Commit graph

72 commits

Author SHA1 Message Date
Jeremy Kerr
0ca483d5d0 fileio: Add fileio_write_file
Add a convenience function for writing a single buffer to a file.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 15:34:21 +08:00
Jeremy Kerr
ce1689436e efivars: rename efi variable header
We'd like to add some other definitions to this, so give it a more
generic name.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 14:31:56 +08:00
Jeremy Kerr
6e4b3edcfb fileio: Unify whole-file reads
We do whole-file reads in a few places, so unify to a fileio_read_file()
function.

To do this, we change the type of struct image->buf to a uint8_t *.
Where we do pointer manipulation on the image buffer, we need a
temporary void * variable.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 11:14:17 +08:00
Jeremy Kerr
d19b993024 fileio: Unify key & cert loading
Rather than duplicating the key & certificate loading in each tool,
unify it in a fileio object.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 10:36:38 +08:00
Jeremy Kerr
d27647ba69 image: add functions to add and remove signatures
Rather than setting ->sigbuf directly, add two functions to handle image
signature addition and removal:

 image_add_signature(image, sig, sigsize);
 image_remove_signature(image);

And warn when a signature is to be overwritten.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 10:03:14 +08:00
Jeremy Kerr
36e79114d2 sbattach: fix --detach
sbattach --detach isn't working, as we're not properly setting sigbuf in
image_pecoff parse.

This change ensures we populate sigbuf when we find a valid cert table.
Also, add a test case for this.

Bug report & initial patch from from Steve Langasek.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:47:14 +08:00
Jeremy Kerr
ca05adbc77 sbattach: fix missing openssl/evp.h header
sbattach.c was generating a warning on compile:

../sbattach.c: In function ‘main’:
../sbattach.c:247:2: warning: implicit declaration of function ‘OpenSSL_add_all_digests’ [-Wimplicit-function-declaration]

OpenSSL_add_all_digests is defined in evp.h, so add the #include.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:47:14 +08:00
Jeremy Kerr
953b00481f sbvarsign: First cut of a variable-signing tool
Add sbvarsign, to sign variables to be passed to the efivars filesystem.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:46:51 +08:00
Jeremy Kerr
b0ef29caaf Version 0.3
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 15:16:46 +08:00
Jeremy Kerr
5dc7b4c370 license: Add OpenSSL exception to GPLv3 terms
We're using OpenSSL, so need to grant binary distrbutors permission to
link with it.

Cleared with current contributors.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 15:06:31 +08:00
Jeremy Kerr
dd005c61e0 COPYING: remove non-license text
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:33:44 +08:00
James Bottomley
d7cfae59da image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end
of the binary.  According to the authenticode spec, we have to include
this in the hash otherwise signature verification fails, so add the end
junk to the calculation of the hash.

I've verified that with this fix (and another one to get objcopy to
align the sections correctly) we can now sign gnu tools generated efi
code with tianocore r13466

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:23:49 +08:00
Jeremy Kerr
1614a6e0f1 tests: Add test for PE/COFF cert table header validity
Add a test to check the validity of the certificate table header,
ensuring that parsing the header gives us the valid certificate.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:23:45 +08:00
James Bottomley
bf7e97bd1c image: fix incorrect assumption about signature header
The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature.  It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header.  UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).

I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get efi binaries signed with your tools
to verify.  When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 10:47:55 +08:00
Jeremy Kerr
81d7825c98 sbsign: handle errors from PKCS7_sign_add_signer()
Rather than causing a segfault (si == NULL), report an error and exit.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 10:18:08 +08:00
James Bottomley
8f8939d9bb sbsign: fix failure to sign when key is password protected
The current incarnation of sbsign doesn't all all ciphers to OpenSSL
meaning that if the private key is encrypted, it can't decrypt it and
instead it returns the unhelpful error message

error reading private key ../certs/PK.key

Fix this by adding all ciphers before trying to read the private key.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-27 12:23:54 +08:00
Ivan Hu
14cff46671 configure: Add check for bfh.h
We need bfd.h for the image object, so add a check for it in
configure.ac.

Signed-off-by: Ivan Hu <ivanh.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-20 11:59:32 +08:00
Ivan Hu
4d892eb723 tests: Add a test to check invalid PKCS7 signature attaching
Add a test for the invalid PKCS7 signature attaching. This test
generates 1K of zero bytes as an invalid signature to attach.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-19 17:11:25 +08:00
Ivan Hu
e80a975ff9 sbattach: Check that attached signatures are valid PKCS7 data
Check detached signatures to ensure that we're attaching a valid PKCS7
object. If no, show a warning message and skip the attach action.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-19 17:09:48 +08:00
Jeremy Kerr
71f6b9b5cb sbverify: Use a variable for image filename
... rather than using argv[optind] multiple times.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-14 10:32:50 +08:00
Jeremy Kerr
376974e386 image: Unconditionally parse PE/COFF data
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:39:34 +08:00
Jeremy Kerr
186f1d59d9 sbverify: Check for failed image load
Currently, sbverify will segfault when it can't load an image file, as
the image is used unconditionally. This change adds a check to ensure we
continue with a valid image pointer.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:30:31 +08:00
Jeremy Kerr
0568983fab tests: Add tests for missing image, cert & key files
Currently causes a segfault in verify-missing-image.sh.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:30:31 +08:00
Jeremy Kerr
b3edb1fb72 tests: Execute tests in a clean (temporary) directory
Instead of executing in the current (build) directory, create a
temporary directory and change into it before running any tests. This
ensures that tests aren't relying on left-overs from previous test runs.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 16:56:28 +08:00
Jeremy Kerr
1be14f0c9b tests: Use COMPILE.S for assembing test object
Currently, ASFLAGS is not used, as we call $(AS) directly. Use
$(COMPILE.S) instead.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 16:23:00 +08:00
Jeremy Kerr
2added6a45 Version 0.2
We have a new tool (sbattach) now, so bump to version 0.2.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:30:29 +08:00
Jeremy Kerr
8e14f39980 docs: Add simple manpage for sbattach
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:28:57 +08:00
Jeremy Kerr
59641438fb automake: Clean generated man files
`make distcheck` fails with the following error:

  ERROR: files left in build directory after distclean:
  ./docs/sbverify.1
  ./docs/sbsign.1

This change adds a CLEANFILES rule for the generated manpages.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:26:08 +08:00
Jeremy Kerr
b05afccde0 tests: Add a few simple tests
Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:23:26 +08:00
Jeremy Kerr
0c5de30566 Remove unused test.c file
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 10:02:59 +08:00
Jeremy Kerr
edf1d26d49 sbattach: Add too to manage detached signatures
Add a third tool (`sbattach`) to attach and detach signatures from
PE/COFF files.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 17:47:38 +08:00
Jeremy Kerr
be7559abfe image: Add facility to write unsigned images
Change image_write_signed to image_write, and conditionally write the
signature if one is present.

This will allow us to write unsigned images when detaching a sig from an
image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 10:19:08 +08:00
Jeremy Kerr
a8f1453a53 sbsign,sbverify: Update getopt_long optstrings
The optstrings for sbsign and sbverify are out of sync with the long
options, this change brings them up to date.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 19:49:28 +08:00
Jeremy Kerr
dc9ffc752f sbverify: Add support for detached signatures
Allow sbverify to read PKCS7 data from a separate file with the
'--detached <file>' option.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 17:19:15 +08:00
Jeremy Kerr
f457bb21f1 sbverify: Split image signature table reading to separate function
We'd like to read detached signatures too, so split the
signature-buffer-reading code into a separate function.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 17:04:17 +08:00
Jeremy Kerr
ffc1f41ace Fix warnings from added -W flags
Fix a few warnings:

 idc.c: In function ‘IDC_get’:
 idc.c:248:12: warning: ‘idclen’ may be used uninitialised in this function [-Wuninitialized]

 image.c: In function ‘image_load’:
 image.c:37:15: warning: unused variable ‘bytes_read’ [-Wunused-variable]

Plus, a bunch of strict-aliasing warnings:

 image.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 [ similar warnings trimmed ]

when compiling image.c. Since struct external_PEI_DOS_hdr uses char[]
types for all members, we need to use accessors here.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 16:54:42 +08:00
Jeremy Kerr
34edfd6348 automake: Add -Wall -Wextra CFLAGS
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 15:59:48 +08:00
Jeremy Kerr
3c9815acc6 sbsign: Add --detached option to create detached PKCS7 signatures
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 15:59:48 +08:00
Jeremy Kerr
f98a885cfa sbsign: fix flag for verbose operation
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 14:54:57 +08:00
Jeremy Kerr
9786761e4f docs: Fix manpage creation
$(builddir) should be $(top_builddir), and we need a valid definition of
MKDIR_P to create the docs.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 14:37:33 +08:00
Adam Conrad
b0619274fd autogen.sh: Fix ccan_module assignment
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-29 09:33:05 +08:00
Jeremy Kerr
9a4440676c image: use read_write_all from ccan
Rather than using our own functions for reading/writing an entire
buffer, use ccan's.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:44:39 +08:00
Jeremy Kerr
3bb18f8ed9 image: Fix format specifier for 32-bit builds
Use %t rather than assuming typeof(ptr - int) == unsigned long.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:35:48 +08:00
Jeremy Kerr
3def238360 autoconfiscate
Add autoconf & automake metadata, plus required files for automake to
run without complaint.

Requires an update to ccan, to get the --build-type argument to
create-ccan-tree.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:35:48 +08:00
Jeremy Kerr
42c7160576 docs: Add initial manpages
Mostly generated from help2man output.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:26 +08:00
Jeremy Kerr
fcf3cdf70a sbsign,sbverify: help2man-ize usage output
Update the usage output of sbsign and sbverify so that it can be better
parsed by help2man. Also, add --version and --help.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:25 +08:00
Jeremy Kerr
e83712388f Makefile: Add dist targets
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:24 +08:00
Jeremy Kerr
c74f1ceeb1 ccan: Add ccan import logic
Add make logic to import lib/ccan from lib/ccan.git. We need to set some
dependencies on $(obj) to ensure the the ccan headers are available
before starting the main build.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:24 +08:00
Jeremy Kerr
90c4c8718e Move ccan submodule
Move the ccan git submodule to lib/ccan.git, so we can use ccan's
create-ccan-tree utility.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:18 +08:00
Jeremy Kerr
3e6c9347be Remove unused header
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-15 14:19:00 +08:00