efi_loader: add signature verification functions
In this commit, implemented are a couple of helper functions which will be used to materialize variable authentication as well as image authentication in later patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This commit is contained in:
AKASHI Takahiro
committed by
Heinrich Schuchardt
Heinrich Schuchardt
parent
9bf09b5120
commit
593e17d673
@@ -18,6 +18,7 @@
|
||||
|
||||
#include <efi.h>
|
||||
#include <charset.h>
|
||||
#include <pe.h>
|
||||
|
||||
#ifdef CONFIG_EFI_LOADER
|
||||
#include <asm/setjmp.h>
|
||||
@@ -329,6 +330,10 @@ struct efi_runtime_services {
|
||||
EFI_GUID(0x8be4df61, 0x93ca, 0x11d2, 0xaa, 0x0d, \
|
||||
0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c)
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, \
|
||||
0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
||||
|
||||
#define EFI_FDT_GUID \
|
||||
EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, \
|
||||
0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
|
||||
@@ -1682,4 +1687,86 @@ struct efi_load_file_protocol {
|
||||
#define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MIN 0x00001000
|
||||
#define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MAX 0x00004000
|
||||
|
||||
/* Certificate types in signature database */
|
||||
#define EFI_CERT_SHA256_GUID \
|
||||
EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, \
|
||||
0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
|
||||
#define EFI_CERT_RSA2048_GUID \
|
||||
EFI_GUID(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, \
|
||||
0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
|
||||
#define EFI_CERT_X509_GUID \
|
||||
EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, \
|
||||
0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
|
||||
#define EFI_CERT_X509_SHA256_GUID \
|
||||
EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \
|
||||
0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
|
||||
#define EFI_CERT_TYPE_PKCS7_GUID \
|
||||
EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
|
||||
0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
|
||||
|
||||
/**
|
||||
* win_certificate_uefi_guid - A certificate that encapsulates
|
||||
* a GUID-specific signature
|
||||
*
|
||||
* @hdr: Windows certificate header
|
||||
* @cert_type: Certificate type
|
||||
* @cert_data: Certificate data
|
||||
*/
|
||||
struct win_certificate_uefi_guid {
|
||||
WIN_CERTIFICATE hdr;
|
||||
efi_guid_t cert_type;
|
||||
u8 cert_data[];
|
||||
} __attribute__((__packed__));
|
||||
|
||||
/**
|
||||
* efi_variable_authentication_2 - A time-based authentication method
|
||||
* descriptor
|
||||
*
|
||||
* This structure describes an authentication information for
|
||||
* a variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
|
||||
* and should be included as part of a variable's value.
|
||||
* Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
|
||||
*
|
||||
* @time_stamp: Descriptor's time stamp
|
||||
* @auth_info: Authentication info
|
||||
*/
|
||||
struct efi_variable_authentication_2 {
|
||||
struct efi_time time_stamp;
|
||||
struct win_certificate_uefi_guid auth_info;
|
||||
} __attribute__((__packed__));
|
||||
|
||||
/**
|
||||
* efi_signature_data - A format of signature
|
||||
*
|
||||
* This structure describes a single signature in signature database.
|
||||
*
|
||||
* @signature_owner: Signature owner
|
||||
* @signature_data: Signature data
|
||||
*/
|
||||
struct efi_signature_data {
|
||||
efi_guid_t signature_owner;
|
||||
u8 signature_data[];
|
||||
} __attribute__((__packed__));
|
||||
|
||||
/**
|
||||
* efi_signature_list - A format of signature database
|
||||
*
|
||||
* This structure describes a list of signatures with the same type.
|
||||
* An authenticated variable's value is a concatenation of one or more
|
||||
* efi_signature_list's.
|
||||
*
|
||||
* @signature_type: Signature type
|
||||
* @signature_list_size: Size of signature list
|
||||
* @signature_header_size: Size of signature header
|
||||
* @signature_size: Size of signature
|
||||
*/
|
||||
struct efi_signature_list {
|
||||
efi_guid_t signature_type;
|
||||
u32 signature_list_size;
|
||||
u32 signature_header_size;
|
||||
u32 signature_size;
|
||||
/* u8 signature_header[signature_header_size]; */
|
||||
/* struct efi_signature_data signatures[...][signature_size]; */
|
||||
} __attribute__((__packed__));
|
||||
|
||||
#endif
|
||||
|
||||
@@ -26,6 +26,7 @@ static inline void *guidcpy(void *dst, const void *src)
|
||||
#if CONFIG_IS_ENABLED(EFI_LOADER)
|
||||
|
||||
#include <linux/list.h>
|
||||
#include <linux/oid_registry.h>
|
||||
|
||||
/* Maximum number of configuration tables */
|
||||
#define EFI_MAX_CONFIGURATION_TABLES 16
|
||||
@@ -178,6 +179,11 @@ extern const efi_guid_t efi_guid_hii_config_routing_protocol;
|
||||
extern const efi_guid_t efi_guid_hii_config_access_protocol;
|
||||
extern const efi_guid_t efi_guid_hii_database_protocol;
|
||||
extern const efi_guid_t efi_guid_hii_string_protocol;
|
||||
/* GUIDs for authentication */
|
||||
extern const efi_guid_t efi_guid_image_security_database;
|
||||
extern const efi_guid_t efi_guid_sha256;
|
||||
extern const efi_guid_t efi_guid_cert_x509;
|
||||
extern const efi_guid_t efi_guid_cert_x509_sha256;
|
||||
|
||||
/* GUID of RNG protocol */
|
||||
extern const efi_guid_t efi_guid_rng_protocol;
|
||||
@@ -680,6 +686,72 @@ void efi_deserialize_load_option(struct efi_load_option *lo, u8 *data);
|
||||
unsigned long efi_serialize_load_option(struct efi_load_option *lo, u8 **data);
|
||||
efi_status_t efi_bootmgr_load(efi_handle_t *handle);
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT
|
||||
#include <image.h>
|
||||
|
||||
/**
|
||||
* efi_image_regions - A list of memory regions
|
||||
*
|
||||
* @max: Maximum number of regions
|
||||
* @num: Number of regions
|
||||
* @reg: array of regions
|
||||
*/
|
||||
struct efi_image_regions {
|
||||
int max;
|
||||
int num;
|
||||
struct image_region reg[];
|
||||
};
|
||||
|
||||
/**
|
||||
* efi_sig_data - A decoded data of struct efi_signature_data
|
||||
*
|
||||
* This structure represents an internal form of signature in
|
||||
* signature database. A listed list may represent a signature list.
|
||||
*
|
||||
* @next: Pointer to next entry
|
||||
* @onwer: Signature owner
|
||||
* @data: Pointer to signature data
|
||||
* @size: Size of signature data
|
||||
*/
|
||||
struct efi_sig_data {
|
||||
struct efi_sig_data *next;
|
||||
efi_guid_t owner;
|
||||
void *data;
|
||||
size_t size;
|
||||
};
|
||||
|
||||
/**
|
||||
* efi_signature_store - A decoded data of signature database
|
||||
*
|
||||
* This structure represents an internal form of signature database.
|
||||
*
|
||||
* @next: Pointer to next entry
|
||||
* @sig_type: Signature type
|
||||
* @sig_data_list: Pointer to signature list
|
||||
*/
|
||||
struct efi_signature_store {
|
||||
struct efi_signature_store *next;
|
||||
efi_guid_t sig_type;
|
||||
struct efi_sig_data *sig_data_list;
|
||||
};
|
||||
|
||||
struct x509_certificate;
|
||||
struct pkcs7_message;
|
||||
|
||||
bool efi_signature_verify_cert(struct x509_certificate *cert,
|
||||
struct efi_signature_store *dbx);
|
||||
bool efi_signature_verify_signers(struct pkcs7_message *msg,
|
||||
struct efi_signature_store *dbx);
|
||||
bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg,
|
||||
struct efi_signature_store *db,
|
||||
struct x509_certificate **cert);
|
||||
|
||||
efi_status_t efi_image_region_add(struct efi_image_regions *regs,
|
||||
const void *start, const void *end,
|
||||
int nocheck);
|
||||
#endif /* CONFIG_EFI_SECURE_BOOT */
|
||||
|
||||
#else /* CONFIG_IS_ENABLED(EFI_LOADER) */
|
||||
|
||||
/* Without CONFIG_EFI_LOADER we don't have a runtime section, stub it out */
|
||||
|
||||
Reference in New Issue
Block a user