[U-Boot] [PATCH v2 00/16] efi_loader: add secure boot support

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

Some updates,

On Tue, Nov 26, 2019 at 09:51:04AM +0900, AKASHI Takahiro wrote:
> One of major missing features in current UEFI implementation is "secure boot."
> The ultimate goal of my attempt is to implement image authentication based
> on signature and provide UEFI secure boot support which would be fully
> compliant with UEFI specification, section 32[1].
> (The code was originally developed by Patrick Wildt.)
> 
> While this patch/RFC is still rough-edged, the aim here is to get early
> feedbacks from the community as the patch is quite huge (in total) and also
> as it's a security enhancement.

Oops, this sentence should have been deleted.

[...]

> Test:
> * my pytest, included in this patch set, passed.
> * efi_selftest passed. (At least no reguression.)
> * Travis CI tests, except the following two, have passed:
>   - test/py sandbox
>     test/py/tests/test_fs/test_unlink.py test_unlink2

I cannot reproduce this issue even if I re-submit a specific job.
It may be a transient error as Heinrich has reported on fat write before?

>   - test/py sandbox with clang
>     cmd/efidebug.c:703:15: error: result of comparison of constant 
>     9223372036854775822 with expression of type 'int' is always false 
>     [-Werror,-Wtautological-constant-out-of-range-compare]

Sent out a patch.

Thanks,
-Takahiro Akashi

>   But as you can see, those have nothing to do with my UEFI secure boot
>   patch and are existing bugs.
> 
> Known issues:
> * efitools is used in pytest, and its version must be v1.5.2 or later.
>   (Solution: You can define EFITOOLS_PATH in defs.py for your own efitools.)
> * Pytest depends on standalone "helloworld" app for sandbox
>   (Solution: You can define HELLO_PATH in defs.py or Heinrich's [7].)
> * Travis CI errors mentioned above
>         => I will send *separate* bug-fix patches once fixed.
> 
> 
> Hints about how to use:
> (Please see other documents, or my pytest scripts, for details.)
> * You can create your own certificates with openssl.
> * You can sign your application with sbsign (on Ubuntu).
> * You can create raw data for signature database with efitools, and
>   install/manage authenticated variables with "env -set -e" command
>   or efitools' "UpdateVars.efi" application.
> 
> 
> [1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
> [2] https://lists.denx.de/pipermail/u-boot/2019-November/390127.html
>     (import x509/pkcs7 parsers from linux)
> [3] https://lists.denx.de/pipermail/u-boot/2019-November/390150.html
>     (extend rsa_verify() for UEFI secure boot)
> [4] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot
> [5] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html
>     (non-volatile variables support)
> [6] https://bugzilla.tianocore.org/show_bug.cgi?id=2230
> [7] https://lists.denx.de/pipermail/u-boot/2019-November/389593.html
> 
> 
> Changes in v2 (Nov 26, 2019)
> * rebased to v2020.01-rc3
> * rename IMAGE_DIRECTORY_ENTRY_CERTTABLE to IMAGE_DIRECTORY_ENTRY_SECURITY
>   (patch#1,#9)
> * add comments (patch#1)
> * drop v1's patch#2 as it is no longer necessary
> * drop v1's patch#3 as other "SECURE_BOOT" architectures have renamed
>   this option and no longer use it
> * add structure descriptions (patch#3)
> * rework hash calculation code in efi_signature_verify() and remove
>   an odd constant, WinIndrectSha256 (patch#3)
> * move travis.yml changes to a seprate patch (patch#12, #16)
> * yield_fixture() -> fixture() (patch#12)
> * call console.restart_uboot() at every test case (13,#14)
> * add patch#15; enable UEFI-related configurations by default on sandbox
> * add patch#16; modify Travis CI environment to run UEFI secure boot test
> 
> Changes in v1 (Nov 13, 2019)
> * rebased to v2020.01-rc
> * remove already-merged patches
> * re-work the patch set for easier reviews, including
>   - move a config definition patch forward (patch#4)
>   - refactor/rename verification functions (patch#5/#10)
>   - split signature database parser as a separate patch (patch#6)
>   - split secure state transition code as a separate patch (patch#8)
>   - move most part of init_secure_boot() into init_variables() (patch#8)
>   - split test environment setup from test patches (patch#14)
> * add function descriptions (patch#5-#11)
> * make sure the section list is sorted in ascending order in hash
>   calculation of PE image (patch#10)
> * add a new "-at" (authenticated access) option to "env -e" (patch#13)
> * list required host packages, in particular udisks2, in pytest
>   (patch#14)
> * modify conftest.py to run under python3 (patch#14)
> * use a partition on a disk instead of a whole disk without partition
>   table (patch#14)
> * reduce depencendy on efitools, yet relying on its host tools (patch#14)
> * modify pytests to catch up wth latest changes of "env -e" syntax
>   (patch#15,#16)
> 
> RFC (Sept 18, 2019)
> 
> AKASHI Takahiro (16):
>   include: pe.h: add signature-related definitions
>   efi_loader: add CONFIG_EFI_SECURE_BOOT config option
>   efi_loader: add signature verification functions
>   efi_loader: add signature database parser
>   efi_loader: variable: support variable authentication
>   efi_loader: variable: add secure boot state transition
>   efi_loader: variable: add VendorKeys variable
>   efi_loader: image_loader: support image authentication
>   efi_loader: set up secure boot
>   cmd: env: use appropriate guid for authenticated UEFI variable
>   cmd: env: add "-at" option to "env set -e" command
>   efi_loader, pytest: set up secure boot environment
>   efi_loader, pytest: add UEFI secure boot tests (authenticated
>     variables)
>   efi_loader, pytest: add UEFI secure boot tests (image)
>   sandbox: add extra configurations for UEFI and related tests
>   travis: add packages for UEFI secure boot test
> 
>  .travis.yml                                   |  11 +-
>  cmd/nvedit.c                                  |   5 +-
>  cmd/nvedit_efi.c                              |  23 +-
>  configs/sandbox64_defconfig                   |   3 +
>  configs/sandbox_defconfig                     |   3 +
>  include/efi_api.h                             |  87 ++
>  include/efi_loader.h                          |  85 +-
>  include/pe.h                                  |  18 +
>  lib/efi_loader/Kconfig                        |  16 +
>  lib/efi_loader/Makefile                       |   1 +
>  lib/efi_loader/efi_boottime.c                 |   2 +-
>  lib/efi_loader/efi_image_loader.c             | 443 +++++++-
>  lib/efi_loader/efi_setup.c                    |  38 +
>  lib/efi_loader/efi_signature.c                | 811 +++++++++++++++
>  lib/efi_loader/efi_variable.c                 | 950 ++++++++++++++++--
>  test/py/README.md                             |   8 +
>  test/py/tests/test_efi_secboot/conftest.py    | 151 +++
>  test/py/tests/test_efi_secboot/defs.py        |  21 +
>  .../py/tests/test_efi_secboot/test_authvar.py | 282 ++++++
>  test/py/tests/test_efi_secboot/test_signed.py |  99 ++
>  .../tests/test_efi_secboot/test_unsigned.py   | 103 ++
>  21 files changed, 3032 insertions(+), 128 deletions(-)
>  create mode 100644 lib/efi_loader/efi_signature.c
>  create mode 100644 test/py/tests/test_efi_secboot/conftest.py
>  create mode 100644 test/py/tests/test_efi_secboot/defs.py
>  create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py
>  create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
>  create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py
> 
> -- 
> 2.24.0
>