search

fwupd / fwupd-efi

EFI Application used by uefi-capsule plugin in fwupd
GNU Lesser General Public License v2.1
36 stars 18 forks source link

Provide some documentation about authentication of applied updates #105

Open rhertzog opened 3 days ago

rhertzog commented 3 days ago

Hello,

we recently went through the process of getting our shim signed by Microsoft and that entails a review of what the shim is allowed to load. And the fwupd.efi binary is one of the signed binaries that are allowed to be executed.

Thus the organization going through this process have to answers questions like those:

  • If your SHIM launches any other components, please provide further details on what is launched and how the component prevents execution of unauthenticated code.
  • Do any of the products in this submission take any user input? If so, what input validation is performed?
  • Do any of the products in this submission take any programmatic input (files on disk, UEFI variables, etc.)? If so, what input validation is performed?

It would thus be nice if the README or some other easy-to-find documentation could provide some description of fwupd.efi's implementation that would provide answers of the above questions.

From what I understood, the fwupd client tweaks some UEFI variables to request fwupd.efi to be called on next boot, and then this binary merely uses the UpdateCapsule UEFI call to apply the updates. Thus the updates are authenticated by the UEFI firmware, i.e. each capsule has its own signature that must validate with one of the keys enrolled in the UEFI keyring.

AFAIK, the fwupd.efi binary has no user-interaction, and it merely uses a couple of UEFI variables to figure out which capsules to execute.

It would be nice if you could provide that kind of overview (maybe with a few more details) for the benefit of other entities who have to go through this process.

(cf https://github.com/rhboot/shim-review/issues/435#issuecomment-2353477457 and subsequent messages for some context, and https://gist.github.com/rhertzog/7efd1f78212e2708ba64d3dc3190095f for our own answers to Microsoft if they can help you)

hughsie commented 22 hours ago

@rhertzog I was thinking of something like this, comments very welcome: https://docs.google.com/document/d/13hn9gzRFDw4dPgRwtiGb9DnUUEi9x4NJFQM-IOO2pUw/edit?usp=sharing

rhertzog commented 18 hours ago

@rhertzog I was thinking of something like this, comments very welcome

Looks great. I left a small comment to try to not present this as pre-filled answers that one can safely copy-paste.