From patchwork Fri Jul 17 07:16:23 2020
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 235675
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 0/7] efi_loader: secure boot: support intermediate certificates in signature
Date: Fri, 17 Jul 2020 16:16:23 +0900
Message-Id: <20200717071630.7363-1-takahiro.akashi@linaro.org>

Summary
=======
Under the current implementation of secure boot merged in v2020.07,
the UEFI subsystem verifies a signature using certificates that come
from the signature database, i.e. "db."

In the real world, an image is signed by a signer, but its certificate
can also be signed by another CA and, if it is not self-signed, the latter
will be signed by yet another CA and so on. This is called a certificate
chain, and any certificate in the middle of the chain is called an
"intermediate" certificate.

With this patch set applied on top of the current implementation,
the UEFI subsystem will be capable of verifying intermediate certificates
contained in a signature and authenticating an image in a chain of
trusted certificates.

Please note that we don't support RFC6131, or timestamp protocol, and so
if any certificate in the chain is found in the revocation list, i.e. dbx,
the image will unconditionally be disqualified from being loaded or run.

Patch structure
===============
Patch#1-#5: preparatory patches
Patch#6: main part
Patch#7: pytest

Prerequisite
============
All the required patches have been merged.
You can fetch the whole workable repository from here[1].

One patch[2] to sbsigntools must also be applied so that we will be able
to sign an image with intermediate certificates. It is required here for
testing.

Test
====
- The added new pytest (test_signed_intca.py) passed locally.
- Travis CI passed, except the new pytest added here due to a new
  feature in sbsigntools as mentioned above.
  (the latest version is still running though.)

Misc
====
- checkpatch.pl makes several warnings against pkcs7_verify.c, but
  we will ignore them as it is a file imported from linux code.

[1] https://git.linaro.org/people/takahiro.akashi/u-boot.git efi/secboot
[2] https://groups.io/g/sbsigntools/message/23

v4 (July 17, 2020)
* rebased to Heinrich's efi-2020-10-rc4
* remove an already-merged patch
* (no functional change)
* modify conftest.py to align it with recent changes Heinrich made (patch#7)

v3 (Jul 10, 2020)
* rebased to Heinrich's (current) efi-2020-10-rc1 along with my follow-up
  patches
* add sanity checks in public_key_verify_signature() (Patch#2)
* simplify include headers in pkcs7_verify.c (Patch#4)
* fix timestamp issues in Test Case 2 and 3 (Patch#8)

v2 (June 16, 2020)
* add function descriptions (Patch#2, #6 and #7)
* pylint and autopep8 against pytest (Patch#8)

v1 (June 9, 2020)
* initial release
* on top of v2020.07-rc4

AKASHI Takahiro (7):
  lib: crypto: add public_key_verify_signature()
  lib: crypto: enable x509_check_for_self_signed()
  lib: crypto: import pkcs7_verify.c from linux
  lib: crypto: add pkcs7_digest()
  lib: crypto: export and enhance pkcs7_verify_one()
  efi_loader: signature: rework for intermediate certificates support
  test/py: efi_secboot: add test for intermediate certificates

 include/crypto/pkcs7.h                        |   9 +-
 include/crypto/public_key.h                   |   2 +-
 include/efi_loader.h                          |   8 +-
 lib/crypto/Kconfig                            |   3 +
 lib/crypto/Makefile                           |   1 +
 lib/crypto/pkcs7_verify.c                     | 654 ++++++++++++++++++
 lib/crypto/public_key.c                       |  70 +-
 lib/crypto/x509_cert_parser.c                 |   2 -
 lib/crypto/x509_public_key.c                  |  33 +-
 lib/efi_loader/Kconfig                        |   1 +
 lib/efi_loader/efi_image_loader.c             |   2 +-
 lib/efi_loader/efi_signature.c                | 385 +++++------
 lib/efi_loader/efi_variable.c                 |   5 +-
 test/py/tests/test_efi_secboot/conftest.py    | 134 +++-
 test/py/tests/test_efi_secboot/defs.py        |   8 +-
 test/py/tests/test_efi_secboot/openssl.cnf    |  48 ++
 .../test_efi_secboot/test_signed_intca.py     | 135 ++++
 17 files changed, 1266 insertions(+), 234 deletions(-)
 create mode 100644 lib/crypto/pkcs7_verify.c
 create mode 100644 test/py/tests/test_efi_secboot/openssl.cnf
 create mode 100644 test/py/tests/test_efi_secboot/test_signed_intca.py

-- 
2.27.0
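
The trust decision described in the Summary, as an added illustration that is not code from this patch set or from U-Boot. It is a simplified model: certificates are reduced to subject/issuer names (name matching stands in for signature verification), a db hit anywhere on the path is assumed to establish trust, and `check_chain`, `struct cert` and the sample names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: a certificate reduced to subject and issuer names.
 * Matching names stands in for the real X.509 signature check. */
struct cert { const char *subject, *issuer; };
enum verdict { REJECT_REVOKED, REJECT_UNTRUSTED, ACCEPT };

static int listed(const char *name, const char *const *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return 1;
	return 0;
}

static const struct cert *find(const char *subject, const struct cert *c, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(subject, c[i].subject) == 0)
			return &c[i];
	return NULL;
}

/* Walk from the signer through the certificates carried in the signature.
 * A dbx hit anywhere rejects (no timestamp exception); else accept only
 * if some certificate on the path is listed in db (model assumption). */
enum verdict check_chain(const char *signer, const struct cert *sig, size_t nsig,
			 const char *const *db, size_t ndb,
			 const char *const *dbx, size_t ndbx)
{
	int trusted = 0;
	const char *name = signer;
	for (size_t depth = 0; depth <= nsig; depth++) { /* bound stops loops */
		if (listed(name, dbx, ndbx))
			return REJECT_REVOKED;
		trusted |= listed(name, db, ndb);
		const struct cert *c = find(name, sig, nsig);
		if (!c || strcmp(c->subject, c->issuer) == 0)
			break; /* issuer not carried, or self-signed root */
		name = c->issuer;
	}
	return trusted ? ACCEPT : REJECT_UNTRUSTED;
}

int main(void)
{
	const struct cert sig[] = { { "signer", "intca" }, { "intca", "root" } };
	const char *const db[] = { "root" };
	printf("verdict=%d\n", check_chain("signer", sig, 2, db, 1, NULL, 0));
	return 0;
}
```

In this model, a signature that omits the intermediate certificate cannot be linked to a root held in db, which is the case that carrying intermediates in the signature addresses.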