[U-Boot] [PATCH 00/16] efi_loader: add secure boot support

AKASHI Takahiro takahiro.akashi at linaro.org
Wed Nov 13 00:52:50 UTC 2019


One of major missing features in current UEFI implementation is "secure boot."
The ultimate goal of my attempt is to implement image authentication based
on signature and provide UEFI secure boot support which would be fully
compliant with UEFI specification, section 32[1].
(The code was originally developed by Patrick Wildt.)

While this patch/RFC is still rough-edged, the aim here is to get early
feedbacks from the community as the patch is quite huge (in total) and also
as it's a security enhancement.

Please note, however, this patch doesn't work on its own; there are
a couple of functional dependencies[2] and [3], that I have submitted
before. For complete workable patch set, see my repository[4],
which also contains exeperimental timestamp-based revocation suuport.

My "non-volatile" support[5], which is under discussion, is not mandatory
and so not included here, but this inevitably implies that, for example,
signature database variables, like db and dbx, won't be persistent unless you
explicitly run "env save" command and that UEFI variables are not separated
from U-Boot environment. Anyhow, Linaro is also working on implementing
real "secure storage" solution based on TF-A and OP-TEE.


Supported features:
* image authentication based on db and dbx
* supported signature types are
    EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
    EFI_CERT_X509_GUID (x509 certificate for signed images)
* SecureBoot/SignatureSupport variables
* SetupMode and user mode
* variable authentication based on PK and KEK
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
* basic pytest test cases

Unsupported features: (marked as TODO in most cases in the source code,
			and won't be included in this series)
* hash algorithms other than SHA256
* dbt: timestamp(RFC6131)-based certificate revocation
* dbr: OS recovery 
* xxxDefault: default values for signature stores
* transition to AuditMode and DeployedMode
* recording rejected images in EFI_IMAGE_EXECUTION_INFO_TABLE
* verification "policy", in particular, check against signature's owner
* private authenticated variables
* variable authentication with EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS
* real secure storage support, including hardware-specific PK (Platform Key)
  installation

TODO's other than "Unsupported features": (won't be included in this series)
* struct efi_image_regions cannot have arbitrary number of regions
* fail recovery, in particular, in modifying authenticated variables
* support read-only attributes of well-defined global variables
  in particular, "SignatureSupport"
* Extensive test suite (or more test cases) to confirm compatibility
  with EDK2
	=> I requested EDK SCT community to add tests[6].

Known issues:
* remove generic CONFIG_SECURE_BOOT option (on NXP/Freescale platforms)
  (I'm looking forward to fixes from NXP guys.)
* efitools is used in pytest, and its version must be v1.5.2 or later.
  (Solution: You can define EFITOOLS_PATH in defs.py for your own efitools.)
* Pytest depends on standalone "helloworld" app for sandbox
  (Solution: You can define HELLO_PATH in defs.py or Heinrich's [7].)

Test:
* my pytest, included in this patch set, passed.
* efi_selftest passed. (At least no reguression.)
* Travis CI passed. (But pytest itself was skipped.)


Hints about how to use:
(Please see other documents, or my pytest scripts, for details.)
* You can create your own certificates with openssl.
* You can sign your application with sbsign (on Ubuntu).
* You can create raw data for signature database with efitools, and
  install/manage authenticated variables with "env -set -e" command
  or efitools' "UpdateVars.efi" application.


[1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
[2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
    (import x509/pkcs7 parsers from linux)
[3] https://lists.denx.de/pipermail/u-boot/2019-November/390150.html
    (extend rsa_verify() for UEFI secure boot)
[4] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot
[5] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html
    (non-volatile variables support)
[6] https://bugzilla.tianocore.org/show_bug.cgi?id=2230
[7] https://lists.denx.de/pipermail/u-boot/2019-November/389593.html


Changes in v1 (Nov 13, 2019)
* rebased to v2020.01-rc
* remove already-merged patches
* re-work the patch set for easier reviews, including
  - move a config definition patch forward (patch#4)
  - refactor/rename verification functions (patch#5/#10)
  - split signature database parser as a separate patch (patch#6)
  - split secure state transition code as a separate patch (patch#8)
  - move most part of init_secure_boot() into init_variables() (patch#8)
  - split test environment setup from test patches (patch#14)
* add function descriptions (patch#5-#11)
* make sure the section list is sorted in ascending order in hash
  calculation of PE image (patch#10)
* add a new "-at" (authenticated access) option to "env -e" (patch#13)
* list required host packages, in particular udisks2, in pytest
  (patch#14)
* modify conftest.py to run under python3 (patch#14)
* use a partition on a disk instead of a whole disk without partition
  table (patch#14)
* reduce depencendy on efitools, yet relying on its host tools (patch#14)
* modify pytests to catch up wth latest changes of "env -e" syntax
  (patch#15,#16)

RFC (Sept 18, 2019)

AKASHI Takahiro (16):
  include: pe.h: add signature-related definitions
  include: image.h: export hash algorithm helper functions
  secure boot: rename CONFIG_SECURE_BOOT config option
  efi_loader: add CONFIG_EFI_SECURE_BOOT config option
  efi_loader: add signature verification functions
  efi_loader: add signature database parser
  efi_loader: variable: support variable authentication
  efi_loader: variable: add secure boot state transition
  efi_loader: variable: add VendorKeys variable
  efi_loader: image_loader: support image authentication
  efi_loader: set up secure boot
  cmd: env: use appropriate guid for authenticated UEFI variable
  cmd: env: add "-at" option to "env set -e" command
  efi_loader, pytest: set up secure boot environment
  efi_loader, pytest: add UEFI secure boot tests (authenticated
    variables)
  efi_loader, pytest: add UEFI secure boot tests (image)

 .travis.yml                                   |   4 +
 Kconfig                                       |   7 +
 arch/arm/cpu/armv7/ls102xa/Kconfig            |   3 +-
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig     |   3 +-
 arch/powerpc/cpu/mpc85xx/Kconfig              |   3 +-
 cmd/nvedit.c                                  |   5 +-
 cmd/nvedit_efi.c                              |  23 +-
 include/efi_api.h                             |  47 +
 include/efi_loader.h                          |  59 +-
 include/image.h                               |  10 +-
 include/pe.h                                  |  16 +
 lib/efi_loader/Kconfig                        |  13 +
 lib/efi_loader/Makefile                       |   1 +
 lib/efi_loader/efi_boottime.c                 |   2 +-
 lib/efi_loader/efi_image_loader.c             | 443 +++++++-
 lib/efi_loader/efi_setup.c                    |  38 +
 lib/efi_loader/efi_signature.c                | 827 +++++++++++++++
 lib/efi_loader/efi_variable.c                 | 950 ++++++++++++++++--
 test/py/README.md                             |   4 +
 test/py/tests/test_efi_secboot/conftest.py    | 128 +++
 test/py/tests/test_efi_secboot/defs.py        |  21 +
 .../py/tests/test_efi_secboot/test_authvar.py | 289 ++++++
 test/py/tests/test_efi_secboot/test_signed.py |  97 ++
 .../tests/test_efi_secboot/test_unsigned.py   | 100 ++
 24 files changed, 2958 insertions(+), 135 deletions(-)
 create mode 100644 lib/efi_loader/efi_signature.c
 create mode 100644 test/py/tests/test_efi_secboot/conftest.py
 create mode 100644 test/py/tests/test_efi_secboot/defs.py
 create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py
 create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
 create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py

-- 
2.21.0



More information about the U-Boot mailing list