From 7270b3a3a9f08ba8c64564e47a3adb65b3e16f2f0f3c2933dcfa2e22568802e5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 23 Apr 2015 04:52:06 +0000 Subject: [PATCH] Accepting request 298693 from home:gary_lin:branches:Virtualization - Update ovmf-embed-default-keys.patch to embed the default dbx. Also add the dbx list from the UEFI website and enable it in the MS flavor. A script, strip_authinfo.pl, was added to strip the AuthInfo headers from dbxupdate.bin since those are not necessary in dbx. OBS-URL: https://build.opensuse.org/request/show/298693 OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=15 --- dbxupdate.zip | 3 ++ ovmf-embed-default-keys.patch | 99 ++++++++++++++++++++++++++++++++--- ovmf.changes | 9 ++++ ovmf.spec | 12 +++++ strip_authinfo.pl | 53 +++++++++++++++++++ 5 files changed, 169 insertions(+), 7 deletions(-) create mode 100644 dbxupdate.zip create mode 100644 strip_authinfo.pl diff --git a/dbxupdate.zip b/dbxupdate.zip new file mode 100644 index 0000000..bd8f423 --- /dev/null +++ b/dbxupdate.zip @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce6a817ef01f7ee322f24d39218ef622efa4d06b4b3e301781ec36fd8511e2c9 +size 3108 diff --git a/ovmf-embed-default-keys.patch b/ovmf-embed-default-keys.patch index 5ddebfd..0e310d2 100644 --- a/ovmf-embed-default-keys.patch +++ b/ovmf-embed-default-keys.patch @@ -1,8 +1,9 @@ -From 0fa64a89a4e442c96a31f1a80b97ddc04a6c3527 Mon Sep 17 00:00:00 2001 +From 718b2183d898df8ca9becb2e5945cdb53c4fd310 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 10 May 2013 10:27:51 +0800 -Subject: [PATCH] Add a stub to allow keys to be embedded at build time +Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time +Signed-off-by: Gary Ching-Pang Lin --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++ .../VariableAuthenticated/RuntimeDxe/Default_DB.h | 2 + 
@@ -15,7 +16,7 @@ Subject: [PATCH] Add a stub to allow keys to be embedded at build time create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c -index 3f0698e..0f7b45f 100644 +index 1e9e190..03c8e26 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -32,6 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. @@ -28,7 +29,7 @@ index 3f0698e..0f7b45f 100644 /// /// Global database array for scratch -@@ -183,6 +186,11 @@ AutenticatedVariableServiceInitialize ( +@@ -145,6 +148,11 @@ AutenticatedVariableServiceInitialize ( UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; @@ -40,7 +41,7 @@ index 3f0698e..0f7b45f 100644 // // Initialize hash context. -@@ -193,6 +201,171 @@ AutenticatedVariableServiceInitialize ( +@@ -155,6 +163,171 @@ AutenticatedVariableServiceInitialize ( return EFI_OUT_OF_RESOURCES; } @@ -237,7 +238,7 @@ index 0000000..23b90e4 +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf -index 8a8d4ad..d305ded 100644 +index cbf7da0..e4ec2e0 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf @@ -45,6 +45,9 @@ 
@@ -251,5 +252,89 @@ index 8a8d4ad..d305ded 100644 [Packages] MdePkg/MdePkg.dec -- -2.1.2 +2.1.4 + + +From cc0bdc4ec72c751f0a6f3925ab5ffd6ada6cd8a8 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 22 Apr 2015 16:20:54 +0800 +Subject: [PATCH 2/2] Add a stub to set the default dbx + +Signed-off-by: Gary Ching-Pang Lin +--- + .../VariableAuthenticated/RuntimeDxe/AuthService.c | 29 ++++++++++++++++++++++ + .../VariableAuthenticated/RuntimeDxe/Default_DBX.h | 2 ++ + .../RuntimeDxe/VariableRuntimeDxe.inf | 1 + + 3 files changed, 32 insertions(+) + create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h + +diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +index 03c8e26..56bfda4 100644 +--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c ++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +@@ -35,6 +35,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. 
+ #include "Default_PK.h" + #include "Default_KEK.h" + #include "Default_DB.h" ++#include "Default_DBX.h" + + /// + /// Global database array for scratch +@@ -325,6 +326,34 @@ AutenticatedVariableServiceInitialize ( + FreePool(SignatureGUID); + FreePool(Data); + ++ // DBX ++ if (Default_DBX == NULL) ++ goto SKIP_KEYS; ++ ++ Status = FindVariable ( ++ EFI_IMAGE_SECURITY_DATABASE1, ++ &gEfiImageSecurityDatabaseGuid, ++ &Variable, ++ &mVariableModuleGlobal->VariableGlobal, ++ FALSE ++ ); ++ if (Variable.CurrPtr == NULL) { ++ Status = UpdateVariable ( ++ EFI_IMAGE_SECURITY_DATABASE1, ++ &gEfiImageSecurityDatabaseGuid, ++ Default_DBX, ++ Default_DBX_len, ++ Attr, ++ 0, ++ 0, ++ &Variable, ++ NULL ++ ); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ } ++ + SKIP_KEYS: + //**** + +diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h +new file mode 100644 +index 0000000..5fd3cdc +--- /dev/null ++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h +@@ -0,0 +1,2 @@ ++unsigned char *Default_DBX = NULL; ++unsigned int Default_DBX_len = 0; +diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +index e4ec2e0..b390d0b 100644 +--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf ++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +@@ -48,6 +48,7 @@ + Default_PK.h + Default_KEK.h + Default_DB.h ++ Default_DBX.h + + [Packages] + MdePkg/MdePkg.dec +-- +2.1.4 diff --git a/ovmf.changes b/ovmf.changes index 8b92073..2ebb104 100644 --- a/ovmf.changes +++ b/ovmf.changes 
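Review bot: In the new DBX block of the nested patch the `Status` returned by `FindVariable` is stored but never examined; only `Variable.CurrPtr` is tested, so a lookup failure other than "not found" is indistinguishable from an absent dbx and the code goes straight on to `UpdateVariable` with the default revocation list. If that deliberately mirrors the PK/KEK/DB blocks that precede it (outside this hunk) it deserves a comment saying so; otherwise a guard such as `if (EFI_ERROR (Status) && Status != EFI_NOT_FOUND) { return Status; }` before the CurrPtr test keeps genuine errors visible. The `goto SKIP_KEYS` taken when `Default_DBX == NULL` jumps over nothing but this block itself, so wrapping the block in `if (Default_DBX != NULL) { … }` would read more honestly than a label. The enclosing AutenticatedVariableServiceInitialize starts and ends outside the hunk.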
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr 23 03:33:36 UTC 2015 - glin@suse.com
+
+- Update ovmf-embed-default-keys.patch to embed the default dbx.
+ Also add the dbx list from the UEFI website and enable it in the
+ MS flavor. A script, strip_authinfo.pl, was added to strip the
+ AuthInfo headers from dbxupdate.bin since those are not necessary
+ in dbx.
+
 -------------------------------------------------------------------
 Mon Apr 20 03:43:56 UTC 2015 - glin@suse.com
 
diff --git a/ovmf.spec b/ovmf.spec
index 77a7ff0..c0ce9fc 100644
--- a/ovmf.spec
+++ b/ovmf.spec
@@ -39,6 +39,8 @@ Source7: openSUSE-UEFI-CA-Certificate-2048.crt
 Source8: openSUSE-UEFI-SIGN-Certificate-2048.crt
 Source9: openSUSE-UEFI-CA-Certificate-4096.crt
 Source10: openSUSE-UEFI-SIGN-Certificate-4096.crt
+Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
+Source12: strip_authinfo.pl
 Source100: %{name}-rpmlintrc
 Source101: gdb_uefi.py.in
 Patch1: %{name}-sle-11-gcc47.patch
@@ -80,6 +82,7 @@ BuildRequires: nasm
 %endif
 %ifarch x86_64
 BuildRequires: openssl
+BuildRequires: unzip
 %if 0%{?suse_version}
 BuildRequires: vim-base
 %else
@@ -271,6 +274,9 @@ build_with_keys()
 xxd -i Default_PK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
 xxd -i Default_KEK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
 xxd -i Default_DB > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
+ if [ -e Default_DBX ]; then
+ xxd -i Default_DBX > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+ fi
 build $BUILD_OPTIONS
 cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
 cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin
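Review bot: `build_with_keys` only regenerates `SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h` when a `Default_DBX` file exists, so once the MS flavor has written the real list into that header, the openSUSE build that follows (after `rm -f Default_DBX` in the next hunk) compiles the stale header and silently embeds Microsoft's dbx, unless something outside this hunk restores the stub. Giving the test an `else` branch that rewrites the stub, `else printf 'unsigned char *Default_DBX = NULL;\nunsigned int Default_DBX_len = 0;\n' > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h`, makes every flavor's dbx explicit and self-documenting. A one-line comment above `if [ -e Default_DBX ]; then` naming which flavors are expected to provide the file would help the next editor. The build_with_keys function begins before this hunk.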
@@ -284,11 +290,17 @@ openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
 openssl x509 -in %{SOURCE4} -outform DER > Default_DB
 build_with_keys suse
 
+#unpack the UEFI revocation list
+unzip %{SOURCE11}
+
 # OVMF with MS keys
 cat %{SOURCE5} > Default_PK
 cat %{SOURCE5} > Default_KEK
 cat %{SOURCE6} > Default_DB
+chmod 755 %{SOURCE12}
+%{SOURCE12} dbxupdate.bin Default_DBX
 build_with_keys ms
+rm -f Default_DBX
 
 # OVMF with openSUSE keys
 openssl x509 -in %{SOURCE7} -outform DER > Default_PK
diff --git a/strip_authinfo.pl b/strip_authinfo.pl
new file mode 100644
index 0000000..3dc7870
--- /dev/null
+++ b/strip_authinfo.pl
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use FileHandle;
+
+if ($#ARGV != 1) {
+ print "Usage: stripe_authinfo \n";
+ exit;
+}
+
+my $file_in = $ARGV[0];
+my $file_out = $ARGV[1];
+
+sub read_file($)
+{
+ my ($file) = @_;
+ my $contents;
+ my $len;
+
+ open(FD, "<$file") || die $file;
+ binmode FD;
+ my @st = stat(FD);
+ die $file if (!@st);
+ $len = read(FD, $contents, $st[7]) || die $file;
+ close(FD) || die $file;
+ die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
+ if ($len != $st[7]);
+ return $contents;
+}
+
+my $authvar = read_file($file_in);
+my $authvar_len = length($authvar);
+
+# Skip the first 16 bytes (EFI_TIME) and check the following 8 bytes
+#
+# WIN_CERTIFICATE (8 bytes)
+# UINT32 dwLength
+# UINT16 wRevision 0x0200
+# UINT16 wCertificateType 0x0EF0 to 0x0EFF
+my($dwLength, $wRevision, $wCertificateType) = unpack("VSS", substr($authvar, 16, 8));
+
+# check the contents
+die "invalid certificate length" if ($dwLength > $authvar_len);
+die "invalid Revision" if ($wRevision != 0x200);
+die "invalid certificate type"
+ if ($wCertificateType != 0x0EF0 && $wCertificateType != 0x0EF1 && $wCertificateType != 0x0002);
+
+my $skip = $dwLength + 16;
+
+open(FD, ">$file_out") || die $file_out;
+binmode FD;
+print FD substr($authvar, $skip, $authvar_len - $skip);
+close FD || die $file_out;
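Review bot: The `unzip %{SOURCE11}` and `%{SOURCE12} dbxupdate.bin Default_DBX` steps turn the downloaded revocation list into the firmware's default dbx without verifying it: the AuthInfo wrapper that strip_authinfo.pl discards is the only signature the payload carries, and nothing in the build checks it or the archive before the headers are thrown away, so the trust placed in the embedded dbx rests entirely on whoever checked dbxupdate.zip into the package. At least pin the archive in the spec, e.g. `echo '<sha256-of-reviewed-archive>  dbxupdate.zip' | sha256sum -c` before the unzip line, so a changed upstream file fails the build instead of shipping, and say in the `#unpack` comment which upstream revision was reviewed. `chmod 755 %{SOURCE12}` modifies the source file in place; `perl %{SOURCE12} dbxupdate.bin Default_DBX` avoids that and the dependence on the shebang path.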
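Review bot: The bounds check `die "invalid certificate length" if ($dwLength > $authvar_len);` ignores the 16-byte EFI_TIME prefix that `$skip = $dwLength + 16` adds back, so a dwLength within 16 bytes of the file size passes the check and `substr($authvar, $skip, $authvar_len - $skip)` is then evaluated past the end with a negative length; compare against what is actually consumed, `die "invalid certificate length" if ($dwLength + 16 > $authvar_len);`. `unpack("VSS", ...)` pairs an explicit little-endian `V` with native-endian `S` fields, which should be `unpack("Vvv", ...)` if the WIN_CERTIFICATE layout in the comment is meant literally. Both `open` calls use the two-argument form on the bareword handle `FD`; `open(my $fh, '<', $file) || die "$file: $!"` avoids mode injection from the path and reports why the open failed, and `use FileHandle` is never used. The usage message names `stripe_authinfo` and the script then exits with status 0, so a mis-invocation looks like success to the caller in ovmf.spec.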