[PATCH v2] Add optional salt to AUTOBOOT_STOP_STR_SHA256

Sun Nov 22 00:07:57 CET 2020

On Fri, 20 Nov 2020 at 12:05, Joel Peshkin <joel.peshkin at broadcom.com> wrote:
>
> From: Joel Peshkin <joel.peshkin at broadcom.com>
>
> Adds an optional SALT value to AUTOBOOT_STOP_STR_SHA256.   If a string
> followed by a ":" is prepended to the sha256, the portion to the left
> of the colon will be used as a salt and the password will be appended
> to the salt before the sha256 is computed and compared.
>
> Signed-off-by: Joel Peshkin <joel.peshkin at broadcom.com>
> Cc: Simon Glass <sjg at chromium.org>
> Cc: Bin Meng <bmeng.cn at gmail.com>
> Cc: Patrick Delaunay <patrick.delaunay at st.com>
> Cc: Heiko Schocher <hs at denx.de>
> Cc: trini at konsulko.com
> Cc: Heinrich Schuchardt <xypron.glpk at gmx.de>
> Cc: Joel Peshkin <joel.peshkin at broadcom.com>
> To: u-boot at lists.denx.de
>
> ---
> Changes for v2:
>    - Increase MAX_DELAY_STOP_STR
>    - Check salt size against MAX_DELAY_STOP_STR before copying
>    - Minor cleanup
> ---
>  common/Kconfig.boot |  5 ++++-
>  common/autoboot.c   | 12 ++++++++++--
>  2 files changed, 14 insertions(+), 3 deletions(-)

Reviewed-by: Simon Glass <sjg at chromium.org>

Please see below

>
> diff --git a/common/Kconfig.boot b/common/Kconfig.boot
> index 3f6d9c1..8a98672 100644
> --- a/common/Kconfig.boot
> +++ b/common/Kconfig.boot
> @@ -819,7 +819,10 @@ config AUTOBOOT_STOP_STR_SHA256
>           This option adds the feature to only stop the autobooting,
>           and therefore boot into the U-Boot prompt, when the input
>           string / password matches a values that is encypted via
> -         a SHA256 hash and saved in the environment.
> +         a SHA256 hash and saved in the environment variable
> +         "bootstopkeysha256". If the value in that variable
> +         includes a ":", the portion prior to the ":" will be treated
> +         as a salt value.
>
>  config AUTOBOOT_USE_MENUKEY
>         bool "Allow a specify key to run a menu from the environment"
> diff --git a/common/autoboot.c b/common/autoboot.c
> index e628baf..982b561 100644
> --- a/common/autoboot.c
> +++ b/common/autoboot.c
> @@ -25,7 +25,7 @@
>
>  DECLARE_GLOBAL_DATA_PTR;
>
> -#define MAX_DELAY_STOP_STR 32
> +#define MAX_DELAY_STOP_STR 64
>
>  #ifndef DEBUG_BOOTKEYS
>  #define DEBUG_BOOTKEYS 0
> @@ -80,6 +80,7 @@ static int passwd_abort_sha256(uint64_t etime)
>         u8 sha_env[SHA256_SUM_LEN];
>         u8 *sha;
>         char *presskey;
> +       char *c;
>         const char *algo_name = "sha256";
>         u_int presskey_len = 0;
>         int abort = 0;
> @@ -89,6 +90,14 @@ static int passwd_abort_sha256(uint64_t etime)
>         if (sha_env_str == NULL)
>                 sha_env_str = AUTOBOOT_STOP_STR_SHA256;
>
> +       presskey = malloc_cache_aligned(MAX_DELAY_STOP_STR);
> +       c = strstr(sha_env_str, ":");
> +       if ((c) && (c - sha_env_str < MAX_DELAY_STOP_STR)) {

Use c instead of (c)


> +               /* preload presskey with salt */
> +               memcpy(presskey, sha_env_str, c - sha_env_str);
> +               presskey_len = c - sha_env_str;
> +               sha_env_str = c + 1;
> +       }
>         /*
>          * Generate the binary value from the environment hash value
>          * so that we can compare this value with the computed hash
> @@ -100,7 +109,6 @@ static int passwd_abort_sha256(uint64_t etime)
>                 return 0;
>         }
>
> -       presskey = malloc_cache_aligned(MAX_DELAY_STOP_STR);
>         sha = malloc_cache_aligned(SHA256_SUM_LEN);
>         size = SHA256_SUM_LEN;
>         /*
> --
> 1.8.3.1
>