From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Cc: u-boot@lists.denx.de, Alexander Graf <agraf@csgraf.de>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: Re: [PATCH v2 3/6] efi_loader: don't load signature database from file
Date: Fri, 27 Aug 2021 13:12:03 +0900 [thread overview]
Message-ID: <20210827041203.GE52912@laputa> (raw)
In-Reply-To: <20210826134805.148975-4-heinrich.schuchardt@canonical.com>
On Thu, Aug 26, 2021 at 03:48:02PM +0200, Heinrich Schuchardt wrote:
> The UEFI specification requires that the signature database may only be
> stored in tamper-resistant storage. So these variable may not be read
> from an unsigned file.
I don't have a strong opinion here, but it seems to be too restrictive.
Nobody expects that file-based variable implementation is *safe*.
Leave it as it is so that people can easily experiment secure boot.
-Takahiro Akashi
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
> ---
> v2:
> no change
> ---
> include/efi_variable.h | 5 +++-
> lib/efi_loader/efi_var_common.c | 2 --
> lib/efi_loader/efi_var_file.c | 41 ++++++++++++++++++++-------------
> lib/efi_loader/efi_variable.c | 2 +-
> 4 files changed, 30 insertions(+), 20 deletions(-)
>
> diff --git a/include/efi_variable.h b/include/efi_variable.h
> index 4623a64142..2d97655e1f 100644
> --- a/include/efi_variable.h
> +++ b/include/efi_variable.h
> @@ -161,10 +161,13 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t *
> /**
> * efi_var_restore() - restore EFI variables from buffer
> *
> + * Only if @safe is set secure boot related variables will be restored.
> + *
> * @buf: buffer
> + * @safe: restoring from tamper-resistant storage
> * Return: status code
> */
> -efi_status_t efi_var_restore(struct efi_var_file *buf);
> +efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe);
>
> /**
> * efi_var_from_file() - read variables from file
> diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
> index cf7afecd60..b0c5b672c5 100644
> --- a/lib/efi_loader/efi_var_common.c
> +++ b/lib/efi_loader/efi_var_common.c
> @@ -32,10 +32,8 @@ static const struct efi_auth_var_name_type name_type[] = {
> {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
> {u"db", &efi_guid_image_security_database, EFI_AUTH_VAR_DB},
> {u"dbx", &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
> - /* not used yet
> {u"dbt", &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
> {u"dbr", &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
> - */
> };
>
> static bool efi_secure_boot;
> diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c
> index de076b8cbc..c7c6805ed0 100644
> --- a/lib/efi_loader/efi_var_file.c
> +++ b/lib/efi_loader/efi_var_file.c
> @@ -148,9 +148,10 @@ error:
> #endif
> }
>
> -efi_status_t efi_var_restore(struct efi_var_file *buf)
> +efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
> {
> struct efi_var_entry *var, *last_var;
> + u16 *data;
> efi_status_t ret;
>
> if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC ||
> @@ -160,21 +161,29 @@ efi_status_t efi_var_restore(struct efi_var_file *buf)
> return EFI_INVALID_PARAMETER;
> }
>
> - var = buf->var;
> last_var = (struct efi_var_entry *)((u8 *)buf + buf->length);
> - while (var < last_var) {
> - u16 *data = var->name + u16_strlen(var->name) + 1;
> -
> - if (var->attr & EFI_VARIABLE_NON_VOLATILE && var->length) {
> - ret = efi_var_mem_ins(var->name, &var->guid, var->attr,
> - var->length, data, 0, NULL,
> - var->time);
> - if (ret != EFI_SUCCESS)
> - log_err("Failed to set EFI variable %ls\n",
> - var->name);
> - }
> - var = (struct efi_var_entry *)
> - ALIGN((uintptr_t)data + var->length, 8);
> + for (var = buf->var; var < last_var;
> + var = (struct efi_var_entry *)
> + ALIGN((uintptr_t)data + var->length, 8)) {
> +
> + data = var->name + u16_strlen(var->name) + 1;
> +
> + /*
> + * Secure boot related and non-volatile variables shall only be
> + * restored from U-Boot's preseed.
> + */
> + if (!safe &&
> + (efi_auth_var_get_type(var->name, &var->guid) !=
> + EFI_AUTH_VAR_NONE ||
> + !(var->attr & EFI_VARIABLE_NON_VOLATILE)))
> + continue;
> + if (!var->length)
> + continue;
> + ret = efi_var_mem_ins(var->name, &var->guid, var->attr,
> + var->length, data, 0, NULL,
> + var->time);
> + if (ret != EFI_SUCCESS)
> + log_err("Failed to set EFI variable %ls\n", var->name);
> }
> return EFI_SUCCESS;
> }
> @@ -213,7 +222,7 @@ efi_status_t efi_var_from_file(void)
> log_err("Failed to load EFI variables\n");
> goto error;
> }
> - if (buf->length != len || efi_var_restore(buf) != EFI_SUCCESS)
> + if (buf->length != len || efi_var_restore(buf, false) != EFI_SUCCESS)
> log_err("Invalid EFI variables file\n");
> error:
> free(buf);
> diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
> index ba0874e9e7..a7d305ffbc 100644
> --- a/lib/efi_loader/efi_variable.c
> +++ b/lib/efi_loader/efi_variable.c
> @@ -426,7 +426,7 @@ efi_status_t efi_init_variables(void)
>
> if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
> ret = efi_var_restore((struct efi_var_file *)
> - __efi_var_file_begin);
> + __efi_var_file_begin, true);
> if (ret != EFI_SUCCESS)
> log_err("Invalid EFI variable seed\n");
> }
> --
> 2.30.2
>
next prev parent reply other threads:[~2021-08-27 4:12 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-26 13:47 [PATCH v2 0/6] efi_loader: fix secure boot mode transitions Heinrich Schuchardt
2021-08-26 13:48 ` [PATCH v2 1/6] efi_loader: stop recursion in efi_init_secure_state Heinrich Schuchardt
2021-08-27 2:26 ` AKASHI Takahiro
2021-08-26 13:48 ` [PATCH v2 2/6] efi_loader: correct determination of secure boot state Heinrich Schuchardt
2021-08-26 13:48 ` [PATCH v2 3/6] efi_loader: don't load signature database from file Heinrich Schuchardt
2021-08-27 4:12 ` AKASHI Takahiro [this message]
2021-08-27 4:42 ` Heinrich Schuchardt
2021-08-27 4:49 ` AKASHI Takahiro
2021-08-27 4:51 ` AKASHI Takahiro
2021-08-27 5:22 ` Heinrich Schuchardt
2021-08-26 13:48 ` [PATCH v2 4/6] efi_loader: correct secure boot state transition Heinrich Schuchardt
2021-08-26 13:48 ` [PATCH v2 5/6] efi_loader: writing AuditMode, DeployedMode Heinrich Schuchardt
2021-08-27 3:05 ` AKASHI Takahiro
2021-08-27 4:09 ` Heinrich Schuchardt
2021-08-27 9:23 ` Ilias Apalodimas
2021-08-26 13:48 ` [PATCH v2 6/6] efi_loader: always initialize the secure boot state Heinrich Schuchardt
2021-08-27 3:53 ` AKASHI Takahiro
2021-08-27 4:34 ` Heinrich Schuchardt
2021-08-27 4:47 ` AKASHI Takahiro
2021-08-27 4:53 ` Heinrich Schuchardt
2021-08-27 3:59 ` [PATCH v2 0/6] efi_loader: fix secure boot mode transitions AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210827041203.GE52912@laputa \
--to=takahiro.akashi@linaro.org \
--cc=agraf@csgraf.de \
--cc=heinrich.schuchardt@canonical.com \
--cc=ilias.apalodimas@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.