sbsigntools

Author	SHA1	Message	Date
Jeremy Kerr	ae1523673e	sbkeysync: print keystore before key databases Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	37d838a43d	sbkeysync: Find keys missing from firmware key databases Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	60586e122f	sbkeysync: Rename struct keystore_entry->list to keystore_list We want to collect keystore entries on a separate list, so rename the 'list' member to something more specific. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	ae3344f5eb	sbkeysync: Generate and print key descriptions .. rather than printing the raw IDs. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	7dc407e311	sbkeysync: add comment to sigdb_iterate Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	bd9de8eadd	sbkeysync: Change key_id to key_parse Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	22450d8c40	sbkeysync: Print filesystem key databases Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	54e1fbed30	sbkeysync: read keystore into kdb->filesystem_keys Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:32 +08:00
Jeremy Kerr	5527ef2db4	sbkeysync: Unify key_database Use key_database as a generic container for both firmware & filesystem keys. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:03:29 +08:00
Jeremy Kerr	1bdfb9acb8	sbkeysync: Add key_database->filesystem_keys Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	bdeb14370d	sbkeysync: keystore -> fs_keystore To make it clear that these are key files. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	98911a7f4c	sbkeysync: pass data buffer (instead of EFI_SIGNATURE_DATA) to key_id We want to call key_id on file buffers too, which don't have the EFI_SIGNATURE_DATA encapsulation. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	1a431a5a2d	sbkeysync: add keystore_entry->root Helps to show where the keys are loaded from. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	add8d00f31	sbkeysync: Add --keystore and --no-default-keystores options Add a couple of options to configure the location we read keys from Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	a151ffdb9d	sbkeysync: Add --verbose option and conditionally print debug output Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:02:15 +08:00
Jeremy Kerr	d5ce9e3f36	sbkeysync: Add keystore parsing functions Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:01:31 +08:00
Jeremy Kerr	2f82c545c2	sbkeysync: Add --efivars-dir option to specific different locations for var files Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:01:31 +08:00
Jeremy Kerr	5757f27812	sbkeysync: Add X509 key parsing Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:01:30 +08:00
Jeremy Kerr	c03ca4f73f	sbkeysync: Add key ID data to print_key_database() Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:01:30 +08:00
Jeremy Kerr	72ec025d79	sbkeysync: read & print signature databases Add some initial code to parse the EFI signature databases. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:00:52 +08:00
Jeremy Kerr	f8024a6a3b	Move EFI_CERT types to efivars.h Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 20:00:15 +08:00
Jeremy Kerr	f9eed9cc42	fileio: Add fileio_read_file_noerror() We may want to read files which can be absent. In this case, we don't want to print an error. This change adds fileio_read_file_noerror(), which suppresses error output. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-24 19:58:21 +08:00
Jeremy Kerr	07328d85c3	sbvarsign: Start with a default set of variable attributes We're almost always going to want the attributes set to NON_VOLATILE \| BOOTSERVICE_ACCESS \| RUNTIME_ACCES \| APPEND_WRITE, and TIME_BASED_AUTHENTICATED_WRITE is required. So, provide this as the default if no --attrs argument is specified. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-23 19:39:32 +08:00
Jeremy Kerr	88625a586c	efivars: Move EFI_VARIABLE_* attributes to efivars.h Rather than making these private to sbvarsign, move the EFI_VARIABLE attribute defintions to efivars.h Since some of these are defined by gnu-efi, we need to protect the definitions with an #ifdef. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-23 19:11:34 +08:00
Jeremy Kerr	a7228c8307	sbsiglist: fix signature size check Rather than checking the size with the EFI_SIGNATURE_DATA header, just check the data len. Also, fix the definition for the SHA256 size. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-22 18:16:49 +08:00
Jeremy Kerr	fd553e841a	sbvarsign: WIN_CERTIFICATE.dwLength should include the header size Despite what the Authenticode spec says ("dwLength is set to the length of bCertificate"), the MS var sign tool and EDK2 sources include the header in the dwLength size. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-22 16:53:49 +08:00
Jeremy Kerr	feddcb4f4f	sbvarsign: Fix invalid sizeof() for zeroing timestamp data Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-22 14:58:13 +08:00
Jeremy Kerr	030d5ef321	sbsiglist: check for owner and type arguments ..rather than segfaulting. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-22 14:58:07 +08:00
Jeremy Kerr	541beab7ce	sbsiglist: Fix SignatureSize We need to allow for the GUID in EFI_SIGNATURE_DATA too. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-14 14:32:16 +08:00
Jeremy Kerr	9389752741	image: use fileio_write_file Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:14:11 +08:00
Jeremy Kerr	dcae99eca5	Remove unused gen-keyfiles source gen-keyfiles isn't built, and has been replaced by sbsiglist. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:13:35 +08:00
Jeremy Kerr	15fb9d37c2	docs: Create man pages for sbvarsign & sbsiglist Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:10:21 +08:00
Jeremy Kerr	c7ee585439	Move sources to src/ subdirectory We have a number of source files now, so move them from the top level to src/ Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:10:21 +08:00
Jeremy Kerr	5466f381dd	image: Use size of image data when writing images When detaching a signature, we need to know the size of the non-signature data. So, add a data_size member to struct image, and populate it when we iterate through the section table. When writing the image, use data_size rather than size, so we don't unnecessarily add the (now unused) signature data. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:10:21 +08:00
Jeremy Kerr	8a55df5e96	image: always parse image regions Rather than only calling image_find_regions when we want to sign or verify image, call it when the image is loaded. We'll want to use the parse data later, which will require it to be present on all instances of an image. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 15:05:12 +08:00
Jeremy Kerr	36a14ed978	Include efivars.h in automake infrastructure make distcheck was failing due to a missing efivars.h in the dist tarball. Add it to common_SOURCES to include it. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 13:16:42 +08:00
Jeremy Kerr	1187df3459	tests: run tests for each arch Since we can sign i386 PE/COFF images, run the tests on both x86-64 and i386 binaries. We do this by moving test.pecoff to test-<arch>.pecoff, and using automake's parallel-test option to add a wrapper to each test execution. This wrapper calls each test once per arch (as defined in TEST_ARCHES), and checks for failures in any invocation. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 13:14:09 +08:00
Jeremy Kerr	e1b58d6ccb	image: Allow manipulation of i386 PE/COFF files Replace struct image->aouthdr with a union of the 32- and 64-bit a.out header definitions, and abstract the relevant parsing code into the image_pecoff_parse_{32,64} functions. We also move all references of data in the a.out header to these functions, so we don't need to lookup the machine types elsewhere. Based on a patch by Maxim Kammerer <mk@dee.su>. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-13 11:27:39 +08:00
Jeremy Kerr	e027b87cff	Remove arch-specific coff headers If we use IMAGE_FILE_MACHINE_AMD64 instead of AMD64MAGIC, we can avoid including the arch-specific coff/x86_64 header. Based on a patch from Maxim Kammerer <mk@dee.su>. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-10 17:12:54 +08:00
Maxim Kammerer	1c8fac1fbe	image: Prevent an uninitialized variable warning padlen variable in image_write() cannot be used uninitialized, but compiler is unable to determine that. Signed-off-by: Maxim Kammerer <mk@dee.su> Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-10 16:37:25 +08:00
Jeremy Kerr	591847bb79	sbsiglist: Add utility for creating EFI_SIGNATURE_LISTs KEK, db and dbx updates need to be written as EFI_SIGNATURE_LIST structures, so create a simple tool to create them. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-10 15:35:07 +08:00
Jeremy Kerr	0ca483d5d0	fileio: Add fileio_write_file Add a convenience function for writing a single buffer to a file. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-10 15:34:21 +08:00
Jeremy Kerr	ce1689436e	efivars: rename efi variable header We'd like to add some other definitions to this, so give it a more generic name. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-10 14:31:56 +08:00
Jeremy Kerr	6e4b3edcfb	fileio: Unify whole-file reads We do whole-file reads in a few places, so unify to a fileio_read_file() function. To do this, we change the type of struct image->buf to a uint8_t . Where we do pointer manipulation on the image buffer, we need a temporary void variable. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-03 11:14:17 +08:00
Jeremy Kerr	d19b993024	fileio: Unify key & cert loading Rather than duplicating the key & certificate loading in each tool, unify it in a fileio object. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-03 10:36:38 +08:00
Jeremy Kerr	d27647ba69	image: add functions to add and remove signatures Rather than setting ->sigbuf directly, add two functions to handle image signature addition and removal: image_add_signature(image, sig, sigsize); image_remove_signature(image); And warn when a signature is to be overwritten. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-03 10:03:14 +08:00
Jeremy Kerr	36e79114d2	sbattach: fix --detach sbattach --detach isn't working, as we're not properly setting sigbuf in image_pecoff parse. This change ensures we populate sigbuf when we find a valid cert table. Also, add a test case for this. Bug report & initial patch from from Steve Langasek. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-02 16:47:14 +08:00
Jeremy Kerr	ca05adbc77	sbattach: fix missing openssl/evp.h header sbattach.c was generating a warning on compile: ../sbattach.c: In function ‘main’: ../sbattach.c:247:2: warning: implicit declaration of function ‘OpenSSL_add_all_digests’ [-Wimplicit-function-declaration] OpenSSL_add_all_digests is defined in evp.h, so add the #include. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-02 16:47:14 +08:00
Jeremy Kerr	953b00481f	sbvarsign: First cut of a variable-signing tool Add sbvarsign, to sign variables to be passed to the efivars filesystem. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-08-02 16:46:51 +08:00
Jeremy Kerr	b0ef29caaf	Version 0.3 Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>	2012-06-28 15:16:46 +08:00

1 2 3

113 commits