From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
Alexander Graf <agraf@csgraf.de>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: Re: [PATCH v3 1/3] efi_loader: don't load signature database from file
Date: Mon, 6 Sep 2021 09:12:59 +0900 [thread overview]
Message-ID: <20210906001259.GA40187@laputa> (raw)
In-Reply-To: <20210902093531.17883-2-heinrich.schuchardt@canonical.com>
Heinrich,
On Thu, Sep 02, 2021 at 11:35:29AM +0200, Heinrich Schuchardt wrote:
> The UEFI specification requires that the signature database may only be
> stored in tamper-resistant storage. So these variable may not be read
> from an unsigned file.
Even with TF-A (or other methods) assumed, I think the behavior here is
too restrictive.
If you think TF-A provides the base for "chain of trust", all what you
need to do is to protect PK and all the other auth variables should be
allowed to be restored even from an unsafe file because the changes of
values will be verified anyway by UEFI system as long as SetVariable()
is used.
Please think about why UEFI specification defines both PK and KEK.
The ability of setting/modifying KEK will add more flexibility of system
configuration.
-Takahiro Akashi
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
> ---
> include/efi_variable.h | 5 +++-
> lib/efi_loader/efi_var_common.c | 2 --
> lib/efi_loader/efi_var_file.c | 41 ++++++++++++++++++++-------------
> lib/efi_loader/efi_variable.c | 2 +-
> 4 files changed, 30 insertions(+), 20 deletions(-)
>
> diff --git a/include/efi_variable.h b/include/efi_variable.h
> index 4623a64142..2d97655e1f 100644
> --- a/include/efi_variable.h
> +++ b/include/efi_variable.h
> @@ -161,10 +161,13 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t *
> /**
> * efi_var_restore() - restore EFI variables from buffer
> *
> + * Only if @safe is set secure boot related variables will be restored.
> + *
> * @buf: buffer
> + * @safe: restoring from tamper-resistant storage
> * Return: status code
> */
> -efi_status_t efi_var_restore(struct efi_var_file *buf);
> +efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe);
>
> /**
> * efi_var_from_file() - read variables from file
> diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
> index 3d92afe2eb..005c03ea5f 100644
> --- a/lib/efi_loader/efi_var_common.c
> +++ b/lib/efi_loader/efi_var_common.c
> @@ -32,10 +32,8 @@ static const struct efi_auth_var_name_type name_type[] = {
> {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
> {u"db", &efi_guid_image_security_database, EFI_AUTH_VAR_DB},
> {u"dbx", &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
> - /* not used yet
> {u"dbt", &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
> {u"dbr", &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
> - */
> };
>
> static bool efi_secure_boot;
> diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c
> index de076b8cbc..c7c6805ed0 100644
> --- a/lib/efi_loader/efi_var_file.c
> +++ b/lib/efi_loader/efi_var_file.c
> @@ -148,9 +148,10 @@ error:
> #endif
> }
>
> -efi_status_t efi_var_restore(struct efi_var_file *buf)
> +efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
> {
> struct efi_var_entry *var, *last_var;
> + u16 *data;
> efi_status_t ret;
>
> if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC ||
> @@ -160,21 +161,29 @@ efi_status_t efi_var_restore(struct efi_var_file *buf)
> return EFI_INVALID_PARAMETER;
> }
>
> - var = buf->var;
> last_var = (struct efi_var_entry *)((u8 *)buf + buf->length);
> - while (var < last_var) {
> - u16 *data = var->name + u16_strlen(var->name) + 1;
> -
> - if (var->attr & EFI_VARIABLE_NON_VOLATILE && var->length) {
> - ret = efi_var_mem_ins(var->name, &var->guid, var->attr,
> - var->length, data, 0, NULL,
> - var->time);
> - if (ret != EFI_SUCCESS)
> - log_err("Failed to set EFI variable %ls\n",
> - var->name);
> - }
> - var = (struct efi_var_entry *)
> - ALIGN((uintptr_t)data + var->length, 8);
> + for (var = buf->var; var < last_var;
> + var = (struct efi_var_entry *)
> + ALIGN((uintptr_t)data + var->length, 8)) {
> +
> + data = var->name + u16_strlen(var->name) + 1;
> +
> + /*
> + * Secure boot related and non-volatile variables shall only be
> + * restored from U-Boot's preseed.
> + */
> + if (!safe &&
> + (efi_auth_var_get_type(var->name, &var->guid) !=
> + EFI_AUTH_VAR_NONE ||
> + !(var->attr & EFI_VARIABLE_NON_VOLATILE)))
> + continue;
> + if (!var->length)
> + continue;
> + ret = efi_var_mem_ins(var->name, &var->guid, var->attr,
> + var->length, data, 0, NULL,
> + var->time);
> + if (ret != EFI_SUCCESS)
> + log_err("Failed to set EFI variable %ls\n", var->name);
> }
> return EFI_SUCCESS;
> }
> @@ -213,7 +222,7 @@ efi_status_t efi_var_from_file(void)
> log_err("Failed to load EFI variables\n");
> goto error;
> }
> - if (buf->length != len || efi_var_restore(buf) != EFI_SUCCESS)
> + if (buf->length != len || efi_var_restore(buf, false) != EFI_SUCCESS)
> log_err("Invalid EFI variables file\n");
> error:
> free(buf);
> diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
> index ba0874e9e7..a7d305ffbc 100644
> --- a/lib/efi_loader/efi_variable.c
> +++ b/lib/efi_loader/efi_variable.c
> @@ -426,7 +426,7 @@ efi_status_t efi_init_variables(void)
>
> if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
> ret = efi_var_restore((struct efi_var_file *)
> - __efi_var_file_begin);
> + __efi_var_file_begin, true);
> if (ret != EFI_SUCCESS)
> log_err("Invalid EFI variable seed\n");
> }
> --
> 2.32.0
>
next prev parent reply other threads:[~2021-09-06 0:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-02 9:35 [PATCH v3 0/3] efi_loader: secure boot using preseed cert db Heinrich Schuchardt
2021-09-02 9:35 ` [PATCH v3 1/3] efi_loader: don't load signature database from file Heinrich Schuchardt
2021-09-06 0:12 ` AKASHI Takahiro [this message]
2021-09-06 6:59 ` Heinrich Schuchardt
2021-09-02 9:35 ` [PATCH v3 2/3] efi_loader: efi_auth_var_type for AuditMode, DeployedMode Heinrich Schuchardt
2021-09-02 9:35 ` [PATCH v3 3/3] efi_loader: correct determination of secure boot state Heinrich Schuchardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210906001259.GA40187@laputa \
--to=takahiro.akashi@linaro.org \
--cc=agraf@csgraf.de \
--cc=heinrich.schuchardt@canonical.com \
--cc=ilias.apalodimas@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox