Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp7141pxf; Wed, 10 Mar 2021 18:50:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJzu/dvnoIrmFVc2wz6cytR4ZFISfSi40mNf/6r+9gY5aFmX4jp51XV8qzgUJ/5A+3GaGVQG X-Received: by 2002:a17:907:9e6:: with SMTP id ce6mr872835ejc.207.1615431014864; Wed, 10 Mar 2021 18:50:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615431014; cv=none; d=google.com; s=arc-20160816; b=MD9L7WPlvS83IK4wK7E/LkRYWgzZUvhq6BybCqi46iTW7UDASITwQKGahDyUbkvr7e GdlG16VdZjgjx0I2r8yTb7ocMY1yvtip+8lMOL9QXlUxza5K/+JlKnpdrMinUaNsuLRG udvh46DqC9KpT3G1IQihUkd1ATAHMYOo8CB7RMGce4o9Qdlg42Mazz85gZ02vYGSp+aX fCmaylCiURTxfVXTFjV7hSC0ec5ttzTcHOaMmHGon46HzzS944i4TdfwKIm7kT0tvSmI BJP/sDo9NpBX+zSzvxU4UWtJhxUhoqtpuF0TOpKAEynRE/4W5dN/AUWYGOUcd8SYRzz6 fv6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=jNNXW/isqFdpOspFzZhWXGevfoElZ5sZVw5LgdLWlcI=; b=e53W2Lh+bNjCPlyrqVTDvZViaEDhoxoxfTkX9eLgRUIt9Nyf4gsa5rq/lbumDpzE8J V/A/gVn5s1VPlURpasIbImPg1fDBYZRB3M39CHDWahuj43vaExS90GNTk7p/OZVC2wwl nURnVlQdMoJqedRhzKRc2RnLHpyrMGST9gvwGfpNYj/jOjH0UDy4Of133aj7PSIe4E4+ Y+NNR5kGV4kp+Xn1ZhtWXADo33Vey93oRYIWvlBttOqGBi9QXXEFDH6EFxhcmENO3i9f BssCdX+/hRXEs2jlQyfZx4oq3dnpu3UmOGgzuaeZUkeWY6VKasfX8TniYvoiHKd6c9mn hFnQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l13si811786edn.284.2021.03.10.18.49.52; Wed, 10 Mar 2021 18:50:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229762AbhCKCsd (ORCPT + 99 others); Wed, 10 Mar 2021 21:48:33 -0500 Received: from out30-43.freemail.mail.aliyun.com ([115.124.30.43]:34259 "EHLO out30-43.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229469AbhCKCry (ORCPT ); Wed, 10 Mar 2021 21:47:54 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R141e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=alimailimapcm10staff010182156082;MF=zhang.jia@linux.alibaba.com;NM=1;PH=DS;RN=13;SR=0;TI=SMTPD_---0URMi9aJ_1615430870; Received: from ali-6c96cfd98fb5.local(mailfrom:zhang.jia@linux.alibaba.com fp:SMTPD_---0URMi9aJ_1615430870) by smtp.aliyun-inc.com(127.0.0.1); Thu, 11 Mar 2021 10:47:50 +0800 Subject: Re: [PATCH] selftests/sgx: fix EINIT failure dueto SGX_INVALID_SIGNATURE To: Jarkko Sakkinen Cc: Andy Lutomirski , Tianjia Zhang , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Sean Christopherson , Shuah Khan , X86 ML , linux-sgx@vger.kernel.org, "open list:KERNEL SELFTEST FRAMEWORK" , LKML References: <20210301051836.30738-1-tianjia.zhang@linux.alibaba.com> <3bcdcf04-4bed-ed95-84b6-790675f18240@linux.alibaba.com> <1f5c2375-39e2-65a8-3ad3-8dc43422f568@linux.alibaba.com> From: Jia Zhang Message-ID: <20ef1254-007d-04ce-8df5-5122ffd4d8d3@linux.alibaba.com> Date: Thu, 11 Mar 2021 10:47:50 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021/3/11 上午5:39, Jarkko Sakkinen wrote: > On Wed, Mar 10, 2021 at 08:44:44PM +0800, Jia Zhang wrote: >> >> >> On 2021/3/2 下午9:47, Jarkko Sakkinen wrote: >>> On Mon, Mar 01, 2021 at 09:54:37PM -0800, Andy Lutomirski wrote: >>>> On Mon, Mar 1, 2021 at 9:06 PM Tianjia Zhang >>>> wrote: >>>>> >>>>> >>>>> >>>>> On 3/1/21 5:54 PM, Jarkko Sakkinen wrote: >>>>>> On Mon, Mar 01, 2021 at 01:18:36PM +0800, Tianjia Zhang wrote: >>>>>>> q2 is not always 384-byte length. Sometimes it only has 383-byte. >>>>>> >>>>>> What does determine this? >>>>>> >>>>>>> In this case, the valid portion of q2 is reordered reversely for >>>>>>> little endian order, and the remaining portion is filled with zero. >>>>>> >>>>>> I'm presuming that you want to say "In this case, q2 needs to be reversed because...". >>>>>> >>>>>> I'm lacking these details: >>>>>> >>>>>> 1. Why the length of Q2 can vary? >>>>>> 2. Why reversing the bytes is the correct measure to counter-measure >>>>>> this variation? >>>>>> >>>>>> /Jarkko >>>>>> >>>>> >>>>> When use openssl to generate a key instead of using the built-in >>>>> sign_key.pem, there is a probability that will encounter this problem. >>>>> >>>>> Here is a problematic key I encountered. The calculated q1 and q2 of >>>>> this key are both 383 bytes, If the length is not processed, the >>>>> hardware signature will fail. >>>> >>>> Presumably the issue is that some keys have parameters that have >>>> enough leading 0 bits to be effectively shorter. The openssl API >>>> (and, sadly, a bunch of the ASN.1 stuff) treats these parameters as >>>> variable-size integers. >>> >>> But the test uses a static key. It used to generate a key on fly but >> >> IMO even though the test code, it comes from the linux kernel, meaning >> that its quality has a certain guarantee and it is a good reference, so >> the test code still needs to ensure its correctness. > > Hmm... what is working incorrectly then? In current implementation, it is working well, after all the static key can derive the full 384-byte length of q1 and q2. As mentioned above, if someone refers to the design of signing tool from selftest code, it is quite possible that the actual implementation will use dynamical or external signing key deriving shorter q1 and/or q2 in length. Going back the technical background, I'm not a crypto expert, so I choose to check the code, doc and make experiment. Accorindg to intel sdm vol3 37.14: ``` SIGSTRUCT includes four 3072-bit integers (MODULUS, SIGNATURE, Q1, Q2). Each such integer is represented as a byte strings of length 384, with the most significant byte at the position “offset + 383”, and the least significant byte at position “offset”. ... The 3072-bit integers Q1 and Q2 are defined by: q1 = floor(Signature^2 / Modulus); q2 = floor((Signature^3 - q1 * Signature * Modulus) / Modulus); ``` and the implementation of singing tool from Intel SGX SDK (https://github.com/intel/linux-sgx/blob/master/sdk/sign_tool/SignTool/sign_tool.cpp#L381 ), the most significant byte shuld be at the position “offset + q1/q2_actuall_len”, and the padding portion should be filled with zero, and don't involve the order reverse, but the selftest code always does. This is the root cause of SGX_INVALID_SIGNATURE. Just simplily enforce size_q1 and size_q2 to SE_KEY_SIZE, and generate randome siging key with `openssl genrsa -3 -out signing_key.pem 3072`, the SGX_INVALID_SIGNATURE error will appear up quickly. Jia > > /Jarkko >