From patchwork Fri Feb 7 05:14:37 2020
X-Patchwork-Id: 1234736
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: u-boot@lists.denx.de, mail@patrick-wildt.de
Subject: [PATCH] efi_loader: add some description about UEFI secure boot
Date: Fri, 7 Feb 2020 14:14:37 +0900
Message-Id: <20200207051437.18747-1-takahiro.akashi@linaro.org>

A small text in docs/uefi/uefi.rst was added to explain how we can configure and utilise the UEFI secure boot feature on U-Boot.

Signed-off-by: AKASHI Takahiro
Acked-by: Ilias Apalodimas
---
 doc/uefi/uefi.rst | 77 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst
index a8fd886d6b5e..98cd770aefe5 100644
--- a/doc/uefi/uefi.rst
+++ b/doc/uefi/uefi.rst
@@ -97,6 +97,83 @@ Below you find the output of an example session starting GRUB:: See doc/uImage.FIT/howto.txt for an introduction to FIT images. +Configuring UEFI secure boot +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +UEFI specification[1] defines a secure way of executing UEFI images +by verifying a signature (or message digest) of image with certificates. +This feature on U-Boot is enabled with:: + + CONFIG_UEFI_SECURE_BOOT=y + +To make the boot sequence safe, you need to establish a chain of trust; +In UEFI secure boot, you can make it with the UEFI variables, "PK" +(Platform Key), "KEK" (Key Exchange Keys), "db" (white list database) +and "dbx" (black list database). + +There are many online documents that describe what UEFI secure boot is +and how it works. Please consult some of them for details. + +Here is a simple example that you can follow for your initial attempt +(Please note that the actual steps would absolutely depend on your system +and environment.): + +1. Install utility commands on your host + * openssl + * efitools + * sbsigntool + +2. 
Create signing keys and key database files on your host + for PK:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \ + -keyout PK.key -out PK.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + PK.crt PK.esl; + $ sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + + for KEK:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \ + -keyout KEK.key -out KEK.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + KEK.crt KEK.esl + $ sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + + for db:: + + $ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \ + -keyout db.key -out db.crt -nodes -days 365 + $ cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ + db.crt db.esl + $ sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + + Copy \*.auth to media, say mmc, that is accessible from U-Boot. + +3. Sign an image with one key in "db" on your host:: + + $ sbsign --key db.key --cert db.crt helloworld.efi + +4. Install keys on your board:: + + ==> fatload mmc 0:1 PK.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize PK + ==> fatload mmc 0:1 KEK.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize KEK + ==> fatload mmc 0:1 db.auth + ==> setenv -e -nv -bs -rt -at -i ,$filesize db + +5. Set up boot parameters on your board:: + + ==> efidebug boot add 1 HELLO mmc 0:1 /helloworld.efi.signed "" + +Then your board runs that image from Boot manager (See below). +You can also try this sequence by running Pytest, test_efi_secboot, +on sandbox:: + + $ cd + $ pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
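Review bot: in step 4 the `setenv -e -nv -bs -rt -at -i ,$filesize PK` lines (and the KEK and db ones) have an empty address in front of the comma, and the preceding `fatload mmc 0:1 PK.auth` gives no load address either, so the reader cannot tell where the .auth blob sits in memory when the authenticated variable write is issued; please spell the address out in both commands, for example `fatload mmc 0:1 <address> PK.auth` followed by `setenv -e -nv -bs -rt -at -i <address>,$filesize PK`, since the `-i addr,size` pair is what tells `setenv -e` which memory to take the time-based authenticated payload from. The Pytest recipe at the end has the same kind of gap: `$ cd` has no directory operand, so the relative path `test/py/tests/test_efi_secboot/test_signed.py` on the next line has nothing to be relative to. Smaller points in the same hunk: `UEFI specification[1]` refers to a footnote that the added text never defines, and the PK `cert-to-efi-sig-list ... PK.crt PK.esl;` line carries a stray trailing semicolon. It would also help to state in a sentence that the `openssl req ... -nodes -days 365` commands produce unencrypted, one-year test keys, which is appropriate for this sandbox walkthrough but is not a key-handling procedure for a shipped platform, where PK and KEK private keys should be kept off the build host.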