Add hash only (#1)

* Added hash only function to tpmsbsign

Co-authored-by: Heike Pesch <[email protected]>

debian/changelog

@@ -1,3 +1,9 @@
+tpmsbsigntool (0.9.4-2) jammy; urgency=medium
+
+  * Added hash only function for signed PE binaries.
+
+ -- Richard Robert Reitz <[email protected]>  Wed, 23 Nov 2022 19:02:54 +0100
+
 tpmsbsigntool (0.9.4-1) jammy; urgency=medium
 
   * Forked sbsigntool 0.9.4-2ubuntu2

debian/patches/series

@@ -8,4 +8,4 @@ renamed-to-tpm.patch
 kmodsign-tpm-support.patch
 sbsign-tpm-and-pin-support.patch
 ossl_store.patch
-
+tpmsbsign_hash_only.patch

debian/patches/tpmsbsign_hash_only.patch

@@ -0,0 +1,108 @@
+Description: Add hash-only patch provided by Trammell Hudson
+For predicting the TPM PCRs it is necessary to compute the
+PE hash as defined by Microsoft's complicated 15-step process.
+Since sbsign already has the logic to walk the executable
+and generate this sha256 value, this patch adds an option
+to print the hash by itself.
+
+It provides the correct hashes only for signed PE, unsigned PE hashes
+seems to be calculated wrong. But in our case we only need the correct
+hash value for signed PE only.
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: other, https://groups.io/g/sbsigntools/message/42
+Reviewed-By: Richard Robert Reitz <[email protected]>
+Last-Update: 2022-11-02
+
+--- tpmsbsigntool-0.9.4.orig/src/idc.h
++++ tpmsbsigntool-0.9.4/src/idc.h
+@@ -42,5 +42,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
+ struct idc *IDC_get(PKCS7 *p7, BIO *bio);
+ int IDC_check_hash(struct idc *idc, struct image *image);
+
++const char *sha256_str(const uint8_t *hash);
++
+ #endif /* IDC_H */
+
+--- tpmsbsigntool-0.9.4.orig/src/tpmsbsign.c
++++ tpmsbsigntool-0.9.4/src/tpmsbsign.c
+@@ -76,6 +76,7 @@ static struct option options[] = {
+ 	{ "detached", no_argument, NULL, 'd' },
+ 	{ "verbose", no_argument, NULL, 'v' },
+ 	{ "help", no_argument, NULL, 'h' },
++	{ "hash-only", no_argument, NULL, 'H' },
+ 	{ "version", no_argument, NULL, 'V' },
+ 	{ "engine", required_argument, NULL, 'e'},
+ 	{ "provider", required_argument, NULL, 'P'},
+@@ -105,7 +105,8 @@ static void usage(void)
+ 		"\t--output <file>    write signed data to <file>\n"
+ 		"\t                    (default <efi-boot-image>.signed,\n"
+ 		"\t                    or <efi-boot-image>.pk7 for detached\n"
+-		"\t                    signatures)\n",
++		"\t                    signatures)\n"
++		"\t--hash-only        print the PE hash of already signed binaries\n",
+ 		toolname);
+ }
+
+@@ -162,7 +164,7 @@ int main(int argc, char **argv)
+ 	const char *keyfilename, *certfilename, *addcertfilename, *engine;
+ 	struct sign_context *ctx;
+ 	uint8_t *buf, *tmp;
+-	int rc, c, sigsize;
++	int rc, c, sigsize, hash_only = 0;
+ 	EVP_PKEY *pkey;
+
+ 	ctx = talloc_zero(NULL, struct sign_context);
+@@ -174,7 +176,7 @@ int main(int argc, char **argv)
+
+ 	for (;;) {
+ 		int idx;
+-		c = getopt_long(argc, argv, "P:Q:o:c:k:dvVhe:a:", options, &idx);
++		c = getopt_long(argc, argv, "P:Q:o:c:k:dvVhe:a:H", options, &idx);
+ 		if (c == -1)
+ 			break;
+
+@@ -216,6 +218,9 @@ int main(int argc, char **argv)
+ 		case 'a':
+ 			addcertfilename = optarg;
+ 			break;
++		case 'H':
++			hash_only = 1;
++			break;
+ 		}
+ 	}
+
+@@ -225,6 +230,18 @@ int main(int argc, char **argv)
+ 	}
+
+ 	ctx->infilename = argv[optind];
++	
++	ctx->image = image_load(ctx->infilename);
++	if (!ctx->image)
++		return EXIT_FAILURE;
++
++	if (hash_only) {
++		unsigned char sha[SHA256_DIGEST_LENGTH];
++		image_hash_sha256(ctx->image, sha);
++		printf("%s\n", sha256_str(sha));
++		return EXIT_SUCCESS;
++	}
++
+ 	if (!ctx->outfilename)
+ 		set_default_outfilename(ctx);
+
+@@ -241,10 +258,6 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 	}
+
+-	ctx->image = image_load(ctx->infilename);
+-	if (!ctx->image)
+-		return EXIT_FAILURE;
+-
+ 	talloc_steal(ctx, ctx->image);
+
+ 	ERR_load_crypto_strings();