[PATCH v2 00/17] efi_loader: rework/improve UEFI secure boot code
AKASHI Takahiro
takahiro.akashi at linaro.org
Tue Jun 9 07:09:30 CEST 2020
Summary
=======
I'm currently working on reworking UEFI secure boot, aiming to add
"intermediate certificates" support. In this effort, I found a couple
of issues that should immediately be fixed or useful improvements even
without intermediate certificates support.
Each commit in this patch series has a self-explanatory description of
the issue to be addressed.
While they are independent in terms of functionality, they are compiled
in a set since one may depend on another in terms of code change
overlap. All the changes can and should be merged at once for best
convenience.
I hope that I will post intermediate certificates support sometime
in the next week.
Patch structure
===============
Patch#1-#5,#9: rather preparatory patches
Patch#6-#8,#10-#11: main commits
Patch#12-#17: pytests
  Patch#15-#16 for Patch#10
  Patch#17 for Patch#11
Prerequisite
============
The version of "sbsign" command must be 0.7 or higher to sign an image
with multiple signatures. It is required here for testing.
Test
====
- The added new pytests in test_signed.py passed locally.
- Travis CI passed, except Test Case 5 for signed image
(test_efi_signed_image_auth5) because the version of "sbsign" command
is old and it doesn't support multiple signatures.
v2 (Jun 9, 2020)
* on top of v2020.07-rc4
* add patch#1,#2 to remove unnecessary hacks in pytest
* use EFI_PRINT() instead of debug() everywhere (patch#3-#5)
* fix a verification logic so that we should reject an image if at least
  one of the signatures is verified by dbx. New efi_signature_verify_one() has
  a main role. (patch#10)
* use "llu" format instead of "llx" to print out the revocation time
(patch#10)
* add some description about verification logic against multiple signatures
(patch#11)
v1 (May 29, 2020)
* initial release
AKASHI Takahiro (17):
  efi_loader: change efi objects initialization order
  Revert "test: stabilize test_efi_secboot"
  efi_loader: signature: replace debug to EFI_PRINT
  efi_loader: variable: replace debug to EFI_PRINT
  efi_loader: image_loader: replace debug to EFI_PRINT
  efi_loader: image_loader: add a check against certificate type of
    authenticode
  efi_loader: image_loader: retrieve authenticode only if it exists
  efi_loader: signature: fix a size check against revocation list
  efi_loader: signature: make efi_hash_regions more generic
  efi_loader: image_loader: verification for all signatures should pass
  efi_loader: image_loader: add digest-based verification for signed
    image
  test/py: efi_secboot: remove all "re.search"
  test/py: efi_secboot: fix test case 1g of test_authvar
  test/py: efi_secboot: split "signed image" test case-1 into two cases
  test/py: efi_secboot: add a test against certificate revocation
  test/py: efi_secboot: add a test for multiple signatures
  test/py: efi_secboot: add a test for verifying with digest of signed
    image
include/efi_loader.h | 15 +-
lib/efi_loader/efi_image_loader.c | 210 ++++---
lib/efi_loader/efi_setup.c | 7 +-
lib/efi_loader/efi_signature.c | 512 +++++++++---------
lib/efi_loader/efi_variable.c | 27 +-
test/py/tests/test_efi_secboot/conftest.py | 24 +-
.../py/tests/test_efi_secboot/test_authvar.py | 91 ++--
test/py/tests/test_efi_secboot/test_signed.py | 212 ++++++--
.../tests/test_efi_secboot/test_unsigned.py | 38 +-
9 files changed, 696 insertions(+), 440 deletions(-)
--
2.27.0