[PATCH v4 03/16] efi_loader: add signature verification functions
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Jan 15 01:13:36 CET 2020
On 1/15/20 12:43 AM, Heinrich Schuchardt wrote:
> On 12/18/19 1:44 AM, AKASHI Takahiro wrote:
>> In this commit, implemented are a couple of helper functions which
>> will be
>> used to materialize variable authentication as well as image
>> authentication
>> in later patches.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>> ---
>> include/efi_api.h | 87 +++++
>> include/efi_loader.h | 72 ++++
>> lib/efi_loader/Makefile | 1 +
>> lib/efi_loader/efi_signature.c | 584 +++++++++++++++++++++++++++++++++
>> 4 files changed, 744 insertions(+)
>> create mode 100644 lib/efi_loader/efi_signature.c
>>
>> diff --git a/include/efi_api.h b/include/efi_api.h
>> index 22396172e15f..47f24fc90873 100644
>> --- a/include/efi_api.h
>> +++ b/include/efi_api.h
>> @@ -18,6 +18,7 @@
>>
>> #include <efi.h>
>> #include <charset.h>
>> +#include <pe.h>
>>
>> #ifdef CONFIG_EFI_LOADER
>> #include <asm/setjmp.h>
>> @@ -307,6 +308,10 @@ struct efi_runtime_services {
>> EFI_GUID(0x8be4df61, 0x93ca, 0x11d2, 0xaa, 0x0d, \
>> 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c)
>>
>> +#define EFI_IMAGE_SECURITY_DATABASE_GUID \
>> + EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, \
>> + 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
>> +
>> #define EFI_FDT_GUID \
>> EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, \
>> 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
>> @@ -1616,4 +1621,86 @@ struct efi_unicode_collation_protocol {
>> #define LOAD_OPTION_CATEGORY_BOOT 0x00000000
>> #define LOAD_OPTION_CATEGORY_APP 0x00000100
>>
>> +/* Certificate types in signature database */
>> +#define EFI_CERT_SHA256_GUID \
>> + EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, \
>> + 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
>> +#define EFI_CERT_RSA2048_GUID \
>> + EFI_GUID(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, \
>> + 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
>> +#define EFI_CERT_X509_GUID \
>> + EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, \
>> + 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
>> +#define EFI_CERT_X509_SHA256_GUID \
>> + EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \
>> + 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
>> +#define EFI_CERT_TYPE_PKCS7_GUID \
>> + EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
>> + 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
>> +
>> +/**
>> + * win_certificate_uefi_guid - A certificate that encapsulates
>> + * a GUID-specific signature
>> + *
>> + * @hdr: Windows certificate header
>> + * @cert_type: Certificate type
>> + * @cert_data: Certificate data
>> + */
>> +struct win_certificate_uefi_guid {
>> + WIN_CERTIFICATE hdr;
>> + efi_guid_t cert_type;
>> + u8 cert_data[];
>> +} __attribute__((__packed__));
>> +
>> +/**
>> + * efi_variable_authentication_2 - A time-based authentication method
>> + * descriptor
>> + *
>> + * This structure describes an authentication information for
>> + * a variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
>> + * and should be included as part of a variable's value.
>> + * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
>> + *
>> + * @time_stamp: Descriptor's time stamp
>> + * @auth_info: Authentication info
>> + */
>> +struct efi_variable_authentication_2 {
>> + struct efi_time time_stamp;
>> + struct win_certificate_uefi_guid auth_info;
>> +} __attribute__((__packed__));
>> +
>> +/**
>> + * efi_signature_data - A format of signature
>> + *
>> + * This structure describes a single signature in signature database.
>> + *
>> + * @signature_owner: Signature owner
>> + * @signature_data: Signature data
>> + */
>> +struct efi_signature_data {
>> + efi_guid_t signature_owner;
>> + u8 signature_data[];
>> +} __attribute__((__packed__));
>> +
>> +/**
>> + * efi_signature_list - A format of signature database
>> + *
>> + * This structure describes a list of signatures with the same type.
>> + * An authenticated variable's value is a concatenation of one or more
>> + * efi_signature_list's.
>> + *
>> + * @signature_type: Signature type
>> + * @signature_list_size: Size of signature list
>> + * @signature_header_size: Size of signature header
>> + * @signature_size: Size of signature
>> + */
>> +struct efi_signature_list {
>> + efi_guid_t signature_type;
>> + u32 signature_list_size;
>> + u32 signature_header_size;
>> + u32 signature_size;
>> +/* u8 signature_header[signature_header_size]; */
>> +/* struct efi_signature_data signatures[...][signature_size]; */
>> +} __attribute__((__packed__));
>> +
>> #endif
>> diff --git a/include/efi_loader.h b/include/efi_loader.h
>> index 381da80cdce0..3ca68f9bbb6e 100644
>> --- a/include/efi_loader.h
>> +++ b/include/efi_loader.h
>> @@ -21,6 +21,7 @@ static inline int guidcmp(const void *g1, const void
>> *g2)
>> #if CONFIG_IS_ENABLED(EFI_LOADER)
>>
>> #include <linux/list.h>
>> +#include <linux/oid_registry.h>
>>
>> /* Maximum number of configuration tables */
>> #define EFI_MAX_CONFIGURATION_TABLES 16
>> @@ -169,6 +170,11 @@ extern const efi_guid_t
>> efi_guid_hii_config_routing_protocol;
>> extern const efi_guid_t efi_guid_hii_config_access_protocol;
>> extern const efi_guid_t efi_guid_hii_database_protocol;
>> extern const efi_guid_t efi_guid_hii_string_protocol;
>> +/* GUIDs for authentication */
>> +extern const efi_guid_t efi_guid_image_security_database;
>> +extern const efi_guid_t efi_guid_sha256;
>> +extern const efi_guid_t efi_guid_cert_x509;
>> +extern const efi_guid_t efi_guid_cert_x509_sha256;
>>
>> extern unsigned int __efi_runtime_start, __efi_runtime_stop;
>> extern unsigned int __efi_runtime_rel_start, __efi_runtime_rel_stop;
>> @@ -650,6 +656,72 @@ void efi_deserialize_load_option(struct
>> efi_load_option *lo, u8 *data);
>> unsigned long efi_serialize_load_option(struct efi_load_option *lo,
>> u8 **data);
>> efi_status_t efi_bootmgr_load(efi_handle_t *handle);
>>
>> +#ifdef CONFIG_EFI_SECURE_BOOT
>
> This constraint surrounds the whole code. So, please, move the
> constraint to the Makefile.
>
> Best regards
>
> Heinrich
>
>> +#include <image.h>
>> +
>> +/**
>> + * efi_image_regions - A list of memory regions
>> + *
>> + * @max: Maximum number of regions
>> + * @num: Number of regions
>> + * @reg: array of regions
>> + */
>> +struct efi_image_regions {
>> + int max;
>> + int num;
>> + struct image_region reg[];
>> +};
>> +
>> +/**
>> + * efi_sig_data - A decoded data of struct efi_signature_data
>> + *
>> + * This structure represents an internal form of signature in
>> + * signature database. A listed list may represent a signature list.
>> + *
>> + * @next: Pointer to next entry
>> + * @onwer: Signature owner
>> + * @data: Pointer to signature data
>> + * @size: Size of signature data
>> + */
>> +struct efi_sig_data {
>> + struct efi_sig_data *next;
>> + efi_guid_t owner;
>> + void *data;
>> + size_t size;
>> +};
>> +
>> +/**
>> + * efi_signature_store - A decoded data of signature database
>> + *
>> + * This structure represents an internal form of signature database.
>> + *
>> + * @next: Pointer to next entry
>> + * @sig_type: Signature type
>> + * @sig_data_list: Pointer to signature list
>> + */
>> +struct efi_signature_store {
>> + struct efi_signature_store *next;
>> + efi_guid_t sig_type;
>> + struct efi_sig_data *sig_data_list;
>> +};
>> +
>> +struct x509_certificate;
>> +struct pkcs7_message;
>> +
>> +bool efi_signature_verify_cert(struct x509_certificate *cert,
>> + struct efi_signature_store *dbx);
>> +bool efi_signature_verify_signers(struct pkcs7_message *msg,
>> + struct efi_signature_store *dbx);
>> +bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
>> + struct pkcs7_message *msg,
>> + struct efi_signature_store *db,
>> + struct x509_certificate **cert);
>> +
>> +efi_status_t efi_image_region_add(struct efi_image_regions *regs,
>> + const void *start, const void *end,
>> + int nocheck);
>> +#endif /* CONFIG_EFI_SECURE_BOOT */
>> +
>> #else /* CONFIG_IS_ENABLED(EFI_LOADER) */
>>
>> /* Without CONFIG_EFI_LOADER we don't have a runtime section, stub
>> it out */
>> diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
>> index 7db406028618..3ffbfe78a46b 100644
>> --- a/lib/efi_loader/Makefile
>> +++ b/lib/efi_loader/Makefile
>> @@ -42,3 +42,4 @@ obj-$(CONFIG_PARTITIONS) += efi_disk.o
>> obj-$(CONFIG_NET) += efi_net.o
>> obj-$(CONFIG_GENERATE_ACPI_TABLE) += efi_acpi.o
>> obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += efi_smbios.o
>> +obj-y += efi_signature.o
>> diff --git a/lib/efi_loader/efi_signature.c
>> b/lib/efi_loader/efi_signature.c
>> new file mode 100644
>> index 000000000000..823d3311e010
>> --- /dev/null
>> +++ b/lib/efi_loader/efi_signature.c
>> @@ -0,0 +1,584 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +/*
>> + * Copyright (c) 2018 Patrick Wildt <patrick at blueri.se>
>> + * Copyright (c) 2019 Linaro Limited, Author: AKASHI Takahiro
>> + */
>> +
>> +#include <common.h>
>> +#include <charset.h>
>> +#include <efi_loader.h>
>> +#include <image.h>
>> +#include <hexdump.h>
>> +#include <malloc.h>
>> +#include <pe.h>
>> +#include <linux/compat.h>
>> +#include <linux/oid_registry.h>
>> +#include <u-boot/rsa.h>
>> +#include <u-boot/sha256.h>
>> +/*
>> + * avoid duplicated inclusion:
>> + * #include "../lib/crypto/x509_parser.h"
>> + */
>> +#include "../lib/crypto/pkcs7_parser.h"
>> +
>> +const efi_guid_t efi_guid_image_security_database =
>> + EFI_IMAGE_SECURITY_DATABASE_GUID;
>> +const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
>> +const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
>> +const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
>> +const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
>> +
>> +#ifdef CONFIG_EFI_SECURE_BOOT
This is the #ifdef to move to the Makefile. In the previous mail I got
into the wrong line.
Best regards
Heinrich
More information about the U-Boot
mailing list