From: Daniel Kiper <daniel.kiper@oracle.com>
To: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Cc: "xen-users@lists.xen.org" <xen-users@lists.xen.org>,
	"george.dunlap@citrix.com" <george.dunlap@citrix.com>,
	"Bill Jacobs (billjac)" <billjac@cisco.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
Date: Tue, 29 Aug 2017 22:01:15 +0200	[thread overview]
Message-ID: <20170829200115.GF4452@olila.local.net-space.pl> (raw)
In-Reply-To: <CABfawhm2T53as5iErq9K5aUebBzDYS-=xRYyA=JjYQ7iuaXbcQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1192 bytes --]

Hey Tamas,

Sorry for the late reply. I was on vacation.

On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:

[...]

> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> > your kernel can verify modules using whatever you want.
> >
> >> I would be happy to work to help achieve this.
> >
> > There is a chance that I will have something very raw at the beginning
> > of June. If you wish to do tests drop me a line.
>
> Hi Daniel,
> is there any news on this? I would be interested in giving this a shot too.

Please look at

  https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html

and at

  https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html

Attachments contain the same patches as above but rebased on latest
GRUB2 and Xen git repositories.

Due to some travel I am going to restart work on this in the second
half of September.

If you have any questions please drop me a line.

Daniel
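
The verification chain described in the quoted text above (shim verifies GRUB2, GRUB2 asks shim to verify the next image through the shim lock protocol) can be modelled stand-alone. The following C program is an added example, not code from the GRUB patch, from Xen, or from anyone in this thread. It mirrors the shape of GRUB's verifier hooks (an init hook that decides per file type whether to skip or to verify the whole image as a single chunk, and a write hook that calls the protocol), but every name in it (`file_type`, `verify_flags`, `stub_verify`, `load_image`, the scenario functions) and the constructed sample images are assumptions made for the example; the "signature" check is a stand-in FNV-1a digest allow-list, not Authenticode. It also shows one behaviour the patch does not have: failing closed when Secure Boot is on but no shim lock protocol was found.

```c
/* Added example (not from the GRUB patch or the Xen thread): a model of the
 * verifier pipeline a shim-lock style verifier plugs into. All names and the
 * digest-based "signature" check are constructed stand-ins for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* File types and verifier flags, modelled on the enums the patch uses. */
enum file_type { FT_LINUX_KERNEL, FT_MULTIBOOT_KERNEL, FT_GRUB_MODULE, FT_CONFIG };
enum verify_flags { VF_SKIP_VERIFICATION = 1, VF_SINGLE_CHUNK = 2 };
enum status { ST_OK = 0, ST_BAD_SIGNATURE, ST_NO_SHIM_LOCK };

/* Stand-in for the shim lock protocol: real shim checks an Authenticode
 * signature against its trust database; this stub compares an FNV-1a digest
 * against a small allow-list of images that "were signed". */
static uint64_t fnv1a(const void *buf, size_t n)
{
  const unsigned char *p = buf;
  uint64_t h = 14695981039346656037ULL;
  for (size_t i = 0; i < n; i++) {
    h ^= p[i];
    h *= 1099511628211ULL;
  }
  return h;
}

static uint64_t trusted[8];
static size_t ntrusted;

static void stub_reset(void) { ntrusted = 0; }
static void stub_trust(const void *buf, uint32_t n)
{
  if (ntrusted < 8) trusted[ntrusted++] = fnv1a(buf, n);
}
/* Same shape as the protocol's verify(): 0 means success, like EFI_SUCCESS. */
static int stub_verify(const void *buf, uint32_t n)
{
  uint64_t d = fnv1a(buf, n);
  for (size_t i = 0; i < ntrusted; i++)
    if (trusted[i] == d) return 0;
  return 1;
}

typedef int (*shim_verify_fn)(const void *buf, uint32_t size);
struct verifier { shim_verify_fn verify; int secure_boot; };

/* init hook: only kernel-type files are verified, and they are handed over as
 * one chunk. Addition over the patch: fail closed when Secure Boot is on but no
 * shim lock protocol was located, instead of silently skipping verification. */
static enum status verifier_init(const struct verifier *v, enum file_type t, unsigned *flags)
{
  *flags = VF_SKIP_VERIFICATION;
  switch (t) {
  case FT_LINUX_KERNEL:
  case FT_MULTIBOOT_KERNEL:
    if (!v->verify)
      return v->secure_boot ? ST_NO_SHIM_LOCK : ST_OK;
    *flags = VF_SINGLE_CHUNK;
    return ST_OK;
  default:
    return ST_OK;
  }
}

/* write hook: hand the buffered image to the protocol. */
static enum status verifier_write(const struct verifier *v, const void *buf, uint32_t n)
{
  return v->verify(buf, n) == 0 ? ST_OK : ST_BAD_SIGNATURE;
}

/* Loader side: init decides; with SINGLE_CHUNK the whole image is buffered and
 * passed to write() once before any byte of it is used. */
enum status load_image(const struct verifier *v, enum file_type t, const void *img, uint32_t n)
{
  unsigned flags;
  enum status s = verifier_init(v, t, &flags);
  if (s != ST_OK) return s;
  if (flags & VF_SKIP_VERIFICATION) return ST_OK;
  return verifier_write(v, img, n);
}

/* Constructed sample images (not real kernels). */
static const char good_kernel[] = "vmlinuz:signed-by-distro";
static const char evil_kernel[] = "vmlinuz:signed-by-distro!";

enum status scenario_trusted_kernel(void)
{
  struct verifier v = { stub_verify, 1 };
  stub_reset(); stub_trust(good_kernel, sizeof good_kernel);
  return load_image(&v, FT_LINUX_KERNEL, good_kernel, sizeof good_kernel);
}
enum status scenario_tampered_kernel(void)
{
  struct verifier v = { stub_verify, 1 };
  stub_reset(); stub_trust(good_kernel, sizeof good_kernel);
  return load_image(&v, FT_MULTIBOOT_KERNEL, evil_kernel, sizeof evil_kernel);
}
enum status scenario_config_not_verified(void)
{
  struct verifier v = { stub_verify, 1 };
  stub_reset();
  return load_image(&v, FT_CONFIG, evil_kernel, sizeof evil_kernel);
}
enum status scenario_no_shim_secure_boot(void)
{
  struct verifier v = { NULL, 1 };
  return load_image(&v, FT_LINUX_KERNEL, good_kernel, sizeof good_kernel);
}
enum status scenario_no_shim_setup_mode(void)
{
  struct verifier v = { NULL, 0 };
  return load_image(&v, FT_LINUX_KERNEL, good_kernel, sizeof good_kernel);
}

int main(void)
{
  printf("trusted kernel: %d\n", scenario_trusted_kernel());
  printf("tampered kernel: %d\n", scenario_tampered_kernel());
  printf("config file (skipped): %d\n", scenario_config_not_verified());
  printf("no shim lock, Secure Boot on: %d\n", scenario_no_shim_secure_boot());
  printf("no shim lock, Secure Boot off: %d\n", scenario_no_shim_setup_mode());
  return 0;
}
```

The scenarios line up with what the patch does on the kernel path: a trusted image passes, a one-byte change is rejected as a bad signature, and non-kernel files (config, modules) are never handed to the protocol, which is why the commit message's TODO about disabling module loading and the iorw/memrw modules matters. The last two scenarios are the added fail-closed behaviour: a missing protocol is only acceptable when Secure Boot is off.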

[-- Attachment #2: 0001-efi-Add-EFI-shim-lock-verifier.patch --]
[-- Type: text/x-diff, Size: 4023 bytes --]

From 8458d7904886ca4bea059d103dac2ba50e53c13b Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Sat, 8 Jul 2017 23:32:36 +0200
Subject: [PATCH] efi: Add EFI shim lock verifier

This is based on git://git.savannah.gnu.org/grub.git phcoder/verifiers branch.

Just an RFC.

TODO:
  - disable the GRUB2 modules load/unload,
  - disable the dangerous modules, e.g. iorw, memrw.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/Makefile.core.def        |    6 +++
 grub-core/commands/efi/shim_lock.c |  100 ++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 grub-core/commands/efi/shim_lock.c

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16c4d0e..c38e4a8 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -905,6 +905,12 @@ module = {
 };
 
 module = {
+  name = shim_lock;
+  common = commands/efi/shim_lock.c;
+  enable = x86_64_efi;
+};
+
+module = {
   name = hdparm;
   common = commands/hdparm.c;
   common = lib/hexdump.c;
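Review bot: `enable = x86_64_efi;` limits the new module to 64-bit EFI builds; if the shim lock protocol is also meant to be used on the other EFI targets GRUB builds for (i386_efi at least), the enable line needs extending, and otherwise the reason for restricting it to x86_64_efi deserves a sentence in the commit message.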
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
new file mode 100644
index 0000000..40d2b25
--- /dev/null
+++ b/grub-core/commands/efi/shim_lock.c
@@ -0,0 +1,100 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2017  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  EFI shim lock verifier.
+ *
+ */
+
+#include <grub/dl.h>
+#include <grub/efi/efi.h>
+#include <grub/err.h>
+#include <grub/file.h>
+#include <grub/verify.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define GRUB_EFI_SHIM_LOCK_GUID \
+  { 0x605dab50, 0xe046, 0x4300, \
+    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
+  }
+
+struct grub_efi_shim_lock_protocol
+{
+  grub_efi_status_t
+  (*verify) (void *buffer,
+	     grub_uint32_t size);
+};
+typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
+
+static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static grub_efi_shim_lock_protocol_t *sl;
+
+static grub_err_t
+shim_lock_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type,
+	       void **context __attribute__ ((unused)), enum grub_verify_flags *flags)
+{
+  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+
+  if (!sl)
+    return GRUB_ERR_NONE;
+
+  switch (type & GRUB_FILE_TYPE_MASK)
+    {
+    case GRUB_FILE_TYPE_LINUX_KERNEL:
+    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+    case GRUB_FILE_TYPE_BSD_KERNEL:
+    case GRUB_FILE_TYPE_XNU_KERNEL:
+    case GRUB_FILE_TYPE_PLAN9_KERNEL:
+      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+    default:
+      return GRUB_ERR_NONE;
+    }
+}
+
+static grub_err_t
+shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
+{
+  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
+
+  return GRUB_ERR_NONE;
+}
+
+static void
+shim_lock_close (void *context __attribute__ ((unused)))
+{
+}
+
+struct grub_file_verifier shim_lock =
+  {
+    .name = "shim_lock",
+    .init = shim_lock_init,
+    .write = shim_lock_write,
+    .close = shim_lock_close
+  };
+
+GRUB_MOD_INIT(shim_lock)
+{
+  sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
+  grub_verifier_register (&shim_lock);
+}
+
+GRUB_MOD_FINI(shim_lock)
+{
+  grub_verifier_unregister (&shim_lock);
+}
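Review bot: in `shim_lock_init`, when `sl` is NULL the hook leaves `*flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION` and returns `GRUB_ERR_NONE`, so a GRUB built with this module but started where no shim lock protocol is installed loads kernels unverified without any error; consider checking whether Secure Boot is enabled in that case and returning an error rather than silently skipping, since the whole point of the chain is that the kernel is only loaded if shim vouches for it. Two smaller points: the kernel cases fall through into `default:` after setting `GRUB_VERIFY_FLAGS_SINGLE_CHUNK` (a `break;` or an explicit fallthrough comment would make that intended), and `shim_lock_write` passes its `grub_size_t size` into the protocol's `grub_uint32_t size` parameter, which silently truncates on 64-bit builds; an explicit range check before the call would avoid verifying a different length than was buffered.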
-- 
1.7.10.4


[-- Attachment #3: xen_mb2_efi_sb_rfc_rebase_20170829.tgz --]
[-- Type: application/x-gtar-compressed, Size: 7869 bytes --]

