Support loading additional certificates #446
Conversation
@mjg59, since Sign-off-by's are now required, could I include yours for the second patch?
Yes, please feel free to add: Signed-off-by: Matthew Garrett mgarrett@aurora.tech
816ddd1 to 14f0ba6
Thanks @mjg59

Steps to test this change:

Clone certmule
$ git clone https://github.com/rhboot/certmule.git

Generate a Public and Private X.509 Key Pair
$ cat << EOF > key_gen.config
$ openssl req -new -nodes -utf8 -sha512 -days 36500 -config key_gen.config -batch -x509
$ openssl x509 -in signing_key.x509 -inform der -out signing_key.pem -outform pem
$ cert-to-efi-sig-list signing_key.pem db.esl

Build certmule with the db.esl
$ make all

Create a MOK key to sign the shim_certificate
$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=certmule key/"
$ openssl x509 -in MOK.crt -out MOK.cer -outform DER
$ openssl pkcs12 -export -out MOK.p12 -inkey MOK.key -in MOK.crt
$ pk12util -i MOK.p12 -d /etc/pki/pesign

Enroll the Public Key on the Target System
$ mokutil --import MOK.cer

Reboot and enroll the new MOK key thru MokManager
$ pesign -i certmule.efi -o ./shim_certificate.efi -c "certmule key" -s

Move the shim certificate into the ESP next to your shim.
$ cp shim_certificate.efi /boot/efi/EFI/redhat

Now reboot and the contents of shim certificate will load into the MokList.
Retargeted this PR onto main since it's not planned for 15.5.
Inline there are some fussy style things - low urgency.
    efi_status = read_image(image_handle, filename, PathName,
                            &data, &datasize);
extra whitespace
Thanks for your review @frozencemetery, I'll take care of the style changes above and send out a new pull request.

In the future we will want to examine binaries without wanting to execute them. Create verify_image based off existing handle_image code.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Separate out image reading from image launch in order to be able to load an image without executing it.
Signed-off-by: Matthew Garrett <mgarrett@aurora.tech>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
14f0ba6 to ac25527

Heavily inspired by Matthew Garrett's patch "Allow additional certificates to be loaded from a signed binary". Add support for loading a binary, verifying its signature, and then scanning it for embedded certificates. This is intended to make it possible to decouple shim builds from vendor signatures. In order to add new signatures to shim, an EFI Signature List should be generated and then added to the .db section of a well-formed EFI binary. This binary should then be signed with a key that shim already trusts (either a built-in key, one present in the platform firmware or one present in MOK) and placed in the same directory as shim with a filename starting "shim_certificate" (eg, "shim_certificate_oracle"). Shim will read multiple files and incorporate the signatures from all of them. Note that each section *must* be an EFI Signature List, not a raw certificate.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
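The commit message above requires that the .db section hold an EFI Signature List rather than a raw certificate, and the test steps earlier produce such a list (db.esl) with cert-to-efi-sig-list. The following is an added example, not code from this PR or from shim, that builds an EFI_SIGNATURE_LIST around a signature payload and validates a .db-style blob before it is embedded and signed; the signature-type GUIDs and the header layout are taken from the UEFI specification, and the certificate bytes used in the test are constructed stand-ins, not a real certificate.

```python
import struct
import uuid

# Well-known EFI signature type GUIDs from the UEFI spec (assumed set, not from the PR).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HDR = struct.Struct("<16sIII")


def build_esl(sig_data, owner=uuid.UUID(int=0), sig_type=EFI_CERT_X509_GUID):
    """Wrap one signature (e.g. a DER cert) in an EFI_SIGNATURE_LIST, like cert-to-efi-sig-list."""
    sig_size = 16 + len(sig_data)  # EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData
    return ESL_HDR.pack(sig_type.bytes_le, ESL_HDR.size + sig_size, 0, sig_size) + owner.bytes_le + sig_data


def parse_esl_blob(blob):
    """Parse concatenated EFI_SIGNATURE_LISTs into [(type_name, owner_uuid, data), ...].
    Raises ValueError on malformed input, including a raw DER certificate in place of an ESL."""
    entries, off = [], 0
    while off < len(blob):
        if blob[off:off + 2] == b"\x30\x82":  # DER SEQUENCE: a bare certificate, not an ESL
            raise ValueError("raw DER certificate found where an EFI Signature List is required")
        if len(blob) - off < ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=guid)
        if list_size < ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        body = blob[off + ESL_HDR.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the signature array")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != 16 + 32:
            raise ValueError("EFI_CERT_SHA256 entries must be exactly 48 bytes")
        for i in range(0, len(body), sig_size):  # each entry: owner GUID followed by the data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def esl_error(blob):
    """Return None if the blob is a well-formed ESL chain, else the reason it was rejected."""
    try:
        parse_esl_blob(blob)
        return None
    except ValueError as e:
        return str(e)
```

Running esl_error over the bytes of db.esl (or the extracted .db section of a shim_certificate binary) before signing catches the raw-certificate mistake the commit message warns about.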
ac25527 to 5debfb8
Nothing seems obviously wrong. (Will need vathpela's review too, of course.)
Please see the following as an RFC pull request for loading additional certificates from a signed EFI binary.
This work was originally done by @mjg59, I have ported parts of his code to 15.5 and refactored other pieces. #204
All testing was done using certmule (https://github.com/rhboot/certmule).