[U-Boot] [RFC 10/15] efi_loader: image_loader: support image authentication
AKASHI Takahiro
takahiro.akashi at linaro.org
Wed Sep 18 01:26:38 UTC 2019
With this commit, image validation can be enforced, as UEFI specification
section 32.5 describes, if CONFIG_EFI_SECURE_BOOT is enabled.
Currently we support
* authentication based on db and dbx,
so dbx-validated image will always be rejected.
* following signature types:
EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
EFI_CERT_X509_GUID (x509 certificate for signed images)
Timestamp-based certifcate revocation is not supported here.
Internally, authentication data is stored in one of certificates tables
of PE image (See efi_image_parse()) and will be verified by
efi_image_authenticate(), hence efi_signature_verify_with_db(), before
loading a given image.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
include/efi_loader.h | 7 +-
lib/efi_loader/efi_boottime.c | 2 +-
lib/efi_loader/efi_image_loader.c | 364 +++++++++++++++++++++++++++++-
3 files changed, 366 insertions(+), 7 deletions(-)
diff --git a/include/efi_loader.h b/include/efi_loader.h
index caac8efba89a..b0e1a3b7902d 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -11,6 +11,7 @@
#include <common.h>
#include <part_efi.h>
#include <efi_api.h>
+#include <pe.h>
/* No need for efi loader support in SPL */
#if CONFIG_IS_ENABLED(EFI_LOADER)
@@ -385,7 +386,8 @@ efi_status_t efi_set_watchdog(unsigned long timeout);
/* Called from places to check whether a timer expired */
void efi_timer_check(void);
/* PE loader implementation */
-efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
+efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
+ void *efi, size_t efi_size,
struct efi_loaded_image *loaded_image_info);
/* Called once to store the pristine gd pointer */
void efi_save_gd(void);
@@ -703,6 +705,9 @@ efi_signature_store *efi_sigstore_parse_sigdb(u16 *name);
bool efi_secure_boot_enabled(void);
efi_status_t efi_init_secure_boot(void);
+
+bool efi_image_parse(void *efi, size_t len, efi_image_regions **regp,
+ WIN_CERTIFICATE **auth, size_t *auth_len);
#endif /* CONFIG_EFI_SECURE_BOOT */
#else /* CONFIG_IS_ENABLED(EFI_LOADER) */
diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
index b9bff894cbba..e27a52493291 100644
--- a/lib/efi_loader/efi_boottime.c
+++ b/lib/efi_loader/efi_boottime.c
@@ -1879,7 +1879,7 @@ efi_status_t EFIAPI efi_load_image(bool boot_policy,
efi_dp_split_file_path(file_path, &dp, &fp);
ret = efi_setup_loaded_image(dp, fp, image_obj, &info);
if (ret == EFI_SUCCESS)
- ret = efi_load_pe(*image_obj, dest_buffer, info);
+ ret = efi_load_pe(*image_obj, dest_buffer, source_size, info);
if (!source_buffer)
/* Release buffer to which file was loaded */
efi_free_pages((uintptr_t)dest_buffer,
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index 13541cfa7a28..3004cb34a3cd 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -9,7 +9,13 @@
#include <common.h>
#include <efi_loader.h>
+#include <malloc.h>
#include <pe.h>
+/*
+ * avoid duplicated inclusion:
+ * #include "../lib/crypto/x509_parser.h"
+ */
+#include "../lib/crypto/pkcs7_parser.h"
const efi_guid_t efi_global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
const efi_guid_t efi_guid_device_path = EFI_DEVICE_PATH_PROTOCOL_GUID;
@@ -205,6 +211,288 @@ static void efi_set_code_and_data_type(
}
}
+#ifdef CONFIG_EFI_SECURE_BOOT
+/*
+ * Parse image binary in PE32(+) format
+ * Assuming that sanity of PE image has been checked by a caller.
+ *
+ * Return: true on success, false on failure
+ */
+bool efi_image_parse(void *efi, size_t len, efi_image_regions **regp,
+ WIN_CERTIFICATE **auth, size_t *auth_len)
+{
+ efi_image_regions *regs;
+ IMAGE_DOS_HEADER *dos;
+ IMAGE_NT_HEADERS32 *nt;
+ IMAGE_SECTION_HEADER *sections;
+ int num_sections, i;
+ int ctidx = IMAGE_DIRECTORY_ENTRY_CERTTABLE;
+ u32 align, size, authsz, authoff;
+ size_t bytes_hashed;
+
+ regs = calloc(1, sizeof(*regs));
+ if (!regs)
+ goto err;
+
+ dos = (void *)efi;
+ nt = (void *)(efi + dos->e_lfanew);
+
+ /*
+ * Collect data regions for hash calculation
+ * 1. File headers
+ */
+ if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
+ IMAGE_NT_HEADERS64 *nt64 = (void *)nt;
+ IMAGE_OPTIONAL_HEADER64 *opt = &nt64->OptionalHeader;
+
+ /* Skip CheckSum */
+ efi_image_region_add(regs, efi, &opt->CheckSum, 0);
+ if (nt64->OptionalHeader.NumberOfRvaAndSizes <= ctidx) {
+ efi_image_region_add(regs,
+ &opt->CheckSum + 1,
+ efi + opt->SizeOfHeaders, 0);
+ } else {
+ /* Skip Certificates Table */
+ efi_image_region_add(regs,
+ &opt->CheckSum + 1,
+ &opt->DataDirectory[ctidx], 0);
+ efi_image_region_add(regs,
+ &opt->DataDirectory[ctidx] + 1,
+ efi + opt->SizeOfHeaders, 0);
+ }
+
+ bytes_hashed = opt->SizeOfHeaders;
+ align = opt->FileAlignment;
+ authoff = opt->DataDirectory[ctidx].VirtualAddress;
+ authsz = opt->DataDirectory[ctidx].Size;
+ } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
+ IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader;
+
+ efi_image_region_add(regs, efi, &opt->CheckSum, 0);
+ efi_image_region_add(regs, &opt->CheckSum + 1,
+ &opt->DataDirectory[ctidx], 0);
+ efi_image_region_add(regs, &opt->DataDirectory[ctidx] + 1,
+ efi + opt->SizeOfHeaders, 0);
+
+ bytes_hashed = opt->SizeOfHeaders;
+ align = opt->FileAlignment;
+ authoff = opt->DataDirectory[ctidx].VirtualAddress;
+ authsz = opt->DataDirectory[ctidx].Size;
+ } else {
+ debug("%s: Invalid optional header magic %x\n", __func__,
+ nt->OptionalHeader.Magic);
+ goto err;
+ }
+
+ /* 2. Sections */
+ num_sections = nt->FileHeader.NumberOfSections;
+ sections = (void *)((uint8_t *)&nt->OptionalHeader +
+ nt->FileHeader.SizeOfOptionalHeader);
+ for (i = 0; i < num_sections; i++) {
+ if (!sections[i].SizeOfRawData)
+ continue;
+
+ /* TODO: ensure ascending order */
+ size = (sections[i].SizeOfRawData + align - 1) & ~(align - 1);
+ efi_image_region_add(regs, efi + sections[i].PointerToRawData,
+ efi + sections[i].PointerToRawData + size,
+ 0);
+ debug("section[%d](%s): raw: 0x%x-0x%x, virt: %x-%x\n",
+ i, sections[i].Name,
+ sections[i].PointerToRawData,
+ sections[i].PointerToRawData + size,
+ sections[i].VirtualAddress,
+ sections[i].VirtualAddress
+ + sections[i].Misc.VirtualSize);
+
+ bytes_hashed += size;
+ }
+
+ /* 3. Extra data excluding Certificates Table */
+ if (bytes_hashed + authsz < len) {
+ debug("extra data for hash: %lu\n",
+ len - (bytes_hashed + authsz));
+ efi_image_region_add(regs, efi + bytes_hashed,
+ efi + len - authsz, 0);
+ }
+
+ /* Return Certificates Table */
+ if (authsz) {
+ if (len < authoff + authsz) {
+ debug("%s: Size for auth too large: %u >= %zu\n",
+ __func__, authsz, len - authoff);
+ goto err;
+ }
+ if (authsz < sizeof(*auth)) {
+ debug("%s: Size for auth too small: %u < %zu\n",
+ __func__, authsz, sizeof(*auth));
+ goto err;
+ }
+ *auth = efi + authoff;
+ *auth_len = authsz;
+ debug("WIN_CERTIFICATE: 0x%x, size: 0x%x\n", authoff, authsz);
+ } else {
+ *auth = NULL;
+ *auth_len = 0;
+ }
+
+ *regp = regs;
+
+ return true;
+
+err:
+ free(regs);
+
+ return false;
+}
+
+/*
+ * Authenticate unsigned image with SHA256 hash
+ *
+ * Return: true on success, false on failure
+ */
+static bool efi_image_unsigned_authenticate(efi_image_regions *regs)
+{
+ efi_signature_store *db;
+ bool ret;
+
+ /* try black-list */
+ ret = true;
+ db = efi_sigstore_parse_sigdb(L"dbx");
+ if (db) {
+ if (efi_signature_verify_with_db(regs, NULL, db)) {
+ debug("Image is not signed and rejected by \"dbx\"\n");
+ ret = false;
+ }
+
+ efi_sigstore_free(db);
+ } else {
+ debug("Getting signature database(dbx) failed\n");
+ }
+
+ if (!ret)
+ goto out;
+
+ /* try white-list */
+ ret = false;
+ db = efi_sigstore_parse_sigdb(L"db");
+ if (db) {
+ if (efi_signature_verify_with_db(regs, NULL, db))
+ ret = true;
+ else
+ debug("Image is not signed and not found in \"db\" or \"dbx\"\n");
+
+ efi_sigstore_free(db);
+ } else {
+ debug("Getting signature database(db) failed\n");
+ }
+
+out:
+ return ret;
+}
+
+/*
+ * TODO:
+ * When AuditMode==0, if the image's signature is not found in
+ * the authorized database, or is found in the forbidden database,
+ * the image will not be started and instead, information about it
+ * will be placed in this table.
+ * When AuditMode==1, an EFI_IMAGE_EXECUTION_INFO element is created
+ * in the EFI_IMAGE_EXECUTION_INFO_TABLE for every certificate found
+ * in the certificate table of every image that is validated.
+ *
+ * Return: true on success, false on failure
+ */
+static bool efi_image_authenticate(void *efi, size_t len)
+{
+ efi_image_regions *regs = NULL;
+ WIN_CERTIFICATE *wincerts = NULL, *wincert;
+ size_t wincerts_len;
+ struct pkcs7_message *msg = NULL;
+ efi_signature_store *db = NULL, *dbx = NULL;
+ bool ret = false;
+
+ if (!efi_secure_boot_enabled())
+ return true;
+
+ if (!efi_image_parse(efi, len, ®s, &wincerts,
+ &wincerts_len)) {
+ debug("Parsing PE executable image failed\n");
+ return false;
+ }
+
+ if (!wincerts) {
+ /* The image is not signed */
+ ret = efi_image_unsigned_authenticate(regs);
+ free(regs);
+
+ return ret;
+ }
+
+ /*
+ * verify signature using db and dbx
+ */
+ db = efi_sigstore_parse_sigdb(L"db");
+ if (!db) {
+ debug("Getting signature database(db) failed\n");
+ goto err;
+ }
+
+ dbx = efi_sigstore_parse_sigdb(L"dbx");
+ if (!dbx) {
+ /* FIXME: error or not found? */
+ debug("Getting signature database(dbx) failed\n");
+ goto err;
+ }
+
+ /* go through WIN_CERTIFICATE list */
+ for (wincert = wincerts;
+ (void *)wincert < (void *)wincerts + wincerts_len;
+ wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) {
+ if (wincert->dwLength < sizeof(*wincert)) {
+ debug("%s: dwLength too small: %u < %zu\n",
+ __func__, wincert->dwLength, sizeof(*wincert));
+ goto err;
+ }
+ msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert),
+ wincert->dwLength - sizeof(*wincert));
+ if (!msg) {
+ debug("Parsing image's signature failed\n");
+ goto err;
+ }
+
+ /* try black-list first */
+ if (dbx) {
+ if (efi_signature_revoke(regs, msg, dbx, NULL)) {
+ debug("Signature was revoked by \"dbx\"\n");
+ goto err;
+ }
+ }
+
+ /* try white-list */
+ if (db) {
+ if (!efi_signature_verify_with_db(regs, msg, db))
+ debug("Verifying signature with \"db\" failed\n");
+ else
+ ret = true;
+ }
+ }
+
+err:
+ efi_sigstore_free(db);
+ efi_sigstore_free(dbx);
+ pkcs7_free_message(msg);
+ free(regs);
+
+ return ret;
+}
+#else
+static bool efi_image_authenticate(void *efi, size_t len)
+{
+ return true;
+}
+#endif /* CONFIG_EFI_SECURE_BOOT */
+
/**
* efi_load_pe() - relocate EFI binary
*
@@ -216,7 +504,8 @@ static void efi_set_code_and_data_type(
* @loaded_image_info: loaded image protocol
* Return: status code
*/
-efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
+efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
+ void *efi, size_t efi_size,
struct efi_loaded_image *loaded_image_info)
{
IMAGE_NT_HEADERS32 *nt;
@@ -232,15 +521,56 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
unsigned long virt_size = 0;
int supported = 0;
+ /*
+ * Size must be 8-byte aligned and the trailing bytes must be
+ * zero'ed. Otherwise hash value may be incorrect.
+ */
+ if (efi_size & 0x7) {
+ void *new_efi;
+ size_t new_efi_size;
+
+ new_efi_size = (efi_size + 0x7) & ~0x7ULL;
+ new_efi = calloc(new_efi_size, 1);
+ if (!new_efi)
+ return EFI_OUT_OF_RESOURCES;
+ memcpy(new_efi, efi, efi_size);
+ efi = new_efi;
+ efi_size = new_efi_size;
+ /* TODO: free */
+ }
+
+ /* Sanity check for a file header */
+ if (efi_size < sizeof(*dos)) {
+ printf("%s: Truncated DOS Header\n", __func__);
+
+ return EFI_LOAD_ERROR;
+ }
+
dos = efi;
if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
printf("%s: Invalid DOS Signature\n", __func__);
+
+ return EFI_LOAD_ERROR;
+ }
+
+ /* assume sizeof(IMAGE_NT_HEADERS32) <= sizeof(IMAGE_NT_HEADERS64) */
+ if (efi_size < dos->e_lfanew + sizeof(IMAGE_NT_HEADERS32)) {
+ printf("%s: Invalid offset for Extended Header\n", __func__);
+
return EFI_LOAD_ERROR;
}
nt = (void *) ((char *)efi + dos->e_lfanew);
+ if ((nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) &&
+ (efi_size < dos->e_lfanew + sizeof(IMAGE_NT_HEADERS64))) {
+ printf("%s: Invalid offset for Extended Header\n", __func__);
+
+ return EFI_LOAD_ERROR;
+ }
+
if (nt->Signature != IMAGE_NT_SIGNATURE) {
printf("%s: Invalid NT Signature\n", __func__);
+
return EFI_LOAD_ERROR;
}
@@ -253,14 +583,32 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
if (!supported) {
printf("%s: Machine type 0x%04x is not supported\n",
__func__, nt->FileHeader.Machine);
+
return EFI_LOAD_ERROR;
}
- /* Calculate upper virtual address boundary */
num_sections = nt->FileHeader.NumberOfSections;
sections = (void *)&nt->OptionalHeader +
nt->FileHeader.SizeOfOptionalHeader;
+ if (efi_size < ((void *)sections + sizeof(sections[0]) * num_sections
+ - efi)) {
+ printf("%s: Invalid number of sections: %d\n",
+ __func__, num_sections);
+
+ return EFI_LOAD_ERROR;
+ }
+
+ /*
+ * Authenticate an image
+ * TODO:
+ * If authentication fails, relevant information must be
+ * recorded in executable information table.
+ */
+ if (!efi_image_authenticate(efi, efi_size))
+ return EFI_ACCESS_DENIED;
+
+ /* Calculate upper virtual address boundary */
for (i = num_sections - 1; i >= 0; i--) {
IMAGE_SECTION_HEADER *sec = §ions[i];
virt_size = max_t(unsigned long, virt_size,
@@ -279,6 +627,7 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
if (!efi_reloc) {
printf("%s: Could not allocate %lu bytes\n",
__func__, virt_size);
+
return EFI_OUT_OF_RESOURCES;
}
handle->entry = efi_reloc + opt->AddressOfEntryPoint;
@@ -295,6 +644,7 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
if (!efi_reloc) {
printf("%s: Could not allocate %lu bytes\n",
__func__, virt_size);
+
return EFI_OUT_OF_RESOURCES;
}
handle->entry = efi_reloc + opt->AddressOfEntryPoint;
@@ -304,13 +654,16 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
} else {
printf("%s: Invalid optional header magic %x\n", __func__,
nt->OptionalHeader.Magic);
+
return EFI_LOAD_ERROR;
}
/* Copy PE headers */
- memcpy(efi_reloc, efi, sizeof(*dos) + sizeof(*nt)
- + nt->FileHeader.SizeOfOptionalHeader
- + num_sections * sizeof(IMAGE_SECTION_HEADER));
+ memcpy(efi_reloc, efi,
+ sizeof(*dos)
+ + sizeof(*nt)
+ + nt->FileHeader.SizeOfOptionalHeader
+ + num_sections * sizeof(IMAGE_SECTION_HEADER));
/* Load sections into RAM */
for (i = num_sections - 1; i >= 0; i--) {
@@ -327,6 +680,7 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, void *efi,
(unsigned long)image_base) != EFI_SUCCESS) {
efi_free_pages((uintptr_t) efi_reloc,
(virt_size + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT);
+
return EFI_LOAD_ERROR;
}
--
2.21.0
More information about the U-Boot
mailing list