On 02.06.2025 15:36, Ross Lagerwall wrote:
> Parse the raw data of the embedded RSA key into a form that can be later
> used for verifying live patch signatures.
>
> Signed-off-by: Ross Lagerwall <ross.lagerw...@citrix.com>
> ---
>
> * Fix endianness of builtin key lengths
> * Set builtin key to __ro_after_init
>
> xen/common/livepatch.c | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
> index 9a0df5363b59..92d1d342d872 100644
> --- a/xen/common/livepatch.c
> +++ b/xen/common/livepatch.c
> @@ -11,6 +11,8 @@
> #include <xen/lib.h>
> #include <xen/list.h>
> #include <xen/mm.h>
> +#include <xen/mpi.h>
> +#include <xen/rsa.h>
> #include <xen/sched.h>
> #include <xen/smp.h>
> #include <xen/softirq.h>
> @@ -73,6 +75,10 @@ static struct livepatch_work livepatch_work;
> static DEFINE_PER_CPU(bool, work_to_do);
> static DEFINE_PER_CPU(struct tasklet, livepatch_tasklet);
>
> +#ifdef CONFIG_PAYLOAD_VERIFY
> +static struct rsa_public_key __ro_after_init builtin_payload_key;
> +#endif
> +
> static int get_name(const struct xen_livepatch_name *name, char *n)
> {
> if ( !name->size || name->size > XEN_LIVEPATCH_NAME_SIZE )
> @@ -2300,6 +2306,31 @@ static void cf_check livepatch_printall(unsigned char
> key)
> spin_unlock(&payload_lock);
> }
>
> +static int load_builtin_payload_key(void)
__init
> +{
> +#ifdef CONFIG_PAYLOAD_VERIFY
> + const uint8_t *ptr;
> + uint32_t len;
> +
> + rsa_public_key_init(&builtin_payload_key);
> +
> + ptr = xen_livepatch_key_data;
> +
> + memcpy(&len, ptr, sizeof(len));
How do you know enough data is available?
> + ptr += sizeof(len);
> + builtin_payload_key.n = mpi_read_raw_data(ptr, le32_to_cpu(len));
Even more so here. And then again below.
> + ptr += len;
> +
> + memcpy(&len, ptr, sizeof(len));
> + ptr += sizeof(len);
> + builtin_payload_key.e = mpi_read_raw_data(ptr, le32_to_cpu(len));
> +
> + return rsa_public_key_prepare(&builtin_payload_key);
> +#else
> + return 0;
> +#endif
> +}
> +
> static int cf_check cpu_callback(
> struct notifier_block *nfb, unsigned long action, void *hcpu)
> {
> @@ -2318,6 +2349,11 @@ static struct notifier_block cpu_nfb = {
> static int __init cf_check livepatch_init(void)
> {
> unsigned int cpu;
> + int err;
> +
> + err = load_builtin_payload_key();
> + if ( err )
> + return err;
>
> for_each_online_cpu ( cpu )
> {
So far this function can't fail. Therefore it makes sense that I can't find any
provisions for this case elsewhere in the file. Such provisions will need
adding as a prereq, I expect. Or alternatively it would want clarifying
explicitly that (why) none are required.
Jan
