Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support loading additional certificates #446

Merged
merged 3 commits into from
May 17, 2022

Conversation

esnowberg
Copy link
Contributor

Please see the following as an RFC pull request for loading additional certificates from a signed EFI binary.

This work was originally done by @mjg59, I have ported parts of his code to 15.5 and refactored other pieces. #204

All testing was done using certmule (https://github.com/rhboot/certmule).

@esnowberg
Copy link
Contributor Author

@mjg59, since Sign-off-by's are now required, could I include yours for the second patch?

@mjg59
Copy link
Collaborator

mjg59 commented Feb 3, 2022

Yes, please feel free to add:

Signed-off-by: Matthew Garrett [email protected]

@esnowberg esnowberg force-pushed the 15.5-load-certs-poc-1 branch from 816ddd1 to 14f0ba6 Compare February 3, 2022 21:17
@esnowberg
Copy link
Contributor Author

Thanks @mjg59

@esnowberg
Copy link
Contributor Author

esnowberg commented Feb 3, 2022

Steps to test this change:

Clone certmule

$ git clone https://github.com/rhboot/certmule.git
$ cd certmule

Generate a Public and Private X.509 Key Pair

$ cat << EOF > key_gen.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Generic Key
emailAddress = [email protected]
[ myexts ]
basicConstraints=critical,CA:TRUE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

$ openssl req -new -nodes -utf8 -sha512 -days 36500 -config key_gen.config -batch -x509
-outform DER -out signing_key.x509 -keyout signing_key.priv

$ openssl x509 -in signing_key.x509 -inform der -out signing_key.pem -outform pem

$ cert-to-efi-sig-list signing_key.pem db.esl

Build certmule with the db.esl

$ make all

Create a MOK key to sign the shim_certificate

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=certmule key/"

$ openssl x509 -in MOK.crt -out MOK.cer -outform DER

$ openssl pkcs12 -export -out MOK.p12 -inkey MOK.key -in MOK.crt

$ pk12util -i MOK.p12 -d /etc/pki/pesign

Enroll the Public Key on the Target System

$ mokutil --import MOK.cer

Reboot and enroll the new MOK key thru MokManager
Now sign the shim certificate with the key just enrolled in MOK

$ pesign -i certmule.efi -o ./shim_certificate.efi -c "certmule key" -s

Move the shim certificate into the ESP next to your shim.

$ cp shim_certificate.efi /boot/efi/EFI/redhat

Now reboot and the contents of shim certificate will load into the MokList.

@frozencemetery frozencemetery added this to the shim 16 milestone Feb 8, 2022
@frozencemetery frozencemetery changed the base branch from shim-15.5 to main February 8, 2022 19:39
Copy link
Member

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Retargeted this PR onto main since it's not planned for 15.5.

Inline there are some fussy style things - low urgency.

pe.c Show resolved Hide resolved
pe.c Outdated Show resolved Hide resolved
pe.c Outdated Show resolved Hide resolved
pe.c Outdated Show resolved Hide resolved
shim.c Outdated Show resolved Hide resolved

efi_status = read_image(image_handle, filename, PathName,
&data, &datasize);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra whitespace

shim.c Outdated Show resolved Hide resolved
shim.c Outdated Show resolved Hide resolved
shim.c Outdated Show resolved Hide resolved
shim.c Outdated Show resolved Hide resolved
@esnowberg
Copy link
Contributor Author

Thanks for your review @frozencemetery, I'll take care of the style changes above and send out a new pull request.

In the future we will want to examine binaries without wanting to
execute them.  Create verify_image based off existing handle_image
code.

Signed-off-by: Eric Snowberg <[email protected]>
Separate out image reading from image launch in order to be able to load
an image without executing it.

Signed-off-by: Matthew Garrett <[email protected]>
Signed-off-by: Eric Snowberg <[email protected]>
Heavily inspired by Matthew Garrett's patch "Allow additional certificates
to be loaded from a signed binary".

Add support for loading a binary, verifying its signature, and then
scanning it for embedded certificates. This is intended to make it
possible to decouple shim builds from vendor signatures. In order to
add new signatures to shim, an EFI Signature List should be generated
and then added to the .db section of a well-formed EFI binary. This
binary should then be signed with a key that shim already trusts (either
a built-in key, one present in the platform firmware or
one present in MOK) and placed in the same directory as shim with a
filename starting "shim_certificate" (eg, "shim_certificate_oracle").

Shim will read multiple files and incorporate the signatures from all of
them. Note that each section *must* be an EFI Signature List, not a raw
certificate.

Signed-off-by: Eric Snowberg <[email protected]>
@esnowberg esnowberg force-pushed the 15.5-load-certs-poc-1 branch from ac25527 to 5debfb8 Compare February 16, 2022 04:06
Copy link
Member

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing seems obviously wrong. (Will need vathpela's review too, of course.)

@jsetje jsetje requested review from frozencemetery and jsetje March 2, 2022 19:10
@jsetje jsetje removed the request for review from frozencemetery March 2, 2022 19:13
@vathpela vathpela merged commit 35d7378 into rhboot:main May 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants