From patchwork Tue Jun 16 05:26:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 242455 List-Id: U-Boot discussion From: takahiro.akashi at linaro.org (AKASHI Takahiro) Date: Tue, 16 Jun 2020 14:26:47 +0900 Subject: [PATCH v2 0/8] efi_loader: secure boot: support intermediate certificates in signature Message-ID: <20200616052655.4845-1-takahiro.akashi@linaro.org> Summary ======= under the current implementation of secure boot merged in v2020.07-rc1, UEFI subsystem verifies a signature using certificates that are coming from signature dtabase, i.e. "db." In real world, an image is signed by a signer, but its certificate can also be signed by another CA and, if it is not self-signed, the latter will be signed by yet another CA and so on. This is called a certificate chain and any certificates in the middle of chain is called "intermediate" certificates. With this patch set applied on top of the current implementation, UEFI subsystem will get capable of verifying intermediate certificates being contained in a signature and authenticating an image in a chain of trusted certificates. Please note that we don't support RFC6131, or timestamp protocol, and so if any certificate in the chain is found in the revocation list, i.e. dbx, the image will unconditionally be disqualified from being loaded or run. Patch structure =============== Patch#1-#6: preparatory patches Patch#7: main part Patch#8: pytest Prerequisite ============ Require my patch set[1]. Those two patch sets are mutually independent in terms of functionality, but have dependencies due to code overlap. You can fetch the whole workable repository from here[2]. One patch[3] to sbsigntools must also be applied so that we wil be able to sign an image with intermediate certificates. It is required here for testing. Test ==== - The added new pytest (test_signed_intca.py) passed locally. - Travis CI passed, except the new pytest added here due to a new feature in sbsigntools as mentioned above. Misc ==== - checkpatch.pl makes several warnings against pkcs7_verify.c, but we will ignore them as it is a file imported from linux code. [1] https://lists.denx.de/pipermail/u-boot/2020-June/415476.html [2] https://git.linaro.org/people/takahiro.akashi/u-boot.git efi/secboot [3] https://groups.io/g/sbsigntools/message/23 v2 (June 16, 2020) * add function descriptions (Patch#2, #6 and #7) * pylint and autopep8 against pytest (Patch#8) v1 (June 9, 2020) * initial release * on top of v2020.07-rc4 AKASHI Takahiro (8): lib: rsa: export rsa_verify_with_pkey() lib: crypto: add public_key_verify_signature() lib: crypto: enable x509_check_for_self_signed() lib: crypto: import pkcs7_verify.c from linux lib: crypto: add pkcs7_digest() lib: crypto: export and enhance pkcs7_verify_one() efi_loader: signature: rework for intermediate certificates support test/py: efi_secboot: add test for intermediate certificates include/crypto/pkcs7.h | 9 +- include/crypto/public_key.h | 2 +- include/efi_loader.h | 8 +- include/u-boot/rsa.h | 3 + lib/crypto/Kconfig | 3 + lib/crypto/Makefile | 1 + lib/crypto/pkcs7_verify.c | 658 ++++++++++++++++++ lib/crypto/public_key.c | 63 +- lib/crypto/x509_cert_parser.c | 2 - lib/crypto/x509_public_key.c | 33 +- lib/efi_loader/Kconfig | 1 + lib/efi_loader/efi_image_loader.c | 2 +- lib/efi_loader/efi_signature.c | 385 +++++----- lib/efi_loader/efi_variable.c | 5 +- lib/rsa/rsa-verify.c | 8 +- test/py/tests/test_efi_secboot/conftest.py | 138 +++- test/py/tests/test_efi_secboot/defs.py | 11 +- test/py/tests/test_efi_secboot/openssl.cnf | 48 ++ .../test_efi_secboot/test_signed_intca.py | 134 ++++ 19 files changed, 1281 insertions(+), 233 deletions(-) create mode 100644 lib/crypto/pkcs7_verify.c create mode 100644 test/py/tests/test_efi_secboot/openssl.cnf create mode 100644 test/py/tests/test_efi_secboot/test_signed_intca.py