Attention is currently required from: Julius Werner, Yu-Ping Wu.

Jakub Czapiga has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/69762 )

Change subject: vboot/vboot_logic: Fix hash digest size and padding ......................................................................

vboot/vboot_logic: Fix hash digest size and padding

vboot_save_hash() in ChromeOS EC implementation expects hash digest to be of fixed size - maximum supported digest size. If data is not long enough, it should be padded with zeros.

Signed-off-by: Jakub Czapiga jacz@semihalf.com Change-Id: If6d46e0b58dbca86af56221b7ff2606ab2d1799a --- M src/security/vboot/vboot_logic.c 1 file changed, 30 insertions(+), 3 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/62/69762/1

diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 98a044c..b979328 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -337,10 +337,23 @@ printk(BIOS_INFO, "Phase 4\n"); if (CONFIG(VBOOT_CBFS_INTEGRATION)) { struct vb2_hash *metadata_hash; + rv = vb2api_get_metadata_hash(ctx, &metadata_hash); - if (rv == VB2_SUCCESS) - rv = handle_digest_result(metadata_hash->raw, - vb2_digest_size(metadata_hash->algo)); + + if (rv == VB2_SUCCESS) { + uint8_t hash_digest[VBOOT_MAX_HASH_SIZE]; + const size_t hash_digest_sz = sizeof(hash_digest); + const size_t metadata_hash_digest_sz = + vb2_digest_size(metadata_hash->algo); + + if (metadata_hash_digest_sz > hash_digest_sz) + die("Metadata hash digest size is too big"); + + memset(hash_digest, 0, hash_digest_sz); + memcpy(hash_digest, metadata_hash->raw, metadata_hash_digest_sz); + + rv = handle_digest_result(hash_digest, hash_digest_sz); + } } else { struct region_device fw_body; rv = vboot_locate_firmware(ctx, &fw_body);