Extract edk2/cacerts.bin (RHBZ#1559580) #137
Conversation
Introduce the p11_extract_edk2_cacerts() skeleton. At the moment it always fails, silently. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580 Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Extract the DER-encoded X.509 certificates in the EFI_SIGNATURE_LIST
format that is
- defined by the UEFI 2.7 spec (using one inner EFI_SIGNATURE_DATA object
per EFI_SIGNATURE_LIST, as specified for EFI_CERT_X509_GUID),
- and expected by edk2's HttpDxe when it configures the certificate list
for HTTPS boot from EFI_TLS_CA_CERTIFICATE_VARIABLE (see the
TlsConfigCertificate() function in "NetworkPkg/HttpDxe/HttpsSupport.c").
The intended command line is
p11-kit extract \
--format=edk2-cacerts \
--filter=ca-anchors \
--overwrite \
--purpose=server-auth \
$DEST/edk2/cacerts.bin
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
Thank you! I'll make some comments inline. Would you like to add a test which extracts a fixed set of certs and compares the result with a set file? That would prevent future regressions in that code. |
| #include <limits.h> /* SSIZE_MAX */ | ||
|
|
||
| /* types from the UEFI 2.7 spec, section "31.4.1 Signature Database" */ | ||
| #pragma pack (1) |
There was a problem hiding this comment.
I that pragma supported by gcc or clang? Isn't __attribute__((packed)) a better alternative for the compilers we use?
| * (DCDD3B50-F405-43FD-96BE-BD33B1734776, generated with "uuidgen"), in host | ||
| * byte order | ||
| */ | ||
| static const efi_guid agent_guid_host = { |
There was a problem hiding this comment.
Where is that GUID being use? Does it need to be unique per extraction?
|
I'm not really used to github pull requests (I work primarily on mailing lists), so please forgive if I don't get the format right etc... I'm unsure how I can respond to comments directly, so I'll do some manual quoting here. (1) Who is "gnutlsmirror"? May I know the person behind the persona? :) (2) Would you like to add a test which extracts a fixed set of certs and compares the result with a set file? Looking at Would this work for you? (3) Regarding Before I added that, I grepped the tree for So, I'm fine either way, but Also, gcc has supported https://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Structure_002dPacking-Pragmas.html (4) The "agent GUID" is used to populate the Given that this extractor is the "same agent" for each of the extracted certificates, the same value should be used. (Obviously I tested this against the firmware and it works fine.) Uniqueness is not required; for example Microsoft uses the same
(For completeness I shoudl mention that those CA certificates are not for web server authentication but for Secure Boot driver authentication.) |
|
Thank you for the patch! I have a couple of comments:
|
|
OK, I'll check out the C language testers, thanks for the reference. Regarding the avoidance of packed structures for better portability, I disagree. Packed structures are universally supported. They are used by all major projects that I'm involved with to various extents (edk2, QEMU, libvirt, kernel). Those projects build with multiple toolchains and for multiple OSes and architectures. For example, edk2 (which uses Replacing the packed structures with stand-alone field writes doesn't just give up on "improvements" to code readability; it turns the code into an unreadable mess, and loses any resemblance of the UEFI spec (which is what defines the format). A good example for such bad practice is
This leaves the reader completely in the dark about the actual structure of the output file. |
|
@ueno what I can do -- if you really dislike structure packing -- is:
This will take care of any unexpected padding between fields and at the end of the structures, and still keep the code readable. Is this acceptable? |
|
BTW I think such custom encoders would be greatly helped if
Can I add them? |
|
I don't strongly oppose to using packed structures, but my concern is that we sometimes receive bug reports on AIX or IRIX (#101) and I don't know if that pragma is available on such platforms. Anyway, given that those structures are not too complicated, I was thinking something like: static bool buffer_add_uint16 (p11_buffer *buffer, uint16_t value);
static bool buffer_add_uint32 (p11_buffer *buffer, uint32_t value);
static bool buffer_add_efi_guid (p11_buffer *buffer, efi_guid *value);
static bool buffer_add_efi_signature_list (p11_buffer *buffer, efi_signature_list *value);and: static bool
buffer_add_efi_guid (p11_buffer *buffer, efi_guid *value)
{
if (!buffer_add_uint32 (buffer, value->data1)
return false;
...
}There are similar code in p11-kit/rpc-message.c. |
|
OK, thanks. |
|
@gnutlsmirror was me, sorry for the confusion. I was logged with the wrong account. |
|
v2 coming up |
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1559580 for the feature description.
I have successfully tested this against firmware code I've written (and in part pushed) for https://bugzilla.redhat.com/show_bug.cgi?id=1536624 . Testing instructions are attached to that BZ: https://bugzilla.redhat.com/attachment.cgi?id=1413960
The intended invocation by
update-ca-trustis spelled out in the commit message of the second patch.Thanks!
Laszlo