Summary
=======
I'm currently working on reworking UEFI secure boot, aiming to add
"intermediate certificates" support. In this effort, I found a couple
of issues that should immediately be fixed or useful improvements even
without intermediate certificates support.
Each commit in this patch series has self-explained description of
the issue to be addressed.
While they are independent in terms of functionality, they are compiled
in a set since the one may depend on the other in terms of code change
overlap. All the changes can and should be merged at once for best
convenience.
I hope that I will post intermediate certificates support sometime
in the next week.
Patch structure
===============
Patch#1,#5: rather preliminary patches
Patch#2-#4,#6,#7: main commits
Patch#8-#13: pytests
Patch#11,#12 for Patch#6
Patch#13 for Patch#7
Test
====
- Travis CI is still running with the latest
(it passed with the previous one, including new pytests added here)
AKASHI Takahiro (13):
efi_loader: signature: move efi_guid_cert_type_pkcs7 to
efi_signature.c
efi_loader: image_loader: add a check against certificate type of
authenticode
efi_loader: image_loader: retrieve authenticode only if it exists
efi_loader: signature: fix a size check against revocation list
efi_loader: signature: make efi_hash_regions more generic
efi_loader: image_loader: verification for all signatures should pass
efi_loader: image_loader: add digest-based verification for signed
image
test/py: efi_secboot: remove all "re.search"
test/py: efi_secboot: fix test case 1g of test_authvar
test/py: efi_secboot: split "signed image" test case-1 into two cases
test/py: efi_secboot: add a test against certificate revocation
test/py: efi_secboot: add a test for multiple signatures
test/py: efi_secboot: add a test for verifying with digest of signed
image
include/efi_loader.h | 12 +-
lib/efi_loader/efi_image_loader.c | 142 ++++--
lib/efi_loader/efi_signature.c | 426 ++++++++----------
lib/efi_loader/efi_variable.c | 1 -
test/py/tests/test_efi_secboot/conftest.py | 20 +-
.../py/tests/test_efi_secboot/test_authvar.py | 83 ++--
test/py/tests/test_efi_secboot/test_signed.py | 236 +++++++---
.../tests/test_efi_secboot/test_unsigned.py | 32 +-
8 files changed, 563 insertions(+), 389 deletions(-)
Summary ======= I'm currently working on reworking UEFI secure boot, aiming to add "intermediate certificates" support. In this effort, I found a couple of issues that should immediately be fixed or useful improvements even without intermediate certificates support. Each commit in this patch series has self-explained description of the issue to be addressed. While they are independent in terms of functionality, they are compiled in a set since the one may depend on the other in terms of code change overlap. All the changes can and should be merged at once for best convenience. I hope that I will post intermediate certificates support sometime in the next week. Patch structure =============== Patch#1,#5: rather preliminary patches Patch#2-#4,#6,#7: main commits Patch#8-#13: pytests Patch#11,#12 for Patch#6 Patch#13 for Patch#7 Test ==== - Travis CI is still running with the latest (it passed with the previous one, including new pytests added here) AKASHI Takahiro (13): efi_loader: signature: move efi_guid_cert_type_pkcs7 to efi_signature.c efi_loader: image_loader: add a check against certificate type of authenticode efi_loader: image_loader: retrieve authenticode only if it exists efi_loader: signature: fix a size check against revocation list efi_loader: signature: make efi_hash_regions more generic efi_loader: image_loader: verification for all signatures should pass efi_loader: image_loader: add digest-based verification for signed image test/py: efi_secboot: remove all "re.search" test/py: efi_secboot: fix test case 1g of test_authvar test/py: efi_secboot: split "signed image" test case-1 into two cases test/py: efi_secboot: add a test against certificate revocation test/py: efi_secboot: add a test for multiple signatures test/py: efi_secboot: add a test for verifying with digest of signed image include/efi_loader.h | 12 +- lib/efi_loader/efi_image_loader.c | 142 ++++-- lib/efi_loader/efi_signature.c | 426 ++++++++---------- lib/efi_loader/efi_variable.c | 1 - test/py/tests/test_efi_secboot/conftest.py | 20 +- .../py/tests/test_efi_secboot/test_authvar.py | 83 ++-- test/py/tests/test_efi_secboot/test_signed.py | 236 +++++++--- .../tests/test_efi_secboot/test_unsigned.py | 32 +- 8 files changed, 563 insertions(+), 389 deletions(-)