2024-05-23 13:24:21

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

There's no reason to encode OID_TPMSealedData at run-time, as it never
changes.

Replace it with the encoded version, which has exactly the same size:

67 81 05 0A 01 05

Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
the OID can be simply copied to the blob.

Signed-off-by: Jarkko Sakkinen <[email protected]>
---
v2:
* Not my day I guess. This one has print_hex_dump() taken away.
Apologies for spamming. The patch is however tested properly
with run-tests.sh in https://gitlab.com/jarkkojs/linux-tpmdd-test.
---
include/linux/asn1_encoder.h | 4 -
lib/asn1_encoder.c | 91 -----------------------
security/keys/trusted-keys/trusted_tpm2.c | 7 +-
3 files changed, 4 insertions(+), 98 deletions(-)

diff --git a/include/linux/asn1_encoder.h b/include/linux/asn1_encoder.h
index 08cd0c2ad34f..afeefdfe2525 100644
--- a/include/linux/asn1_encoder.h
+++ b/include/linux/asn1_encoder.h
@@ -8,14 +8,10 @@
#include <linux/asn1_ber_bytecode.h>
#include <linux/bug.h>

-#define asn1_oid_len(oid) (sizeof(oid)/sizeof(u32))
unsigned char *
asn1_encode_integer(unsigned char *data, const unsigned char *end_data,
s64 integer);
unsigned char *
-asn1_encode_oid(unsigned char *data, const unsigned char *end_data,
- u32 oid[], int oid_len);
-unsigned char *
asn1_encode_tag(unsigned char *data, const unsigned char *end_data,
u32 tag, const unsigned char *string, int len);
unsigned char *
diff --git a/lib/asn1_encoder.c b/lib/asn1_encoder.c
index 0fd3c454a468..c0db3cbebe89 100644
--- a/lib/asn1_encoder.c
+++ b/lib/asn1_encoder.c
@@ -85,97 +85,6 @@ asn1_encode_integer(unsigned char *data, const unsigned char *end_data,
}
EXPORT_SYMBOL_GPL(asn1_encode_integer);

-/* calculate the base 128 digit values setting the top bit of the first octet */
-static int asn1_encode_oid_digit(unsigned char **_data, int *data_len, u32 oid)
-{
- unsigned char *data = *_data;
- int start = 7 + 7 + 7 + 7;
- int ret = 0;
-
- if (*data_len < 1)
- return -EINVAL;
-
- /* quick case */
- if (oid == 0) {
- *data++ = 0x80;
- (*data_len)--;
- goto out;
- }
-
- while (oid >> start == 0)
- start -= 7;
-
- while (start > 0 && *data_len > 0) {
- u8 byte;
-
- byte = oid >> start;
- oid = oid - (byte << start);
- start -= 7;
- byte |= 0x80;
- *data++ = byte;
- (*data_len)--;
- }
-
- if (*data_len > 0) {
- *data++ = oid;
- (*data_len)--;
- } else {
- ret = -EINVAL;
- }
-
- out:
- *_data = data;
- return ret;
-}
-
-/**
- * asn1_encode_oid() - encode an oid to ASN.1
- * @data: position to begin encoding at
- * @end_data: end of data pointer, points one beyond last usable byte in @data
- * @oid: array of oids
- * @oid_len: length of oid array
- *
- * this encodes an OID up to ASN.1 when presented as an array of OID values
- */
-unsigned char *
-asn1_encode_oid(unsigned char *data, const unsigned char *end_data,
- u32 oid[], int oid_len)
-{
- int data_len = end_data - data;
- unsigned char *d = data + 2;
- int i, ret;
-
- if (WARN(oid_len < 2, "OID must have at least two elements"))
- return ERR_PTR(-EINVAL);
-
- if (WARN(oid_len > 32, "OID is too large"))
- return ERR_PTR(-EINVAL);
-
- if (IS_ERR(data))
- return data;
-
-
- /* need at least 3 bytes for tag, length and OID encoding */
- if (data_len < 3)
- return ERR_PTR(-EINVAL);
-
- data[0] = _tag(UNIV, PRIM, OID);
- *d++ = oid[0] * 40 + oid[1];
-
- data_len -= 3;
-
- for (i = 2; i < oid_len; i++) {
- ret = asn1_encode_oid_digit(&d, &data_len, oid[i]);
- if (ret < 0)
- return ERR_PTR(ret);
- }
-
- data[1] = d - data - 2;
-
- return d;
-}
-EXPORT_SYMBOL_GPL(asn1_encode_oid);
-
/**
* asn1_encode_length() - encode a length to follow an ASN.1 tag
* @data: pointer to encode at
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
index 8b7dd73d94c1..4a2b4ad5a913 100644
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -26,7 +26,8 @@ static struct tpm2_hash tpm2_hash_map[] = {
{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
};

-static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 };
+/* Encoded OID_TPMSealedData. */
+static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05};

static int tpm2_key_encode(struct trusted_key_payload *payload,
struct trusted_key_options *options,
@@ -51,8 +52,8 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
if (!scratch)
return -ENOMEM;

- work = asn1_encode_oid(work, end_work, tpm2key_oid,
- asn1_oid_len(tpm2key_oid));
+ work = memcpy(work, OID_TPMSealedData_ASN1, sizeof(OID_TPMSealedData_ASN1));
+ work += sizeof(OID_TPMSealedData_ASN1);

if (options->blobauth_len == 0) {
unsigned char bool[3], *w = bool;
--
2.45.1



2024-05-23 13:36:46

by David Howells

[permalink] [raw]
Subject: Re: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

Jarkko Sakkinen <[email protected]> wrote:

> There's no reason to encode OID_TPMSealedData at run-time, as it never
> changes.
>
> Replace it with the encoded version, which has exactly the same size:
>
> 67 81 05 0A 01 05
>
> Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
> the OID can be simply copied to the blob.

This seems reasonable. We have a limited set of OIDs we can generate
(currently 1). Better to store the BER-encoded form and copy that in rather
than trying to turn a pretty-printed OID into the BER encoding unless we
absolutely have to.

David


2024-05-23 13:41:20

by Ben Boeckel

[permalink] [raw]
Subject: Re: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

On Thu, May 23, 2024 at 16:23:37 +0300, Jarkko Sakkinen wrote:
> There's no reason to encode OID_TPMSealedData at run-time, as it never
> changes.
>
> Replace it with the encoded version, which has exactly the same size:
>
> 67 81 05 0A 01 05

Is it the same size? It looks considerably smaller to me (6*4 bytes
versus 8 bytes).

> Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
> the OID can be simply copied to the blob.

An "epilogue" occurs at the end, but it seems to be at the beginning
here (that would be a "prologue").

> -static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 };
> +/* Encoded OID_TPMSealedData. */
> +static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05};

I'd say that a comment of what it encodes would be good to have for
context, but the source tree has `OID_TPMSealedData` in a header with
the value in a comment there, so that seems good enough to me.

> as it never changes.

Should it, perhaps be `const` too?

--Ben

2024-05-23 13:58:17

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

On Thu May 23, 2024 at 4:41 PM EEST, Ben Boeckel wrote:
> On Thu, May 23, 2024 at 16:23:37 +0300, Jarkko Sakkinen wrote:
> > There's no reason to encode OID_TPMSealedData at run-time, as it never
> > changes.
> >
> > Replace it with the encoded version, which has exactly the same size:
> >
> > 67 81 05 0A 01 05
>
> Is it the same size? It looks considerably smaller to me (6*4 bytes
> versus 8 bytes).

Not in that sense but in practice the old array stored byte values.
Forgot for that reason that it was actually u32 array.

I can change it to "same number of elements".

>
> > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
> > the OID can be simply copied to the blob.
>
> An "epilogue" occurs at the end, but it seems to be at the beginning
> here (that would be a "prologue").

Yup, typo.

> > -static u32 tpm2key_oid[] = { 2, 23, 133, 10, 1, 5 };
> > +/* Encoded OID_TPMSealedData. */
> > +static u8 OID_TPMSealedData_ASN1[] = {0x06, 0x06, 0x67, 0x81, 0x05, 0x0a, 0x01, 0x05};
>
> I'd say that a comment of what it encodes would be good to have for
> context, but the source tree has `OID_TPMSealedData` in a header with
> the value in a comment there, so that seems good enough to me.

OK. I named it this way to promote generation these from CSV file
(see my other response to James).


>
> > as it never changes.
>
> Should it, perhaps be `const` too?

Yup.

>
> --Ben

Thanks for the remarks!

BR, Jarkko

2024-05-23 14:01:33

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

On Thu May 23, 2024 at 4:39 PM EEST, David Howells wrote:
> Jarkko Sakkinen <[email protected]> wrote:
>
> > There's no reason to encode OID_TPMSealedData at run-time, as it never
> > changes.
> >
> > Replace it with the encoded version, which has exactly the same size:
> >
> > 67 81 05 0A 01 05
> >
> > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
> > the OID can be simply copied to the blob.
> >
> > Signed-off-by: Jarkko Sakkinen <[email protected]>
>
> Reviewed-by: David Howells <[email protected]>

Thanks!

BR, Jarkko

2024-05-23 14:07:21

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v2] KEYS: trusted: Use ASN.1 encoded OID

On Thu May 23, 2024 at 4:36 PM EEST, David Howells wrote:
> Jarkko Sakkinen <[email protected]> wrote:
>
> > There's no reason to encode OID_TPMSealedData at run-time, as it never
> > changes.
> >
> > Replace it with the encoded version, which has exactly the same size:
> >
> > 67 81 05 0A 01 05
> >
> > Include OBJECT IDENTIFIER (0x06) tag and length as the epilogue so that
> > the OID can be simply copied to the blob.
>
> This seems reasonable. We have a limited set of OIDs we can generate
> (currently 1). Better to store the BER-encoded form and copy that in rather
> than trying to turn a pretty-printed OID into the BER encoding unless we
> absolutely have to.

Yup, I crafted a plan in response to James about possibility to generate
all from a CSV file (oid_registry.gen.[sh] and oid_registry.h incldues
oid_registry.gen.h for compat).

No bandwidth to work in it, but happy to review it.

>
> David

BR, Jarkko