From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 9D224C433FE
	for <u-boot@archiver.kernel.org>; Wed,  9 Nov 2022 16:04:52 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id C4ED78505F;
	Wed,  9 Nov 2022 17:04:50 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="stDwkpIl";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 877E88504E; Wed,  9 Nov 2022 17:04:49 +0100 (CET)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com
 [IPv6:2a00:1450:4864:20::332])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id B40AA8505F
 for <u-boot@lists.denx.de>; Wed,  9 Nov 2022 17:04:46 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org
Received: by mail-wm1-x332.google.com with SMTP id o30so11128276wms.2
 for <u-boot@lists.denx.de>; Wed, 09 Nov 2022 08:04:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=in-reply-to:content-disposition:mime-version:references:message-id
 :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
 bh=owKbtyqTPNrYCgFcm6b/oTJIbwQNv4npOGA9FfRmRAo=;
 b=stDwkpIlQdKcNZi7MfZEtJuWMbtMHrF1BCaE3k5Fg3ad4vW9VBrX5JpWSbSa5YsjPW
 HC6d3jcKveYcDn1UOHSQpp5vm4/lwSdvtpg5Ytz/XxQUuw1AtnZ+QwaMWVgKFTz/Iw9M
 cweefeuETTmWeof4jVLLzZ4N38I5AEoHdG7W9O6BrItcUDroM/C3ozl9sKTkPYuv7o6y
 sRH74B0Vu314poGzKXs3GoPuyTQ9hlcHGcMSwSyRwLy+8cIZ7JJgU4PyR+YNHf27nuIr
 SfI+TIdHHKqEUq1lGFk3Z0hON7rgX/Vu6JT1vKBqbDPC3A4HIe8LvyYZKA0D+BJ21eZv
 LJnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=in-reply-to:content-disposition:mime-version:references:message-id
 :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
 :message-id:reply-to;
 bh=owKbtyqTPNrYCgFcm6b/oTJIbwQNv4npOGA9FfRmRAo=;
 b=Z+xKDc3ZfAKuzaQAv7b76qWOAG+ClCoF1v6yHFF29RAQO10f4kt9UhOtuHw840Fq/l
 5fKiwjkeKu4YfuLeJuMQbihQv2ki8XDWkQs7fPbTizOOYSMLU/CIOLW/irITwVkNk9tN
 NLiRanFwfYbTwmBIQjwjBF/q7wbKXxElC34FCaohgG0ePUZVNfV8yc4PxdvqbcIbi/bE
 ZMUVBDHL0IP2cSHRD9lc3HA3U6tRUVCEaoZW3H3CHr6XAD67K+oES4OB7QOvoS6gPhtx
 2/tgE/R+xdincgUBDK1wXuuhI3ZmJpgYUNNSUad3olUg0ZPuMjVvavWQ/kljnYaOobpB
 qzYg==
X-Gm-Message-State: ACrzQf2PHpOjMwONJEaVYML9EmikD0df3PmjQ6W9cyUUkOzzcCx2KfU0
 IKlrcoic83xhEEYnTyMDRovuRw==
X-Google-Smtp-Source: AMsMyM7pAm+Z8uWavjVIGm4sQ5+Ft2s0z/PzfTWLV56bS5cmjjZ4ZCHzVnpc4nowf8ynZL/wjMGRaA==
X-Received: by 2002:a05:600c:539b:b0:3cf:51ce:cd7a with SMTP id
 hg27-20020a05600c539b00b003cf51cecd7amr45962196wmb.11.1668009886199; 
 Wed, 09 Nov 2022 08:04:46 -0800 (PST)
Received: from hera (ppp046103046165.access.hol.gr. [46.103.46.165])
 by smtp.gmail.com with ESMTPSA id
 p33-20020a05600c1da100b003c71358a42dsm2682230wms.18.2022.11.09.08.04.43
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 09 Nov 2022 08:04:44 -0800 (PST)
Date: Wed, 9 Nov 2022 18:04:42 +0200
From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: kojima.masahisa@socionext.com, u-boot@lists.denx.de,
 Heinrich Schuchardt <xypron.glpk@gmx.de>, Simon Glass <sjg@chromium.org>,
 Takahiro Akashi <takahiro.akashi@linaro.org>,
 Etienne Carriere <etienne.carriere@linaro.org>,
 Roger Knecht <rknecht@pm.me>, Ovidiu Panait <ovidiu.panait@windriver.com>,
 Ashok Reddy Soma <ashok.reddy.soma@xilinx.com>
Subject: Re: [PATCH v7 4/5] eficonfig: add UEFI Secure Boot Key enrollment
 interface
Message-ID: <Y2vPmgeXiwFVcV2N@hera>
References: <20221109033728.5623-1-masahisa.kojima@linaro.org>
 <20221109033728.5623-5-masahisa.kojima@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20221109033728.5623-5-masahisa.kojima@linaro.org>
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

Hi Kojima-san


On Wed, Nov 09, 2022 at 12:37:27PM +0900, Masahisa Kojima wrote:
> This commit adds the menu-driven UEFI Secure Boot Key
> enrollment interface. User can enroll PK, KEK, db
> and dbx by selecting file.
> Only the signed EFI Signature List(s) with an authenticated
> header, typically '.auth' file, is accepted.
> 
> To clear the PK, KEK, db and dbx, user needs to enroll the null key
> signed by PK or KEK.
> 
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
> Changes in v7:
> - only accept .auth file.
> - remove creating time based authenticated variable
> - update commit message
> - use efi_file_size()
> 
> Changes in v6:
> - use efi_secure_boot_enabled()
> - replace with WIN_CERT_REVISION_2_0 from pe.h
> - call efi_build_signature_store() to check the valid EFI Signature List
> - update comment
> 
> Changes in v4:
> - add CONFIG_EFI_MM_COMM_TEE dependency
> - fix error handling
> 
> Changes in v3:
> - fix error handling
> 
> Changes in v2:
> - allow to enroll .esl file
> - fix typos
> - add function comments
> 
>  cmd/Makefile          |   5 +
>  cmd/eficonfig.c       |   3 +
>  cmd/eficonfig_sbkey.c | 242 ++++++++++++++++++++++++++++++++++++++++++
>  include/efi_config.h  |   5 +
>  4 files changed, 255 insertions(+)
>  create mode 100644 cmd/eficonfig_sbkey.c
> 
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 2444d116c0..0b6a96c1d9 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -66,6 +66,11 @@ obj-$(CONFIG_CMD_EEPROM) += eeprom.o
>  obj-$(CONFIG_EFI) += efi.o
>  obj-$(CONFIG_CMD_EFIDEBUG) += efidebug.o
>  obj-$(CONFIG_CMD_EFICONFIG) += eficonfig.o
> +ifdef CONFIG_CMD_EFICONFIG
> +ifdef CONFIG_EFI_MM_COMM_TEE
> +obj-$(CONFIG_EFI_SECURE_BOOT) += eficonfig_sbkey.o
> +endif
> +endif
>  obj-$(CONFIG_CMD_ELF) += elf.o
>  obj-$(CONFIG_CMD_EROFS) += erofs.o
>  obj-$(CONFIG_HUSH_PARSER) += exit.o
> diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c
> index 12babb76c2..d79194794b 100644
> --- a/cmd/eficonfig.c
> +++ b/cmd/eficonfig.c
> @@ -2435,6 +2435,9 @@ static const struct eficonfig_item maintenance_menu_items[] = {
>  	{"Edit Boot Option", eficonfig_process_edit_boot_option},
>  	{"Change Boot Order", eficonfig_process_change_boot_order},
>  	{"Delete Boot Option", eficonfig_process_delete_boot_option},
> +#if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT) && CONFIG_IS_ENABLED(EFI_MM_COMM_TEE))
> +	{"Secure Boot Configuration", eficonfig_process_secure_boot_config},
> +#endif
>  	{"Quit", eficonfig_process_quit},
>  };
>  
> diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
> new file mode 100644
> index 0000000000..1e9eb3f51e
> --- /dev/null
> +++ b/cmd/eficonfig_sbkey.c
> @@ -0,0 +1,242 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + *  Menu-driven UEFI Secure Boot Key Maintenance
> + *
> + *  Copyright (c) 2022 Masahisa Kojima, Linaro Limited
> + */
> +
> +#include <ansi.h>
> +#include <common.h>
> +#include <charset.h>
> +#include <hexdump.h>
> +#include <log.h>
> +#include <malloc.h>
> +#include <menu.h>
> +#include <efi_loader.h>
> +#include <efi_config.h>
> +#include <efi_variable.h>
> +#include <crypto/pkcs7_parser.h>
> +
> +enum efi_sbkey_signature_type {
> +	SIG_TYPE_X509 = 0,
> +	SIG_TYPE_HASH,
> +	SIG_TYPE_CRL,
> +	SIG_TYPE_RSA2048,
> +};
> +
> +struct eficonfig_sigtype_to_str {
> +	efi_guid_t sig_type;
> +	char *str;
> +	enum efi_sbkey_signature_type type;
> +};
> +
> +static const struct eficonfig_sigtype_to_str sigtype_to_str[] = {
> +	{EFI_CERT_X509_GUID,		"X509",			SIG_TYPE_X509},
> +	{EFI_CERT_SHA256_GUID,		"SHA256",		SIG_TYPE_HASH},
> +	{EFI_CERT_X509_SHA256_GUID,	"X509_SHA256 CRL",	SIG_TYPE_CRL},
> +	{EFI_CERT_X509_SHA384_GUID,	"X509_SHA384 CRL",	SIG_TYPE_CRL},
> +	{EFI_CERT_X509_SHA512_GUID,	"X509_SHA512 CRL",	SIG_TYPE_CRL},
> +	/* U-Boot does not support the following signature types */
> +/*	{EFI_CERT_RSA2048_GUID,		"RSA2048",		SIG_TYPE_RSA2048}, */
> +/*	{EFI_CERT_RSA2048_SHA256_GUID,	"RSA2048_SHA256",	SIG_TYPE_RSA2048}, */
> +/*	{EFI_CERT_SHA1_GUID,		"SHA1",			SIG_TYPE_HASH}, */
> +/*	{EFI_CERT_RSA2048_SHA_GUID,	"RSA2048_SHA",		SIG_TYPE_RSA2048 }, */
> +/*	{EFI_CERT_SHA224_GUID,		"SHA224",		SIG_TYPE_HASH}, */
> +/*	{EFI_CERT_SHA384_GUID,		"SHA384",		SIG_TYPE_HASH}, */
> +/*	{EFI_CERT_SHA512_GUID,		"SHA512",		SIG_TYPE_HASH}, */
> +};
> +
> +/**
> + * file_have_auth_header() - check file has EFI_VARIABLE_AUTHENTICATION_2 header
> + * @buf:	pointer to file
> + * @size:	file size
> + * Return:	true if file has auth header, false otherwise
> + */
> +static bool file_have_auth_header(void *buf, efi_uintn_t size)
> +{
> +	struct efi_variable_authentication_2 *auth = buf;
> +
> +	if (auth->auth_info.hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID)
> +		return false;
> +
> +	if (guidcmp(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7))
> +		return false;
> +
> +	return true;
> +}
> +
> +/**
> + * eficonfig_process_enroll_key() - enroll key into signature database
> + *
> + * @data:	pointer to the data for each entry
> + * Return:	status code
> + */
> +static efi_status_t eficonfig_process_enroll_key(void *data)
> +{
> +	u32 attr;
> +	char *buf = NULL;
> +	efi_uintn_t size;
> +	efi_status_t ret;
> +	struct efi_file_handle *f;
> +	struct efi_file_handle *root;
> +	struct eficonfig_select_file_info file_info;
> +
> +	file_info.current_path = calloc(1, EFICONFIG_FILE_PATH_BUF_SIZE);
> +	if (!file_info.current_path) {
> +		ret = EFI_OUT_OF_RESOURCES;
> +		goto out;
> +	}
> +
> +	ret = eficonfig_process_select_file(&file_info);
> +	if (ret != EFI_SUCCESS)
> +		goto out;
> +
> +	ret = efi_open_volume_int(file_info.current_volume, &root);
> +	if (ret != EFI_SUCCESS)
> +		goto out;
> +
> +	ret = efi_file_open_int(root, &f, file_info.current_path, EFI_FILE_MODE_READ, 0);
> +	if (ret != EFI_SUCCESS)
> +		goto out;

I think it would be better here if we could use efi_file_from_path().
I think we can't easily do that atm since we can't convert the filename to
a device path with efi_dp_from_file() since we don't have the block info.

Since that requires a further clean up, I am fine keeping it as-is for now,
but add a comment saying we should replace that with efi_file_from_path()
eventually.

> +
> +	ret = efi_file_size(f, &size);
> +	if (ret != EFI_SUCCESS)
> +		goto out;
> +
> +	buf = calloc(1, size);
> +	if (!buf) {
> +		ret = EFI_OUT_OF_RESOURCES;
> +		goto out;
> +	}
> +	if (size == 0) {
> +		eficonfig_print_msg("ERROR! File is empty.");
> +		goto out;
> +	}
> +
> +	ret = efi_file_read_int(f, &size, buf);
> +	if (ret != EFI_SUCCESS) {
> +		eficonfig_print_msg("ERROR! Failed to read file.");
> +		goto out;
> +	}
> +	if (!file_have_auth_header(buf, size)) {
> +		eficonfig_print_msg("ERROR! Invalid file format. Only .auth variables is allowed.");
> +		ret = EFI_INVALID_PARAMETER;
> +		goto out;
> +	}
> +
> +	attr = EFI_VARIABLE_NON_VOLATILE |
> +	       EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +	       EFI_VARIABLE_RUNTIME_ACCESS |
> +	       EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> +	/* PK can enroll only one certificate */
> +	if (u16_strcmp(data, u"PK")) {
> +		efi_uintn_t db_size = 0;
> +
> +		/* check the variable exists. If exists, add APPEND_WRITE attribute */
> +		ret = efi_get_variable_int(data, efi_auth_var_get_guid(data), NULL,
> +					   &db_size, NULL,  NULL);
> +		if (ret == EFI_BUFFER_TOO_SMALL)
> +			attr |= EFI_VARIABLE_APPEND_WRITE;
> +	}
> +
> +	ret = efi_set_variable_int((u16 *)data, efi_auth_var_get_guid((u16 *)data),
> +				   attr, size, buf, false);
> +	if (ret != EFI_SUCCESS)
> +		eficonfig_print_msg("ERROR! Failed to update signature database");
> +
> +out:
> +	free(file_info.current_path);
> +	free(buf);

Shouldn't we close the file handle here as well?

> +
> +	/* return to the parent menu */
> +	ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret;
> +
> +	return ret;
> +}
> +
> +static struct eficonfig_item key_config_menu_items[] = {
> +	{"Enroll New Key", eficonfig_process_enroll_key},
> +	{"Quit", eficonfig_process_quit},
> +};
> +
> +/**
> + * eficonfig_process_set_secure_boot_key() - display the key configuration menu
> + *
> + * @data:	pointer to the data for each entry
> + * Return:	status code
> + */
> +static efi_status_t eficonfig_process_set_secure_boot_key(void *data)
 
[...]