| Message ID | 1362474202-23701-1-git-send-email-ivan.hu@canonical.com |
|---|---|
| State | Rejected |
| Headers | show |
On 05/03/13 09:03, Ivan Hu wrote: > From: IvanHu <ivan.hu@canonical.com> > > Check the variable KEK existence and Ubuntu master CA certificate presence > in KEK. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 37 ++++++++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 60d55cb..0675e15 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c > @@ -253,10 +253,44 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha > "The Microsoft UEFI CA certificate not found ."); > } > > +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "KEK")) > + return; > + > + var_found |= VAR_KEK_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + > + fwts_release *release = fwts_release_get(); > + if (release == NULL) { > + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate."); > + return; > + } Perhaps I should have explained the fwts_release API better. Best to do something like: fwts_release *release; ... ... release = fwts_release_get(); if (release == NULL) { fwts_skipped(fw, "Cannot determine system.. etc..."); return; } if (!strcmp(release->distributor, "Ubuntu")) { fwts_skipped(fw, "Not a Ubuntu system... etc.."); return; } > + > + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); > + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) > + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); > + else { > + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname); > + fwts_infoonly(fw); > + } > +} > + > static securebootcert_info securebootcert_info_table[] = { > { "SecureBoot", securebootcert_secure_boot }, > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > + { "KEK", securebootcert_key_ex_key }, > { NULL, NULL } > }; > > @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable DB not found."); > + if (!(var_found & VAR_KEK_FOUND)) > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > + "The secure boot variable KEK not found."); > > fwts_uefi_free_variable_names(&name_list); > >
On 05/03/13 09:09, Colin Ian King wrote: > On 05/03/13 09:03, Ivan Hu wrote: >> From: IvanHu <ivan.hu@canonical.com> >> >> Check the variable KEK existence and Ubuntu master CA certificate >> presence >> in KEK. >> >> Signed-off-by: Ivan Hu <ivan.hu@canonical.com> >> --- >> src/uefi/securebootcert/securebootcert.c | 37 >> ++++++++++++++++++++++++++++++ >> 1 file changed, 37 insertions(+) >> >> diff --git a/src/uefi/securebootcert/securebootcert.c >> b/src/uefi/securebootcert/securebootcert.c >> index 60d55cb..0675e15 100644 >> --- a/src/uefi/securebootcert/securebootcert.c >> +++ b/src/uefi/securebootcert/securebootcert.c >> @@ -253,10 +253,44 @@ static void >> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha >> "The Microsoft UEFI CA certificate not found ."); >> } >> >> +static void securebootcert_key_ex_key(fwts_framework *fw, >> fwts_uefi_var *var, char *varname) >> +{ >> + >> + bool ident = false; >> + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; >> + >> + if (strcmp(varname, "KEK")) >> + return; >> + >> + var_found |= VAR_KEK_FOUND; >> + ident = compare_guid(&global_var_guid, var->guid); >> + >> + if (!ident) { >> + fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableGUIDInvalid", >> + "The secure boot variable %s GUID invalid.", varname); >> + return; >> + } >> + >> + fwts_release *release = fwts_release_get(); >> + if (release == NULL) { >> + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary >> checking the Ubuntu Master CA certificate."); >> + return; >> + } > > Perhaps I should have explained the fwts_release API better. Best to do > something like: > > fwts_release *release; > > ... > ... > > release = fwts_release_get(); > if (release == NULL) { > fwts_skipped(fw, "Cannot determine system.. etc..."); > return; > } > > if (!strcmp(release->distributor, "Ubuntu")) { > fwts_skipped(fw, "Not a Ubuntu system... etc.."); > return; > } > Oh, and I forgot, we need to free up after using it: fwts_release_free(release); >> + >> + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate >> presence in %s", varname); >> + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, >> ubuntu_key_len)) >> + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); >> + else { >> + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate >> presence in %s", varname); >> + fwts_infoonly(fw); >> + } >> +} >> + >> static securebootcert_info securebootcert_info_table[] = { >> { "SecureBoot", securebootcert_secure_boot }, >> { "SetupMode", securebootcert_setup_mode }, >> { "db", securebootcert_data_base }, >> + { "KEK", securebootcert_key_ex_key }, >> { NULL, NULL } >> }; >> >> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw) >> if (!(var_found & VAR_DB_FOUND)) >> fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableNotFound", >> "The secure boot variable DB not found."); >> + if (!(var_found & VAR_KEK_FOUND)) >> + fwts_failed(fw, LOG_LEVEL_HIGH, >> "SecureBootCertVariableNotFound", >> + "The secure boot variable KEK not found."); >> >> fwts_uefi_free_variable_names(&name_list); >> >> > >
On 03/05/2013 05:13 PM, Colin Ian King wrote: > On 05/03/13 09:09, Colin Ian King wrote: >> On 05/03/13 09:03, Ivan Hu wrote: >>> From: IvanHu <ivan.hu@canonical.com> >>> >>> Check the variable KEK existence and Ubuntu master CA certificate >>> presence >>> in KEK. >>> >>> Signed-off-by: Ivan Hu <ivan.hu@canonical.com> >>> --- >>> src/uefi/securebootcert/securebootcert.c | 37 >>> ++++++++++++++++++++++++++++++ >>> 1 file changed, 37 insertions(+) >>> >>> diff --git a/src/uefi/securebootcert/securebootcert.c >>> b/src/uefi/securebootcert/securebootcert.c >>> index 60d55cb..0675e15 100644 >>> --- a/src/uefi/securebootcert/securebootcert.c >>> +++ b/src/uefi/securebootcert/securebootcert.c >>> @@ -253,10 +253,44 @@ static void >>> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha >>> "The Microsoft UEFI CA certificate not found ."); >>> } >>> >>> +static void securebootcert_key_ex_key(fwts_framework *fw, >>> fwts_uefi_var *var, char *varname) >>> +{ >>> + >>> + bool ident = false; >>> + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; >>> + >>> + if (strcmp(varname, "KEK")) >>> + return; >>> + >>> + var_found |= VAR_KEK_FOUND; >>> + ident = compare_guid(&global_var_guid, var->guid); >>> + >>> + if (!ident) { >>> + fwts_failed(fw, LOG_LEVEL_HIGH, >>> "SecureBootCertVariableGUIDInvalid", >>> + "The secure boot variable %s GUID invalid.", varname); >>> + return; >>> + } >>> + >>> + fwts_release *release = fwts_release_get(); >>> + if (release == NULL) { >>> + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary >>> checking the Ubuntu Master CA certificate."); >>> + return; >>> + } >> >> Perhaps I should have explained the fwts_release API better. Best to do >> something like: >> >> fwts_release *release; >> >> ... >> ... >> >> release = fwts_release_get(); >> if (release == NULL) { >> fwts_skipped(fw, "Cannot determine system.. etc..."); >> return; >> } >> >> if (!strcmp(release->distributor, "Ubuntu")) { >> fwts_skipped(fw, "Not a Ubuntu system... etc.."); >> return; >> } >> > > Oh, and I forgot, we need to free up after using it: > > fwts_release_free(release); > > > >>> + >>> + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate >>> presence in %s", varname); >>> + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, >>> ubuntu_key_len)) >>> + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); >>> + else { >>> + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate >>> presence in %s", varname); >>> + fwts_infoonly(fw); >>> + } >>> +} >>> + >>> static securebootcert_info securebootcert_info_table[] = { >>> { "SecureBoot", securebootcert_secure_boot }, >>> { "SetupMode", securebootcert_setup_mode }, >>> { "db", securebootcert_data_base }, >>> + { "KEK", securebootcert_key_ex_key }, >>> { NULL, NULL } >>> }; >>> >>> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw) >>> if (!(var_found & VAR_DB_FOUND)) >>> fwts_failed(fw, LOG_LEVEL_HIGH, >>> "SecureBootCertVariableNotFound", >>> "The secure boot variable DB not found."); >>> + if (!(var_found & VAR_KEK_FOUND)) >>> + fwts_failed(fw, LOG_LEVEL_HIGH, >>> "SecureBootCertVariableNotFound", >>> + "The secure boot variable KEK not found."); >>> >>> fwts_uefi_free_variable_names(&name_list); >>> >>> >> >> > > Thanks, will resend patch latter. Ivan
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c index 60d55cb..0675e15 100644 --- a/src/uefi/securebootcert/securebootcert.c +++ b/src/uefi/securebootcert/securebootcert.c @@ -253,10 +253,44 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha "The Microsoft UEFI CA certificate not found ."); } +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) +{ + + bool ident = false; + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; + + if (strcmp(varname, "KEK")) + return; + + var_found |= VAR_KEK_FOUND; + ident = compare_guid(&global_var_guid, var->guid); + + if (!ident) { + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", + "The secure boot variable %s GUID invalid.", varname); + return; + } + + fwts_release *release = fwts_release_get(); + if (release == NULL) { + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate."); + return; + } + + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); + else { + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname); + fwts_infoonly(fw); + } +} + static securebootcert_info securebootcert_info_table[] = { { "SecureBoot", securebootcert_secure_boot }, { "SetupMode", securebootcert_setup_mode }, { "db", securebootcert_data_base }, + { "KEK", securebootcert_key_ex_key }, { NULL, NULL } }; @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw) if (!(var_found & VAR_DB_FOUND)) fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", "The secure boot variable DB not found."); + if (!(var_found & VAR_KEK_FOUND)) + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", + "The secure boot variable KEK not found."); fwts_uefi_free_variable_names(&name_list);