get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This makes the code a little bit smaller. No functional change
intended.
Change-Id: I794d2927fcd034a79e29c9bba1f8e4410203f547
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Certificates must not allow trailing junk after them.
Change-Id: Ie33205fb051fc63af5b72c326822da7f62eec1d1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is already checked by the crypto module or by mbedTLS, but checking
it in the X.509 parser is harmless.
Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
* changes:
refactor(auth): partially validate SubjectPublicKeyInfo early
fix(auth): reject padding after BIT STRING in signatures
fix(auth): reject invalid padding in digests
fix(auth): require at least one extension to be present
fix(auth): forbid junk after extensions
fix(auth): only accept v3 X.509 certificates
Since the two instances of the signature algorithm in a certificate must
be bitwise identical, it is not necessary to parse both of them.
Instead, it suffices to parse one of them, and then check that the other
fits in the remaining buffer space and is equal to the first.
Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This reduces the likelihood of future problems later.
Change-Id: Ia748b6ae31a7a48f17ec7f0fc08310a50cd1b135
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Digests must not have padding after the SEQUENCE or OCTET STRING.
Change-Id: Id25ab23111781f8c8a97c2c3c8edf1cc4a4384c0
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The extensions must use all remaining bytes in the TBSCertificate.
Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The functions stm32_pka_get_platdata() and stm32_saes_get_platdata()
are not used. They can be removed as we always use DT to retrieve
the device configuration.
This issue was triggered by sparse tool or when enabling warning
-Wmissing-prototypes.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I5cce9a0765144d694e8ddece37361ccbb85d1734
with reference to feature 04c730 (feat(cpus): make cache ops conditional),
booting with caches in debug recovery means SCTLR_C_BIT will be 0.
Wrap the assert for the d-cache enabled check in CONDITIONAL_CMO and
plat_can_cmo calls to allow booting with d-cache disabled.
Signed-off-by: Channagoud kadabi <kadabi@google.com>
Change-Id: I80153df493d1ec9e5e354c7c2e6a14322d22c446
This corrects MISRA C2012-10.6:
The value of a composite expression shall not be assigned to an object
with wider essential type.
While at it change all the shift values to unsigned.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Idf9915313af965db2106095df7cb48a84f50c519
Fix MISRA C2012-10.3:
The value of an expression shall not be assigned to an object with
a narrower essential type or of a different essential type category.
Check buffer size is less than 4GB before casting the command argument.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Iac1afcfe905c99b22cb39dc4104d351b0e647e5d
This corrects MISRA C2012-18.4:
The +, -, += and -= operators should not be applied to an expression
of pointer type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9128f567a7c83d8e3381428b07e6bd785be2703b
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I4c331b0225af975fd022ffe9e5fd1d536ed59879
This corrects MISRA C2012-16.6:
Every switch statement shall have at least two switch-clauses.
While at it, remove useless rate variable.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I123784e7184dbf4146fd0d7faeffd6a0382fc6a1
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id217d3da223caf75cd0439d7ce11c9efab87b4d2
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Iacc58349cc3ab558fb4ffe0605a623e84e21e035
This corrects MISRA C2012-20.7:
Expressions resulting from the expansion of macro parameters shall be
enclosed in parentheses.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9989a5aaacf17f6f7a65381c8d41f21a35f6ddd9
This corrects MISRA C2012-18.4:
The +, -, += and -= operators should not be applied to an expression
of pointer type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ie1a196b875eae2eff9242cf83abfc1a79bdee6f3
This corrects the MISRA violation C2012-12.1:
The precedence of operators within expressions should be made explicit.
This is done either by adding parentheses, or by creating dedicated
variables.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8312442222ba848ac1f5e38df1bed0a367646a7
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I4f8da6b0ce73df65b2b45ba10d4ca16ed8b70113
This corrects MISRA C2012-20.7
Expressions resulting from the expansion of macro parameters shall be
enclosed in parentheses.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9269d7a5b6aa4573bc0ca55b3054c3475dc4b6b2
Coverity Issue 21268351
Fixed unused value of xspi read while reading training values from
xspi during warm reset.
Signed-off-by: Maninder Singh <maninder.singh_1@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I779587afedb1c73d174a132bbfbcb21bf45bdff8
rss_comms_init() should return with success (0) in case of an internal
MHU_ERR_ALREADY_INIT error code which is harmless (occurs when
rss_comms_init() is called multiple times in a row).
Change-Id: Ibb1fef48a60866e80d3a389128cb8eef1332ea01
Signed-off-by: David Vincze <david.vincze@arm.com>
Returning enum usb_status in an enum usb_action function is wrong as
they have different meanings. However, usb_dwc2_ep0_out_start() and
usb_dwc2_activate_setup() only return USBD_OK so we will never get to
there. Replace these checks with asserts in case the code changes in
future.
This also silences a warning when compiling with -Wextra.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I73dfd5c189a357544c15ceb3f4268da82ce272b9
On release builds EMMC_TRACE doesn't expand to anything. Some
conditionals with no braces end up with empty bodies. This produces a
warning when compiling with -Werror=empty-body (enabled by -Wextra).
Since TF-A coding guidelines require braces to comply with MISRA
guidelines anyway, add them in the whole file.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ib4e691efc7acdb8fb8692278c7a9772fc894f77f
secure_boot_api_f is defined to take uint32_t, uint32_t, and void *
parameters. However rom_secure_boot_api_f is defined to take uint32_t *,
uint32_t *, void *. These are incompatible and cause a warning when
compiling with -Wextra. Align the rom definition to the more generic
definition from where it's called.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ia030803b3c2335d220aff09fc0eef5c7615276aa
TF-A wants to eventually enable -Wold-style-definition globally. Convert
the rare few instances where this is still the case.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I9c450fc875cf097e6de2ed577ea3b085821c9f5e
Compiling with -Wimplicit-fallthrough=3 (enabled by -Wextra) produces
many warnings about fallthrough comments either missing or being wrong.
Unify the comments so we comply with -Wextra.
Note that Coverity recommends against using the __attribute__ directive.
Also, zlib does not build with a higher value of -Wimplicit-fallthrough.
Finally, compilers strip comments before expanding macros. As such,
checkpatch's fallthrough annotation (or higher levels of the flag) isn't
really possible.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I060cf4f8dc04c02cbb45cf4ceb69569a8369ccee
The platform.mk can add extra MbedTLS source files to LIBMBEDTLS_SRC.
Change-Id: Ida9abfd59d8b02eae23ec0a7f326db060b42bf49
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Fixed coverity issue for "shifting by a negtive value", returned
before go to the next shifting code.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I00171b057b8948cb9e9ec5d9405b2e32aba568fb
Coverity Issue detail:
underrun-local: Underrunning array bin[i].cl[k].caslat
at element index -1 (byte offset -1)
using index j (which evaluates to -1).
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I1ec4833bbd5db1ac51436eac606484eefc4338ee
In function "desc_length", LSB byte of the first word of the
descriptor will be anded with 0x7F, to get the number of words
constructing the descriptor.
LSB byte of the first word of the descriptor is auto-incremented
with each add_word used while constructing the descriptor.
But if function "desc_add_word" is called more than
MAX_DESC_SIZE_WORDS times, then only the function "desc_length",
can return number of words greater than MAX_DESC_SIZE_WORDS.
This is the condition when core can overwrite the out of bound
memory.
Hence, the following fix is needed:
- Before adding any new word to the descriptor, a check for
max word length needs to be added, into these functions:
"desc_add_word" & "desc_add_ptr".
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: If896cd2e02ecde72fb09c5147119dec4f2f84bc3
Fixed the following coverity issues:
Using uninitialized value cmd_id1, cmd_id2.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I8cd430ec015fc617521db455a6ffe16b33f42b78
Updated the event log driver's function to accept metadata as an
argument, to remove the platform function usage from the event log
driver to make it a standalone driver.
Change-Id: I512cf693d51dc3c0b9d2c1bfde4f89414e273049
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Setting 2MB shared memory and following 64MB secure memory.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: Ia992d21f205d305a6fff92fc11435634ce7c9d21
Timing CFG 0 and Timing CFG 4 are ddr controller registers that
have been affected by 1d phy training during cold boot. They are
needed to be stored and restored along with phy training values.
Signed-off-by: Maninder Singh <maninder.singh_1@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I29c55256e74456515aaeb098e2e0e3475697a466
