From patchwork Mon Apr 18 18:07:22 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 563106
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 1/2] efi_loader: add sha384/512 on certificate revocation
Date: Mon, 18 Apr 2022 21:07:22 +0300
Message-Id: <20220418180724.1855888-1-ilias.apalodimas@linaro.org>

Currently we don't support sha384/512 for the X.509 certificate in dbx. Moreover, if we come across such a hash we skip the check and approve the image, although the image might need to be rejected.

Rework the code a bit and fix it by adding an array of structs with the supported GUIDs, len and literal used in the U-Boot crypto APIs instead of hardcoding the GUID types.

It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and add sha384/512 support there as well.

Signed-off-by: Ilias Apalodimas
---
changes since v2:
- updated changelog (there was no v1)
changes since RFC:
- add an array of structs with the algo info instead of a function
- checking hash_calculate result in efi_hash_regions()

 include/efi_api.h              |  6 +++
 include/efi_loader.h           |  7 +++
 lib/efi_loader/efi_helper.c    | 85 ++++++++++++++++++++++++++++++++++
 lib/efi_loader/efi_signature.c | 76 +++++++++++++++++++++---------
 4 files changed, 151 insertions(+), 23 deletions(-)

diff --git a/include/efi_api.h b/include/efi_api.h index 982c2001728d..b9a04958f9ba 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -1873,6 +1873,12 @@ struct efi_system_resource_table { #define EFI_CERT_X509_SHA256_GUID \ EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \ 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed) +#define EFI_CERT_X509_SHA384_GUID \ + EFI_GUID(0x7076876e, 0x80c2, 0x4ee6, \ + 0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b) +#define EFI_CERT_X509_SHA512_GUID \ + EFI_GUID(0x446dbf63, 0x2502, 0x4cda, \ + 0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d) #define EFI_CERT_TYPE_PKCS7_GUID \ EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \ 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) diff --git a/include/efi_loader.h b/include/efi_loader.h index af36639ec6a7..ce221ee9317b 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -300,6 +300,8 @@ extern const efi_guid_t efi_guid_image_security_database; extern const efi_guid_t efi_guid_sha256; extern const efi_guid_t efi_guid_cert_x509; extern const efi_guid_t efi_guid_cert_x509_sha256; +extern const efi_guid_t efi_guid_cert_x509_sha384; +extern const efi_guid_t efi_guid_cert_x509_sha512; extern const efi_guid_t efi_guid_cert_type_pkcs7; /* GUID of RNG protocol */ @@ -671,6 +673,11 @@ efi_status_t efi_file_size(struct efi_file_handle *fh, efi_uintn_t *size); /* get a device path from a Boot#### option */ struct efi_device_path *efi_get_dp_from_boot(const efi_guid_t guid); +/* get len, string (used in u-boot crypto from a guid */ +const char *guid_to_sha_str(const efi_guid_t *guid); +int guid_to_sha_len(const efi_guid_t *guid); +int algo_to_len(const char *algo); + /** * efi_size_in_pages() - convert size in bytes to size in pages * diff --git a/lib/efi_loader/efi_helper.c b/lib/efi_loader/efi_helper.c index 802d39ed97b6..c186ba4a3c01 100644 --- a/lib/efi_loader/efi_helper.c +++ b/lib/efi_loader/efi_helper.c 
@@ -92,3 +92,88 @@ err: free(var_value); return NULL; } + +const struct guid_to_hash_map { + efi_guid_t guid; + const char algo[32]; + u32 bits; +} guid_to_hash[] = { + { + EFI_CERT_X509_SHA256_GUID, + "sha256", + 256, + }, + { + EFI_CERT_SHA256_GUID, + "sha256", + 256, + }, + { + EFI_CERT_X509_SHA384_GUID, + "sha384", + 384, + }, + { + EFI_CERT_X509_SHA512_GUID, + "sha512", + 512, + }, +}; + +#define MAX_GUID_TO_HASH_COUNT ARRAY_SIZE(guid_to_hash) + +/** guid_to_sha_str - return the sha string e.g "sha256" for a given guid + * used on EFI security databases + * + * @guid: guid to check + * + * Return: len or 0 if no match is found + */ +const char *guid_to_sha_str(const efi_guid_t *guid) +{ + size_t i; + + for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) { + if (!guidcmp(guid, &guid_to_hash[i].guid)) + return guid_to_hash[i].algo; + } + + return NULL; +} + +/** guid_to_sha_len - return the sha size in bytes for a given guid + * used on EFI security databases + * + * @guid: guid to check + * + * Return: len or 0 if no match is found + */ +int guid_to_sha_len(const efi_guid_t *guid) +{ + size_t i; + + for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) { + if (!guidcmp(guid, &guid_to_hash[i].guid)) + return guid_to_hash[i].bits / 8; + } + + return 0; +} + +/** algo_to_len - return the sha size in bytes for a given string + * + * @guid: string to check + * + * Return: len or 0 if no match is found + */ +int algo_to_len(const char *algo) +{ + size_t i; + + for (i = 0; i < MAX_GUID_TO_HASH_COUNT; i++) { + if (!strcmp(algo, guid_to_hash[i].algo)) + return guid_to_hash[i].bits / 8; + } + + return 0; +} diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 79ed077ae7dd..cf01f21b4d04 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -24,6 +24,8 @@ const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID; const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID; const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID; const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID; +const efi_guid_t efi_guid_cert_x509_sha384 = EFI_CERT_X509_SHA384_GUID; +const efi_guid_t efi_guid_cert_x509_sha512 = EFI_CERT_X509_SHA512_GUID; const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; static u8 pkcs7_hdr[] = { @@ -124,23 +126,32 @@ struct pkcs7_message *efi_parse_pkcs7_header(const void *buf, * Return: true on success, false on error */ static bool efi_hash_regions(struct image_region *regs, int count, - void **hash, size_t *size) + void **hash, const char *hash_algo, int *len) { + int ret; + + if (!hash_algo || !len) + return false; + + *len = algo_to_len(hash_algo); + if (!*len) + return false; + if (!*hash) { - *hash = calloc(1, SHA256_SUM_LEN); + *hash = calloc(1, *len); if (!*hash) { EFI_PRINT("Out of memory\n"); return false; } } - if (size) - *size = SHA256_SUM_LEN; - hash_calculate("sha256", regs, count, *hash); + ret = hash_calculate(hash_algo, regs, count, *hash); + if (ret) + return false; #ifdef DEBUG EFI_PRINT("hash calculated:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - *hash, SHA256_SUM_LEN, false); + *hash, *len, false); #endif return true; @@ -190,7 +201,6 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, struct efi_signature_store *siglist; struct efi_sig_data *sig_data; void *hash = NULL; - size_t size = 0; bool found = false; bool hash_done = false; @@ -200,6 +210,8 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, goto out; for (siglist = db; siglist; siglist = siglist->next) { + int len = 0; + const char *hash_algo = NULL; /* * if the hash algorithm is unsupported and we get an entry in * dbx reject the image 
@@ -215,8 +227,14 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) continue; + hash_algo = guid_to_sha_str(&efi_guid_sha256); + /* + * We could check size and hash_algo but efi_hash_regions() + * will do that for us + */ if (!hash_done && - !efi_hash_regions(regs->reg, regs->num, &hash, &size)) { + !efi_hash_regions(regs->reg, regs->num, &hash, hash_algo, + &len)) { EFI_PRINT("Digesting an image failed\n"); break; } @@ -229,8 +247,8 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs, print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, sig_data->data, sig_data->size, false); #endif - if (sig_data->size == size && - !memcmp(sig_data->data, hash, size)) { + if (sig_data->size == len && + !memcmp(sig_data->data, hash, len)) { found = true; free(hash); goto out; @@ -263,8 +281,9 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL, *hash_tmp = NULL; - size_t size = 0; + int len = 0; bool found = false; + const char *hash_algo = NULL; EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db); @@ -278,7 +297,11 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + + /* We just need any sha256 algo to start the matching */ + hash_algo = guid_to_sha_str(&efi_guid_sha256); + len = guid_to_sha_len(&efi_guid_sha256); + if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) goto out; EFI_PRINT("%s: searching for %s\n", __func__, cert->subject); @@ -290,6 +313,7 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, for (sig_data = siglist->sig_data_list; sig_data; sig_data = sig_data->next) { struct x509_certificate *cert_tmp; + int len_tmp; cert_tmp = x509_cert_parse(sig_data->data, sig_data->size); 
@@ -300,12 +324,13 @@ static bool efi_lookup_certificate(struct x509_certificate *cert, cert_tmp->subject); reg[0].data = cert_tmp->tbs; reg[0].size = cert_tmp->tbs_size; - if (!efi_hash_regions(reg, 1, &hash_tmp, NULL)) + if (!efi_hash_regions(reg, 1, &hash_tmp, hash_algo, + &len_tmp)) goto out; x509_free_certificate(cert_tmp); - if (!memcmp(hash, hash_tmp, size)) { + if (!memcmp(hash, hash_tmp, len)) { found = true; goto out; } @@ -400,9 +425,10 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, struct efi_sig_data *sig_data; struct image_region reg[1]; void *hash = NULL; - size_t size = 0; + int len = 0; time64_t revoc_time; bool revoked = false; + const char *hash_algo = NULL; EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx); @@ -411,13 +437,14 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, EFI_PRINT("Checking revocation against %s\n", cert->subject); for (siglist = dbx; siglist; siglist = siglist->next) { - if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) + hash_algo = guid_to_sha_str(&siglist->sig_type); + if (!hash_algo) continue; /* calculate hash of TBSCertificate */ reg[0].data = cert->tbs; reg[0].size = cert->tbs_size; - if (!efi_hash_regions(reg, 1, &hash, &size)) + if (!efi_hash_regions(reg, 1, &hash, hash_algo, &len)) goto out; for (sig_data = siglist->sig_data_list; sig_data; 
@@ -429,18 +456,18 @@ static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, * }; */ #ifdef DEBUG - if (sig_data->size >= size) { + if (sig_data->size >= len) { EFI_PRINT("hash in db:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - sig_data->data, size, false); + sig_data->data, len, false); } #endif - if ((sig_data->size < size + sizeof(time64_t)) || - memcmp(sig_data->data, hash, size)) + if ((sig_data->size < len + sizeof(time64_t)) || + memcmp(sig_data->data, hash, len)) continue; - memcpy(&revoc_time, sig_data->data + size, + memcpy(&revoc_time, sig_data->data + len, sizeof(revoc_time)); EFI_PRINT("revocation time: 0x%llx\n", revoc_time); /* @@ -488,6 +515,7 @@ bool efi_signature_verify(struct efi_image_regions *regs, goto out; for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { + int len; EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", sinfo->sig->hash_algo, sinfo->sig->pkey_algo); 
@@ -500,7 +528,9 @@ bool efi_signature_verify(struct efi_image_regions *regs, */ if (!msg->data && !efi_hash_regions(regs->reg, regs->num, - (void **)&sinfo->sig->digest, NULL)) { + (void **)&sinfo->sig->digest, + guid_to_sha_str(&efi_guid_sha256), + &len)) { EFI_PRINT("Digesting an image failed\n"); goto out; }
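Review bot: the comment above the three new prototypes in the include/efi_loader.h hunk (@@ -671,6), `/* get len, string (used in u-boot crypto from a guid */`, has an unbalanced parenthesis and does not say what is returned when the GUID is unknown; suggest `/* get the digest length / algorithm string (as used by the U-Boot crypto API) for a GUID; 0 / NULL if unknown */`, or move the description into kernel-doc on the definitions in efi_helper.c.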
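Review bot: the kernel-doc in the lib/efi_loader/efi_helper.c hunk (@@ -92,3) does not match the code: guid_to_sha_str() is documented as `Return: len or 0 if no match is found` but returns a string or NULL, and algo_to_len() documents `@guid: string to check` while its parameter is `algo`; the `/** guid_to_sha_str - ...` first lines also need the `/**` on its own line and a `name() -` form for kernel-doc to pick them up. The table `const struct guid_to_hash_map { ... } guid_to_hash[]` is only used in this file and should be `static const`, and `MAX_GUID_TO_HASH_COUNT` can be replaced by `ARRAY_SIZE(guid_to_hash)` at the three loop heads.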
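Review bot: the commit message says sha384/512 support is added to efi_signature_lookup_digest() as well, but the @@ -215,8 hunk keeps the unchanged `if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) continue;` and then derives `hash_algo` from `efi_guid_sha256`, so plain-digest sha384/512 lists are still skipped there. Either drop that claim from the message or select the algorithm via `guid_to_sha_str(&siglist->sig_type)` as efi_signature_check_revocation() now does; the latter also needs the plain-hash sha384/sha512 GUIDs in guid_to_hash[], which currently only carries EFI_CERT_SHA256_GUID besides the X509 variants.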
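Review bot: efi_hash_regions() (@@ -124,23) allocates `*hash` only when it is NULL, sized by the algorithm of that first call, while efi_signature_check_revocation() (@@ -411,13) now passes the same `hash` across dbx lists whose `sig_type`, and hence `hash_algo`, can differ. Unless `hash` is freed and reset per list in code outside the hunk, a dbx holding a sha256 list followed by a sha512 list makes hash_calculate() write 64 bytes into a 32-byte allocation. Suggest `free(hash); hash = NULL;` at the end of each siglist iteration, or passing the current allocation size into efi_hash_regions() and reallocating when `*len` grows.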
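Review bot: in the efi_lookup_certificate() hunk (@@ -278,7) `len = guid_to_sha_len(&efi_guid_sha256);` is dead, since efi_hash_regions() sets `*len = algo_to_len(hash_algo)` on the next call; drop it. The `int len_tmp` added in @@ -290,6 is written by efi_hash_regions() in @@ -300,12 but never read (the memcmp uses `len`); either pass `&len` again, or keep it and check `len_tmp == len` before the memcmp. The comment `/* We just need any sha256 algo to start the matching */` is unclear; say that X509 entries in db are matched by comparing sha256 digests of both TBSCertificates.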
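Review bot: `size_t size` becomes `int len` in the efi_signature.c hunks, so `sig_data->size == len` (@@ -229,8) and `sig_data->size >= len` (@@ -429,18) now compare an unsigned size with an int and will warn under -Wsign-compare; keeping `size_t` for the length, and for the return type of guid_to_sha_len()/algo_to_len(), avoids that. In efi_signature_verify() (@@ -488,6 and @@ -500,7) the new `int len;` needs a blank line after the declaration, and the image digest is still computed with a hard-coded sha256 although `sinfo->sig->hash_algo` is printed two lines above; consider passing that string instead so the digest follows the signature's own algorithm.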
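To make the failure mode described in the commit message concrete, here is an added illustration in Python; it is not U-Boot code and not part of the patch. It mirrors the GUID-to-algorithm table the patch introduces (the three EFI_CERT_X509_SHA* GUIDs are the ones from the include/efi_api.h hunk) and models the dbx lookup of efi_signature_check_revocation(): a certificate is revoked when a dbx list of a supported type holds the digest of its TBSCertificate. The functions `check_revocation`, `make_dbx_entry`, `demo`, the `OLD_TABLE` (only sha256 known, as before the patch), `UNKNOWN_GUID`, and the TBSCertificate bytes are constructed for this example; the entry layout (digest followed by an 8-byte time) follows how the hunk reads `sig_data` (`len + sizeof(time64_t)`), and the revocation time is not evaluated, matching the hunk, which only prints it.

```python
"""Model of the dbx certificate-revocation lookup that the patch reworks.

Illustration added here; it is not U-Boot code and not part of the patch.
"""
import hashlib
import struct
import uuid

# GUIDs as defined in the patch's include/efi_api.h hunk.
EFI_CERT_X509_SHA256_GUID = uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed")
EFI_CERT_X509_SHA384_GUID = uuid.UUID("7076876e-80c2-4ee6-aad2-28b349a6865b")
EFI_CERT_X509_SHA512_GUID = uuid.UUID("446dbf63-2502-4cda-bcfa-2465d2b0fe9d")
# Constructed placeholder for any signature-list type neither table knows.
UNKNOWN_GUID = uuid.UUID("00000000-0000-0000-0000-000000000000")

# Counterpart of guid_to_hash[]: sig_type GUID -> (algo literal, digest length in bytes).
GUID_TO_HASH = {
    EFI_CERT_X509_SHA256_GUID: ("sha256", 32),
    EFI_CERT_X509_SHA384_GUID: ("sha384", 48),
    EFI_CERT_X509_SHA512_GUID: ("sha512", 64),
}
# What the code understood before the patch: only the sha256 entry type.
OLD_TABLE = {EFI_CERT_X509_SHA256_GUID: GUID_TO_HASH[EFI_CERT_X509_SHA256_GUID]}

# The hunk reads a time64_t (8 bytes) right after the digest.
TIME64_LEN = 8


def guid_to_sha_str(guid):
    """Counterpart of guid_to_sha_str(): algorithm literal, or None for an unknown GUID."""
    entry = GUID_TO_HASH.get(guid)
    return entry[0] if entry else None


def hash_regions(tbs, algo):
    """Stand-in for efi_hash_regions(): digest of the TBSCertificate bytes."""
    return hashlib.new(algo, tbs).digest()


def make_dbx_entry(tbs, sig_type, revoc_time):
    """Build one constructed dbx entry in the layout the code compares: digest || time64."""
    algo, _ = GUID_TO_HASH[sig_type]
    return hash_regions(tbs, algo) + struct.pack("<q", revoc_time)


def check_revocation(tbs, dbx, supported=GUID_TO_HASH):
    """Model of efi_signature_check_revocation().

    dbx is a list of (sig_type GUID, [entry bytes, ...]) signature lists.
    Returns True when a list of a supported type holds the digest of tbs.
    """
    for sig_type, entries in dbx:
        algo = supported.get(sig_type)
        if algo is None:
            # Unknown entry type is skipped. With OLD_TABLE this is the
            # fail-open path for sha384/sha512 lists that the patch closes.
            continue
        name, n = algo
        # A fresh digest per list, so digest lengths never get mixed up.
        digest = hash_regions(tbs, name)
        for data in entries:
            # Same sanity check as the hunk: digest plus time must fit.
            if len(data) < n + TIME64_LEN or data[:n] != digest:
                continue
            return True
    return False


def demo():
    """dbx holding only the sha384 of the signing cert: old table accepts, new table revokes."""
    tbs = b"constructed TBSCertificate bytes of the signing certificate"
    dbx = [(EFI_CERT_X509_SHA384_GUID,
            [make_dbx_entry(tbs, EFI_CERT_X509_SHA384_GUID, revoc_time=2000)])]
    before = check_revocation(tbs, dbx, supported=OLD_TABLE)
    after = check_revocation(tbs, dbx)
    return before, after


if __name__ == "__main__":
    print("revoked before patch: %s, after patch: %s" % demo())
```

Running the module prints `revoked before patch: False, after patch: True`: with only the sha256 type known, the sha384 list is skipped and nothing marks the certificate as revoked, which is the "skip the check and approve the image" behaviour the patch removes. The model recomputes the digest for every list instead of reusing one buffer, which is why differing digest lengths between lists cannot interfere here.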

From patchwork Mon Apr 18 18:07:23 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 563107
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image
Date: Mon, 18 Apr 2022 21:07:23 +0300
Message-Id: <20220418180724.1855888-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220418180724.1855888-1-ilias.apalodimas@linaro.org>
References: <20220418180724.1855888-1-ilias.apalodimas@linaro.org>

The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests.

Signed-off-by: Ilias Apalodimas
---
changes since v2:
- None
changes since RFC:
- new patch

 test/py/tests/test_efi_secboot/conftest.py    |  6 +++
 test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003c..8a53dabe5414 100644 --- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d48..80d5eff74be3 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -235,6 +235,56 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5f, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5G, authenticated even if only one of signatures + # is verified. 
Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database
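Review bot: the two new cert-to-efi-hash-list / sign-efi-sig-list calls in the conftest.py hunk (@@ -80,6) carry no comment, unlike the `# dbx_hash1 (digest of TEST_db1 certificate)` line right after them; add e.g. `# dbx_hash384 / dbx_hash512 (sha384 / sha512 digest of TEST_db certificate)` so a reader knows which certificate each .auth file revokes and with which digest. The three commands differ only in the `-s` size and the output names, so a small loop over `(256, 384, 512)` would avoid copying the long command string a third time.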
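Review bot: both new blocks in the test_signed.py hunk (@@ -235,6) open `u_boot_console.log.section('Test Case 5e')`, reusing the name of the existing 5e section, while their comments say `Test Case 5f` and `Test Case 5G` and repeat `Same as before but reject dbx_hash1.auth only` although they load dbx_hash384.auth and dbx_hash512.auth; name the sections 'Test Case 5f' and 'Test Case 5g' and state what is checked (an image signed with db.crt is rejected once the sha384 / sha512 of that certificate is in dbx). The two cases differ only in the dbx file, so a helper taking the .auth name would keep the command lists from being duplicated again.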