From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 01/12] efi_loader: image_loader: add a check against certificate type of authenticode
Date: Sat, 11 Jul 2020 09:26:23 +0200
Message-Id: <20200711072634.290165-2-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

UEFI specification requires that we shall support three types of
certificates of authenticode in PE image:
  WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
  WIN_CERT_TYPE_PKCS_SIGNED_DATA
  WIN_CERT_TYPE_EFI_PKCS1_15

As EDK2 does, we will support the first two that are pkcs7 SignedData.

Signed-off-by: AKASHI Takahiro
---
lib/efi_loader/efi_image_loader.c | 56 ++++++++++++++++++++++++-------
1 file changed, 44 insertions(+), 12 deletions(-)

-- 2.27.0

diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 06a2ebdb90..9b01e1ec90 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -483,7 +483,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) struct efi_signature_store *db = NULL, *dbx = NULL; struct x509_certificate *cert = NULL; void *new_efi = NULL; - size_t new_efi_size; + u8 *auth, *wincerts_end; + size_t new_efi_size, auth_size; bool ret = false; if (!efi_secure_boot_enabled())
@@ -532,21 +533,52 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } /* go through WIN_CERTIFICATE list */ - for (wincert = wincerts; - (void *)wincert < (void *)wincerts + wincerts_len; - wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) { - if (wincert->dwLength < sizeof(*wincert)) { - EFI_PRINT("%s: dwLength too small: %u < %zu\n", - __func__, wincert->dwLength, - sizeof(*wincert)); - goto err; + for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len; + (u8 *)wincert < wincerts_end; + wincert = (WIN_CERTIFICATE *) + ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) { + if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end) + break; + + if (wincert->dwLength <= sizeof(*wincert)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + + EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n", + wincert->wCertificateType); + + auth = (u8 *)wincert + sizeof(*wincert); + auth_size = wincert->dwLength - sizeof(*wincert); + if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) { + if (auth + sizeof(efi_guid_t) >= wincerts_end) + break; + + if (auth_size <= sizeof(efi_guid_t)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) { + EFI_PRINT("Certificate type not supported: %pUl\n", + auth); + continue; + } + + auth += sizeof(efi_guid_t); + auth_size -= sizeof(efi_guid_t); + } else if (wincert->wCertificateType + != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { + EFI_PRINT("Certificate type not supported\n"); + continue; } - msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert), - wincert->dwLength - sizeof(*wincert)); + + msg = pkcs7_parse_message(auth, auth_size); if (IS_ERR(msg)) { EFI_PRINT("Parsing image's signature failed\n"); msg = NULL; - goto err; + continue; } /* try black-list first */
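
Review bot: in the rewritten WIN_CERTIFICATE loop, the "dwLength <= sizeof(*wincert)" case now does continue, but the loop step is ALIGN(wincert->dwLength, 8), so an entry with dwLength == 0 advances by zero bytes and the loop never terminates; the removed code left via goto err at this point. Treat an undersized entry as the end of the table (break) or as an error. The upper bound is also missing: dwLength is never compared with wincerts_end, so auth_size = wincert->dwLength - sizeof(*wincert) can describe bytes past the certificate table when it is handed to pkcs7_parse_message(); check that (u8 *)wincert + wincert->dwLength <= wincerts_end before using it. Minor: the second "dwLength too small" message, in the WIN_CERT_TYPE_EFI_GUID branch, prints wincert->dwLength and sizeof(*wincert) although the test is on auth_size and sizeof(efi_guid_t).
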
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 02/12] efi_loader: image_loader: retrieve authenticode only if it exists
Date: Sat, 11 Jul 2020 09:26:24 +0200
Message-Id: <20200711072634.290165-3-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

Since the certificate table, which is indexed by
IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image,
doesn't always exist, we should make sure that we will retrieve its pointer
only if it exists.

Signed-off-by: AKASHI Takahiro
---
lib/efi_loader/efi_image_loader.c | 29 +++++++++++++++++++++--------
1 file changed, 21 insertions(+), 8 deletions(-)

-- 2.27.0

diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 9b01e1ec90..de230409e3 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -267,6 +267,8 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, dos = (void *)efi; nt = (void *)(efi + dos->e_lfanew); + authoff = 0; + authsz = 0; /* * Count maximum number of regions to be digested.
@@ -305,25 +307,36 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, efi_image_region_add(regs, &opt->DataDirectory[ctidx] + 1, efi + opt->SizeOfHeaders, 0); + + authoff = opt->DataDirectory[ctidx].VirtualAddress; + authsz = opt->DataDirectory[ctidx].Size; } bytes_hashed = opt->SizeOfHeaders; align = opt->FileAlignment; - authoff = opt->DataDirectory[ctidx].VirtualAddress; - authsz = opt->DataDirectory[ctidx].Size; } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader; + /* Skip CheckSum */ efi_image_region_add(regs, efi, &opt->CheckSum, 0); - efi_image_region_add(regs, &opt->Subsystem, - &opt->DataDirectory[ctidx], 0); - efi_image_region_add(regs, &opt->DataDirectory[ctidx] + 1, - efi + opt->SizeOfHeaders, 0); + if (nt->OptionalHeader.NumberOfRvaAndSizes <= ctidx) { + efi_image_region_add(regs, + &opt->Subsystem, + efi + opt->SizeOfHeaders, 0); + } else { + /* Skip Certificates Table */ + efi_image_region_add(regs, &opt->Subsystem, + &opt->DataDirectory[ctidx], 0); + efi_image_region_add(regs, + &opt->DataDirectory[ctidx] + 1, + efi + opt->SizeOfHeaders, 0); + + authoff = opt->DataDirectory[ctidx].VirtualAddress; + authsz = opt->DataDirectory[ctidx].Size; + } bytes_hashed = opt->SizeOfHeaders; align = opt->FileAlignment; - authoff = opt->DataDirectory[ctidx].VirtualAddress; - authsz = opt->DataDirectory[ctidx].Size; } else { EFI_PRINT("%s: Invalid optional header magic %x\n", __func__, nt->OptionalHeader.Magic);
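
Review bot: in the IMAGE_NT_OPTIONAL_HDR32_MAGIC branch the new test reads nt->OptionalHeader.NumberOfRvaAndSizes while every other access in that branch goes through opt; use opt->NumberOfRvaAndSizes so the condition and the DataDirectory[ctidx] accesses visibly refer to the same header. With authoff and authsz now left at 0 when the directory has no certificate-table slot, the code that consumes them has to treat authsz == 0 as "no authenticode" before forming any pointer from authoff. Both values are still copied from the image without validation in the lines shown, so they need checking against len where they are used.
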
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 03/12] efi_loader: signature: fix a size check against revocation list
Date: Sat, 11 Jul 2020 09:26:25 +0200
Message-Id: <20200711072634.290165-4-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in the signature list.

Signed-off-by: AKASHI Takahiro
---
lib/efi_loader/efi_signature.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

-- 2.27.0

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index e05c471c61..cd2df46264 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c
@@ -433,10 +433,11 @@ static bool efi_search_siglist(struct x509_certificate *cert, * time64_t revocation_time; * }; */ - if ((sig_data->size == SHA256_SUM_LEN) && - !memcmp(sig_data->data, hash, SHA256_SUM_LEN)) { + if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) && + !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) { memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN, sizeof(*revoc_time)); + EFI_PRINT("revocation time: 0x%llx\n", *revoc_time); found = true; goto out; }
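
Review bot: the memcmp() in this hunk switches its second operand from hash to msg, which changes which digest is matched against the revocation entries, but the commit message only mentions the size check; say in the message why msg is the right buffer, or move that change into its own patch. The new size test itself is consistent with the memcpy() that follows, since it guarantees that SHA256_SUM_LEN + sizeof(time64_t) bytes are present in sig_data before revoc_time is copied out.
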
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 04/12] efi_loader: signature: make efi_hash_regions more generic
Date: Sat, 11 Jul 2020 09:26:26 +0200
Message-Id: <20200711072634.290165-5-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

There are a couple of occurrences of hash calculations in which a new
efi_hash_regions will be commonly used.

Signed-off-by: AKASHI Takahiro
---
lib/efi_loader/efi_signature.c | 46 +++++++++++++---------------------
1 file changed, 17 insertions(+), 29 deletions(-)

-- 2.27.0

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index cd2df46264..b14d104094 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -28,7 +28,8 @@ const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; /** * efi_hash_regions - calculate a hash value - * @regs: List of regions + * @regs: Array of regions + * @count: Number of regions * @hash: Pointer to a pointer to buffer holding a hash value * @size: Size of buffer to be returned *
@@ -36,18 +37,20 @@ const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; * * Return: true on success, false on error */ -static bool efi_hash_regions(struct efi_image_regions *regs, void **hash, - size_t *size) +static bool efi_hash_regions(struct image_region *regs, int count, + void **hash, size_t *size) { - *size = 0; - *hash = calloc(1, SHA256_SUM_LEN); if (!*hash) { - EFI_PRINT("Out of memory\n"); - return false; + *hash = calloc(1, SHA256_SUM_LEN); + if (!*hash) { + EFI_PRINT("Out of memory\n"); + return false; + } } - *size = SHA256_SUM_LEN; + if (size) + *size = SHA256_SUM_LEN; - hash_calculate("sha256", regs->reg, regs->num, *hash); + hash_calculate("sha256", regs, count, *hash); #ifdef DEBUG EFI_PRINT("hash calculated:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, @@ -72,26 +75,10 @@ static bool efi_hash_msg_content(struct pkcs7_message *msg, void **hash, { struct image_region regtmp; - *size = 0; - *hash = calloc(1, SHA256_SUM_LEN); - if (!*hash) { - EFI_PRINT("Out of memory\n"); - free(msg); - return false; - } - *size = SHA256_SUM_LEN; - regtmp.data = msg->data; regtmp.size = msg->data_len; - hash_calculate("sha256", ®tmp, 1, *hash); -#ifdef DEBUG - EFI_PRINT("hash calculated based on contentInfo:\n"); - print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - *hash, SHA256_SUM_LEN, false); -#endif - - return true; + return efi_hash_regions(®tmp, 1, hash, size); } /** @@ -169,9 +156,10 @@ static bool efi_signature_verify(struct efi_image_regions *regs, false); #endif /* against contentInfo first */ + hash = NULL; if ((msg->data && efi_hash_msg_content(msg, &hash, &size)) || /* for signed image */ - efi_hash_regions(regs, &hash, &size)) { + efi_hash_regions(regs->reg, regs->num, &hash, &size)) { /* for authenticated variable */ if (ps_info->msgdigest_len != size || memcmp(hash, ps_info->msgdigest, size)) { 
@@ -239,7 +227,7 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, regs, signed_info, siglist, valid_cert); if (!signed_info) { - void *hash; + void *hash = NULL; size_t size; EFI_PRINT("%s: unsigned image\n", __func__); 
@@ -253,7 +241,7 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, goto out; } - if (!efi_hash_regions(regs, &hash, &size)) { + if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) { EFI_PRINT("Digesting unsigned image failed\n"); goto out; }
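
Review bot: efi_hash_regions() now allocates only when *hash is NULL and otherwise writes SHA256_SUM_LEN bytes into whatever *hash points to, so every caller must pass either NULL or a buffer of at least that size, yet the kernel-doc hunk adds @count and leaves @hash described only as "Pointer to a pointer to buffer holding a hash value". Document the NULL-or-preallocated contract and that @size may be NULL; an uninitialised hash at any call site not shown here would now be written through instead of being replaced by calloc(). The patch does initialise hash in efi_signature_verify() and efi_signature_verify_with_list(). The commit message should also mention that efi_hash_msg_content() no longer calls free(msg) on allocation failure, since that is a behaviour change beyond the refactoring.
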
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 05/12] efi_loader: image_loader: verification for all signatures should pass
Date: Sat, 11 Jul 2020 09:26:27 +0200
Message-Id: <20200711072634.290165-6-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

A signed image may have multiple signatures in
 - each WIN_CERTIFICATE in authenticode, and/or
 - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE)

In the initial implementation of efi_image_authenticate(), the criteria of verification check for multiple signatures case is a bit ambiguous and it may cause inconsistent results.

With this patch, we will make sure that verification check in efi_image_authenticate() should pass against all the signatures. The only exception would be
 - the case where a digest algorithm used in signature is not supported by U-Boot, or
 - the case where parsing some portion of authenticode has failed
In those cases, we don't know how the signature should be handled and should just ignore them.

Please note that, due to this change, efi_signature_verify_with_sigdb()'s function prototype will be modified, taking "dbx" as well as "db" instead of outputting a "certificate." If "dbx" is null, the behavior would be the exact same as before. The function's name will be changed to efi_signature_verify() once current efi_signature_verify() has gone due to further improvement in intermediate certificates support.

Signed-off-by: AKASHI Takahiro
---
 include/efi_loader.h | 13 +-
 lib/efi_loader/efi_image_loader.c | 43 ++---
 lib/efi_loader/efi_signature.c | 298 +++++++++++++++++------------
 3 files changed, 198 insertions(+), 156 deletions(-)
-- 2.27.0
diff --git a/include/efi_loader.h b/include/efi_loader.h index fc9344c742..2f9fb112b3 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h 
@@ -765,14 +765,15 @@ struct efi_signature_store { struct x509_certificate; struct pkcs7_message; -bool efi_signature_verify_cert(struct x509_certificate *cert, - struct efi_signature_store *dbx); -bool efi_signature_verify_signers(struct pkcs7_message *msg, - struct efi_signature_store *dbx); +bool efi_signature_verify_one(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db); bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, struct pkcs7_message *msg, - struct efi_signature_store *db, - struct x509_certificate **cert); + struct efi_signature_store *db, + struct efi_signature_store *dbx); +bool efi_signature_check_signers(struct pkcs7_message *msg, + struct efi_signature_store *dbx); efi_status_t efi_image_region_add(struct efi_image_regions *regs, const void *start, const void *end, diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index de230409e3..058359fc25 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -448,13 +448,13 @@ static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs) } /* try black-list first */ - if (efi_signature_verify_with_sigdb(regs, NULL, dbx, NULL)) { + if (efi_signature_verify_one(regs, NULL, dbx)) { EFI_PRINT("Image is not signed and rejected by \"dbx\"\n"); goto out; } /* try white-list */ - if (efi_signature_verify_with_sigdb(regs, NULL, db, NULL)) + if (efi_signature_verify_one(regs, NULL, db)) ret = true; else EFI_PRINT("Image is not signed and not found in \"db\" or \"dbx\"\n"); 
@@ -494,12 +494,13 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) size_t wincerts_len; struct pkcs7_message *msg = NULL; struct efi_signature_store *db = NULL, *dbx = NULL; - struct x509_certificate *cert = NULL; void *new_efi = NULL; u8 *auth, *wincerts_end; size_t new_efi_size, auth_size; bool ret = false; + debug("%s: Enter, %d\n", __func__, ret); + if (!efi_secure_boot_enabled()) return true; @@ -545,7 +546,17 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) goto err; } - /* go through WIN_CERTIFICATE list */ + /* + * go through WIN_CERTIFICATE list + * NOTE: + * We may have multiple signatures either as WIN_CERTIFICATE's + * in PE header, or as pkcs7 SignerInfo's in SignedData. + * So the verification policy here is: + * - Success if, at least, one of signatures is verified + * - unless + * any of signatures is rejected explicitly, or + * none of digest algorithms are supported + */ for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len; (u8 *)wincert < wincerts_end; wincert = (WIN_CERTIFICATE *) 
@@ -595,42 +606,32 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } /* try black-list first */ - if (efi_signature_verify_with_sigdb(regs, msg, dbx, NULL)) { + if (efi_signature_verify_one(regs, msg, dbx)) { EFI_PRINT("Signature was rejected by \"dbx\"\n"); goto err; } - if (!efi_signature_verify_signers(msg, dbx)) { - EFI_PRINT("Signer was rejected by \"dbx\"\n"); + if (!efi_signature_check_signers(msg, dbx)) { + EFI_PRINT("Signer(s) in \"dbx\"\n"); goto err; - } else { - ret = true; } /* try white-list */ - if (!efi_signature_verify_with_sigdb(regs, msg, db, &cert)) { - EFI_PRINT("Verifying signature with \"db\" failed\n"); + if (!efi_signature_verify_with_sigdb(regs, msg, db, dbx)) { + EFI_PRINT("Signature was not verified by \"db\"\n"); goto err; - } else { - ret = true; - } - - if (!efi_signature_verify_cert(cert, dbx)) { - EFI_PRINT("Certificate was rejected by \"dbx\"\n"); - goto err; - } else { - ret = true; } } + ret = true; err: - x509_free_certificate(cert); efi_sigstore_free(db); efi_sigstore_free(dbx); pkcs7_free_message(msg); free(regs); free(new_efi); + debug("%s: Exit, %d\n", __func__, ret); return ret; } #else diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index b14d104094..52392d139a 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -301,27 +301,110 @@ out: } /** - * efi_signature_verify_with_sigdb - verify a signature with db + * efi_signature_check_revocation - check revocation with dbx + * @sinfo: Signer's info + * @cert: x509 certificate + * @dbx: Revocation signature database + * + * Search revocation signature database pointed to by @dbx and find + * an entry matching to certificate pointed to by @cert. + * + * While this entry contains revocation time, we don't support timestamp + * protocol at this time and any image will be unconditionally revoked + * when this match occurs. + * + * Return: true if check passed, false otherwise. + */ +static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, + struct x509_certificate *cert, + struct efi_signature_store *dbx) +{ + struct efi_signature_store *siglist; + struct efi_sig_data *sig_data; + struct image_region reg[1]; + void *hash = NULL; + size_t size = 0; + time64_t revoc_time; + bool revoked = false; + + EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx); + + if (!sinfo || !cert || !dbx || !dbx->sig_data_list) + goto out; + + EFI_PRINT("Checking revocation against %s\n", cert->subject); + for (siglist = dbx; siglist; siglist = siglist->next) { + if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) + continue; + + /* calculate hash of TBSCertificate */ + reg[0].data = cert->tbs; + reg[0].size = cert->tbs_size; + if (!efi_hash_regions(reg, 1, &hash, &size)) + goto out; + + for (sig_data = siglist->sig_data_list; sig_data; + sig_data = sig_data->next) { + /* + * struct efi_cert_x509_sha256 { + * u8 tbs_hash[256/8]; + * time64_t revocation_time; + * }; + */ +#ifdef DEBUG + if (sig_data->size >= size) { + EFI_PRINT("hash in db:\n"); + print_hex_dump(" ", DUMP_PREFIX_OFFSET, + 16, 1, + sig_data->data, size, false); + } +#endif + if ((sig_data->size < size + sizeof(time64_t)) || + memcmp(sig_data->data, hash, size)) + continue; + + memcpy(&revoc_time, sig_data->data + size, + sizeof(revoc_time)); + 
EFI_PRINT("revocation time: 0x%llx\n", revoc_time); + /* + * TODO: compare signing timestamp in sinfo + * with revocation time + */ + + revoked = true; + free(hash); + goto out; + } + free(hash); + hash = NULL; + } +out: + EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); + return !revoked; +} + +/** + * efi_signature_verify_one - verify signatures with database * @regs: List of regions to be authenticated * @msg: Signature - * @db: Signature database for trusted certificates - * @cert: x509 certificate that verifies this signature + * @db: Signature database * - * Signature pointed to by @msg against image pointed to by @regs - * is verified by signature database pointed to by @db. + * All the signature pointed to by @msg against image pointed to by @regs + * will be verified by signature database pointed to by @db. * - * Return: true if signature is verified, false if not + * Return: true if verification for one of signatures passed, false + * otherwise */ -bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, - struct pkcs7_message *msg, - struct efi_signature_store *db, - struct x509_certificate **cert) +bool efi_signature_verify_one(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db) { - struct pkcs7_signed_info *info; + struct pkcs7_signed_info *sinfo; struct efi_signature_store *siglist; + struct x509_certificate *cert; bool verified = false; - EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, cert); + EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, regs, msg, db); if (!db) goto out; 
@@ -334,27 +417,26 @@ bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, EFI_PRINT("%s: Verify unsigned image with db\n", __func__); for (siglist = db; siglist; siglist = siglist->next) if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, cert)) { + siglist, &cert)) { verified = true; - goto out; + break; } - goto out; } /* for signed image or variable */ EFI_PRINT("%s: Verify signed image with db\n", __func__); - for (info = msg->signed_infos; info; info = info->next) { + for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", - info->sig->hash_algo, info->sig->pkey_algo); + sinfo->sig->hash_algo, sinfo->sig->pkey_algo); - for (siglist = db; siglist; siglist = siglist->next) { - if (efi_signature_verify_with_list(regs, msg, info, - siglist, cert)) { + for (siglist = db; siglist; siglist = siglist->next) + if (efi_signature_verify_with_list(regs, msg, sinfo, + siglist, &cert)) { verified = true; goto out; } - } + EFI_PRINT("Valid certificate not in \"db\"\n"); } out: 
@@ -363,150 +445,108 @@ out: } /** - * efi_search_siglist - search signature list for a certificate - * @cert: x509 certificate - * @siglist: Signature list - * @revoc_time: Pointer to buffer for revocation time + * efi_signature_verify_with_sigdb - verify signatures with db and dbx + * @regs: List of regions to be authenticated + * @msg: Signature + * @db: Signature database for trusted certificates + * @dbx: Revocation signature database * - * Search signature list pointed to by @siglist and find a certificate - * pointed to by @cert. - * If found, revocation time that is specified in signature database is - * returned in @revoc_time. + * All the signature pointed to by @msg against image pointed to by @regs + * will be verified by signature database pointed to by @db and @dbx. * - * Return: true if certificate is found, false if not + * Return: true if verification for all signatures passed, false otherwise */ -static bool efi_search_siglist(struct x509_certificate *cert, - struct efi_signature_store *siglist, - time64_t *revoc_time) +bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db, + struct efi_signature_store *dbx) { - struct image_region reg[1]; - void *hash = NULL, *msg = NULL; - struct efi_sig_data *sig_data; - bool found = false; + struct pkcs7_signed_info *info; + struct efi_signature_store *siglist; + struct x509_certificate *cert; + bool verified = false; - /* can be null */ - if (!siglist->sig_data_list) - return false; + EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx); - if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) { - /* TODO: other hash algos */ - EFI_PRINT("Certificate's digest type is not supported: %pUl\n", - &siglist->sig_type); + if (!db) goto out; - } - /* calculate hash of TBSCertificate */ - msg = calloc(1, SHA256_SUM_LEN); - if (!msg) { - EFI_PRINT("Out of memory\n"); + if (!db->sig_data_list) goto out; - } - hash = 
calloc(1, SHA256_SUM_LEN); - if (!hash) { - EFI_PRINT("Out of memory\n"); + /* for unsigned image */ + if (!msg) { + EFI_PRINT("%s: Verify unsigned image with db\n", __func__); + for (siglist = db; siglist; siglist = siglist->next) + if (efi_signature_verify_with_list(regs, NULL, NULL, + siglist, &cert)) { + verified = true; + break; + } goto out; } - reg[0].data = cert->tbs; - reg[0].size = cert->tbs_size; - hash_calculate("sha256", reg, 1, msg); + /* for signed image or variable */ + EFI_PRINT("%s: Verify signed image with db\n", __func__); + for (info = msg->signed_infos; info; info = info->next) { + EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", + info->sig->hash_algo, info->sig->pkey_algo); - /* go through signature list */ - for (sig_data = siglist->sig_data_list; sig_data; - sig_data = sig_data->next) { - /* - * struct efi_cert_x509_sha256 { - * u8 tbs_hash[256/8]; - * time64_t revocation_time; - * }; - */ - if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) && - !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) { - memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN, - sizeof(*revoc_time)); - EFI_PRINT("revocation time: 0x%llx\n", *revoc_time); - found = true; + for (siglist = db; siglist; siglist = siglist->next) { + if (efi_signature_verify_with_list(regs, msg, info, + siglist, &cert)) + break; + } + if (!siglist) { + EFI_PRINT("Valid certificate not in \"db\"\n"); goto out; } - } - -out: - free(hash); - free(msg); - - return found; -} - -/** - * efi_signature_verify_cert - verify a certificate with dbx - * @cert: x509 certificate - * @dbx: Signature database - * - * Search signature database pointed to by @dbx and find a certificate - * pointed to by @cert. - * This function is expected to be used against "dbx". - * - * Return: true if a certificate is not rejected, false otherwise. 
- */ -bool efi_signature_verify_cert(struct x509_certificate *cert, - struct efi_signature_store *dbx) -{ - struct efi_signature_store *siglist; - time64_t revoc_time; - bool found = false; - EFI_PRINT("%s: Enter, %p, %p\n", __func__, dbx, cert); - - if (!cert) - return false; - - for (siglist = dbx; siglist; siglist = siglist->next) { - if (efi_search_siglist(cert, siglist, &revoc_time)) { - /* TODO */ - /* compare signing time with revocation time */ + if (!dbx || efi_signature_check_revocation(info, cert, dbx)) + continue; - found = true; - break; - } + EFI_PRINT("Certificate in \"dbx\"\n"); + goto out; } + verified = true; - EFI_PRINT("%s: Exit, verified: %d\n", __func__, !found); - return !found; +out: + EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified); + return verified; } /** - * efi_signature_verify_signers - verify signers' certificates with dbx + * efi_signature_check_signers - check revocation against all signers with dbx * @msg: Signature - * @dbx: Signature database + * @dbx: Revocation signature database * - * Determine if any of signers' certificates in @msg may be verified - * by any of certificates in signature database pointed to by @dbx. - * This function is expected to be used against "dbx". + * Determine if none of signers' certificates in @msg are revoked + * by signature database pointed to by @dbx. * - * Return: true if none of certificates is rejected, false otherwise. + * Return: true if all signers passed, false otherwise. 
*/ -bool efi_signature_verify_signers(struct pkcs7_message *msg, - struct efi_signature_store *dbx) +bool efi_signature_check_signers(struct pkcs7_message *msg, + struct efi_signature_store *dbx) { - struct pkcs7_signed_info *info; - bool found = false; + struct pkcs7_signed_info *sinfo; + bool revoked = false; EFI_PRINT("%s: Enter, %p, %p\n", __func__, msg, dbx); - if (!msg) + if (!msg || !dbx) goto out; - for (info = msg->signed_infos; info; info = info->next) { - if (info->signer && - !efi_signature_verify_cert(info->signer, dbx)) { - found = true; - goto out; + for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->signer && + !efi_signature_check_revocation(sinfo, sinfo->signer, + dbx)) { + revoked = true; + break; } } out: - EFI_PRINT("%s: Exit, verified: %d\n", __func__, !found); - return !found; + EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); + return !revoked; } /**
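Review bot: the NOTE comment added above the WIN_CERTIFICATE loop in efi_image_authenticate() states the policy as "Success if, at least, one of signatures is verified", which contradicts both the commit message and the new kernel-doc of efi_signature_verify_with_sigdb() ("true if verification for all signatures passed"). Reword the comment to the all-must-pass rule with its two stated exceptions, so that a later reader does not relax the check to match the comment.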
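Review bot: with the per-branch ret = true assignments removed, the single ret = true placed after the WIN_CERTIFICATE loop in efi_image_authenticate() is reached whenever no iteration takes goto err, which includes the case where every entry was ignored for the reasons the commit message lists (unsupported digest algorithm, authenticode parse failure) and nothing was verified against "db". The comment added in this same patch says success should not be reported when none of the digest algorithms are supported, but nothing in the visible lines enforces it. Record that at least one signature passed efi_signature_verify_with_sigdb() and set ret = true only in that case.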
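Review bot: efi_signature_check_revocation() fails open in two places: when efi_hash_regions() fails it jumps to out with revoked still false, so the function returns true, and dbx lists whose type is not efi_guid_cert_x509_sha256 are skipped with a bare continue, losing the "Certificate's digest type is not supported" message that the removed efi_search_siglist() printed. For a revocation check a hashing failure should lead to rejection, or at least be reported to the caller, and skipped list types should still be logged. The TBSCertificate hash does not depend on siglist, so it can be computed once before the loop rather than once per list.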
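Review bot: in the rewritten efi_signature_verify_with_sigdb(), verified = true is assigned after the loop over msg->signed_infos, so a pkcs7 message whose signed_infos list is empty returns true without any signature having been checked. Require that at least one SignerInfo was verified before returning true. cert is also declared without an initialiser and handed to efi_signature_check_revocation(), which returns true for a NULL cert; initialise it to NULL and decide explicitly whether a missing certificate may pass the dbx check.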
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 06/12] efi_loader: image_loader: add digest-based verification for signed image
Date: Sat, 11 Jul 2020 09:26:28 +0200
Message-Id: <20200711072634.290165-7-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of the image to be loaded. If the value matches a value calculated from a given binary image, it is granted for loading.

With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and an extra step for digest check will be added to efi_image_authenticate().

Signed-off-by: AKASHI Takahiro
---
 include/efi_loader.h | 2 +
 lib/efi_loader/efi_image_loader.c | 44 ++++++++--
 lib/efi_loader/efi_signature.c | 128 ++++++++++++++----------------
 3 files changed, 99 insertions(+), 75 deletions(-)
-- 2.27.0
diff --git a/include/efi_loader.h b/include/efi_loader.h index 2f9fb112b3..ceabbaadd0 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -765,6 +765,8 @@ struct efi_signature_store { struct x509_certificate; struct pkcs7_message; +bool efi_signature_lookup_digest(struct efi_image_regions *regs, + struct efi_signature_store *db); bool efi_signature_verify_one(struct efi_image_regions *regs, struct pkcs7_message *msg, struct efi_signature_store *db); diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 058359fc25..b7cf26046e 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c 
@@ -448,16 +448,16 @@ static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs) } /* try black-list first */ - if (efi_signature_verify_one(regs, NULL, dbx)) { - EFI_PRINT("Image is not signed and rejected by \"dbx\"\n"); + if (efi_signature_lookup_digest(regs, dbx)) { + EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n"); goto out; } /* try white-list */ - if (efi_signature_verify_one(regs, NULL, db)) + if (efi_signature_lookup_digest(regs, db)) ret = true; else - EFI_PRINT("Image is not signed and not found in \"db\" or \"dbx\"\n"); + EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n"); out: efi_sigstore_free(db); @@ -605,6 +605,25 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) continue; } + /* + * NOTE: + * UEFI specification defines two signature types possible + * in signature database: + * a. x509 certificate, where a signature in image is + * a message digest encrypted by RSA public key + * (EFI_CERT_X509_GUID) + * b. bare hash value of message digest + * (EFI_CERT_SHAxxx_GUID) + * + * efi_signature_verify() handles case (a), while + * efi_signature_lookup_digest() handles case (b). + * + * There is a third type: + * c. message digest of a certificate + * (EFI_CERT_X509_SHAAxxx_GUID) + * This type of signature is used only in revocation list + * (dbx) and handled as part of efi_signatgure_verify(). + */ /* try black-list first */ if (efi_signature_verify_one(regs, msg, dbx)) { EFI_PRINT("Signature was rejected by \"dbx\"\n"); 
@@ -616,11 +635,22 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) goto err; } - /* try white-list */ - if (!efi_signature_verify_with_sigdb(regs, msg, db, dbx)) { - EFI_PRINT("Signature was not verified by \"db\"\n"); + if (efi_signature_lookup_digest(regs, dbx)) { + EFI_PRINT("Image's digest was found in \"dbx\"\n"); goto err; } + + /* try white-list */ + if (efi_signature_verify_with_sigdb(regs, msg, db, dbx)) + continue; + + debug("Signature was not verified by \"db\"\n"); + + if (efi_signature_lookup_digest(regs, db)) + continue; + + debug("Image's digest was not found in \"db\" or \"dbx\"\n"); + goto err; } ret = true; diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 52392d139a..fc0314e6d4 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c 
@@ -198,55 +198,43 @@ out: } /** - * efi_signature_verify_with_list - verify a signature with signature list - * @regs: List of regions to be authenticated - * @msg: Signature - * @signed_info: Pointer to PKCS7's signed_info - * @siglist: Signature list for certificates - * @valid_cert: x509 certificate that verifies this signature + * efi_signature_lookup_digest - search for an image's digest in sigdb + * @regs: List of regions to be authenticated + * @db: Signature database for trusted certificates * - * Signature pointed to by @signed_info against image pointed to by @regs - * is verified by signature list pointed to by @siglist. - * Signature database is a simple concatenation of one or more - * signature list(s). + * A message digest of image pointed to by @regs is calculated and + * its hash value is compared to entries in signature database pointed + * to by @db. * - * Return: true if signature is verified, false if not + * Return: true if found, false if not */ -static -bool efi_signature_verify_with_list(struct efi_image_regions *regs, - struct pkcs7_message *msg, - struct pkcs7_signed_info *signed_info, - struct efi_signature_store *siglist, - struct x509_certificate **valid_cert) +bool efi_signature_lookup_digest(struct efi_image_regions *regs, + struct efi_signature_store *db) { - struct x509_certificate *cert; + struct efi_signature_store *siglist; struct efi_sig_data *sig_data; - bool verified = false; + void *hash = NULL; + size_t size = 0; + bool found = false; - EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, - regs, signed_info, siglist, valid_cert); + EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db); - if (!signed_info) { - void *hash = NULL; - size_t size; + if (!regs || !db || !db->sig_data_list) + goto out; - EFI_PRINT("%s: unsigned image\n", __func__); - /* - * verify based on calculated hash value - * TODO: support other hash algorithms - */ + for (siglist = db; siglist; siglist = siglist->next) { + /* TODO: support other hash 
algorithms */ if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) { EFI_PRINT("Digest algorithm is not supported: %pUl\n", &siglist->sig_type); - goto out; + break; } if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) { - EFI_PRINT("Digesting unsigned image failed\n"); - goto out; + EFI_PRINT("Digesting an image failed\n"); + break; } - /* go through the list */ for (sig_data = siglist->sig_data_list; sig_data; sig_data = sig_data->next) { #ifdef DEBUG 
@@ -254,18 +242,52 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, sig_data->data, sig_data->size, false); #endif - if ((sig_data->size == size) && + if (sig_data->size == size && !memcmp(sig_data->data, hash, size)) { - verified = true; + found = true; free(hash); goto out; } } + free(hash); - goto out; + hash = NULL; } - EFI_PRINT("%s: signed image\n", __func__); +out: + EFI_PRINT("%s: Exit, found: %d\n", __func__, found); + return found; +} + +/** + * efi_signature_verify_with_list - verify a signature with signature list + * @regs: List of regions to be authenticated + * @msg: Signature + * @signed_info: Pointer to PKCS7's signed_info + * @siglist: Signature list for certificates + * @valid_cert: x509 certificate that verifies this signature + * + * Signature pointed to by @signed_info against image pointed to by @regs + * is verified by signature list pointed to by @siglist. + * Signature database is a simple concatenation of one or more + * signature list(s). + * + * Return: true if signature is verified, false if not + */ +static +bool efi_signature_verify_with_list(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct pkcs7_signed_info *signed_info, + struct efi_signature_store *siglist, + struct x509_certificate **valid_cert) +{ + struct x509_certificate *cert; + struct efi_sig_data *sig_data; + bool verified = false; + + EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, + regs, signed_info, siglist, valid_cert); + if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) { EFI_PRINT("Signature type is not supported: %pUl\n", &siglist->sig_type); 
@@ -412,19 +434,6 @@ bool efi_signature_verify_one(struct efi_image_regions *regs, if (!db->sig_data_list) goto out; - /* for unsigned image */ - if (!msg) { - EFI_PRINT("%s: Verify unsigned image with db\n", __func__); - for (siglist = db; siglist; siglist = siglist->next) - if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, &cert)) { - verified = true; - break; - } - goto out; - } - - /* for signed image or variable */ EFI_PRINT("%s: Verify signed image with db\n", __func__); for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", 
@@ -468,26 +477,9 @@ bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx); - if (!db) - goto out; - - if (!db->sig_data_list) + if (!regs || !msg || !db || !db->sig_data_list) goto out; - /* for unsigned image */ - if (!msg) { - EFI_PRINT("%s: Verify unsigned image with db\n", __func__); - for (siglist = db; siglist; siglist = siglist->next) - if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, &cert)) { - verified = true; - break; - } - goto out; - } - - /* for signed image or variable */ - EFI_PRINT("%s: Verify signed image with db\n", __func__); for (info = msg->signed_infos; info; info = info->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", info->sig->hash_algo, info->sig->pkey_algo);
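Review bot: in efi_signature_lookup_digest() (hunk at -198,55) a signature list whose sig_type is not efi_guid_sha256 hits "break", which ends the walk over the whole db instead of skipping that one list. A db that carries an X.509 list ahead of a SHA-256 list would never have its digest entries compared, so an image allowed only by hash is reported as not found; if the helper is ever pointed at a revocation list, stopping early would skip revoked digests. Use "continue" for the unsupported-type case so the remaining lists are still searched.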
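Review bot: "free(hash); hash = NULL;" at the bottom of the siglist loop (hunk at -254,18) means efi_hash_regions() digests the same regions again for every signature list. While SHA-256 is the only supported type the digest does not depend on siglist, so compute it once before the loop and free it at "out:"; that also removes the separate free(hash) on the found path.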
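Review bot: efi_signature_verify_one() (hunk at -412,19) loses its "if (!msg)" branch, but the context shown keeps only the db->sig_data_list test, so msg->signed_infos is dereferenced with no NULL check in view. efi_signature_verify_with_sigdb() gets "if (!regs || !msg || !db || !db->sig_data_list)" in the next hunk; apply the same guard here so a caller that still passes NULL for an unsigned image fails closed instead of faulting.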
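Review bot: the kernel-doc of efi_signature_verify_with_sigdb() needs updating for the new early exit (hunk at -468,26): with "!msg" folded into the first "goto out", an unsigned image is now rejected where the removed branch used to search db by digest. State that msg must be non-NULL and that unsigned images go through efi_signature_lookup_digest(), and consider keeping an EFI_PRINT on that exit, since the removed trace messages were the only hint of which path was taken.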
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro, Heinrich Schuchardt
Subject: [PATCH v4 07/12] test/py: efi_secboot: apply autopep8
Date: Sat, 11 Jul 2020 09:26:29 +0200
Message-Id: <20200711072634.290165-8-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it.

Suggested-by: Heinrich Schuchardt
Signed-off-by: AKASHI Takahiro
--- test/py/tests/test_efi_secboot/conftest.py | 74 ++++++++++--------- test/py/tests/test_efi_secboot/defs.py | 14 ++-- .../py/tests/test_efi_secboot/test_authvar.py | 1 + test/py/tests/test_efi_secboot/test_signed.py | 1 + .../tests/test_efi_secboot/test_unsigned.py | 37 +++++----- 5 files changed, 67 insertions(+), 60 deletions(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index ac5a780fdb..82bc8886c4 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -10,6 +10,8 @@ from subprocess import call, check_call, check_output, CalledProcessError from defs import * # from test/py/conftest.py + + def tool_is_in_path(tool): for path in os.environ["PATH"].split(os.pathsep): fn = os.path.join(path, tool) @@ -20,13 +22,15 @@ def tool_is_in_path(tool): # # Fixture for UEFI secure boot test # + + @pytest.fixture(scope='session') def efi_boot_env(request, u_boot_config): """Set up a file system to be used in UEFI secure boot test. Args: request: Pytest request object. - u_boot_config: U-boot configuration. + u_boot_config: U-boot configuration. Return: A path to disk image to be used for testing
@@ -48,20 +52,20 @@ def efi_boot_env(request, u_boot_config): # create a disk/partition check_call('dd if=/dev/zero of=%s bs=1MiB count=%d' - % (image_path, image_size), shell=True) + % (image_path, image_size), shell=True) check_call('sgdisk %s -n 1:0:+%dMiB' - % (image_path, part_size), shell=True) + % (image_path, part_size), shell=True) # create a file system check_call('dd if=/dev/zero of=%s.tmp bs=1MiB count=%d' - % (image_path, part_size), shell=True) + % (image_path, part_size), shell=True) check_call('mkfs -t %s %s.tmp' % (fs_type, image_path), shell=True) check_call('dd if=%s.tmp of=%s bs=1MiB seek=1 count=%d conv=notrunc' - % (image_path, image_path, 1), shell=True) + % (image_path, image_path, 1), shell=True) check_call('rm %s.tmp' % image_path, shell=True) loop_dev = check_output('sudo losetup -o 1MiB --sizelimit %dMiB --show -f %s | tr -d "\n"' % (part_size, image_path), shell=True).decode() check_output('sudo mount -t %s -o umask=000 %s %s' - % (fs_type, loop_dev, mnt_point), shell=True) + % (fs_type, loop_dev, mnt_point), shell=True) # suffix # *.key: RSA private key in PEM 
@@ -73,53 +77,53 @@ def efi_boot_env(request, u_boot_config): # *.efi.signed: signed UEFI image # Create signature database - ## PK + # PK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## PK_null for deletion + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # PK_null for deletion check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' - % (mnt_point, EFITOOLS_PATH), shell=True) - ## KEK + % (mnt_point, EFITOOLS_PATH), shell=True) + # KEK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db1 + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db1 check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) 
check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db1-update + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db1-update check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' - % (mnt_point, EFITOOLS_PATH), shell=True) - ## dbx + % (mnt_point, EFITOOLS_PATH), shell=True) + # dbx check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) - ## Sign image + # Sign image check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' - % mnt_point, shell=True) - ## Digest image + % mnt_point, shell=True) + # Digest image check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' - % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), - shell=True) + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), + shell=True) check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) diff --git a/test/py/tests/test_efi_secboot/defs.py b/test/py/tests/test_efi_secboot/defs.py index d6222809c5..099f453979 100644 --- a/test/py/tests/test_efi_secboot/defs.py +++ b/test/py/tests/test_efi_secboot/defs.py 
@@ -1,21 +1,21 @@ # SPDX-License-Identifier: GPL-2.0+ # Disk image name -EFI_SECBOOT_IMAGE_NAME='test_efi_secboot.img' +EFI_SECBOOT_IMAGE_NAME = 'test_efi_secboot.img' # Size in MiB -EFI_SECBOOT_IMAGE_SIZE=16 -EFI_SECBOOT_PART_SIZE=8 +EFI_SECBOOT_IMAGE_SIZE = 16 +EFI_SECBOOT_PART_SIZE = 8 # Partition file system type -EFI_SECBOOT_FS_TYPE='vfat' +EFI_SECBOOT_FS_TYPE = 'vfat' # Owner guid -GUID='11111111-2222-3333-4444-123456789abc' +GUID = '11111111-2222-3333-4444-123456789abc' # v1.5.1 or earlier of efitools has a bug in sha256 calculation, and # you need build a newer version on your own. -EFITOOLS_PATH='' +EFITOOLS_PATH = '' # Hello World application for sandbox -HELLO_PATH='' +HELLO_PATH = '' diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 148aa3123e..359adba4b4 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -11,6 +11,7 @@ This test verifies variable authentication import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_fat') diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 19d78b1b64..6d4b03ef41 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -11,6 +11,7 @@ This test verifies image authentication for signed images. import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_efidebug') diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index c42c5ddc47..3748b51ee7 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py 
@@ -11,6 +11,7 @@ This test verifies image authentication for unsigned images. import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_efidebug') @@ -28,10 +29,10 @@ class TestEfiUnsignedImage(object): # Test Case 1 output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ @@ -55,12 +56,12 @@ class TestEfiUnsignedImage(object): # Test Case 2 output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ 
@@ -79,12 +80,12 @@ class TestEfiUnsignedImage(object): # Test Case 3a, rejected by dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ 
@@ -101,8 +102,8 @@ class TestEfiUnsignedImage(object): with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([
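Review bot: the blank lines autopep8 inserts in conftest.py (hunks at -10,6 and -20,13) land between a comment and the definition it describes: "# from test/py/conftest.py" is now detached from tool_is_in_path(), and the "# Fixture for UEFI secure boot test" banner from the @pytest.fixture decorator. Move each comment below the added blank lines, or fold it into the docstring, so it stays attached to its function.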
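Review bot: efi_boot_env() (conftest.py hunks at -48,20 and -73,53) still builds every command by % formatting and runs it with shell=True, including the "sudo losetup" and "sudo mount" calls that take image_path and mnt_point. Since each call is rewrapped here anyway, pass argument lists with cwd=mnt_point in place of the "cd %s;" prefix, so a path containing spaces or shell metacharacters cannot change what is executed under sudo.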
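Review bot: defs.py (hunk at -1,21) leaves EFITOOLS_PATH and HELLO_PATH as empty strings with one-line comments that do not say what form the value must take. conftest.py prefixes tool names with it directly ("%scert-to-efi-sig-list"), so EFITOOLS_PATH needs a trailing slash when set, and "cp %s %s" with an empty HELLO_PATH cannot succeed; document both expectations next to the definitions.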
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 08/12] test/py: efi_secboot: more fixes against pylint
Date: Sat, 11 Jul 2020 09:26:30 +0200
Message-Id: <20200711072634.290165-9-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>

From: AKASHI Takahiro

More fixes against pylint warnings that autopep8 didn't handle in the previous commit.

Signed-off-by: AKASHI Takahiro
--- test/py/tests/test_efi_secboot/conftest.py | 11 +-- .../py/tests/test_efi_secboot/test_authvar.py | 91 +++++++++---------- test/py/tests/test_efi_secboot/test_signed.py | 31 +++---- .../tests/test_efi_secboot/test_unsigned.py | 29 +++--- 4 files changed, 79 insertions(+), 83 deletions(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 82bc8886c4..c0ee8be9f7 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -4,9 +4,8 @@ import os import os.path -import pytest -import re from subprocess import call, check_call, check_output, CalledProcessError +import pytest from defs import * # from test/py/conftest.py @@ -14,8 +13,8 @@ from defs import * def tool_is_in_path(tool): for path in os.environ["PATH"].split(os.pathsep): - fn = os.path.join(path, tool) - if os.path.isfile(fn) and os.access(fn, os.X_OK): + full_path = os.path.join(path, tool) + if os.path.isfile(full_path) and os.access(full_path, os.X_OK): return True return False
@@ -128,8 +127,8 @@ def efi_boot_env(request, u_boot_config): check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) - except CalledProcessError as e: - pytest.skip('Setup failed: %s' % e.cmd) + except CalledProcessError as exception: + pytest.skip('Setup failed: %s' % exception.cmd) return else: yield image_path diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 359adba4b4..d0c6b9035b 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -9,7 +9,6 @@ This test verifies variable authentication """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') @@ -29,18 +28,18 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'printenv -e SecureBoot']) - assert('00000000: 00' in ''.join(output)) + assert '00000000: 00' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1b'): # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize PK']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1c'): # Test Case 1c, install PK 
@@ -48,79 +47,79 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert('PK:' in ''.join(output)) + assert 'PK:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 00' in output) + assert '00000000: 00' in output with u_boot_console.log.section('Test Case 1d'): # Test Case 1d, db/dbx without KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1e'): # Test Case 1e, install KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize KEK']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'printenv -e -n KEK']) - assert('KEK:' in ''.join(output)) + assert 'KEK:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1f'): # Test Case 1f, install db output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) - assert('Failed to set EFI variable' 
in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1g'): # Test Case 1g, install dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize dbx']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('dbx:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'dbx:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output def test_efi_var_auth2(self, u_boot_console, efi_boot_env): """ 
@@ -139,20 +138,20 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2c'): # Test Case 2c, update with correct signature @@ -160,8 +159,8 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth3(self, u_boot_console, efi_boot_env): """ 
@@ -180,20 +179,20 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -a -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3c'): # Test Case 3c, update with correct signature @@ -201,8 +200,8 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth4(self, u_boot_console, efi_boot_env): """ 
@@ -221,22 +220,22 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'setenv -e -nv -bs -rt db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'db:' in ''.join(output) with u_boot_console.log.section('Test Case 4b'): # Test Case 4b, update without correct signature/data output = u_boot_console.run_command_list([ 'setenv -e -nv -bs -rt -at db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth5(self, u_boot_console, efi_boot_env): """ 
@@ -255,15 +254,15 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('PK:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'PK:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK_null.esl', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('PK:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'PK:' in ''.join(output) with u_boot_console.log.section('Test Case 5b'): # Test Case 5b, Uninstall PK with correct signature @@ -271,12 +270,12 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 PK_null.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('\"PK\" not defined' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert '\"PK\" not defined' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 00' in output) + assert '00000000: 00' in output output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 01' in output) + assert '00000000: 01' in output diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 6d4b03ef41..4e6f129b7f 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -9,7 +9,6 @@ This test verifies image authentication for signed images. """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') 
@@ -32,7 +31,7 @@ class TestEfiSignedImage(object): 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1b'): # Test Case 1b, run unsigned image if no db/dbx @@ -40,7 +39,7 @@ class TestEfiSignedImage(object): 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1c'): # Test Case 1c, not authenticated by db @@ -51,23 +50,23 @@ class TestEfiSignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'bootefi bootmgr']) - assert('\'HELLO2\' failed' in ''.join(output)) + assert '\'HELLO2\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 1d'): # Test Case 1d, authenticated by db output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): """ 
@@ -85,30 +84,30 @@ class TestEfiSignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index 3748b51ee7..c4c3f4c202 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py 
@@ -9,7 +9,6 @@ This test verifies image authentication for unsigned images. """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') @@ -33,18 +32,18 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env): """ @@ -62,13 +61,13 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env): """ 
@@ -86,33 +85,33 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db_hello.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' 
not in ''.join(output)
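Review bot: the negative checks rewritten here, such as `assert 'Failed to set EFI variable' not in ''.join(output)` after the KEK and PK installs in TestEfiSignedImage and TestEfiUnsignedImage, pass on any output that merely lacks that string, so on their own they do not show that secure boot was switched on before the image is started. While these lines are being touched, consider following them with a positive check, as the TestEfiAuthVar hunks do with `'db:' in ''.join(output)` and with `'00000000: 01' in output` after `printenv -e SecureBoot`.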
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro
Subject: [PATCH v4 09/12] test/py: efi_secboot: split "signed image" test case-1 into two cases
Date: Sat, 11 Jul 2020 09:26:31 +0200
Message-Id: <20200711072634.290165-10-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>
From: AKASHI Takahiro

Split the existing test case-1 into case-1 and a new case-2: case-1 for non-SecureBoot mode; case-2 for SecureBoot mode. In addition, one corner case is added to case-2; an image is signed but a corresponding certificate is not yet installed in "db."

Signed-off-by: AKASHI Takahiro
---
test/py/tests/test_efi_secboot/test_signed.py | 66 +++++++++++--------
1 file changed, 38 insertions(+), 28 deletions(-)
--
2.27.0

diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 4e6f129b7f..8ea45c8486 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -20,12 +20,12 @@ import pytest class TestEfiSignedImage(object): def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env): """ - Test Case 1 - authenticated by db + Test Case 1 - Secure boot is not in force """ u_boot_console.restart_uboot() disk_img = efi_boot_env with u_boot_console.log.section('Test Case 1a'): - # Test Case 1a, run signed image if no db/dbx + # Test Case 1a, run signed image if no PK output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', 
@@ -34,48 +34,66 @@ class TestEfiSignedImage(object): assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1b'): - # Test Case 1b, run unsigned image if no db/dbx + # Test Case 1b, run unsigned image if no PK output = u_boot_console.run_command_list([ 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 1c'): - # Test Case 1c, not authenticated by db + def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): + """ + Test Case 2 - Secure boot is in force, + authenticated by db (TEST_db certificate in db) + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 2a'): + # Test Case 2a, db is not yet installed output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert('\'HELLO1\' failed' in ''.join(output)) + assert('efi_start_image() returned: 26' in ''.join(output)) + output = u_boot_console.run_command_list([ + 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', - 'bootefi bootmgr']) + 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 2b'): + # Test Case 2b, authenticated by db + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db.auth', + 'setenv 
-e -nv -bs -rt -at -i 4000000,$filesize db']) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'efidebug test bootmgr']) + assert '\'HELLO2\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' not in ''.join(output) - - with u_boot_console.log.section('Test Case 1d'): - # Test Case 1d, authenticated by db output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth3(self, u_boot_console, efi_boot_env): """ - Test Case 2 - rejected by dbx + Test Case 3 - rejected by dbx (TEST_db certificate in dbx) """ u_boot_console.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 2a'): - # Test Case 2a, rejected by dbx + with u_boot_console.log.section('Test Case 3a'): + # Test Case 3a, rejected by dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 
@@ -87,27 +105,19 @@ class TestEfiSignedImage(object): assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', - 'efidebug boot next 1', - 'bootefi bootmgr']) - assert '\'HELLO\' failed' in ''.join(output) - output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' not in ''.join(output) - with u_boot_console.log.section('Test Case 2b'): - # Test Case 2b, rejected by dbx even if db allows + with u_boot_console.log.section('Test Case 3b'): + # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ - 'efidebug boot next 1', - 'bootefi bootmgr']) - assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' 
not in ''.join(output)
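Review bot: in the new Test Case 2a the two asserts added for HELLO1, `assert('\'HELLO1\' failed' in ''.join(output))` and `assert('efi_start_image() returned: 26' in ''.join(output))`, are written with call-style parentheses, while the asserts around them in the same hunk use the bare statement form. Drop the parentheses so the new case matches the rest of the file.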
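Review bot: the rejected-image paths (Test Case 2b for HELLO2, Test Cases 3a and 3b for HELLO) lose `assert 'Hello, world!' not in ''.join(output)` and now rely only on the `failed` message and `efi_start_image() returned: 26`. Among the visible checks, the dropped line was the only one asserting that the image body did not execute; keeping it next to the status check costs one line and guards against a regression where the error is reported but the image still runs.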
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro, Heinrich Schuchardt
Subject: [PATCH v4 10/12] test/py: efi_secboot: add a test against certificate revocation
Date: Sat, 11 Jul 2020 09:26:32 +0200
Message-Id: <20200711072634.290165-11-xypron.glpk@gmx.de>
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>
From: AKASHI Takahiro

Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUID). In this test case, if the database has such a digest and if the value matches a certificate that created a given image's signature, authentication should fail.

Signed-off-by: AKASHI Takahiro

Set defined time stamp for dbx_hash.auth.

Signed-off-by: Heinrich Schuchardt
---
v4: call sign-efi-sig-list with -t
---
test/py/tests/test_efi_secboot/conftest.py | 6 ++++-
test/py/tests/test_efi_secboot/test_signed.py | 26 +++++++++++++++++++
2 files changed, 31 insertions(+), 1 deletion(-)
--
2.27.0

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index c0ee8be9f7..c3d56622a2 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py 
@@ -106,12 +106,16 @@ def efi_boot_env(request, u_boot_config): # db1-update check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' % (mnt_point, EFITOOLS_PATH), shell=True) - # dbx + ## dbx (TEST_dbx certificate) check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_hash (digest of TEST_db certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 8ea45c8486..6dabecb669 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -121,3 +121,29 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env): + """ + Test Case 4 - revoked by dbx (digest of TEST_db certificate in dbx) + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 4'): + # Test Case 4, rejected by dbx + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 dbx_hash.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)
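Review bot: the new `cert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl` call in conftest.py carries no comment explaining `-t 0` and `-s 256`, although the commit message stresses that these dbx entries are digests with a revocation time. Add a short comment on the values chosen, and write the two new comments with a single `#` like the neighbouring `# db1-update` and `# Copy image` lines rather than `##`.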
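Review bot: Test Case 4 in test_signed.py covers only the matching case, where dbx holds the digest of the TEST_db certificate that Test Case 2 relies on to authenticate helloworld.efi.signed. A companion case that loads a digest of a certificate that did not sign the image (dbx.crt from conftest.py would do) and expects 'Hello, world!' would show that the rejection comes from the digest match and not from the mere presence of a hash entry in dbx.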
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro, Heinrich Schuchardt
Subject: [PATCH v4 11/12] test/py: efi_secboot: add a test for multiple signatures
Date: Sat, 11 Jul 2020 09:26:33 +0200
Message-Id: <20200711072634.290165-12-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>
From: AKASHI Takahiro

In this test case, an image is signed multiple times with different keys. If any of the signatures contained is not verified, the whole authentication check should fail.

Signed-off-by: AKASHI Takahiro

Provide a defined time stamp for dbx_hash1.auth.

Signed-off-by: Heinrich Schuchardt
---
v4: call sign-efi-sig-list with -t
---
test/py/tests/test_efi_secboot/conftest.py | 9 +++-
test/py/tests/test_efi_secboot/test_signed.py | 51 +++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletion(-)
--
2.27.0
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index c3d56622a2..7bb2e1d765 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -116,6 +116,10 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_hash1 (digest of TEST_db1 certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
@@ -123,7 +127,10 @@ def efi_boot_env(request, u_boot_config): # Sign image check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' % mnt_point, shell=True) - # Digest image + ## Sign already-signed image with another key + check_call('cd %s; sbsign --key db1.key --cert db1.crt --output helloworld.efi.signed_2sigs helloworld.efi.signed' + % mnt_point, shell=True) + ## Digest image check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 6dabecb669..1a31a57e12 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -147,3 +147,54 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env): + """ + Test Case 5 - multiple signatures + one signed with TEST_db, and + one signed with TEST_db1 + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 5a'): + # Test Case 5a, rejected if any of signatures is not verified + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 5b'): + # Test Case 5b, authenticated if both signatures are verified + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'bootefi bootmgr']) + assert 'Hello, world!' 
in ''.join(output) + + with u_boot_console.log.section('Test Case 5c'): + # Test Case 5c, rejected if any of signatures is revoked + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_hash1.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)
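Review bot: in the added dbx_hash1 check_call in conftest.py (hunk @@ -116,6 +116,10 @@ of patch 11/12), the three commands are chained with ';', so with shell=True check_call only sees the exit status of the final sign-efi-sig-list; a failing 'cd' or cert-to-efi-hash-list is not reported at that point. Chaining with '&&' would make a broken fixture fail during setup instead of surfacing later as a confusing Secure Boot test result. The line copies the existing dbx_hash pattern directly above it, so the same change applies there.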
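Review bot: in conftest.py hunk @@ -123,7 +127,10 @@ of patch 11/12, the new sbsign call reads helloworld.efi.signed, but the preceding sbsign invocation passes no --output, so that file name comes from sbsign's default naming. Passing --output helloworld.efi.signed explicitly on the first call would make the dependency visible. The change of '# Digest image' to '## Digest image' in the same hunk is unrelated to the multiple-signature test and leaves the comment style inconsistent with '# Copy image' and '# Sign image'; it would be cleaner as a separate cosmetic change.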
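Review bot: test_efi_signed_image_auth5 in test_signed.py only exercises the TEST_db1 side of the "any signature" rule: 5a leaves db1 out of db and 5c revokes the TEST_db1 digest through dbx_hash1.auth, but no sub-case boots helloworld.efi.signed_2sigs with TEST_db missing or revoked while TEST_db1 is trusted. Since the commit message says the check must fail if any contained signature is not verified, a symmetric sub-case would show that the result does not depend on signature order. Sections 5b and 5c also inherit db, KEK and PK from 5a, which deserves a comment at the top of each section.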
From: Heinrich Schuchardt
To: Alexander Graf
Cc: u-boot@lists.denx.de, sughosh.ganu@linaro.org, mail@patrick-wildt.de, AKASHI Takahiro, Heinrich Schuchardt
Subject: [PATCH v4 12/12] test/py: efi_secboot: add a test for verifying with digest of signed image
Date: Sat, 11 Jul 2020 09:26:34 +0200
Message-Id: <20200711072634.290165-13-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de>
References: <20200711072634.290165-1-xypron.glpk@gmx.de>
From: AKASHI Takahiro

Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images.

In this test case, if the database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches a hash value calculated from the image's binary, authentication should pass in case of db, and fail in case of dbx.

Signed-off-by: AKASHI Takahiro

Use defined time stamps for sign-efi-sig-list.

Signed-off-by: Heinrich Schuchardt
---
v4: call sign-efi-sig-list with -t
---
test/py/tests/test_efi_secboot/conftest.py | 10 ++++
test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++
2 files changed, 59 insertions(+)
--
2.27.0
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 7bb2e1d765..71ef723e59 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_db (with TEST_db certificate) + check_call('cd %s; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -t "2020-04-03" -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 1a31a57e12..7531bbac6a 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -198,3 +198,52 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): + """ + Test Case 6 - using digest of signed image in database + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 6a'): + # Test Case 6a, verified by image's digest in db + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'bootefi bootmgr']) + assert 'Hello, world!' 
in ''.join(output) + + with u_boot_console.log.section('Test Case 6b'): + # Test Case 6b, rejected by TEST_db certificate in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 6c'): + # Test Case 6c, rejected by image's digest in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 dbx_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)
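Review bot: the -t values added in the conftest.py hunks of patch 12/12 are load-bearing but undocumented: db_hello_signed.auth is stamped "2020-04-03", dbx_db.auth "2020-04-05" and dbx_hello_signed.auth "2020-04-07", while Test Case 6 writes db and dbx twice each with -at and without -a. A comment stating which file must carry the older time stamp (dbx_db.auth before dbx_hello_signed.auth on dbx, db_hello_signed.auth before db.auth on db) would stop a later edit from silently breaking the sequence. The dbx_db.auth line also depends on db.esl having been created earlier in the fixture, outside the lines shown in this hunk.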
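Review bot: sections 6b and 6c of test_efi_signed_image_auth6 issue only 'efidebug boot next 1' and rely on the boot entry, PK and KEK left behind by 6a, so a failure in 6a cascades and the sub-cases cannot be read in isolation. In 6c the comment says the image is rejected by its digest in dbx, which holds only if the non-append write of dbx_hello_signed.auth replaced the TEST_db certificate enrolled in 6b; stating that in the comment, or calling restart_uboot() before 6c, would make clear that the certificate entry is not what causes the rejection.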