The sbsign tools appear to assume that WIN_CERTIFICATE.dwLength is the
length of the signature. It's not, it's the length of the signature
plus the length of the WIN_CERTIFICATE header. UEFI Version 2.3.1,
Errata A explicitly states this in section 27.2.5 (Code Definitions).
I found this because I've been playing around with the tianocore secure
boot UEFI images and I couldn't get efi binaries signed with your tools
to verify. When you apply the fix, I've got the binaries to verify (at
least with X509 KEK signatures).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
The current incarnation of sbsign doesn't all all ciphers to OpenSSL
meaning that if the private key is encrypted, it can't decrypt it and
instead it returns the unhelpful error message
error reading private key ../certs/PK.key
Fix this by adding all ciphers before trying to read the private key.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
We need bfd.h for the image object, so add a check for it in
configure.ac.
Signed-off-by: Ivan Hu <ivanh.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add a test for the invalid PKCS7 signature attaching. This test
generates 1K of zero bytes as an invalid signature to attach.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Check detached signatures to ensure that we're attaching a valid PKCS7
object. If no, show a warning message and skip the attach action.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Currently, sbverify will segfault when it can't load an image file, as
the image is used unconditionally. This change adds a check to ensure we
continue with a valid image pointer.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Instead of executing in the current (build) directory, create a
temporary directory and change into it before running any tests. This
ensures that tests aren't relying on left-overs from previous test runs.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
`make distcheck` fails with the following error:
ERROR: files left in build directory after distclean:
./docs/sbverify.1
./docs/sbsign.1
This change adds a CLEANFILES rule for the generated manpages.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Change image_write_signed to image_write, and conditionally write the
signature if one is present.
This will allow us to write unsigned images when detaching a sig from an
image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
The optstrings for sbsign and sbverify are out of sync with the long
options, this change brings them up to date.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
We'd like to read detached signatures too, so split the
signature-buffer-reading code into a separate function.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Fix a few warnings:
idc.c: In function ‘IDC_get’:
idc.c:248:12: warning: ‘idclen’ may be used uninitialised in this function [-Wuninitialized]
image.c: In function ‘image_load’:
image.c:37:15: warning: unused variable ‘bytes_read’ [-Wunused-variable]
Plus, a bunch of strict-aliasing warnings:
image.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
[ similar warnings trimmed ]
when compiling image.c. Since struct external_PEI_DOS_hdr uses char[]
types for all members, we need to use accessors here.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
$(builddir) should be $(top_builddir), and we need a valid definition of
MKDIR_P to create the docs.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add autoconf & automake metadata, plus required files for automake to
run without complaint.
Requires an update to ccan, to get the --build-type argument to
create-ccan-tree.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Update the usage output of sbsign and sbverify so that it can be better
parsed by help2man. Also, add --version and --help.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add make logic to import lib/ccan from lib/ccan.git. We need to set some
dependencies on $(obj) to ensure the the ccan headers are available
before starting the main build.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add an option (--cert <file>) to specify a root certificate (or
certificates) to use as a trusted CA.
Verification can be disabled with --no-verify.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Extract the IDC-parsing code from IDC_check_hash, and use it to
initialise a BIO. This BIO can then be used to perform the PKCS7
verification.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add a check to match the calculated image's hash against the one found
in the PKCS7 IndirectDataContext
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>