Message ID | 1362531497-2048-1-git-send-email-ivan.hu@canonical.com |
---|---|
State | Accepted |
On Wed, Mar 6, 2013 at 8:58 AM, Ivan Hu <ivan.hu@canonical.com> wrote: > From: IvanHu <ivan.hu@canonical.com> > > Check the variable KEK existence and Ubuntu master CA certificate presence > in KEK. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 44 ++++++++++++++++++++++++++++++ > 1 file changed, 44 insertions(+) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 60d55cb..0a36c41 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c 
> @@ -253,10 +253,51 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha > "The Microsoft UEFI CA certificate not found ."); > } > > +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "KEK")) > + return; > + > + var_found |= VAR_KEK_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + > + fwts_release *release = fwts_release_get(); > + if (release == NULL) { > + fwts_skipped(fw, "Cannot determine system, stop checking the Ubuntu Master CA certificate."); > + return; > + } > + > + if (strcmp(release->distributor, "Ubuntu") != 0) { > + fwts_skipped(fw, "Not a Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate."); > + fwts_release_free(release); > + return; > + } > + fwts_release_free(release); > + > + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); > + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) > + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); > + else { > + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname); > + fwts_infoonly(fw); > + } > +} > + > static securebootcert_info securebootcert_info_table[] = { > { "SecureBoot", securebootcert_secure_boot }, > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > + { "KEK", securebootcert_key_ex_key }, > { NULL, NULL } > }; 
> > @@ -358,6 +399,9 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable DB not found."); > + if (!(var_found & VAR_KEK_FOUND)) > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > + "The secure boot variable KEK not found."); > > fwts_uefi_free_variable_names(&name_list); > > -- > 1.7.10.4 > Acked-by: Keng-Yu Lin <kengyu@canonical.com>
On 06/03/13 00:58, Ivan Hu wrote: > From: IvanHu <ivan.hu@canonical.com> > > Check the variable KEK existence and Ubuntu master CA certificate presence > in KEK. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 44 ++++++++++++++++++++++++++++++ > 1 file changed, 44 insertions(+) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 60d55cb..0a36c41 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c 
> @@ -253,10 +253,51 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha > "The Microsoft UEFI CA certificate not found ."); > } > > +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "KEK")) > + return; > + > + var_found |= VAR_KEK_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + > + fwts_release *release = fwts_release_get(); > + if (release == NULL) { > + fwts_skipped(fw, "Cannot determine system, stop checking the Ubuntu Master CA certificate."); > + return; > + } > + > + if (strcmp(release->distributor, "Ubuntu") != 0) { > + fwts_skipped(fw, "Not a Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate."); > + fwts_release_free(release); > + return; > + } > + fwts_release_free(release); > + > + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname); > + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) > + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed."); > + else { > + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname); > + fwts_infoonly(fw); > + } > +} > + > static securebootcert_info securebootcert_info_table[] = { > { "SecureBoot", securebootcert_secure_boot }, > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > + { "KEK", securebootcert_key_ex_key }, > { NULL, NULL } > }; 
> > @@ -358,6 +399,9 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable DB not found."); > + if (!(var_found & VAR_KEK_FOUND)) > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > + "The secure boot variable KEK not found."); > > fwts_uefi_free_variable_names(&name_list); > > Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 60d55cb..0a36c41 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -253,10 +253,51 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
 "The Microsoft UEFI CA certificate not found .");
 }
 
+static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+
+ bool ident = false;
+ EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+ if (strcmp(varname, "KEK"))
+ return;
+
+ var_found |= VAR_KEK_FOUND;
+ ident = compare_guid(&global_var_guid, var->guid);
+
+ if (!ident) {
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+ "The secure boot variable %s GUID invalid.", varname);
+ return;
+ }
+
+ fwts_release *release = fwts_release_get();
+ if (release == NULL) {
+ fwts_skipped(fw, "Cannot determine system, stop checking the Ubuntu Master CA certificate.");
+ return;
+ }
+
+ if (strcmp(release->distributor, "Ubuntu") != 0) {
+ fwts_skipped(fw, "Not a Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate.");
+ fwts_release_free(release);
+ return;
+ }
+ fwts_release_free(release);
+
+ fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
+ if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
+ fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
+ else {
+ fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname);
+ fwts_infoonly(fw);
+ }
+}
+
 static securebootcert_info securebootcert_info_table[] = {
 { "SecureBoot", securebootcert_secure_boot },
 { "SetupMode", securebootcert_setup_mode },
 { "db", securebootcert_data_base },
+ { "KEK", securebootcert_key_ex_key },
 { NULL, NULL }
 };
 
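Review bot: securebootcert_key_ex_key validates the KEK's GUID but never looks at the variable's attributes, so a KEK that the firmware does not protect with time-based authenticated write access would still pass this test even though any runtime caller could then replace the enrolled keys; if the fwts_uefi_var handed to the handler carries the attributes the firmware returned, the GUID check is the natural place for `if (!(var->attributes & <AUTH_WRITE_ATTRIBUTE>)) fwts_failed(fw, LOG_LEVEL_HIGH, "<attribute-failure-label>", "The secure boot variable %s attributes invalid.", varname);` with its own label. The `bool ident = false;` temporary only carries the result of `compare_guid` to the next statement; `if (!compare_guid(&global_var_guid, var->guid)) {` says the same without it. The two `fwts_release_free(release)` calls could be merged by computing `bool is_ubuntu = strcmp(release->distributor, "Ubuntu") == 0;` before the single free and branching on that. A header comment such as `/* KEK: must exist under EFI_GLOBAL_VARIABLE; on Ubuntu, additionally report (info only) whether the Ubuntu UEFI CA 2011 key is enrolled. */` would help, since the function performs two unrelated checks with different severities.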
@@ -358,6 +399,9 @@ static int securebootcert_test1(fwts_framework *fw)
 if (!(var_found & VAR_DB_FOUND))
 fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 "The secure boot variable DB not found.");
+ if (!(var_found & VAR_KEK_FOUND))
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
+ "The secure boot variable KEK not found.");
 
 fwts_uefi_free_variable_names(&name_list);
 