Message ID | 1481869523-7395-2-git-send-email-ivan.hu@canonical.com |
---|---|
State | Accepted |
On 16/12/16 06:25, Ivan Hu wrote: > UEFI 2.6 add the AuditMode global variable for secure boot, so also check the > AuditMode variable in this test. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 61 +++++++++++++++++++++++++++++--- > 1 file changed, 56 insertions(+), 5 deletions(-) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 69abaa5..2f7de50 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c > @@ -47,10 +47,11 @@ typedef struct _EFI_SIGNATURE_LIST { > uint32_t SignatureSize; > } __attribute__((packed)) EFI_SIGNATURE_LIST; > > -#define VAR_SECUREBOOT_FOUND 1 > -#define VAR_SETUPMODE_FOUND 2 > -#define VAR_DB_FOUND 4 > -#define VAR_KEK_FOUND 8 > +#define VAR_SECUREBOOT_FOUND (1 << 0) > +#define VAR_SETUPMODE_FOUND (1 << 1) > +#define VAR_DB_FOUND (1 << 2) > +#define VAR_KEK_FOUND (1 << 3) > +#define VAR_AUDITMODE_FOUND (1 << 4) > > #define EFI_GLOBAL_VARIABLE \ > { \ > @@ -156,7 +157,7 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch > > switch (value) { > case 0: > - mode = " (User Mode)"; > + mode = ""; > break; > case 1: > mode = " (Setup Mode)"; 
> @@ -171,6 +172,47 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch > } > } > > +static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "AuditMode")) > + return; > + > + var_found |= VAR_AUDITMODE_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + if (var->datalen != 1) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid", > + "The secure boot variable %s size invalid.", varname); > + } else { > + char *mode; > + uint8_t value = (uint8_t)var->data[0]; > + > + switch (value) { > + case 0: > + mode = ""; > + break; > + case 1: > + mode = " (Audit Mode)"; > + break; > + default: > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid", > + "The secure boot variable %s data invalid.", varname); > + return; > + } > + fwts_log_info_verbatim(fw, " Value: 0x%2.2" PRIx8 "%s.", value, mode); > + fwts_passed(fw, "Secure boot relative variable %s check passed.", varname); > + } > +} > + > static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len) > { > uint8_t *var_data_addr; > @@ -305,6 +347,7 @@ static securebootcert_info securebootcert_info_table[] = { > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > { "KEK", securebootcert_key_ex_key }, > + { "AuditMode", securebootcert_audit_mode }, > { NULL, NULL } > }; 
> > @@ -372,6 +415,14 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_SETUPMODE_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable SetupMode not found."); > + if (!(var_found & VAR_AUDITMODE_FOUND)) { > + fwts_warning(fw, "The secure boot variable AuditMode not found."); > + fwts_advice(fw, > + "AuditMode global variable is defined in the UEFI " > + "Specification 2.6 for new secure boot architecture. " > + "It may because the firmware hasn't been updated to " > + "support the UEFI Specification 2.6."); > + } > if (securebooted) { > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > Thanks Ivan Acked-by: Colin Ian King <colin.king@canonical.com>
On 2016-12-15 10:25 PM, Ivan Hu wrote: > UEFI 2.6 add the AuditMode global variable for secure boot, so also check the > AuditMode variable in this test. > > Signed-off-by: Ivan Hu <ivan.hu@canonical.com> > --- > src/uefi/securebootcert/securebootcert.c | 61 +++++++++++++++++++++++++++++--- > 1 file changed, 56 insertions(+), 5 deletions(-) > > diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c > index 69abaa5..2f7de50 100644 > --- a/src/uefi/securebootcert/securebootcert.c > +++ b/src/uefi/securebootcert/securebootcert.c > @@ -47,10 +47,11 @@ typedef struct _EFI_SIGNATURE_LIST { > uint32_t SignatureSize; > } __attribute__((packed)) EFI_SIGNATURE_LIST; > > -#define VAR_SECUREBOOT_FOUND 1 > -#define VAR_SETUPMODE_FOUND 2 > -#define VAR_DB_FOUND 4 > -#define VAR_KEK_FOUND 8 > +#define VAR_SECUREBOOT_FOUND (1 << 0) > +#define VAR_SETUPMODE_FOUND (1 << 1) > +#define VAR_DB_FOUND (1 << 2) > +#define VAR_KEK_FOUND (1 << 3) > +#define VAR_AUDITMODE_FOUND (1 << 4) > > #define EFI_GLOBAL_VARIABLE \ > { \ > @@ -156,7 +157,7 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch > > switch (value) { > case 0: > - mode = " (User Mode)"; > + mode = ""; > break; > case 1: > mode = " (Setup Mode)"; 
> @@ -171,6 +172,47 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch > } > } > > +static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname) > +{ > + > + bool ident = false; > + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE; > + > + if (strcmp(varname, "AuditMode")) > + return; > + > + var_found |= VAR_AUDITMODE_FOUND; > + ident = compare_guid(&global_var_guid, var->guid); > + > + if (!ident) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid", > + "The secure boot variable %s GUID invalid.", varname); > + return; > + } > + if (var->datalen != 1) { > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid", > + "The secure boot variable %s size invalid.", varname); > + } else { > + char *mode; > + uint8_t value = (uint8_t)var->data[0]; > + > + switch (value) { > + case 0: > + mode = ""; > + break; > + case 1: > + mode = " (Audit Mode)"; > + break; > + default: > + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid", > + "The secure boot variable %s data invalid.", varname); > + return; > + } > + fwts_log_info_verbatim(fw, " Value: 0x%2.2" PRIx8 "%s.", value, mode); > + fwts_passed(fw, "Secure boot relative variable %s check passed.", varname); > + } > +} > + > static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len) > { > uint8_t *var_data_addr; > @@ -305,6 +347,7 @@ static securebootcert_info securebootcert_info_table[] = { > { "SetupMode", securebootcert_setup_mode }, > { "db", securebootcert_data_base }, > { "KEK", securebootcert_key_ex_key }, > + { "AuditMode", securebootcert_audit_mode }, > { NULL, NULL } > }; 
> > @@ -372,6 +415,14 @@ static int securebootcert_test1(fwts_framework *fw) > if (!(var_found & VAR_SETUPMODE_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > "The secure boot variable SetupMode not found."); > + if (!(var_found & VAR_AUDITMODE_FOUND)) { > + fwts_warning(fw, "The secure boot variable AuditMode not found."); > + fwts_advice(fw, > + "AuditMode global variable is defined in the UEFI " > + "Specification 2.6 for new secure boot architecture. " > + "It may because the firmware hasn't been updated to " > + "support the UEFI Specification 2.6."); > + } > if (securebooted) { > if (!(var_found & VAR_DB_FOUND)) > fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", > Acked-by: Alex Hung <alex.hung@canonical.com>
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 69abaa5..2f7de50 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -47,10 +47,11 @@ typedef struct _EFI_SIGNATURE_LIST {
 uint32_t SignatureSize;
 } __attribute__((packed)) EFI_SIGNATURE_LIST;
-#define VAR_SECUREBOOT_FOUND 1
-#define VAR_SETUPMODE_FOUND 2
-#define VAR_DB_FOUND 4
-#define VAR_KEK_FOUND 8
+#define VAR_SECUREBOOT_FOUND (1 << 0)
+#define VAR_SETUPMODE_FOUND (1 << 1)
+#define VAR_DB_FOUND (1 << 2)
+#define VAR_KEK_FOUND (1 << 3)
+#define VAR_AUDITMODE_FOUND (1 << 4)
 #define EFI_GLOBAL_VARIABLE \
 { \
@@ -156,7 +157,7 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
 switch (value) {
 case 0:
- mode = " (User Mode)";
+ mode = "";
 break;
 case 1:
 mode = " (Setup Mode)";
@@ -171,6 +172,47 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
 }
 }
+static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+
+ bool ident = false;
+ EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+ if (strcmp(varname, "AuditMode"))
+ return;
+
+ var_found |= VAR_AUDITMODE_FOUND;
+ ident = compare_guid(&global_var_guid, var->guid);
+
+ if (!ident) {
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+ "The secure boot variable %s GUID invalid.", varname);
+ return;
+ }
+ if (var->datalen != 1) {
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid",
+ "The secure boot variable %s size invalid.", varname);
+ } else {
+ char *mode;
+ uint8_t value = (uint8_t)var->data[0];
+
+ switch (value) {
+ case 0:
+ mode = "";
+ break;
+ case 1:
+ mode = " (Audit Mode)";
+ break;
+ default:
+ fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid",
+ "The secure boot variable %s data invalid.", varname);
+ return;
+ }
+ fwts_log_info_verbatim(fw, " Value: 0x%2.2" PRIx8 "%s.", value, mode);
+ fwts_passed(fw, "Secure boot relative variable %s check passed.", varname);
+ }
+}
+
 static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len)
 {
 uint8_t *var_data_addr;
@@ -305,6 +347,7 @@ static securebootcert_info securebootcert_info_table[] = {
 { "SetupMode", securebootcert_setup_mode },
 { "db", securebootcert_data_base },
 { "KEK", securebootcert_key_ex_key },
+ { "AuditMode", securebootcert_audit_mode },
 { NULL, NULL }
 };
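Review bot: In securebootcert_audit_mode, a value of 1 is labelled " (Audit Mode)" and then reported through fwts_passed exactly like value 0, yet as I read UEFI 2.6 the AuditMode state is the one in which the firmware records image verification results without enforcing them, so a tester reading "check passed" gets no hint that signature enforcement is off on that machine; consider emitting an advice line in `case 1:` alongside the label, e.g. `fwts_advice(fw, "AuditMode is set: firmware is in audit mode, where image verification results are recorded but not enforced.");`, leaving the pass verdict as is. Minor style point in the same function: `bool ident = false;` is overwritten unconditionally by the compare_guid() call before it is read, so the initializer is dead and the test reads more directly as `if (!compare_guid(&global_var_guid, var->guid)) {`. The function also mirrors securebootcert_setup_mode almost line for line (GUID check, datalen == 1 check, 0/1 switch, verbatim log, pass), so a shared static helper taking the mode-1 label would keep the two in step; I hedge that since most of setup_mode's body lies outside this hunk.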
@@ -372,6 +415,14 @@ static int securebootcert_test1(fwts_framework *fw)
 if (!(var_found & VAR_SETUPMODE_FOUND))
 fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 "The secure boot variable SetupMode not found.");
+ if (!(var_found & VAR_AUDITMODE_FOUND)) {
+ fwts_warning(fw, "The secure boot variable AuditMode not found.");
+ fwts_advice(fw,
+ "AuditMode global variable is defined in the UEFI "
+ "Specification 2.6 for new secure boot architecture. "
+ "It may because the firmware hasn't been updated to "
+ "support the UEFI Specification 2.6.");
+ }
 if (securebooted) {
 if (!(var_found & VAR_DB_FOUND))
 fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
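Review bot: The user-facing advice string added here has a grammar slip that will show up verbatim in fwts reports: `"It may because the firmware hasn't been updated to "` should read `"This may be because the firmware has not been updated to "`, and "for new secure boot architecture" reads better as "for the new secure boot architecture". Downgrading a missing AuditMode to a warning rather than a failure is reasonable since pre-2.6 firmware legitimately lacks it, but a short comment above the `if` saying exactly that (`/* AuditMode only exists on UEFI 2.6+ firmware, so absence is a warning, not a failure */`) would stop a later reader from "fixing" it to fwts_failed for consistency with the SetupMode check just above. The enclosing securebootcert_test1 begins before this hunk, so I cannot see whether the same treatment is wanted for the companion variable UEFI 2.6 introduces with AuditMode; worth a follow-up if not already covered.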
UEFI 2.6 adds the AuditMode global variable for secure boot, so also check the AuditMode variable in this test. Signed-off-by: Ivan Hu <ivan.hu@canonical.com> --- src/uefi/securebootcert/securebootcert.c | 61 +++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 5 deletions(-)