Accepting request 298693 from home:gary_lin:branches:Virtualization

- Update ovmf-embed-default-keys.patch to embed the default dbx.
  Also add the dbx list from the UEFI website and enable it in the
  MS flavor. A script, strip_authinfo.pl, was added to strip the
  AuthInfo headers from dbxupdate.bin since those are not necessary
  in dbx.

OBS-URL: https://build.opensuse.org/request/show/298693
OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=15

dbxupdate.zip

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce6a817ef01f7ee322f24d39218ef622efa4d06b4b3e301781ec36fd8511e2c9
+size 3108

ovmf-embed-default-keys.patch

@@ -1,8 +1,9 @@
-From 0fa64a89a4e442c96a31f1a80b97ddc04a6c3527 Mon Sep 17 00:00:00 2001
+From 718b2183d898df8ca9becb2e5945cdb53c4fd310 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 10 May 2013 10:27:51 +0800
-Subject: [PATCH] Add a stub to allow keys to be embedded at build time
+Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  .../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++
  .../VariableAuthenticated/RuntimeDxe/Default_DB.h  |   2 +
@@ -15,7 +16,7 @@ Subject: [PATCH] Add a stub to allow keys to be embedded at build time
  create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
 
 diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
-index 3f0698e..0f7b45f 100644
+index 1e9e190..03c8e26 100644
 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
 +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
 @@ -32,6 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@@ -28,7 +29,7 @@ index 3f0698e..0f7b45f 100644
  
  ///
  /// Global database array for scratch
-@@ -183,6 +186,11 @@ AutenticatedVariableServiceInitialize (
+@@ -145,6 +148,11 @@ AutenticatedVariableServiceInitialize (
    UINT8                   SecureBootEnable;
    UINT8                   CustomMode;
    UINT32                  ListSize;
@@ -40,7 +41,7 @@ index 3f0698e..0f7b45f 100644
  
    //
    // Initialize hash context.
-@@ -193,6 +201,171 @@ AutenticatedVariableServiceInitialize (
+@@ -155,6 +163,171 @@ AutenticatedVariableServiceInitialize (
      return EFI_OUT_OF_RESOURCES;
    }
  
@@ -237,7 +238,7 @@ index 0000000..23b90e4
 +unsigned char *Default_PK = NULL;
 +unsigned int Default_PK_len = 0;
 diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
-index 8a8d4ad..d305ded 100644
+index cbf7da0..e4ec2e0 100644
 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
 +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
 @@ -45,6 +45,9 @@
@@ -251,5 +252,89 @@ index 8a8d4ad..d305ded 100644
  [Packages]
    MdePkg/MdePkg.dec
 -- 
-2.1.2
+2.1.4
+
+
+From cc0bdc4ec72c751f0a6f3925ab5ffd6ada6cd8a8 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Wed, 22 Apr 2015 16:20:54 +0800
+Subject: [PATCH 2/2] Add a stub to set the default dbx
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ .../VariableAuthenticated/RuntimeDxe/AuthService.c | 29 ++++++++++++++++++++++
+ .../VariableAuthenticated/RuntimeDxe/Default_DBX.h |  2 ++
+ .../RuntimeDxe/VariableRuntimeDxe.inf              |  1 +
+ 3 files changed, 32 insertions(+)
+ create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+index 03c8e26..56bfda4 100644
+--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+@@ -35,6 +35,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ #include "Default_PK.h"
+ #include "Default_KEK.h"
+ #include "Default_DB.h"
++#include "Default_DBX.h"
+ 
+ ///
+ /// Global database array for scratch
+@@ -325,6 +326,34 @@ AutenticatedVariableServiceInitialize (
+   FreePool(SignatureGUID);
+   FreePool(Data);
+ 
++  // DBX
++  if (Default_DBX == NULL)
++	goto SKIP_KEYS;
++
++  Status = FindVariable (
++             EFI_IMAGE_SECURITY_DATABASE1,
++             &gEfiImageSecurityDatabaseGuid,
++             &Variable,
++             &mVariableModuleGlobal->VariableGlobal,
++             FALSE
++             );
++  if (Variable.CurrPtr == NULL) {
++    Status = UpdateVariable (
++               EFI_IMAGE_SECURITY_DATABASE1,
++               &gEfiImageSecurityDatabaseGuid,
++               Default_DBX,
++               Default_DBX_len,
++               Attr,
++               0,
++               0,
++               &Variable,
++               NULL
++               );
++    if (EFI_ERROR (Status)) {
++      return Status;
++    }
++  }
++
+ SKIP_KEYS:
+   //****
+ 
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+new file mode 100644
+index 0000000..5fd3cdc
+--- /dev/null
++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+@@ -0,0 +1,2 @@
++unsigned char *Default_DBX = NULL;
++unsigned int Default_DBX_len = 0;
+diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+index e4ec2e0..b390d0b 100644
+--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
++++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+@@ -48,6 +48,7 @@
+   Default_PK.h
+   Default_KEK.h
+   Default_DB.h
++  Default_DBX.h
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+-- 
+2.1.4
 

ovmf.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr 23 03:33:36 UTC 2015 - glin@suse.com
+
+- Update ovmf-embed-default-keys.patch to embed the default dbx.
+  Also add the dbx list from the UEFI website and enable it in the
+  MS flavor. A script, strip_authinfo.pl, was added to strip the
+  AuthInfo headers from dbxupdate.bin since those are not necessary
+  in dbx.
+
 -------------------------------------------------------------------
 Mon Apr 20 03:43:56 UTC 2015 - glin@suse.com
 

ovmf.spec

@@ -39,6 +39,8 @@ Source7:        openSUSE-UEFI-CA-Certificate-2048.crt
 Source8:        openSUSE-UEFI-SIGN-Certificate-2048.crt
 Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       openSUSE-UEFI-SIGN-Certificate-4096.crt
+Source11:       http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
+Source12:       strip_authinfo.pl
 Source100:      %{name}-rpmlintrc
 Source101:      gdb_uefi.py.in
 Patch1:         %{name}-sle-11-gcc47.patch
@@ -80,6 +82,7 @@ BuildRequires:  nasm
 %endif
 %ifarch x86_64
 BuildRequires:  openssl
+BuildRequires:  unzip
 %if 0%{?suse_version}
 BuildRequires:  vim-base
 %else
@@ -271,6 +274,9 @@ build_with_keys()
 	xxd -i Default_PK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
 	xxd -i Default_KEK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
 	xxd -i Default_DB > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
+	if [ -e Default_DBX ]; then
+		xxd -i Default_DBX > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
+	fi
 	build $BUILD_OPTIONS
 	cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
 	cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin
@@ -284,11 +290,17 @@ openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
 openssl x509 -in %{SOURCE4} -outform DER > Default_DB
 build_with_keys suse
 
+#unpack the UEFI revocation list
+unzip %{SOURCE11} 
+
 # OVMF with MS keys
 cat %{SOURCE5} > Default_PK
 cat %{SOURCE5} > Default_KEK
 cat %{SOURCE6} > Default_DB
+chmod 755 %{SOURCE12}
+%{SOURCE12} dbxupdate.bin Default_DBX
 build_with_keys ms
+rm -f Default_DBX
 
 # OVMF with openSUSE keys
 openssl x509 -in %{SOURCE7} -outform DER > Default_PK

strip_authinfo.pl

@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use strict;
+use FileHandle;
+
+if ($#ARGV != 1) {
+	print "Usage: stripe_authinfo <variable with AuthInfo> <stripped binary>\n";
+	exit;
+}
+
+my $file_in = $ARGV[0];
+my $file_out = $ARGV[1];
+
+sub read_file($)
+{
+	my ($file) = @_;
+	my $contents;
+	my $len;
+
+	open(FD, "<$file") || die $file;
+	binmode FD;
+	my @st = stat(FD);
+	die $file if (!@st);
+	$len = read(FD, $contents, $st[7]) || die $file;
+	close(FD) || die $file;
+	die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
+		if ($len != $st[7]);
+	return $contents;
+}
+
+my $authvar = read_file($file_in);
+my $authvar_len = length($authvar);
+
+# Skip the first 16 bytes (EFI_TIME) and check the following 8 bytes
+#
+# WIN_CERTIFICATE (8 bytes)
+#	UINT32	dwLength
+#	UINT16	wRevision 		0x0200
+#	UINT16	wCertificateType	0x0EF0 to 0x0EFF
+my($dwLength, $wRevision, $wCertificateType) = unpack("VSS", substr($authvar, 16, 8));
+
+# check the contents
+die "invalid certificate length" if ($dwLength > $authvar_len);
+die "invalid Revision" if ($wRevision != 0x200);
+die "invalid certificate type"
+	if ($wCertificateType != 0x0EF0 && $wCertificateType != 0x0EF1 && $wCertificateType != 0x0002);
+
+my $skip = $dwLength + 16;
+
+open(FD, ">$file_out") || die $file_out;
+binmode FD;
+print FD substr($authvar, $skip, $authvar_len - $skip);
+close FD || die $file_out;