[PATCH v5 00/16] efi_loader: add secure boot support
Heinrich Schuchardt
xypron.glpk at gmx.de
Sun Feb 23 12:53:16 CET 2020
On 1/28/20 9:25 AM, AKASHI Takahiro wrote:
> # Documentation for UEFI secure boot on U-Boot will be submitted in
> # a separate patch in near future.
>
> One of major missing features in current UEFI implementation is "secure boot."
> The ultimate goal of my attempt is to implement image authentication based
> on signature and provide UEFI secure boot support which would be fully
> compliant with UEFI specification, section 32[1].
> (The code was originally developed by Patrick Wildt.)
>
> Please note, however, this patch doesn't work on its own; there are
> a couple of functional dependencies[2] and [3], that I have submitted
> before. For complete workable patch set, see my repository[4],
> which also contains experimental timestamp-based revocation suuport.
>
> My "non-volatile" support[5], which is under discussion, is not mandatory
> and so not included here, but this inevitably implies that, for example,
> signature database variables, like db and dbx, won't be persistent unless
> you explicitly run "env save" command.
> Anyhow, Linaro is also working on implementing real "secure storage"
> solution based on TF-A and OP-TEE.
In the patch series I am missing a patch providing the documentation
explaining how to set up secure boot with U-Boot. doc/uefi/uefi.rst
would be a good place for it.
I guess the description should include:
- which certificates have to be created and how to generate these
- which variables have to be initialized with which values
- how the images can be signed
Best regards
Heinrich
>
>
> Supported features:
> * image authentication based on db and dbx
> * supported signature types are
> EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
> EFI_CERT_X509_GUID (x509 certificate for signed images)
> * SecureBoot/SignatureSupport variables
> * SetupMode and user mode
> * variable authentication based on PK and KEK
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
> * basic pytest test cases
>
> Unsupported features: (marked as TODO in most cases in the source code,
> and won't be included in this series)
> * hash algorithms other than SHA256
> * dbt: timestamp(RFC6131)-based certificate revocation
> * dbr: OS recovery
> * xxxDefault: default values for signature stores
> * transition to AuditMode and DeployedMode
> * recording rejected images in EFI_IMAGE_EXECUTION_INFO_TABLE
> * verification "policy", in particular, check against signature's owner
> * private authenticated variables
> * variable authentication with EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS
> * real secure storage support, including hardware-specific PK (Platform Key)
> installation
>
> TODO's other than "Unsupported features": (won't be included in this series)
> * fail recovery, in particular, in modifying authenticated variables
> * support read-only attributes of well-defined global variables
> in particular, "SignatureSupport"
> * Extensive test suite (or more test cases) to confirm compatibility
> with EDK2
> => I requested EDK SCT community to add tests[6].
>
> Test:
> * My pytest, included in this patch set, passed.
> * efi_selftest passed. (At least no regression.)
> * Travis CI tests have passed.
>
> Known issues:
> * efitools is used in pytest, and its version must be v1.5.2 or later.
> (Solution: You can define EFITOOLS_PATH in defs.py for your own efitools.)
>
>
> Hints about how to use:
> (Please see other documents, or my pytest scripts, for details.)
> * You can create your own certificates with openssl.
> * You can sign your application with sbsign (on Ubuntu).
> * You can create raw data for signature database with efitools, and
> install/manage authenticated variables with "env -set -e" command
> or efitools' "UpdateVars.efi" application.
>
>
> [1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
> [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
> (import x509/pkcs7 parsers from linux)
> [3] https://lists.denx.de/pipermail/u-boot/2020-January/398057.html
> (extend rsa_verify() for UEFI secure boot)
> [4] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot
> [5] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html
> (non-volatile variables support)
> [6] https://bugzilla.tianocore.org/show_bug.cgi?id=2230
>
>
> Changes in v5 (Jan 28, 2020)
> * rebased to pre-v2020.04-rc1 (fixed some merge conflicts)
> * remove already-merged commits (v4's patch#1)
> * fix a compile error caused by gcc 9.x (patch#4)
> * return SECURITY_VIOLATION instead of ACCESS_DENIED if authentication fails
> (patch#7)
> * use qsort() for section sorting (patch#7)
> * add "efidebug test" sub-command (patch#11)
> * add efi_start_image(SECURITY_VIOLATION) test (patch#14)
>
> Changes in v4 (Dec 18, 2019)
> * adjust EFI_SECURE_BOOT dependencies due to a change of RSA extension patch v5
> (patch#2)
> * change "imply" to "select" against kconfig dependencies (patch#2)
> * otherwise, no functional changes
>
> Changes in v3 (Dec 9, 2019)
> * allow for arbitrary number of regions in efi_image_region_add()
> (patch#3, #5 and #8)
> * remove a redundant check in a while loop at efi_sigstore_free() (patch#4)
>
> Changes in v2 (Nov 26, 2019)
> * rebased to v2020.01-rc3
> * rename IMAGE_DIRECTORY_ENTRY_CERTTABLE to IMAGE_DIRECTORY_ENTRY_SECURITY
> (patch#1,#9)
> * add comments (patch#1)
> * drop v1's patch#2 as it is no longer necessary
> * drop v1's patch#3 as other "SECURE_BOOT" architectures have renamed
> this option and no longer use it
> * add structure descriptions (patch#3)
> * rework hash calculation code in efi_signature_verify() and remove
> an odd constant, WinIndrectSha256 (patch#3)
> * move travis.yml changes to a separate patch (patch#12, #16)
> * yield_fixture() -> fixture() (patch#12)
> * call console.restart_uboot() at every test case (13,#14)
> * add patch#15; enable UEFI-related configurations by default on sandbox
> * add patch#16; modify Travis CI environment to run UEFI secure boot test
>
> Changes in v1 (Nov 13, 2019)
> * rebased to v2020.01-rc
> * remove already-merged patches
> * re-work the patch set for easier reviews, including
> - move a config definition patch forward (patch#4)
> - refactor/rename verification functions (patch#5/#10)
> - split signature database parser as a separate patch (patch#6)
> - split secure state transition code as a separate patch (patch#8)
> - move most part of init_secure_boot() into init_variables() (patch#8)
> - split test environment setup from test patches (patch#14)
> * add function descriptions (patch#5-#11)
> * make sure the section list is sorted in ascending order in hash
> calculation of PE image (patch#10)
> * add a new "-at" (authenticated access) option to "env -e" (patch#13)
> * list required host packages, in particular udisks2, in pytest
> (patch#14)
> * modify conftest.py to run under python3 (patch#14)
> * use a partition on a disk instead of a whole disk without partition
> table (patch#14)
> * reduce dependency on efitools, yet relying on its host tools (patch#14)
> * modify pytests to catch up wth latest changes of "env -e" syntax
> (patch#15,#16)
>
> RFC (Sept 18, 2019)
>
> AKASHI Takahiro (16):
> efi_loader: add CONFIG_EFI_SECURE_BOOT config option
> efi_loader: add signature verification functions
> efi_loader: add signature database parser
> efi_loader: variable: support variable authentication
> efi_loader: variable: add secure boot state transition
> efi_loader: variable: add VendorKeys variable
> efi_loader: image_loader: support image authentication
> efi_loader: set up secure boot
> cmd: env: use appropriate guid for authenticated UEFI variable
> cmd: env: add "-at" option to "env set -e" command
> cmd: efidebug: add "test bootmgr" sub-command
> efi_loader, pytest: set up secure boot environment
> efi_loader, pytest: add UEFI secure boot tests (authenticated
> variables)
> efi_loader, pytest: add UEFI secure boot tests (image)
> sandbox: add extra configurations for UEFI and related tests
> travis: add packages for UEFI secure boot test
>
> .travis.yml | 11 +-
> cmd/efidebug.c | 78 +-
> cmd/nvedit.c | 5 +-
> cmd/nvedit_efi.c | 23 +-
> configs/sandbox64_defconfig | 3 +
> configs/sandbox_defconfig | 3 +
> include/efi_api.h | 87 ++
> include/efi_loader.h | 91 +-
> lib/efi_loader/Kconfig | 18 +
> lib/efi_loader/Makefile | 1 +
> lib/efi_loader/efi_boottime.c | 10 +-
> lib/efi_loader/efi_image_loader.c | 460 ++++++++-
> lib/efi_loader/efi_setup.c | 38 +
> lib/efi_loader/efi_signature.c | 809 +++++++++++++++
> lib/efi_loader/efi_variable.c | 951 ++++++++++++++++--
> test/py/README.md | 8 +
> test/py/tests/test_efi_secboot/conftest.py | 151 +++
> test/py/tests/test_efi_secboot/defs.py | 21 +
> .../py/tests/test_efi_secboot/test_authvar.py | 282 ++++++
> test/py/tests/test_efi_secboot/test_signed.py | 117 +++
> .../tests/test_efi_secboot/test_unsigned.py | 121 +++
> 21 files changed, 3157 insertions(+), 131 deletions(-)
> create mode 100644 lib/efi_loader/efi_signature.c
> create mode 100644 test/py/tests/test_efi_secboot/conftest.py
> create mode 100644 test/py/tests/test_efi_secboot/defs.py
> create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py
> create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
> create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py
>
More information about the U-Boot
mailing list