From patchwork Sat Jul 11 07:26:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241340 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:23 +0200 Subject: [PATCH v4 01/12] efi_loader: image_loader: add a check against certificate type of authenticode In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-2-xypron.glpk@gmx.de> From: AKASHI Takahiro UEFI specification requires that we shall support three type of certificates of authenticode in PE image: WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID WIN_CERT_TYPE_PKCS_SIGNED_DATA WIN_CERT_TYPE_EFI_PKCS1_15 As EDK2 does, we will support the first two that are pkcs7 SignedData. Signed-off-by: AKASHI Takahiro --- lib/efi_loader/efi_image_loader.c | 56 ++++++++++++++++++++++++------- 1 file changed, 44 insertions(+), 12 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 06a2ebdb90..9b01e1ec90 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -483,7 +483,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) struct efi_signature_store *db = NULL, *dbx = NULL; struct x509_certificate *cert = NULL; void *new_efi = NULL; - size_t new_efi_size; + u8 *auth, *wincerts_end; + size_t new_efi_size, auth_size; bool ret = false; if (!efi_secure_boot_enabled()) @@ -532,21 +533,52 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } /* go through WIN_CERTIFICATE list */ - for (wincert = wincerts; - (void *)wincert < (void *)wincerts + wincerts_len; - wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) { - if (wincert->dwLength < sizeof(*wincert)) { - EFI_PRINT("%s: dwLength too small: %u < %zu\n", - __func__, wincert->dwLength, - sizeof(*wincert)); - goto err; + for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len; + (u8 *)wincert < wincerts_end; + wincert = (WIN_CERTIFICATE *) + ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) { + if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end) + break; + + if (wincert->dwLength <= sizeof(*wincert)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + + EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n", + wincert->wCertificateType); + + auth = (u8 *)wincert + sizeof(*wincert); + auth_size = wincert->dwLength - sizeof(*wincert); + if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) { + if (auth + sizeof(efi_guid_t) >= wincerts_end) + break; + + if (auth_size <= sizeof(efi_guid_t)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) { + EFI_PRINT("Certificate type not supported: %pUl\n", + auth); + continue; + } + + auth += sizeof(efi_guid_t); + auth_size -= sizeof(efi_guid_t); + } else if (wincert->wCertificateType + != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { + EFI_PRINT("Certificate type not supported\n"); + continue; } - msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert), - wincert->dwLength - sizeof(*wincert)); + + msg = pkcs7_parse_message(auth, auth_size); if (IS_ERR(msg)) { EFI_PRINT("Parsing image's signature failed\n"); msg = NULL; - goto err; + continue; } /* try black-list first */ From patchwork Sat Jul 11 07:26:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241344 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:24 +0200 Subject: [PATCH v4 02/12] efi_loader: image_loader: retrieve authenticode only if it exists In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-3-xypron.glpk@gmx.de> From: AKASHI Takahiro Since the certificate table, which is indexed by IMAGE_DIRECTORY_ENTRY_SECURITY and contains authenticode in PE image, doesn't always exist, we should make sure that we will retrieve its pointer only if it exists. Signed-off-by: AKASHI Takahiro --- lib/efi_loader/efi_image_loader.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 9b01e1ec90..de230409e3 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -267,6 +267,8 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, dos = (void *)efi; nt = (void *)(efi + dos->e_lfanew); + authoff = 0; + authsz = 0; /* * Count maximum number of regions to be digested. @@ -305,25 +307,36 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, efi_image_region_add(regs, &opt->DataDirectory[ctidx] + 1, efi + opt->SizeOfHeaders, 0); + + authoff = opt->DataDirectory[ctidx].VirtualAddress; + authsz = opt->DataDirectory[ctidx].Size; } bytes_hashed = opt->SizeOfHeaders; align = opt->FileAlignment; - authoff = opt->DataDirectory[ctidx].VirtualAddress; - authsz = opt->DataDirectory[ctidx].Size; } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { IMAGE_OPTIONAL_HEADER32 *opt = &nt->OptionalHeader; + /* Skip CheckSum */ efi_image_region_add(regs, efi, &opt->CheckSum, 0); - efi_image_region_add(regs, &opt->Subsystem, - &opt->DataDirectory[ctidx], 0); - efi_image_region_add(regs, &opt->DataDirectory[ctidx] + 1, - efi + opt->SizeOfHeaders, 0); + if (nt->OptionalHeader.NumberOfRvaAndSizes <= ctidx) { + efi_image_region_add(regs, + &opt->Subsystem, + efi + opt->SizeOfHeaders, 0); + } else { + /* Skip Certificates Table */ + efi_image_region_add(regs, &opt->Subsystem, + &opt->DataDirectory[ctidx], 0); + efi_image_region_add(regs, + &opt->DataDirectory[ctidx] + 1, + efi + opt->SizeOfHeaders, 0); + + authoff = opt->DataDirectory[ctidx].VirtualAddress; + authsz = opt->DataDirectory[ctidx].Size; + } bytes_hashed = opt->SizeOfHeaders; align = opt->FileAlignment; - authoff = opt->DataDirectory[ctidx].VirtualAddress; - authsz = opt->DataDirectory[ctidx].Size; } else { EFI_PRINT("%s: Invalid optional header magic %x\n", __func__, nt->OptionalHeader.Magic); From patchwork Sat Jul 11 07:26:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241342 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:25 +0200 Subject: [PATCH v4 03/12] efi_loader: signature: fix a size check against revocation list In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-4-xypron.glpk@gmx.de> From: AKASHI Takahiro Since the size check against an entry in efi_search_siglist() is incorrect, this function will never find out a to-be-matched certificate and its associated revocation time in the signature list. Signed-off-by: AKASHI Takahiro --- lib/efi_loader/efi_signature.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index e05c471c61..cd2df46264 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -433,10 +433,11 @@ static bool efi_search_siglist(struct x509_certificate *cert, * time64_t revocation_time; * }; */ - if ((sig_data->size == SHA256_SUM_LEN) && - !memcmp(sig_data->data, hash, SHA256_SUM_LEN)) { + if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) && + !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) { memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN, sizeof(*revoc_time)); + EFI_PRINT("revocation time: 0x%llx\n", *revoc_time); found = true; goto out; } From patchwork Sat Jul 11 07:26:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241346 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:26 +0200 Subject: [PATCH v4 04/12] efi_loader: signature: make efi_hash_regions more generic In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-5-xypron.glpk@gmx.de> From: AKASHI Takahiro There are a couple of occurrences of hash calculations in which a new efi_hash_regions will be commonly used. Signed-off-by: AKASHI Takahiro --- lib/efi_loader/efi_signature.c | 46 +++++++++++++--------------------- 1 file changed, 17 insertions(+), 29 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index cd2df46264..b14d104094 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -28,7 +28,8 @@ const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; /** * efi_hash_regions - calculate a hash value - * @regs: List of regions + * @regs: Array of regions + * @count: Number of regions * @hash: Pointer to a pointer to buffer holding a hash value * @size: Size of buffer to be returned * @@ -36,18 +37,20 @@ const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID; * * Return: true on success, false on error */ -static bool efi_hash_regions(struct efi_image_regions *regs, void **hash, - size_t *size) +static bool efi_hash_regions(struct image_region *regs, int count, + void **hash, size_t *size) { - *size = 0; - *hash = calloc(1, SHA256_SUM_LEN); if (!*hash) { - EFI_PRINT("Out of memory\n"); - return false; + *hash = calloc(1, SHA256_SUM_LEN); + if (!*hash) { + EFI_PRINT("Out of memory\n"); + return false; + } } - *size = SHA256_SUM_LEN; + if (size) + *size = SHA256_SUM_LEN; - hash_calculate("sha256", regs->reg, regs->num, *hash); + hash_calculate("sha256", regs, count, *hash); #ifdef DEBUG EFI_PRINT("hash calculated:\n"); print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, @@ -72,26 +75,10 @@ static bool efi_hash_msg_content(struct pkcs7_message *msg, void **hash, { struct image_region regtmp; - *size = 0; - *hash = calloc(1, SHA256_SUM_LEN); - if (!*hash) { - EFI_PRINT("Out of memory\n"); - free(msg); - return false; - } - *size = SHA256_SUM_LEN; - regtmp.data = msg->data; regtmp.size = msg->data_len; - hash_calculate("sha256", ®tmp, 1, *hash); -#ifdef DEBUG - EFI_PRINT("hash calculated based on contentInfo:\n"); - print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, - *hash, SHA256_SUM_LEN, false); -#endif - - return true; + return efi_hash_regions(®tmp, 1, hash, size); } /** @@ -169,9 +156,10 @@ static bool efi_signature_verify(struct efi_image_regions *regs, false); #endif /* against contentInfo first */ + hash = NULL; if ((msg->data && efi_hash_msg_content(msg, &hash, &size)) || /* for signed image */ - efi_hash_regions(regs, &hash, &size)) { + efi_hash_regions(regs->reg, regs->num, &hash, &size)) { /* for authenticated variable */ if (ps_info->msgdigest_len != size || memcmp(hash, ps_info->msgdigest, size)) { @@ -239,7 +227,7 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, regs, signed_info, siglist, valid_cert); if (!signed_info) { - void *hash; + void *hash = NULL; size_t size; EFI_PRINT("%s: unsigned image\n", __func__); @@ -253,7 +241,7 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, goto out; } - if (!efi_hash_regions(regs, &hash, &size)) { + if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) { EFI_PRINT("Digesting unsigned image failed\n"); goto out; } From patchwork Sat Jul 11 07:26:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241343 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:27 +0200 Subject: [PATCH v4 05/12] efi_loader: image_loader: verification for all signatures should pass In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-6-xypron.glpk@gmx.de> From: AKASHI Takahiro A signed image may have multiple signatures in - each WIN_CERTIFICATE in authenticode, and/or - each SignerInfo in pkcs7 SignedData (of WIN_CERTIFICATE) In the initial implementation of efi_image_authenticate(), the criteria of verification check for multiple signatures case is a bit ambiguous and it may cause inconsistent result. With this patch, we will make sure that verification check in efi_image_authenticate() should pass against all the signatures. The only exception would be - the case where a digest algorithm used in signature is not supported by U-Boot, or - the case where parsing some portion of authenticode has failed In those cases, we don't know how the signature be handled and should just ignore them. Please note that, due to this change, efi_signature_verify_with_sigdb()'s function prototype will be modified, taking "dbx" as well as "db" instead of outputing a "certificate." If "dbx" is null, the behavior would be the exact same as before. The function's name will be changed to efi_signature_verify() once current efi_signature_verify() has gone due to further improvement in intermediate certificates support. Signed-off-by: AKASHI Takahiro --- include/efi_loader.h | 13 +- lib/efi_loader/efi_image_loader.c | 43 ++--- lib/efi_loader/efi_signature.c | 298 +++++++++++++++++------------- 3 files changed, 198 insertions(+), 156 deletions(-) -- 2.27.0 diff --git a/include/efi_loader.h b/include/efi_loader.h index fc9344c742..2f9fb112b3 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -765,14 +765,15 @@ struct efi_signature_store { struct x509_certificate; struct pkcs7_message; -bool efi_signature_verify_cert(struct x509_certificate *cert, - struct efi_signature_store *dbx); -bool efi_signature_verify_signers(struct pkcs7_message *msg, - struct efi_signature_store *dbx); +bool efi_signature_verify_one(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db); bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, struct pkcs7_message *msg, - struct efi_signature_store *db, - struct x509_certificate **cert); + struct efi_signature_store *db, + struct efi_signature_store *dbx); +bool efi_signature_check_signers(struct pkcs7_message *msg, + struct efi_signature_store *dbx); efi_status_t efi_image_region_add(struct efi_image_regions *regs, const void *start, const void *end, diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index de230409e3..058359fc25 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -448,13 +448,13 @@ static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs) } /* try black-list first */ - if (efi_signature_verify_with_sigdb(regs, NULL, dbx, NULL)) { + if (efi_signature_verify_one(regs, NULL, dbx)) { EFI_PRINT("Image is not signed and rejected by \"dbx\"\n"); goto out; } /* try white-list */ - if (efi_signature_verify_with_sigdb(regs, NULL, db, NULL)) + if (efi_signature_verify_one(regs, NULL, db)) ret = true; else EFI_PRINT("Image is not signed and not found in \"db\" or \"dbx\"\n"); @@ -494,12 +494,13 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) size_t wincerts_len; struct pkcs7_message *msg = NULL; struct efi_signature_store *db = NULL, *dbx = NULL; - struct x509_certificate *cert = NULL; void *new_efi = NULL; u8 *auth, *wincerts_end; size_t new_efi_size, auth_size; bool ret = false; + debug("%s: Enter, %d\n", __func__, ret); + if (!efi_secure_boot_enabled()) return true; @@ -545,7 +546,17 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) goto err; } - /* go through WIN_CERTIFICATE list */ + /* + * go through WIN_CERTIFICATE list + * NOTE: + * We may have multiple signatures either as WIN_CERTIFICATE's + * in PE header, or as pkcs7 SignerInfo's in SignedData. + * So the verification policy here is: + * - Success if, at least, one of signatures is verified + * - unless + * any of signatures is rejected explicitly, or + * none of digest algorithms are supported + */ for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len; (u8 *)wincert < wincerts_end; wincert = (WIN_CERTIFICATE *) @@ -595,42 +606,32 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } /* try black-list first */ - if (efi_signature_verify_with_sigdb(regs, msg, dbx, NULL)) { + if (efi_signature_verify_one(regs, msg, dbx)) { EFI_PRINT("Signature was rejected by \"dbx\"\n"); goto err; } - if (!efi_signature_verify_signers(msg, dbx)) { - EFI_PRINT("Signer was rejected by \"dbx\"\n"); + if (!efi_signature_check_signers(msg, dbx)) { + EFI_PRINT("Signer(s) in \"dbx\"\n"); goto err; - } else { - ret = true; } /* try white-list */ - if (!efi_signature_verify_with_sigdb(regs, msg, db, &cert)) { - EFI_PRINT("Verifying signature with \"db\" failed\n"); + if (!efi_signature_verify_with_sigdb(regs, msg, db, dbx)) { + EFI_PRINT("Signature was not verified by \"db\"\n"); goto err; - } else { - ret = true; - } - - if (!efi_signature_verify_cert(cert, dbx)) { - EFI_PRINT("Certificate was rejected by \"dbx\"\n"); - goto err; - } else { - ret = true; } } + ret = true; err: - x509_free_certificate(cert); efi_sigstore_free(db); efi_sigstore_free(dbx); pkcs7_free_message(msg); free(regs); free(new_efi); + debug("%s: Exit, %d\n", __func__, ret); return ret; } #else diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index b14d104094..52392d139a 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -301,27 +301,110 @@ out: } /** - * efi_signature_verify_with_sigdb - verify a signature with db + * efi_signature_check_revocation - check revocation with dbx + * @sinfo: Signer's info + * @cert: x509 certificate + * @dbx: Revocation signature database + * + * Search revocation signature database pointed to by @dbx and find + * an entry matching to certificate pointed to by @cert. + * + * While this entry contains revocation time, we don't support timestamp + * protocol at this time and any image will be unconditionally revoked + * when this match occurs. + * + * Return: true if check passed, false otherwise. + */ +static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo, + struct x509_certificate *cert, + struct efi_signature_store *dbx) +{ + struct efi_signature_store *siglist; + struct efi_sig_data *sig_data; + struct image_region reg[1]; + void *hash = NULL; + size_t size = 0; + time64_t revoc_time; + bool revoked = false; + + EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx); + + if (!sinfo || !cert || !dbx || !dbx->sig_data_list) + goto out; + + EFI_PRINT("Checking revocation against %s\n", cert->subject); + for (siglist = dbx; siglist; siglist = siglist->next) { + if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) + continue; + + /* calculate hash of TBSCertificate */ + reg[0].data = cert->tbs; + reg[0].size = cert->tbs_size; + if (!efi_hash_regions(reg, 1, &hash, &size)) + goto out; + + for (sig_data = siglist->sig_data_list; sig_data; + sig_data = sig_data->next) { + /* + * struct efi_cert_x509_sha256 { + * u8 tbs_hash[256/8]; + * time64_t revocation_time; + * }; + */ +#ifdef DEBUG + if (sig_data->size >= size) { + EFI_PRINT("hash in db:\n"); + print_hex_dump(" ", DUMP_PREFIX_OFFSET, + 16, 1, + sig_data->data, size, false); + } +#endif + if ((sig_data->size < size + sizeof(time64_t)) || + memcmp(sig_data->data, hash, size)) + continue; + + memcpy(&revoc_time, sig_data->data + size, + sizeof(revoc_time)); + EFI_PRINT("revocation time: 0x%llx\n", revoc_time); + /* + * TODO: compare signing timestamp in sinfo + * with revocation time + */ + + revoked = true; + free(hash); + goto out; + } + free(hash); + hash = NULL; + } +out: + EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); + return !revoked; +} + +/** + * efi_signature_verify_one - verify signatures with database * @regs: List of regions to be authenticated * @msg: Signature - * @db: Signature database for trusted certificates - * @cert: x509 certificate that verifies this signature + * @db: Signature database * - * Signature pointed to by @msg against image pointed to by @regs - * is verified by signature database pointed to by @db. + * All the signature pointed to by @msg against image pointed to by @regs + * will be verified by signature database pointed to by @db. * - * Return: true if signature is verified, false if not + * Return: true if verification for one of signatures passed, false + * otherwise */ -bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, - struct pkcs7_message *msg, - struct efi_signature_store *db, - struct x509_certificate **cert) +bool efi_signature_verify_one(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db) { - struct pkcs7_signed_info *info; + struct pkcs7_signed_info *sinfo; struct efi_signature_store *siglist; + struct x509_certificate *cert; bool verified = false; - EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, cert); + EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, regs, msg, db); if (!db) goto out; @@ -334,27 +417,26 @@ bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, EFI_PRINT("%s: Verify unsigned image with db\n", __func__); for (siglist = db; siglist; siglist = siglist->next) if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, cert)) { + siglist, &cert)) { verified = true; - goto out; + break; } - goto out; } /* for signed image or variable */ EFI_PRINT("%s: Verify signed image with db\n", __func__); - for (info = msg->signed_infos; info; info = info->next) { + for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", - info->sig->hash_algo, info->sig->pkey_algo); + sinfo->sig->hash_algo, sinfo->sig->pkey_algo); - for (siglist = db; siglist; siglist = siglist->next) { - if (efi_signature_verify_with_list(regs, msg, info, - siglist, cert)) { + for (siglist = db; siglist; siglist = siglist->next) + if (efi_signature_verify_with_list(regs, msg, sinfo, + siglist, &cert)) { verified = true; goto out; } - } + EFI_PRINT("Valid certificate not in \"db\"\n"); } out: @@ -363,150 +445,108 @@ out: } /** - * efi_search_siglist - search signature list for a certificate - * @cert: x509 certificate - * @siglist: Signature list - * @revoc_time: Pointer to buffer for revocation time + * efi_signature_verify_with_sigdb - verify signatures with db and dbx + * @regs: List of regions to be authenticated + * @msg: Signature + * @db: Signature database for trusted certificates + * @dbx: Revocation signature database * - * Search signature list pointed to by @siglist and find a certificate - * pointed to by @cert. - * If found, revocation time that is specified in signature database is - * returned in @revoc_time. + * All the signature pointed to by @msg against image pointed to by @regs + * will be verified by signature database pointed to by @db and @dbx. * - * Return: true if certificate is found, false if not + * Return: true if verification for all signatures passed, false otherwise */ -static bool efi_search_siglist(struct x509_certificate *cert, - struct efi_signature_store *siglist, - time64_t *revoc_time) +bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct efi_signature_store *db, + struct efi_signature_store *dbx) { - struct image_region reg[1]; - void *hash = NULL, *msg = NULL; - struct efi_sig_data *sig_data; - bool found = false; + struct pkcs7_signed_info *info; + struct efi_signature_store *siglist; + struct x509_certificate *cert; + bool verified = false; - /* can be null */ - if (!siglist->sig_data_list) - return false; + EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx); - if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256)) { - /* TODO: other hash algos */ - EFI_PRINT("Certificate's digest type is not supported: %pUl\n", - &siglist->sig_type); + if (!db) goto out; - } - /* calculate hash of TBSCertificate */ - msg = calloc(1, SHA256_SUM_LEN); - if (!msg) { - EFI_PRINT("Out of memory\n"); + if (!db->sig_data_list) goto out; - } - hash = calloc(1, SHA256_SUM_LEN); - if (!hash) { - EFI_PRINT("Out of memory\n"); + /* for unsigned image */ + if (!msg) { + EFI_PRINT("%s: Verify unsigned image with db\n", __func__); + for (siglist = db; siglist; siglist = siglist->next) + if (efi_signature_verify_with_list(regs, NULL, NULL, + siglist, &cert)) { + verified = true; + break; + } goto out; } - reg[0].data = cert->tbs; - reg[0].size = cert->tbs_size; - hash_calculate("sha256", reg, 1, msg); + /* for signed image or variable */ + EFI_PRINT("%s: Verify signed image with db\n", __func__); + for (info = msg->signed_infos; info; info = info->next) { + EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", + info->sig->hash_algo, info->sig->pkey_algo); - /* go through signature list */ - for (sig_data = siglist->sig_data_list; sig_data; - sig_data = sig_data->next) { - /* - * struct efi_cert_x509_sha256 { - * u8 tbs_hash[256/8]; - * time64_t revocation_time; - * }; - */ - if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) && - !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) { - memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN, - sizeof(*revoc_time)); - EFI_PRINT("revocation time: 0x%llx\n", *revoc_time); - found = true; + for (siglist = db; siglist; siglist = siglist->next) { + if (efi_signature_verify_with_list(regs, msg, info, + siglist, &cert)) + break; + } + if (!siglist) { + EFI_PRINT("Valid certificate not in \"db\"\n"); goto out; } - } - -out: - free(hash); - free(msg); - - return found; -} - -/** - * efi_signature_verify_cert - verify a certificate with dbx - * @cert: x509 certificate - * @dbx: Signature database - * - * Search signature database pointed to by @dbx and find a certificate - * pointed to by @cert. - * This function is expected to be used against "dbx". - * - * Return: true if a certificate is not rejected, false otherwise. - */ -bool efi_signature_verify_cert(struct x509_certificate *cert, - struct efi_signature_store *dbx) -{ - struct efi_signature_store *siglist; - time64_t revoc_time; - bool found = false; - EFI_PRINT("%s: Enter, %p, %p\n", __func__, dbx, cert); - - if (!cert) - return false; - - for (siglist = dbx; siglist; siglist = siglist->next) { - if (efi_search_siglist(cert, siglist, &revoc_time)) { - /* TODO */ - /* compare signing time with revocation time */ + if (!dbx || efi_signature_check_revocation(info, cert, dbx)) + continue; - found = true; - break; - } + EFI_PRINT("Certificate in \"dbx\"\n"); + goto out; } + verified = true; - EFI_PRINT("%s: Exit, verified: %d\n", __func__, !found); - return !found; +out: + EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified); + return verified; } /** - * efi_signature_verify_signers - verify signers' certificates with dbx + * efi_signature_check_signers - check revocation against all signers with dbx * @msg: Signature - * @dbx: Signature database + * @dbx: Revocation signature database * - * Determine if any of signers' certificates in @msg may be verified - * by any of certificates in signature database pointed to by @dbx. - * This function is expected to be used against "dbx". + * Determine if none of signers' certificates in @msg are revoked + * by signature database pointed to by @dbx. * - * Return: true if none of certificates is rejected, false otherwise. + * Return: true if all signers passed, false otherwise. */ -bool efi_signature_verify_signers(struct pkcs7_message *msg, - struct efi_signature_store *dbx) +bool efi_signature_check_signers(struct pkcs7_message *msg, + struct efi_signature_store *dbx) { - struct pkcs7_signed_info *info; - bool found = false; + struct pkcs7_signed_info *sinfo; + bool revoked = false; EFI_PRINT("%s: Enter, %p, %p\n", __func__, msg, dbx); - if (!msg) + if (!msg || !dbx) goto out; - for (info = msg->signed_infos; info; info = info->next) { - if (info->signer && - !efi_signature_verify_cert(info->signer, dbx)) { - found = true; - goto out; + for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->signer && + !efi_signature_check_revocation(sinfo, sinfo->signer, + dbx)) { + revoked = true; + break; } } out: - EFI_PRINT("%s: Exit, verified: %d\n", __func__, !found); - return !found; + EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked); + return !revoked; } /** From patchwork Sat Jul 11 07:26:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241345 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:28 +0200 Subject: [PATCH v4 06/12] efi_loader: image_loader: add digest-based verification for signed image In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-7-xypron.glpk@gmx.de> From: AKASHI Takahiro In case that a type of certificate in "db" or "dbx" is EFI_CERT_X509_SHA256_GUID, it is actually not a certificate which contains a public key for RSA decryption, but a digest of image to be loaded. If the value matches to a value calculated from a given binary image, it is granted for loading. With this patch, common digest check code, which used to be used for unsigned image verification, will be extracted from efi_signature_verify_with_sigdb() into efi_signature_lookup_digest(), and extra step for digest check will be added to efi_image_authenticate(). Signed-off-by: AKASHI Takahiro --- include/efi_loader.h | 2 + lib/efi_loader/efi_image_loader.c | 44 ++++++++-- lib/efi_loader/efi_signature.c | 128 ++++++++++++++---------------- 3 files changed, 99 insertions(+), 75 deletions(-) -- 2.27.0 diff --git a/include/efi_loader.h b/include/efi_loader.h index 2f9fb112b3..ceabbaadd0 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -765,6 +765,8 @@ struct efi_signature_store { struct x509_certificate; struct pkcs7_message; +bool efi_signature_lookup_digest(struct efi_image_regions *regs, + struct efi_signature_store *db); bool efi_signature_verify_one(struct efi_image_regions *regs, struct pkcs7_message *msg, struct efi_signature_store *db); diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 058359fc25..b7cf26046e 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -448,16 +448,16 @@ static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs) } /* try black-list first */ - if (efi_signature_verify_one(regs, NULL, dbx)) { - EFI_PRINT("Image is not signed and rejected by \"dbx\"\n"); + if (efi_signature_lookup_digest(regs, dbx)) { + EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n"); goto out; } /* try white-list */ - if (efi_signature_verify_one(regs, NULL, db)) + if (efi_signature_lookup_digest(regs, db)) ret = true; else - EFI_PRINT("Image is not signed and not found in \"db\" or \"dbx\"\n"); + EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n"); out: efi_sigstore_free(db); @@ -605,6 +605,25 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) continue; } + /* + * NOTE: + * UEFI specification defines two signature types possible + * in signature database: + * a. x509 certificate, where a signature in image is + * a message digest encrypted by RSA public key + * (EFI_CERT_X509_GUID) + * b. bare hash value of message digest + * (EFI_CERT_SHAxxx_GUID) + * + * efi_signature_verify() handles case (a), while + * efi_signature_lookup_digest() handles case (b). + * + * There is a third type: + * c. message digest of a certificate + * (EFI_CERT_X509_SHAAxxx_GUID) + * This type of signature is used only in revocation list + * (dbx) and handled as part of efi_signatgure_verify(). + */ /* try black-list first */ if (efi_signature_verify_one(regs, msg, dbx)) { EFI_PRINT("Signature was rejected by \"dbx\"\n"); @@ -616,11 +635,22 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) goto err; } - /* try white-list */ - if (!efi_signature_verify_with_sigdb(regs, msg, db, dbx)) { - EFI_PRINT("Signature was not verified by \"db\"\n"); + if (efi_signature_lookup_digest(regs, dbx)) { + EFI_PRINT("Image's digest was found in \"dbx\"\n"); goto err; } + + /* try white-list */ + if (efi_signature_verify_with_sigdb(regs, msg, db, dbx)) + continue; + + debug("Signature was not verified by \"db\"\n"); + + if (efi_signature_lookup_digest(regs, db)) + continue; + + debug("Image's digest was not found in \"db\" or \"dbx\"\n"); + goto err; } ret = true; diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c index 52392d139a..fc0314e6d4 100644 --- a/lib/efi_loader/efi_signature.c +++ b/lib/efi_loader/efi_signature.c @@ -198,55 +198,43 @@ out: } /** - * efi_signature_verify_with_list - verify a signature with signature list - * @regs: List of regions to be authenticated - * @msg: Signature - * @signed_info: Pointer to PKCS7's signed_info - * @siglist: Signature list for certificates - * @valid_cert: x509 certificate that verifies this signature + * efi_signature_lookup_digest - search for an image's digest in sigdb + * @regs: List of regions to be authenticated + * @db: Signature database for trusted certificates * - * Signature pointed to by @signed_info against image pointed to by @regs - * is verified by signature list pointed to by @siglist. - * Signature database is a simple concatenation of one or more - * signature list(s). + * A message digest of image pointed to by @regs is calculated and + * its hash value is compared to entries in signature database pointed + * to by @db. * - * Return: true if signature is verified, false if not + * Return: true if found, false if not */ -static -bool efi_signature_verify_with_list(struct efi_image_regions *regs, - struct pkcs7_message *msg, - struct pkcs7_signed_info *signed_info, - struct efi_signature_store *siglist, - struct x509_certificate **valid_cert) +bool efi_signature_lookup_digest(struct efi_image_regions *regs, + struct efi_signature_store *db) { - struct x509_certificate *cert; + struct efi_signature_store *siglist; struct efi_sig_data *sig_data; - bool verified = false; + void *hash = NULL; + size_t size = 0; + bool found = false; - EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, - regs, signed_info, siglist, valid_cert); + EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db); - if (!signed_info) { - void *hash = NULL; - size_t size; + if (!regs || !db || !db->sig_data_list) + goto out; - EFI_PRINT("%s: unsigned image\n", __func__); - /* - * verify based on calculated hash value - * TODO: support other hash algorithms - */ + for (siglist = db; siglist; siglist = siglist->next) { + /* TODO: support other hash algorithms */ if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) { EFI_PRINT("Digest algorithm is not supported: %pUl\n", &siglist->sig_type); - goto out; + break; } if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) { - EFI_PRINT("Digesting unsigned image failed\n"); - goto out; + EFI_PRINT("Digesting an image failed\n"); + break; } - /* go through the list */ for (sig_data = siglist->sig_data_list; sig_data; sig_data = sig_data->next) { #ifdef DEBUG @@ -254,18 +242,52 @@ bool efi_signature_verify_with_list(struct efi_image_regions *regs, print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, sig_data->data, sig_data->size, false); #endif - if ((sig_data->size == size) && + if (sig_data->size == size && !memcmp(sig_data->data, hash, size)) { - verified = true; + found = true; free(hash); goto out; } } + free(hash); - goto out; + hash = NULL; } - EFI_PRINT("%s: signed image\n", __func__); +out: + EFI_PRINT("%s: Exit, found: %d\n", __func__, found); + return found; +} + +/** + * efi_signature_verify_with_list - verify a signature with signature list + * @regs: List of regions to be authenticated + * @msg: Signature + * @signed_info: Pointer to PKCS7's signed_info + * @siglist: Signature list for certificates + * @valid_cert: x509 certificate that verifies this signature + * + * Signature pointed to by @signed_info against image pointed to by @regs + * is verified by signature list pointed to by @siglist. + * Signature database is a simple concatenation of one or more + * signature list(s). + * + * Return: true if signature is verified, false if not + */ +static +bool efi_signature_verify_with_list(struct efi_image_regions *regs, + struct pkcs7_message *msg, + struct pkcs7_signed_info *signed_info, + struct efi_signature_store *siglist, + struct x509_certificate **valid_cert) +{ + struct x509_certificate *cert; + struct efi_sig_data *sig_data; + bool verified = false; + + EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, + regs, signed_info, siglist, valid_cert); + if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509)) { EFI_PRINT("Signature type is not supported: %pUl\n", &siglist->sig_type); @@ -412,19 +434,6 @@ bool efi_signature_verify_one(struct efi_image_regions *regs, if (!db->sig_data_list) goto out; - /* for unsigned image */ - if (!msg) { - EFI_PRINT("%s: Verify unsigned image with db\n", __func__); - for (siglist = db; siglist; siglist = siglist->next) - if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, &cert)) { - verified = true; - break; - } - goto out; - } - - /* for signed image or variable */ EFI_PRINT("%s: Verify signed image with db\n", __func__); for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", @@ -468,26 +477,9 @@ bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs, EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx); - if (!db) - goto out; - - if (!db->sig_data_list) + if (!regs || !msg || !db || !db->sig_data_list) goto out; - /* for unsigned image */ - if (!msg) { - EFI_PRINT("%s: Verify unsigned image with db\n", __func__); - for (siglist = db; siglist; siglist = siglist->next) - if (efi_signature_verify_with_list(regs, NULL, NULL, - siglist, &cert)) { - verified = true; - break; - } - goto out; - } - - /* for signed image or variable */ - EFI_PRINT("%s: Verify signed image with db\n", __func__); for (info = msg->signed_infos; info; info = info->next) { EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n", info->sig->hash_algo, info->sig->pkey_algo); From patchwork Sat Jul 11 07:26:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241349 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:29 +0200 Subject: [PATCH v4 07/12] test/py: efi_secboot: apply autopep8 In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-8-xypron.glpk@gmx.de> From: AKASHI Takahiro Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_secboot/conftest.py | 74 ++++++++++--------- test/py/tests/test_efi_secboot/defs.py | 14 ++-- .../py/tests/test_efi_secboot/test_authvar.py | 1 + test/py/tests/test_efi_secboot/test_signed.py | 1 + .../tests/test_efi_secboot/test_unsigned.py | 37 +++++----- 5 files changed, 67 insertions(+), 60 deletions(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index ac5a780fdb..82bc8886c4 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -10,6 +10,8 @@ from subprocess import call, check_call, check_output, CalledProcessError from defs import * # from test/py/conftest.py + + def tool_is_in_path(tool): for path in os.environ["PATH"].split(os.pathsep): fn = os.path.join(path, tool) @@ -20,13 +22,15 @@ def tool_is_in_path(tool): # # Fixture for UEFI secure boot test # + + @pytest.fixture(scope='session') def efi_boot_env(request, u_boot_config): """Set up a file system to be used in UEFI secure boot test. Args: request: Pytest request object. - u_boot_config: U-boot configuration. + u_boot_config: U-boot configuration. Return: A path to disk image to be used for testing @@ -48,20 +52,20 @@ def efi_boot_env(request, u_boot_config): # create a disk/partition check_call('dd if=/dev/zero of=%s bs=1MiB count=%d' - % (image_path, image_size), shell=True) + % (image_path, image_size), shell=True) check_call('sgdisk %s -n 1:0:+%dMiB' - % (image_path, part_size), shell=True) + % (image_path, part_size), shell=True) # create a file system check_call('dd if=/dev/zero of=%s.tmp bs=1MiB count=%d' - % (image_path, part_size), shell=True) + % (image_path, part_size), shell=True) check_call('mkfs -t %s %s.tmp' % (fs_type, image_path), shell=True) check_call('dd if=%s.tmp of=%s bs=1MiB seek=1 count=%d conv=notrunc' - % (image_path, image_path, 1), shell=True) + % (image_path, image_path, 1), shell=True) check_call('rm %s.tmp' % image_path, shell=True) loop_dev = check_output('sudo losetup -o 1MiB --sizelimit %dMiB --show -f %s | tr -d "\n"' % (part_size, image_path), shell=True).decode() check_output('sudo mount -t %s -o umask=000 %s %s' - % (fs_type, loop_dev, mnt_point), shell=True) + % (fs_type, loop_dev, mnt_point), shell=True) # suffix # *.key: RSA private key in PEM @@ -73,53 +77,53 @@ def efi_boot_env(request, u_boot_config): # *.efi.signed: signed UEFI image # Create signature database - ## PK + # PK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## PK_null for deletion + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # PK_null for deletion check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' - % (mnt_point, EFITOOLS_PATH), shell=True) - ## KEK + % (mnt_point, EFITOOLS_PATH), shell=True) + # KEK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db1 + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db1 check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) - ## db1-update + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db1-update check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' - % (mnt_point, EFITOOLS_PATH), shell=True) - ## dbx + % (mnt_point, EFITOOLS_PATH), shell=True) + # dbx check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' - % mnt_point, shell=True) + % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' - % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), - shell=True) + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) - ## Sign image + # Sign image check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' - % mnt_point, shell=True) - ## Digest image + % mnt_point, shell=True) + # Digest image check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' - % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), - shell=True) + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), + shell=True) check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) diff --git a/test/py/tests/test_efi_secboot/defs.py b/test/py/tests/test_efi_secboot/defs.py index d6222809c5..099f453979 100644 --- a/test/py/tests/test_efi_secboot/defs.py +++ b/test/py/tests/test_efi_secboot/defs.py @@ -1,21 +1,21 @@ # SPDX-License-Identifier: GPL-2.0+ # Disk image name -EFI_SECBOOT_IMAGE_NAME='test_efi_secboot.img' +EFI_SECBOOT_IMAGE_NAME = 'test_efi_secboot.img' # Size in MiB -EFI_SECBOOT_IMAGE_SIZE=16 -EFI_SECBOOT_PART_SIZE=8 +EFI_SECBOOT_IMAGE_SIZE = 16 +EFI_SECBOOT_PART_SIZE = 8 # Partition file system type -EFI_SECBOOT_FS_TYPE='vfat' +EFI_SECBOOT_FS_TYPE = 'vfat' # Owner guid -GUID='11111111-2222-3333-4444-123456789abc' +GUID = '11111111-2222-3333-4444-123456789abc' # v1.5.1 or earlier of efitools has a bug in sha256 calculation, and # you need build a newer version on your own. -EFITOOLS_PATH='' +EFITOOLS_PATH = '' # Hello World application for sandbox -HELLO_PATH='' +HELLO_PATH = '' diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 148aa3123e..359adba4b4 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -11,6 +11,7 @@ This test verifies variable authentication import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_fat') diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 19d78b1b64..6d4b03ef41 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -11,6 +11,7 @@ This test verifies image authentication for signed images. import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_efidebug') diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index c42c5ddc47..3748b51ee7 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py @@ -11,6 +11,7 @@ This test verifies image authentication for unsigned images. import pytest from defs import * + @pytest.mark.boardspec('sandbox') @pytest.mark.buildconfigspec('efi_secure_boot') @pytest.mark.buildconfigspec('cmd_efidebug') @@ -28,10 +29,10 @@ class TestEfiUnsignedImage(object): # Test Case 1 output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ @@ -55,12 +56,12 @@ class TestEfiUnsignedImage(object): # Test Case 2 output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ @@ -79,12 +80,12 @@ class TestEfiUnsignedImage(object): # Test Case 3a, rejected by dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', - 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', - 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ @@ -101,8 +102,8 @@ class TestEfiUnsignedImage(object): with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'fatload host 0:1 4000000 db_hello.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) assert(not 'Failed to set EFI variable' in ''.join(output)) output = u_boot_console.run_command_list([ From patchwork Sat Jul 11 07:26:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241352 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:30 +0200 Subject: [PATCH v4 08/12] test/py: efi_secboot: more fixes against pylint In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-9-xypron.glpk@gmx.de> From: AKASHI Takahiro More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_secboot/conftest.py | 11 +-- .../py/tests/test_efi_secboot/test_authvar.py | 91 +++++++++---------- test/py/tests/test_efi_secboot/test_signed.py | 31 +++---- .../tests/test_efi_secboot/test_unsigned.py | 29 +++--- 4 files changed, 79 insertions(+), 83 deletions(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 82bc8886c4..c0ee8be9f7 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -4,9 +4,8 @@ import os import os.path -import pytest -import re from subprocess import call, check_call, check_output, CalledProcessError +import pytest from defs import * # from test/py/conftest.py @@ -14,8 +13,8 @@ from defs import * def tool_is_in_path(tool): for path in os.environ["PATH"].split(os.pathsep): - fn = os.path.join(path, tool) - if os.path.isfile(fn) and os.access(fn, os.X_OK): + full_path = os.path.join(path, tool) + if os.path.isfile(full_path) and os.access(full_path, os.X_OK): return True return False @@ -128,8 +127,8 @@ def efi_boot_env(request, u_boot_config): check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) - except CalledProcessError as e: - pytest.skip('Setup failed: %s' % e.cmd) + except CalledProcessError as exception: + pytest.skip('Setup failed: %s' % exception.cmd) return else: yield image_path diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 359adba4b4..d0c6b9035b 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py @@ -9,7 +9,6 @@ This test verifies variable authentication """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') @@ -29,18 +28,18 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'printenv -e SecureBoot']) - assert('00000000: 00' in ''.join(output)) + assert '00000000: 00' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1b'): # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize PK']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1c'): # Test Case 1c, install PK @@ -48,79 +47,79 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert('PK:' in ''.join(output)) + assert 'PK:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 00' in output) + assert '00000000: 00' in output with u_boot_console.log.section('Test Case 1d'): # Test Case 1d, db/dbx without KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1e'): # Test Case 1e, install KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize KEK']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'printenv -e -n KEK']) - assert('KEK:' in ''.join(output)) + assert 'KEK:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1f'): # Test Case 1f, install db output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output with u_boot_console.log.section('Test Case 1g'): # Test Case 1g, install dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize dbx']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('dbx:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'dbx:' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 01' in output) + assert '00000000: 01' in output def test_efi_var_auth2(self, u_boot_console, efi_boot_env): """ @@ -139,20 +138,20 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2c'): # Test Case 2c, update with correct signature @@ -160,8 +159,8 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth3(self, u_boot_console, efi_boot_env): """ @@ -180,20 +179,20 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -a -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) - assert('Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3c'): # Test Case 3c, update with correct signature @@ -201,8 +200,8 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db1.auth', 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth4(self, u_boot_console, efi_boot_env): """ @@ -221,22 +220,22 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'setenv -e -nv -bs -rt db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'db:' in ''.join(output) with u_boot_console.log.section('Test Case 4b'): # Test Case 4b, update without correct signature/data output = u_boot_console.run_command_list([ 'setenv -e -nv -bs -rt -at db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('db:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'db:' in ''.join(output) def test_efi_var_auth5(self, u_boot_console, efi_boot_env): """ @@ -255,15 +254,15 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('PK:' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert 'PK:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK_null.esl', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert('Failed to set EFI variable' in ''.join(output)) - assert('PK:' in ''.join(output)) + assert 'Failed to set EFI variable' in ''.join(output) + assert 'PK:' in ''.join(output) with u_boot_console.log.section('Test Case 5b'): # Test Case 5b, Uninstall PK with correct signature @@ -271,12 +270,12 @@ class TestEfiAuthVar(object): 'fatload host 0:1 4000000 PK_null.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', 'printenv -e -n PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) - assert('\"PK\" not defined' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) + assert '\"PK\" not defined' in ''.join(output) output = u_boot_console.run_command( 'printenv -e SecureBoot') - assert('00000000: 00' in output) + assert '00000000: 00' in output output = u_boot_console.run_command( 'printenv -e SetupMode') - assert('00000000: 01' in output) + assert '00000000: 01' in output diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 6d4b03ef41..4e6f129b7f 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -9,7 +9,6 @@ This test verifies image authentication for signed images. """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') @@ -32,7 +31,7 @@ class TestEfiSignedImage(object): 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1b'): # Test Case 1b, run unsigned image if no db/dbx @@ -40,7 +39,7 @@ class TestEfiSignedImage(object): 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1c'): # Test Case 1c, not authenticated by db @@ -51,23 +50,23 @@ class TestEfiSignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'bootefi bootmgr']) - assert('\'HELLO2\' failed' in ''.join(output)) + assert '\'HELLO2\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 1d'): # Test Case 1d, authenticated by db output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): """ @@ -85,30 +84,30 @@ class TestEfiSignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index 3748b51ee7..c4c3f4c202 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py @@ -9,7 +9,6 @@ This test verifies image authentication for unsigned images. """ import pytest -from defs import * @pytest.mark.boardspec('sandbox') @@ -33,18 +32,18 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env): """ @@ -62,13 +61,13 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('Hello, world!' in ''.join(output)) + assert 'Hello, world!' in ''.join(output) def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env): """ @@ -86,33 +85,33 @@ class TestEfiUnsignedImage(object): 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db_hello.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) - assert(not 'Failed to set EFI variable' in ''.join(output)) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', 'efidebug boot next 1', 'bootefi bootmgr']) - assert('\'HELLO\' failed' in ''.join(output)) + assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert('efi_start_image() returned: 26' in ''.join(output)) - assert(not 'Hello, world!' in ''.join(output)) + assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' not in ''.join(output) From patchwork Sat Jul 11 07:26:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241347 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:31 +0200 Subject: [PATCH v4 09/12] test/py: efi_secboot: split "signed image" test case-1 into two cases In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-10-xypron.glpk@gmx.de> From: AKASHI Takahiro Split the existing test case-1 into case1 and a new case-2: case-1 for non-SecureBoot mode; case-2 for SecureBoot mode. In addition, one corner case is added to case-2; a image is signed but a corresponding certificate is not yet installed in "db." Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_secboot/test_signed.py | 66 +++++++++++-------- 1 file changed, 38 insertions(+), 28 deletions(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 4e6f129b7f..8ea45c8486 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -20,12 +20,12 @@ import pytest class TestEfiSignedImage(object): def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env): """ - Test Case 1 - authenticated by db + Test Case 1 - Secure boot is not in force """ u_boot_console.restart_uboot() disk_img = efi_boot_env with u_boot_console.log.section('Test Case 1a'): - # Test Case 1a, run signed image if no db/dbx + # Test Case 1a, run signed image if no PK output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', @@ -34,48 +34,66 @@ class TestEfiSignedImage(object): assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 1b'): - # Test Case 1b, run unsigned image if no db/dbx + # Test Case 1b, run unsigned image if no PK output = u_boot_console.run_command_list([ 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 1c'): - # Test Case 1c, not authenticated by db + def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): + """ + Test Case 2 - Secure boot is in force, + authenticated by db (TEST_db certificate in db) + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 2a'): + # Test Case 2a, db is not yet installed output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert('\'HELLO1\' failed' in ''.join(output)) + assert('efi_start_image() returned: 26' in ''.join(output)) + output = u_boot_console.run_command_list([ + 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', 'efidebug boot next 2', - 'bootefi bootmgr']) + 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 2b'): + # Test Case 2b, authenticated by db + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 'efidebug test bootmgr']) + assert '\'HELLO2\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' not in ''.join(output) - - with u_boot_console.log.section('Test Case 1d'): - # Test Case 1d, authenticated by db output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth3(self, u_boot_console, efi_boot_env): """ - Test Case 2 - rejected by dbx + Test Case 3 - rejected by dbx (TEST_db certificate in dbx) """ u_boot_console.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 2a'): - # Test Case 2a, rejected by dbx + with u_boot_console.log.section('Test Case 3a'): + # Test Case 3a, rejected by dbx output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', @@ -87,27 +105,19 @@ class TestEfiSignedImage(object): assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', - 'efidebug boot next 1', - 'bootefi bootmgr']) - assert '\'HELLO\' failed' in ''.join(output) - output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' not in ''.join(output) - with u_boot_console.log.section('Test Case 2b'): - # Test Case 2b, rejected by dbx even if db allows + with u_boot_console.log.section('Test Case 3b'): + # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ - 'efidebug boot next 1', - 'bootefi bootmgr']) - assert '\'HELLO\' failed' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) - assert 'Hello, world!' not in ''.join(output) From patchwork Sat Jul 11 07:26:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241350 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:32 +0200 Subject: [PATCH v4 10/12] test/py: efi_secboot: add a test against certificate revocation In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-11-xypron.glpk@gmx.de> From: AKASHI Takahiro Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt --- v4: call sign-efi-sig-list with -t --- test/py/tests/test_efi_secboot/conftest.py | 6 ++++- test/py/tests/test_efi_secboot/test_signed.py | 26 +++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index c0ee8be9f7..c3d56622a2 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -106,12 +106,16 @@ def efi_boot_env(request, u_boot_config): # db1-update check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' % (mnt_point, EFITOOLS_PATH), shell=True) - # dbx + ## dbx (TEST_dbx certificate) check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' % mnt_point, shell=True) check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_hash (digest of TEST_db certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 8ea45c8486..6dabecb669 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -121,3 +121,29 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env): + """ + Test Case 4 - revoked by dbx (digest of TEST_db certificate in dbx) + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 4'): + # Test Case 4, rejected by dbx + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 dbx_hash.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) From patchwork Sat Jul 11 07:26:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241348 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:33 +0200 Subject: [PATCH v4 11/12] test/py: efi_secboot: add a test for multiple signatures In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-12-xypron.glpk@gmx.de> From: AKASHI Takahiro In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt --- v4: call sign-efi-sig-list with -t --- test/py/tests/test_efi_secboot/conftest.py | 9 +++- test/py/tests/test_efi_secboot/test_signed.py | 51 +++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index c3d56622a2..7bb2e1d765 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -116,6 +116,10 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_hash1 (digest of TEST_db1 certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) @@ -123,7 +127,10 @@ def efi_boot_env(request, u_boot_config): # Sign image check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' % mnt_point, shell=True) - # Digest image + ## Sign already-signed image with another key + check_call('cd %s; sbsign --key db1.key --cert db1.crt --output helloworld.efi.signed_2sigs helloworld.efi.signed' + % mnt_point, shell=True) + ## Digest image check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 6dabecb669..1a31a57e12 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -147,3 +147,54 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env): + """ + Test Case 5 - multiple signatures + one signed with TEST_db, and + one signed with TEST_db1 + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 5a'): + # Test Case 5a, rejected if any of signatures is not verified + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 5b'): + # Test Case 5b, authenticated if both signatures are verified + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'bootefi bootmgr']) + assert 'Hello, world!' in ''.join(output) + + with u_boot_console.log.section('Test Case 5c'): + # Test Case 5c, rejected if any of signatures is revoked + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_hash1.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) From patchwork Sat Jul 11 07:26:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241351 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sat, 11 Jul 2020 09:26:34 +0200 Subject: [PATCH v4 12/12] test/py: efi_secboot: add a test for verifying with digest of signed image In-Reply-To: <20200711072634.290165-1-xypron.glpk@gmx.de> References: <20200711072634.290165-1-xypron.glpk@gmx.de> Message-ID: <20200711072634.290165-13-xypron.glpk@gmx.de> From: AKASHI Takahiro Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt --- v4: call sign-efi-sig-list with -t --- test/py/tests/test_efi_secboot/conftest.py | 10 ++++ test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++ 2 files changed, 59 insertions(+) -- 2.27.0 diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 7bb2e1d765..71ef723e59 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + ## dbx_db (with TEST_db certificate) + check_call('cd %s; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) # Copy image check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -t "2020-04-03" -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' + % (mnt_point, EFITOOLS_PATH), + shell=True) check_call('sudo umount %s' % loop_dev, shell=True) check_call('sudo losetup -d %s' % loop_dev, shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 1a31a57e12..7531bbac6a 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -198,3 +198,52 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): + """ + Test Case 6 - using digest of signed image in database + """ + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 6a'): + # Test Case 6a, verified by image's digest in db + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', + 'efidebug boot next 1', + 'bootefi bootmgr']) + assert 'Hello, world!' in ''.join(output) + + with u_boot_console.log.section('Test Case 6b'): + # Test Case 6b, rejected by TEST_db certificate in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + with u_boot_console.log.section('Test Case 6c'): + # Test Case 6c, rejected by image's digest in dbx + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'fatload host 0:1 4000000 dbx_hello_signed.auth', + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)