xcp-ng / uefistored

Variables store for UEFI guests. Note: in XCP-ng 8.3+, we switched to varstored in order to share a common implementation with XenServer.
GNU General Public License v2.0

Secureboot certs uniform args #26

Closed beshleman closed 2 years ago

beshleman commented 3 years ago
This commit adds support for secureboot-certs to accept any of the
following formats as input files:
    - EFI auth
    - DER-encoded X509
    - PEM-encoded X509

secureboot-certs internally converts all of these file formats into an
auth file.  Besides making life easier for users, this also allows users
to put multiple certificates together into a single auth file and pass
in that auth file to secureboot-certs.

This commit does NOT support passing in multiple PEM/DER encoded X509
certificates for a single UEFI variable. If a user wishes to do this,
they must use a tool like `create-auth` or `efitools` to bundle the X509
certificates into a single EFI auth file and pass that to
secureboot-certs.

Testing

This was tested using the following files (existing internally on Vates Env B machine 22):

/root/test-certs
├── auth
│   ├── db.auth
│   ├── dbx.auth
│   ├── KEK.auth
│   └── PK.auth
├── crt
│   ├── db.crt
│   ├── KEK.crt
│   └── PK.crt
├── der
│   ├── db.der
│   ├── KEK.der
│   └── PK.der
└── test.sh

Then running test.sh:

#!/bin/bash

set -e

for ext in der crt auth;
do
    /root/secureboot-certs-test install ${ext}/PK.${ext} ${ext}/KEK.${ext} ${ext}/db.${ext} auth/dbx.auth
done

secureboot-certs-test is the script that contains this commit.

These certs are the proper certs for booting Windows (not Linux!). The dbx is from UEFI's 2014 release from the archive. It was tested separately that the dbx accepts DER/PEM certs, but the certs are not included here because typically the dbx includes hashes and/or certificates, not just certificates.

The certs were checked to be the correct values using secureboot-certs report. And Windows was verified to boot with SB enabled.

stormi commented 2 years ago

I just tested with a file in the wrong format, and the output somewhat regressed, as we now get a backtrace and an exception rather than a user-friendly error message:

Traceback (most recent call last):
  File "/usr/sbin/secureboot-certs", line 807, in <module>
    install(session, args)
  File "/usr/sbin/secureboot-certs", line 363, in install
    paths[name] = convert_to_auth(name, p, priv)
  File "/usr/sbin/secureboot-certs", line 409, in convert_to_auth
    "file %s is not a valid auth file or x509 certificate" % path
RuntimeError: file /root/uefistored-debuginfo-1.1.1-1.0.stormi.1.xcpng8.2.x86_64.rpm is not a valid auth file or x509 certificate

beshleman commented 2 years ago

> I just tested with a file in the wrong format, and the output somewhat regressed, as we now get a backtrace and an exception rather than a user-friendly error message:
>
> Traceback (most recent call last):
>   File "/usr/sbin/secureboot-certs", line 807, in <module>
>     install(session, args)
>   File "/usr/sbin/secureboot-certs", line 363, in install
>     paths[name] = convert_to_auth(name, p, priv)
>   File "/usr/sbin/secureboot-certs", line 409, in convert_to_auth
>     "file %s is not a valid auth file or x509 certificate" % path
> RuntimeError: file /root/uefistored-debuginfo-1.1.1-1.0.stormi.1.xcpng8.2.x86_64.rpm is not a valid auth file or x509 certificate

Fixed in newest rev.
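
The input handling discussed in this thread, as an added example (not code from this pull request or from secureboot-certs): it classifies a file as EFI auth, DER or PEM from its bytes and turns an unrecognized file into a one-line error with an exit code instead of a traceback. The function names, the byte-level checks and the message wording are assumptions made for illustration.

```python
import base64
import re
import struct
import uuid

# Hypothetical helpers for illustration; not the functions in secureboot-certs.
# EFI_CERT_TYPE_PKCS7_GUID and WIN_CERT_TYPE_EFI_GUID come from the UEFI spec.
PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_der_sequence(data):
    """True if data is exactly one DER SEQUENCE (the outer shape of an X509 cert)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return 'auth', 'der' or 'pem'; raise ValueError for anything else."""
    # EFI_VARIABLE_AUTHENTICATION_2: 16-byte EFI_TIME, then WIN_CERTIFICATE_UEFI_GUID
    if len(data) >= 40:
        dw_length, revision, cert_type = struct.unpack_from("<IHH", data, 16)
        if (revision == 0x0200 and cert_type == WIN_CERT_TYPE_EFI_GUID
                and data[24:40] == PKCS7_GUID and 24 <= dw_length <= len(data) - 16):
            return "auth"
    if is_der_sequence(data):
        return "der"
    m = PEM_RE.search(data)
    try:
        body = b"".join(m.group(1).split()) if m else b""
        if is_der_sequence(base64.b64decode(body, validate=True)):
            return "pem"
    except ValueError:                    # binascii.Error is a ValueError subclass
        pass
    raise ValueError("not a valid auth file or x509 certificate")

def check_input(path, data):
    """Return (exit_code, message) so a CLI can report the problem without a traceback."""
    try:
        return 0, "%s: %s" % (path, classify(data))
    except ValueError as exc:
        return 1, "error: file %s is %s" % (path, exc)
```

These checks only look at the container shape; they do not validate the certificate contents or the PKCS#7 signature inside an auth file.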