Re: [RFC PATCH 1/2] efi_loader: fix dual signed image certification

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

Hi Ilias,

Thank you for reviewing the logic.

On Fri, Feb 04, 2022 at 09:32:01AM +0200, Ilias Apalodimas wrote:
> The EFI spec allows for images to carry multiple signatures. Currently
> we don't adhere to the verification process for such images.

In this patch, you're trying to do three things:
* remove efi_image_unsigned_authenticate()
* pull efi_signature_lookup_digest() out of a while loop
* change the logic of authentication

I'd prefer to see those changes in separate patches for better reviewing.

> The spec says:
> "Multiple signatures are allowed to exist in the binary's certificate
> table (as per PE/COFF Section "Attribute Certificate Table"). Only one
> hash or signature is required to be present in db in order to pass
> validation, so long as neither the SHA-256 hash of the binary nor any
> present signature is reflected in dbx."

I have some concern about what the last phrase, "neither the SHA-256 hash
of the binary nor any present signature is reflected in dbx" means.
See the comment below.

> With our current implementation signing the image with two certificates
> and inserting both of them in db and one of them dbx doesn't always reject
> the image.  The rejection depends on the order that the image was signed
> and the order the certificates are read (and checked) in db.
> 
> While at it move the sha256 hash verification outside the signature
> checking loop, since it only needs to run once per image and get simplify
> the logic for authenticating an unsigned imahe using sha256 hashes.
> 
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>  lib/efi_loader/efi_image_loader.c | 88 +++++++------------------------
>  1 file changed, 18 insertions(+), 70 deletions(-)
> 
> diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> index f41cfa4fccd5..5df35939f702 100644
> --- a/lib/efi_loader/efi_image_loader.c
> +++ b/lib/efi_loader/efi_image_loader.c
> @@ -516,53 +516,6 @@ err:
>  }
>  
>  #ifdef CONFIG_EFI_SECURE_BOOT
> -/**
> - * efi_image_unsigned_authenticate() - authenticate unsigned image with
> - * SHA256 hash
> - * @regs:	List of regions to be verified
> - *
> - * If an image is not signed, it doesn't have a signature. In this case,
> - * its message digest is calculated and it will be compared with one of
> - * hash values stored in signature databases.
> - *
> - * Return:	true if authenticated, false if not
> - */
> -static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs)
> -{
> -	struct efi_signature_store *db = NULL, *dbx = NULL;
> -	bool ret = false;
> -
> -	dbx = efi_sigstore_parse_sigdb(u"dbx");
> -	if (!dbx) {
> -		EFI_PRINT("Getting signature database(dbx) failed\n");
> -		goto out;
> -	}
> -
> -	db = efi_sigstore_parse_sigdb(u"db");
> -	if (!db) {
> -		EFI_PRINT("Getting signature database(db) failed\n");
> -		goto out;
> -	}
> -
> -	/* try black-list first */
> -	if (efi_signature_lookup_digest(regs, dbx, true)) {
> -		EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n");
> -		goto out;
> -	}
> -
> -	/* try white-list */
> -	if (efi_signature_lookup_digest(regs, db, false))
> -		ret = true;
> -	else
> -		EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n");
> -
> -out:
> -	efi_sigstore_free(db);
> -	efi_sigstore_free(dbx);
> -
> -	return ret;
> -}
> -
>  /**
>   * efi_image_authenticate() - verify a signature of signed image
>   * @efi:	Pointer to image
> @@ -608,14 +561,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	if (!efi_image_parse(new_efi, efi_size, &regs, &wincerts,
>  			     &wincerts_len)) {
>  		EFI_PRINT("Parsing PE executable image failed\n");
> -		goto err;
> -	}
> -
> -	if (!wincerts) {
> -		/* The image is not signed */
> -		ret = efi_image_unsigned_authenticate(regs);
> -
> -		goto err;
> +		goto out;
>  	}
>  
>  	/*
> @@ -624,18 +570,18 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	db = efi_sigstore_parse_sigdb(u"db");
>  	if (!db) {
>  		EFI_PRINT("Getting signature database(db) failed\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	dbx = efi_sigstore_parse_sigdb(u"dbx");
>  	if (!dbx) {
>  		EFI_PRINT("Getting signature database(dbx) failed\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	if (efi_signature_lookup_digest(regs, dbx, true)) {
>  		EFI_PRINT("Image's digest was found in \"dbx\"\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	/*
> @@ -678,7 +624,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  			if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
>  				EFI_PRINT("Certificate type not supported: %pUs\n",
>  					  auth);
> -				continue;
> +				ret = false;
> +				goto out;

Why should we break the loop here?

>  			}
>  
>  			auth += sizeof(efi_guid_t);
> @@ -686,7 +633,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  		} else if (wincert->wCertificateType
>  				!= WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
>  			EFI_PRINT("Certificate type not supported\n");
> -			continue;
> +			ret = false;
> +			goto out;
>  		}
>  
>  		msg = pkcs7_parse_message(auth, auth_size);
> @@ -717,32 +665,32 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  		 */
>  		/* try black-list first */
>  		if (efi_signature_verify_one(regs, msg, dbx)) {
> +			ret = false;
>  			EFI_PRINT("Signature was rejected by \"dbx\"\n");
> -			continue;
> +			goto out;

If we go to "out" here, we have no chance to verify some cases:
1) An image has two signatures, for instance, one signed by SHA1 cert
   and the other signed by SHA256 cert. A user wants to reject SHA1 cert
   and put the cert in dbx.
   But this image can and should yet be verified by SHA256 cert.
2) A user knows that a given image is safe for some reason even though
   he or she doesn't trust the certficate which is used for signing
   the image.

-Takahiro Akashi

>  		}
>  
>  		if (!efi_signature_check_signers(msg, dbx)) {
> +			ret = false;
>  			EFI_PRINT("Signer(s) in \"dbx\"\n");
> -			continue;
> +			goto out;
>  		}
>  
>  		/* try white-list */
>  		if (efi_signature_verify(regs, msg, db, dbx)) {
>  			ret = true;
> -			break;
> +			continue;
>  		}
>  
>  		EFI_PRINT("Signature was not verified by \"db\"\n");
> +	}
>  
> -		if (efi_signature_lookup_digest(regs, db, false)) {
> -			ret = true;
> -			break;
> -		}
>  
> -		EFI_PRINT("Image's digest was not found in \"db\" or \"dbx\"\n");
> -	}
> +	/* last resort try the image sha256 hash in db */
> +	if (!ret && efi_signature_lookup_digest(regs, db, false))
> +		ret = true;
>  
> -err:
> +out:
>  	efi_sigstore_free(db);
>  	efi_sigstore_free(dbx);
>  	pkcs7_free_message(msg);
> -- 
> 2.32.0
>