
One of the major missing features in the current UEFI implementation is "secure boot." The ultimate goal of my attempt is to implement image authentication based on signatures and provide UEFI secure boot support which would be fully compliant with the UEFI specification, section 32[1]. (The code was originally developed by Patrick Wildt.)

While this patch/RFC is still rough-edged, the aim here is to get early feedback from the community, as the patch is quite huge (in total) and also as it's a security enhancement.

Please note, however, that this patch doesn't work on its own; there are a couple of functional dependencies, [2], [3] and [4], that I have submitted before, in addition to related preparatory patches [5], [6], [7] and [8] for pytest support. For the complete workable patch set, see my repository[9], which also contains experimental timestamp-based revocation support.

My "non-volatile" support[10], which is under review now, is not mandatory and so not included here, but this inevitably implies that, for example, signature database variables, like db and dbx, won't be persistent unless you explicitly run the "env save" command, and that UEFI variables are not separated from the U-Boot environment. Anyhow, Linaro is also working on implementing a real "secure storage" solution based on TF-A and OP-TEE.
Supported features:
* image authentication based on db and dbx
* supported signature types are
  EFI_CERT_SHA256_GUID (SHA256 digest for unsigned images)
  EFI_CERT_X509_GUID (x509 certificate for signed images)
* SecureBoot/SignatureSupport variables
* SetupMode and user mode
* variable authentication based on PK and KEK
  EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
* pytest test cases

Unsupported features:
* hash algorithms other than SHA256
* dbt: timestamp (RFC6131)-based certificate revocation
* dbr: OS recovery
* xxxDefault: default values for signature stores
* transition to AuditMode and DeployedMode
* recording rejected images in EFI_IMAGE_EXECUTION_INFO_TABLE
* variable authentication based on PK and KEK
  EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS
* real secure storage, including hardware-specific PK (Platform Key) installation
Known issues:
* [3] and [4] have not been well reviewed yet.
* Some test cases (test_efi_var_auth1:1g) still fail.
* Extensive clean-ups
* not bisect-ready (for easier code modification) for now
TODO:
* implement "unsupported" features, in particular, timestamp-based revocation
* fix some workarounds in the source (marked as TODO/FIXME)
* extensive test suite (or more test cases) to confirm compatibility with EDK2

Hints about how to use:
(Please see other documents, or my pytest scripts, for details.)
* You can create your own certificates with openssl.
* You can sign your application with pesign (on Ubuntu).
* You can create raw data for the signature database with efitools, and install/manage authenticated variables with the "env -set -e" command or efitools' "UpdateVars.efi" application.
[1] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
[2] https://lists.denx.de/pipermail/u-boot/2019-September/382911.html (support APPEND_WRITE)
[3] https://lists.denx.de/pipermail/u-boot/2019-September/382573.html (import x509/pkcs7 parsers from linux)
[4] https://lists.denx.de/pipermail/u-boot/2019-September/382917.html (extend rsa_verify() for UEFI secure boot)
[5] https://lists.denx.de/pipermail/u-boot/2019-August/382027.html (sandbox: fix cpu property in test.dts for pytest)
[6] https://lists.denx.de/pipermail/u-boot/2019-September/382914.html (extend "env [set|print] -e" to manage UEFI variables v1)
[7] https://lists.denx.de/pipermail/u-boot/2019-September/383343.html (install FILE_SYSTEM_PROTOCOL to a whole disk)
[8] https://lists.denx.de/pipermail/u-boot/2019-September/383348.html (support Sandbox's "host" device)
[9] http://git.linaro.org/people/takahiro.akashi/u-boot.git/ efi/secboot
[10] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html (non-volatile variables support)
AKASHI Takahiro (15):
  lib: charset: add u16_str<n>cmp()
  test: add tests for u16_str<n>cmp()
  include: pe.h: add image-signing-related definitions
  include: image.h: add key info to image_sign_info
  include: image.h: export hash algorithm helper functions
  secure boot: rename CONFIG_SECURE_BOOT
  efi_loader: add signature verification functions
  efi_loader: variable: support variable authentication
  efi_loader: variable: add VendorKeys and SignatureSupport variables
  efi_loader: image_loader: support image authentication
  efi_loader: initialize secure boot state
  efi_loader: add CONFIG_EFI_SECURE_BOOT
  cmd: env: provide appropriate guid for well-defined variable
  efi_loader, pytest: add UEFI secure boot tests (image)
  efi_loader, pytest: add UEFI secure boot tests (authenticated variables)
 Kconfig                                       |   7 +
 arch/arm/cpu/armv7/ls102xa/Kconfig            |   3 +-
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig     |   3 +-
 arch/arm/mach-imx/Kconfig                     |   3 +-
 arch/powerpc/cpu/mpc85xx/Kconfig              |   3 +-
 cmd/nvedit_efi.c                              |  31 +-
 include/charset.h                             |  15 +
 include/efi_api.h                             |  47 +
 include/efi_loader.h                          |  58 +-
 include/image.h                               |  17 +-
 include/pe.h                                  |  16 +
 lib/charset.c                                 |  25 +
 lib/efi_loader/Kconfig                        |  13 +
 lib/efi_loader/Makefile                       |   1 +
 lib/efi_loader/efi_boottime.c                 |   2 +-
 lib/efi_loader/efi_image_loader.c             | 364 ++++++-
 lib/efi_loader/efi_setup.c                    |   5 +
 lib/efi_loader/efi_signature.c                | 602 ++++++++++++
 lib/efi_loader/efi_variable.c                 | 928 ++++++++++++++++--
 test/py/tests/test_efi_secboot/conftest.py    | 168 ++++
 test/py/tests/test_efi_secboot/defs.py        |   7 +
 .../py/tests/test_efi_secboot/test_authvar.py | 287 ++++++
 test/py/tests/test_efi_secboot/test_signed.py |  97 ++
 .../tests/test_efi_secboot/test_unsigned.py   | 126 +++
 test/unicode_ut.c                             |  13 +
 25 files changed, 2714 insertions(+), 127 deletions(-)
 create mode 100644 lib/efi_loader/efi_signature.c
 create mode 100644 test/py/tests/test_efi_secboot/conftest.py
 create mode 100644 test/py/tests/test_efi_secboot/defs.py
 create mode 100644 test/py/tests/test_efi_secboot/test_authvar.py
 create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
 create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py
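The "Supported features" list above says unsigned images are authenticated by their SHA256 digest against db and dbx, and the usage hints say the raw content of those variables is produced with efitools. The following is an added example, written for this page and not code from the patch series or from U-Boot, that models exactly that decision: it serializes digests into the EFI_SIGNATURE_LIST layout the UEFI specification defines (the same layout efitools' hash-to-efi-sig-list emits), parses it back defensively, and applies the rule that a dbx match rejects an image regardless of db. The GUID values are the specification's; the owner GUID, image bytes and store contents are constructed sample data. The signed-image path (EFI_CERT_X509_GUID entries verified against a PKCS7 signature in the PE file) is out of scope here.

```python
"""Minimal model of the UEFI db/dbx decision for an unsigned image.

Added example, not code from the patch series: it encodes SHA256 digests
in EFI_SIGNATURE_LIST form (the raw content of the db and dbx variables)
and applies the rule for EFI_CERT_SHA256_GUID entries: a digest found in
dbx is rejected, otherwise a digest found in db is accepted, otherwise
the image is rejected.  Standard library only.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16 bytes), SignatureListSize,
# SignatureHeaderSize, SignatureSize (UINT32 each, little-endian).
SIGLIST_HDR = "<16sIII"
SIGLIST_HDR_LEN = struct.calcsize(SIGLIST_HDR)  # 28
SHA256_LEN = 32


def build_sha256_siglist(digests, owner):
    """Serialize 32-byte digests into one EFI_SIGNATURE_LIST of type
    EFI_CERT_SHA256_GUID.  Each EFI_SIGNATURE_DATA entry is the
    SignatureOwner GUID followed by the digest (48 bytes in total)."""
    for d in digests:
        if len(d) != SHA256_LEN:
            raise ValueError("EFI_CERT_SHA256 entries carry a 32-byte digest")
    sig_size = 16 + SHA256_LEN
    body = b"".join(owner.bytes_le + d for d in digests)
    header = struct.pack(SIGLIST_HDR, EFI_CERT_SHA256_GUID.bytes_le,
                         SIGLIST_HDR_LEN + len(body), 0, sig_size)
    return header + body


def parse_siglists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return a list of
    (SignatureType, SignatureOwner, SignatureData) tuples.  Malformed input
    (truncated list, SignatureSize not dividing the body, entry shorter than
    an owner GUID) raises instead of being skipped: a signature store that
    cannot be parsed must not authorize anything."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(SIGLIST_HDR, blob, off)
        end = off + list_size
        data_off = off + SIGLIST_HDR_LEN + hdr_size
        if list_size < SIGLIST_HDR_LEN + hdr_size or end > len(blob):
            raise ValueError("SignatureListSize inconsistent with available data")
        if sig_size <= 16 or (end - data_off) % sig_size:
            raise ValueError("inconsistent SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        while data_off < end:
            owner = uuid.UUID(bytes_le=blob[data_off:data_off + 16])
            entries.append((sig_type, owner, blob[data_off + 16:data_off + sig_size]))
            data_off += sig_size
        off = end
    return entries


def authenticate_unsigned(image, db, dbx):
    """Decide whether an unsigned image may run.  Returns (allowed, reason).
    dbx is consulted first so a revoked digest can never be rescued by a
    matching db entry."""
    digest = hashlib.sha256(image).digest()

    def listed(store):
        return any(t == EFI_CERT_SHA256_GUID and data == digest
                   for t, _owner, data in parse_siglists(store))

    if listed(dbx):
        return False, "digest found in dbx"
    if listed(db):
        return True, "digest found in db"
    return False, "digest not in db"


# Constructed sample data: not real images, not real signature databases.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
IMAGE_TRUSTED = b"constructed sample image: trusted application"
IMAGE_REVOKED = b"constructed sample image: revoked application"
IMAGE_UNKNOWN = b"constructed sample image: never enrolled"


def sha256(data):
    return hashlib.sha256(data).digest()


# db lists both images; dbx lists only the revoked one, which must win.
SAMPLE_DB = build_sha256_siglist([sha256(IMAGE_TRUSTED), sha256(IMAGE_REVOKED)], SAMPLE_OWNER)
SAMPLE_DBX = build_sha256_siglist([sha256(IMAGE_REVOKED)], SAMPLE_OWNER)


def demo():
    """Run the three sample images through the db/dbx check."""
    return {name: authenticate_unsigned(img, SAMPLE_DB, SAMPLE_DBX)
            for name, img in (("trusted", IMAGE_TRUSTED),
                              ("revoked", IMAGE_REVOKED),
                              ("unknown", IMAGE_UNKNOWN))}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} -> {'allowed' if ok else 'denied'} ({why})")
```

Two points worth noticing when comparing this with a real implementation: an empty or unparsable store denies everything (the default is deny, never allow), and the parser bounds every offset against SignatureListSize and SignatureSize before reading, since db and dbx contents are written through authenticated variable updates but are still attacker-influenced input to the loader.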