[PATCH v7 04/17] efi_loader: variable: support variable authentication

Sughosh Ganu sughosh.ganu at linaro.org
Mon Apr 20 21:35:13 CEST 2020


hello Heinrich,

On Tue, 21 Apr 2020 at 01:00, Heinrich Schuchardt <xypron.glpk at gmx.de>
wrote:

> On 4/20/20 9:22 PM, Sughosh Ganu wrote:
> >
> > On Tue, 14 Apr 2020 at 08:23, AKASHI Takahiro
> > <takahiro.akashi at linaro.org <mailto:takahiro.akashi at linaro.org>> wrote:
> >
> >     With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
> >     is supported for authenticated variables and the system secure state
> >     will transfer between setup mode and user mode as UEFI specification
> >     section 32.3 describes.
> >
> >     Internally, authentication data is stored as part of authenticated
> >     variable's value. It is nothing but a pkcs7 message (but we need some
> >     wrapper, see efi_variable_parse_signature()) and will be validated by
> >     efi_variable_authenticate(), hence efi_signature_verify_with_db().
> >
> >     Associated time value will be encoded in "{...,time=...}" along with
> >     other UEFI variable's attributes.
> >
> >     Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org
> >     <mailto:takahiro.akashi at linaro.org>>
> >     ---
> >      include/efi_loader.h          |   3 +
> >      lib/efi_loader/efi_variable.c | 666
> ++++++++++++++++++++++++++++------
> >      2 files changed, 565 insertions(+), 104 deletions(-)
> >
> >
> > <snip>
> >
> >
> >     diff --git a/lib/efi_loader/efi_variable.c
> >     b/lib/efi_loader/efi_variable.c
> >     index fe2f26459136..adb78470f2d6 100644
> >     --- a/lib/efi_loader/efi_variable.c
> >     +++ b/lib/efi_loader/efi_variable.c
> >     @@ -10,8 +10,14 @@
> >      #include <env_internal.h>
> >      #include <hexdump.h>
> >      #include <malloc.h>
> >     +#include <rtc.h>
> >      #include <search.h>
> >     +#include <linux/compat.h>
> >      #include <u-boot/crc.h>
> >     +#include "../lib/crypto/pkcs7_parser.h"
> >     +
> >     +const efi_guid_t efi_guid_cert_type_pkcs7 =
> EFI_CERT_TYPE_PKCS7_GUID;
> >     +static bool efi_secure_boot;
> >
> >      #define READ_ONLY BIT(31)
> >
> >     @@ -106,9 +112,10 @@ static const char *prefix(const char *str,
> >     const char *prefix)
> >       *
> >       * @str:       value of U-Boot variable
> >       * @attrp:     pointer to UEFI attributes
> >     + * @timep:     pointer to time attribute
> >       * Return:     pointer to remainder of U-Boot variable value
> >       */
> >     -static const char *parse_attr(const char *str, u32 *attrp)
> >     +static const char *parse_attr(const char *str, u32 *attrp, u64
> *timep)
> >      {
> >             u32 attr = 0;
> >             char sep = '{';
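Review bot: The new `@timep` line does not say what the caller gets back when the string carries no `time=` attribute, or whether NULL may be passed. In the visible hunks `*timep` is written only inside the `time=` branch, so unless it is initialised in the part of `parse_attr()` that lies outside these hunks, callers have to pre-initialise it themselves. I would spell that out, e.g. `@timep: pointer to time attribute; written only if "time=" is present, must not be NULL`. The function body continues outside the hunk.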
> >     @@ -131,6 +138,12 @@ static const char *parse_attr(const char *str,
> >     u32 *attrp)
> >                             attr |= EFI_VARIABLE_BOOTSERVICE_ACCESS;
> >                     } else if ((s = prefix(str, "run"))) {
> >                             attr |= EFI_VARIABLE_RUNTIME_ACCESS;
> >     +               } else if ((s = prefix(str, "time="))) {
> >     +                       attr |=
> >     EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> >     +                       hex2bin((u8 *)timep, s, sizeof(*timep));
> >     +                       s += sizeof(*timep) * 2;
> >     +               } else if (*str == '}') {
> >     +                       break;
> >                     } else {
> >                             printf("invalid attribute: %s\n", str);
> >                             break;
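Review bot: The return value of `hex2bin()` in the new `time=` branch is ignored, and `s` is then advanced by `sizeof(*timep) * 2` unconditionally. A `time=` value with fewer than 16 hex digits or a non-hex character therefore leaves `*timep` partly written and moves `s` past text that was never validated, possibly beyond the string's terminator. Because this value is the timestamp attached to a time-based authenticated variable, a malformed attribute string should be rejected like the existing `invalid attribute` case, e.g. `if (hex2bin((u8 *)timep, s, sizeof(*timep))) { printf("invalid attribute: %s\n", str); break; }` ahead of the `s +=` line. The branch also writes through `timep` with no NULL check, which is safe only if every caller passes a valid pointer; the callers and the rest of `parse_attr()` are outside this hunk.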
> >     @@ -148,48 +161,291 @@ static const char *parse_attr(const char
> >     *str, u32 *attrp)
> >      }
> >
> >      /**
> >     - * efi_get_variable() - retrieve value of a UEFI variable
> >     + * efi_secure_boot_enabled - return if secure boot is enabled or not
> >       *
> >     - * This function implements the GetVariable runtime service.
> >     + * Return:     true if enabled, false if disabled
> >     + */
> >     +bool efi_secure_boot_enabled(void)
> >     +{
> >     +       return efi_secure_boot;
> >     +}
> >     +
> >     +#ifdef CONFIG_EFI_SECURE_BOOT
> >     +static u8 pkcs7_hdr[] = {
> >     +       /* SEQUENCE */
> >     +       0x30, 0x82, 0x05, 0xc7,
> >     +       /* OID: pkcs7-signedData */
> >     +       0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
> >     0x02,
> >     +       /* Context Structured? */
> >     +       0xa0, 0x82, 0x05, 0xb8,
> >     +};
> >     +
> >     +/**
> >     + * efi_variable_parse_signature - parse a signature in variable
> >     + * @buf:       Pointer to variable's value
> >     + * @buflen:    Length of @buf
> >       *
> >     - * See the Unified Extensible Firmware Interface (UEFI)
> >     specification for
> >     - * details.
> >     + * Parse a signature embedded in variable's value and instantiate
> >     + * a pkcs7_message structure. Since pkcs7_parse_message() accepts
> only
> >     + * pkcs7's signedData, some header needed be prepended for correctly
> >     + * parsing authentication data, particularly for variable's.
> >       *
> >     - * @variable_name:     name of the variable
> >     - * @vendor:            vendor GUID
> >     - * @attributes:                attributes of the variable
> >     - * @data_size:         size of the buffer to which the variable
> >     value is copied
> >     - * @data:              buffer to which the variable value is copied
> >     - * Return:             status code
> >     + * Return:     Pointer to pkcs7_message structure on success, NULL
> >     on error
> >       */
> >     -efi_status_t EFIAPI efi_get_variable(u16 *variable_name,
> >     -                                    const efi_guid_t *vendor, u32
> >     *attributes,
> >     -                                    efi_uintn_t *data_size, void
> *data)
> >     +static struct pkcs7_message *efi_variable_parse_signature(const
> >     void *buf,
> >     +                                                         size_t
> buflen)
> >
> >
> > This is a generic function used for parsing the pkcs7 header. This will
> > also be used for capsule authentication. Can you move this under
> > efi_signature.c as an API, and change the name to something like
> > efi_parse_pkcs7_header?
> >
> > -sughosh
>
> Hello Sughosh,
>
> the patch is already merged. Could you, please, provide a follow-up
> patch with the suggested change.
>

Will do, as part of my capsule authentication changes. Thanks.

-sughosh

