[PATCH v5 0/8] efi_loader: secure boot: support intermediate certificates in signature

AKASHI Takahiro takahiro.akashi at linaro.org
Tue Jul 21 12:35:16 CEST 2020 

Summary
=======
under the current implementation of secure boot merged in v2020.07,
UEFI subsystem verifies a signature using certificates that are coming
from signature dtabase, i.e. "db."

In real world, an image is signed by a signer, but its certificate
can also be signed by another CA and, if it is not self-signed, the latter
will be signed by yet another CA and so on. This is called a certificate
chain and any certificates in the middle of chain is called "intermediate"
certificates.

With this patch set applied on top of the current implementation,
UEFI subsystem will get capable of verifying intermediate certificates
being contained in a signature and authenticating an image in a chain
of trusted certificates.

Please note that we don't support RFC6131, or timestamp protocol, and so
if any certificate in the chain is found in the revocation list, i.e. dbx,
the image will unconditionally be disqualified from being loaded or run.

Patch structure
===============
Patch#1-#5: preparatory patches
Patch#6: main part
Patch#7-#8: pytest

Prerequisite
============
All the required patches have been merged.
You can fetch the whole workable repository from here[1].

One patch[2] to sbsigntools must also be applied so that we wil be able
to sign an image with intermediate certificates. It is required here for
testing.

Test
====
- The added new pytest (test_signed_intca.py) passed locally.
- In this version, I didn't run Travis CI because there are problems
  with sbsigntools[3][4] as well as virt-make-fs[5].
  But I'm sure all the tests have passed in my local environment.

Misc
====
- checkpatch.pl makes several warnings against pkcs7_verify.c, but
  we will ignore them as it is a file imported from linux code.

[1] https://git.linaro.org/people/takahiro.akashi/u-boot.git efi/secboot
[2] https://groups.io/g/sbsigntools/message/23
[3] https://lists.denx.de/pipermail/u-boot/2020-July/420876.html
[4] https://lists.denx.de/pipermail/u-boot/2020-July/420878.html
[5] https://lists.denx.de/pipermail/u-boot/2020-July/419976.html

v5 (July 21, 2020)
* fix a checkpatch error (Patch#1)
* describe what was the original source (Patch#3)
* use IS_ERR_OR_NULL() to check a return value of x509_cert_parse()
  (Patch#6)
* remove HELLO_PATH and EFI_SECBOOT_IMAGE_NAME (Patch#7)
* modify conftest.py to make it compatible on different version
  of openssl (Ubuntu 18.04 to 19.10) (Patch#8)
* remove changes to the existing code (Patch#8)
* specify timestamps in generating certificates (Patch#8)
* change test case names (Patch#8)

v4 (July 17, 2020)
* rebased to Heinrich's efi-2020-10-rc4
* remove a already-merged patch
* (no functional change)
* modify conftest.py to align it with recent changes Heinrich made
  (patch#7)

v3 (Jul 10, 2020)
* rebased to Heinrich's (current) efi-2020-10-rc1 along with
  my follow-up patches
* add sanity checks in public_key_verify_signature() (Patch#2)
* smplify include headers in pkcs7_verify.c (Patch#4)
* fix timestamp issues in Test Case 2 and 3 (Patch#8)

v2 (June 16, 2020)
* add function descriptions (Patch#2, #6 and #7)
* pylint and autopep8 against pytest (Patch#8)

v1 (June 9, 2020)
* initial release
* on top of v2020.07-rc4

AKASHI Takahiro (8):
  lib: crypto: add public_key_verify_signature()
  lib: crypto: enable x509_check_for_self_signed()
  lib: crypto: import pkcs7_verify.c from linux
  lib: crypto: add pkcs7_digest()
  lib: crypto: export and enhance pkcs7_verify_one()
  efi_loader: signature: rework for intermediate certificates support
  test/py: efi_secboot: small rework for adding a new test
  test/py: efi_secboot: add test for intermediate certificates

 include/crypto/pkcs7.h                        |   9 +-
 include/crypto/public_key.h                   |   2 +-
 include/efi_loader.h                          |   8 +-
 lib/crypto/Kconfig                            |   3 +
 lib/crypto/Makefile                           |   1 +
 lib/crypto/pkcs7_verify.c                     | 657 ++++++++++++++++++
 lib/crypto/public_key.c                       |  70 +-
 lib/crypto/x509_cert_parser.c                 |   2 -
 lib/crypto/x509_public_key.c                  |  33 +-
 lib/efi_loader/Kconfig                        |   1 +
 lib/efi_loader/efi_image_loader.c             |   2 +-
 lib/efi_loader/efi_signature.c                | 385 +++++-----
 lib/efi_loader/efi_variable.c                 |   5 +-
 test/py/tests/test_efi_secboot/conftest.py    | 126 +++-
 test/py/tests/test_efi_secboot/defs.py        |  10 +-
 test/py/tests/test_efi_secboot/openssl.cnf    |  48 ++
 .../test_efi_secboot/test_signed_intca.py     | 135 ++++
 17 files changed, 1259 insertions(+), 238 deletions(-)
 create mode 100644 lib/crypto/pkcs7_verify.c
 create mode 100644 test/py/tests/test_efi_secboot/openssl.cnf
 create mode 100644 test/py/tests/test_efi_secboot/test_signed_intca.py

-- 
2.27.0

More information about the U-Boot mailing list