From 1a16e66e6543dbe8a78f7762b3bb13444eab8ab2 Mon Sep 17 00:00:00 2001 From: Mark Kettenis Date: Thu, 5 May 2022 16:42:23 +0200 Subject: [PATCH 1/8] Makefile: Avoid non-portable GNU sed extension Use [:space:] instead of \s and \S in regular expression that determines the sandbox target architecture. Fixes the build failure on OpenBSD introduced with commit 4e65ca00f3a3 ("efi_loader: bootmgr: add booting from removable media"). Fixes: f7691a6d736b ("sandbox: allow cross-compiling sandbox") Signed-off-by: Mark Kettenis Reviewed-by: Heinrich Schuchardt --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ea80f00716d..6eceeb35b46 100644 --- a/Makefile +++ b/Makefile @@ -21,7 +21,7 @@ include include/host_arch.h ifeq ("", "$(CROSS_COMPILE)") MK_ARCH="${shell uname -m}" else - MK_ARCH="${shell echo $(CROSS_COMPILE) | sed -n 's/^\s*\([^\/]*\/\)*\([^-]*\)-\S*/\2/p'}" + MK_ARCH="${shell echo $(CROSS_COMPILE) | sed -n 's/^[[:space:]]*\([^\/]*\/\)*\([^-]*\)-[^[:space:]]*/\2/p'}" endif unexport HOST_ARCH ifeq ("x86_64", $(MK_ARCH)) From ecd4e5cf18b183b4b4679b2c1ce96df605b81746 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sat, 7 May 2022 22:58:39 +0200 Subject: [PATCH 2/8] Makefile: support CROSS_COMPILE=armv7a-* Gentoo uses armv7a-hardfloat-linux-gnueabi- as cross compiler prefix. Signed-off-by: Heinrich Schuchardt --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 6eceeb35b46..00caaaf3250 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,7 @@ else ifneq (,$(findstring $(MK_ARCH), "i386" "i486" "i586" "i686")) export HOST_ARCH=$(HOST_ARCH_X86) else ifneq (,$(findstring $(MK_ARCH), "aarch64" "armv8l")) export HOST_ARCH=$(HOST_ARCH_AARCH64) -else ifneq (,$(findstring $(MK_ARCH), "arm" "armv7" "armv7l")) +else ifneq (,$(findstring $(MK_ARCH), "arm" "armv7" "armv7a" "armv7l")) export HOST_ARCH=$(HOST_ARCH_ARM) else ifeq ("riscv32", $(MK_ARCH)) export HOST_ARCH=$(HOST_ARCH_RISCV32) From deb2638aa09e23e0ca263a77bde2079dc4bd48df Mon Sep 17 00:00:00 2001 From: Sean Anderson Date: Fri, 8 Apr 2022 16:08:39 -0400 Subject: [PATCH 3/8] mkimage: Document misc options Over the years, several options have not made it into the help message. Document them. Do the same for the man page. Signed-off-by: Sean Anderson --- doc/mkimage.1 | 36 +++++++++++++++++++++++++++++++++++- tools/mkimage.c | 15 +++++++++++---- 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 287006279f7..c92e1337326 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -53,6 +53,10 @@ Parse image file as type. Pass \-h as the image to see the list of supported image type. Without this option image type is autodetected. +.TP +.BI "\-q" +Quiet. Don't print the image header on successful verification. + .P .B Create old legacy image: @@ -91,6 +95,11 @@ List the contents of an image. .BI "\-n [" "image name" "]" Set image name to 'image name'. +.TP +.BI "\-R [" "secondary image name" "]" +Some image types support a second image for additional data. For these types, +use \-R to specify this second image. + .TP .BI "\-d [" "image data file" "]" Use image data from 'image data file'. @@ -99,6 +108,15 @@ Use image data from 'image data file'. .BI "\-x" Set XIP (execute in place) flag. +.TP +.BI "\-s" +Create an image with no data. The header will be created, but the image itself +will not contain data (such as U-Boot or any specified kernel). + +.TP +.BI "\-v" +Verbose. Print file names as they are added to the image. + .P .B Create FIT image: @@ -126,6 +144,11 @@ in each image will be replaced with 'data-offset' and 'data-size' properties. A 'data-offset' of 0 indicates that it starts in the first (4-byte aligned) byte after the FIT. +.TP +.BI "\-B [" "alignment" "]" +The alignment, in hexadecimal, that external data will be aligned to. This +option only has an effect when \-E is specified. + .TP .BI "\-f [" "image tree source file" " | " "auto" "]" Image tree source file that describes the structure and contents of the @@ -161,6 +184,11 @@ the corresponding public key is written into this file for for run-time verification. Typically the file here is the device tree binary used by CONFIG_OF_CONTROL in U-Boot. +.TP +.BI "\-G [" "key_file" "]" +Specifies the private key file to use when signing. This option may be used +instead of \-k. + .TP .BI "\-o [" "signing algorithm" "]" Specifies the algorithm to be used for signing a FIT image. The default is @@ -173,11 +201,17 @@ a 'data-offset' property defining the offset from the end of the FIT, \-p will use 'data-position' as the absolute position from the base of the FIT. .TP -.BI "\-r +.BI "\-r" Specifies that keys used to sign the FIT are required. This means that they must be verified for the image to boot. Without this option, the verification will be optional (useful for testing but not for release). +.TP +.BI "\-N [" "engine" "]" +The openssl engine to use when signing and verifying the image. For a complete list of +available engines, refer to +.BR engine (1). + .TP .BI "\-t Update the timestamp in the FIT. diff --git a/tools/mkimage.c b/tools/mkimage.c index be58e565463..5c6a60e8513 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -84,7 +84,8 @@ static void usage(const char *msg) fprintf(stderr, "Error: %s\n", msg); fprintf(stderr, "Usage: %s [-T type] -l image\n" " -l ==> list image header information\n" - " -T ==> parse image file as 'type'\n", + " -T ==> parse image file as 'type'\n" + " -q ==> quiet\n", params.cmdname); fprintf(stderr, " %s [-x] -A arch -O os -T type -C comp -a addr -e ep -n name -d data_file[:data_file...] image\n" @@ -95,8 +96,11 @@ static void usage(const char *msg) " -a ==> set load address to 'addr' (hex)\n" " -e ==> set entry point to 'ep' (hex)\n" " -n ==> set image name to 'name'\n" + " -R ==> set second image name to 'name'\n" " -d ==> use image data from 'datafile'\n" - " -x ==> set XIP (execute in place)\n", + " -x ==> set XIP (execute in place)\n" + " -s ==> create an image with no data\n" + " -v ==> verbose\n", params.cmdname); fprintf(stderr, " %s [-D dtc_options] [-f fit-image.its|-f auto|-F] [-b [-b ]] [-E] [-B size] [-i ] fit-image\n" @@ -107,7 +111,9 @@ static void usage(const char *msg) " -f => input filename for FIT source\n" " -i => input filename for ramdisk file\n" " -E => place data outside of the FIT structure\n" - " -B => align size in hex for FIT structure and header\n"); + " -B => align size in hex for FIT structure and header\n" + " -b => append the device tree binary to the FIT\n" + " -t => update the timestamp in the FIT\n"); #ifdef CONFIG_FIT_SIGNATURE fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c ] [-p addr] [-r] [-N engine]\n" @@ -118,7 +124,8 @@ static void usage(const char *msg) " -F => re-sign existing FIT image\n" " -p => place external data at a static position\n" " -r => mark keys used as 'required' in dtb\n" - " -N => openssl engine to use for signing\n"); + " -N => openssl engine to use for signing\n" + " -o => algorithm to use for signing\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); From e927e21c07483337ffb63b828d4ddb5e0db342b2 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 6 May 2022 13:28:52 +0200 Subject: [PATCH 4/8] tools: mkimage: set OPENSSL_API_COMPAT MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Building with OpenSSL 3.0 produces warnings like: ../tools/sunxi_toc0.c:846:17: warning: ‘RSA_get0_d’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 846 | if (root_key && RSA_get0_d(root_key)) { | ^~ As OpenSSL 3.0 is not available in elder Linux distributions just silence the warning. Add missing #include . Fixes: e9e87ec47c75 ("tools: mkimage: Add Allwinner TOC0 support") Signed-off-by: Heinrich Schuchardt Tested-by: Andre Przywara --- tools/sunxi_toc0.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/sunxi_toc0.c b/tools/sunxi_toc0.c index 58a6e7a0a10..bab5d17b7de 100644 --- a/tools/sunxi_toc0.c +++ b/tools/sunxi_toc0.c @@ -4,6 +4,8 @@ * (C) Copyright 2020-2021 Samuel Holland */ +#define OPENSSL_API_COMPAT 0x10101000L + #include #include #include @@ -11,6 +13,7 @@ #include #include +#include #include #include From 6ae494831d13e96e5bc82b70c8061f5771219c3c Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Wed, 27 Apr 2022 07:47:15 +0200 Subject: [PATCH 5/8] efi_loader: Select EVENT as well Fixes WARNING: unmet direct dependencies detected for EVENT_DYNAMIC Depends on [n]: EVENT [=n] Selected by [y]: - EFI_LOADER [=y] && OF_LIBFDT [=y] && ... and the succeeding build breakage. Signed-off-by: Jan Kiszka Reviewed-by: Heinrich Schuchardt --- lib/efi_loader/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index eb2d6fddc4f..e2a1a5a69a2 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -16,6 +16,7 @@ config EFI_LOADER default y if !ARM || SYS_CPU = armv7 || SYS_CPU = armv8 select CHARSET select DM_EVENT + select EVENT select EVENT_DYNAMIC select LIB_UUID imply PARTITION_UUIDS From 3ae6cf5400ee004c309f73f358c1043cf6d8eecc Mon Sep 17 00:00:00 2001 From: Masahisa Kojima Date: Thu, 28 Apr 2022 17:09:45 +0900 Subject: [PATCH 6/8] bootmenu: factor out the user input handling This commit moves the user input handling from cmd/bootmenu.c to common/menu.c to reuse it from other modules. Signed-off-by: Masahisa Kojima Reviewed-by: Heinrich Schuchardt --- cmd/bootmenu.c | 141 ------------------------------------------------- common/menu.c | 128 ++++++++++++++++++++++++++++++++++++++++++++ include/menu.h | 20 +++++++ 3 files changed, 148 insertions(+), 141 deletions(-) diff --git a/cmd/bootmenu.c b/cmd/bootmenu.c index ac857672466..8859eebea50 100644 --- a/cmd/bootmenu.c +++ b/cmd/bootmenu.c @@ -51,21 +51,6 @@ struct bootmenu_entry { struct bootmenu_entry *next; /* next menu entry (num+1) */ }; -struct bootmenu_data { - int delay; /* delay for autoboot */ - int active; /* active menu entry */ - int count; /* total count of menu entries */ - struct bootmenu_entry *first; /* first menu entry */ -}; - -enum bootmenu_key { - KEY_NONE = 0, - KEY_UP, - KEY_DOWN, - KEY_SELECT, - KEY_QUIT, -}; - static char *bootmenu_getoption(unsigned short int n) { char name[MAX_ENV_SIZE]; @@ -97,132 +82,6 @@ static void bootmenu_print_entry(void *data) puts(ANSI_COLOR_RESET); } -static void bootmenu_autoboot_loop(struct bootmenu_data *menu, - enum bootmenu_key *key, int *esc) -{ - int i, c; - - while (menu->delay > 0) { - printf(ANSI_CURSOR_POSITION, menu->count + 5, 3); - printf("Hit any key to stop autoboot: %d ", menu->delay); - for (i = 0; i < 100; ++i) { - if (!tstc()) { - WATCHDOG_RESET(); - mdelay(10); - continue; - } - - menu->delay = -1; - c = getchar(); - - switch (c) { - case '\e': - *esc = 1; - *key = KEY_NONE; - break; - case '\r': - *key = KEY_SELECT; - break; - case 0x3: /* ^C */ - *key = KEY_QUIT; - break; - default: - *key = KEY_NONE; - break; - } - - break; - } - - if (menu->delay < 0) - break; - - --menu->delay; - } - - printf(ANSI_CURSOR_POSITION, menu->count + 5, 1); - puts(ANSI_CLEAR_LINE); - - if (menu->delay == 0) - *key = KEY_SELECT; -} - -static void bootmenu_loop(struct bootmenu_data *menu, - enum bootmenu_key *key, int *esc) -{ - int c; - - if (*esc == 1) { - if (tstc()) { - c = getchar(); - } else { - WATCHDOG_RESET(); - mdelay(10); - if (tstc()) - c = getchar(); - else - c = '\e'; - } - } else { - while (!tstc()) { - WATCHDOG_RESET(); - mdelay(10); - } - c = getchar(); - } - - switch (*esc) { - case 0: - /* First char of ANSI escape sequence '\e' */ - if (c == '\e') { - *esc = 1; - *key = KEY_NONE; - } - break; - case 1: - /* Second char of ANSI '[' */ - if (c == '[') { - *esc = 2; - *key = KEY_NONE; - } else { - /* Alone ESC key was pressed */ - *key = KEY_QUIT; - *esc = (c == '\e') ? 1 : 0; - } - break; - case 2: - case 3: - /* Third char of ANSI (number '1') - optional */ - if (*esc == 2 && c == '1') { - *esc = 3; - *key = KEY_NONE; - break; - } - - *esc = 0; - - /* ANSI 'A' - key up was pressed */ - if (c == 'A') - *key = KEY_UP; - /* ANSI 'B' - key down was pressed */ - else if (c == 'B') - *key = KEY_DOWN; - /* other key was pressed */ - else - *key = KEY_NONE; - - break; - } - - /* enter key was pressed */ - if (c == '\r') - *key = KEY_SELECT; - - /* ^C was pressed */ - if (c == 0x3) - *key = KEY_QUIT; -} - static char *bootmenu_choice_entry(void *data) { struct bootmenu_data *menu = data; diff --git a/common/menu.c b/common/menu.c index f5fc6930a2c..3e876b55b34 100644 --- a/common/menu.c +++ b/common/menu.c @@ -4,11 +4,14 @@ * Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved. */ +#include #include #include #include #include +#include #include +#include #include "menu.h" @@ -421,3 +424,128 @@ int menu_destroy(struct menu *m) return 1; } + +void bootmenu_autoboot_loop(struct bootmenu_data *menu, + enum bootmenu_key *key, int *esc) +{ + int i, c; + + while (menu->delay > 0) { + printf(ANSI_CURSOR_POSITION, menu->count + 5, 3); + printf("Hit any key to stop autoboot: %d ", menu->delay); + for (i = 0; i < 100; ++i) { + if (!tstc()) { + WATCHDOG_RESET(); + mdelay(10); + continue; + } + + menu->delay = -1; + c = getchar(); + + switch (c) { + case '\e': + *esc = 1; + *key = KEY_NONE; + break; + case '\r': + *key = KEY_SELECT; + break; + case 0x3: /* ^C */ + *key = KEY_QUIT; + break; + default: + *key = KEY_NONE; + break; + } + + break; + } + + if (menu->delay < 0) + break; + + --menu->delay; + } + + printf(ANSI_CURSOR_POSITION ANSI_CLEAR_LINE, menu->count + 5, 1); + + if (menu->delay == 0) + *key = KEY_SELECT; +} + +void bootmenu_loop(struct bootmenu_data *menu, + enum bootmenu_key *key, int *esc) +{ + int c; + + if (*esc == 1) { + if (tstc()) { + c = getchar(); + } else { + WATCHDOG_RESET(); + mdelay(10); + if (tstc()) + c = getchar(); + else + c = '\e'; + } + } else { + while (!tstc()) { + WATCHDOG_RESET(); + mdelay(10); + } + c = getchar(); + } + + switch (*esc) { + case 0: + /* First char of ANSI escape sequence '\e' */ + if (c == '\e') { + *esc = 1; + *key = KEY_NONE; + } + break; + case 1: + /* Second char of ANSI '[' */ + if (c == '[') { + *esc = 2; + *key = KEY_NONE; + } else { + /* Alone ESC key was pressed */ + *key = KEY_QUIT; + *esc = (c == '\e') ? 1 : 0; + } + break; + case 2: + case 3: + /* Third char of ANSI (number '1') - optional */ + if (*esc == 2 && c == '1') { + *esc = 3; + *key = KEY_NONE; + break; + } + + *esc = 0; + + /* ANSI 'A' - key up was pressed */ + if (c == 'A') + *key = KEY_UP; + /* ANSI 'B' - key down was pressed */ + else if (c == 'B') + *key = KEY_DOWN; + /* other key was pressed */ + else + *key = KEY_NONE; + + break; + } + + /* enter key was pressed */ + if (c == '\r') + *key = KEY_SELECT; + + /* ^C was pressed */ + if (c == 0x3) + *key = KEY_QUIT; +} diff --git a/include/menu.h b/include/menu.h index ad5859437ea..e74616cae87 100644 --- a/include/menu.h +++ b/include/menu.h @@ -35,4 +35,24 @@ int menu_default_choice(struct menu *m, void **choice); */ int menu_show(int bootdelay); +struct bootmenu_data { + int delay; /* delay for autoboot */ + int active; /* active menu entry */ + int count; /* total count of menu entries */ + struct bootmenu_entry *first; /* first menu entry */ +}; + +enum bootmenu_key { + KEY_NONE = 0, + KEY_UP, + KEY_DOWN, + KEY_SELECT, + KEY_QUIT, +}; + +void bootmenu_autoboot_loop(struct bootmenu_data *menu, + enum bootmenu_key *key, int *esc); +void bootmenu_loop(struct bootmenu_data *menu, + enum bootmenu_key *key, int *esc); + #endif /* __MENU_H__ */ From b436cc6a57cae017343a549f4b701e748d7e6448 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Fri, 6 May 2022 15:36:00 +0300 Subject: [PATCH 7/8] efi_loader: add sha384/512 on certificate revocation Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover if we come across such a hash we skip the check and approve the image, although the image might needs to be rejected. Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha348/512 support there as well Signed-off-by: Ilias Apalodimas --- include/efi_api.h | 6 +++ include/efi_loader.h | 6 +++ lib/efi_loader/efi_helper.c | 66 +++++++++++++++++++++++++++++ lib/efi_loader/efi_signature.c | 76 ++++++++++++++++++++++++---------- 4 files changed, 131 insertions(+), 23 deletions(-) diff --git a/include/efi_api.h b/include/efi_api.h index c7f7873b5d4..83c01085fde 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1873,6 +1873,12 @@ struct efi_system_resource_table { #define EFI_CERT_X509_SHA256_GUID \ EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \ 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed) +#define EFI_CERT_X509_SHA384_GUID \ + EFI_GUID(0x7076876e, 0x80c2, 0x4ee6, \ + 0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b) +#define EFI_CERT_X509_SHA512_GUID \ + EFI_GUID(0x446dbf63, 0x2502, 0x4cda, \ + 0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d) #define EFI_CERT_TYPE_PKCS7_GUID \ EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) diff --git a/include/efi_loader.h b/include/efi_loader.h index effb43369d9..733ee03cd77 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -300,6 +300,8 @@ extern const efi_guid_t efi_guid_image_security_database; extern const efi_guid_t efi_guid_sha256; extern const efi_guid_t efi_guid_cert_x509; extern const efi_guid_t efi_guid_cert_x509_sha256; +extern const efi_guid_t efi_guid_cert_x509_sha384; +extern const efi_guid_t efi_guid_cert_x509_sha512; extern const efi_guid_t efi_guid_cert_type_pkcs7; /* GUID of RNG protocol */ @@ -677,6 +679,10 @@ efi_status_t efi_file_size(struct efi_file_handle *fh, efi_uintn_t *size); /* get a device path from a Boot#### option */ struct efi_device_path *efi_get_dp_from_boot(const efi_guid_t guid); +/* get len, string (used in u-boot crypto from a guid */ +const char *guid_to_sha_str(const efi_guid_t *guid); +int algo_to_len(const char *algo); + /** * efi_size_in_pages() - convert size in bytes to size in pages * diff --git a/lib/efi_loader/efi_helper.c b/lib/efi_loader/efi_helper.c index 802d39ed97b..c4499f65eeb 100644 --- a/lib/efi_loader/efi_helper.c +++ b/lib/efi_loader/efi_helper.c @@ -92,3 +92,69 @@ err: free(var_value); return NULL; } + +const struct guid_to_hash_map { + efi_guid_t guid; + const char algo[32]; + u32 bits; +} guid_to_hash[] = { + { + EFI_CERT_X509_SHA256_GUID, + "sha256", + SHA256_SUM_LEN * 8, + }, + { + EFI_CERT_SHA256_GUID, + "sha256", + SHA256_SUM_LEN * 8, + }, + { + EFI_CERT_X509_SHA384_GUID, + "sha384", + SHA384_SUM_LEN * 8, + }, + { + EFI_CERT_X509_SHA512_GUID, + "sha512", + SHA512_SUM_LEN * 8, + }, +}; + +#define MAX_GUID_TO_HASH_COUNT ARRAY_SIZE(guid_to_hash) + +/** guid_to_sha_str - return the sha string e.g "sha256" for a given guid + * used on EFI security databases + * + * @guid: guid to check + * + * Return: len or 0 if no match is found + */ +const char *guid_to_sha_str(const efi_guid_t *guid) +{ + size_t i; + + for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) { + if (!guidcmp(guid, &guid_to_hash[i].guid)) + return guid_to_hash[i].algo; + } + + return NULL; +} + +/** algo_to_len - return the sha size in bytes for a given string + * + * @algo: string indicating hashing algorithm to check + * + * Return: length of hash in bytes or 0 if no match is found + */ +int algo_to_len(const char *algo) +{ + size_t i; + + for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) { + if (!strcmp(algo, guid_to_hash[i].algo)) + return guid_to_hash[i].bits / 8; + } + + return 0; +} diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79ed077ae7d..ddac751d128 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -24,6 +24,8 @@ const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; +const efi_guid_t efi_guid_cert_x509_sha384 = EFI_CERT_X509_SHA384_GUID; +const efi_guid_t efi_guid_cert_x509_sha512 = EFI_CERT_X509_SHA512_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; static u8 pkcs7_hdr[] = { @@ -124,23 +126,35 @@ struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, * Return: true on success, false on error */ static bool efi_hash_regions(struct image_region *regs, int count, - void **hash, size_t *size) + void **hash, const char *hash_algo, int *len) { + int ret, hash_len; + + if (!hash_algo) + return false; + + hash_len = algo_to_len(hash_algo); + if (!hash_len) + return false; + if (!*hash) { - *hash = calloc(1, SHA256_SUM_LEN); + *hash = calloc(1, hash_len); if (!*hash) { EFI_PRINT("Out of memory\n"); return false; } } - if (size) - *size = SHA256_SUM_LEN; - hash_calculate("sha256", regs, count, *hash); + ret = hash_calculate(hash_algo, regs, count, *hash); + if (ret) + return false; + + if (len) + *len = hash_len; #ifdef DEBUG EFI_PRINT("hash calculated:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - *hash, SHA256_SUM_LEN, false); + *hash, hash_len, false); #endif return true; @@ -190,7 +204,6 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, struct efi_signature_store *siglist; struct efi_sig_data *sig_data; void *hash = NULL; - size_t size = 0; bool found = false; bool hash_done = false; @@ -200,6 +213,8 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, goto out; for (siglist = db; siglist; siglist = siglist->next) { + int len = 0; + const char *hash_algo = NULL; /* * if the hash algorithm is unsupported and we get an entry in * dbx reject the image @@ -215,8 +230,14 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) continue; + hash_algo = guid_to_sha_str(&efi_guid_sha256); + /* + * We could check size and hash_algo but efi_hash_regions() + * will do that for us + */ if (!hash_done && - !efi_hash_regions(regs->reg, regs->num, &hash, &size)) { + !efi_hash_regions(regs->reg, regs->num, &hash, hash_algo, + &len)) { EFI_PRINT("Digesting an image failed\n"); break; } @@ -229,8 +250,8 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, sig_data->data, sig_data->size, false); #endif - if (sig_data->size == size && - !memcmp(sig_data->data, hash, size)) { + if (sig_data->size == len && + !memcmp(sig_data->data, hash, len)) { found = true; free(hash); goto out; @@ -263,8 +284,9 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL, *hash_tmp = NULL; - size_t size = 0; + int len = 0; bool found = false; + const char *hash_algo = NULL; EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db); @@ -278,7 +300,10 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + + /* We just need any sha256 algo to start the matching */ + hash_algo = guid_to_sha_str(&efi_guid_sha256); + if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) goto out; EFI_PRINT("%s: searching for %s\n", __func__, cert->subject); @@ -300,12 +325,13 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, cert_tmp->subject); reg[0].data = cert_tmp->tbs; reg[0].size = cert_tmp->tbs_size; - if (!efi_hash_regions(reg, 1, &hash_tmp, NULL)) + if (!efi_hash_regions(reg, 1, &hash_tmp, hash_algo, + NULL)) goto out; x509_free_certificate(cert_tmp); - if (!memcmp(hash, hash_tmp, size)) { + if (!memcmp(hash, hash_tmp, len)) { found = true; goto out; } @@ -400,9 +426,10 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL; - size_t size = 0; + int len = 0; time64_t revoc_time; bool revoked = false; + const char *hash_algo = NULL; EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx); @@ -411,13 +438,14 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, EFI_PRINT("Checking revocation against %s\n", cert->subject); for (siglist = dbx; siglist; siglist = siglist->next) { - if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) + hash_algo = guid_to_sha_str(&siglist->sig_type); + if (!hash_algo) continue; /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) goto out; for (sig_data = siglist->sig_data_list; sig_data; @@ -429,18 +457,18 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, * }; */ #ifdef DEBUG - if (sig_data->size >= size) { + if (sig_data->size >= len) { EFI_PRINT("hash in db:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - sig_data->data, size, false); + sig_data->data, len, false); } #endif - if ((sig_data->size < size + sizeof(time64_t)) || - memcmp(sig_data->data, hash, size)) + if ((sig_data->size < len + sizeof(time64_t)) || + memcmp(sig_data->data, hash, len)) continue; - memcpy(&revoc_time, sig_data->data + size, + memcpy(&revoc_time, sig_data->data + len, sizeof(revoc_time)); EFI_PRINT("revocation time: 0x%llx\n", revoc_time); /* @@ -500,7 +528,9 @@ bool efi_signature_verify(struct efi_image_regions *regs, */ if (!msg->data && !efi_hash_regions(regs->reg, regs->num, - (void **)&sinfo->sig->digest, NULL)) { + (void **)&sinfo->sig->digest, + guid_to_sha_str(&efi_guid_sha256), + NULL)) { EFI_PRINT("Digesting an image failed\n"); goto out; } From 4b494770577cc61c3c1a4b57ced2fc98d87957dc Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Fri, 6 May 2022 15:36:01 +0300 Subject: [PATCH 8/8] test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas --- test/py/tests/test_efi_secboot/conftest.py | 6 +++ test/py/tests/test_efi_secboot/test_signed.py | 51 +++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003..8a53dabe541 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d4..30b3fa4e701 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -283,3 +283,54 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth7(self, u_boot_console, efi_boot_env): + """ + Test Case 7 - Reject images based on the sha384/512 of their x509 cert + """ + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 7a'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 7b'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)