From: Daniel Axtens <dja@axtens.net>
To: Michael Chang via Grub-devel <grub-devel@gnu.org>,
The development of GNU GRUB <grub-devel@gnu.org>
Cc: "Michael Chang" <mchang@suse.com>,
"Michal Suchánek" <msuchanek@suse.de>,
rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com,
sudhakar@linux.ibm.com,
"Javier Martinez Canillas" <javierm@redhat.com>
Subject: Re: [PATCH v3 15/19] appended signatures: parse PKCS#7 signedData and X.509 certificates
Date: Tue, 17 May 2022 23:19:44 +1000 [thread overview]
Message-ID: <87h75o8ff3.fsf@dja-thinkpad.axtens.net> (raw)
In-Reply-To: <20220422032148.GA4794@mazu>
Hi Michael,
apologies for the delay, I've left IBM and am taking a while to get back
on my feet.
> On Thu, Apr 21, 2022 at 09:32:41PM +1000, Daniel Axtens wrote:
>> Hi,
>>
>> >> This code allows us to parse:
>> >>
>> >> - PKCS#7 signedData messages. Only a single signerInfo is supported,
>> >> which is all that the Linux sign-file utility supports creating
>> >> out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
>> >> Any certificate embedded in the PKCS#7 message will be ignored.
>> >>
>> >> - X.509 certificates: at least enough to verify the signatures on the
>> >> PKCS#7 messages. We expect that the certificates embedded in grub will
>> >> be leaf certificates, not CA certificates. The parser enforces this.
>> >
>> > Doesn't grub support CA certificates for EFI?
>> >
>> For EFI, the verification isn't done by grub, it's done by either the
>> shim or by firmware. They do - per the spec - support certificate
>> chaining. So you could validly put a CA cert into db or MokList and have
>> a signature on an Authenticode signature chain back to that.
>>
>> > Why limit to leaf certificates here?
>>
>> Conventionally, appended signatures don't include embedded certificates
>> whereas Authenticode signatures do. There's nothing stopping you putting
>> one into the PKCS#7 message for an appended signature - it's just not
>> the way they are used on kernel modules or kernel binaries. So if
>> there's not an embedded certificate that can chain back to a CA
>> certificate, grub has to have access to the leaf certificate.
>>
>> > If this is technical limitation of the code in question could you fail
>> > the build when CA certificate is used rather than crashing the
>> > bootloader when it boots?
>>
>> I guess. I think IBM has been reasonably open in saying that static key
>> secure boot is not the end of the road for Power, so we expect that
>> ultimately keys could be loaded from somewhere other than the binary
>> like firmware storage. So even if we added this check in grub-mkimage,
>> we'd still need to keep it at runtime as well.
>>
>> >> - X.509 certificates support the Extended Key Usage extension and handle
>> >> it by verifying that the certificate has a single purpose, that is code
>> > ^^^^^^^^^^^^^^
>> > This should be updated I suppose.
>>
>> So this is - surprisingly - still accurate! We still only support 1
>> _Extended_ Key Usage. The change that we made as a result of SUSE's bug
>
> It is unclear to me OpenFirmware enforces such restriction as well ? My
> understanding is that the (single purpose) restriction is lifed in
> firmware becuase it happily accepts our cert and boots SUSE signed grub
> in secure boot without complaining Key Usage. If so I wonder why it is
> necessary for having the stricter check in grub ?
I suppose it depends on the particular OpenFirmware implementation. You
would have to ask IBM via official channels what restrictions the
proprietary firmware imposes. The SLOF prototype probably imposes no
restrictions because it was thrown together very very quickly as a proof
of concept and development tool.
I do still want to tease out (or repeat ad nauseum) the difference
between Key Usage and Extended Key Usage. The original code permitted a
Key Usage of only Digitial Signature and no critical Extended Key
Usages. Subsequent versions, such as this one, support multiple Key
Usages, so long as the Digital Signature Usage is present, and either
zero or one Extended Key Usage sections, which permit only the Code
Signing EKU.
AIUI/IIRC, SUSE OBS keys have Digital Signature and another Key Usage
set - which was where we ran into issues with your keys.
>> report was to support additional regular, non-extended key
>> usages. Here's the change broken out:
>
> Would this change be used next version ?
>
The next proprietary firmware version, or the next revision of this
series? I don't have any insights into the future firmware
development. For grub, that change is part of this v3 series already.
Kind regards,
Daniel
> Thanks,
> Michael
>
>>
>> commit 6056d5fc59907c486309c401135757f00ebf7760
>> Author: Daniel Axtens <dja@axtens.net>
>> Date: Tue Nov 30 15:00:57 2021 +1100
>>
>> x509: allow Digitial Signature plus other Key Usages
>>
>> Currently the x509 certificate parser for appended signature
>> verification requires that the certificate have the Digitial Signature
>> key usage and _only_ the Digitial Signature use. This is overly strict
>> and becomes policy enforcement rather than a security property.
>>
>> Require that the Digitial Signature usage is present, but do not
>> require that it is the only usage present.
>>
>> Reported-by: Michal Suchanek <msuchanek@suse.com>
>> Signed-off-by: Daniel Axtens <dja@axtens.net>
>>
>> diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c
>> index 70480aa73c9d..6ae985b30ff8 100644
>> --- a/grub-core/commands/appendedsig/x509.c
>> +++ b/grub-core/commands/appendedsig/x509.c
>> @@ -547,7 +547,7 @@ cleanup:
>>
>> /*
>> * Verify the Key Usage extension.
>> - * We only permit the Digital signature usage.
>> + * We require the Digital signature usage.
>> */
>> static grub_err_t
>> verify_key_usage (grub_uint8_t *value, int value_size)
>> @@ -586,10 +586,10 @@ verify_key_usage (grub_uint8_t *value, int value_size)
>> goto cleanup;
>> }
>>
>> - if (usage != digitalSignatureUsage)
>> + if (!(usage & digitalSignatureUsage))
>> {
>> err =
>> - grub_error (GRUB_ERR_BAD_FILE_TYPE, "Unexpected Key Usage value: %x",
>> + grub_error (GRUB_ERR_BAD_FILE_TYPE, "Key Usage (0x%x) missing Digital Signature usage",
>> usage);
>> goto cleanup;
>> }
>>
>> Kind regards,
>> Daniel
>>
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2022-05-17 13:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-21 7:46 [PATCH v3 00/19] Appended signature secure boot support Daniel Axtens
2022-04-21 7:46 ` [PATCH v3 01/19] Add suport for signing grub with an appended signature Daniel Axtens
2022-04-21 7:46 ` [PATCH v3 02/19] docs/grub: Document signing grub under UEFI Daniel Axtens
2022-04-21 7:46 ` [PATCH v3 03/19] docs/grub: Document signing grub with an appended signature Daniel Axtens
2022-04-21 7:46 ` [PATCH v3 04/19] dl: provide a fake grub_dl_set_persistent for the emu target Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 05/19] pgp: factor out rsa_pad Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 06/19] crypto: move storage for grub_crypto_pk_* to crypto.c Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 07/19] posix_wrap: tweaks in preparation for libtasn1 Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 08/19] libtasn1: import libtasn1-4.18.0 Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 09/19] libtasn1: disable code not needed in grub Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 10/19] libtasn1: changes for grub compatibility Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 11/19] libtasn1: compile into asn1 module Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 12/19] test_asn1: test module for libtasn1 Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 13/19] grub-install: support embedding x509 certificates Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 14/19] appended signatures: import GNUTLS's ASN.1 description files Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 15/19] appended signatures: parse PKCS#7 signedData and X.509 certificates Daniel Axtens
2022-04-21 7:57 ` Michal Suchánek
2022-04-21 11:32 ` Daniel Axtens
2022-04-22 3:21 ` Michael Chang
2022-05-17 13:19 ` Daniel Axtens [this message]
2022-04-21 7:47 ` [PATCH v3 16/19] appended signatures: support verifying appended signatures Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 17/19] appended signatures: verification tests Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 18/19] appended signatures: documentation Daniel Axtens
2022-04-21 7:47 ` [PATCH v3 19/19] ieee1275: enter lockdown based on /ibm,secure-boot Daniel Axtens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h75o8ff3.fsf@dja-thinkpad.axtens.net \
--to=dja@axtens.net \
--cc=alastair@d-silva.org \
--cc=grub-devel@gnu.org \
--cc=javierm@redhat.com \
--cc=mchang@suse.com \
--cc=msuchanek@suse.de \
--cc=nayna@linux.ibm.com \
--cc=rashmica.g@gmail.com \
--cc=sudhakar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.