SecurityPkg

Laurie Jarlstrom edited this page Nov 21, 2016 · 12 revisions
Clone this wiki locally

There are 4 security related features in SecurityPkg including TPM, User identification (UID), secure boot, and authenticated variable.

More information:

Table of Contents

TPM

The Trusted Platform Module (TPM) is a passive hardware device on the system board. UEFI TCG Measured Boot takes use of TPM device to construct the basic trusted computing environment based on S-CRTM (Static Core Root of Trust for Measurement). The implementation includes a set of TCG-compliant modules that provide the necessary functionality as described by the TCG specifications for the TPM component. These modules deeply rely on the TCG-defined specifications. Basically, they provide the capabilities to initialize and operate a TPM device and implement the TCG-defined services (performing measurement and logging data/events, physical presence, memory overwrite request, etc) for S-CRTM based attestation of the UEFI platform.

UID

The UID framework implements EFI_USER_MANAGER_PROTOCOL, EFI_USER_CREDENTIAL_PROTOCOL and EFI_DEFERRED_IMAGE_LOAD_PROTOCOL, and supports user identity management, user access privilege management, user identification policy management, static multi-factor authentication, and publishes the current user profile in the EFI System Configuration Table after user authentication.

Secure Boot

This secure boot mechanism allows the firmware to authenticate a UEFI image, such as an operating system loader or an option ROM. This provides the capability to ensure that the firmware drivers are loaded only in an owner-authorized fashion and provides a common means to ensure platforms security and integrity over systems running UEFI-based firmware.

Authenticated Variable

Authenticated variable service is an enhancement on Variable Service in UEFI, which provides a means to restrict operation on certain sensitive storage data. If the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is set, both the identity of operator and integrity of data will be authenticated before write the variable into storage.

Signing Tools

This section lists signing tools and resources for UEFI Secure Boot on Linux. It is far from an exhaustive list but hopefully will be a helpful starting point. This version was created Jan. 31, 2013 and will be updated periodically. Please send recommended changes to the edk2-devel@lists.01.org To join the email list goto: edk2-devel (NOTE: Do NOT send any personal information to the edk2-devel list.)

Linux tools for signing UEFI images

Tool Link
sbsigntool git://kernel.ubuntu.com/jk/sbsigntool
pesign https://github.com/vathpela/pesign

Linux Secure Boot Resources

    • UEFI Secure Boot support in several Linux distros,
    • creating keys and certificates,
    • signing images for development and production,
    • And more …

Link Description
Ubuntu
ubuntu OVMF tips, creating keys & certificates, configuring secure boot , signing test images with sbsign, updating key databases
jk.ozlabs.org creating keys & certificates, tools for signing variables and maintaining key databases
SUSE
overview Backgrounder
suse.com shim loader description
suse.com/details MOK description
en.opensuse.org Secure Boot in OVMF & lockdown.efi
en.opensuse.org Building EDK2
Fedora
fedoraproject.org Backgrounder
Secureboot Status
Testing Images for testing  
Linux Foundation
uefi-secure-boot using MS UEFI CA to sign images 

Signing - Secure Boot Results

a Linux Loaders and Kernels

  • EFI_STUB Kernel - has been signed with the Microsoft* SignTool and successfully secure booted. Fixes are available in tip:x86/efi branch at:
http://git.kernel.org/?p=linux/kernel/git/tip/tip.git;a=shortlog;h=refs/heads/x86/efi
  • efilinux Loader - has been signed with the Microsoft* SignTool and successfully secure booted. These fixes have been merged into the 'next' branch prior to being merged into the 'master' branch and a planned 1.1 release:
https://github.com/mfleming/efilinux
The .reloc section fix on x86-64 was merged into the efi-linux library’s sourceforge repository and a new version was released (3.0q).

UEFI Applications Built with UDK Linux Tool Chains

  • UDK GCC44 & GCC46 UDK Tool Chain
UEFI applications (such as HelloWorld.efi) built with the GCC44 and GCC46 UDK tool chains have been signed with the Microsoft* SignTool and successfully secure booted.
  • UDK UNIXGCC UDK Tool Chain
UEFI applications built with the UNIXGCC tool chain are not currently secure bootable. This problem is under investigation.

Images with Multiple Signatures

This section describes support for Authenticode-signed UEFI images with multiple signatures, references sample certificates and images and describes patches to enable this support .




1 Background



The Authenticode signature is in a location called the "Attribute Certificate Table" in a UEFI image. According to the UEFI and PE/COFF specifications, the Attribute Certificate Table is composed of a set of contiguous certificate entries (a list of certificates), and each certificate entry contains an independent Authenticode signature.



However, revision 2.3.1B of the UEFI Specification has no explicit description about the verification policy for the multiple certificate entries in a UEFI image, but the Authenticode specification does not preclude this case of multiple entries.



Currently, both the SignTool from MSFT and the DxeImageVerificationLib from the SecurityPkg on http://www.tianocore.org treat the Attribute Certificate Table as a single certificate. So if one re-signs a UEFI image with a new certificate, the MSFT SignTool will overwrite the old certificate entry with the new one. And the verification library assumes that there is only one certificate entry in the attribute certificate table.



Other Sign Tools are now emerging that can create UEFI images with multiple signatures.




2 Sample Images



Some sample UEFI images and their certificates can be found at: http://pjones.fedorapeople.org/multisign/



They are:









  • pjones.cer - public key with a DN that basically says "pjones"
  • PeterJones.cer - different public key with a DN that says "PeterJones" instead
  • hello-0.efi - "Normal, unsigned HelloWorld.efi
  • hello-1.efi - same binary, signed with "pjones"
  • hello-2.efi - same binary, signed with "pjones" and then with "PeterJones".


Note: the 28-Jun-2012 12:41 version of both .cer files [which] were corrupt.




3 DxeImageVerificationLib Patch



Verification of UEFI images with multiple signatures can be enabled with a small patch to the IsPkcsSignedDataVerifiedBySignatureList routine in SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c.



Patches are based based on SVN r13505

Rev2 handles N certificates in an image and validates each WIN_CERTIFICATE header found in the image

Rev1 only supported 2 certificates in an image.

  • Rev2 - patch <>
  • Rev1 – patch <>

4 Scenarios










  • Enroll pjones.cer in PK, KEK & DB,
    • both hello-1.efi and hello-2.efi run.
  • Enroll PeterJones.cer in PK, KEK & DB,
    • now only hello-2.efi runs.