 kmInfo += "\n";
-
+
 securityInfo += kmInfo + "\n";
 bgKeyManifestFound = true;
 return U_SUCCESS;
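Review bot: The two labels added in the hunk at -486,6 +486,22, `Key Manifest Public Key Hash (SHA256): ` and `Key Manifest Public Key Hash (SHA384): `, do not tell the reader that only the modulus was hashed, nor that the value is computed from the key stored in the image rather than read from the fuses; only the code comment mentions the first of these. Someone comparing this output with a fused value or a vendor reference needs both facts, so I would put the scope into the label, e.g. `kmInfo += usprintf("Key Manifest Public Key Hash (SHA256, modulus only): ");`, and extend the comment with `// Computed from the key embedded in the image; meaningful only when compared with the value read from the platform`. The same applies to the identical block in the hunk at -578,6 +594,22. parseFitEntryBootGuardKeyManifest starts and ends outside the hunk.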
@@ -578,6 +594,22 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
 }
 kmInfo += "\n";
+ // Calculate the hashes of public key modulus only
+ // One of those hashes is what's getting written into Field Programmable Fuses
+ UINT8 hash[SHA384_HASH_SIZE] = {};
+ sha256(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
+ kmInfo += usprintf("Key Manifest Public Key Hash (SHA256): ");
+ for (UINT8 i = 0; i < SHA256_HASH_SIZE; i++) {
+ kmInfo += usprintf("%02X", hash[i]);
+ }
+ kmInfo += "\n";
+ sha384(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
+ kmInfo += usprintf("Key Manifest Public Key Hash (SHA384): ");
+ for (UINT8 i = 0; i < SHA384_HASH_SIZE; i++) {
+ kmInfo += usprintf("%02X", hash[i]);
+ }
+ kmInfo += "\n";
+
 // Add Signature
 kmInfo += UString("Key Manifest Signature: ");
 for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) {
@@ -585,7 +617,7 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
 kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i));
 }
 kmInfo += "\n";
-
+
 securityInfo += kmInfo + "\n";
 bgKeyManifestFound = true;
 return U_SUCCESS;
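Review bot: The block added in the hunk at -578,6 +594,22 is a second copy of the hashing and hex-printing code added at -486,6 +486,22, and each copy repeats the same print loop once for SHA256 and once for SHA384. A later correction to one copy, for example to what is hashed or how the line is labelled, can miss the other, so the two places would report security-relevant values differently. I would move the hex line into a small file-local helper and bind the modulus once instead of calling the accessor chain four times; the helper name below is only a suggestion. The enclosing function starts and ends outside the hunk.

```cpp
// File-local helper: label followed by the first `size` digest bytes as upper-case hex
static UString hashLine(const UString & label, const UINT8* digest, UINT8 size)
{
    UString line = label;
    for (UINT8 i = 0; i < size; i++) {
        line += usprintf("%02X", digest[i]);
    }
    line += "\n";
    return line;
}

// … unchanged: key manifest fields printed before the hashes …
        const auto & modulus = key_signature->public_key()->modulus();
        UINT8 hash[SHA384_HASH_SIZE] = {}; // sized for the larger digest, reused for both
        sha256(modulus.data(), modulus.length(), hash);
        kmInfo += hashLine(UString("Key Manifest Public Key Hash (SHA256): "), hash, SHA256_HASH_SIZE);
        sha384(modulus.data(), modulus.length(), hash);
        kmInfo += hashLine(UString("Key Manifest Public Key Hash (SHA384): "), hash, SHA384_HASH_SIZE);
// … unchanged: "Add Signature" loop …
```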