From patchwork Fri Dec 16 06:25:22 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ivan Hu <ivan.hu@canonical.com>
X-Patchwork-Id: 706337
Return-Path: <fwts-devel-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3tg0g91g6Sz9t2b;
	Fri, 16 Dec 2016 17:25:41 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <fwts-devel-bounces@lists.ubuntu.com>)
	id 1cHlxc-0005gS-3z; Fri, 16 Dec 2016 06:25:40 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <ivan.hu@canonical.com>) id 1cHlxU-0005fO-Kq
	for fwts-devel@lists.ubuntu.com; Fri, 16 Dec 2016 06:25:32 +0000
Received: from [175.41.48.77] (helo=canonical.com)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <ivan.hu@canonical.com>)
	id 1cHlxT-0001yt-Sv; Fri, 16 Dec 2016 06:25:32 +0000
From: Ivan Hu <ivan.hu@canonical.com>
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH 1/2] securebootcert: add variable AuditMode checking
Date: Fri, 16 Dec 2016 14:25:22 +0800
Message-Id: <1481869523-7395-2-git-send-email-ivan.hu@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1481869523-7395-1-git-send-email-ivan.hu@canonical.com>
References: <1481869523-7395-1-git-send-email-ivan.hu@canonical.com>
X-BeenThere: fwts-devel@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Firmware Test Suite Development <fwts-devel.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/fwts-devel>,
	<mailto:fwts-devel-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/fwts-devel>
List-Post: <mailto:fwts-devel@lists.ubuntu.com>
List-Help: <mailto:fwts-devel-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/fwts-devel>,
	<mailto:fwts-devel-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: fwts-devel-bounces@lists.ubuntu.com
Sender: fwts-devel-bounces@lists.ubuntu.com

UEFI 2.6 add the AuditMode global variable for secure boot, so also check the
AuditMode variable in this test.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Alex Hung <alex.hung@canonical.com>
---
 src/uefi/securebootcert/securebootcert.c | 61 +++++++++++++++++++++++++++++---
 1 file changed, 56 insertions(+), 5 deletions(-)

diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 69abaa5..2f7de50 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -47,10 +47,11 @@ typedef struct _EFI_SIGNATURE_LIST {
 	uint32_t	SignatureSize;
 } __attribute__((packed)) EFI_SIGNATURE_LIST;
 
-#define VAR_SECUREBOOT_FOUND	1
-#define VAR_SETUPMODE_FOUND	2
-#define VAR_DB_FOUND		4
-#define VAR_KEK_FOUND		8
+#define VAR_SECUREBOOT_FOUND	(1 << 0)
+#define VAR_SETUPMODE_FOUND	(1 << 1)
+#define VAR_DB_FOUND		(1 << 2)
+#define VAR_KEK_FOUND		(1 << 3)
+#define VAR_AUDITMODE_FOUND	(1 << 4)
 
 #define EFI_GLOBAL_VARIABLE \
 { \
@@ -156,7 +157,7 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
 
 		switch (value) {
 		case 0:
-			mode = " (User Mode)";
+			mode = "";
 			break;
 		case 1:
 			mode = " (Setup Mode)";
@@ -171,6 +172,47 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
 	}
 }
 
+static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname)
+{
+
+	bool ident = false;
+	EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
+
+	if (strcmp(varname, "AuditMode"))
+		return;
+
+	var_found |= VAR_AUDITMODE_FOUND;
+	ident = compare_guid(&global_var_guid, var->guid);
+
+	if (!ident) {
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
+			"The secure boot variable %s GUID invalid.", varname);
+		return;
+	}
+	if (var->datalen != 1) {
+		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid",
+			"The secure boot variable %s size invalid.", varname);
+	} else {
+		char *mode;
+		uint8_t value = (uint8_t)var->data[0];
+
+		switch (value) {
+		case 0:
+			mode = "";
+			break;
+		case 1:
+			mode = " (Audit Mode)";
+			break;
+		default:
+			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid",
+				"The secure boot variable %s data invalid.", varname);
+			return;
+		}
+		fwts_log_info_verbatim(fw, "  Value: 0x%2.2" PRIx8 "%s.", value, mode);
+		fwts_passed(fw, "Secure boot relative variable %s check passed.", varname);
+	}
+}
+
 static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len)
 {
 	uint8_t *var_data_addr;
@@ -305,6 +347,7 @@ static securebootcert_info securebootcert_info_table[] = {
 	{ "SetupMode",		securebootcert_setup_mode },
 	{ "db",			securebootcert_data_base },
 	{ "KEK",		securebootcert_key_ex_key },
+	{ "AuditMode",		securebootcert_audit_mode },
 	{ NULL, NULL }
 };
 
@@ -372,6 +415,14 @@ static int securebootcert_test1(fwts_framework *fw)
 	if (!(var_found & VAR_SETUPMODE_FOUND))
 		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
 			"The secure boot variable SetupMode not found.");
+	if (!(var_found & VAR_AUDITMODE_FOUND)) {
+		fwts_warning(fw, "The secure boot variable AuditMode not found.");
+		fwts_advice(fw,
+			"AuditMode global variable is defined in the UEFI "
+			"Specification 2.6 for new secure boot architecture. "
+			"It may because the firmware hasn't been updated to "
+			"support the UEFI Specification 2.6.");
+	}
 	if (securebooted) {
 		if (!(var_found & VAR_DB_FOUND))
 			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",