From patchwork Mon Feb 14 09:14:22 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 542518
From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, u-boot@lists.denx.de
Subject: [RFC PATCH] efi_loader: fix uefi secure boot with intermediate certs
Date: Mon, 14 Feb 2022 11:14:22 +0200
Message-Id: <20220214091422.2393818-1-ilias.apalodimas@linaro.org>

The general rule of accepting or rejecting an image is:

1. Is the sha256 of the image in dbx
2. Is the image signed with a certificate that's found in db and not in dbx
3. The image carries a cert which is signed by a cert in db (and not in dbx) and the image can be verified against the former
4. Is the sha256 of the image in db

For example, SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher", which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in its turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root". The latter is a self-signed CA certificate and with our current implementation allows shim to execute if we insert it in db. However, it's the CA cert in the middle of the chain which usually ends up in the system's db.

pkcs7_verify_one() might or might not return the root certificate for a given chain. But when verifying executables in UEFI, the trust anchor can be in the middle of the chain, as long as that certificate is present in db. Currently we only allow this check on self-signed certificates, so let's remove that check and allow all certs to try to match an entry in db.

Open questions:
- Does this break any aspect of variable authentication since efi_signature_verify() is used on those as well?
Signed-off-by: Ilias Apalodimas --- lib/efi_loader/efi_signature.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 1bd1fdc95fce..79ed077ae7dd 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -518,12 +518,11 @@ bool efi_signature_verify(struct efi_image_regions *regs, goto out; EFI_PRINT("Verifying last certificate in chain\n"); - if (signer->self_signed) { - if (efi_lookup_certificate(signer, db)) - if (efi_signature_check_revocation(sinfo, - signer, dbx)) - break; - } else if (efi_verify_certificate(signer, db, &root)) { + if (efi_lookup_certificate(signer, db)) + if (efi_signature_check_revocation(sinfo, signer, dbx)) + break; + if (!signer->self_signed && + efi_verify_certificate(signer, db, &root)) { bool check; check = efi_signature_check_revocation(sinfo, root,
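Review bot: the new fall-through in this hunk changes what happens when efi_lookup_certificate(signer, db) succeeds but efi_signature_check_revocation(sinfo, signer, dbx) fails: before, a self-signed signer in that state simply did not break and a non-self-signed signer was never looked up in dbx here; now a non-self-signed signer that is listed in dbx falls straight into `if (!signer->self_signed && efi_verify_certificate(signer, db, &root))`, where only `root` is checked against dbx, so a revoked intermediate could still be accepted through a chain that ends at a root present in db. Suggest making the revoked case terminal (reject, or at least `continue`, when the dbx check on `signer` fails) or checking `signer` against dbx once before either branch, and resolving the open question about variable authentication in the commit message before this leaves RFC, since the same efi_signature_verify() path is exercised there.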
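The four-step db/dbx rule from the commit message, with the trust anchor allowed anywhere in the chain, as an added model that is not U-Boot's code: certificates are reduced to (subject, issuer) names and chain links are checked by name only (no X.509 or PKCS#7 parsing), the image bytes are a constructed stand-in, and `db`/`dbx` are sets of `("cert", subject)` or `("sha256", hexdigest)` entries.

```python
import hashlib
from collections import namedtuple

# Constructed model: a certificate is just its subject and issuer name.
Cert = namedtuple("Cert", "subject issuer")

# The shim chain named in the commit message, leaf first. Names only; no real certs.
SHIM_CHAIN = [
    Cert("CN=Microsoft Windows UEFI Driver Publisher",
         "CN=Microsoft Corporation UEFI CA 2011"),
    Cert("CN=Microsoft Corporation UEFI CA 2011",
         "CN=Microsoft Corporation Third Party Marketplace Root"),
    Cert("CN=Microsoft Corporation Third Party Marketplace Root",
         "CN=Microsoft Corporation Third Party Marketplace Root"),  # self-signed root
]
SHIM_IMAGE = b"constructed stand-in for the shim PE image"  # not a real binary


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, chain, db, dbx):
    """Return (accepted, reason). chain[0] signed the image; chain[i+1] issued chain[i].
    Rule numbers follow the commit message; dbx always wins over db."""
    digest = sha256_hex(image)
    # Rule 1: a revoked image hash rejects regardless of any signature.
    if ("sha256", digest) in dbx:
        return False, "rule 1: image hash revoked in dbx"
    signer = chain[0]
    if ("cert", signer.subject) in dbx:
        return False, "signer certificate revoked in dbx"
    # Rule 2: the signing certificate itself is trusted via db.
    if ("cert", signer.subject) in db:
        return True, "rule 2: signer found in db"
    # Rule 3: walk up the chain; any issuer in db is an acceptable anchor,
    # not only the self-signed root. Link validity is modelled by name match.
    for child, issuer in zip(chain, chain[1:]):
        if child.issuer != issuer.subject:
            return False, "broken chain"
        if ("cert", issuer.subject) in dbx:
            return False, f"issuer revoked in dbx: {issuer.subject}"
        if ("cert", issuer.subject) in db:
            return True, f"rule 3: chain anchored at {issuer.subject}"
    # Rule 4: the image hash itself is allow-listed.
    if ("sha256", digest) in db:
        return True, "rule 4: image hash allowed in db"
    return False, "no trust anchor in db"
```

Running it with only the intermediate "UEFI CA 2011" in db accepts the chain, while listing that same intermediate in dbx rejects it even when the root is in db.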