Message ID | 1362385801-19253-1-git-send-email-ivan.hu@canonical.com |
---|---|
State | Rejected |
On 04/03/13 08:30, Ivan Hu wrote: > Check the variable KEK existence and Ubuntu master CA certificate presence > in KEK. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 30 ++++++++++++++++++++++++++++++ > 1 file changed, 30 insertions(+) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 81f3c36..6a88932 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c 
> @@ -269,10 +269,37 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha > "The Microsoft UEFI CA certificate not found ."); > } > > +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "KEK")) > + return; > + > + var_found |= VAR_KEK_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + > + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); > + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) > + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); > + else > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootUbuntuCertNotFound", > + "The Ubuntu master CA certificate not found ."); As I mentioned in my response to patch 1 of this series, I'm not sure if this should strictly be a failure if it's not on a Ubuntu system since fwts is theoretically meant to be disto agnostic. We could check if it is Ubuntu from the output of 'lsb_release -a' and only run the test if it a Ubuntu system, however the is yet another dependency.. Actually, we should probably add the system check into fwts lib as it probably is quite useful in other places. > +} > + > static securebootcert_info securebootcert_info_table[] = { > { "SecureBoot", securebootcert_secure_boot }, > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > + { "KEK", securebootcert_key_ex_key }, > { NULL, NULL } > }; 
> > @@ -374,6 +401,9 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable DB not found."); > + if (!(var_found & VAR_KEK_FOUND)) > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > + "The secure boot variable KEK not found."); > > fwts_uefi_free_variable_names(&name_list); > >
On 04/03/13 09:52, Colin Ian King wrote: > On 04/03/13 08:30, Ivan Hu wrote: >> Check the variable KEK existence and Ubuntu master CA certificate >> presence >> in KEK. >> >> Signed-off-by: Ivan Hu <ivan.hu@canonical.com> >> --- >> src/uefi/securebootcert/securebootcert.c | 30 >> ++++++++++++++++++++++++++++++ >> 1 file changed, 30 insertions(+) >> >> diff --git a/src/uefi/securebootcert/securebootcert.c >> b/src/uefi/securebootcert/securebootcert.c >> index 81f3c36..6a88932 100644 >> --- a/src/uefi/securebootcert/securebootcert.c >> +++ b/src/uefi/securebootcert/securebootcert.c 
>> @@ -269,10 +269,37 @@ static void >> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha >> "The Microsoft UEFI CA certificate not found ."); >> } >> >> +static void securebootcert_key_ex_key(fwts_framework *fw, >> fwts_uefi_var *var, char *varname) >> +{ >> + >> + bool ident = false; >> + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; >> + >> + if (strcmp(varname, "KEK")) >> + return; >> + >> + var_found |= VAR_KEK_FOUND; >> + ident = compare_guid(&global_var_guid, var->guid); >> + >> + if (!ident) { >> + fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableGUIDInvalid", >> + "The secure boot variable %s GUID invalid.", varname); >> + return; >> + } >> + >> + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate >> presence in %s", varname); >> + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, >> ubuntu_key_len)) >> + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); >> + else >> + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootUbuntuCertNotFound", >> + "The Ubuntu master CA certificate not found ."); > > As I mentioned in my response to patch 1 of this series, I'm not sure if > this should strictly be a failure if it's not on a Ubuntu system since > fwts is theoretically meant to be disto agnostic. We could check if it > is Ubuntu from the output of 'lsb_release -a' and only run the test if > it a Ubuntu system, however the is yet another dependency.. I've sent a patch to the list so we can identify a distro (debian based ones at the moment, can add more later) so we can do this Ubuntu specific test if we are on a Ubuntu system. Colin > > Actually, we should probably add the system check into fwts lib as it > probably is quite useful in other places. 
> >> +} >> + >> static securebootcert_info securebootcert_info_table[] = { >> { "SecureBoot", securebootcert_secure_boot }, >> { "SetupMode", securebootcert_setup_mode }, >> { "db", securebootcert_data_base }, >> + { "KEK", securebootcert_key_ex_key }, >> { NULL, NULL } >> }; >> >> @@ -374,6 +401,9 @@ static int securebootcert_test1(fwts_framework *fw) >> if (!(var_found & VAR_DB_FOUND)) >> fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableNotFound", >> "The secure boot variable DB not found."); >> + if (!(var_found & VAR_KEK_FOUND)) >> + fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableNotFound", >> + "The secure boot variable KEK not found."); >> >> fwts_uefi_free_variable_names(&name_list); >> >> >
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 81f3c36..6a88932 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -269,10 +269,37 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
 "The Microsoft UEFI CA certificate not found .");
 }
 
+static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+
+ bool ident = false;
+ EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+ if (strcmp(varname, "KEK"))
+ return;
+
+ var_found |= VAR_KEK_FOUND;
+ ident = compare_guid(&global_var_guid, var->guid);
+
+ if (!ident) {
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+ "The secure boot variable %s GUID invalid.", varname);
+ return;
+ }
+
+ fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
+ if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
+ fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
+ else
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootUbuntuCertNotFound",
+ "The Ubuntu master CA certificate not found .");
+}
+
 static securebootcert_info securebootcert_info_table[] = {
 { "SecureBoot", securebootcert_secure_boot },
 { "SetupMode", securebootcert_setup_mode },
 { "db", securebootcert_data_base },
+ { "KEK", securebootcert_key_ex_key },
 { NULL, NULL }
 };
 
@@ -374,6 +401,9 @@ static int securebootcert_test1(fwts_framework *fw)
 if (!(var_found & VAR_DB_FOUND))
 fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 "The secure boot variable DB not found.");
+ if (!(var_found & VAR_KEK_FOUND))
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
+ "The secure boot variable KEK not found.");
 
 fwts_uefi_free_variable_names(&name_list);
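Review bot: The GUID check in securebootcert_key_ex_key is correct but undocumented: KEK is defined by the UEFI spec under EFI_GLOBAL_VARIABLE, whereas the signature databases (db/dbx) live under EFI_IMAGE_SECURITY_DATABASE_GUID, so a reader comparing this helper with securebootcert_data_base (whose body is outside the hunk, and presumably compares against the image-security GUID) will wonder why the two differ. A one-line comment above the compare_guid call, `/* KEK is owned by EFI_GLOBAL_VARIABLE; only db/dbx use EFI_IMAGE_SECURITY_DATABASE_GUID */`, would settle that. On style, `bool ident = false;` is initialised only to be overwritten a few lines later; `const bool ident = compare_guid(&global_var_guid, var->guid);` declared after the strcmp guard reads cleaner, and the blank line immediately after the opening `+{` is stray. The second hunk reports a missing KEK under the same SecureBootCertVariableNotFound label as the db check, which is consistent with the existing code.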
Check that the KEK variable exists and that the Ubuntu master CA certificate is present in it. Signed-off-by: Ivan Hu <ivan.hu@canonical.com> --- src/uefi/securebootcert/securebootcert.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)