-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Added hash only function to tpmsbsign Co-authored-by: Heike Pesch <[email protected]>
- Loading branch information
1 parent
e62493d
commit 864461e
Showing
3 changed files
with
115 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,9 @@ | ||
tpmsbsigntool (0.9.4-2) jammy; urgency=medium | ||
|
||
* Added hash only function for signed PE binaries. | ||
|
||
-- Richard Robert Reitz <[email protected]> Wed, 23 Nov 2022 19:02:54 +0100 | ||
|
||
tpmsbsigntool (0.9.4-1) jammy; urgency=medium | ||
|
||
* Forked sbsigntool 0.9.4-2ubuntu2 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
Description: Add hash-only patch provided by Trammell Hudson | ||
For predicting the TPM PCRs it is necessary to compute the | ||
PE hash as defined by Microsoft's complicated 15-step process. | ||
Since sbsign already has the logic to walk the executable | ||
and generate this sha256 value, this patch adds an option | ||
to print the hash by itself. | ||
|
||
It provides the correct hashes only for signed PE, unsigned PE hashes | ||
seems to be calculated wrong. But in our case we only need the correct | ||
hash value for signed PE only. | ||
|
||
--- | ||
The information above should follow the Patch Tagging Guidelines, please | ||
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here | ||
are templates for supplementary fields that you might want to add: | ||
|
||
Origin: other, https://groups.io/g/sbsigntools/message/42 | ||
Reviewed-By: Richard Robert Reitz <[email protected]> | ||
Last-Update: 2022-11-02 | ||
|
||
--- tpmsbsigntool-0.9.4.orig/src/idc.h | ||
+++ tpmsbsigntool-0.9.4/src/idc.h | ||
@@ -42,5 +42,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO | ||
struct idc *IDC_get(PKCS7 *p7, BIO *bio); | ||
int IDC_check_hash(struct idc *idc, struct image *image); | ||
|
||
+const char *sha256_str(const uint8_t *hash); | ||
+ | ||
#endif /* IDC_H */ | ||
|
||
--- tpmsbsigntool-0.9.4.orig/src/tpmsbsign.c | ||
+++ tpmsbsigntool-0.9.4/src/tpmsbsign.c | ||
@@ -76,6 +76,7 @@ static struct option options[] = { | ||
{ "detached", no_argument, NULL, 'd' }, | ||
{ "verbose", no_argument, NULL, 'v' }, | ||
{ "help", no_argument, NULL, 'h' }, | ||
+ { "hash-only", no_argument, NULL, 'H' }, | ||
{ "version", no_argument, NULL, 'V' }, | ||
{ "engine", required_argument, NULL, 'e'}, | ||
{ "provider", required_argument, NULL, 'P'}, | ||
@@ -105,7 +105,8 @@ static void usage(void) | ||
"\t--output <file> write signed data to <file>\n" | ||
"\t (default <efi-boot-image>.signed,\n" | ||
"\t or <efi-boot-image>.pk7 for detached\n" | ||
- "\t signatures)\n", | ||
+ "\t signatures)\n" | ||
+ "\t--hash-only print the PE hash of already signed binaries\n", | ||
toolname); | ||
} | ||
|
||
@@ -162,7 +164,7 @@ int main(int argc, char **argv) | ||
const char *keyfilename, *certfilename, *addcertfilename, *engine; | ||
struct sign_context *ctx; | ||
uint8_t *buf, *tmp; | ||
- int rc, c, sigsize; | ||
+ int rc, c, sigsize, hash_only = 0; | ||
EVP_PKEY *pkey; | ||
|
||
ctx = talloc_zero(NULL, struct sign_context); | ||
@@ -174,7 +176,7 @@ int main(int argc, char **argv) | ||
|
||
for (;;) { | ||
int idx; | ||
- c = getopt_long(argc, argv, "P:Q:o:c:k:dvVhe:a:", options, &idx); | ||
+ c = getopt_long(argc, argv, "P:Q:o:c:k:dvVhe:a:H", options, &idx); | ||
if (c == -1) | ||
break; | ||
|
||
@@ -216,6 +218,9 @@ int main(int argc, char **argv) | ||
case 'a': | ||
addcertfilename = optarg; | ||
break; | ||
+ case 'H': | ||
+ hash_only = 1; | ||
+ break; | ||
} | ||
} | ||
|
||
@@ -225,6 +230,18 @@ int main(int argc, char **argv) | ||
} | ||
|
||
ctx->infilename = argv[optind]; | ||
+ | ||
+ ctx->image = image_load(ctx->infilename); | ||
+ if (!ctx->image) | ||
+ return EXIT_FAILURE; | ||
+ | ||
+ if (hash_only) { | ||
+ unsigned char sha[SHA256_DIGEST_LENGTH]; | ||
+ image_hash_sha256(ctx->image, sha); | ||
+ printf("%s\n", sha256_str(sha)); | ||
+ return EXIT_SUCCESS; | ||
+ } | ||
+ | ||
if (!ctx->outfilename) | ||
set_default_outfilename(ctx); | ||
|
||
@@ -241,10 +258,6 @@ int main(int argc, char **argv) | ||
return EXIT_FAILURE; | ||
} | ||
|
||
- ctx->image = image_load(ctx->infilename); | ||
- if (!ctx->image) | ||
- return EXIT_FAILURE; | ||
- | ||
talloc_steal(ctx, ctx->image); | ||
|
||
ERR_load_crypto_strings(); |