Commit graph

169 commits

Author SHA1 Message Date
James Bottomley
ea4e6db5d9 README: update git location and add mailing list information
Now that a Mailing list is set up, update the README to point to it
and mention the new maintained git location for this fork.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2020-01-09 09:29:39 -08:00
Laszlo Ersek
2ed8eebcc5 sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" assignment
According to UEFI-2.8, section 8.3 "Time Services" / GetTime(), the
"EFI_TIME.Year" field must be in the range [1900, 9999] (both bounds
inclusive). It is not stated or even implied that "EFI_TIME.Year" would
not be an absolute year number.

According to POSIX, the "tm_year" field of "struct tm" is defined as
"Years since 1900". In other words, "tm_year" is relative to 1900.

In set_timestamp(), time() and gmtime() are suitable for populating
"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp", as the UEFI spec specifically
requires a stamp expressed in the GMT (UTC) zone. But we still need to
offset "tm->tm_year" by 1900 for filling in "timestamp->Year". So let's do
that now.

While this issue does not seem to affect upstream edk2, SetVariable()
calls with payloads containing an invalid
"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" value do seem to be
rejected at least on some Dell Inspiron machines (using a UEFI
implementation from AMI).

Reported-by: Eugene Khoruzhenko <ekhoruzhenko@absolute.com>
Reported-by: Paulo Henrique Lacerda de Amorim <phlamorim@riseup.net>
Ref: https://edk2.groups.io/g/devel/message/49402
Fixes: 953b00481f
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2020-01-09 09:21:25 -08:00
Steve McIntyre
0dc3d4b521 Fix PE/COFF checksum calculation
Only count the cert_table header once when performing the calculation
and counting buffer sizes.

The problem entered because of a mismerge of multiple signature
support and "be1f3d8 Update the PE checksum field using the
somewhat-underdocumented algorithm, so that we match the Microsoft
implementation in our signature generation.".  Originally
image->cert_table held the full certificate table including the
Microsoft _WINH_CERTIFICATE header and image->sigbuf pointed to the
pkcs11 signature inside, so the two had to be checksummed separately.
After multiple signature support, image->sigbuf points to the full
certificate table because we now need the headers to decide where one
signature ends and the next begins, so the correct checksum only needs
to sum over the entire image->sigbuf.

Signed-off-by: Steve McIntyre <93sam@debian.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-07-27 15:20:49 -07:00
James Bottomley
216dbd3331 Version 0.9.2
Fix fedora build
Fix variable signing for current tianocore
Fix image processing not to invalidate existing signatures

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-09 16:09:37 -08:00
James Bottomley
98d3ce77b4 src/image.c: remove alignment of regions
The old code forced region size to be aligned to the PECOFF file
alignment parameter, which is correct according to the spec.  However,
the major UEFI platforms do not align up when checking the signature,
so if the PECOFF binary being signed already contains a signature,
realigning the sections will make the existing signature invalid.  Fix
this by relaxing the rule about aligning up (also eliminates
complaints about some pecoff sections being misaligned).

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-09 16:04:01 -08:00
James Bottomley
73a13fb7e3 sbvarsign: use SignedData instead of PKCS7 for authenticated updates
The EFI standard is ambiguous about which one to use for variable
updates (it is definite about using PKCS7 for signed binaries).  Until
recently, the reference platform, tianocore, accepted both.  However
after patch

commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <lubo.zhang@intel.com>
Date:   Thu Jan 5 14:58:05 2017 +0800

    SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.

The acceptance of PKCS7 got broken.  This breakage seems to be
propagating to the UEFI ecosystem, so update the variable signing
tools to emit the SignedData type (which all previous EFI
implementations accepted).

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-09 15:52:34 -08:00
Guy Lunardi
704d2c2506 Fix Fedora Build
Of course, Fedora puts gnu-efi in yet another different, non-standard place

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2018-02-20 15:36:19 -05:00
James Bottomley
a631793f2d Version 0.9.1
Add support for engine based keys

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-28 14:23:16 +01:00
James Bottomley
efc424c8ee sbsign, sbvarsign: support engine based private keys
Add the ability to specify an engine to read the keyfile.  For safety,
we don't do the full dynamic engine support, but only use engines
configured for use by the platform.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-28 14:21:24 +01:00
James Bottomley
62c9352519 Version 0.9
This version builds correctly on openssl 1.1 and also includes
functional autotests for every architecture.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 11:18:29 -07:00
James Bottomley
8e184454fd Fix Debian 8 and Leap_42.1 builds
Older versions of openssl 1.0.0 don't have X509_STORE_CTX_get0_store
so define that as well.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 11:09:41 -07:00
James Bottomley
f065bb5705 tests: Fix up to work on arbitrary architectures
The current test infrastructure is tied to x86/amd64.  This means the
tests always fail on a non-x86 architecture (like aarch64).  Fix this
by generating the efi binary directly from C code and removing the
architectural restrictions in the Makefile.am.  One of the
consequences of this is that we no longer test ia32 on x86_64, but the
difficulty of detecting which architectures can support 32 bit
variants and generating them correctly from EFI c code is too great.

We also need to exclude tests involving objdump from aarch64 since its
bfd still doesn't have an efi_app_aarch64 target.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:58 -07:00
James Bottomley
cbbafe244b tests/detach-remove.sh: fix for i386 pecoff size problems
pecoff for i386 can be too short, so it gets padded for an accurate
signature.  Make sure the size comparison takes this into account to
avoid spurious failures.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:58 -07:00
James Bottomley
bc6ff99d36 tests: fix up the generation of the test pecoff binary for gcc-7.2
newer versions of gcc have contained an efi target for a while so use
it instead of hacking a linker script.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:58 -07:00
James Bottomley
5b79ed2179 tests: fix signature resign/reattach test problems
The original tests to warn about overwriting signatures have never
worked after the multiple signature code was added (because we add a
new signature instead of overwriting the old one) update the tests to
check instead for the signature addition.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:58 -07:00
Ben Hutchings
79d0c44afb Update OpenSSL API usage to support OpenSSL 1.1
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.

The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves.  Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
2017-10-19 10:45:58 -07:00
James Bottomley
73a261f238 make check: fix test environment problem
autotest is very finicky.  The environment can't be set up in
SH_LOG_COMPILER, but have to be done in AM_TESTS_ENVIRONMENT instead,
so fix this.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:57 -07:00
James Bottomley
e9626fefa1 Add OPENSSL_config(NULL) to each binary to load openssl.cnf
In the current framework for using engine based keys, the engine has
to be loaded and initialised as part of the default engines.  The only
way this can happen for the TPM engine is if it is named in a config
secion, so all the tools must read and act on the config file to be
able to use TPM based keys.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 10:45:41 -07:00
James Bottomley
df8303a4e3 Version: 0.8
This version works correctly on arm 32 and 64.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-14 12:04:45 -08:00
James Bottomley
5f7f8f3ded sbkeysync: don't include efi.h
It causes the ARM build to crash (because of directives) and it's
unnecessary in this file.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-12 15:54:31 -08:00
James Bottomley
3b4e9bb901 configure: build on arm
arm has a variety of uname -m forms, all beginning with arm, so use
this to determine the EFI architecture

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-12 15:46:44 -08:00
Mathieu Trudel-Lapierre
f37c1858fc sbverify: Clear out content for the signature we're building
OpenSSL 1.0.2e now actively checks for both data and contents being present
for a certificate. Clear out contents so that we have only data, and run a
chance of actually verifying the signature.

Bug-Ubuntu: https://launchpad.net/bugs/1526959
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 12:18:28 -08:00
Linn Crosetto
1c9dfe7364 Handle odd buffer lengths in checksum
Buffers of odd length can be passed to the checksum, for example signatures.
csum_bytes uses a uint16_t so change the function to prevent overflowing the
buffer, while taking the extra byte into account if the length is odd.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:53:53 -08:00
Steve Langasek
2c2f71313e Support openssl 1.0.2b and above
Newer versions of openssl return a different error with alternate
certificate chains; update for compatibility.

Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:53:18 -08:00
Ard Biesheuvel
ca6ad33055 sbsigntool: add support for ARM and Aarch64 PE/COFF images
Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)
rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to
an older calling convention that is incompatible with Tianocore UEFI.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:50:19 -08:00
Ard Biesheuvel
84d8361642 sbsigntool: fix handling of zero sized sections
The loop that iterates over the PE/COFF sections correctly skips zero
sized sections, but still increments the loop index 'i'. This results in
subsequent iterations poking into unallocated memory.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:49:30 -08:00
Ard Biesheuvel
38ebdc8a66 sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:48:09 -08:00
James Bottomley
a03f9d4d7c sbverify: add extra expiry errors to ignore
Original patch from: Steve Langasek <steve.langasek@canonical.com>

The ubuntu version of the signature expiry patch ignores serveral more errors,
so add them.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:42:53 -08:00
Steve Langasek
be1f3d8350 Update the PE checksum field using the somewhat-underdocumented
algorithm, so that we match the Microsoft implementation in our
signature generation.

[jejb: add endian to autogen.sh and fix for multi-sign]
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:38:00 -08:00
James Bottomley
706bec1a95 OBS add correcting definition of EFI_ARCH
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-06 12:45:03 -08:00
James Bottomley
ed53774c2f Version 0.7
Change responsible person to James Bottomley

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:44:54 -08:00
James Bottomley
f6115a8045 sbsign, sbattach, sbverify: add multiple signature support
sbsign will sign an already signed binary (adding a signature at the end)
sbverify has a new mode --list, for listing all the signatures and sbattach
takes a --signum argument for --remove or --detach.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
6b493361c2 sbverify: fix verification
no leaf is OK as is expired cert.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
35e2e074e3 Clear ssl errors after loading everyting
This prevents a FIPS failure message if no FIPS module is loaded.

Plus add -v as short form for --verbose in sbverify

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
592ec2188f Fix for multi-sign
The new Tianocore multi-sign code fails now for images signed with
sbsigntools.  The reason is that we don't actually align the signature table,
we just slap it straight after the binary data.  Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason.  Fix by adding junk to the end of the image to
align the signature section.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
b963c5cb38 image.c: clear image variable
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
Jeremy Kerr
951ee95a30 sbkeysync: add corrected efivars magic
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-11-14 16:37:08 +08:00
Jeremy Kerr
a7577f56b3 Version 0.6
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-11 20:32:32 +08:00
Jeremy Kerr
050f003ce7 sbverify: explicitly trust all certificates given in --cert arguments
In line with the verification process in firmware, update our verify
callback to explicitly trust all certificates that we load to our cert
store.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-11 20:31:04 +08:00
Jeremy Kerr
c98692a71f sbverify: Add --verbose option
Add an option to print the certificate & signature info while verifying
a signed image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-10 15:56:58 +08:00
Jeremy Kerr
cd51a26911 Version 0.5
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-10 09:00:55 +08:00
Jeremy Kerr
ab63e31bb8 sbkeysync: change default efivarfs mountpoint to /sys/.../efivars/
Proposed changes to the kernel will establish /sys/firmware/efi/efivars
as the canonical mountpoint for the efivars filesystem.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-08 12:07:43 +08:00
Jeremy Kerr
6bfa9f3349 Version 0.4
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 17:12:02 +08:00
Jeremy Kerr
de78e0cde9 image: improve handling of unaligned section tables
Rather than overrunning the heap, explicitly allocate the pad area for
cases where we've aligned-up the section table sizes.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 11:44:39 +08:00
Jeremy Kerr
142ba5c1b3 image: use data_size in cert table header
Since we write the certificate table starting at data_size (not size),
use this value when generating the cert table header.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 11:22:37 +08:00
Jeremy Kerr
63cfc10ce0 image: improve section table parsing
Only add the endjunk region when we need to add data, and warn when
we've got too much.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-28 15:45:42 +08:00
Jeremy Kerr
274d4df0ff image: Allow variable sized data directories
The PE/COFF spec allows variable-sized data directories, which reduce
the size of the optional header. While GNU ld always produces
maximum-sized headers, the kernel's EFI_STUB code generates a smaller
header size, which causes the image parsing code to abort.

This change allows variable-sized optional headers, but checks for at
least enough of an optional header to contain a CERT_TABLE data
directory entry.

We also rename struct image's aouthdr to opthdr, as it contains more
than just the a.out fields.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-28 09:56:48 +08:00
Jeremy Kerr
cf747fcca3 sbvarsign: fix incorrect pointer in add_auth_descriptor
Brown paper bag time: we want to hash the variable data, not the stack.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-05 11:19:05 +08:00
Jeremy Kerr
c933b5e8fd sbvarsign: auth descriptor hash does not cover the \0 in the varname
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-05 11:16:42 +08:00
Jeremy Kerr
15354eaa4e sbkeysync: fix siglist iteration
We were updating siglist before incrementing i, and so aborting the
siglist iteration earlier than necessary.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 23:03:49 +08:00