Accepting request 298693 from home:gary_lin:branches:Virtualization

- Update ovmf-embed-default-keys.patch to embed the default dbx. Also add the dbx list from the UEFI website and enable it in the MS flavor. A script, strip_authinfo.pl, was added to strip the AuthInfo headers from dbxupdate.bin since those are not necessary in dbx. OBS-URL: https://build.opensuse.org/request/show/298693 OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=15
2015-04-23 04:52:06 +00:00 · 2015-04-23 04:52:06 +00:00 · 7270b3a3a9
commit 7270b3a3a9
parent 689b701afd
5 changed files with 169 additions and 7 deletions
--- a/dbxupdate.zip
+++ b/dbxupdate.zip
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce6a817ef01f7ee322f24d39218ef622efa4d06b4b3e301781ec36fd8511e2c9
+size 3108
--- a/ovmf-embed-default-keys.patch
+++ b/ovmf-embed-default-keys.patch
@ -1,8 +1,9 @@
-From 0fa64a89a4e442c96a31f1a80b97ddc04a6c3527 Mon Sep 17 00:00:00 2001
+From 718b2183d898df8ca9becb2e5945cdb53c4fd310 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 10 May 2013 10:27:51 +0800
-Subject: [PATCH] Add a stub to allow keys to be embedded at build time
+Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time

+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
 .../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++
 .../VariableAuthenticated/RuntimeDxe/Default_DB.h  |   2 +
@ -15,7 +16,7 @@ Subject: [PATCH] Add a stub to allow keys to be embedded at build time
 create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h

 diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
-index 3f0698e..0f7b45f 100644
+index 1e9e190..03c8e26 100644
 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
 +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -32,6 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@ -28,7 +29,7 @@ index 3f0698e..0f7b45f 100644
 
 ///
 /// Global database array for scratch
-@@ -183,6 +186,11 @@ AutenticatedVariableServiceInitialize (
+@@ -145,6 +148,11 @@ AutenticatedVariableServiceInitialize (
   UINT8                   SecureBootEnable;
   UINT8                   CustomMode;
   UINT32                  ListSize;
@ -40,7 +41,7 @@ index 3f0698e..0f7b45f 100644
 
   //
   // Initialize hash context.
-@@ -193,6 +201,171 @@ AutenticatedVariableServiceInitialize (
+@@ -155,6 +163,171 @@ AutenticatedVariableServiceInitialize (
     return EFI_OUT_OF_RESOURCES;
   }
 
@ -237,7 +238,7 @@ index 0000000..23b90e4
 +unsigned char *Default_PK = NULL;
 +unsigned int Default_PK_len = 0;
 diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
-index 8a8d4ad..d305ded 100644
+index cbf7da0..e4ec2e0 100644
 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
 +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -45,6 +45,9 @@
@ -251,5 +252,89 @@ index 8a8d4ad..d305ded 100644
 [Packages]
   MdePkg/MdePkg.dec
 -- 
-2.1.2
+2.1.4
+
+
+From cc0bdc4ec72c751f0a6f3925ab5ffd6ada6cd8a8 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Wed, 22 Apr 2015 16:20:54 +0800
+Subject: [PATCH 2/2] Add a stub to set the default dbx
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ .../VariableAuthenticated/RuntimeDxe/AuthService.c | 29 ++++++++++++++++++++++
+ .../VariableAuthenticated/RuntimeDxe/Default_DBX.h |  2 ++
+ .../RuntimeDxe/VariableRuntimeDxe.inf              |  1 +
+ 3 files changed, 32 insertions(+)
+ create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+index 03c8e26..56bfda4 100644
+--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+@@ -35,6 +35,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ #include "Default_PK.h"
+ #include "Default_KEK.h"
+ #include "Default_DB.h"
+#include "Default_DBX.h"
+ 
+ ///
+ /// Global database array for scratch
+@@ -325,6 +326,34 @@ AutenticatedVariableServiceInitialize (
+   FreePool(SignatureGUID);
+   FreePool(Data);
+ 
+  // DBX
+  if (Default_DBX == NULL)
+	goto SKIP_KEYS;
+
+  Status = FindVariable (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             &gEfiImageSecurityDatabaseGuid,
+             &Variable,
+             &mVariableModuleGlobal->VariableGlobal,
+             FALSE
+             );
+  if (Variable.CurrPtr == NULL) {
+    Status = UpdateVariable (
+               EFI_IMAGE_SECURITY_DATABASE1,
+               &gEfiImageSecurityDatabaseGuid,
+               Default_DBX,
+               Default_DBX_len,
+               Attr,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+ SKIP_KEYS:
+   //****
+ 
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+new file mode 100644
+index 0000000..5fd3cdc
+--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+@@ -0,0 +1,2 @@
+unsigned char *Default_DBX = NULL;
+unsigned int Default_DBX_len = 0;
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+index e4ec2e0..b390d0b 100644
+--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+@@ -48,6 +48,7 @@
+   Default_PK.h
+   Default_KEK.h
+   Default_DB.h
+  Default_DBX.h
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+-- 
+2.1.4

--- a/ovmf.changes
+++ b/ovmf.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr 23 03:33:36 UTC 2015 - glin@suse.com
+
+- Update ovmf-embed-default-keys.patch to embed the default dbx.
+  Also add the dbx list from the UEFI website and enable it in the
+  MS flavor. A script, strip_authinfo.pl, was added to strip the
+  AuthInfo headers from dbxupdate.bin since those are not necessary
+  in dbx.
+
 -------------------------------------------------------------------
 Mon Apr 20 03:43:56 UTC 2015 - glin@suse.com

--- a/ovmf.spec
+++ b/ovmf.spec
@ -39,6 +39,8 @@ Source7:        openSUSE-UEFI-CA-Certificate-2048.crt
 Source8:        openSUSE-UEFI-SIGN-Certificate-2048.crt
 Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       openSUSE-UEFI-SIGN-Certificate-4096.crt
+Source11:       http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
+Source12:       strip_authinfo.pl
 Source100:      %{name}-rpmlintrc
 Source101:      gdb_uefi.py.in
 Patch1:         %{name}-sle-11-gcc47.patch
@ -80,6 +82,7 @@ BuildRequires:  nasm
 %endif
 %ifarch x86_64
 BuildRequires:  openssl
+BuildRequires:  unzip
 %if 0%{?suse_version}
 BuildRequires:  vim-base
 %else
@ -271,6 +274,9 @@ build_with_keys()
 	xxd -i Default_PK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
 	xxd -i Default_KEK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
 	xxd -i Default_DB > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
+	if [ -e Default_DBX ]; then
+		xxd -i Default_DBX > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+	fi
 	build $BUILD_OPTIONS
 	cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
 	cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin
@ -284,11 +290,17 @@ openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
 openssl x509 -in %{SOURCE4} -outform DER > Default_DB
 build_with_keys suse

+#unpack the UEFI revocation list
+unzip %{SOURCE11} 
+
 # OVMF with MS keys
 cat %{SOURCE5} > Default_PK
 cat %{SOURCE5} > Default_KEK
 cat %{SOURCE6} > Default_DB
+chmod 755 %{SOURCE12}
+%{SOURCE12} dbxupdate.bin Default_DBX
 build_with_keys ms
+rm -f Default_DBX

 # OVMF with openSUSE keys
 openssl x509 -in %{SOURCE7} -outform DER > Default_PK
--- a/strip_authinfo.pl
+++ b/strip_authinfo.pl
@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use FileHandle;
+
+if ($#ARGV != 1) {
+	print "Usage: stripe_authinfo <variable with AuthInfo> <stripped binary>\n";
+	exit;
+}
+
+my $file_in = $ARGV[0];
+my $file_out = $ARGV[1];
+
+sub read_file($)
+{
+	my ($file) = @_;
+	my $contents;
+	my $len;
+
+	open(FD, "<$file") || die $file;
+	binmode FD;
+	my @st = stat(FD);
+	die $file if (!@st);
+	$len = read(FD, $contents, $st[7]) || die $file;
+	close(FD) || die $file;
+	die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
+		if ($len != $st[7]);
+	return $contents;
+}
+
+my $authvar = read_file($file_in);
+my $authvar_len = length($authvar);
+
+# Skip the first 16 bytes (EFI_TIME) and check the following 8 bytes
+#
+# WIN_CERTIFICATE (8 bytes)
+#	UINT32	dwLength
+#	UINT16	wRevision 		0x0200
+#	UINT16	wCertificateType	0x0EF0 to 0x0EFF
+my($dwLength, $wRevision, $wCertificateType) = unpack("VSS", substr($authvar, 16, 8));
+
+# check the contents
+die "invalid certificate length" if ($dwLength > $authvar_len);
+die "invalid Revision" if ($wRevision != 0x200);
+die "invalid certificate type"
+	if ($wCertificateType != 0x0EF0 && $wCertificateType != 0x0EF1 && $wCertificateType != 0x0002);
+
+my $skip = $dwLength + 16;
+
+open(FD, ">$file_out") || die $file_out;
+binmode FD;
+print FD substr($authvar, $skip, $authvar_len - $skip);
+close FD || die $file_out;