From patchwork Fri May 29 06:41:17 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 246805
List-Id: U-Boot discussion
From: takahiro.akashi at linaro.org (AKASHI Takahiro)
Date: Fri, 29 May 2020 15:41:17 +0900
Subject: [PATCH 00/13] efi_loader: rework/improve UEFI secure boot code
Message-ID: <20200529064130.28332-1-takahiro.akashi@linaro.org>

Summary
=======
I'm currently working on reworking UEFI secure boot, aiming to add
"intermediate certificates" support. In this effort, I found a couple
of issues that should immediately be fixed or useful improvements
even without intermediate certificates support.

Each commit in this patch series has a self-explanatory description of the
issue to be addressed. While they are independent in terms of functionality,
they are compiled in a set since the one may depend on the other in terms of
code change overlap. All the changes can and should be merged at once for
best convenience.

I hope that I will post intermediate certificates support sometime
in the next week.

Patch structure
===============
Patch#1,#5: rather preliminary patches
Patch#2-#4,#6,#7: main commits
Patch#8-#13: pytests
  Patch#11,#12 for Patch#6
  Patch#13 for Patch#7

Test
====
- Travis CI is still running with the latest
  (it passed with the previous one, including new pytests added here)

AKASHI Takahiro (13):
  efi_loader: signature: move efi_guid_cert_type_pkcs7 to efi_signature.c
  efi_loader: image_loader: add a check against certificate type of authenticode
  efi_loader: image_loader: retrieve authenticode only if it exists
  efi_loader: signature: fix a size check against revocation list
  efi_loader: signature: make efi_hash_regions more generic
  efi_loader: image_loader: verification for all signatures should pass
  efi_loader: image_loader: add digest-based verification for signed image
  test/py: efi_secboot: remove all "re.search"
  test/py: efi_secboot: fix test case 1g of test_authvar
  test/py: efi_secboot: split "signed image" test case-1 into two cases
  test/py: efi_secboot: add a test against certificate revocation
  test/py: efi_secboot: add a test for multiple signatures
  test/py: efi_secboot: add a test for verifying with digest of signed image

 include/efi_loader.h                          |  12 +-
 lib/efi_loader/efi_image_loader.c             | 142 ++++--
 lib/efi_loader/efi_signature.c                | 426 ++++++++----------
 lib/efi_loader/efi_variable.c                 |   1 -
 test/py/tests/test_efi_secboot/conftest.py    |  20 +-
 .../py/tests/test_efi_secboot/test_authvar.py |  83 ++--
 test/py/tests/test_efi_secboot/test_signed.py | 236 +++++++---
 .../tests/test_efi_secboot/test_unsigned.py   |  32 +-
 8 files changed, 563 insertions(+), 389 deletions(-)