Message ID | 20200708050203.15230-14-takahiro.akashi@linaro.org |
---|---|
State | Superseded, archived |
Delegated to: | Heinrich Schuchardt |
Headers | show |
Series | efi_loader: rework/improve UEFI secure boot code | expand |
On 7/8/20 7:02 AM, AKASHI Takahiro wrote: > Signature database (db or dbx) may have not only certificates that contain > a public key for RSA decryption, but also digests of signed images. > > In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) > and if the value matches to a hash value calculated from image's binary, > authentication should pass in case of db, and fail in case of dbx. > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > --- > test/py/tests/test_efi_secboot/conftest.py | 10 ++++ > test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++ > 2 files changed, 59 insertions(+) > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > index c7da1a6e29a3..553550ee02b1 100644 > --- a/test/py/tests/test_efi_secboot/conftest.py > +++ b/test/py/tests/test_efi_secboot/conftest.py > @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > shell=True) > + ## dbx_db (with TEST_db certificate) > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' > + % (mnt_point, EFITOOLS_PATH), > + shell=True) > > # Copy image > check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) > @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): > check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' > % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > shell=True) > + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' > + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > + shell=True) > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' > + % (mnt_point, EFITOOLS_PATH), > + shell=True) > > check_call('sudo umount %s' % loop_dev, shell=True) > check_call('sudo losetup -d %s' % loop_dev, shell=True) > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > index 1a31a57e12c2..7531bbac6a5f 100644 > --- a/test/py/tests/test_efi_secboot/test_signed.py > +++ b/test/py/tests/test_efi_secboot/test_signed.py > @@ -198,3 +198,52 @@ class TestEfiSignedImage(object): > 'efidebug test bootmgr']) > assert '\'HELLO\' failed' in ''.join(output) > assert 'efi_start_image() returned: 26' in ''.join(output) > + > + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > + """ > + Test Case 6 - using digest of signed image in database > + """ > + u_boot_console.restart_uboot() > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 6a'): > + # Test Case 6a, verified by image's digest in db > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db_hello_signed.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert 'Hello, world!' in ''.join(output) > + > + with u_boot_console.log.section('Test Case 6b'): > + # Test Case 6b, rejected by TEST_db certificate in dbx > + output = u_boot_console.run_command_list([ > + 'fatload host 0:1 4000000 dbx_db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > + > + with u_boot_console.log.section('Test Case 6c'): > + # Test Case 6c, rejected by image's digest in dbx > + output = u_boot_console.run_command_list([ > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > + 'fatload host 0:1 4000000 dbx_hello_signed.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > This test fails due to not set time stamps for the *.auth files. The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth. db_hello_signed.auth must be older then db.auth. I will add the missing time stamps. Best regards Heinrich
Heinrich, On Sat, Jul 11, 2020 at 08:47:15AM +0200, Heinrich Schuchardt wrote: > On 7/8/20 7:02 AM, AKASHI Takahiro wrote: > > Signature database (db or dbx) may have not only certificates that contain > > a public key for RSA decryption, but also digests of signed images. > > > > In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) > > and if the value matches to a hash value calculated from image's binary, > > authentication should pass in case of db, and fail in case of dbx. > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > > --- > > test/py/tests/test_efi_secboot/conftest.py | 10 ++++ > > test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++ > > 2 files changed, 59 insertions(+) > > > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > > index c7da1a6e29a3..553550ee02b1 100644 > > --- a/test/py/tests/test_efi_secboot/conftest.py > > +++ b/test/py/tests/test_efi_secboot/conftest.py > > @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > shell=True) > > + ## dbx_db (with TEST_db certificate) > > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' > > + % (mnt_point, EFITOOLS_PATH), > > + shell=True) > > > > # Copy image > > check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) > > @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' > > % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > > shell=True) > > + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' > > + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > > + shell=True) > > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' > > + % (mnt_point, EFITOOLS_PATH), > > + shell=True) > > > > check_call('sudo umount %s' % loop_dev, shell=True) > > check_call('sudo losetup -d %s' % loop_dev, shell=True) > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > > index 1a31a57e12c2..7531bbac6a5f 100644 > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > @@ -198,3 +198,52 @@ class TestEfiSignedImage(object): > > 'efidebug test bootmgr']) > > assert '\'HELLO\' failed' in ''.join(output) > > assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > > + """ > > + Test Case 6 - using digest of signed image in database > > + """ > > + u_boot_console.restart_uboot() > > + disk_img = efi_boot_env > > + with u_boot_console.log.section('Test Case 6a'): > > + # Test Case 6a, verified by image's digest in db > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db_hello_signed.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', > > + 'efidebug boot next 1', > > + 'bootefi bootmgr']) > > + assert 'Hello, world!' in ''.join(output) > > + > > + with u_boot_console.log.section('Test Case 6b'): > > + # Test Case 6b, rejected by TEST_db certificate in dbx > > + output = u_boot_console.run_command_list([ > > + 'fatload host 0:1 4000000 dbx_db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + with u_boot_console.log.section('Test Case 6c'): > > + # Test Case 6c, rejected by image's digest in dbx > > + output = u_boot_console.run_command_list([ > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > > + 'fatload host 0:1 4000000 dbx_hello_signed.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > > > This test fails due to not set time stamps for the *.auth files. > > The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth. > db_hello_signed.auth must be older then db.auth. I have fixed this issue by adding "sleep 2" to make different timestamps, but forgot to put it in the follow-up patch. I have taken the same approach in my intermediate certificates patch. Apologies for any confusion. -Takahiro Akashi diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 94c50f6cf7ca..b74640240318 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -141,7 +141,9 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) - check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' + # 'sleep 2' here because timestamp should be newer than dbx_db.auth + # See Test Case 6c + check_call('cd %s; sleep 2; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' % (mnt_point, EFITOOLS_PATH), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 7531bbac6a5f..8b1e132c756c 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -237,8 +237,6 @@ class TestEfiSignedImage(object): with u_boot_console.log.section('Test Case 6c'): # Test Case 6c, rejected by image's digest in dbx output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'fatload host 0:1 4000000 dbx_hello_signed.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output)
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index c7da1a6e29a3..553550ee02b1 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_db (with TEST_db certificate) + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 1a31a57e12c2..7531bbac6a5f 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -198,3 +198,52 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): + """ + Test Case 6 - using digest of signed image in database + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 6a'): + # Test Case 6a, verified by image's digest in db + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'bootefi bootmgr']) + assert 'Hello, world!' in ''.join(output) + + with u_boot_console.log.section('Test Case 6b'): + # Test Case 6b, rejected by TEST_db certificate in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 6c'): + # Test Case 6c, rejected by image's digest in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 dbx_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)
Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- test/py/tests/test_efi_secboot/conftest.py | 10 ++++ test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++ 2 files changed, 59 insertions(+)