From patchwork Fri Dec 16 06:25:23 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ivan Hu <ivan.hu@canonical.com>
X-Patchwork-Id: 706338
Return-Path: <fwts-devel-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3tg0gG1kL5z9t0H;
	Fri, 16 Dec 2016 17:25:46 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <fwts-devel-bounces@lists.ubuntu.com>)
	id 1cHlxh-0005hw-5Z; Fri, 16 Dec 2016 06:25:45 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <ivan.hu@canonical.com>) id 1cHlxY-0005fq-NV
	for fwts-devel@lists.ubuntu.com; Fri, 16 Dec 2016 06:25:36 +0000
Received: from [175.41.48.77] (helo=canonical.com)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <ivan.hu@canonical.com>)
	id 1cHlxX-0001z2-Vm; Fri, 16 Dec 2016 06:25:36 +0000
From: Ivan Hu <ivan.hu@canonical.com>
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH 2/2] securebootcert: add variable DeployedMode checking
Date: Fri, 16 Dec 2016 14:25:23 +0800
Message-Id: <1481869523-7395-3-git-send-email-ivan.hu@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1481869523-7395-1-git-send-email-ivan.hu@canonical.com>
References: <1481869523-7395-1-git-send-email-ivan.hu@canonical.com>
X-BeenThere: fwts-devel@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Firmware Test Suite Development <fwts-devel.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/fwts-devel>,
	<mailto:fwts-devel-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/fwts-devel>
List-Post: <mailto:fwts-devel@lists.ubuntu.com>
List-Help: <mailto:fwts-devel-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/fwts-devel>,
	<mailto:fwts-devel-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: fwts-devel-bounces@lists.ubuntu.com
Sender: fwts-devel-bounces@lists.ubuntu.com

UEFI 2.6 add the AuditMode global variable for secure boot, so also check the
DeployedMode variable in this test.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Alex Hung <alex.hung@canonical.com>
---
 src/uefi/securebootcert/securebootcert.c | 56 +++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 2f7de50..3a8c3a5 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -52,6 +52,7 @@ typedef struct _EFI_SIGNATURE_LIST {
 #define VAR_DB_FOUND		(1 << 2)
 #define VAR_KEK_FOUND		(1 << 3)
 #define VAR_AUDITMODE_FOUND	(1 << 4)
+#define VAR_DEPLOYEDMODE_FOUND	(1 << 5)
 
 #define EFI_GLOBAL_VARIABLE \
 { \
@@ -67,6 +68,7 @@ typedef struct _EFI_SIGNATURE_LIST {
 
 static uint8_t var_found;
 static bool securebooted = false;
+static bool deployed = false;
 
 static bool compare_guid(EFI_GUID *guid1, uint8_t *guid2)
 {
@@ -213,6 +215,49 @@ static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, ch
 	}
 }
 
+static void securebootcert_deployed_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+	bool ident = false;
+	EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+	if (strcmp(varname, "DeployedMode"))
+		return;
+
+	var_found |= VAR_DEPLOYEDMODE_FOUND;
+	ident = compare_guid(&global_var_guid, var->guid);
+
+	if (!ident) {
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+			"The secure boot variable %s GUID invalid.", varname);
+		return;
+	}
+	if (var->datalen != 1) {
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid",
+			"The secure boot variable %s size invalid.", varname);
+		return;
+	} else {
+		char *mode;
+		uint8_t value = (uint8_t)var->data[0];
+
+		switch (value) {
+		case 0:
+			mode = "";
+			break;
+		case 1:
+			mode = " (Deployed Mode On)";
+			break;
+		default:
+			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid",
+				"The secure boot variable data invalid.");
+			return;
+		}
+		if (value == 1)
+			deployed = true;
+		fwts_log_info_verbatim(fw, "  Value: 0x%2.2x%s.", value, mode);
+		fwts_passed(fw, "Secure boot relative variable %s check passed.", varname);
+	}
+}
+
 static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len)
 {
 	uint8_t *var_data_addr;
@@ -348,6 +393,7 @@ static securebootcert_info securebootcert_info_table[] = {
 	{ "db",			securebootcert_data_base },
 	{ "KEK",		securebootcert_key_ex_key },
 	{ "AuditMode",		securebootcert_audit_mode },
+	{ "DeployedMode",	securebootcert_deployed_mode },
 	{ NULL, NULL }
 };
 
@@ -423,7 +469,15 @@ static int securebootcert_test1(fwts_framework *fw)
 			"It may because the firmware hasn't been updated to "
 			"support the UEFI Specification 2.6.");
 	}
-	if (securebooted) {
+	if (!(var_found & VAR_DEPLOYEDMODE_FOUND)) {
+		fwts_warning(fw, "The secure boot variable DeployedMode not found.");
+		fwts_advice(fw,
+			"DeployedMode global variable is defined in the UEFI "
+			"Specification 2.6 for new secure boot architecture. "
+			"It may because the firmware hasn't been updated to "
+			"support the UEFI Specification 2.6.");
+	}
+	if (securebooted || deployed) {
 		if (!(var_found & VAR_DB_FOUND))
 			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 				"The secure boot variable DB not found.");