From patchwork Sat Jul 11 07:26:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 1327230 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.a=rsa-sha256 header.s=badeba3b8450 header.b=aBpGFbq8; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B3hNC0VbLz9sQt for ; Sat, 11 Jul 2020 17:28:26 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 01AEE822A5; Sat, 11 Jul 2020 09:28:01 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.b="aBpGFbq8"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id BBBF2821D6; Sat, 11 Jul 2020 09:27:56 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 06E31821D6 for ; Sat, 11 Jul 2020 09:27:51 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=xypron.glpk@gmx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1594452470; bh=yWddupnwKWkFq9fDcaQEhKF2rBwvqFwRmuhxoCUQFJI=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=aBpGFbq8vSVxuoWAboMdFzrR2vBu/QrT1FNSfqpq/yUNxGaNeHdWygcTKTMoIqiBY Il8CZhYKJSyOtczjnOfHa2oQqQllKIzkZ3MiXkyTTHKEAK3J4NHT8ydYa+FitN6r05 eLCQtgFgvEkejQmHVq1bp/21tZ6Os34Nx6snCjs0= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from LT02.fritz.box ([88.152.145.75]) by mail.gmx.com (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MWRRZ-1kMwEn00Md-00XpJH; Sat, 11 Jul 2020 09:27:50 +0200 From: Heinrich Schuchardt To: Alexander Graf Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro , Heinrich Schuchardt Subject: [PATCH v4 00/12] efi_loader: rework/improve UEFI secure boot code Date: Sat, 11 Jul 2020 09:26:22 +0200 Message-Id: <20200711072634.290165-1-xypron.glpk@gmx.de> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-Provags-ID: V03:K1:iF5hW3MEpdK4CJ5aFVRhAeVRiZmB19l48MOBf1aRDBFSEAsNyyC 5zGVoEPKCjDaK8dug5YjIyLQ7o8KTGDEjqXlsUqX07s8x2sU6/cNlD17IGBdOjXVNrdppw8 jAWh1tNAvcEOJoM8MtdFxkpcrbY7VpoE/3PpQPgHG6W3GDetDsXhV7yy3KgtkGEtkGTNfuD S1tlyZ3dfpE2okp5knyzg== X-UI-Out-Filterresults: notjunk:1;V03:K0:mIHUF50LlZU=:b8HIY1lfGbsvyQI6rHNJhP gwiflp1lkEA2n2w9SlmthId86N6SzjzJsdqISU+Yrn6VGwEWIZO7aTlNalKjWkNSgYtAVrZ90 h5E0bYNgC/zyJ/tkmt08WZjPrTK29FM9mf92ivBvCM08riiWuQZcKq4vIUn5jWeFEjcOL6wkD 7yixAt2kUSlAnYKgyTlHZo32eXyodfj1m4Sc+RbQaHz6xiswdW44p0luIJK0pXJs9Tpe1R3Gp wWmqwW1FUDJnRnlqo8PUqzO8ZEeTvNiKGc55eqMmRcb8zzh5JzRHgwHiPR/4Knaf9xrYL37Lp FuQbIXUM5EWho4PPVYCqhWt/uE+DbCgch+X/5cJsGGJa8OOoyhHivJkAtXLWiae+jWghnHiuP 9IKUQjFOn+mmfHkP2CRMc9p40von3Y1Q/4F+XpZh5tu7el2JKytl7Bosa+j8KH5IpbIJ392mI EXN8v5okd9971u1kKLUuUnSzoh3BoAyrSJQc9AbV+bhXEn3ohiEnQIk6x5aMenN0OjoHqQ/Bd lcCjpVakUsiyTB+2u6Lmg4pzfALRHV/UMbzmYiKuxh7hWyQePDu4w3BcYNNvebFHNtk97Aazj vnufMIJ1LZ2tc05GJxo6bqD3DmHcbQBbr4JjW2ZXrlR3K3B0qIdH7vXjiCwsW04TiJunTpDJ8 xQf7ucl5kbVbxDvz+7tSfXkd6lAlcuz9O+e1emyja/AkUtKAD9xlQm6SMNbxShZmPpUmOr9YG pbjzUFXwpY+cvLlmYuCi+IV6ONTK1+2VYa5olr9nUpeyxHk8x9ZA3oCok9B1eJMD9bE+j5Yyk ID3CTShIx9MZEjsBFHneNH57vAMK3MllqtxqfJsr3/U+4eUA6/cfjlASHmofQqU3rw3syq2fc ySR7WkRihUyF4sIHJoeZnrN1tBc20CjMpyXSfYThGq5rNTJ9Bsof6nEmNgsLy2/daEU1d1mtg Ke+2RE8XVTPR17jY6kf4R/fv+hyqiI8dCPFWevu4cRa1oiB3OBkr7aZcpFIB7GlDWf050Q5Nj 3Ip/CJZ45Jr1ueFPkIqW8Oclkok1IxMIW6KWCiX+OdM+EXFbk1T7iBTc+PCu3OSN64cMB2VQH HfYaqOJiVJduVrmtOFsFaJnuZICCPobnzvIhAWLM5TKGf0eEOFe0c1pGP3CbH1PfwGzyKQ3eX Pt4X4fSDH5EVDrpu1UBSYvOy6IHN8XVp3B69/QLcHWpP/SBZSw8YKlFndQn9S9M5pAR5UYQCd nLVQ6H8qGZhlmFn6afCvXXbO0CVG0+eMMPs14vQ== X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean This is a respin of Takahiro's patch series adding a defined time stamp for time authenticated variables by calling sign-efi-sig-list with -t in patches 10 - 12. The original patch 01 of version 3 has been obsoleted by lib/crypto: use qualified path for x509_parser.h https://lists.denx.de/pipermail/u-boot/2020-July/419214.html v4 (Jul 11th, 2020) * remove obsolete patch 01/13 of v3 * call sign-efi-sig-list with -t v3 (Jul 8, 2020) * rebased to Heinrich's (current) efi-2020-10-rc1 * removed already-merged commits * include pylint fixes (patch#8, #9 and #10-#13) * print time64_t in "0x%llx" format (patch#4) * make a small change on a description about efi_hash_regions() (patch#5) v2 (Jun 9, 2020) * on top of v2020.07-rc4 * add patch#1,#2 to remove unnecessary hacks in pytest * use EFI_PRINT() instead of debug() everywhere (patch#3-#5) * fix a verification logic so that we should reject an image if, at least, one of signaures be verified by dbx. New efi_signature_verify_one() has a main role. (patch#10) * use "llu" format instead of "llx" to print out the revocation time (patch#10) * add some description about verification logic against multiple signatures (patch#11) v1 (May 29, 2020) * initial release *** BLURB HERE *** AKASHI Takahiro (12): efi_loader: image_loader: add a check against certificate type of authenticode efi_loader: image_loader: retrieve authenticode only if it exists efi_loader: signature: fix a size check against revocation list efi_loader: signature: make efi_hash_regions more generic efi_loader: image_loader: verification for all signatures should pass efi_loader: image_loader: add digest-based verification for signed image test/py: efi_secboot: apply autopep8 test/py: efi_secboot: more fixes against pylint test/py: efi_secboot: split "signed image" test case-1 into two cases test/py: efi_secboot: add a test against certificate revocation test/py: efi_secboot: add a test for multiple signatures test/py: efi_secboot: add a test for verifying with digest of signed image include/efi_loader.h | 15 +- lib/efi_loader/efi_image_loader.c | 162 +++++-- lib/efi_loader/efi_signature.c | 435 +++++++++--------- test/py/tests/test_efi_secboot/conftest.py | 104 +++-- test/py/tests/test_efi_secboot/defs.py | 14 +- .../py/tests/test_efi_secboot/test_authvar.py | 92 ++-- test/py/tests/test_efi_secboot/test_signed.py | 206 +++++++-- .../tests/test_efi_secboot/test_unsigned.py | 66 +-- 8 files changed, 677 insertions(+), 417 deletions(-) --- 2.27.0