Commit graph

89 commits

Author SHA1 Message Date
Jeremy Kerr
a7228c8307 sbsiglist: fix signature size check
Rather than checking the size with the EFI_SIGNATURE_DATA header, just
check the data len.

Also, fix the definition for the SHA256 size.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-22 18:16:49 +08:00
Jeremy Kerr
fd553e841a sbvarsign: WIN_CERTIFICATE.dwLength should include the header size
Despite what the Authenticode spec says ("dwLength is set to the length
of bCertificate"), the MS var sign tool and EDK2 sources include the
header in the dwLength size.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-22 16:53:49 +08:00
Jeremy Kerr
feddcb4f4f sbvarsign: Fix invalid sizeof() for zeroing timestamp data
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-22 14:58:13 +08:00
Jeremy Kerr
030d5ef321 sbsiglist: check for owner and type arguments
...rather than segfaulting.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-22 14:58:07 +08:00
Jeremy Kerr
541beab7ce sbsiglist: Fix SignatureSize
We need to allow for the GUID in EFI_SIGNATURE_DATA too.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-14 14:32:16 +08:00
Jeremy Kerr
9389752741 image: use fileio_write_file
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:14:11 +08:00
Jeremy Kerr
dcae99eca5 Remove unused gen-keyfiles source
gen-keyfiles isn't built, and has been replaced by sbsiglist.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:13:35 +08:00
Jeremy Kerr
15fb9d37c2 docs: Create man pages for sbvarsign & sbsiglist
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:10:21 +08:00
Jeremy Kerr
c7ee585439 Move sources to src/ subdirectory
We have a number of source files now, so move them from the top level to
src/

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:10:21 +08:00
Jeremy Kerr
5466f381dd image: Use size of image data when writing images
When detaching a signature, we need to know the size of the
non-signature data. So, add a data_size member to struct image, and
populate it when we iterate through the section table.

When writing the image, use data_size rather than size, so we don't
unnecessarily add the (now unused) signature data.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:10:21 +08:00
Jeremy Kerr
8a55df5e96 image: always parse image regions
Rather than only calling image_find_regions when we want to sign or
verify an image, call it when the image is loaded. We'll want to use the
parsed data later, which will require it to be present on all instances
of an image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 15:05:12 +08:00
Jeremy Kerr
36a14ed978 Include efivars.h in automake infrastructure
make distcheck was failing due to a missing efivars.h in the dist
tarball. Add it to common_SOURCES to include it.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 13:16:42 +08:00
Jeremy Kerr
1187df3459 tests: run tests for each arch
Since we can sign i386 PE/COFF images, run the tests on both x86-64 and
i386 binaries.

We do this by moving test.pecoff to test-<arch>.pecoff, and using
automake's parallel-test option to add a wrapper to each test execution.
This wrapper calls each test once per arch (as defined in TEST_ARCHES),
and checks for failures in any invocation.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 13:14:09 +08:00
Jeremy Kerr
e1b58d6ccb image: Allow manipulation of i386 PE/COFF files
Replace struct image->aouthdr with a union of the 32- and 64-bit a.out
header definitions, and abstract the relevant parsing code into the
image_pecoff_parse_{32,64} functions.

We also move all references of data in the a.out header to these
functions, so we don't need to look up the machine types elsewhere.

Based on a patch by Maxim Kammerer <mk@dee.su>.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-13 11:27:39 +08:00
Jeremy Kerr
e027b87cff Remove arch-specific coff headers
If we use IMAGE_FILE_MACHINE_AMD64 instead of AMD64MAGIC, we can avoid
including the arch-specific coff/x86_64 header.

Based on a patch from Maxim Kammerer <mk@dee.su>.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 17:12:54 +08:00
Maxim Kammerer
1c8fac1fbe image: Prevent an uninitialized variable warning
The padlen variable in image_write() cannot be used uninitialized,
but the compiler is unable to determine that.

Signed-off-by: Maxim Kammerer <mk@dee.su>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 16:37:25 +08:00
Jeremy Kerr
591847bb79 sbsiglist: Add utility for creating EFI_SIGNATURE_LISTs
KEK, db and dbx updates need to be written as EFI_SIGNATURE_LIST
structures, so create a simple tool to create them.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 15:35:07 +08:00
Jeremy Kerr
0ca483d5d0 fileio: Add fileio_write_file
Add a convenience function for writing a single buffer to a file.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 15:34:21 +08:00
Jeremy Kerr
ce1689436e efivars: rename efi variable header
We'd like to add some other definitions to this, so give it a more
generic name.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-10 14:31:56 +08:00
Jeremy Kerr
6e4b3edcfb fileio: Unify whole-file reads
We do whole-file reads in a few places, so unify to a fileio_read_file()
function.

To do this, we change the type of struct image->buf to a uint8_t *.
Where we do pointer manipulation on the image buffer, we need a
temporary void * variable.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 11:14:17 +08:00
Jeremy Kerr
d19b993024 fileio: Unify key & cert loading
Rather than duplicating the key & certificate loading in each tool,
unify it in a fileio object.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 10:36:38 +08:00
Jeremy Kerr
d27647ba69 image: add functions to add and remove signatures
Rather than setting ->sigbuf directly, add two functions to handle image
signature addition and removal:

 image_add_signature(image, sig, sigsize);
 image_remove_signature(image);

And warn when a signature is to be overwritten.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-03 10:03:14 +08:00
Jeremy Kerr
36e79114d2 sbattach: fix --detach
sbattach --detach isn't working, as we're not properly setting sigbuf in
image_pecoff_parse.

This change ensures we populate sigbuf when we find a valid cert table.
Also, add a test case for this.

Bug report & initial patch from Steve Langasek.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:47:14 +08:00
Jeremy Kerr
ca05adbc77 sbattach: fix missing openssl/evp.h header
sbattach.c was generating a warning on compile:

../sbattach.c: In function ‘main’:
../sbattach.c:247:2: warning: implicit declaration of function ‘OpenSSL_add_all_digests’ [-Wimplicit-function-declaration]

OpenSSL_add_all_digests is defined in evp.h, so add the #include.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:47:14 +08:00
Jeremy Kerr
953b00481f sbvarsign: First cut of a variable-signing tool
Add sbvarsign, to sign variables to be passed to the efivars filesystem.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-02 16:46:51 +08:00
Jeremy Kerr
b0ef29caaf Version 0.3
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 15:16:46 +08:00
Jeremy Kerr
5dc7b4c370 license: Add OpenSSL exception to GPLv3 terms
We're using OpenSSL, so need to grant binary distributors permission to
link with it.

Cleared with current contributors.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 15:06:31 +08:00
Jeremy Kerr
dd005c61e0 COPYING: remove non-license text
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:33:44 +08:00
James Bottomley
d7cfae59da image: fix signature calculation when there's junk at the end of the efi binary
The current gnu efi generation tools insist on leaving junk at the end
of the binary.  According to the authenticode spec, we have to include
this in the hash otherwise signature verification fails, so add the end
junk to the calculation of the hash.

I've verified that with this fix (and another one to get objcopy to
align the sections correctly) we can now sign gnu tools generated efi
code with tianocore r13466.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:23:49 +08:00
Jeremy Kerr
1614a6e0f1 tests: Add test for PE/COFF cert table header validity
Add a test to check the validity of the certificate table header,
ensuring that parsing the header gives us the valid certificate.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 14:23:45 +08:00
James Bottomley
bf7e97bd1c image: fix incorrect assumption about signature header
The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature.  It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header.  UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).

I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get efi binaries signed with your tools
to verify.  When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 10:47:55 +08:00
Jeremy Kerr
81d7825c98 sbsign: handle errors from PKCS7_sign_add_signer()
Rather than causing a segfault (si == NULL), report an error and exit.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-28 10:18:08 +08:00
James Bottomley
8f8939d9bb sbsign: fix failure to sign when key is password protected
The current incarnation of sbsign doesn't add all ciphers to OpenSSL,
meaning that if the private key is encrypted, it can't decrypt it and
instead it returns the unhelpful error message

error reading private key ../certs/PK.key

Fix this by adding all ciphers before trying to read the private key.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-27 12:23:54 +08:00
Ivan Hu
14cff46671 configure: Add check for bfd.h
We need bfd.h for the image object, so add a check for it in
configure.ac.

Signed-off-by: Ivan Hu <ivanh.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-20 11:59:32 +08:00
Ivan Hu
4d892eb723 tests: Add a test to check invalid PKCS7 signature attaching
Add a test for the invalid PKCS7 signature attaching. This test
generates 1K of zero bytes as an invalid signature to attach.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-19 17:11:25 +08:00
Ivan Hu
e80a975ff9 sbattach: Check that attached signatures are valid PKCS7 data
Check detached signatures to ensure that we're attaching a valid PKCS7
object. If not, show a warning message and skip the attach action.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-19 17:09:48 +08:00
Jeremy Kerr
71f6b9b5cb sbverify: Use a variable for image filename
... rather than using argv[optind] multiple times.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-14 10:32:50 +08:00
Jeremy Kerr
376974e386 image: Unconditionally parse PE/COFF data
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:39:34 +08:00
Jeremy Kerr
186f1d59d9 sbverify: Check for failed image load
Currently, sbverify will segfault when it can't load an image file, as
the image is used unconditionally. This change adds a check to ensure we
continue with a valid image pointer.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:30:31 +08:00
Jeremy Kerr
0568983fab tests: Add tests for missing image, cert & key files
Currently causes a segfault in verify-missing-image.sh.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 17:30:31 +08:00
Jeremy Kerr
b3edb1fb72 tests: Execute tests in a clean (temporary) directory
Instead of executing in the current (build) directory, create a
temporary directory and change into it before running any tests. This
ensures that tests aren't relying on left-overs from previous test runs.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 16:56:28 +08:00
Jeremy Kerr
1be14f0c9b tests: Use COMPILE.S for assembling test object
Currently, ASFLAGS is not used, as we call $(AS) directly. Use
$(COMPILE.S) instead.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 16:23:00 +08:00
Jeremy Kerr
2added6a45 Version 0.2
We have a new tool (sbattach) now, so bump to version 0.2.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:30:29 +08:00
Jeremy Kerr
8e14f39980 docs: Add simple manpage for sbattach
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:28:57 +08:00
Jeremy Kerr
59641438fb automake: Clean generated man files
`make distcheck` fails with the following error:

  ERROR: files left in build directory after distclean:
  ./docs/sbverify.1
  ./docs/sbsign.1

This change adds a CLEANFILES rule for the generated manpages.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:26:08 +08:00
Jeremy Kerr
b05afccde0 tests: Add a few simple tests
Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:23:26 +08:00
Jeremy Kerr
0c5de30566 Remove unused test.c file
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 10:02:59 +08:00
Jeremy Kerr
edf1d26d49 sbattach: Add tool to manage detached signatures
Add a third tool (`sbattach`) to attach and detach signatures from
PE/COFF files.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 17:47:38 +08:00
Jeremy Kerr
be7559abfe image: Add facility to write unsigned images
Change image_write_signed to image_write, and conditionally write the
signature if one is present.

This will allow us to write unsigned images when detaching a sig from an
image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 10:19:08 +08:00
Jeremy Kerr
a8f1453a53 sbsign,sbverify: Update getopt_long optstrings
The optstrings for sbsign and sbverify are out of sync with the long
options, this change brings them up to date.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 19:49:28 +08:00