From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
Simon Glass <sjg@chromium.org>,
Takahiro Akashi <takahiro.akashi@linaro.org>,
Francois Ozog <francois.ozog@linaro.org>,
Mark Kettenis <mark.kettenis@xs4all.nl>,
Chris Morgan <macromorgan@hotmail.com>,
Roland Gaudig <roland.gaudig@weidmueller.com>,
Huang Jianan <jnhuang95@gmail.com>,
Ashok Reddy Soma <ashok.reddy.soma@xilinx.com>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: Re: [RFC PATCH 1/3] eficonfig: add UEFI Secure Boot Key enrollment interface
Date: Fri, 8 Jul 2022 12:14:50 +0300
Message-ID: <Ysf1ilNmpZQN9+MP@hades>
In-Reply-To: <20220619052022.2694-2-masahisa.kojima@linaro.org>
On Sun, Jun 19, 2022 at 02:20:20PM +0900, Masahisa Kojima wrote:
> This commit adds the menu-driven UEFI Secure Boot Key
> enrollment interface. User can enroll the PK, KEK, db
> and dbx by selecting EFI Signature Lists file.
> After the PK is enrolled, UEFI Secure Boot is enabled and
> EFI Signature Lists file must be signed by KEK or PK.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
> cmd/Makefile | 3 +
> cmd/eficonfig.c | 3 +
> cmd/eficonfig_sbkey.c | 202 ++++++++++++++++++++++++++++++++++++++++++
> include/efi_config.h | 3 +
> 4 files changed, 211 insertions(+)
> create mode 100644 cmd/eficonfig_sbkey.c
>
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 0afa687e94..9d87b639fc 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -64,6 +64,9 @@ obj-$(CONFIG_CMD_EEPROM) += eeprom.o
> obj-$(CONFIG_EFI) += efi.o
> obj-$(CONFIG_CMD_EFIDEBUG) += efidebug.o
> obj-$(CONFIG_CMD_EFICONFIG) += eficonfig.o
> +ifdef CONFIG_CMD_EFICONFIG
> +obj-$(CONFIG_EFI_SECURE_BOOT) += eficonfig_sbkey.o
> +endif
> obj-$(CONFIG_CMD_ELF) += elf.o
> obj-$(CONFIG_CMD_EROFS) += erofs.o
> obj-$(CONFIG_HUSH_PARSER) += exit.o
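Review bot: The ifdef CONFIG_CMD_EFICONFIG / endif wrapper around the single eficonfig_sbkey.o line puts a two-symbol dependency into the Makefile. Expressing it in Kconfig instead (one option that depends on both CMD_EFICONFIG and EFI_SECURE_BOOT) would let this be a plain obj-$(...) += line like its neighbours and keep the build condition in one place.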
> diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c
> index e62f5e41a4..e6d2cba9c5 100644
> --- a/cmd/eficonfig.c
> +++ b/cmd/eficonfig.c
> @@ -1832,6 +1832,9 @@ static const struct eficonfig_item maintenance_menu_items[] = {
> {"Edit Boot Option", eficonfig_process_edit_boot_option},
> {"Change Boot Order", eficonfig_process_change_boot_order},
> {"Delete Boot Option", eficonfig_process_delete_boot_option},
> +#if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT))
> + {"Secure Boot Configuration", eficonfig_process_secure_boot_config},
> +#endif
> {"Quit", eficonfig_process_quit},
> };
>
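Review bot: The guard on the new menu entry, #if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT)), is spelled differently from the build condition in cmd/Makefile, which tests CONFIG_EFI_SECURE_BOOT directly. #if IS_ENABLED(CONFIG_EFI_SECURE_BOOT) would match the Makefile and drop the redundant outer parentheses, so the entry and the object file that provides eficonfig_process_secure_boot_config are enabled by the same expression.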
> diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
> new file mode 100644
> index 0000000000..a5c0dbe9b3
> --- /dev/null
> +++ b/cmd/eficonfig_sbkey.c
> @@ -0,0 +1,202 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Menu-driven UEFI Secure Boot key maintenance
> + *
> + * Copyright (c) 2022 Masahisa Kojima, Linaro Limited
> + */
> +
> +#include <ansi.h>
> +#include <common.h>
> +#include <charset.h>
> +#include <hexdump.h>
> +#include <log.h>
> +#include <malloc.h>
> +#include <menu.h>
> +#include <efi_loader.h>
> +#include <efi_config.h>
> +#include <efi_variable.h>
> +#include <crypto/pkcs7_parser.h>
> +
> +static bool is_secureboot_enabled(void)
> +{
> + efi_status_t ret;
> + u8 secure_boot;
> + efi_uintn_t size;
> +
> + size = sizeof(secure_boot);
> + ret = efi_get_variable_int(u"SecureBoot", &efi_global_variable_guid,
> + NULL, &size, &secure_boot, NULL);
> +
> + return secure_boot == 1;
> +}
> +
> +static efi_status_t eficonfig_process_enroll_key(void *data)
> +{
> + u32 attr;
> + char *buf = NULL;
> + efi_uintn_t size;
> + efi_status_t ret;
> + struct efi_file_handle *f;
> + struct efi_file_handle *root;
> + struct eficonfig_select_file_info file_info;
> +
> + file_info.current_path = calloc(1, EFICONFIG_FILE_PATH_BUF_SIZE);
> + if (!file_info.current_path)
> + goto out;
> +
> + ret = eficonfig_select_file_handler(&file_info);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + ret = efi_open_volume_int(file_info.current_volume, &root);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + ret = efi_file_open_int(root, &f, file_info.current_path, EFI_FILE_MODE_READ, 0);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + size = 0;
> + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, NULL));
> + if (ret != EFI_BUFFER_TOO_SMALL)
> + goto out;
> +
> + buf = calloc(1, size);
> + if (!buf) {
> + ret = EFI_OUT_OF_RESOURCES;
> + goto out;
> + }
> + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, buf));
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + size = ((struct efi_file_info *)buf)->file_size;
> + free(buf);
You should set buf to NULL here.
> +
> + buf = calloc(1, size);
> + if (!buf)
> + goto out;
> +
> + ret = efi_file_read_int(f, &size, buf);
> + if (ret != EFI_SUCCESS || size == 0)
> + goto out;
> +
> + attr = EFI_VARIABLE_NON_VOLATILE |
> + EFI_VARIABLE_BOOTSERVICE_ACCESS |
> + EFI_VARIABLE_RUNTIME_ACCESS |
> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> + /* PK can enroll only one certificate */
> + if (u16_strcmp(data, u"PK")) {
> + efi_uintn_t db_size = 0;
> +
> + /* check the variable exists. If exists, add APPEND_WRITE attribute */
> + ret = efi_get_variable_int(data, efi_auth_var_get_guid(data), NULL,
> + &db_size, NULL, NULL);
> + if (ret == EFI_BUFFER_TOO_SMALL)
> + attr |= EFI_VARIABLE_APPEND_WRITE;
> + }
> +
Why are we appending? Shouldn't we always overwrite the platform key?
> + ret = efi_set_variable_int((u16 *)data, efi_auth_var_get_guid((u16 *)data),
> + attr, size, buf, false);
> + if (ret != EFI_SUCCESS) {
> + eficonfig_print_msg("ERROR! Fail to update signature database");
> + goto out;
> + }
> +
> +out:
> + free(file_info.current_path);
> + free(buf);
> +
>
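Review bot: In is_secureboot_enabled(), ret from efi_get_variable_int() is assigned but never checked, so when the SecureBoot variable cannot be read the function compares an uninitialized secure_boot against 1. Return "ret == EFI_SUCCESS && secure_boot == 1", or initialize secure_boot to 0. eficonfig_process_enroll_key() has the same kind of gap in its status handling: the first goto out (current_path allocation failure) is taken before ret has ever been assigned, and both the second "if (!buf) goto out;" and the size == 0 case leave ret at EFI_SUCCESS from the preceding call, unlike the first buffer allocation, which sets EFI_OUT_OF_RESOURCES. A failed or empty read should not reach out: looking like a successful enrollment. Minor: u16_strcmp(data, u"PK") passes the void *data uncast while the efi_set_variable_int() call casts it to (u16 *); use one form throughout.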
[...]
Thanks
/Ilias