From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v4 00/16] efi_loader: add secure boot support
Date: Thu, 9 Jan 2020 10:02:11 +0200 [thread overview]
Message-ID: <20200109080211.GA33620@apalos.home> (raw)
In-Reply-To: <a66bc8f2-9f1e-b62d-14dd-f34c8f2a7e2b@gmx.de>
On Thu, Jan 09, 2020 at 01:08:35AM +0100, Heinrich Schuchardt wrote:
> On 12/18/19 1:44 AM, AKASHI Takahiro wrote:
> > One of major missing features in current UEFI implementation is "secure boot."
> > The ultimate goal of my attempt is to implement image authentication based
> > on signature and provide UEFI secure boot support which would be fully
> > compliant with UEFI specification, section 32[1].
> > (The code was originally developed by Patrick Wildt.)
> >
> > Please note, however, this patch doesn't work on its own; there are
> > a couple of functional dependencies[2] and [3], that I have submitted
> > before. For complete workable patch set, see my repository[4],
> > which also contains experimental timestamp-based revocation suuport.
> >
> > My "non-volatile" support[5], which is under discussion, is not mandatory
> > and so not included here, but this inevitably implies that, for example,
> > signature database variables, like db and dbx, won't be persistent unless you
> > explicitly run "env save" command and that UEFI variables are not separated
> > from U-Boot environment. Anyhow, Linaro is also working on implementing
> > real "secure storage" solution based on TF-A and OP-TEE.
> >
>
> Device trees can be used for denial of service or to destroy hardware.
>
> How will you address the validation of device trees?
Although this is really simple to solve, factoring in the different vendor
needs makes it quite complex.
There's a couple of options we can consider and not all of them are sane.
1. U-Boot embeds the DTB. This is straightforward. On Arm devices TF-A
verifies U-boot so you natively end up with a verified DTB. If U-Boot does not
include the proper DTB (as is the case for several devices), one can always
complite the correct DTB and compile with EXT_DTB.
2. Use https://github.com/jiazhang0/SELoader which verifies non-PE files
3. Add some custom code and use UEFI keyring to verify non PE files. This is a
bad idea though since you'll 'polute' the UEFI keyring.
4. FIT for DTB (??)
In any case UEFI job is to verify PE/COFF executables and that's what this patch
provides. DTB verification is beyond UEFI secure boot patches imho.
Regards
/Ilias
>
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2020-01-09 8:02 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-18 0:44 [PATCH v4 00/16] efi_loader: add secure boot support AKASHI Takahiro
2019-12-18 0:44 ` [PATCH v4 01/16] include: pe.h: add signature-related definitions AKASHI Takahiro
2019-12-18 0:44 ` [PATCH v4 02/16] efi_loader: add CONFIG_EFI_SECURE_BOOT config option AKASHI Takahiro
2019-12-18 0:44 ` [PATCH v4 03/16] efi_loader: add signature verification functions AKASHI Takahiro
2020-01-14 23:43 ` Heinrich Schuchardt
2020-01-15 0:13 ` Heinrich Schuchardt
2020-01-17 2:20 ` AKASHI Takahiro
2020-01-17 5:37 ` Heinrich Schuchardt
2020-01-21 6:00 ` AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 04/16] efi_loader: add signature database parser AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 05/16] efi_loader: variable: support variable authentication AKASHI Takahiro
2020-01-08 22:54 ` Heinrich Schuchardt
2020-01-17 5:35 ` AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 06/16] efi_loader: variable: add secure boot state transition AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 07/16] efi_loader: variable: add VendorKeys variable AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 08/16] efi_loader: image_loader: support image authentication AKASHI Takahiro
2020-01-08 23:55 ` Heinrich Schuchardt
2020-01-17 5:11 ` AKASHI Takahiro
2020-01-17 5:51 ` Heinrich Schuchardt
2020-01-21 6:12 ` AKASHI Takahiro
2020-01-21 7:15 ` Heinrich Schuchardt
2020-01-22 1:13 ` AKASHI Takahiro
2020-01-22 7:42 ` AKASHI Takahiro
2020-01-23 17:41 ` Heinrich Schuchardt
2020-01-27 6:52 ` AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 09/16] efi_loader: set up secure boot AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 10/16] cmd: env: use appropriate guid for authenticated UEFI variable AKASHI Takahiro
2020-01-21 7:13 ` Heinrich Schuchardt
2020-01-22 1:01 ` AKASHI Takahiro
2020-01-22 6:38 ` Heinrich Schuchardt
2020-01-22 7:15 ` AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 11/16] cmd: env: add "-at" option to "env set -e" command AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 12/16] efi_loader, pytest: set up secure boot environment AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 13/16] efi_loader, pytest: add UEFI secure boot tests (authenticated variables) AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 14/16] efi_loader, pytest: add UEFI secure boot tests (image) AKASHI Takahiro
2019-12-18 0:45 ` [PATCH v4 15/16] sandbox: add extra configurations for UEFI and related tests AKASHI Takahiro
2019-12-28 2:26 ` Simon Glass
2019-12-18 0:45 ` [PATCH v4 16/16] travis: add packages for UEFI secure boot test AKASHI Takahiro
2020-01-08 23:11 ` [PATCH v4 00/16] efi_loader: add secure boot support Heinrich Schuchardt
2020-01-09 0:08 ` Heinrich Schuchardt
2020-01-09 8:02 ` Ilias Apalodimas [this message]
2020-01-09 19:09 ` Heinrich Schuchardt
2020-01-09 20:03 ` Ilias Apalodimas
2020-01-17 5:59 ` AKASHI Takahiro
2020-01-17 6:39 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200109080211.GA33620@apalos.home \
--to=ilias.apalodimas@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox