[PATCH 0/5] efi_loader: fix a verification process issue in secure boot
AKASHI Takahiro
takahiro.akashi at linaro.org
Tue Jul 5 07:48:10 CEST 2022
In the commit 4540dabdcaca ("efi_loader: image_loader: support image
authentication"), U-Boot implementation of UEFI secure boot was
introduced.
It was reported by a Siemens engineer, however, that the verification
process is not fully compliant with MicroSoft's authenticode specification
and it is possible to exploit the code in a signed PE image without deep
knowledge.
This patch series fixes this security issue and, in addition, adds a test
case.
patch#1-3: preparatory patches
patch#4: add a missing step in signature verification process
patch#5: a new test case under pytest
AKASHI Takahiro (5):
lib: crypto: add mscode_parser
efi_loader: signature: export efi_hash_regions()
efi_loader: image_loader: replace EFI_PRINT with log macros
efi_loader: image_loader: add a missing digest verification for signed
PE image
test/py: efi_secboot: add a test for a forged signed image
include/crypto/mscode.h | 43 ++++++
include/efi_loader.h | 2 +
lib/crypto/Kconfig | 9 ++
lib/crypto/Makefile | 12 ++
lib/crypto/mscode.asn1 | 28 ++++
lib/crypto/mscode_parser.c | 135 ++++++++++++++++++
lib/efi_loader/Kconfig | 1 +
lib/efi_loader/efi_image_loader.c | 114 +++++++++++----
lib/efi_loader/efi_signature.c | 4 +-
test/py/tests/test_efi_secboot/conftest.py | 3 +
test/py/tests/test_efi_secboot/forge_image.sh | 5 +
test/py/tests/test_efi_secboot/test_signed.py | 35 +++++
12 files changed, 361 insertions(+), 30 deletions(-)
create mode 100644 include/crypto/mscode.h
create mode 100644 lib/crypto/mscode.asn1
create mode 100644 lib/crypto/mscode_parser.c
create mode 100644 test/py/tests/test_efi_secboot/forge_image.sh
--
2.36.1
More information about the U-Boot
mailing list