From patchwork Tue Aug 29 20:01:15 2017
X-Patchwork-Submitter: Daniel Kiper
X-Patchwork-Id: 9928205
Date: Tue, 29 Aug 2017 22:01:15 +0200
From: Daniel Kiper
To: Tamas K Lengyel
Cc: "xen-users@lists.xen.org", "george.dunlap@citrix.com", "Bill Jacobs (billjac)", "xen-devel@lists.xen.org"
Message-ID: <20170829200115.GF4452@olila.local.net-space.pl>
References: <20170515131252.GZ30364@olila.local.net-space.pl> <3e4a14aa5a70417487412e4a5049f89d@XCH-RTP-007.cisco.com> <20170516110450.GA30364@olila.local.net-space.pl>
Subject: Re: [Xen-devel] [Xen-users] UEFI Secure Boot Xen 4.9
List-Id: Xen developer discussion

Hey Tamas,

Sorry for the late reply. I was on vacation.

On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper wrote:
[...]
> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> > your kernel can verify modules using whatever you want.
> >
> >> I would be happy to work to help achieve this.
> >
> > There is a chance that I will have something very raw at the beginning
> > of June. If you wish to do tests drop me a line.
>
> Hi Daniel,
> is there any news on this? I would be interested in giving this a shot too.

Please look at https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
and at https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html

Attachments contain the same patches as above but rebased on latest GRUB2 and Xen
git repositories. Due to some travel I am going to restart work on this in the
second half of September.
If you have any questions please drop me a line. Daniel From 8458d7904886ca4bea059d103dac2ba50e53c13b Mon Sep 17 00:00:00 2001 From: Daniel Kiper Date: Sat, 8 Jul 2017 23:32:36 +0200 Subject: [PATCH] efi: Add EFI shim lock verifier This is based on git://git.savannah.gnu.org/grub.git phcoder/verifiers branch. Just an RFC. TODO: - disable the GRUB2 modules load/unload, - disable the dangerous modules, e.g. iorw, memrw. Signed-off-by: Daniel Kiper --- grub-core/Makefile.core.def | 6 +++ grub-core/commands/efi/shim_lock.c | 100 ++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 grub-core/commands/efi/shim_lock.c diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index 16c4d0e..c38e4a8 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -905,6 +905,12 @@ module = { }; module = { + name = shim_lock; + common = commands/efi/shim_lock.c; + enable = x86_64_efi; +}; + +module = { name = hdparm; common = commands/hdparm.c; common = lib/hexdump.c; diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c new file mode 100644 index 0000000..40d2b25 --- /dev/null +++ b/grub-core/commands/efi/shim_lock.c 
@@ -0,0 +1,100 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2017 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + * + * EFI shim lock verifier. + * + */ + +#include +#include +#include +#include +#include + +GRUB_MOD_LICENSE ("GPLv3+"); + +#define GRUB_EFI_SHIM_LOCK_GUID \ + { 0x605dab50, 0xe046, 0x4300, \ + { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \ + } + +struct grub_efi_shim_lock_protocol +{ + grub_efi_status_t + (*verify) (void *buffer, + grub_uint32_t size); +}; +typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t; + +static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; +static grub_efi_shim_lock_protocol_t *sl; + +static grub_err_t +shim_lock_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type, + void **context __attribute__ ((unused)), enum grub_verify_flags *flags) +{ + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; + + if (!sl) + return GRUB_ERR_NONE; + + switch (type & GRUB_FILE_TYPE_MASK) + { + case GRUB_FILE_TYPE_LINUX_KERNEL: + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: + case GRUB_FILE_TYPE_BSD_KERNEL: + case GRUB_FILE_TYPE_XNU_KERNEL: + case GRUB_FILE_TYPE_PLAN9_KERNEL: + *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; + + default: + return GRUB_ERR_NONE; + } +} + +static grub_err_t +shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size) +{ + if (sl->verify (buf, size) != 
GRUB_EFI_SUCCESS) + return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature")); + + return GRUB_ERR_NONE; +} + +static void +shim_lock_close (void *context __attribute__ ((unused))) +{ +} + +struct grub_file_verifier shim_lock = + { + .name = "shim_lock", + .init = shim_lock_init, + .write = shim_lock_write, + .close = shim_lock_close + }; + +GRUB_MOD_INIT(shim_lock) +{ + sl = grub_efi_locate_protocol (&shim_lock_guid, 0); + grub_verifier_register (&shim_lock); +} + +GRUB_MOD_FINI(shim_lock) +{ + grub_verifier_unregister (&shim_lock); +} -- 1.7.10.4
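Review bot: in the Makefile.core.def hunk, `enable = x86_64_efi;` limits the new module to a single target even though nothing in shim_lock.c is architecture specific (it only calls grub_efi_locate_protocol on the shim lock GUID and registers a verifier). If leaving out i386_efi and arm64_efi is deliberate for the RFC, say so in the commit message; otherwise `enable = efi;` would build it for every EFI target.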
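Review bot: shim_lock_init in the shim_lock.c hunk fails open when the protocol is missing: `if (!sl) return GRUB_ERR_NONE;` leaves `*flags` at GRUB_VERIFY_FLAGS_SKIP_VERIFICATION, so a GRUB image started under Secure Boot without shim (or with a shim that does not install the protocol) loads every kernel unverified and logs nothing. Consider checking the UEFI SecureBoot variable at module init and returning GRUB_ERR_ACCESS_DENIED for kernel file types when it is set and `sl` is NULL, plus a grub_dprintf whenever verification is skipped, so the failure is visible. Two smaller points in the same file: the `case GRUB_FILE_TYPE_PLAN9_KERNEL:` arm deliberately falls through into `default:` after setting GRUB_VERIFY_FLAGS_SINGLE_CHUNK and should carry a `/* Fall through. */` comment so the intent survives -Wimplicit-fallthrough; and shim_lock_write hands a grub_size_t `size` to `verify (void *buffer, grub_uint32_t size)`, so a file larger than 4 GiB would be silently truncated to its low 32 bits rather than rejected before the call.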