Commit graph

148 commits

Author SHA1 Message Date
Mathieu Trudel-Lapierre
f37c1858fc sbverify: Clear out content for the signature we're building
OpenSSL 1.0.2e now actively checks for both data and contents being present
for a certificate. Clear out contents so that we have only data, and run a
chance of actually verifying the signature.

Bug-Ubuntu: https://launchpad.net/bugs/1526959
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 12:18:28 -08:00
Linn Crosetto
1c9dfe7364 Handle odd buffer lengths in checksum
Buffers of odd length can be passed to the checksum, for example signatures.
csum_bytes uses a uint16_t so change the function to prevent overflowing the
buffer, while taking the extra byte into account if the length is odd.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:53:53 -08:00
Steve Langasek
2c2f71313e Support openssl 1.0.2b and above
Newer versions of openssl return a different error with alternate
certificate chains; update for compatibility.

Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:53:18 -08:00
Ard Biesheuvel
ca6ad33055 sbsigntool: add support for ARM and Aarch64 PE/COFF images
Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)
rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to
an older calling convention that is incompatible with Tianocore UEFI.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:50:19 -08:00
Ard Biesheuvel
84d8361642 sbsigntool: fix handling of zero sized sections
The loop that iterates over the PE/COFF sections correctly skips zero
sized sections, but still increments the loop index 'i'. This results in
subsequent iterations poking into unallocated memory.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:49:30 -08:00
Ard Biesheuvel
38ebdc8a66 sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:48:09 -08:00
James Bottomley
a03f9d4d7c sbverify: add extra expiry errors to ignore
Original patch from: Steve Langasek <steve.langasek@canonical.com>

The ubuntu version of the signature expiry patch ignores several more errors,
so add them.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:42:53 -08:00
Steve Langasek
be1f3d8350 Update the PE checksum field using the somewhat-underdocumented
algorithm, so that we match the Microsoft implementation in our
signature generation.

[jejb: add endian to autogen.sh and fix for multi-sign]
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-01-27 11:38:00 -08:00
James Bottomley
706bec1a95 OBS add correcting definition of EFI_ARCH
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-06 12:45:03 -08:00
James Bottomley
ed53774c2f Version 0.7
Change responsible person to James Bottomley

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:44:54 -08:00
James Bottomley
f6115a8045 sbsign, sbattach, sbverify: add multiple signature support
sbsign will sign an already signed binary (adding a signature at the end);
sbverify has a new mode, --list, for listing all the signatures; and sbattach
takes a --signum argument for --remove or --detach.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
6b493361c2 sbverify: fix verification
No leaf is OK, as is an expired cert.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
35e2e074e3 Clear ssl errors after loading everything
This prevents a FIPS failure message if no FIPS module is loaded.

Plus add -v as short form for --verbose in sbverify

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
592ec2188f Fix for multi-sign
The new Tianocore multi-sign code fails now for images signed with
sbsigntools.  The reason is that we don't actually align the signature table,
we just slap it straight after the binary data.  Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason.  Fix by adding junk to the end of the image to
align the signature section.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
James Bottomley
b963c5cb38 image.c: clear image variable
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 16:42:37 -08:00
Jeremy Kerr
951ee95a30 sbkeysync: add corrected efivars magic
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-11-14 16:37:08 +08:00
Jeremy Kerr
a7577f56b3 Version 0.6
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-11 20:32:32 +08:00
Jeremy Kerr
050f003ce7 sbverify: explicitly trust all certificates given in --cert arguments
In line with the verification process in firmware, update our verify
callback to explicitly trust all certificates that we load to our cert
store.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-11 20:31:04 +08:00
Jeremy Kerr
c98692a71f sbverify: Add --verbose option
Add an option to print the certificate & signature info while verifying
a signed image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-10 15:56:58 +08:00
Jeremy Kerr
cd51a26911 Version 0.5
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-10 09:00:55 +08:00
Jeremy Kerr
ab63e31bb8 sbkeysync: change default efivarfs mountpoint to /sys/.../efivars/
Proposed changes to the kernel will establish /sys/firmware/efi/efivars
as the canonical mountpoint for the efivars filesystem.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-08 12:07:43 +08:00
Jeremy Kerr
6bfa9f3349 Version 0.4
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 17:12:02 +08:00
Jeremy Kerr
de78e0cde9 image: improve handling of unaligned section tables
Rather than overrunning the heap, explicitly allocate the pad area for
cases where we've aligned-up the section table sizes.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 11:44:39 +08:00
Jeremy Kerr
142ba5c1b3 image: use data_size in cert table header
Since we write the certificate table starting at data_size (not size),
use this value when generating the cert table header.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-10-02 11:22:37 +08:00
Jeremy Kerr
63cfc10ce0 image: improve section table parsing
Only add the endjunk region when we need to add data, and warn when
we've got too much.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-28 15:45:42 +08:00
Jeremy Kerr
274d4df0ff image: Allow variable sized data directories
The PE/COFF spec allows variable-sized data directories, which reduce
the size of the optional header. While GNU ld always produces
maximum-sized headers, the kernel's EFI_STUB code generates a smaller
header size, which causes the image parsing code to abort.

This change allows variable-sized optional headers, but checks for at
least enough of an optional header to contain a CERT_TABLE data
directory entry.

We also rename struct image's aouthdr to opthdr, as it contains more
than just the a.out fields.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-28 09:56:48 +08:00
Jeremy Kerr
cf747fcca3 sbvarsign: fix incorrect pointer in add_auth_descriptor
Brown paper bag time: we want to hash the variable data, not the stack.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-05 11:19:05 +08:00
Jeremy Kerr
c933b5e8fd sbvarsign: auth descriptor hash does not cover the \0 in the varname
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-09-05 11:16:42 +08:00
Jeremy Kerr
15354eaa4e sbkeysync: fix siglist iteration
We were updating siglist before incrementing i, and so aborting the
siglist iteration earlier than necessary.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 23:03:49 +08:00
Jeremy Kerr
41c8bb9ea2 sbvarsign: Improve default GUID choice
For db and dbx, we want EFI_IMAGE_SECURITY_DATABASE.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:57:00 +08:00
Jeremy Kerr
03e6a4e2b3 sbkeysync: Add PK-handling code
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:04:14 +08:00
Jeremy Kerr
74153741c4 sbkeysync: Refactor signature database data structures
Rather than having three sets of (firmware, filesystem) key databases,
refactor into two sets of (kek, db, dbx) databases. This allows us to
add the PK later.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:04:13 +08:00
Jeremy Kerr
b4773c902a sbkeysync: fix invalid free in keystore_read_entry
We want to free path, not ke. We can also unify the error path.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:56 +08:00
Jeremy Kerr
41c741fe13 sbkeysync: Improve error handling in read_firmware_key_database
We should free filename, and buf on error.

Also, check for the length of the file's data; we may be passed empty
files, and end up with a negative len.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:54 +08:00
Jeremy Kerr
16c09d22a6 sbkeysync: insert new keys
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
ae1523673e sbkeysync: print keystore before key databases
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
37d838a43d sbkeysync: Find keys missing from firmware key databases
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
60586e122f sbkeysync: Rename struct keystore_entry->list to keystore_list
We want to collect keystore entries on a separate list, so rename the
'list' member to something more specific.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
ae3344f5eb sbkeysync: Generate and print key descriptions
.. rather than printing the raw IDs.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
7dc407e311 sbkeysync: add comment to sigdb_iterate
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
bd9de8eadd sbkeysync: Change key_id to key_parse
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
22450d8c40 sbkeysync: Print filesystem key databases
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
54e1fbed30 sbkeysync: read keystore into kdb->filesystem_keys
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:32 +08:00
Jeremy Kerr
5527ef2db4 sbkeysync: Unify key_database
Use key_database as a generic container for both firmware & filesystem
keys.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:03:29 +08:00
Jeremy Kerr
1bdfb9acb8 sbkeysync: Add key_database->filesystem_keys
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00
Jeremy Kerr
bdeb14370d sbkeysync: keystore -> fs_keystore
To make it clear that these are key files.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00
Jeremy Kerr
98911a7f4c sbkeysync: pass data buffer (instead of EFI_SIGNATURE_DATA) to key_id
We want to call key_id on file buffers too, which don't have the
EFI_SIGNATURE_DATA encapsulation.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00
Jeremy Kerr
1a431a5a2d sbkeysync: add keystore_entry->root
Helps to show where the keys are loaded from.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00
Jeremy Kerr
add8d00f31 sbkeysync: Add --keystore and --no-default-keystores options
Add a couple of options to configure the location we read keys from.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00
Jeremy Kerr
a151ffdb9d sbkeysync: Add --verbose option and conditionally print debug output
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-08-24 20:02:15 +08:00