mirror of
https://github.com/u-boot/u-boot.git
synced 2024-11-25 21:24:21 +08:00
Pull request for UEFI sub-system for efi-2020-10-rc3 (2)
This series includes bug fixes for: * UEFI secure boot - images with multiple signatures * UEFI secure boot - support for intermediate certificates * corrections for UEFI unit tests * missing loadaddr on MAIX board -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl82zyEACgkQxIHbvCwF GsR8GQ/9FzCCfmhu2VhVI1cUKIT2B/FhAXbADAAhmBFk1SezhnKrsWUFFUbHeD+v c0+QKBldIARxpD40M68FNP7QVA35iaU2+Z5jBQ7r5ZUuTuZkxeFavtHRXlSCL02R rmdsKTtwPTRgve3IxEFJcxc4jpvAhNH+QLveK+PA+gUGjd2UoYWoGknJ4n8oe2rG uDX4em8Sy1LXrkJLCf5Ae8+M3FBOtsBAFif1tX5cWnH5kP3DbL9A5A5JHxlVJEQi SBC8NuJW+At89VlckEGpREt8itFMicdbLT/dSKDU3kh+l/h6zTbd9fGmoKLKXDdw O/qwC2kwsKg/jrfZwYOTzUIpRt3jhe+CwrEajVJY12jIQzAW4kvj2mo9AeBEydHO umFfbExGH8zwZgynrhhbjHdNxcGBahUGLoKLCkJI51I7EwCMCrN5rtUpUzxVybTE VJKyTqlyUSIZGU4AsQT3KflLGRGU/HNS2ariQWjEbKWcCC03Q7dXH1RQMUxTlqL3 Owhqv/NI07WIvQZD3oWPkn3Z8tiQMzF370qO2gb/AwM7U0P3ggkcUxAs7mCIj5x6 81PP65di4+zRzCyU1IHCILem7LHxGR6drGatbHspGBYAJrPduyM2cYAa0eXUOCvX Hz1GURhlVGwBdBAwaZ+g13/NtisrkRBQQYZO8jiEBqhnWoc3514= =0ZD1 -----END PGP SIGNATURE----- Merge tag 'efi-2020-10-rc3-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi Pull request for UEFI sub-system for efi-2020-10-rc3 (2) This series includes bug fixes for: * UEFI secure boot - images with multiple signatures * UEFI secure boot - support for intermediate certificates * corrections for UEFI unit tests * missing loadaddr on MAIX board
This commit is contained in:
commit
789bfb5266
@ -1126,7 +1126,7 @@ static int do_efi_test_bootmgr(struct cmd_tbl *cmdtp, int flag,
|
||||
efi_uintn_t exit_data_size = 0;
|
||||
u16 *exit_data = NULL;
|
||||
efi_status_t ret;
|
||||
void *load_options;
|
||||
void *load_options = NULL;
|
||||
|
||||
ret = efi_bootmgr_load(&image, &load_options);
|
||||
printf("efi_bootmgr_load() returned: %ld\n", ret & ~EFI_ERROR_MASK);
|
||||
|
@ -21,4 +21,13 @@
|
||||
/* For early init */
|
||||
#define K210_SYSCTL_BASE 0x50440000
|
||||
|
||||
#ifndef CONFIG_EXTRA_ENV_SETTINGS
|
||||
#define CONFIG_EXTRA_ENV_SETTINGS \
|
||||
"loadaddr=0x80060000\0" \
|
||||
"fdt_addr_r=0x80028000\0" \
|
||||
"scriptaddr=0x80020000\0" \
|
||||
"kernel_addr_r=0x80060000\0" \
|
||||
"fdtfile=kendryte/" CONFIG_DEFAULT_DEVICE_TREE ".dtb\0"
|
||||
#endif
|
||||
|
||||
#endif /* CONFIGS_SIPEED_MAIX_H */
|
||||
|
@ -773,13 +773,16 @@ struct pkcs7_message;
|
||||
|
||||
bool efi_signature_lookup_digest(struct efi_image_regions *regs,
|
||||
struct efi_signature_store *db);
|
||||
bool efi_signature_verify_one(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db);
|
||||
bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db,
|
||||
struct efi_signature_store *dbx);
|
||||
bool efi_signature_verify(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db,
|
||||
struct efi_signature_store *dbx);
|
||||
static inline bool efi_signature_verify_one(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db)
|
||||
{
|
||||
return efi_signature_verify(regs, msg, db, NULL);
|
||||
}
|
||||
bool efi_signature_check_signers(struct pkcs7_message *msg,
|
||||
struct efi_signature_store *dbx);
|
||||
|
||||
|
@ -205,6 +205,7 @@ config EFI_SECURE_BOOT
|
||||
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
||||
select X509_CERTIFICATE_PARSER
|
||||
select PKCS7_MESSAGE_PARSER
|
||||
select PKCS7_VERIFY
|
||||
default n
|
||||
help
|
||||
Select this option to enable EFI secure boot support.
|
||||
|
@ -546,6 +546,11 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (efi_signature_lookup_digest(regs, dbx)) {
|
||||
EFI_PRINT("Image's digest was found in \"dbx\"\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* go through WIN_CERTIFICATE list
|
||||
* NOTE:
|
||||
@ -553,10 +558,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
|
||||
* in PE header, or as pkcs7 SignerInfo's in SignedData.
|
||||
* So the verification policy here is:
|
||||
* - Success if, at least, one of signatures is verified
|
||||
* - unless
|
||||
* any of signatures is rejected explicitly, or
|
||||
* none of digest algorithms are supported
|
||||
* - unless signature is rejected explicitly with its digest.
|
||||
*/
|
||||
|
||||
for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
|
||||
(u8 *)wincert < wincerts_end;
|
||||
wincert = (WIN_CERTIFICATE *)
|
||||
@ -627,32 +631,29 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
|
||||
/* try black-list first */
|
||||
if (efi_signature_verify_one(regs, msg, dbx)) {
|
||||
EFI_PRINT("Signature was rejected by \"dbx\"\n");
|
||||
goto err;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!efi_signature_check_signers(msg, dbx)) {
|
||||
EFI_PRINT("Signer(s) in \"dbx\"\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (efi_signature_lookup_digest(regs, dbx)) {
|
||||
EFI_PRINT("Image's digest was found in \"dbx\"\n");
|
||||
goto err;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* try white-list */
|
||||
if (efi_signature_verify_with_sigdb(regs, msg, db, dbx))
|
||||
continue;
|
||||
if (efi_signature_verify(regs, msg, db, dbx)) {
|
||||
ret = true;
|
||||
break;
|
||||
}
|
||||
|
||||
debug("Signature was not verified by \"db\"\n");
|
||||
|
||||
if (efi_signature_lookup_digest(regs, db))
|
||||
continue;
|
||||
if (efi_signature_lookup_digest(regs, db)) {
|
||||
ret = true;
|
||||
break;
|
||||
}
|
||||
|
||||
debug("Image's digest was not found in \"db\" or \"dbx\"\n");
|
||||
goto err;
|
||||
}
|
||||
ret = true;
|
||||
|
||||
err:
|
||||
efi_sigstore_free(db);
|
||||
|
@ -10,7 +10,9 @@
|
||||
#include <image.h>
|
||||
#include <hexdump.h>
|
||||
#include <malloc.h>
|
||||
#include <crypto/pkcs7.h>
|
||||
#include <crypto/pkcs7_parser.h>
|
||||
#include <crypto/public_key.h>
|
||||
#include <linux/compat.h>
|
||||
#include <linux/oid_registry.h>
|
||||
#include <u-boot/rsa.h>
|
||||
@ -60,143 +62,6 @@ static bool efi_hash_regions(struct image_region *regs, int count,
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_hash_msg_content - calculate a hash value of contentInfo
|
||||
* @msg: Signature
|
||||
* @hash: Pointer to a pointer to buffer holding a hash value
|
||||
* @size: Size of buffer to be returned
|
||||
*
|
||||
* Calculate a sha256 value of contentInfo in @msg and return a value in @hash.
|
||||
*
|
||||
* Return: true on success, false on error
|
||||
*/
|
||||
static bool efi_hash_msg_content(struct pkcs7_message *msg, void **hash,
|
||||
size_t *size)
|
||||
{
|
||||
struct image_region regtmp;
|
||||
|
||||
regtmp.data = msg->data;
|
||||
regtmp.size = msg->data_len;
|
||||
|
||||
return efi_hash_regions(®tmp, 1, hash, size);
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_signature_verify - verify a signature with a certificate
|
||||
* @regs: List of regions to be authenticated
|
||||
* @signed_info: Pointer to PKCS7's signed_info
|
||||
* @cert: x509 certificate
|
||||
*
|
||||
* Signature pointed to by @signed_info against image pointed to by @regs
|
||||
* is verified by a certificate pointed to by @cert.
|
||||
* @signed_info holds a signature, including a message digest which is to be
|
||||
* compared with a hash value calculated from @regs.
|
||||
*
|
||||
* Return: true if signature is verified, false if not
|
||||
*/
|
||||
static bool efi_signature_verify(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct pkcs7_signed_info *ps_info,
|
||||
struct x509_certificate *cert)
|
||||
{
|
||||
struct image_sign_info info;
|
||||
struct image_region regtmp[2];
|
||||
void *hash;
|
||||
size_t size;
|
||||
char c;
|
||||
bool verified;
|
||||
|
||||
EFI_PRINT("%s: Enter, %p, %p, %p(issuer: %s, subject: %s)\n", __func__,
|
||||
regs, ps_info, cert, cert->issuer, cert->subject);
|
||||
|
||||
verified = false;
|
||||
|
||||
memset(&info, '\0', sizeof(info));
|
||||
info.padding = image_get_padding_algo("pkcs-1.5");
|
||||
/*
|
||||
* Note: image_get_[checksum|crypto]_algo takes an string
|
||||
* argument like "<checksum>,<crypto>"
|
||||
* TODO: support other hash algorithms
|
||||
*/
|
||||
if (!strcmp(ps_info->sig->hash_algo, "sha1")) {
|
||||
info.checksum = image_get_checksum_algo("sha1,rsa2048");
|
||||
info.name = "sha1,rsa2048";
|
||||
} else if (!strcmp(ps_info->sig->hash_algo, "sha256")) {
|
||||
info.checksum = image_get_checksum_algo("sha256,rsa2048");
|
||||
info.name = "sha256,rsa2048";
|
||||
} else {
|
||||
EFI_PRINT("unknown msg digest algo: %s\n",
|
||||
ps_info->sig->hash_algo);
|
||||
goto out;
|
||||
}
|
||||
info.crypto = image_get_crypto_algo(info.name);
|
||||
|
||||
info.key = cert->pub->key;
|
||||
info.keylen = cert->pub->keylen;
|
||||
|
||||
/* verify signature */
|
||||
EFI_PRINT("%s: crypto: %s, signature len:%x\n", __func__,
|
||||
info.name, ps_info->sig->s_size);
|
||||
if (ps_info->aa_set & (1UL << sinfo_has_message_digest)) {
|
||||
EFI_PRINT("%s: RSA verify authentication attribute\n",
|
||||
__func__);
|
||||
/*
|
||||
* NOTE: This path will be executed only for
|
||||
* PE image authentication
|
||||
*/
|
||||
|
||||
/* check if hash matches digest first */
|
||||
EFI_PRINT("checking msg digest first, len:0x%x\n",
|
||||
ps_info->msgdigest_len);
|
||||
|
||||
#ifdef DEBUG
|
||||
EFI_PRINT("hash in database:\n");
|
||||
print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
|
||||
ps_info->msgdigest, ps_info->msgdigest_len,
|
||||
false);
|
||||
#endif
|
||||
/* against contentInfo first */
|
||||
hash = NULL;
|
||||
if ((msg->data && efi_hash_msg_content(msg, &hash, &size)) ||
|
||||
/* for signed image */
|
||||
efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
|
||||
/* for authenticated variable */
|
||||
if (ps_info->msgdigest_len != size ||
|
||||
memcmp(hash, ps_info->msgdigest, size)) {
|
||||
EFI_PRINT("Digest doesn't match\n");
|
||||
free(hash);
|
||||
goto out;
|
||||
}
|
||||
|
||||
free(hash);
|
||||
} else {
|
||||
EFI_PRINT("Digesting image failed\n");
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* against digest */
|
||||
c = 0x31;
|
||||
regtmp[0].data = &c;
|
||||
regtmp[0].size = 1;
|
||||
regtmp[1].data = ps_info->authattrs;
|
||||
regtmp[1].size = ps_info->authattrs_len;
|
||||
|
||||
if (!rsa_verify(&info, regtmp, 2,
|
||||
ps_info->sig->s, ps_info->sig->s_size))
|
||||
verified = true;
|
||||
} else {
|
||||
EFI_PRINT("%s: RSA verify content data\n", __func__);
|
||||
/* against all data */
|
||||
if (!rsa_verify(&info, regs->reg, regs->num,
|
||||
ps_info->sig->s, ps_info->sig->s_size))
|
||||
verified = true;
|
||||
}
|
||||
|
||||
out:
|
||||
EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
|
||||
return verified;
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_signature_lookup_digest - search for an image's digest in sigdb
|
||||
* @regs: List of regions to be authenticated
|
||||
@ -260,61 +125,129 @@ out:
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_signature_verify_with_list - verify a signature with signature list
|
||||
* @regs: List of regions to be authenticated
|
||||
* @msg: Signature
|
||||
* @signed_info: Pointer to PKCS7's signed_info
|
||||
* @siglist: Signature list for certificates
|
||||
* @valid_cert: x509 certificate that verifies this signature
|
||||
* efi_lookup_certificate - find a certificate within db
|
||||
* @msg: Signature
|
||||
* @db: Signature database
|
||||
*
|
||||
* Signature pointed to by @signed_info against image pointed to by @regs
|
||||
* is verified by signature list pointed to by @siglist.
|
||||
* Signature database is a simple concatenation of one or more
|
||||
* signature list(s).
|
||||
* Search signature database pointed to by @db and find a certificate
|
||||
* pointed to by @cert.
|
||||
*
|
||||
* Return: true if signature is verified, false if not
|
||||
* Return: true if found, false otherwise.
|
||||
*/
|
||||
static
|
||||
bool efi_signature_verify_with_list(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct pkcs7_signed_info *signed_info,
|
||||
struct efi_signature_store *siglist,
|
||||
struct x509_certificate **valid_cert)
|
||||
static bool efi_lookup_certificate(struct x509_certificate *cert,
|
||||
struct efi_signature_store *db)
|
||||
{
|
||||
struct x509_certificate *cert;
|
||||
struct efi_signature_store *siglist;
|
||||
struct efi_sig_data *sig_data;
|
||||
bool verified = false;
|
||||
struct image_region reg[1];
|
||||
void *hash = NULL, *hash_tmp = NULL;
|
||||
size_t size = 0;
|
||||
bool found = false;
|
||||
|
||||
EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__,
|
||||
regs, signed_info, siglist, valid_cert);
|
||||
EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db);
|
||||
|
||||
if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) {
|
||||
EFI_PRINT("Signature type is not supported: %pUl\n",
|
||||
&siglist->sig_type);
|
||||
if (!cert || !db || !db->sig_data_list)
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* TODO: identify a certificate using sha256 digest
|
||||
* Is there any better way?
|
||||
*/
|
||||
/* calculate hash of TBSCertificate */
|
||||
reg[0].data = cert->tbs;
|
||||
reg[0].size = cert->tbs_size;
|
||||
if (!efi_hash_regions(reg, 1, &hash, &size))
|
||||
goto out;
|
||||
|
||||
EFI_PRINT("%s: searching for %s\n", __func__, cert->subject);
|
||||
for (siglist = db; siglist; siglist = siglist->next) {
|
||||
/* only with x509 certificate */
|
||||
if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
|
||||
continue;
|
||||
|
||||
for (sig_data = siglist->sig_data_list; sig_data;
|
||||
sig_data = sig_data->next) {
|
||||
struct x509_certificate *cert_tmp;
|
||||
|
||||
cert_tmp = x509_cert_parse(sig_data->data,
|
||||
sig_data->size);
|
||||
if (IS_ERR_OR_NULL(cert_tmp))
|
||||
continue;
|
||||
|
||||
EFI_PRINT("%s: against %s\n", __func__,
|
||||
cert_tmp->subject);
|
||||
reg[0].data = cert_tmp->tbs;
|
||||
reg[0].size = cert_tmp->tbs_size;
|
||||
if (!efi_hash_regions(reg, 1, &hash_tmp, NULL))
|
||||
goto out;
|
||||
|
||||
x509_free_certificate(cert_tmp);
|
||||
|
||||
if (!memcmp(hash, hash_tmp, size)) {
|
||||
found = true;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
out:
|
||||
free(hash);
|
||||
free(hash_tmp);
|
||||
|
||||
/* go through the list */
|
||||
for (sig_data = siglist->sig_data_list; sig_data;
|
||||
sig_data = sig_data->next) {
|
||||
/* TODO: support owner check based on policy */
|
||||
EFI_PRINT("%s: Exit, found: %d\n", __func__, found);
|
||||
return found;
|
||||
}
|
||||
|
||||
cert = x509_cert_parse(sig_data->data, sig_data->size);
|
||||
if (IS_ERR(cert)) {
|
||||
EFI_PRINT("Parsing x509 certificate failed\n");
|
||||
goto out;
|
||||
/**
|
||||
* efi_verify_certificate - verify certificate's signature with database
|
||||
* @signer: Certificate
|
||||
* @db: Signature database
|
||||
* @root: Certificate to verify @signer
|
||||
*
|
||||
* Determine if certificate pointed to by @signer may be verified
|
||||
* by one of certificates in signature database pointed to by @db.
|
||||
*
|
||||
* Return: true if certificate is verified, false otherwise.
|
||||
*/
|
||||
static bool efi_verify_certificate(struct x509_certificate *signer,
|
||||
struct efi_signature_store *db,
|
||||
struct x509_certificate **root)
|
||||
{
|
||||
struct efi_signature_store *siglist;
|
||||
struct efi_sig_data *sig_data;
|
||||
struct x509_certificate *cert;
|
||||
bool verified = false;
|
||||
int ret;
|
||||
|
||||
EFI_PRINT("%s: Enter, %p, %p\n", __func__, signer, db);
|
||||
|
||||
if (!signer || !db || !db->sig_data_list)
|
||||
goto out;
|
||||
|
||||
for (siglist = db; siglist; siglist = siglist->next) {
|
||||
/* only with x509 certificate */
|
||||
if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
|
||||
continue;
|
||||
|
||||
for (sig_data = siglist->sig_data_list; sig_data;
|
||||
sig_data = sig_data->next) {
|
||||
cert = x509_cert_parse(sig_data->data, sig_data->size);
|
||||
if (IS_ERR_OR_NULL(cert)) {
|
||||
EFI_PRINT("Cannot parse x509 certificate\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
ret = public_key_verify_signature(cert->pub,
|
||||
signer->sig);
|
||||
if (!ret) {
|
||||
verified = true;
|
||||
if (root)
|
||||
*root = cert;
|
||||
else
|
||||
x509_free_certificate(cert);
|
||||
goto out;
|
||||
}
|
||||
x509_free_certificate(cert);
|
||||
}
|
||||
|
||||
verified = efi_signature_verify(regs, msg, signed_info, cert);
|
||||
|
||||
if (verified) {
|
||||
if (valid_cert)
|
||||
*valid_cert = cert;
|
||||
else
|
||||
x509_free_certificate(cert);
|
||||
break;
|
||||
}
|
||||
x509_free_certificate(cert);
|
||||
}
|
||||
|
||||
out:
|
||||
@ -335,7 +268,7 @@ out:
|
||||
* protocol at this time and any image will be unconditionally revoked
|
||||
* when this match occurs.
|
||||
*
|
||||
* Return: true if check passed, false otherwise.
|
||||
* Return: true if check passed (not found), false otherwise.
|
||||
*/
|
||||
static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo,
|
||||
struct x509_certificate *cert,
|
||||
@ -405,56 +338,8 @@ out:
|
||||
return !revoked;
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_signature_verify_one - verify signatures with database
|
||||
* @regs: List of regions to be authenticated
|
||||
* @msg: Signature
|
||||
* @db: Signature database
|
||||
*
|
||||
* All the signature pointed to by @msg against image pointed to by @regs
|
||||
* will be verified by signature database pointed to by @db.
|
||||
*
|
||||
* Return: true if verification for one of signatures passed, false
|
||||
* otherwise
|
||||
*/
|
||||
bool efi_signature_verify_one(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db)
|
||||
{
|
||||
struct pkcs7_signed_info *sinfo;
|
||||
struct efi_signature_store *siglist;
|
||||
struct x509_certificate *cert;
|
||||
bool verified = false;
|
||||
|
||||
EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, regs, msg, db);
|
||||
|
||||
if (!db)
|
||||
goto out;
|
||||
|
||||
if (!db->sig_data_list)
|
||||
goto out;
|
||||
|
||||
EFI_PRINT("%s: Verify signed image with db\n", __func__);
|
||||
for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
|
||||
EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n",
|
||||
sinfo->sig->hash_algo, sinfo->sig->pkey_algo);
|
||||
|
||||
for (siglist = db; siglist; siglist = siglist->next)
|
||||
if (efi_signature_verify_with_list(regs, msg, sinfo,
|
||||
siglist, &cert)) {
|
||||
verified = true;
|
||||
goto out;
|
||||
}
|
||||
EFI_PRINT("Valid certificate not in \"db\"\n");
|
||||
}
|
||||
|
||||
out:
|
||||
EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
|
||||
return verified;
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_signature_verify_with_sigdb - verify signatures with db and dbx
|
||||
/*
|
||||
* efi_signature_verify - verify signatures with db and dbx
|
||||
* @regs: List of regions to be authenticated
|
||||
* @msg: Signature
|
||||
* @db: Signature database for trusted certificates
|
||||
@ -465,43 +350,71 @@ out:
|
||||
*
|
||||
* Return: true if verification for all signatures passed, false otherwise
|
||||
*/
|
||||
bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db,
|
||||
struct efi_signature_store *dbx)
|
||||
bool efi_signature_verify(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db,
|
||||
struct efi_signature_store *dbx)
|
||||
{
|
||||
struct pkcs7_signed_info *info;
|
||||
struct efi_signature_store *siglist;
|
||||
struct x509_certificate *cert;
|
||||
struct pkcs7_signed_info *sinfo;
|
||||
struct x509_certificate *signer, *root;
|
||||
bool verified = false;
|
||||
int ret;
|
||||
|
||||
EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx);
|
||||
|
||||
if (!regs || !msg || !db || !db->sig_data_list)
|
||||
goto out;
|
||||
|
||||
for (info = msg->signed_infos; info; info = info->next) {
|
||||
for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
|
||||
EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n",
|
||||
info->sig->hash_algo, info->sig->pkey_algo);
|
||||
sinfo->sig->hash_algo, sinfo->sig->pkey_algo);
|
||||
|
||||
for (siglist = db; siglist; siglist = siglist->next) {
|
||||
if (efi_signature_verify_with_list(regs, msg, info,
|
||||
siglist, &cert))
|
||||
break;
|
||||
}
|
||||
if (!siglist) {
|
||||
EFI_PRINT("Valid certificate not in \"db\"\n");
|
||||
/*
|
||||
* only for authenticated variable.
|
||||
*
|
||||
* If this function is called for image,
|
||||
* hash calculation will be done in
|
||||
* pkcs7_verify_one().
|
||||
*/
|
||||
if (!msg->data &&
|
||||
!efi_hash_regions(regs->reg, regs->num,
|
||||
(void **)&sinfo->sig->digest, NULL)) {
|
||||
EFI_PRINT("Digesting an image failed\n");
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!dbx || efi_signature_check_revocation(info, cert, dbx))
|
||||
EFI_PRINT("Verifying certificate chain\n");
|
||||
signer = NULL;
|
||||
ret = pkcs7_verify_one(msg, sinfo, &signer);
|
||||
if (ret == -ENOPKG)
|
||||
continue;
|
||||
|
||||
EFI_PRINT("Certificate in \"dbx\"\n");
|
||||
goto out;
|
||||
}
|
||||
verified = true;
|
||||
if (ret < 0 || !signer)
|
||||
goto out;
|
||||
|
||||
if (sinfo->blacklisted)
|
||||
goto out;
|
||||
|
||||
EFI_PRINT("Verifying last certificate in chain\n");
|
||||
if (signer->self_signed) {
|
||||
if (efi_lookup_certificate(signer, db))
|
||||
if (efi_signature_check_revocation(sinfo,
|
||||
signer, dbx))
|
||||
break;
|
||||
} else if (efi_verify_certificate(signer, db, &root)) {
|
||||
bool check;
|
||||
|
||||
check = efi_signature_check_revocation(sinfo, root,
|
||||
dbx);
|
||||
x509_free_certificate(root);
|
||||
if (check)
|
||||
break;
|
||||
}
|
||||
|
||||
EFI_PRINT("Certificate chain didn't reach trusted CA\n");
|
||||
}
|
||||
if (sinfo)
|
||||
verified = true;
|
||||
out:
|
||||
EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
|
||||
return verified;
|
||||
|
@ -37,16 +37,21 @@ static u8 pkcs7_hdr[] = {
|
||||
* efi_variable_parse_signature - parse a signature in variable
|
||||
* @buf: Pointer to variable's value
|
||||
* @buflen: Length of @buf
|
||||
* @tmpbuf: Pointer to temporary buffer
|
||||
*
|
||||
* Parse a signature embedded in variable's value and instantiate
|
||||
* a pkcs7_message structure. Since pkcs7_parse_message() accepts only
|
||||
* pkcs7's signedData, some header needed be prepended for correctly
|
||||
* parsing authentication data, particularly for variable's.
|
||||
* A temporary buffer will be allocated if needed, and it should be
|
||||
* kept valid during the authentication because some data in the buffer
|
||||
* will be referenced by efi_signature_verify().
|
||||
*
|
||||
* Return: Pointer to pkcs7_message structure on success, NULL on error
|
||||
*/
|
||||
static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
|
||||
size_t buflen)
|
||||
size_t buflen,
|
||||
u8 **tmpbuf)
|
||||
{
|
||||
u8 *ebuf;
|
||||
size_t ebuflen, len;
|
||||
@ -59,7 +64,9 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
|
||||
if (buflen > sizeof(pkcs7_hdr) &&
|
||||
!memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
|
||||
msg = pkcs7_parse_message(buf, buflen);
|
||||
goto out;
|
||||
if (IS_ERR(msg))
|
||||
return NULL;
|
||||
return msg;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -94,12 +101,12 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
|
||||
|
||||
msg = pkcs7_parse_message(ebuf, ebuflen);
|
||||
|
||||
free(ebuf);
|
||||
|
||||
out:
|
||||
if (IS_ERR(msg))
|
||||
if (IS_ERR(msg)) {
|
||||
free(ebuf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
*tmpbuf = ebuf;
|
||||
return msg;
|
||||
}
|
||||
|
||||
@ -136,6 +143,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
|
||||
struct efi_time timestamp;
|
||||
struct rtc_time tm;
|
||||
u64 new_time;
|
||||
u8 *ebuf;
|
||||
enum efi_auth_var_type var_type;
|
||||
efi_status_t ret;
|
||||
|
||||
@ -143,6 +151,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
|
||||
truststore = NULL;
|
||||
truststore2 = NULL;
|
||||
regs = NULL;
|
||||
ebuf = NULL;
|
||||
ret = EFI_SECURITY_VIOLATION;
|
||||
|
||||
if (*data_size < sizeof(struct efi_variable_authentication_2))
|
||||
@ -204,9 +213,12 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
|
||||
/* variable's signature list */
|
||||
if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
|
||||
goto err;
|
||||
|
||||
/* ebuf should be kept valid during the authentication */
|
||||
var_sig = efi_variable_parse_signature(auth->auth_info.cert_data,
|
||||
auth->auth_info.hdr.dwLength
|
||||
- sizeof(auth->auth_info));
|
||||
- sizeof(auth->auth_info),
|
||||
&ebuf);
|
||||
if (!var_sig) {
|
||||
EFI_PRINT("Parsing variable's signature failed\n");
|
||||
goto err;
|
||||
@ -241,12 +253,11 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
|
||||
}
|
||||
|
||||
/* verify signature */
|
||||
if (efi_signature_verify_with_sigdb(regs, var_sig, truststore, NULL)) {
|
||||
if (efi_signature_verify(regs, var_sig, truststore, NULL)) {
|
||||
EFI_PRINT("Verified\n");
|
||||
} else {
|
||||
if (truststore2 &&
|
||||
efi_signature_verify_with_sigdb(regs, var_sig,
|
||||
truststore2, NULL)) {
|
||||
efi_signature_verify(regs, var_sig, truststore2, NULL)) {
|
||||
EFI_PRINT("Verified\n");
|
||||
} else {
|
||||
EFI_PRINT("Verifying variable's signature failed\n");
|
||||
@ -262,6 +273,7 @@ err:
|
||||
efi_sigstore_free(truststore);
|
||||
efi_sigstore_free(truststore2);
|
||||
pkcs7_free_message(var_sig);
|
||||
free(ebuf);
|
||||
free(regs);
|
||||
|
||||
return ret;
|
||||
@ -496,10 +508,6 @@ efi_status_t efi_init_variables(void)
|
||||
if (ret != EFI_SUCCESS)
|
||||
return ret;
|
||||
|
||||
ret = efi_init_secure_state();
|
||||
if (ret != EFI_SUCCESS)
|
||||
return ret;
|
||||
|
||||
if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
|
||||
ret = efi_var_restore((struct efi_var_file *)
|
||||
__efi_var_file_begin);
|
||||
@ -507,5 +515,9 @@ efi_status_t efi_init_variables(void)
|
||||
log_err("Invalid EFI variable seed\n");
|
||||
}
|
||||
|
||||
return efi_var_from_file();
|
||||
ret = efi_var_from_file();
|
||||
if (ret != EFI_SUCCESS)
|
||||
return ret;
|
||||
|
||||
return efi_init_secure_state();
|
||||
}
|
||||
|
@ -25,13 +25,8 @@ def efi_boot_env(request, u_boot_config):
|
||||
Return:
|
||||
A path to disk image to be used for testing
|
||||
"""
|
||||
global HELLO_PATH
|
||||
|
||||
image_path = u_boot_config.persistent_data_dir
|
||||
image_path = image_path + '/' + EFI_SECBOOT_IMAGE_NAME
|
||||
|
||||
if HELLO_PATH == '':
|
||||
HELLO_PATH = u_boot_config.build_dir + '/lib/efi_loader/helloworld.efi'
|
||||
image_path = image_path + '/test_efi_secboot.img'
|
||||
|
||||
try:
|
||||
mnt_point = u_boot_config.build_dir + '/mnt_efisecure'
|
||||
@ -75,9 +70,6 @@ def efi_boot_env(request, u_boot_config):
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# db1-update
|
||||
check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
|
||||
% (mnt_point, EFITOOLS_PATH), shell=True)
|
||||
# dbx (TEST_dbx certificate)
|
||||
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
|
||||
% mnt_point, shell=True)
|
||||
@ -89,7 +81,7 @@ def efi_boot_env(request, u_boot_config):
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# dbx_hash1 (digest of TEST_db1 certificate)
|
||||
check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
|
||||
check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# dbx_db (with TEST_db certificate)
|
||||
@ -98,7 +90,8 @@ def efi_boot_env(request, u_boot_config):
|
||||
shell=True)
|
||||
|
||||
# Copy image
|
||||
check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
|
||||
check_call('cp %s/lib/efi_loader/helloworld.efi %s' %
|
||||
(u_boot_config.build_dir, mnt_point), shell=True)
|
||||
|
||||
# Sign image
|
||||
check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi'
|
||||
@ -128,3 +121,119 @@ def efi_boot_env(request, u_boot_config):
|
||||
yield image_path
|
||||
finally:
|
||||
call('rm -f %s' % image_path, shell=True)
|
||||
|
||||
#
|
||||
# Fixture for UEFI secure boot test of intermediate certificates
|
||||
#
|
||||
|
||||
|
||||
@pytest.fixture(scope='session')
|
||||
def efi_boot_env_intca(request, u_boot_config):
|
||||
"""Set up a file system to be used in UEFI secure boot test
|
||||
of intermediate certificates.
|
||||
|
||||
Args:
|
||||
request: Pytest request object.
|
||||
u_boot_config: U-boot configuration.
|
||||
|
||||
Return:
|
||||
A path to disk image to be used for testing
|
||||
"""
|
||||
image_path = u_boot_config.persistent_data_dir
|
||||
image_path = image_path + '/test_efi_secboot_intca.img'
|
||||
|
||||
try:
|
||||
mnt_point = u_boot_config.persistent_data_dir + '/mnt_efi_secboot_intca'
|
||||
check_call('rm -rf {}'.format(mnt_point), shell=True)
|
||||
check_call('mkdir -p {}'.format(mnt_point), shell=True)
|
||||
|
||||
# Create signature database
|
||||
# PK
|
||||
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
|
||||
% mnt_point, shell=True)
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# KEK
|
||||
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
|
||||
% mnt_point, shell=True)
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
|
||||
# We will have three-tier hierarchy of certificates:
|
||||
# TestRoot: Root CA (self-signed)
|
||||
# TestSub: Intermediate CA (signed by Root CA)
|
||||
# TestCert: User certificate (signed by Intermediate CA, and used
|
||||
# for signing an image)
|
||||
#
|
||||
# NOTE:
|
||||
# I consulted the following EDK2 document for certificate options:
|
||||
# BaseTools/Source/Python/Pkcs7Sign/Readme.md
|
||||
# Please not use them as they are in product system. They are
|
||||
# for test purpose only.
|
||||
|
||||
# TestRoot
|
||||
check_call('cp %s/test/py/tests/test_efi_secboot/openssl.cnf %s'
|
||||
% (u_boot_config.source_dir, mnt_point), shell=True)
|
||||
check_call('cd %s; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestRoot.key 2048; openssl req -extensions v3_ca -new -x509 -days 365 -key TestRoot.key -out TestRoot.crt -subj "/CN=TEST_root/"; touch index.txt; touch index.txt.attr'
|
||||
% mnt_point, shell=True)
|
||||
# TestSub
|
||||
check_call('cd %s; touch serial.new; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestSub.key 2048; openssl req -new -key TestSub.key -out TestSub.csr -subj "/CN=TEST_sub/"; openssl ca -in TestSub.csr -out TestSub.crt -extensions v3_int_ca -days 365 -batch -rand_serial -cert TestRoot.crt -keyfile TestRoot.key'
|
||||
% mnt_point, shell=True)
|
||||
# TestCert
|
||||
check_call('cd %s; touch serial.new; export OPENSSL_CONF=./openssl.cnf; openssl genrsa -out TestCert.key 2048; openssl req -new -key TestCert.key -out TestCert.csr -subj "/CN=TEST_cert/"; openssl ca -in TestCert.csr -out TestCert.crt -extensions usr_cert -days 365 -batch -rand_serial -cert TestSub.crt -keyfile TestSub.key'
|
||||
% mnt_point, shell=True)
|
||||
# db
|
||||
# for TestCert
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s TestCert.crt TestCert.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db TestCert.esl db_a.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# for TestSub
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s TestSub.crt TestSub.esl; %ssign-efi-sig-list -t "2020-07-16" -c KEK.crt -k KEK.key db TestSub.esl db_b.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# for TestRoot
|
||||
check_call('cd %s; %scert-to-efi-sig-list -g %s TestRoot.crt TestRoot.esl; %ssign-efi-sig-list -t "2020-07-17" -c KEK.crt -k KEK.key db TestRoot.esl db_c.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
## dbx (hash of certificate with revocation time)
|
||||
# for TestCert
|
||||
check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-20" -s 256 TestCert.crt TestCert.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx TestCert.crl dbx_a.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# for TestSub
|
||||
check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-21" -s 256 TestSub.crt TestSub.crl; %ssign-efi-sig-list -t "2020-07-18" -c KEK.crt -k KEK.key dbx TestSub.crl dbx_b.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
# for TestRoot
|
||||
check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2020-07-22" -s 256 TestRoot.crt TestRoot.crl; %ssign-efi-sig-list -t "2020-07-19" -c KEK.crt -k KEK.key dbx TestRoot.crl dbx_c.auth'
|
||||
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
|
||||
shell=True)
|
||||
|
||||
# Sign image
|
||||
# additional intermediate certificates may be included
|
||||
# in SignedData
|
||||
|
||||
check_call('cp %s/lib/efi_loader/helloworld.efi %s' %
|
||||
(u_boot_config.build_dir, mnt_point), shell=True)
|
||||
# signed by TestCert
|
||||
check_call('cd %s; %ssbsign --key TestCert.key --cert TestCert.crt --out helloworld.efi.signed_a helloworld.efi'
|
||||
% (mnt_point, SBSIGN_PATH), shell=True)
|
||||
# signed by TestCert with TestSub in signature
|
||||
check_call('cd %s; %ssbsign --key TestCert.key --cert TestCert.crt --addcert TestSub.crt --out helloworld.efi.signed_ab helloworld.efi'
|
||||
% (mnt_point, SBSIGN_PATH), shell=True)
|
||||
# signed by TestCert with TestSub and TestRoot in signature
|
||||
check_call('cd %s; cat TestSub.crt TestRoot.crt > TestSubRoot.crt; %ssbsign --key TestCert.key --cert TestCert.crt --addcert TestSubRoot.crt --out helloworld.efi.signed_abc helloworld.efi'
|
||||
% (mnt_point, SBSIGN_PATH), shell=True)
|
||||
|
||||
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat {} {}'.format(mnt_point, image_path), shell=True)
|
||||
check_call('rm -rf {}'.format(mnt_point), shell=True)
|
||||
|
||||
except CalledProcessError as e:
|
||||
pytest.skip('Setup failed: %s' % e.cmd)
|
||||
return
|
||||
else:
|
||||
yield image_path
|
||||
finally:
|
||||
call('rm -f %s' % image_path, shell=True)
|
||||
|
@ -1,14 +1,14 @@
|
||||
# SPDX-License-Identifier: GPL-2.0+
|
||||
|
||||
# Disk image name
|
||||
EFI_SECBOOT_IMAGE_NAME = 'test_efi_secboot.img'
|
||||
|
||||
# Owner guid
|
||||
GUID = '11111111-2222-3333-4444-123456789abc'
|
||||
|
||||
# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
|
||||
# you need build a newer version on your own.
|
||||
# The path must terminate with '/'.
|
||||
EFITOOLS_PATH = ''
|
||||
|
||||
# Hello World application for sandbox
|
||||
HELLO_PATH = ''
|
||||
# "--addcert" option of sbsign must be available, otherwise
|
||||
# you need build a newer version on your own.
|
||||
# The path must terminate with '/'.
|
||||
SBSIGN_PATH = ''
|
||||
|
48
test/py/tests/test_efi_secboot/openssl.cnf
Normal file
48
test/py/tests/test_efi_secboot/openssl.cnf
Normal file
@ -0,0 +1,48 @@
|
||||
[ ca ]
|
||||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
new_certs_dir = .
|
||||
database = ./index.txt
|
||||
serial = ./serial
|
||||
default_md = sha256
|
||||
policy = policy_min
|
||||
|
||||
[ req ]
|
||||
distinguished_name = def_distinguished_name
|
||||
|
||||
[def_distinguished_name]
|
||||
|
||||
# Extensions
|
||||
# -addext " ... = ..."
|
||||
#
|
||||
[ v3_ca ]
|
||||
# Extensions for a typical Root CA.
|
||||
basicConstraints = critical,CA:TRUE
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
|
||||
[ v3_int_ca ]
|
||||
# Extensions for a typical intermediate CA.
|
||||
basicConstraints = critical, CA:TRUE
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
|
||||
[ usr_cert ]
|
||||
# Extensions for user end certificates.
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = clientAuth, emailProtection
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer
|
||||
|
||||
[ policy_min ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
@ -157,7 +157,8 @@ class TestEfiSignedImage(object):
|
||||
u_boot_console.restart_uboot()
|
||||
disk_img = efi_boot_env
|
||||
with u_boot_console.log.section('Test Case 5a'):
|
||||
# Test Case 5a, rejected if any of signatures is not verified
|
||||
# Test Case 5a, authenticated even if only one of signatures
|
||||
# is verified
|
||||
output = u_boot_console.run_command_list([
|
||||
'host bind 0 %s' % disk_img,
|
||||
'fatload host 0:1 4000000 db.auth',
|
||||
@ -171,8 +172,7 @@ class TestEfiSignedImage(object):
|
||||
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO\' failed' in ''.join(output)
|
||||
assert 'efi_start_image() returned: 26' in ''.join(output)
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 5b'):
|
||||
# Test Case 5b, authenticated if both signatures are verified
|
||||
@ -181,19 +181,29 @@ class TestEfiSignedImage(object):
|
||||
'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
|
||||
'efidebug boot next 1',
|
||||
'bootefi bootmgr'])
|
||||
'efidebug test bootmgr'])
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 5c'):
|
||||
# Test Case 5c, rejected if any of signatures is revoked
|
||||
# Test Case 5c, not rejected if one of signatures (digest of
|
||||
# certificate) is revoked
|
||||
output = u_boot_console.run_command_list([
|
||||
'fatload host 0:1 4000000 dbx_hash1.auth',
|
||||
'fatload host 0:1 4000000 dbx_hash.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 5d'):
|
||||
# Test Case 5d, rejected if both of signatures are revoked
|
||||
output = u_boot_console.run_command_list([
|
||||
'fatload host 0:1 4000000 dbx_hash1.auth',
|
||||
'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO\' failed' in ''.join(output)
|
||||
|
135
test/py/tests/test_efi_secboot/test_signed_intca.py
Normal file
135
test/py/tests/test_efi_secboot/test_signed_intca.py
Normal file
@ -0,0 +1,135 @@
|
||||
# SPDX-License-Identifier: GPL-2.0+
|
||||
# Copyright (c) 2020, Linaro Limited
|
||||
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
||||
#
|
||||
# U-Boot UEFI: Image Authentication Test (signature with certificates chain)
|
||||
|
||||
"""
|
||||
This test verifies image authentication for a signed image which is signed
|
||||
by user certificate and contains additional intermediate certificates in its
|
||||
signature.
|
||||
"""
|
||||
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.mark.boardspec('sandbox')
|
||||
@pytest.mark.buildconfigspec('efi_secure_boot')
|
||||
@pytest.mark.buildconfigspec('cmd_efidebug')
|
||||
@pytest.mark.buildconfigspec('cmd_fat')
|
||||
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
|
||||
@pytest.mark.slow
|
||||
class TestEfiSignedImageIntca(object):
|
||||
def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
|
||||
"""
|
||||
Test Case 1 - authenticated by root CA in db
|
||||
"""
|
||||
u_boot_console.restart_uboot()
|
||||
disk_img = efi_boot_env_intca
|
||||
with u_boot_console.log.section('Test Case 1a'):
|
||||
# Test Case 1a, with no Int CA and not authenticated by root CA
|
||||
output = u_boot_console.run_command_list([
|
||||
'host bind 0 %s' % disk_img,
|
||||
'fatload host 0:1 4000000 db_c.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
|
||||
'fatload host 0:1 4000000 KEK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
|
||||
'fatload host 0:1 4000000 PK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 1 HELLO_a host 0:1 /helloworld.efi.signed_a ""',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO_a\' failed' in ''.join(output)
|
||||
assert 'efi_start_image() returned: 26' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 1b'):
|
||||
# Test Case 1b, signed and authenticated by root CA
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab ""',
|
||||
'efidebug boot next 2',
|
||||
'bootefi bootmgr'])
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
|
||||
def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
|
||||
"""
|
||||
Test Case 2 - authenticated by root CA in db
|
||||
"""
|
||||
u_boot_console.restart_uboot()
|
||||
disk_img = efi_boot_env_intca
|
||||
with u_boot_console.log.section('Test Case 2a'):
|
||||
# Test Case 2a, unsigned and not authenticated by root CA
|
||||
output = u_boot_console.run_command_list([
|
||||
'host bind 0 %s' % disk_img,
|
||||
'fatload host 0:1 4000000 KEK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
|
||||
'fatload host 0:1 4000000 PK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO_abc\' failed' in ''.join(output)
|
||||
assert 'efi_start_image() returned: 26' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 2b'):
|
||||
# Test Case 2b, signed and authenticated by root CA
|
||||
output = u_boot_console.run_command_list([
|
||||
'fatload host 0:1 4000000 db_b.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO_abc\' failed' in ''.join(output)
|
||||
assert 'efi_start_image() returned: 26' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 2c'):
|
||||
# Test Case 2c, signed and authenticated by root CA
|
||||
output = u_boot_console.run_command_list([
|
||||
'fatload host 0:1 4000000 db_c.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
|
||||
def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
|
||||
"""
|
||||
Test Case 3 - revoked by dbx
|
||||
"""
|
||||
u_boot_console.restart_uboot()
|
||||
disk_img = efi_boot_env_intca
|
||||
with u_boot_console.log.section('Test Case 3a'):
|
||||
# Test Case 3a, revoked by int CA in dbx
|
||||
output = u_boot_console.run_command_list([
|
||||
'host bind 0 %s' % disk_img,
|
||||
'fatload host 0:1 4000000 dbx_b.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
|
||||
'fatload host 0:1 4000000 db_c.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
|
||||
'fatload host 0:1 4000000 KEK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
|
||||
'fatload host 0:1 4000000 PK.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
|
||||
assert 'Failed to set EFI variable' not in ''.join(output)
|
||||
|
||||
output = u_boot_console.run_command_list([
|
||||
'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert 'Hello, world!' in ''.join(output)
|
||||
# Or,
|
||||
# assert '\'HELLO_abc\' failed' in ''.join(output)
|
||||
# assert 'efi_start_image() returned: 26' in ''.join(output)
|
||||
|
||||
with u_boot_console.log.section('Test Case 3b'):
|
||||
# Test Case 3b, revoked by root CA in dbx
|
||||
output = u_boot_console.run_command_list([
|
||||
'fatload host 0:1 4000000 dbx_c.auth',
|
||||
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
|
||||
'efidebug boot next 1',
|
||||
'efidebug test bootmgr'])
|
||||
assert '\'HELLO_abc\' failed' in ''.join(output)
|
||||
assert 'efi_start_image() returned: 26' in ''.join(output)
|
Loading…
Reference in New Issue
Block a user