efi: capsule: Add support for uefi capsule authentication
authorSughosh Ganu <sughosh.ganu@linaro.org>
Wed, 30 Dec 2020 13:57:09 +0000 (19:27 +0530)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Thu, 31 Dec 2020 13:41:31 +0000 (14:41 +0100)
Add support for authenticating uefi capsules. Most of the signature
verification functionality is shared with the uefi secure boot
feature.

The root certificate containing the public key used for the signature
verification is stored as part of the device tree blob. The root
certificate is stored as an efi signature list(esl) file -- this file
contains the x509 certificate which is the root certificate.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
board/emulation/common/Makefile
board/emulation/common/qemu_capsule.c [new file with mode: 0644]
include/efi_api.h
include/efi_loader.h
lib/efi_loader/Kconfig
lib/efi_loader/efi_capsule.c
lib/efi_loader/efi_signature.c

index c5b452e7e341f9d2cab8ed32763bddf9b4c802a4..7ed447a69dce9d923ad161a36df96175d0e59045 100644 (file)
@@ -2,3 +2,4 @@
 
 obj-$(CONFIG_SYS_MTDPARTS_RUNTIME) += qemu_mtdparts.o
 obj-$(CONFIG_SET_DFU_ALT_INFO) += qemu_dfu.o
+obj-$(CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT) += qemu_capsule.o
diff --git a/board/emulation/common/qemu_capsule.c b/board/emulation/common/qemu_capsule.c
new file mode 100644 (file)
index 0000000..f1d4035
--- /dev/null
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2020 Linaro Limited
+ */
+
+#include <common.h>
+#include <efi_api.h>
+#include <efi_loader.h>
+#include <env.h>
+#include <fdtdec.h>
+
+DECLARE_GLOBAL_DATA_PTR;
+
+int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
+{
+       const void *fdt_blob = gd->fdt_blob;
+       const void *blob;
+       const char *cnode_name = "capsule-key";
+       const char *snode_name = "signature";
+       int sig_node;
+       int len;
+
+       sig_node = fdt_subnode_offset(fdt_blob, 0, snode_name);
+       if (sig_node < 0) {
+               EFI_PRINT("Unable to get signature node offset\n");
+               return -FDT_ERR_NOTFOUND;
+       }
+
+       blob = fdt_getprop(fdt_blob, sig_node, cnode_name, &len);
+
+       if (!blob || len < 0) {
+               EFI_PRINT("Unable to get capsule-key value\n");
+               *pkey = NULL;
+               *pkey_len = 0;
+               return -FDT_ERR_NOTFOUND;
+       }
+
+       *pkey = (void *)blob;
+       *pkey_len = len;
+
+       return 0;
+}
+
+bool efi_capsule_auth_enabled(void)
+{
+       return env_get("capsule_authentication_enabled") != NULL ?
+               true : false;
+}
index e82d4ca9ff4fdeac20fab82a96a08dc7ea790f30..ecb43a06070934bdbcbbbe998b89345a407c8092 100644 (file)
@@ -1812,6 +1812,24 @@ struct efi_variable_authentication_2 {
        struct win_certificate_uefi_guid auth_info;
 } __attribute__((__packed__));
 
+/**
+ * efi_firmware_image_authentication - Capsule authentication method
+ * descriptor
+ *
+ * This structure describes an authentication information for
+ * a capsule with IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED set
+ * and should be included as part of the capsule.
+ * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
+ *
+ * @monotonic_count: Count to prevent replay
+ * @auth_info: Authentication info
+ */
+struct efi_firmware_image_authentication {
+       uint64_t monotonic_count;
+       struct win_certificate_uefi_guid auth_info;
+} __attribute__((__packed__));
+
+
 /**
  * efi_signature_data - A format of signature
  *
index 7fd65eeb8db9f0da0fa5b3851707792389679dbb..4719fa93f06dece1e668e9e8ebadbc9cedf66bc5 100644 (file)
@@ -819,6 +819,8 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name);
 
 bool efi_secure_boot_enabled(void);
 
+bool efi_capsule_auth_enabled(void);
+
 bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
                     WIN_CERTIFICATE **auth, size_t *auth_len);
 
@@ -847,6 +849,10 @@ efi_status_t EFIAPI efi_query_capsule_caps(
                u64 *maximum_capsule_size,
                u32 *reset_type);
 
+efi_status_t efi_capsule_authenticate(const void *capsule,
+                                     efi_uintn_t capsule_size,
+                                     void **image, efi_uintn_t *image_size);
+
 #define EFI_CAPSULE_DIR L"\\EFI\\UpdateCapsule\\"
 
 /* Hook at initialization */
index e7804913574fb1646143ca47e88dbe6eaaaec79e..fdf245dea30b2a8156828f11ff7efa9432e7fc89 100644 (file)
@@ -153,6 +153,23 @@ config EFI_CAPSULE_FIRMWARE_MANAGEMENT
          Select this option if you want to enable capsule-based
          firmware update using Firmware Management Protocol.
 
+config EFI_CAPSULE_AUTHENTICATE
+       bool "Update Capsule authentication"
+       depends on EFI_CAPSULE_FIRMWARE
+       depends on EFI_CAPSULE_ON_DISK
+       depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
+       select SHA256
+       select RSA
+       select RSA_VERIFY
+       select RSA_VERIFY_WITH_PKEY
+       select X509_CERTIFICATE_PARSER
+       select PKCS7_MESSAGE_PARSER
+       select PKCS7_VERIFY
+       default n
+       help
+         Select this option if you want to enable capsule
+         authentication
+
 config EFI_CAPSULE_FIRMWARE_FIT
        bool "FMP driver for FIT image"
        depends on EFI_CAPSULE_FIRMWARE_MANAGEMENT
index 4ef2546267866cd32a2286088c84058744ba591e..dad1b0fcf7c06b4768da58504f90993778e72355 100644 (file)
 #include <mapmem.h>
 #include <sort.h>
 
+#include <crypto/pkcs7.h>
+#include <crypto/pkcs7_parser.h>
+#include <linux/err.h>
+
 const efi_guid_t efi_guid_capsule_report = EFI_CAPSULE_REPORT_GUID;
 static const efi_guid_t efi_guid_firmware_management_capsule_id =
                EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
@@ -191,6 +195,124 @@ skip:
        return NULL;
 }
 
+#if defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
+
+const efi_guid_t efi_guid_capsule_root_cert_guid =
+       EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID;
+
+__weak int efi_get_public_key_data(void **pkey, efi_uintn_t *pkey_len)
+{
+       /* The platform is supposed to provide
+        * a method for getting the public key
+        * stored in the form of efi signature
+        * list
+        */
+       return 0;
+}
+
+efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
+                                     void **image, efi_uintn_t *image_size)
+{
+       u8 *buf;
+       int ret;
+       void *fdt_pkey, *pkey;
+       efi_uintn_t pkey_len;
+       uint64_t monotonic_count;
+       struct efi_signature_store *truststore;
+       struct pkcs7_message *capsule_sig;
+       struct efi_image_regions *regs;
+       struct efi_firmware_image_authentication *auth_hdr;
+       efi_status_t status;
+
+       status = EFI_SECURITY_VIOLATION;
+       capsule_sig = NULL;
+       truststore = NULL;
+       regs = NULL;
+
+       /* Sanity checks */
+       if (capsule == NULL || capsule_size == 0)
+               goto out;
+
+       auth_hdr = (struct efi_firmware_image_authentication *)capsule;
+       if (capsule_size < sizeof(*auth_hdr))
+               goto out;
+
+       if (auth_hdr->auth_info.hdr.dwLength <=
+           offsetof(struct win_certificate_uefi_guid, cert_data))
+               goto out;
+
+       if (guidcmp(&auth_hdr->auth_info.cert_type, &efi_guid_cert_type_pkcs7))
+               goto out;
+
+       *image = (uint8_t *)capsule + sizeof(auth_hdr->monotonic_count) +
+               auth_hdr->auth_info.hdr.dwLength;
+       *image_size = capsule_size - auth_hdr->auth_info.hdr.dwLength -
+               sizeof(auth_hdr->monotonic_count);
+       memcpy(&monotonic_count, &auth_hdr->monotonic_count,
+              sizeof(monotonic_count));
+
+       /* data to be digested */
+       regs = calloc(sizeof(*regs) + sizeof(struct image_region) * 2, 1);
+       if (!regs)
+               goto out;
+
+       regs->max = 2;
+       efi_image_region_add(regs, (uint8_t *)*image,
+                            (uint8_t *)*image + *image_size, 1);
+
+       efi_image_region_add(regs, (uint8_t *)&monotonic_count,
+                            (uint8_t *)&monotonic_count + sizeof(monotonic_count),
+                            1);
+
+       capsule_sig = efi_parse_pkcs7_header(auth_hdr->auth_info.cert_data,
+                                            auth_hdr->auth_info.hdr.dwLength
+                                            - sizeof(auth_hdr->auth_info),
+                                            &buf);
+       if (IS_ERR(capsule_sig)) {
+               debug("Parsing variable's pkcs7 header failed\n");
+               capsule_sig = NULL;
+               goto out;
+       }
+
+       ret = efi_get_public_key_data(&fdt_pkey, &pkey_len);
+       if (ret < 0)
+               goto out;
+
+       pkey = malloc(pkey_len);
+       if (!pkey)
+               goto out;
+
+       memcpy(pkey, fdt_pkey, pkey_len);
+       truststore = efi_build_signature_store(pkey, pkey_len);
+       if (!truststore)
+               goto out;
+
+       /* verify signature */
+       if (efi_signature_verify(regs, capsule_sig, truststore, NULL)) {
+               debug("Verified\n");
+       } else {
+               debug("Verifying variable's signature failed\n");
+               goto out;
+       }
+
+       status = EFI_SUCCESS;
+
+out:
+       efi_sigstore_free(truststore);
+       pkcs7_free_message(capsule_sig);
+       free(regs);
+
+       return status;
+}
+#else
+efi_status_t efi_capsule_authenticate(const void *capsule, efi_uintn_t capsule_size,
+                                     void **image, efi_uintn_t *image_size)
+{
+       return EFI_UNSUPPORTED;
+}
+#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
+
+
 /**
  * efi_capsule_update_firmware - update firmware from capsule
  * @capsule_data:      Capsule
index 87525bdc804a1edeaff53184f3be3945b9f7c3a4..c7ec2754147f713dd571a5b5f1522a53c8054d42 100644 (file)
@@ -26,7 +26,7 @@ const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
 const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
 const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
 
-#ifdef CONFIG_EFI_SECURE_BOOT
+#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
 static u8 pkcs7_hdr[] = {
        /* SEQUENCE */
        0x30, 0x82, 0x05, 0xc7,
@@ -846,4 +846,4 @@ struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
 
        return efi_build_signature_store(db, db_size);
 }
-#endif /* CONFIG_EFI_SECURE_BOOT */
+#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */