From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
Simon Glass <sjg@chromium.org>,
Takahiro Akashi <takahiro.akashi@linaro.org>,
Francois Ozog <francois.ozog@linaro.org>,
Mark Kettenis <mark.kettenis@xs4all.nl>,
Chris Morgan <macromorgan@hotmail.com>,
Roland Gaudig <roland.gaudig@weidmueller.com>,
Huang Jianan <jnhuang95@gmail.com>,
Ashok Reddy Soma <ashok.reddy.soma@xilinx.com>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: Re: [RFC PATCH 1/3] eficonfig: add UEFI Secure Boot Key enrollment interface
Date: Fri, 8 Jul 2022 12:14:50 +0300 [thread overview]
Message-ID: <Ysf1ilNmpZQN9+MP@hades> (raw)
In-Reply-To: <20220619052022.2694-2-masahisa.kojima@linaro.org>
On Sun, Jun 19, 2022 at 02:20:20PM +0900, Masahisa Kojima wrote:
> This commit adds the menu-driven UEFI Secure Boot Key
> enrollment interface. User can enroll the PK, KEK, db
> and dbx by selecting EFI Signature Lists file.
> After the PK is enrolled, UEFI Secure Boot is enabled and
> EFI Signature Lists file must be signed by KEK or PK.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> ---
> cmd/Makefile | 3 +
> cmd/eficonfig.c | 3 +
> cmd/eficonfig_sbkey.c | 202 ++++++++++++++++++++++++++++++++++++++++++
> include/efi_config.h | 3 +
> 4 files changed, 211 insertions(+)
> create mode 100644 cmd/eficonfig_sbkey.c
>
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 0afa687e94..9d87b639fc 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -64,6 +64,9 @@ obj-$(CONFIG_CMD_EEPROM) += eeprom.o
> obj-$(CONFIG_EFI) += efi.o
> obj-$(CONFIG_CMD_EFIDEBUG) += efidebug.o
> obj-$(CONFIG_CMD_EFICONFIG) += eficonfig.o
> +ifdef CONFIG_CMD_EFICONFIG
> +obj-$(CONFIG_EFI_SECURE_BOOT) += eficonfig_sbkey.o
> +endif
> obj-$(CONFIG_CMD_ELF) += elf.o
> obj-$(CONFIG_CMD_EROFS) += erofs.o
> obj-$(CONFIG_HUSH_PARSER) += exit.o
> diff --git a/cmd/eficonfig.c b/cmd/eficonfig.c
> index e62f5e41a4..e6d2cba9c5 100644
> --- a/cmd/eficonfig.c
> +++ b/cmd/eficonfig.c
> @@ -1832,6 +1832,9 @@ static const struct eficonfig_item maintenance_menu_items[] = {
> {"Edit Boot Option", eficonfig_process_edit_boot_option},
> {"Change Boot Order", eficonfig_process_change_boot_order},
> {"Delete Boot Option", eficonfig_process_delete_boot_option},
> +#if (CONFIG_IS_ENABLED(EFI_SECURE_BOOT))
> + {"Secure Boot Configuration", eficonfig_process_secure_boot_config},
> +#endif
> {"Quit", eficonfig_process_quit},
> };
>
> diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
> new file mode 100644
> index 0000000000..a5c0dbe9b3
> --- /dev/null
> +++ b/cmd/eficonfig_sbkey.c
> @@ -0,0 +1,202 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Menu-driven UEFI Secure Boot key maintenance
> + *
> + * Copyright (c) 2022 Masahisa Kojima, Linaro Limited
> + */
> +
> +#include <ansi.h>
> +#include <common.h>
> +#include <charset.h>
> +#include <hexdump.h>
> +#include <log.h>
> +#include <malloc.h>
> +#include <menu.h>
> +#include <efi_loader.h>
> +#include <efi_config.h>
> +#include <efi_variable.h>
> +#include <crypto/pkcs7_parser.h>
> +
> +static bool is_secureboot_enabled(void)
> +{
> + efi_status_t ret;
> + u8 secure_boot;
> + efi_uintn_t size;
> +
> + size = sizeof(secure_boot);
> + ret = efi_get_variable_int(u"SecureBoot", &efi_global_variable_guid,
> + NULL, &size, &secure_boot, NULL);
> +
> + return secure_boot == 1;
> +}
> +
> +static efi_status_t eficonfig_process_enroll_key(void *data)
> +{
> + u32 attr;
> + char *buf = NULL;
> + efi_uintn_t size;
> + efi_status_t ret;
> + struct efi_file_handle *f;
> + struct efi_file_handle *root;
> + struct eficonfig_select_file_info file_info;
> +
> + file_info.current_path = calloc(1, EFICONFIG_FILE_PATH_BUF_SIZE);
> + if (!file_info.current_path)
> + goto out;
> +
> + ret = eficonfig_select_file_handler(&file_info);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + ret = efi_open_volume_int(file_info.current_volume, &root);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + ret = efi_file_open_int(root, &f, file_info.current_path, EFI_FILE_MODE_READ, 0);
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + size = 0;
> + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, NULL));
> + if (ret != EFI_BUFFER_TOO_SMALL)
> + goto out;
> +
> + buf = calloc(1, size);
> + if (!buf) {
> + ret = EFI_OUT_OF_RESOURCES;
> + goto out;
> + }
> + ret = EFI_CALL(f->getinfo(f, &efi_file_info_guid, &size, buf));
> + if (ret != EFI_SUCCESS)
> + goto out;
> +
> + size = ((struct efi_file_info *)buf)->file_size;
> + free(buf);
You should set buf to NULL here.
> +
> + buf = calloc(1, size);
> + if (!buf)
> + goto out;
> +
> + ret = efi_file_read_int(f, &size, buf);
> + if (ret != EFI_SUCCESS || size == 0)
> + goto out;
> +
> + attr = EFI_VARIABLE_NON_VOLATILE |
> + EFI_VARIABLE_BOOTSERVICE_ACCESS |
> + EFI_VARIABLE_RUNTIME_ACCESS |
> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> + /* PK can enroll only one certificate */
> + if (u16_strcmp(data, u"PK")) {
> + efi_uintn_t db_size = 0;
> +
> + /* check the variable exists. If exists, add APPEND_WRITE attribute */
> + ret = efi_get_variable_int(data, efi_auth_var_get_guid(data), NULL,
> + &db_size, NULL, NULL);
> + if (ret == EFI_BUFFER_TOO_SMALL)
> + attr |= EFI_VARIABLE_APPEND_WRITE;
> + }
> +
Why are we appending? Shouldn't we always overwrite the platform key?
> + ret = efi_set_variable_int((u16 *)data, efi_auth_var_get_guid((u16 *)data),
> + attr, size, buf, false);
> + if (ret != EFI_SUCCESS) {
> + eficonfig_print_msg("ERROR! Fail to update signature database");
> + goto out;
> + }
> +
> +out:
> + free(file_info.current_path);
> + free(buf);
> +
>
[...]
Thanks
/Ilias
next prev parent reply other threads:[~2022-07-08 9:15 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-19 5:20 [RFC PATCH 0/3] eficonfig: add UEFI Secure Boot key maintenance interface Masahisa Kojima
2022-06-19 5:20 ` [RFC PATCH 1/3] eficonfig: add UEFI Secure Boot Key enrollment interface Masahisa Kojima
2022-07-08 9:14 ` Ilias Apalodimas [this message]
2022-07-08 10:37 ` Masahisa Kojima
2022-07-08 11:57 ` Ilias Apalodimas
2022-07-10 9:36 ` Heinrich Schuchardt
2022-07-11 13:24 ` Masahisa Kojima
2022-06-19 5:20 ` [RFC PATCH 2/3] eficonfig: add "Show Signature Database" menu entry Masahisa Kojima
2022-06-19 5:20 ` [RFC PATCH 3/3] eficonfig: add "Delete Key" " Masahisa Kojima
2022-07-10 10:10 ` Heinrich Schuchardt
2022-07-12 1:17 ` Takahiro Akashi
2022-07-12 7:13 ` Masahisa Kojima
2022-07-12 8:02 ` Heinrich Schuchardt
2022-07-12 11:15 ` Masahisa Kojima
2022-07-08 9:06 ` [RFC PATCH 0/3] eficonfig: add UEFI Secure Boot key maintenance interface Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ysf1ilNmpZQN9+MP@hades \
--to=ilias.apalodimas@linaro.org \
--cc=ashok.reddy.soma@xilinx.com \
--cc=francois.ozog@linaro.org \
--cc=jnhuang95@gmail.com \
--cc=macromorgan@hotmail.com \
--cc=mark.kettenis@xs4all.nl \
--cc=masahisa.kojima@linaro.org \
--cc=ovidiu.panait@windriver.com \
--cc=roland.gaudig@weidmueller.com \
--cc=sjg@chromium.org \
--cc=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox