Some updates, On Tue, Nov 26, 2019 at 09:51:04AM +0900, AKASHI Takahiro wrote: > One of major missing features in current UEFI implementation is "secure boot." > The ultimate goal of my attempt is to implement image authentication based > on signature and provide UEFI secure boot support which would be fully > compliant with UEFI specification, section 32[1]. > (The code was originally developed by Patrick Wildt.) > > While this patch/RFC is still rough-edged, the aim here is to get early > feedbacks from the community as the patch is quite huge (in total) and also > as it's a security enhancement.
Oops, this sentence should have been deleted. [...] > Test: > * my pytest, included in this patch set, passed. > * efi_selftest passed. (At least no reguression.) > * Travis CI tests, except the following two, have passed: > - test/py sandbox > test/py/tests/test_fs/test_unlink.py test_unlink2 I cannot reproduce this issue even if I re-submit a specific job. It may be a transient error as Heinrich has reported on fat write before? > - test/py sandbox with clang > cmd/efidebug.c:703:15: error: result of comparison of constant > 9223372036854775822 with expression of type 'int' is always false > [-Werror,-Wtautological-constant-out-of-range-compare] Sent out a patch. Thanks, -Takahiro Akashi > But as you can see, those have nothing to do with my UEFI secure boot > patch and are existing bugs. > > Known issues: > * efitools is used in pytest, and its version must be v1.5.2 or later. > (Solution: You can define EFITOOLS_PATH in defs.py for your own efitools.) > * Pytest depends on standalone "helloworld" app for sandbox > (Solution: You can define HELLO_PATH in defs.py or Heinrich's [7].) > * Travis CI errors mentioned above > => I will send *separate* bug-fix patches once fixed. > > > Hints about how to use: > (Please see other documents, or my pytest scripts, for details.) > * You can create your own certificates with openssl. > * You can sign your application with sbsign (on Ubuntu). > * You can create raw data for signature database with efitools, and > install/manage authenticated variables with "env -set -e" command > or efitools' "UpdateVars.efi" application. > > > [1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf > [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html > (import x509/pkcs7 parsers from linux) > [3] https://lists.denx.de/pipermail/u-boot/2019-November/390150.html > (extend rsa_verify() for UEFI secure boot) > [4] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot > [5] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html > (non-volatile variables support) > [6] https://bugzilla.tianocore.org/show_bug.cgi?id=2230 > [7] https://lists.denx.de/pipermail/u-boot/2019-November/389593.html > > > Changes in v2 (Nov 26, 2019) > * rebased to v2020.01-rc3 > * rename IMAGE_DIRECTORY_ENTRY_CERTTABLE to IMAGE_DIRECTORY_ENTRY_SECURITY > (patch#1,#9) > * add comments (patch#1) > * drop v1's patch#2 as it is no longer necessary > * drop v1's patch#3 as other "SECURE_BOOT" architectures have renamed > this option and no longer use it > * add structure descriptions (patch#3) > * rework hash calculation code in efi_signature_verify() and remove > an odd constant, WinIndrectSha256 (patch#3) > * move travis.yml changes to a seprate patch (patch#12, #16) > * yield_fixture() -> fixture() (patch#12) > * call console.restart_uboot() at every test case (13,#14) > * add patch#15; enable UEFI-related configurations by default on sandbox > * add patch#16; modify Travis CI environment to run UEFI secure boot test > > Changes in v1 (Nov 13, 2019) > * rebased to v2020.01-rc > * remove already-merged patches > * re-work the patch set for easier reviews, including > - move a config definition patch forward (patch#4) > - refactor/rename verification functions (patch#5/#10) > - split signature database parser as a separate patch (patch#6) > - split secure state transition code as a separate patch (patch#8) > - move most part of init_secure_boot() into init_variables() (patch#8) > - split test environment setup from test patches (patch#14) > * add function descriptions (patch#5-#11) > * make sure the section list is sorted in ascending order in hash > calculation of PE image (patch#10) > * add a new "-at" (authenticated access) option to "env -e" (patch#13) > * list required host packages, in particular udisks2, in pytest > (patch#14) > * modify conftest.py to run under python3 (patch#14) > * use a partition on a disk instead of a whole disk without partition > table (patch#14) > * reduce depencendy on efitools, yet relying on its host tools (patch#14) > * modify pytests to catch up wth latest changes of "env -e" syntax > (patch#15,#16) > > RFC (Sept 18, 2019) > > AKASHI Takahiro (16): > include: pe.h: add signature-related definitions > efi_loader: add CONFIG_EFI_SECURE_BOOT config option > efi_loader: add signature verification functions > efi_loader: add signature database parser > efi_loader: variable: support variable authentication > efi_loader: variable: add secure boot state transition > efi_loader: variable: add VendorKeys variable > efi_loader: image_loader: support image authentication > efi_loader: set up secure boot > cmd: env: use appropriate guid for authenticated UEFI variable > cmd: env: add "-at" option to "env set -e" command > efi_loader, pytest: set up secure boot environment > efi_loader, pytest: add UEFI secure boot tests (authenticated > variables) > efi_loader, pytest: add UEFI secure boot tests (image) > sandbox: add extra configurations for UEFI and related tests > travis: add packages for UEFI secure boot test > > .travis.yml | 11 +- > cmd/nvedit.c | 5 +- > cmd/nvedit_efi.c | 23 +- > configs/sandbox64_defconfig | 3 + > configs/sandbox_defconfig | 3 + > include/efi_api.h | 87 ++ > include/efi_loader.h | 85 +- > include/pe.h | 18 + > lib/efi_loader/Kconfig | 16 + > lib/efi_loader/Makefile | 1 + > lib/efi_loader/efi_boottime.c | 2 +- > lib/efi_loader/efi_image_loader.c | 443 +++++++- > lib/efi_loader/efi_setup.c | 38 + > lib/efi_loader/efi_signature.c | 811 +++++++++++++++ > lib/efi_loader/efi_variable.c | 950 ++++++++++++++++-- > test/py/README.md | 8 + > test/py/tests/test_efi_secboot/conftest.py | 151 +++ > test/py/tests/test_efi_secboot/defs.py | 21 + > .../py/tests/test_efi_secboot/test_authvar.py | 282 ++++++ > test/py/tests/test_efi_secboot/test_signed.py | 99 ++ > .../tests/test_efi_secboot/test_unsigned.py | 103 ++ > 21 files changed, 3032 insertions(+), 128 deletions(-) > create mode 100644 lib/efi_loader/efi_signature.c > create mode 100644 test/py/tests/test_efi_secboot/conftest.py > create mode 100644 test/py/tests/test_efi_secboot/defs.py > create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py > create mode 100644 test/py/tests/test_efi_secboot/test_signed.py > create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py > > -- > 2.24.0 > _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
