From patchwork Mon Mar 4 08:30:01 2013
From: Ivan Hu
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH 3/3] securebootcert: add Ubuntu UEFI secure boot test - check Ubuntu CA presence
Date: Mon, 4 Mar 2013 16:30:01 +0800
Message-Id: <1362385801-19253-1-git-send-email-ivan.hu@canonical.com>
X-Mailer: git-send-email 1.7.10.4
List-Id: Firmware Test Suite Development

Check the variable KEK existence and Ubuntu master CA certificate presence in KEK.

Signed-off-by: Ivan Hu
---
 src/uefi/securebootcert/securebootcert.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c index 81f3c36..6a88932 100644 --- a/src/uefi/securebootcert/securebootcert.c +++ b/src/uefi/securebootcert/securebootcert.c @@ -269,10 +269,37 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha "The Microsoft UEFI CA certificate not found ."); } +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) +{ + + bool ident = false; + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; + + if (strcmp(varname, "KEK")) + return; + + var_found |= VAR_KEK_FOUND; + ident = compare_guid(&global_var_guid, var->guid); + + if (!ident) { + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", + "The secure boot variable %s GUID invalid.", varname); + return; + } + + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); + else + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootUbuntuCertNotFound", + "The Ubuntu master CA certificate not found ."); +} + static securebootcert_info securebootcert_info_table[] = { { "SecureBoot", securebootcert_secure_boot }, { "SetupMode", securebootcert_setup_mode }, { "db", securebootcert_data_base }, + { "KEK", securebootcert_key_ex_key }, { NULL, NULL } }; @@ -374,6 +401,9 @@ static int securebootcert_test1(fwts_framework *fw) if (!(var_found & VAR_DB_FOUND)) fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", "The secure boot variable DB not found."); + if (!(var_found & VAR_KEK_FOUND)) + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", + "The secure boot variable KEK not found."); fwts_uefi_free_variable_names(&name_list);
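Review bot: In the first hunk, securebootcert_key_ex_key() sets `var_found |= VAR_KEK_FOUND;` but this diff does not add a definition of VAR_KEK_FOUND and the diffstat shows only securebootcert.c changed, so please confirm the flag is already defined (for example by an earlier patch in this 3/3 series), otherwise the build breaks. Two smaller points in the same function: `var_found |= VAR_KEK_FOUND;` runs before the compare_guid() check, so a variable named KEK with a wrong GUID still counts as present and suppresses the "variable KEK not found" failure in test1; if that is intended (a GUID mismatch is already reported as SecureBootCertVariableGUIDInvalid), a one-line comment would make it explicit. Also the failure text `"The Ubuntu master CA certificate not found ."` carries a stray space before the period, copied from the db message above it; consider `"The Ubuntu master CA certificate not found."` and dropping the empty line after the opening brace. Using EFI_GLOBAL_VARIABLE as the expected GUID for KEK is correct per the UEFI spec, unlike db/dbx which live under the image security database GUID.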
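Review bot: In the second hunk, the new KEK absence check reuses the label "SecureBootCertVariableNotFound" that the db check directly above already uses, so anyone filtering fwts results by label cannot tell a missing KEK from a missing db; the message text differs, but a distinct label (or a documented decision to share one) would be cleaner. Otherwise the placement is right: the check runs after the variable enumeration loop and before fwts_uefi_free_variable_names(&name_list), and LOG_LEVEL_HIGH matches the db case.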