summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorIlias Apalodimas <ilias.apalodimas@linaro.org>2022-02-14 11:14:22 +0200
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>2022-02-26 07:37:00 +0100
commitbdcc0a9594d4d3ae02f9f013e105e9a7430b3266 (patch)
treea92248201127d32fb242d80246730cbc169c8680 /lib
parent625d933eddc9aa3137ab6cc31f54a2f3404d937a (diff)
downloadu-boot-bdcc0a9594d4d3ae02f9f013e105e9a7430b3266.tar.gz
u-boot-bdcc0a9594d4d3ae02f9f013e105e9a7430b3266.tar.bz2
u-boot-bdcc0a9594d4d3ae02f9f013e105e9a7430b3266.zip
efi_loader: fix uefi secure boot with intermediate certs
The general rule of accepting or rejecting an image is 1. Is the sha256 of the image in dbx 2. Is the image signed with a certificate that's found in db and not in dbx 3. The image carries a cert which is signed by a cert in db (and not in dbx) and the image can be verified against the former 4. Is the sha256 of the image in db For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher", which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in it's turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root". The latter is a self-signed CA certificate and with our current implementation allows shim to execute if we insert it in db. However it's the CA cert in the middle of the chain which usually ends up in the system's db. pkcs7_verify_one() might or might not return the root certificate for a given chain. But when verifying executables in UEFI, the trust anchor can be in the middle of the chain, as long as that certificate is present in db. Currently we only allow this check on self-signed certificates, so let's remove that check and allow all certs to try a match an entry in db. Open questions: - Does this break any aspect of variable authentication since efi_signature_verify() is used on those as well? Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/efi_loader/efi_signature.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 1bd1fdc95f..79ed077ae7 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -518,12 +518,11 @@ bool efi_signature_verify(struct efi_image_regions *regs,
goto out;
EFI_PRINT("Verifying last certificate in chain\n");
- if (signer->self_signed) {
- if (efi_lookup_certificate(signer, db))
- if (efi_signature_check_revocation(sinfo,
- signer, dbx))
- break;
- } else if (efi_verify_certificate(signer, db, &root)) {
+ if (efi_lookup_certificate(signer, db))
+ if (efi_signature_check_revocation(sinfo, signer, dbx))
+ break;
+ if (!signer->self_signed &&
+ efi_verify_certificate(signer, db, &root)) {
bool check;
check = efi_signature_check_revocation(sinfo, root,