From patchwork Tue Jul 21 10:35:16 2020
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 245583
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v5 0/8] efi_loader: secure boot: support intermediate certificates in signature
Date: Tue, 21 Jul 2020 19:35:16 +0900
Message-Id: <20200721103524.5956-1-takahiro.akashi@linaro.org>

Summary
=======
Under the current implementation of secure boot merged in v2020.07,
the UEFI subsystem verifies a signature using certificates that come
from the signature database, i.e. "db."

In the real world, an image is signed by a signer, but its certificate
can also be signed by another CA and, if it is not self-signed, the latter
will be signed by yet another CA and so on. This is called a certificate
chain and any certificate in the middle of the chain is called an
"intermediate" certificate.

With this patch set applied on top of the current implementation,
the UEFI subsystem will become capable of verifying intermediate
certificates contained in a signature and authenticating an image
in a chain of trusted certificates.

Please note that we don't support RFC6131, or timestamp protocol, and so
if any certificate in the chain is found in the revocation list, i.e. dbx,
the image will unconditionally be disqualified from being loaded or run.

Patch structure
===============
Patch#1-#5: preparatory patches
Patch#6: main part
Patch#7-#8: pytest

Prerequisite
============
All the required patches have been merged.
You can fetch the whole workable repository from here[1].

One patch[2] to sbsigntools must also be applied so that we will be able
to sign an image with intermediate certificates. It is required here for
testing.

Test
====
- The added new pytest (test_signed_intca.py) passed locally.
- In this version, I didn't run Travis CI because there are problems
  with sbsigntools[3][4] as well as virt-make-fs[5].
  But I'm sure all the tests have passed in my local environment.

Misc
====
- checkpatch.pl makes several warnings against pkcs7_verify.c, but
  we will ignore them as it is a file imported from linux code.

[1] https://git.linaro.org/people/takahiro.akashi/u-boot.git efi/secboot
[2] https://groups.io/g/sbsigntools/message/23
[3] https://lists.denx.de/pipermail/u-boot/2020-July/420876.html
[4] https://lists.denx.de/pipermail/u-boot/2020-July/420878.html
[5] https://lists.denx.de/pipermail/u-boot/2020-July/419976.html

v5 (July 21, 2020)
* fix a checkpatch error (Patch#1)
* describe what was the original source (Patch#3)
* use IS_ERR_OR_NULL() to check a return value of x509_cert_parse()
  (Patch#6)
* remove HELLO_PATH and EFI_SECBOOT_IMAGE_NAME (Patch#7)
* modify conftest.py to make it compatible on different versions of
  openssl (Ubuntu 18.04 to 19.10) (Patch#8)
* remove changes to the existing code (Patch#8)
* specify timestamps in generating certificates (Patch#8)
* change test case names (Patch#8)

v4 (July 17, 2020)
* rebased to Heinrich's efi-2020-10-rc4
* remove an already-merged patch
* (no functional change)
* modify conftest.py to align it with recent changes Heinrich made (patch#7)

v3 (Jul 10, 2020)
* rebased to Heinrich's (current) efi-2020-10-rc1
  along with my follow-up patches
* add sanity checks in public_key_verify_signature() (Patch#2)
* simplify include headers in pkcs7_verify.c (Patch#4)
* fix timestamp issues in Test Case 2 and 3 (Patch#8)

v2 (June 16, 2020)
* add function descriptions (Patch#2, #6 and #7)
* pylint and autopep8 against pytest (Patch#8)

v1 (June 9, 2020)
* initial release
* on top of v2020.07-rc4

AKASHI Takahiro (8):
  lib: crypto: add public_key_verify_signature()
  lib: crypto: enable x509_check_for_self_signed()
  lib: crypto: import pkcs7_verify.c from linux
  lib: crypto: add pkcs7_digest()
  lib: crypto: export and enhance pkcs7_verify_one()
  efi_loader: signature: rework for intermediate certificates support
  test/py: efi_secboot: small rework for adding a new test
  test/py: efi_secboot: add test for intermediate certificates

 include/crypto/pkcs7.h                        |   9 +-
 include/crypto/public_key.h                   |   2 +-
 include/efi_loader.h                          |   8 +-
 lib/crypto/Kconfig                            |   3 +
 lib/crypto/Makefile                           |   1 +
 lib/crypto/pkcs7_verify.c                     | 657 ++++++++++++++++++
 lib/crypto/public_key.c                       |  70 +-
 lib/crypto/x509_cert_parser.c                 |   2 -
 lib/crypto/x509_public_key.c                  |  33 +-
 lib/efi_loader/Kconfig                        |   1 +
 lib/efi_loader/efi_image_loader.c             |   2 +-
 lib/efi_loader/efi_signature.c                | 385 +++++-----
 lib/efi_loader/efi_variable.c                 |   5 +-
 test/py/tests/test_efi_secboot/conftest.py    | 126 +++-
 test/py/tests/test_efi_secboot/defs.py        |  10 +-
 test/py/tests/test_efi_secboot/openssl.cnf    |  48 ++
 .../test_efi_secboot/test_signed_intca.py     | 135 ++++
 17 files changed, 1259 insertions(+), 238 deletions(-)
 create mode 100644 lib/crypto/pkcs7_verify.c
 create mode 100644 test/py/tests/test_efi_secboot/openssl.cnf
 create mode 100644 test/py/tests/test_efi_secboot/test_signed_intca.py

-- 
2.27.0
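
The db/dbx chain policy described in the Summary, as an added example that is not part of the original message and is not U-Boot code. It is a toy model: certificate names and the helper names (chain_trusted, in_list, find) are hypothetical, an issuer-name match stands in for the real signature check, and db/dbx are modelled as lists of names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy certificate: names stand in for X.509 subject/issuer, and "issuer
 * name matches" stands in for a real signature check (assumption). */
struct cert { const char *subject, *issuer; };

static bool in_list(const char *name, const char *const *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (!strcmp(list[i], name))
			return true;
	return false;
}

static const struct cert *find(const char *subj, const struct cert *set, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (!strcmp(set[i].subject, subj))
			return &set[i];
	return NULL;
}

/* Walk from the signer up through the certificates carried in the signature.
 * Any chain member in dbx rejects; otherwise some member must be in db. */
bool chain_trusted(const char *signer, const struct cert *certs, size_t n_certs,
		   const char *const *db, size_t n_db,
		   const char *const *dbx, size_t n_dbx)
{
	const struct cert *c = find(signer, certs, n_certs);
	bool anchored = false;

	/* The depth bound stops an issuer loop among the supplied certificates. */
	for (size_t depth = 0; c && depth < n_certs; depth++) {
		if (in_list(c->subject, dbx, n_dbx) || in_list(c->issuer, dbx, n_dbx))
			return false;
		if (in_list(c->subject, db, n_db) || in_list(c->issuer, db, n_db))
			anchored = true;
		if (!strcmp(c->subject, c->issuer))
			break;			/* self-signed: top of the chain */
		c = find(c->issuer, certs, n_certs);
	}
	return anchored;
}

/* Constructed sample: signer -> intermediate CA -> root CA (root kept in db). */
static const struct cert with_intca[] = {
	{ "TestSigner", "TestIntCA" }, { "TestIntCA", "TestRootCA" },
};
static const char *const db_root[] = { "TestRootCA" };
static const char *const dbx_intca[] = { "TestIntCA" };
```

Passing only the first entry of with_intca models a signature that omits the intermediate certificate: the walk cannot reach the root in db, so the image is rejected.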