From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 1/2] efi_loader: fix dual signed image certification
Date: Fri, 11 Feb 2022 09:37:49 +0200
Message-Id: <20220211073750.733348-1-ilias.apalodimas@linaro.org>

The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.

The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."

With our current implementation, signing the image with two certificates
and inserting both of them in db and one of them in dbx doesn't always
reject the image. The rejection depends on the order that the image was
signed and the order the certificates are read (and checked) in db.

While at it, move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image, and simplify
the logic for authenticating an unsigned image using sha256 hashes.

Signed-off-by: Ilias Apalodimas
---
changes since RFC:
- none

 lib/efi_loader/efi_image_loader.c | 88 +++++++------------------------
 1 file changed, 18 insertions(+), 70 deletions(-)

diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index f41cfa4fccd5..5df35939f702 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c 
@@ -516,53 +516,6 @@ err: } #ifdef CONFIG_EFI_SECURE_BOOT -/** - * efi_image_unsigned_authenticate() - authenticate unsigned image with - * SHA256 hash - * @regs: List of regions to be verified - * - * If an image is not signed, it doesn't have a signature. In this case, - * its message digest is calculated and it will be compared with one of - * hash values stored in signature databases. - * - * Return: true if authenticated, false if not - */ -static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs) -{ - struct efi_signature_store *db = NULL, *dbx = NULL; - bool ret = false; - - dbx = efi_sigstore_parse_sigdb(u"dbx"); - if (!dbx) { - EFI_PRINT("Getting signature database(dbx) failed\n"); - goto out; - } - - db = efi_sigstore_parse_sigdb(u"db"); - if (!db) { - EFI_PRINT("Getting signature database(db) failed\n"); - goto out; - } - - /* try black-list first */ - if (efi_signature_lookup_digest(regs, dbx, true)) { - EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n"); - goto out; - } - - /* try white-list */ - if (efi_signature_lookup_digest(regs, db, false)) - ret = true; - else - EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n"); - -out: - efi_sigstore_free(db); - efi_sigstore_free(dbx); - - return ret; -} - /** * efi_image_authenticate() - verify a signature of signed image * @efi: Pointer to image @@ -608,14 +561,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) if (!efi_image_parse(new_efi, efi_size, ®s, &wincerts, &wincerts_len)) { EFI_PRINT("Parsing PE executable image failed\n"); - goto err; - } - - if (!wincerts) { - /* The image is not signed */ - ret = efi_image_unsigned_authenticate(regs); - - goto err; + goto out; } /* 
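Review bot: With the "if (!wincerts)" branch removed in the hunk at -608, an unsigned image is no longer handled explicitly; it has to pass through the certificate loop untouched and reach the final sha256 lookup in db that this patch adds further down. That is not obvious from the code, and the kernel-doc kept as context at the end of the previous hunk still reads "efi_image_authenticate() - verify a signature of signed image". Suggest a short comment at this point saying that a NULL wincerts means the image is unsigned and is authenticated by its digest only, and updating the kernel-doc to cover both cases. The loop header is not part of this diff, so it is worth confirming that it iterates zero times when wincerts is NULL and wincerts_len is 0.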
@@ -624,18 +570,18 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) db = efi_sigstore_parse_sigdb(u"db"); if (!db) { EFI_PRINT("Getting signature database(db) failed\n"); - goto err; + goto out; } dbx = efi_sigstore_parse_sigdb(u"dbx"); if (!dbx) { EFI_PRINT("Getting signature database(dbx) failed\n"); - goto err; + goto out; } if (efi_signature_lookup_digest(regs, dbx, true)) { EFI_PRINT("Image's digest was found in \"dbx\"\n"); - goto err; + goto out; } /* @@ -678,7 +624,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) { EFI_PRINT("Certificate type not supported: %pUs\n", auth); - continue; + ret = false; + goto out; } auth += sizeof(efi_guid_t); @@ -686,7 +633,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } else if (wincert->wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { EFI_PRINT("Certificate type not supported\n"); - continue; + ret = false; + goto out; } msg = pkcs7_parse_message(auth, auth_size); 
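Review bot: In the two hunks at -678 and -686, an unsupported certificate type changes from "continue" to "ret = false; goto out;", and the commit message does not mention it. Two effects follow: a single entry of an unsupported type now rejects the image even when another signature in the table would verify against db, and because the jump goes straight to "out:" it also skips the sha256 lookup in db that the last hunk places just before that label. If this strictness is intended, please say so in the commit message; if not, keep "continue" here so that only dbx hits are fatal.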
@@ -717,32 +665,32 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) */ /* try black-list first */ if (efi_signature_verify_one(regs, msg, dbx)) { + ret = false; EFI_PRINT("Signature was rejected by \"dbx\"\n"); - continue; + goto out; } if (!efi_signature_check_signers(msg, dbx)) { + ret = false; EFI_PRINT("Signer(s) in \"dbx\"\n"); - continue; + goto out; } /* try white-list */ if (efi_signature_verify(regs, msg, db, dbx)) { ret = true; - break; + continue; } EFI_PRINT("Signature was not verified by \"db\"\n"); + } - if (efi_signature_lookup_digest(regs, db, false)) { - ret = true; - break; - } - EFI_PRINT("Image's digest was not found in \"db\" or \"dbx\"\n"); - } + /* last resort try the image sha256 hash in db */ + if (!ret && efi_signature_lookup_digest(regs, db, false)) + ret = true; -err: +out: efi_sigstore_free(db); efi_sigstore_free(dbx); pkcs7_free_message(msg);
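Review bot: The rewritten loop tail at -717 drops the EFI_PRINT for "Image's digest was not found in ..." without a replacement, so when the final "!ret && efi_signature_lookup_digest(regs, db, false)" check fails the function returns false with no message for that path. Suggest adding an else branch with an EFI_PRINT there so that a rejected unsigned image, or a signed one with no db match, is still diagnosable from the debug log. The explicit "ret = false;" before each "goto out;" is needed because an earlier iteration may already have set ret to true; a one-line comment saying so would help the next reader.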
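The effect of the loop change in patch 1/2, as an added example (a simplified model, not U-Boot's code and not part of the patch): certificates and image digests are reduced to constructed string IDs, and struct store, auth_before(), auth_after() and the sample IDs are hypothetical names. It reproduces only the continue/break versus goto out control flow visible in the diff, which is what flips the expectation of Test Case 5c in patch 2/2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a store is a list of opaque IDs (certificate or digest names). */
struct store { const char *const *ids; size_t n; };

static bool in_store(const struct store *s, const char *id)
{
	for (size_t i = 0; i < s->n; i++)
		if (!strcmp(s->ids[i], id))
			return true;
	return false;
}

/* Loop shape before the patch: a dbx hit skips only that signature. */
bool auth_before(const char *const *signers, size_t n, const char *digest,
		 const struct store *db, const struct store *dbx)
{
	if (in_store(dbx, digest))
		return false;
	for (size_t i = 0; i < n; i++) {
		if (in_store(dbx, signers[i]))
			continue;	/* revoked signer: try the next one */
		if (in_store(db, signers[i]) || in_store(db, digest))
			return true;	/* first db match ends the loop */
	}
	return n == 0 && in_store(db, digest);	/* separate unsigned path */
}

/* Loop shape after the patch: any dbx hit rejects the whole image. */
bool auth_after(const char *const *signers, size_t n, const char *digest,
		const struct store *db, const struct store *dbx)
{
	bool ok = false;

	if (in_store(dbx, digest))
		return false;
	for (size_t i = 0; i < n; i++) {
		if (in_store(dbx, signers[i]))
			return false;	/* ret = false; goto out; */
		if (in_store(db, signers[i]))
			ok = true;	/* keep checking the remaining signatures */
	}
	return ok || in_store(db, digest);	/* digest lookup runs once */
}

/* Constructed sample: certA and certB are enrolled in db, certB is also in dbx. */
static const char *const db_ids[] = { "certA", "certB" };
static const char *const dbx_ids[] = { "certB" };
static const struct store sample_db = { db_ids, 2 }, sample_dbx = { dbx_ids, 1 };
static const char *const sig_ab[] = { "certA", "certB" };
static const char *const sig_ba[] = { "certB", "certA" };

int main(void)
{
	printf("before: A,B=%d B,A=%d\n",
	       auth_before(sig_ab, 2, "img", &sample_db, &sample_dbx),
	       auth_before(sig_ba, 2, "img", &sample_db, &sample_dbx));
	printf("after:  A,B=%d B,A=%d\n",
	       auth_after(sig_ab, 2, "img", &sample_db, &sample_dbx),
	       auth_after(sig_ba, 2, "img", &sample_db, &sample_dbx));
	return 0;
}
```

The real efi_signature_verify() performs PKCS#7 verification and its own dbx checks, which this model leaves out.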
From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Date: Fri, 11 Feb 2022 09:37:50 +0200
Message-Id: <20220211073750.733348-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220211073750.733348-1-ilias.apalodimas@linaro.org>
References: <20220211073750.733348-1-ilias.apalodimas@linaro.org>

The previous patch is changing U-Boot's behavior wrt certificate based
binary authentication. Specifically an image whose digest of a
certificate is found in dbx is now rejected. Fix the test accordingly
and add another one testing signatures in reverse order.

Signed-off-by: Ilias Apalodimas
---
changes since RFC:
- Added another test case checking signature hashes in reverse order

 test/py/tests/test_efi_secboot/test_signed.py | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 0aee34479f55..cc9396a11d48 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -186,7 +186,7 @@ class TestEfiSignedImage(object): assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 5c'): - # Test Case 5c, not rejected if one of signatures (digest of + # Test Case 5c, rejected if one of signatures (digest of # certificate) is revoked output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_hash.auth', 
@@ -195,7 +195,8 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert 'Hello, world!' in ''.join(output) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 5d'): # Test Case 5d, rejected if both of signatures are revoked @@ -209,6 +210,31 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # Try rejection in reverse order. + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5e, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash1.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database
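Review bot: The comment on the new Test Case 5e in the hunk at -209 says "authenticated even if only one of signatures is verified", but the assertions that follow expect "'HELLO' failed" and "efi_start_image() returned: 26", that is, rejection. The comment looks carried over from an earlier case; suggest rewording it to say the image is rejected when the signature covered by dbx_hash1.auth is revoked, so that it matches the asserts and the updated 5c comment.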