Patchwork [3/3,Resend] securebootcert: add Ubuntu UEFI secure boot test - check Ubuntu CA presence

login
register
mail settings
Submitter Ivan Hu
Date March 5, 2013, 9:03 a.m.
Message ID <1362474202-23701-1-git-send-email-ivan.hu@canonical.com>
Download mbox | patch
Permalink /patch/224968/
State Rejected
Headers show

Comments

Ivan Hu - March 5, 2013, 9:03 a.m.
From: IvanHu <ivan.hu@canonical.com>

Check the variable KEK existence and Ubuntu master CA certificate presence
in KEK.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
---
 src/uefi/securebootcert/securebootcert.c |   37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
Colin King - March 5, 2013, 9:09 a.m.
On 05/03/13 09:03, Ivan Hu wrote:
> From: IvanHu <ivan.hu@canonical.com>
>
> Check the variable KEK existence and Ubuntu master CA certificate presence
> in KEK.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>   src/uefi/securebootcert/securebootcert.c |   37 ++++++++++++++++++++++++++++++
>   1 file changed, 37 insertions(+)
>
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 60d55cb..0675e15 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -253,10 +253,44 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
>   			"The Microsoft UEFI CA certificate not found .");
>   }
>
> +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
> +{
> +
> +	bool ident = false;
> +	EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
> +
> +	if (strcmp(varname, "KEK"))
> +		return;
> +
> +	var_found |= VAR_KEK_FOUND;
> +	ident = compare_guid(&global_var_guid, var->guid);
> +
> +	if (!ident) {
> +		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
> +			"The secure boot variable %s GUID invalid.", varname);
> +		return;
> +	}
> +
> +	fwts_release *release = fwts_release_get();
> +	if (release == NULL) {
> +		fwts_skipped(fw, "Not on Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate.");
> +		return;
> +	}

Perhaps I should have explained the fwts_release API better.  Best to do 
something like:

	fwts_release *release;

	...
	...

	release = fwts_release_get();
	if (release == NULL) {
		fwts_skipped(fw, "Cannot determine system.. etc...");
		return;
	}

	if (!strcmp(release->distributor, "Ubuntu")) {
		fwts_skipped(fw, "Not a Ubuntu system... etc..");
		return;
	}

> +
> +	fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
> +	if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
> +		fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
> +	else {
> +		fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname);
> +		fwts_infoonly(fw);
> +	}
> +}
> +
>   static securebootcert_info securebootcert_info_table[] = {
>   	{ "SecureBoot",		securebootcert_secure_boot },
>   	{ "SetupMode",		securebootcert_setup_mode },
>   	{ "db",			securebootcert_data_base },
> +	{ "KEK",		securebootcert_key_ex_key },
>   	{ NULL, NULL }
>   };
>
> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw)
>   	if (!(var_found & VAR_DB_FOUND))
>   		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
>   			"The secure boot variable DB not found.");
> +	if (!(var_found & VAR_KEK_FOUND))
> +		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
> +			"The secure boot variable KEK not found.");
>
>   	fwts_uefi_free_variable_names(&name_list);
>
>
Colin King - March 5, 2013, 9:13 a.m.
On 05/03/13 09:09, Colin Ian King wrote:
> On 05/03/13 09:03, Ivan Hu wrote:
>> From: IvanHu <ivan.hu@canonical.com>
>>
>> Check the variable KEK existence and Ubuntu master CA certificate
>> presence
>> in KEK.
>>
>> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
>> ---
>>   src/uefi/securebootcert/securebootcert.c |   37
>> ++++++++++++++++++++++++++++++
>>   1 file changed, 37 insertions(+)
>>
>> diff --git a/src/uefi/securebootcert/securebootcert.c
>> b/src/uefi/securebootcert/securebootcert.c
>> index 60d55cb..0675e15 100644
>> --- a/src/uefi/securebootcert/securebootcert.c
>> +++ b/src/uefi/securebootcert/securebootcert.c
>> @@ -253,10 +253,44 @@ static void
>> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
>>               "The Microsoft UEFI CA certificate not found .");
>>   }
>>
>> +static void securebootcert_key_ex_key(fwts_framework *fw,
>> fwts_uefi_var *var, char *varname)
>> +{
>> +
>> +    bool ident = false;
>> +    EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
>> +
>> +    if (strcmp(varname, "KEK"))
>> +        return;
>> +
>> +    var_found |= VAR_KEK_FOUND;
>> +    ident = compare_guid(&global_var_guid, var->guid);
>> +
>> +    if (!ident) {
>> +        fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableGUIDInvalid",
>> +            "The secure boot variable %s GUID invalid.", varname);
>> +        return;
>> +    }
>> +
>> +    fwts_release *release = fwts_release_get();
>> +    if (release == NULL) {
>> +        fwts_skipped(fw, "Not on Ubuntu system, it's not necessary
>> checking the Ubuntu Master CA certificate.");
>> +        return;
>> +    }
>
> Perhaps I should have explained the fwts_release API better.  Best to do
> something like:
>
>      fwts_release *release;
>
>      ...
>      ...
>
>      release = fwts_release_get();
>      if (release == NULL) {
>          fwts_skipped(fw, "Cannot determine system.. etc...");
>          return;
>      }
>
>      if (!strcmp(release->distributor, "Ubuntu")) {
>          fwts_skipped(fw, "Not a Ubuntu system... etc..");
>          return;
>      }
>

Oh, and I forgot, we need to free up after using it:

	fwts_release_free(release);



>> +
>> +    fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate
>> presence in %s", varname);
>> +    if (check_sigdb_presence(var->data, var->datalen, ubuntu_key,
>> ubuntu_key_len))
>> +        fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
>> +    else {
>> +        fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate
>> presence in %s", varname);
>> +        fwts_infoonly(fw);
>> +    }
>> +}
>> +
>>   static securebootcert_info securebootcert_info_table[] = {
>>       { "SecureBoot",        securebootcert_secure_boot },
>>       { "SetupMode",        securebootcert_setup_mode },
>>       { "db",            securebootcert_data_base },
>> +    { "KEK",        securebootcert_key_ex_key },
>>       { NULL, NULL }
>>   };
>>
>> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw)
>>       if (!(var_found & VAR_DB_FOUND))
>>           fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableNotFound",
>>               "The secure boot variable DB not found.");
>> +    if (!(var_found & VAR_KEK_FOUND))
>> +        fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableNotFound",
>> +            "The secure boot variable KEK not found.");
>>
>>       fwts_uefi_free_variable_names(&name_list);
>>
>>
>
>
Ivan Hu - March 5, 2013, 9:21 a.m.
On 03/05/2013 05:13 PM, Colin Ian King wrote:
> On 05/03/13 09:09, Colin Ian King wrote:
>> On 05/03/13 09:03, Ivan Hu wrote:
>>> From: IvanHu <ivan.hu@canonical.com>
>>>
>>> Check the variable KEK existence and Ubuntu master CA certificate
>>> presence
>>> in KEK.
>>>
>>> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
>>> ---
>>>   src/uefi/securebootcert/securebootcert.c |   37
>>> ++++++++++++++++++++++++++++++
>>>   1 file changed, 37 insertions(+)
>>>
>>> diff --git a/src/uefi/securebootcert/securebootcert.c
>>> b/src/uefi/securebootcert/securebootcert.c
>>> index 60d55cb..0675e15 100644
>>> --- a/src/uefi/securebootcert/securebootcert.c
>>> +++ b/src/uefi/securebootcert/securebootcert.c
>>> @@ -253,10 +253,44 @@ static void
>>> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
>>>               "The Microsoft UEFI CA certificate not found .");
>>>   }
>>>
>>> +static void securebootcert_key_ex_key(fwts_framework *fw,
>>> fwts_uefi_var *var, char *varname)
>>> +{
>>> +
>>> +    bool ident = false;
>>> +    EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
>>> +
>>> +    if (strcmp(varname, "KEK"))
>>> +        return;
>>> +
>>> +    var_found |= VAR_KEK_FOUND;
>>> +    ident = compare_guid(&global_var_guid, var->guid);
>>> +
>>> +    if (!ident) {
>>> +        fwts_failed(fw, LOG_LEVEL_HIGH,
>>> "SecureBootCertVariableGUIDInvalid",
>>> +            "The secure boot variable %s GUID invalid.", varname);
>>> +        return;
>>> +    }
>>> +
>>> +    fwts_release *release = fwts_release_get();
>>> +    if (release == NULL) {
>>> +        fwts_skipped(fw, "Not on Ubuntu system, it's not necessary
>>> checking the Ubuntu Master CA certificate.");
>>> +        return;
>>> +    }
>>
>> Perhaps I should have explained the fwts_release API better.  Best to do
>> something like:
>>
>>      fwts_release *release;
>>
>>      ...
>>      ...
>>
>>      release = fwts_release_get();
>>      if (release == NULL) {
>>          fwts_skipped(fw, "Cannot determine system.. etc...");
>>          return;
>>      }
>>
>>      if (!strcmp(release->distributor, "Ubuntu")) {
>>          fwts_skipped(fw, "Not a Ubuntu system... etc..");
>>          return;
>>      }
>>
>
> Oh, and I forgot, we need to free up after using it:
>
>      fwts_release_free(release);
>
>
>
>>> +
>>> +    fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate
>>> presence in %s", varname);
>>> +    if (check_sigdb_presence(var->data, var->datalen, ubuntu_key,
>>> ubuntu_key_len))
>>> +        fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
>>> +    else {
>>> +        fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate
>>> presence in %s", varname);
>>> +        fwts_infoonly(fw);
>>> +    }
>>> +}
>>> +
>>>   static securebootcert_info securebootcert_info_table[] = {
>>>       { "SecureBoot",        securebootcert_secure_boot },
>>>       { "SetupMode",        securebootcert_setup_mode },
>>>       { "db",            securebootcert_data_base },
>>> +    { "KEK",        securebootcert_key_ex_key },
>>>       { NULL, NULL }
>>>   };
>>>
>>> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw)
>>>       if (!(var_found & VAR_DB_FOUND))
>>>           fwts_failed(fw, LOG_LEVEL_HIGH,
>>> "SecureBootCertVariableNotFound",
>>>               "The secure boot variable DB not found.");
>>> +    if (!(var_found & VAR_KEK_FOUND))
>>> +        fwts_failed(fw, LOG_LEVEL_HIGH,
>>> "SecureBootCertVariableNotFound",
>>> +            "The secure boot variable KEK not found.");
>>>
>>>       fwts_uefi_free_variable_names(&name_list);
>>>
>>>
>>
>>
>
>

Thanks, will resend patch latter.

Ivan

Patch

diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 60d55cb..0675e15 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -253,10 +253,44 @@  static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
 			"The Microsoft UEFI CA certificate not found .");
 }
 
+static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+
+	bool ident = false;
+	EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+	if (strcmp(varname, "KEK"))
+		return;
+
+	var_found |= VAR_KEK_FOUND;
+	ident = compare_guid(&global_var_guid, var->guid);
+
+	if (!ident) {
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+			"The secure boot variable %s GUID invalid.", varname);
+		return;
+	}
+
+	fwts_release *release = fwts_release_get();
+	if (release == NULL) {
+		fwts_skipped(fw, "Not on Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate.");
+		return;
+	}
+
+	fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
+	if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
+		fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
+	else {
+		fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname);
+		fwts_infoonly(fw);
+	}
+}
+
 static securebootcert_info securebootcert_info_table[] = {
 	{ "SecureBoot",		securebootcert_secure_boot },
 	{ "SetupMode",		securebootcert_setup_mode },
 	{ "db",			securebootcert_data_base },
+	{ "KEK",		securebootcert_key_ex_key },
 	{ NULL, NULL }
 };
 
@@ -358,6 +392,9 @@  static int securebootcert_test1(fwts_framework *fw)
 	if (!(var_found & VAR_DB_FOUND))
 		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 			"The secure boot variable DB not found.");
+	if (!(var_found & VAR_KEK_FOUND))
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
+			"The secure boot variable KEK not found.");
 
 	fwts_uefi_free_variable_names(&name_list);