Andreas Schwab (1):
sbsigntool: add support for RISC-V 64-bit PE/COFF images
Daniel Axtens (1):
sbvarsign: do not include PKCS#7 attributes
James Bottomley (1):
Add support for openssl-3
Jeremi Piotrowski (1):
Fix openssl-3.0 issue involving ASN1 xxx_it
dann frazier (1):
sbkeysync: Don't ignore errors from insert_new_keys()
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to
`const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
available. This change should have been transparent to the application, but
only if the `ASN1_ITEM_rptr()` macro is used.
This change passes `make check` with both openssl 1.1 and 3.0.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
We're currently using a raft of APIs which trigger deprecation
warnings, so add OPENSSL_API_COMPAT to the command line for openssl-3
to cause them not to break the build.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2
descriptor) includes the following information about constructing
the PKCS#7 message for the authentication descriptor under
point 4(g):
SignedData.signerInfos shall be constructed as:
...
- SignerInfo.authenticatedAttributes shall not be present.
sbvarsign does not currently honour this, and generates a PKCS#7
message containing authenticated attributes. This is a snippet from
OpenSSL's printout of a message I reconstructed from an auth file:
    signedAttrs:
        object: contentType (1.2.840.113549.1.9.3)
        set:
          OBJECT:pkcs7-data (1.2.840.113549.1.7.1)
        object: signingTime (1.2.840.113549.1.9.5)
        set:
          UTCTIME:Mar  2 11:20:21 2021 GMT
        object: messageDigest (1.2.840.113549.1.9.4)
        set:
          OCTET STRING:
            0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b   .X.....K.j..k
            000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa   Q9...!$0.(...
            001a - 5c 33 c1 80 3f d1                        \3..?.
Tell OpenSSL to stop adding attributes.
This also brings sbvarsign into line with sign-efi-sig-list.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
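The check the commit above calls for, as an added example that is not sbvarsign's code: a small DER walker that reports, for each SignerInfo in a PKCS#7/CMS SignedData, whether signedAttrs is present. It accepts either a ContentInfo-wrapped PKCS#7 or a bare SignedData (the form the "emit the SignedData type" commit further down this page switched the variable signing tools to). Feed it the CertData of an .auth file, i.e. everything after the 16-byte EFI_TIME and the 24-byte WIN_CERTIFICATE_UEFI_GUID header. The sample_signed_data() input is constructed here with dummy digest and signature bytes; only its structure matters.

```python
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, SET = 0x02, 0x04, 0x05, 0x06, 0x30, 0x31
CTX0 = 0xA0  # [0] constructed: ContentInfo.content, SignedData.certificates, SignerInfo.signedAttrs


def _tlv(buf, pos):
    """Decode one definite-length DER TLV at buf[pos] -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F or length == 0x80:
        raise ValueError("multi-byte tags and indefinite lengths are not DER")
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _elems(value):
    """Decode the children of a constructed value -> list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _tlv(value, pos)
        out.append((tag, child))
    return out


def signed_data(blob):
    """Return the contents of the SignedData SEQUENCE, unwrapping ContentInfo if present."""
    tag, value, _ = _tlv(blob, 0)
    if tag != SEQUENCE:
        raise ValueError("top-level object is not a SEQUENCE")
    elems = _elems(value)
    if elems and elems[0][0] == OID:        # ContentInfo { contentType OID, [0] EXPLICIT content }
        for t, v in elems[1:]:
            if t == CTX0:
                inner_tag, inner, _ = _tlv(v, 0)
                if inner_tag != SEQUENCE:
                    raise ValueError("ContentInfo.content is not a SignedData SEQUENCE")
                return inner
        raise ValueError("ContentInfo carries no content")
    return value                             # bare SignedData, as sbvarsign writes it


def signer_infos_have_signed_attrs(blob):
    """One bool per SignerInfo: True if signedAttrs ([0] IMPLICIT SET OF Attribute) is present."""
    elems = _elems(signed_data(blob))
    if len(elems) < 4 or elems[-1][0] != SET:
        raise ValueError("SignedData.signerInfos is missing")
    flags = []
    for tag, si in _elems(elems[-1][1]):
        if tag != SEQUENCE:
            raise ValueError("SignerInfo is not a SEQUENCE")
        tags = [t for t, _ in _elems(si)]
        # SignerInfo: version, sid, digestAlgorithm, [signedAttrs], signatureAlgorithm, signature, ...
        flags.append(len(tags) > 3 and tags[3] == CTX0)
    return flags


# Constructed sample input (dummy digest and signature bytes; only the structure matters here).
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value


def sample_signed_data(with_signed_attrs, wrap_in_content_info=False):
    """A structurally valid SignedData with one SignerInfo, with or without signedAttrs."""
    oid = lambda hexval: _der(OID, bytes.fromhex(hexval))
    alg_sha256 = _der(SEQUENCE, oid("608648016503040201") + _der(NULL, b""))   # 2.16.840.1.101.3.4.2.1
    alg_rsa = _der(SEQUENCE, oid("2a864886f70d010101") + _der(NULL, b""))      # 1.2.840.113549.1.1.1
    sid = _der(SEQUENCE, _der(SEQUENCE, b"") + _der(INTEGER, b"\x01"))          # IssuerAndSerialNumber
    si = _der(INTEGER, b"\x01") + sid + alg_sha256
    if with_signed_attrs:                                                      # messageDigest attribute
        attr = _der(SEQUENCE, oid("2a864886f70d010904") + _der(SET, _der(OCTET_STRING, bytes(32))))
        si += _der(CTX0, attr)
    si += alg_rsa + _der(OCTET_STRING, bytes(16))
    sd = _der(SEQUENCE, _der(INTEGER, b"\x01") + _der(SET, alg_sha256)
              + _der(SEQUENCE, oid("2a864886f70d010701")) + _der(SET, _der(SEQUENCE, si)))
    if wrap_in_content_info:
        return _der(SEQUENCE, oid("2a864886f70d010702") + _der(CTX0, sd))
    return sd
```

A descriptor that passes this check can still be rejected by firmware for other reasons (bad TimeStamp, wrong CertType GUID), so treat an all-False result as necessary, not sufficient.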
|
|
If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
But although this seemed to succeed on my system, looking at the logs shows
a different story:
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
AKASHI Takahiro (1):
sbsign: allow for adding intermediate certificates
James Bottomley (8):
sbverify: fix verification with intermediate certificates
Tests: Add intermediate certificate tests to the sign-verify cases
Fix some openssl 1.1.0 deprecated functions
sbvarsign: remove unused global variable
sbverify: refer to unused function
Fix errors on 32 bit
Enable -Werror for builds
docs: add man page for sbkeysync
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Now that all the build warnings are eliminated, make sure they don't
come back
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
print format and signed conversion due to big hex types
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The function print_certificate_store_certs() is currently commented
out leading to an unused function warning. Make verbose a level and
call this function for levels > 1 (meaning you have to specify -v -v
to see it).
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
replace OPENSSL_config with OPENSSL_init_crypto and ASN1_STRING_data
with ASN1_STRING_get0_data
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
sbverify is currently failing if an intermediate certificate is added
on signing but the binary is verified with the signing certificate.
It fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
This is happening because the x509_STORE only contains the signing
certificate but the pkcs7 bundle in the binary contains the issuer
certificate as well. Fix this by unconditionally approving any
locally missing certificates on verify.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
SignedData can have multiple certificates, but the current
implementation of sbsign only allows a single one (as a signer).
With this patch, "-addcert" options will be available on command line to
specify a file in which any number of intermediate certificates in PEM
format can be concatenated.
$ sign --key <key> --cert <cert> --addcert <morecerts> [...] image_file
Background:
I'm working on implementing UEFI secure boot on U-Boot and want
to test my code against PE images with intermediate certificates
in certificate chain.
As far as I know, the only tool that supports it in signing is
Microsoft's signtool.exe. So I'd like to have some corresponding
tool on linux.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
James Bottomley (1):
README: update git location and add mailing list information
Laszlo Ersek (1):
sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" assignment
Steve McIntyre (1):
Fix PE/COFF checksum calculation
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Now that a Mailing list is set up, update the README to point to it
and mention the new maintained git location for this fork.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
According to UEFI-2.8, section 8.3 "Time Services" / GetTime(), the
"EFI_TIME.Year" field must be in the range [1900, 9999] (both bounds
inclusive). It is not stated or even implied that "EFI_TIME.Year" would
not be an absolute year number.
According to POSIX, the "tm_year" field of "struct tm" is defined as
"Years since 1900". In other words, "tm_year" is relative to 1900.
In set_timestamp(), time() and gmtime() are suitable for populating
"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp", as the UEFI spec specifically
requires a stamp expressed in the GMT (UTC) zone. But we still need to
offset "tm->tm_year" by 1900 for filling in "timestamp->Year". So let's do
that now.
While this issue does not seem to affect upstream edk2, SetVariable()
calls with payloads containing an invalid
"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" value do seem to be
rejected at least on some Dell Inspiron machines (using a UEFI
implementation from AMI).
Reported-by: Eugene Khoruzhenko <ekhoruzhenko@absolute.com>
Reported-by: Paulo Henrique Lacerda de Amorim <phlamorim@riseup.net>
Ref: https://edk2.groups.io/g/devel/message/49402
Fixes: 953b00481f3957fc756a6dc7d10c570da32a08bc
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Only count the cert_table header once when performing the calculation
and counting buffer sizes.
The problem entered because of a mismerge of multiple signature
support and "be1f3d8 Update the PE checksum field using the
somewhat-underdocumented algorithm, so that we match the Microsoft
implementation in our signature generation.". Originally
image->cert_table held the full certificate table including the
Microsoft _WINH_CERTIFICATE header and image->sigbuf pointed to the
pkcs11 signature inside, so the two had to be checksummed separately.
After multiple signature support, image->sigbuf points to the full
certificate table because we now need the headers to decide where one
signature ends and the next begins, so the correct checksum only needs
to sum over the entire image->sigbuf.
Signed-off-by: Steve McIntyre <93sam@debian.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
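The checksum itself, as an added example rather than sbsigntools' image.c: sum the file as little-endian 16-bit words, skip the CheckSum field, fold the carry after every word, treat an odd trailing byte as the low byte of one more word (the csum_bytes fix further down this page), fold once more and add the file length. The sum runs over the whole buffer, signature table included, which is what the mismerge fix above settles on. sample_stub_pe() builds a constructed MZ/PE stub so the field can be located and verified offline.

```python
import struct


def _fold(csum):
    """Fold the carry out of bit 16 back into the low half."""
    return (csum & 0xFFFF) + (csum >> 16)


def pe_checksum(data, checksum_offset):
    """Return the CheckSum value for `data`, given the file offset of the CheckSum field."""
    if checksum_offset % 2 or checksum_offset + 4 > len(data):
        raise ValueError("CheckSum field offset must be even and inside the image")
    csum = 0
    for off in range(0, len(data) - 1, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue                      # the field being computed does not count
        csum = _fold(csum + struct.unpack_from("<H", data, off)[0])
    if len(data) & 1:                     # odd trailing byte: low byte of one more word
        csum = _fold(csum + data[-1])
    csum = _fold(csum)
    csum = (csum + (csum >> 16)) & 0xFFFF
    return csum + len(data)


def checksum_field_offset(data):
    """Locate the optional header's CheckSum field (offset 64 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe + 24 + 64


def verify_pe_checksum(data):
    """True if the stored CheckSum matches the recomputed one."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored == pe_checksum(data, off)


def sample_stub_pe(size=160, checksum=0):
    """Constructed: an MZ stub whose e_lfanew points at 'PE\\0\\0' at 0x40, nothing else set."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 24 + 64, checksum)
    return bytes(img)
```

Because the sum covers every byte after the sections too, appending or replacing a signature table changes the value, so the field has to be rewritten after each sbsign/sbattach operation; verify_pe_checksum() is a cheap way to confirm that happened.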
|
|
Fix fedora build
Fix variable signing for current tianocore
Fix image processing not to invalidate existing signatures
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The old code forced region size to be aligned to the PECOFF file
alignment parameter, which is correct according to the spec. However,
the major UEFI platforms do not align up when checking the signature,
so if the PECOFF binary being signed already contains a signature,
realigning the sections will make the existing signature invalid. Fix
this by relaxing the rule about aligning up (also eliminates
complaints about some pecoff sections being misaligned).
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The EFI standard is ambiguous about which one to use for variable
updates (it is definite about using PKCS7 for signed binaries). Until
recently, the reference platform, tianocore, accepted both. However
after patch
commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <lubo.zhang@intel.com>
Date: Thu Jan 5 14:58:05 2017 +0800
SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
The acceptance of PKCS7 got broken. This breakage seems to be
propagating to the UEFI ecosystem, so update the variable signing
tools to emit the SignedData type (which all previous EFI
implementations accepted).
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Of course, Fedora puts gnu-efi in yet another different, non-standard place
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Add support for engine based keys
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Add the ability to specify an engine to read the keyfile. For safety,
we don't do the full dynamic engine support, but only use engines
configured for use by the platform.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
This version builds correctly on openssl 1.1 and also includes
functional autotests for every architecture.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Older versions of openssl 1.0.0 don't have X509_STORE_CTX_get0_store
so define that as well.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The current test infrastructure is tied to x86/amd64. This means the
tests always fail on a non-x86 architecture (like aarch64). Fix this
by generating the efi binary directly from C code and removing the
architectural restrictions in the Makefile.am. One of the
consequences of this is that we no longer test ia32 on x86_64, but the
difficulty of detecting which architectures can support 32 bit
variants and generating them correctly from EFI c code is too great.
We also need to exclude tests involving objdump from aarch64 since its
bfd still doesn't have an efi_app_aarch64 target.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
pecoff for i386 can be too short, so it gets padded for an accurate
signature. Make sure the size comparison takes this into account to
avoid spurious failures.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
newer versions of gcc have contained an efi target for a while so use
it instead of hacking a linker script.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The original tests to warn about overwriting signatures have never
worked after the multiple signature code was added (because we add a
new signature instead of overwriting the old one) update the tests to
check instead for the signature addition.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.
The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves. Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
|
|
autotest is very finicky. The environment can't be set up in
SH_LOG_COMPILER, but has to be done in AM_TESTS_ENVIRONMENT instead,
so fix this.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
In the current framework for using engine based keys, the engine has
to be loaded and initialised as part of the default engines. The only
way this can happen for the TPM engine is if it is named in a config
section, so all the tools must read and act on the config file to be
able to use TPM based keys.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
This version works correctly on arm 32 and 64.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
It causes the ARM build to crash (because of directives) and it's
unnecessary in this file.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
arm has a variety of uname -m forms, all beginning with arm, so use
this to determine the EFI architecture
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
OpenSSL 1.0.2e now actively checks for both data and contents being present
for a certificate. Clear out contents so that we have only data, and run a
chance of actually verifying the signature.
Bug-Ubuntu: https://launchpad.net/bugs/1526959
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Buffers of odd length can be passed to the checksum, for example signatures.
csum_bytes uses a uint16_t so change the function to prevent overflowing the
buffer, while taking the extra byte into account if the length is odd.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Newer versions of openssl return a different error with alternate
certificate chains; update for compatibility.
Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)
rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to
an older calling convention that is incompatible with Tianocore UEFI.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
The loop that iterates over the PE/COFF sections correctly skips zero
sized sections, but still increments the loop index 'i'. This results in
subsequent iterations poking into unallocated memory.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Original patch from: Steve Langasek <steve.langasek@canonical.com>
The ubuntu version of the signature expiry patch ignores several more errors,
so add them.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
algorithm, so that we match the Microsoft implementation in our
signature generation.
[jejb: add endian to autogen.sh and fix for multi-sign]
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
Change responsible person to James Bottomley
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
sbsign will sign an already signed binary (adding a signature at the end)
sbverify has a new mode --list, for listing all the signatures and sbattach
takes a --signum argument for --remove or --detach.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
No leaf is OK, as is an expired cert.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
This prevents a FIPS failure message if no FIPS module is loaded.
Plus add -v as short form for --verbose in sbverify
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
In line with the verification process in firmware, update our verify
callback to explicitly trust all certificates that we load to our cert
store.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add an option to print the certificate & signature info while verifying
a signed image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Proposed changes to the kernel will establish /sys/firmware/efi/efivars
as the canonical mountpoint for the efivars filesystem.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than overrunning the heap, explicitly allocate the pad area for
cases where we've aligned-up the section table sizes.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Since we write the certificate table starting at data_size (not size),
use this value when generating the cert table header.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Only add the endjunk region when we need to add data, and warn when
we've got too much.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
The PE/COFF spec allows variable-sized data directories, which reduce
the size of the optional header. While GNU ld always produces
maximum-sized headers, the kernel's EFI_STUB code generates a smaller
header size, which causes the image parsing code to abort.
This change allows variable-sized optional headers, but checks for at
least enough of an optional header to contain a CERT_TABLE data
directory entry.
We also rename struct image's aouthdr to opthdr, as it contains more
than just the a.out fields.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Brown paper bag time: we want to hash the variable data, not the stack.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We were updating siglist before incrementing i, and so aborting the
siglist iteration earlier than necessary.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
For db and dbx, we want EFI_IMAGE_SECURITY_DATABASE.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than having three sets of (firmware, filesystem) key databases,
refactor into two sets of (kdk, db, dbx) databases. This allows us to
add the PK later.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We want to free path, not ke. We can also unify the error path.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We should free filename, and buf on error.
Also, check for the length of the file's data; we may be passed empty
files, and end up with a negative len.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We want to collect keystore entries on a separate list, so rename the
'list' member to something more specific.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
... rather than printing the raw IDs.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Use key_database as a generic container for both firmware & filesystem
keys.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
To make it clear that these are key files.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We want to call key_id on file buffers too, which don't have the
EFI_SIGNATURE_DATA encapsulation.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Helps to show where the keys are loaded from.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add a couple of options to configure the location we read keys from
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
files
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add some initial code to parse the EFI signature databases.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We may want to read files which can be absent. In this case, we don't
want to print an error.
This change adds fileio_read_file_noerror(), which suppresses error
output.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We're almost always going to want the attributes set to
NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | APPEND_WRITE,
and TIME_BASED_AUTHENTICATED_WRITE is required. So, provide this
as the default if no --attrs argument is specified.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than making these private to sbvarsign, move the EFI_VARIABLE
attribute definitions to efivars.h
Since some of these are defined by gnu-efi, we need to protect the
definitions with an #ifdef.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than checking the size with the EFI_SIGNATURE_DATA header, just
check the data len.
Also, fix the definition for the SHA256 size.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Despite what the Authenticode spec says ("dwLength is set to the length
of bCertificate"), the MS var sign tool and EDK2 sources include the
header in the dwLength size.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
... rather than segfaulting.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We need to allow for the GUID in EFI_SIGNATURE_DATA too.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
gen-keyfiles isn't built, and has been replaced by sbsiglist.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We have a number of source files now, so move them from the top level to
src/
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
When detaching a signature, we need to know the size of the
non-signature data. So, add a data_size member to struct image, and
populate it when we iterate through the section table.
When writing the image, use data_size rather than size, so we don't
unnecessarily add the (now unused) signature data.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than only calling image_find_regions when we want to sign or
verify image, call it when the image is loaded. We'll want to use the
parse data later, which will require it to be present on all instances
of an image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
make distcheck was failing due to a missing efivars.h in the dist
tarball. Add it to common_SOURCES to include it.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Since we can sign i386 PE/COFF images, run the tests on both x86-64 and
i386 binaries.
We do this by moving test.pecoff to test-<arch>.pecoff, and using
automake's parallel-test option to add a wrapper to each test execution.
This wrapper calls each test once per arch (as defined in TEST_ARCHES),
and checks for failures in any invocation.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Replace struct image->aouthdr with a union of the 32- and 64-bit a.out
header definitions, and abstract the relevant parsing code into the
image_pecoff_parse_{32,64} functions.
We also move all references of data in the a.out header to these
functions, so we don't need to lookup the machine types elsewhere.
Based on a patch by Maxim Kammerer <mk@dee.su>.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
If we use IMAGE_FILE_MACHINE_AMD64 instead of AMD64MAGIC, we can avoid
including the arch-specific coff/x86_64 header.
Based on a patch from Maxim Kammerer <mk@dee.su>.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
padlen variable in image_write() cannot be used uninitialized,
but compiler is unable to determine that.
Signed-off-by: Maxim Kammerer <mk@dee.su>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
KEK, db and dbx updates need to be written as EFI_SIGNATURE_LIST
structures, so create a simple tool to create them.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
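An added example (not sbsiglist) of building and walking EFI_SIGNATURE_LISTs, which also covers the two size fixes further up this page: SignatureSize includes the 16-byte SignatureOwner GUID of each EFI_SIGNATURE_DATA, and an EFI_CERT_SHA256 entry's data must be exactly 32 bytes. The type GUIDs are the spec values; SAMPLE_OWNER_GUID and the hashes used in testing are constructed.

```python
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed
HEADER_LEN = 16 + 4 + 4 + 4   # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
OWNER_LEN = 16                # EFI_SIGNATURE_DATA.SignatureOwner


def build_siglist(sig_type, owner, entries):
    """One EFI_SIGNATURE_LIST; every entry becomes an EFI_SIGNATURE_DATA {owner, data}."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    if sig_type == EFI_CERT_SHA256_GUID and sizes != {32}:
        raise ValueError("EFI_CERT_SHA256 entries must be exactly 32 bytes")
    sig_size = OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    hdr = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size)
    return hdr + body


def parse_siglists(buf):
    """Walk concatenated EFI_SIGNATURE_LISTs (a db/dbx update); return [(type, owner, data)]."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % pos)
        sig_type = uuid.UUID(bytes_le=bytes(buf[pos:pos + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", buf, pos + 16)
        if list_size < HEADER_LEN or pos + list_size > len(buf):
            raise ValueError("SignatureListSize %d does not fit the buffer" % list_size)
        if sig_size <= OWNER_LEN:
            raise ValueError("SignatureSize must exceed the 16-byte SignatureOwner GUID")
        data_len = list_size - HEADER_LEN - hdr_size
        if data_len < 0 or data_len % sig_size:
            raise ValueError("signature area is not a whole number of SignatureSize entries")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != OWNER_LEN + 32:
            raise ValueError("EFI_CERT_SHA256 list with SignatureSize != 48")
        start = pos + HEADER_LEN + hdr_size
        for off in range(start, start + data_len, sig_size):
            owner = uuid.UUID(bytes_le=bytes(buf[off:off + OWNER_LEN]))
            out.append((sig_type, owner, bytes(buf[off + OWNER_LEN:off + sig_size])))
        pos += list_size
    return out


def siglists_are_valid(buf):
    try:
        parse_siglists(buf)
        return True
    except ValueError:
        return False
```

parse_siglists() is deliberately strict about SignatureListSize and SignatureSize: a firmware or tool that trusts those fields without bounds checks reads past the buffer, which is exactly the class of bug the length-check commits above fix.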
|
|
Add a convenience function for writing a single buffer to a file.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We'd like to add some other definitions to this, so give it a more
generic name.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We do whole-file reads in a few places, so unify to a fileio_read_file()
function.
To do this, we change the type of struct image->buf to a uint8_t *.
Where we do pointer manipulation on the image buffer, we need a
temporary void * variable.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than duplicating the key & certificate loading in each tool,
unify it in a fileio object.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than setting ->sigbuf directly, add two functions to handle image
signature addition and removal:
image_add_signature(image, sig, sigsize);
image_remove_signature(image);
And warn when a signature is to be overwritten.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
sbattach --detach isn't working, as we're not properly setting sigbuf in
image_pecoff parse.
This change ensures we populate sigbuf when we find a valid cert table.
Also, add a test case for this.
Bug report & initial patch from Steve Langasek.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
sbattach.c was generating a warning on compile:
../sbattach.c: In function ‘main’:
../sbattach.c:247:2: warning: implicit declaration of function ‘OpenSSL_add_all_digests’ [-Wimplicit-function-declaration]
OpenSSL_add_all_digests is defined in evp.h, so add the #include.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add sbvarsign, to sign variables to be passed to the efivars filesystem.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We're using OpenSSL, so need to grant binary distributors permission to
link with it.
Cleared with current contributors.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
The current gnu efi generation tools insist on leaving junk at the end
of the binary. According to the authenticode spec, we have to include
this in the hash otherwise signature verification fails, so add the end
junk to the calculation of the hash.
I've verified that with this fix (and another one to get objcopy to
align the sections correctly) we can now sign gnu tools generated efi
code with tianocore r13466
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
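The Authenticode image hash as the commit above describes it, as an added example and not sbsign's image.c: hash the headers minus the CheckSum field and the certificate-table directory entry, then each section's raw data in file order, then whatever trails the last section (the end junk) up to but excluding the attached certificate table. pe_layout() also refuses an optional header too short to hold the certificate-table entry, the case the variable-sized data directory commit above handles. sample_pe() builds a constructed, non-loadable PE32+ so the properties can be checked offline; its section name and alignments are arbitrary.

```python
import hashlib
import struct


def pe_layout(img):
    """Offsets needed for the Authenticode hash: CheckSum field, certificate-table
    directory entry, SizeOfHeaders, sections as (PointerToRawData, SizeOfRawData)
    sorted by file offset, and the (offset, size) of the attached certificate table."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)       # PE32 / PE32+ data directory start
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    certdir = opt + dd_base + 4 * 8                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    if certdir + 8 > opt + opt_size:                   # variable-sized directories (kernel EFI stub)
        raise ValueError("optional header too short to hold a certificate table entry")
    size_of_headers = struct.unpack_from("<I", img, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", img, certdir)
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", img, opt + opt_size + i * 40 + 16)
        if raw_size:                                   # zero-sized sections contribute nothing
            sections.append((raw_ptr, raw_size))
    sections.sort()
    return opt + 64, certdir, size_of_headers, sections, (cert_off, cert_size)


def authenticode_hash(img, algo="sha256"):
    """Digest of a PE image as the Authenticode spec defines it."""
    checksum_off, certdir, hdr_end, sections, (_, cert_size) = pe_layout(img)
    h = hashlib.new(algo)
    h.update(img[:checksum_off])                   # headers, minus the CheckSum field ...
    h.update(img[checksum_off + 4:certdir])        # ... and minus the cert table directory entry
    h.update(img[certdir + 8:hdr_end])
    hashed = hdr_end
    for ptr, size in sections:                     # section raw data in file order
        h.update(img[ptr:ptr + size])
        hashed += size
    extra = len(img) - cert_size - hashed          # trailing data after the last section
    if extra > 0:                                  # (the "end junk"), but never the cert table
        h.update(img[hashed:hashed + extra])
    return h.hexdigest()


def sample_pe(section_data, end_junk=b"", cert_table=b""):
    """Constructed, non-loadable PE32+ with one section and 512-byte file alignment."""
    pe_off, opt_size, falign = 0x40, 112 + 16 * 8, 512
    hdr_end = -(-(pe_off + 24 + opt_size + 40) // falign) * falign
    raw_size = -(-len(section_data) // falign) * falign
    img = bytearray(hdr_end)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<II", img, opt + 32, 0x1000, falign)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 60, hdr_end)             # SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)                 # NumberOfRvaAndSizes
    if cert_table:                                             # cert table sits after the end junk
        struct.pack_into("<II", img, opt + 112 + 4 * 8, hdr_end + raw_size + len(end_junk), len(cert_table))
    sh = opt + opt_size
    img[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sh + 8, len(section_data), 0x1000, raw_size, hdr_end)
    return bytes(img) + section_data.ljust(raw_size, b"\0") + end_junk + cert_table
```

The two properties worth checking on a real binary are the ones the tests below assert on a constructed one: attaching a certificate table (or rewriting CheckSum) must not change the digest, while any change to the bytes between the last section and the certificate table must.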
|
|
Add a test to check the validity of the certificate table header,
ensuring that parsing the header gives us the valid certificate.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature. It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).
I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get efi binaries signed with your tools
to verify. When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than causing a segfault (si == NULL), report an error and exit.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
The current incarnation of sbsign doesn't add all ciphers to OpenSSL
meaning that if the private key is encrypted, it can't decrypt it and
instead it returns the unhelpful error message
error reading private key ../certs/PK.key
Fix this by adding all ciphers before trying to read the private key.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We need bfd.h for the image object, so add a check for it in
configure.ac.
Signed-off-by: Ivan Hu <ivanh.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add a test for the invalid PKCS7 signature attaching. This test
generates 1K of zero bytes as an invalid signature to attach.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Check detached signatures to ensure that we're attaching a valid PKCS7
object. If not, show a warning message and skip the attach action.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
... rather than using argv[optind] multiple times.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Currently, sbverify will segfault when it can't load an image file, as
the image is used unconditionally. This change adds a check to ensure we
continue with a valid image pointer.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Currently causes a segfault in verify-missing-image.sh.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Instead of executing in the current (build) directory, create a
temporary directory and change into it before running any tests. This
ensures that tests aren't relying on left-overs from previous test runs.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Currently, ASFLAGS is not used, as we call $(AS) directly. Use
$(COMPILE.S) instead.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We have a new tool (sbattach) now, so bump to version 0.2.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
`make distcheck` fails with the following error:
ERROR: files left in build directory after distclean:
./docs/sbverify.1
./docs/sbsign.1
This change adds a CLEANFILES rule for the generated manpages.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add a third tool (`sbattach`) to attach and detach signatures from
PE/COFF files.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Change image_write_signed to image_write, and conditionally write the
signature if one is present.
This will allow us to write unsigned images when detaching a sig from an
image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
The optstrings for sbsign and sbverify are out of sync with the long
options, this change brings them up to date.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Allow sbverify to read PKCS7 data from a separate file with the
'--detached <file>' option.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
We'd like to read detached signatures too, so split the
signature-buffer-reading code into a separate function.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Fix a few warnings:
idc.c: In function ‘IDC_get’:
idc.c:248:12: warning: ‘idclen’ may be used uninitialised in this function [-Wuninitialized]
image.c: In function ‘image_load’:
image.c:37:15: warning: unused variable ‘bytes_read’ [-Wunused-variable]
Plus, a bunch of strict-aliasing warnings:
image.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
[ similar warnings trimmed ]
when compiling image.c. Since struct external_PEI_DOS_hdr uses char[]
types for all members, we need to use accessors here.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
$(builddir) should be $(top_builddir), and we need a valid definition of
MKDIR_P to create the docs.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Rather than using our own functions for reading/writing an entire
buffer, use ccan's.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Use %t rather than assuming typeof(ptr - int) == unsigned long.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add autoconf & automake metadata, plus required files for automake to
run without complaint.
Requires an update to ccan, to get the --build-type argument to
create-ccan-tree.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Mostly generated from help2man output.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Update the usage output of sbsign and sbverify so that it can be better
parsed by help2man. Also, add --version and --help.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add make logic to import lib/ccan from lib/ccan.git. We need to set some
dependencies on $(obj) to ensure that the ccan headers are available
before starting the main build.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Move the ccan git submodule to lib/ccan.git, so we can use ccan's
create-ccan-tree utility.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Remove a duplicate call to ERR_load_crypto_strings, and move the digest
init earlier.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Make sure d2i_PKCS7 returned a PKCS7 structure.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Add an option (--cert <file>) to specify a root certificate (or
certificates) to use as a trusted CA.
Verification can be disabled with --no-verify.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Extract the IDC-parsing code from IDC_check_hash, and use it to
initialise a BIO. This BIO can then be used to perform the PKCS7
verification.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Don't warn when the certificate table is the only un-hashed data.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
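What the two commits above amount to in code, the sbattach attach/detach of a signature in the PE/COFF certificate table and the "certificate table is the only un-hashed data" check, as an added example in Python. This is not sbsigntool's code: it is a standalone illustration that assumes the documented PE/COFF layout (data directory entry 4 is the certificate table, WIN_CERTIFICATE revision 0x0200 / type 0x0002, CheckSum at optional-header offset 64, data directories at +96 for PE32 and +112 for PE32+), and the sample image it operates on is constructed test data, not a real executable. The hash model follows the tool as the page describes it (headers and sections, with the CheckSum field, the certificate directory entry and the certificate table left out).

```python
# Added example, not sbsigntool code: Authenticode certificate table attach/detach
# and the "is anything besides the certificate table un-hashed?" check.
import hashlib
import struct

CERT_DIR_INDEX = 4                        # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def parse_pe(pe):
    """File offsets the signing code needs: CheckSum, certificate directory entry,
    SizeOfHeaders and each section's (PointerToRawData, SizeOfRawData)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 / PE32+
    hdr_size, = struct.unpack_from("<I", pe, opt + 60)
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"csum": opt + 64, "cert_dir": dirs + 8 * CERT_DIR_INDEX,
            "hdr_size": hdr_size, "sections": sorted(sections)}

def _cert_table(pe):
    """(layout, certificate table file offset, certificate table size)."""
    layout = parse_pe(pe)
    return (layout,) + struct.unpack_from("<II", pe, layout["cert_dir"])

def detach(pe):
    """Return the PKCS#7 blob from the certificate table, or None if the image is unsigned."""
    _, off, size = _cert_table(pe)
    if size == 0:
        return None
    length, rev, ctype = struct.unpack_from("<IHH", pe, off)     # WIN_CERTIFICATE header
    if rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        raise ValueError("unsupported or corrupt WIN_CERTIFICATE")
    return pe[off + 8:off + length]

def strip(pe):
    """Drop the certificate table and clear its directory entry (the unsigned write path)."""
    layout, off, size = _cert_table(pe)
    if size == 0:
        return pe
    if off + size != len(pe):
        raise ValueError("certificate table is not the tail of the file")
    out = bytearray(pe[:off])
    struct.pack_into("<II", out, layout["cert_dir"], 0, 0)
    return bytes(out)

def attach(pe, pkcs7):
    """Append pkcs7 as an 8-byte-aligned WIN_CERTIFICATE and point the directory entry at it."""
    out = bytearray(strip(pe))
    out += b"\0" * (-len(out) % 8)
    off = len(out)
    entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    entry += b"\0" * (-len(entry) % 8)
    out += entry
    struct.pack_into("<II", out, parse_pe(pe)["cert_dir"], off, len(entry))
    return bytes(out)

def authenticode_hash(pe, algo="sha256"):
    """Hash headers and sections, skipping CheckSum, the certificate directory entry
    and everything past the last section (where the certificate table lives)."""
    layout = parse_pe(pe)
    h = hashlib.new(algo)
    h.update(pe[:layout["csum"]])
    h.update(pe[layout["csum"] + 4:layout["cert_dir"]])
    h.update(pe[layout["cert_dir"] + 8:layout["hdr_size"]])
    for ptr, size in layout["sections"]:
        h.update(pe[ptr:ptr + size])
    return h.digest()

def unhashed_bytes(pe):
    """Bytes covered by neither the hash nor the certificate table (the warning case);
    a signed image whose only extra data is the certificate table returns 0."""
    layout, _, size = _cert_table(pe)
    end = max([layout["hdr_size"]] + [p + s for p, s in layout["sections"]])
    return len(pe) - end - size

def build_sample_pe():
    """Constructed PE32+ test image: 512 bytes of headers plus one 512-byte section."""
    hdr_size, sec_size = 512, 512
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # x86-64, 1 section, PE32+ hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_size)                       # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", sec_size, 0x1000, sec_size, hdr_size,
                       0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(hdr_size, b"\0") + bytes(range(256)) * 2
```

Attaching or detaching leaves authenticode_hash() unchanged, which is what makes a detached signature verifiable against the image later; unhashed_bytes() is the quantity the commit stops warning about when it equals the certificate table alone. Authenticode's own procedure folds any extra data after the sections into the hash; here, following the tool's behaviour as described, such data is only reported.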
|
|
Add a check to match the calculated image's hash against the one found
in the PKCS7 IndirectDataContext.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
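Two of the checks above need the same small amount of DER handling: the sbattach commit that refuses to attach a detached signature unless it is a valid PKCS7 object (its test feeds 1K of zero bytes), and this commit's comparison of the computed image hash against the digest carried in the IndirectDataContext. The following is an added example, not sbsigntool's or OpenSSL's code, with a minimal DER encoder and decoder of its own. The OIDs are the standard id-signedData, SHA-256 and Microsoft SPC_INDIRECT_DATA / SPC_PE_IMAGE_DATA values; the sample ContentInfo and SpcIndirectDataContent it builds are constructed test data in which the inner `data` attribute is reduced to its OID alone.

```python
# Added example, not sbsigntool code: DER sanity check for a detached PKCS#7 blob and
# extraction of the image digest from an SpcIndirectDataContent.
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"            # id-signedData
OID_SPC_PE_IMAGE_DATA = "1.3.6.1.4.1.311.2.1.15"   # SPC_PE_IMAGE_DATAOBJ
OID_SHA256 = "2.16.840.1.101.3.4.2.1"

def _tlv(tag, body):
    """Encode one definite-length DER TLV (bodies up to 0xFFFF bytes)."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def read_tlv(buf, off=0):
    """Decode the TLV header at off: (tag, body_start, body_end).
    Raises ValueError for truncated, indefinite-length or oversized encodings."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    pos = off + 2
    if first < 0x80:
        length = first
    elif first == 0x80 or first - 0x80 > 4:
        raise ValueError("indefinite or oversized length")
    else:
        nbytes = first - 0x80
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the body of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def sample_content_info():
    """Constructed ContentInfo { id-signedData, [0] { SEQUENCE { INTEGER 1 } } } test blob."""
    return _tlv(0x30, _encode_oid(OID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, b"\x02\x01\x01")))

def is_pkcs7_signed_data(blob):
    """The check sbattach needs before attaching: a DER SEQUENCE spanning exactly the
    whole blob whose first element is the id-signedData OID. 1K of zeros fails here."""
    try:
        tag, start, end = read_tlv(blob)
        if tag != 0x30 or end != len(blob):
            return False
        otag, ostart, oend = read_tlv(blob, start)
        return otag == 0x06 and decode_oid(blob[ostart:oend]) == OID_SIGNED_DATA
    except (ValueError, IndexError):
        return False

def build_indirect_data(digest, digest_oid=OID_SHA256):
    """Constructed SpcIndirectDataContent { data { type }, messageDigest { AlgorithmIdentifier,
    OCTET STRING } }; the data attribute's optional value is omitted (test data)."""
    data = _tlv(0x30, _encode_oid(OID_SPC_PE_IMAGE_DATA))
    alg = _tlv(0x30, _encode_oid(digest_oid) + b"\x05\x00")
    return _tlv(0x30, data + _tlv(0x30, alg + _tlv(0x04, digest)))

def indirect_data_digest(idc):
    """(digest_oid, digest) from an SpcIndirectDataContent: the pair a verifier compares
    against the hash it computed over the image itself."""
    _, s, _ = read_tlv(idc)                 # outer SEQUENCE
    _, _, de = read_tlv(idc, s)             # data attribute: skipped
    _, ms, _ = read_tlv(idc, de)            # messageDigest DigestInfo
    _, as_, ae = read_tlv(idc, ms)          # AlgorithmIdentifier
    _, os_, oe = read_tlv(idc, as_)         # algorithm OID
    ttag, hs, he = read_tlv(idc, ae)        # OCTET STRING digest
    if ttag != 0x04:
        raise ValueError("messageDigest is not an OCTET STRING")
    return decode_oid(idc[os_:oe]), idc[hs:he]
```

A verifier would take the digest returned by indirect_data_digest(), compute the image hash with the algorithm its OID names, and reject the signature unless the two are equal; the structural check in is_pkcs7_signed_data() only says that a blob is shaped like PKCS#7 signedData, not that any signature in it is valid, which is exactly the distinction the attach-time warning draws.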
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Prevents weirdness when overwriting old files.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
GPLv3; the sources include parts of binutils, include parts of ccan,
and have been partially based on osslsigntool.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|
|
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
|