From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 8DFEEC433EF
	for <u-boot@archiver.kernel.org>; Thu, 10 Feb 2022 05:14:02 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id E7DC181277;
	Thu, 10 Feb 2022 06:13:59 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="heacJvsU";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 5D3628128D; Thu, 10 Feb 2022 06:13:58 +0100 (CET)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com
 [IPv6:2607:f8b0:4864:20::436])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 5788B811E1
 for <u-boot@lists.denx.de>; Thu, 10 Feb 2022 06:13:54 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=takahiro.akashi@linaro.org
Received: by mail-pf1-x436.google.com with SMTP id n23so8269809pfo.1
 for <u-boot@lists.denx.de>; Wed, 09 Feb 2022 21:13:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=date:from:to:cc:subject:message-id:mail-followup-to:references
 :mime-version:content-disposition:in-reply-to;
 bh=+YUEcA2b8hFpO/otj86h9AYFxI5v4cv5SHbYL+KdCvo=;
 b=heacJvsU3y0JZnAIVTRH/xzzMJhwr3LvYhKqzIWi9Jiw5Yh6TJdLi8vxMZHYsYB72R
 K74q3joC+z3YGC0uxbIBSxWEljJyj91kWCFRc/UBtZZ2FLlGNcvXZsPysbltXRMk+2ew
 rdGRmqRL1a05MrA4ydXY9A4+bf4blhCgcvtOjzdsSad8Hvu+k7Tdkt1vEdyegwRPBxN7
 DSv4Puj98bynpCotXxE1tOyJYOaOGVNIFNZr2GW7PlGTh1x2Y0BjlxnC630ca0GYafwc
 9Ze2/4nMSuWwvCKvqrQggHbjo/ac/F7YdPUUYCYaVaWqjDDM6MlR8QHBXxVuF5fakFHV
 sCDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:from:to:cc:subject:message-id
 :mail-followup-to:references:mime-version:content-disposition
 :in-reply-to;
 bh=+YUEcA2b8hFpO/otj86h9AYFxI5v4cv5SHbYL+KdCvo=;
 b=JZCj+luvt5w38/lufNVHvctnx720SUTy/uBLdAJQNlZki7XULLebHQAXu45CVN95nk
 H4+IIVFFQkyLvnHk93Km92OBDV4uL821XorueIVD98GyCnh3ViKZvtDfd6VOPCbAVoC8
 4Iy1Yr0fL8JreTOowUq27bbdy0cDYgyZqFJ8EJjaiERVPm717SeyXUMNu9MnxNGqMMoW
 Bxj1JQWbS5U4f/xhMgK4zJKhmg+/RDdQE2+/wEcNerxfLYf6aRk4twINElPBHNf16De7
 eelWFB8hl/4IcSkWpTQB8Q/jV04vnTFW1amU3xcUQZyGobqCg0ImaRo0LoxfKSNGadbt
 6Ziw==
X-Gm-Message-State: AOAM5319WdXRI3eWrj1KLr8BTsivp1n5cAMUVidIY2Y8nlCAH9uEw5zg
 xW2gpAMCRyEAAl7PWGbKMI+vxg==
X-Google-Smtp-Source: ABdhPJxeCOWMdZBfIyuYzudipY9tZsb3Gsau4fKYIIge9NxzIwGJDosD6mid0+ILrF04N9QUNdoGcw==
X-Received: by 2002:a62:f207:: with SMTP id m7mr5931023pfh.44.1644470032416;
 Wed, 09 Feb 2022 21:13:52 -0800 (PST)
Received: from laputa ([2400:4050:c3e1:100:412e:384:fab9:f24])
 by smtp.gmail.com with ESMTPSA id s6sm15654826pgk.44.2022.02.09.21.13.50
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 09 Feb 2022 21:13:52 -0800 (PST)
Date: Thu, 10 Feb 2022 14:13:48 +0900
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 1/2] efi_loader: fix dual signed image certification
Message-ID: <20220210051348.GD12412@laputa>
Mail-Followup-To: AKASHI Takahiro <takahiro.akashi@linaro.org>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>, xypron.glpk@gmx.de,
 u-boot@lists.denx.de
References: <20220204073202.4141198-1-ilias.apalodimas@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220204073202.4141198-1-ilias.apalodimas@linaro.org>
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Hi Ilias,

Thank you for reviewing the logic.

On Fri, Feb 04, 2022 at 09:32:01AM +0200, Ilias Apalodimas wrote:
> The EFI spec allows for images to carry multiple signatures. Currently
> we don't adhere to the verification process for such images.

In this patch, you're trying to do three things:
* remove efi_image_unsigned_authenticate()
* pull efi_signature_lookup_digest() out of a while loop
* change the logic of authentication

I'd prefer to see those changes in separate patches for better reviewing.

> The spec says:
> "Multiple signatures are allowed to exist in the binary's certificate
> table (as per PE/COFF Section "Attribute Certificate Table"). Only one
> hash or signature is required to be present in db in order to pass
> validation, so long as neither the SHA-256 hash of the binary nor any
> present signature is reflected in dbx."

I have some concern about what the last phrase, "neither the SHA-256 hash
of the binary nor any present signature is reflected in dbx" means.
See the comment below.

> With our current implementation signing the image with two certificates
> and inserting both of them in db and one of them dbx doesn't always reject
> the image.  The rejection depends on the order that the image was signed
> and the order the certificates are read (and checked) in db.
> 
> While at it move the sha256 hash verification outside the signature
> checking loop, since it only needs to run once per image and get simplify
> the logic for authenticating an unsigned imahe using sha256 hashes.
> 
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>  lib/efi_loader/efi_image_loader.c | 88 +++++++------------------------
>  1 file changed, 18 insertions(+), 70 deletions(-)
> 
> diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> index f41cfa4fccd5..5df35939f702 100644
> --- a/lib/efi_loader/efi_image_loader.c
> +++ b/lib/efi_loader/efi_image_loader.c
> @@ -516,53 +516,6 @@ err:
>  }
>  
>  #ifdef CONFIG_EFI_SECURE_BOOT
> -/**
> - * efi_image_unsigned_authenticate() - authenticate unsigned image with
> - * SHA256 hash
> - * @regs:	List of regions to be verified
> - *
> - * If an image is not signed, it doesn't have a signature. In this case,
> - * its message digest is calculated and it will be compared with one of
> - * hash values stored in signature databases.
> - *
> - * Return:	true if authenticated, false if not
> - */
> -static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs)
> -{
> -	struct efi_signature_store *db = NULL, *dbx = NULL;
> -	bool ret = false;
> -
> -	dbx = efi_sigstore_parse_sigdb(u"dbx");
> -	if (!dbx) {
> -		EFI_PRINT("Getting signature database(dbx) failed\n");
> -		goto out;
> -	}
> -
> -	db = efi_sigstore_parse_sigdb(u"db");
> -	if (!db) {
> -		EFI_PRINT("Getting signature database(db) failed\n");
> -		goto out;
> -	}
> -
> -	/* try black-list first */
> -	if (efi_signature_lookup_digest(regs, dbx, true)) {
> -		EFI_PRINT("Image is not signed and its digest found in \"dbx\"\n");
> -		goto out;
> -	}
> -
> -	/* try white-list */
> -	if (efi_signature_lookup_digest(regs, db, false))
> -		ret = true;
> -	else
> -		EFI_PRINT("Image is not signed and its digest not found in \"db\" or \"dbx\"\n");
> -
> -out:
> -	efi_sigstore_free(db);
> -	efi_sigstore_free(dbx);
> -
> -	return ret;
> -}
> -
>  /**
>   * efi_image_authenticate() - verify a signature of signed image
>   * @efi:	Pointer to image
> @@ -608,14 +561,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	if (!efi_image_parse(new_efi, efi_size, &regs, &wincerts,
>  			     &wincerts_len)) {
>  		EFI_PRINT("Parsing PE executable image failed\n");
> -		goto err;
> -	}
> -
> -	if (!wincerts) {
> -		/* The image is not signed */
> -		ret = efi_image_unsigned_authenticate(regs);
> -
> -		goto err;
> +		goto out;
>  	}
>  
>  	/*
> @@ -624,18 +570,18 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	db = efi_sigstore_parse_sigdb(u"db");
>  	if (!db) {
>  		EFI_PRINT("Getting signature database(db) failed\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	dbx = efi_sigstore_parse_sigdb(u"dbx");
>  	if (!dbx) {
>  		EFI_PRINT("Getting signature database(dbx) failed\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	if (efi_signature_lookup_digest(regs, dbx, true)) {
>  		EFI_PRINT("Image's digest was found in \"dbx\"\n");
> -		goto err;
> +		goto out;
>  	}
>  
>  	/*
> @@ -678,7 +624,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  			if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
>  				EFI_PRINT("Certificate type not supported: %pUs\n",
>  					  auth);
> -				continue;
> +				ret = false;
> +				goto out;

Why should we break the loop here?

>  			}
>  
>  			auth += sizeof(efi_guid_t);
> @@ -686,7 +633,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  		} else if (wincert->wCertificateType
>  				!= WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
>  			EFI_PRINT("Certificate type not supported\n");
> -			continue;
> +			ret = false;
> +			goto out;
>  		}
>  
>  		msg = pkcs7_parse_message(auth, auth_size);
> @@ -717,32 +665,32 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  		 */
>  		/* try black-list first */
>  		if (efi_signature_verify_one(regs, msg, dbx)) {
> +			ret = false;
>  			EFI_PRINT("Signature was rejected by \"dbx\"\n");
> -			continue;
> +			goto out;

If we go to "out" here, we have no chance to verify some cases:
1) An image has two signatures, for instance, one signed by SHA1 cert
   and the other signed by SHA256 cert. A user wants to reject SHA1 cert
   and put the cert in dbx.
   But this image can and should yet be verified by SHA256 cert.
2) A user knows that a given image is safe for some reason even though
   he or she doesn't trust the certficate which is used for signing
   the image.

-Takahiro Akashi

>  		}
>  
>  		if (!efi_signature_check_signers(msg, dbx)) {
> +			ret = false;
>  			EFI_PRINT("Signer(s) in \"dbx\"\n");
> -			continue;
> +			goto out;
>  		}
>  
>  		/* try white-list */
>  		if (efi_signature_verify(regs, msg, db, dbx)) {
>  			ret = true;
> -			break;
> +			continue;
>  		}
>  
>  		EFI_PRINT("Signature was not verified by \"db\"\n");
> +	}
>  
> -		if (efi_signature_lookup_digest(regs, db, false)) {
> -			ret = true;
> -			break;
> -		}
>  
> -		EFI_PRINT("Image's digest was not found in \"db\" or \"dbx\"\n");
> -	}
> +	/* last resort try the image sha256 hash in db */
> +	if (!ret && efi_signature_lookup_digest(regs, db, false))
> +		ret = true;
>  
> -err:
> +out:
>  	efi_sigstore_free(db);
>  	efi_sigstore_free(dbx);
>  	pkcs7_free_message(msg);
> -- 
> 2.32.0
>