New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stub: allow loading and verifying kernel command line addons #27358
Conversation
@medhefgo this works when going directly shim -> uki, but when going shim -> sd-boot -> uki the shim protocol is no longer available, do we need to do something to keep it around? |
That's just one of the many delights that shim brings us. It will always uninstall the protocol before executing the image (and then also fail to reinstall it if it happens to return successfully). And you can't insert an extra shim in between as it kills auto-detection of UKIs. Best thing is to get shim to change or call shim from a known location with the UKI cmdline as arguments. This code assumes use of shim, but what about support for custom sb keys? Also, I really don't see how this code is any better than having a cmdline allowlist with globs. |
Interesting, thanks, I had no idea - I've asked the shim folks, we'll see what they say
Is there a way to get the firmware to validate a PE (without actually executing it) in case there's no first stage?
Fully cryptographically verified payload to me is better than partially or not verified payload. Even if allowlist happens, I don't think it would disqualify supporting this use case, they could both be supported. |
I ask because I tried to use LoadImage, which naively I thought should suffice, but I'm getting "invalid parameter" out of it |
Never mind, turns out I am an eejit. Works now - if there's no shim or shim validation fails, falls back to LoadImage. |
also needs docs for the sd-stub addition |
If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Example use case in sd-boot/sd-stub: systemd/systemd#27358
If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Also delete it on startup, so that we can be sure it was really set by a second stage. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Also delete it on startup, so that we can be sure it was really set by a second stage. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
If the ShimRetainProtocol variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Also delete it on startup, so that we can be sure it was really set by a second stage. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
And so what? not sure what that has to do with anything? The point i was making is that sbat data allows blocking any kind of old resources and concepts, not just one kind of sw package. the first line in sbat is the version of the sbat spec basically, and that means you can block the concept that "sbat version 1" is. that's the key take-away. |
Files placed in /EFI/Linux/UKI.efi.extra.d/ and /loader/addons/ are opened and verified using the LoadImage protocol, and will thus get verified via shim/firmware. If they are valid signed PE files, the .cmdline section will be extracted and appended. If there are multiple addons in each directory, they will be parsed in alphanumerical order. Optionally the .uname sections are also matched if present, so that they can be used to filter out addons as well if needed, and only addons that correspond exactly to the UKI being loaded are used. It is recommended to also always add a .sbat section to addons, so that they can be mass-revoked with just a policy update. The files must have a .addon.efi suffix. Files in the per-UKI directory are parsed, sorted, measured and appended first. Then, files in the generic directory are processed.
No issue with documenting stuff - updated now. Using measurements is not only about measured boot, but also attestation - if someone is playing games with ordering of addons, PCR12 will change, and an attestation service will notice it. |
still think we should quickly add osrel matching. but anyway, can come later. PR looks good. lets merge. |
@bluca I have some issues running this stuff. In particular, it seems that |
How are you testing it? IE, what's the chain, which shim version, and how did you create the addon |
chain is |
What if you add sd-boot after shim? |
also you are creating the addon with the linux stub - use the addon stub instead |
|
I don't think we plan to use sd-boot atm |
how do I generate the addon stub? |
sure, but it's to figure out what's the difference in the setups, for me shim -> sd-boot -> sd-stub -> addon works, and also sd-boot -> sd-stub -> addon works the addon stub is built automatically on latest main after this PR, it's in the same build dir as the linux one |
so: using the addon stub doesn't change the outcome, still access denied :/ |
actually I got confused, also |
You need to build shim from the main branch, then install systemd-boot normally with bootctl, and install shim as the entry point, the ESP layout will look like:
|
and shim is built with |
Ok apparently the issue was with ukify. Giving |
mmh that sounds wrong @keszybz shouldn't |
Anyways, I am happy to confirm that this works using shim->stub (without sd-boot) 🎉 |
If the ShimRetainProtocol variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Also delete it on startup, so that we can be sure it was really set by a second stage. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
No description provided.