mbox series

[00/13] efi_loader: rework/improve UEFI secure boot code

Message ID 20200529064130.28332-1-takahiro.akashi@linaro.org
Headers show
Series efi_loader: rework/improve UEFI secure boot code | expand

Message

AKASHI Takahiro May 29, 2020, 6:41 a.m. UTC
Summary
=======
I'm currently working on reworking UEFI secure boot, aiming to add
"intermediate certificates" support. In this effort, I found a couple
of issues that should immediately be fixed or useful improvements even
without intermediate certificates support.

Each commit in this patch series has self-explained description of
the issue to be addressed.
While they are independent in terms of functionality, they are compiled
in a set since the one may depend on the other in terms of code change
overlap. All the changes can and should be merged at once for best
convenience.

I hope that I will post intermediate certificates support sometime
in the next week.

Patch structure
===============
Patch#1,#5: rather preliminary patches
Patch#2-#4,#6,#7: main commits
Patch#8-#13: pytests
  Patch#11,#12 for Patch#6
  Patch#13 for Patch#7

Test
====
- Travis CI is still running with the latest
  (it passed with the previous one, including new pytests added here)

AKASHI Takahiro (13):
  efi_loader: signature: move efi_guid_cert_type_pkcs7 to
    efi_signature.c
  efi_loader: image_loader: add a check against certificate type of
    authenticode
  efi_loader: image_loader: retrieve authenticode only if it exists
  efi_loader: signature: fix a size check against revocation list
  efi_loader: signature: make efi_hash_regions more generic
  efi_loader: image_loader: verification for all signatures should pass
  efi_loader: image_loader: add digest-based verification for signed
    image
  test/py: efi_secboot: remove all "re.search"
  test/py: efi_secboot: fix test case 1g of test_authvar
  test/py: efi_secboot: split "signed image" test case-1 into two cases
  test/py: efi_secboot: add a test against certificate revocation
  test/py: efi_secboot: add a test for multiple signatures
  test/py: efi_secboot: add a test for verifying with digest of signed
    image

 include/efi_loader.h                          |  12 +-
 lib/efi_loader/efi_image_loader.c             | 142 ++++--
 lib/efi_loader/efi_signature.c                | 426 ++++++++----------
 lib/efi_loader/efi_variable.c                 |   1 -
 test/py/tests/test_efi_secboot/conftest.py    |  20 +-
 .../py/tests/test_efi_secboot/test_authvar.py |  83 ++--
 test/py/tests/test_efi_secboot/test_signed.py | 236 +++++++---
 .../tests/test_efi_secboot/test_unsigned.py   |  32 +-
 8 files changed, 563 insertions(+), 389 deletions(-)