iPXE
Functions
imgtrust.h File Reference

Image trust management. More...

#include <ipxe/image.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
int imgverify (struct image *image, struct image *signature, const char *name)
 Verify image using downloaded signature. More...
 

Detailed Description

Image trust management.

Definition in file imgtrust.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ imgverify()

int imgverify ( struct image image,
struct image signature,
const char *  name 
)

Verify image using downloaded signature.

Parameters
imageImage to verify
signatureImage containing signature
nameRequired common name, or NULL to allow any name
Return values
rcReturn status code

Definition at line 51 of file imgtrust.c.

52  {
53  struct asn1_cursor *data;
54  struct cms_signature *sig;
55  struct cms_signer_info *info;
56  time_t now;
57  int next;
58  int rc;
59 
60  /* Mark image as untrusted */
61  image_untrust ( image );
62 
63  /* Get raw signature data */
64  next = image_asn1 ( signature, 0, &data );
65  if ( next < 0 ) {
66  rc = next;
67  goto err_asn1;
68  }
69 
70  /* Parse signature */
71  if ( ( rc = cms_signature ( data->data, data->len, &sig ) ) != 0 )
72  goto err_parse;
73 
74  /* Free raw signature data */
75  free ( data );
76  data = NULL;
77 
78  /* Complete all certificate chains */
79  list_for_each_entry ( info, &sig->info, list ) {
80  if ( ( rc = create_validator ( &monojob, info->chain ) ) != 0 )
81  goto err_create_validator;
82  if ( ( rc = monojob_wait ( NULL, 0 ) ) != 0 )
83  goto err_validator_wait;
84  }
85 
86  /* Use signature to verify image */
87  now = time ( NULL );
88  if ( ( rc = cms_verify ( sig, image->data, image->len,
89  name, now, NULL, NULL ) ) != 0 )
90  goto err_verify;
91 
92  /* Drop reference to signature */
93  cms_put ( sig );
94  sig = NULL;
95 
96  /* Mark image as trusted */
97  image_trust ( image );
98  syslog ( LOG_NOTICE, "Image \"%s\" signature OK\n", image->name );
99 
100  return 0;
101 
102  err_verify:
103  err_validator_wait:
104  err_create_validator:
105  cms_put ( sig );
106  err_parse:
107  free ( data );
108  err_asn1:
109  syslog ( LOG_ERR, "Image \"%s\" signature bad: %s\n",
110  image->name, strerror ( rc ) );
111  return rc;
112 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
const char * name
Definition: ath9k_hw.c:1984
userptr_t data
Raw file image.
Definition: image.h:41
u32 info
Definition: ar9003_mac.h:67
u8 sig
Definition: CIB_PRM.h:43
uint32_t next
Next descriptor address.
Definition: myson.h:18
int monojob_wait(const char *string, unsigned long timeout)
Wait for single foreground job to complete.
Definition: monojob.c:81
static void cms_put(struct cms_signature *sig)
Drop reference to CMS signature.
Definition: cms.h:66
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition: asn1.c:854
An executable image.
Definition: image.h:24
#define LOG_ERR
Error: error conditions.
Definition: syslog.h:35
u8 signature
Definition: CIB_PRM.h:35
CMS signer information.
Definition: cms.h:20
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
struct interface monojob
Definition: monojob.c:56
static void image_untrust(struct image *image)
Set image as untrusted.
Definition: image.h:233
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
size_t len
Length of raw file image.
Definition: image.h:43
struct list_head list
List of signer information blocks.
Definition: cms.h:22
#define syslog(priority, fmt,...)
Write message to system log.
Definition: syslog.h:93
int cms_verify(struct cms_signature *sig, userptr_t data, size_t len, const char *name, time_t time, struct x509_chain *store, struct x509_root *root)
Verify CMS signature.
Definition: cms.c:681
A CMS signature.
Definition: cms.h:39
struct arbelprm_port_state_change_st data
Message.
Definition: arbel.h:12
static void image_trust(struct image *image)
Set image as trusted.
Definition: image.h:224
int create_validator(struct interface *job, struct x509_chain *chain)
Instantiate a certificate validator.
Definition: validator.c:626
int64_t time_t
Seconds since the Epoch.
Definition: time.h:18
uint64_t time
Current time.
Definition: ntlm.h:20
char * name
Name.
Definition: image.h:34
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
#define LOG_NOTICE
Notice: normal but significant conditions.
Definition: syslog.h:41
An ASN.1 object cursor.
Definition: asn1.h:19

References cms_put(), cms_verify(), create_validator(), data, image::data, free, image_asn1(), image_trust(), image_untrust(), info, image::len, cms_signer_info::list, list_for_each_entry, LOG_ERR, LOG_NOTICE, monojob, monojob_wait(), image::name, name, next, NULL, rc, sig, signature, strerror(), syslog, and time.

Referenced by imgverify_exec().