mbox series

[0/5] efi_loader: fix a verification process issue in secure boot

Message ID 20220705054815.30318-1-takahiro.akashi@linaro.org
Headers show
Series efi_loader: fix a verification process issue in secure boot | expand

Message

AKASHI Takahiro July 5, 2022, 5:48 a.m. UTC
In the commit 4540dabdcaca ("efi_loader: image_loader: support image
authentication"), U-Boot implementation of UEFI secure boot was
introduced.
It was reported by a Siemens engineer, however, that the verification
process is not fully compliant with MicroSoft's authenticode specification
and it is possible to exploit the code in a signed PE image without deep
knowledge.

This patch series fixes this security issue and, in addition, adds a test
case.

patch#1-3: preparatory patches
patch#4: add a missing step in signature verification process
patch#5: a new test case under pytest

AKASHI Takahiro (5):
  lib: crypto: add mscode_parser
  efi_loader: signature: export efi_hash_regions()
  efi_loader: image_loader: replace EFI_PRINT with log macros
  efi_loader: image_loader: add a missing digest verification for signed
    PE image
  test/py: efi_secboot: add a test for a forged signed image

 include/crypto/mscode.h                       |  43 ++++++
 include/efi_loader.h                          |   2 +
 lib/crypto/Kconfig                            |   9 ++
 lib/crypto/Makefile                           |  12 ++
 lib/crypto/mscode.asn1                        |  28 ++++
 lib/crypto/mscode_parser.c                    | 135 ++++++++++++++++++
 lib/efi_loader/Kconfig                        |   1 +
 lib/efi_loader/efi_image_loader.c             | 114 +++++++++++----
 lib/efi_loader/efi_signature.c                |   4 +-
 test/py/tests/test_efi_secboot/conftest.py    |   3 +
 test/py/tests/test_efi_secboot/forge_image.sh |   5 +
 test/py/tests/test_efi_secboot/test_signed.py |  35 +++++
 12 files changed, 361 insertions(+), 30 deletions(-)
 create mode 100644 include/crypto/mscode.h
 create mode 100644 lib/crypto/mscode.asn1
 create mode 100644 lib/crypto/mscode_parser.c
 create mode 100644 test/py/tests/test_efi_secboot/forge_image.sh