Message ID | 20170829200115.GF4452@olila.local.net-space.pl (mailing list archive)
---|---
State | New, archived
On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> Hey Tamas,
>
> Sorry for the late reply. I was on vacation.
>
> On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>
> [...]
>
>> > UEFI will verify shim secure boot signature then shim will verify GRUB2
>> > signature then GRUB2 will verify (with shim protocol) Xen signature and
>> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
>> > your kernel can verify modules using whatever you want.
>> >
>> >> I would be happy to work to help achieve this.
>> >
>> > There is a chance that I will have something very raw at the beginning
>> > of June. If you wish to do tests drop me a line.
>>
>> Hi Daniel,
>> is there any news on this? I would be interested in giving this a shot too.
>
> Please look at
>
> https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>
> and at
>
> https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>
> Attachments contain the same patches as above but rebased on latest
> GRUB2 and Xen git repositories.
>
> Due to some travel I am going to restart work on this in the second
> half of September.
>
> If you have any questions please drop me a line.
>

Hi Daniel,
thanks for the update, I'll give it a shot today to set it up. On a
somewhat related note, are you aware of any work on getting secure
boot + UEFI working in a guest? There is a PoC patch on OpenXT
(https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
there are any parallel efforts ongoing.

Thanks,
Tamas
On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> > Hey Tamas,
> >
> > Sorry for the late reply. I was on vacation.
> >
> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >
> > [...]
> >
> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> >> > your kernel can verify modules using whatever you want.
> >> >
> >> >> I would be happy to work to help achieve this.
> >> >
> >> > There is a chance that I will have something very raw at the beginning
> >> > of June. If you wish to do tests drop me a line.
> >>
> >> Hi Daniel,
> >> is there any news on this? I would be interested in giving this a shot too.
> >
> > Please look at
> >
> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >
> > and at
> >
> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >
> > Attachments contain the same patches as above but rebased on latest
> > GRUB2 and Xen git repositories.
> >
> > Due to some travel I am going to restart work on this in the second
> > half of September.
> >
> > If you have any questions please drop me a line.
> >
>
> Hi Daniel,
> thanks for the update, I'll give it a shot today to set it up. On a
> somewhat related note, are you aware of any work on getting secure
> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
> there are any parallel efforts ongoing.

I do not follow this issue in detail. However, I suppose that if OVMF
supports UEFI secure boot (well, QEMU has to enable SMM support too;
I do not know whether it works with Xen or not) then the guest should work
without any issue. Just guessing...

Daniel
On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> > Hey Tamas,
>> >
>> > Sorry for the late reply. I was on vacation.
>> >
>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> >
>> > [...]
>> >
>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
>> >> > your kernel can verify modules using whatever you want.
>> >> >
>> >> >> I would be happy to work to help achieve this.
>> >> >
>> >> > There is a chance that I will have something very raw at the beginning
>> >> > of June. If you wish to do tests drop me a line.
>> >>
>> >> Hi Daniel,
>> >> is there any news on this? I would be interested in giving this a shot too.
>> >
>> > Please look at
>> >
>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>> >
>> > and at
>> >
>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>> >
>> > Attachments contain the same patches as above but rebased on latest
>> > GRUB2 and Xen git repositories.
>> >
>> > Due to some travel I am going to restart work on this in the second
>> > half of September.
>> >
>> > If you have any questions please drop me a line.
>> >
>>
>> Hi Daniel,
>> thanks for the update, I'll give it a shot today to set it up. On a
>> somewhat related note, are you aware of any work on getting secure
>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
>> there are any parallel efforts ongoing.
>
> I do not follow this issue in detail. However, I suppose that if OVMF
> supports UEFI secure boot (well, QEMU has to enable SMM support too;
> I do not know whether it works with Xen or not) then the guest should work
> without any issue. Just guessing...
>

Sure, was just wondering if you are aware of anyone looking at that.

In other news I was able to get your patches working and have been
able to boot with Secure boot enabled as far as shim -> signed grub ->
signed linux without initrd. If I boot a signed version of Xen from
grub it goes as far as setup_efi_pci but then the system reboots
without anything else being printed on the screen. I haven't been able
to debug it any further yet.

Tamas
On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel <tamas.k.lengyel@gmail.com> wrote:
> On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
>>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>>> > Hey Tamas,
>>> >
>>> > Sorry for the late reply. I was on vacation.
>>> >
>>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>>> >
>>> > [...]
>>> >
>>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
>>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
>>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
>>> >> > your kernel can verify modules using whatever you want.
>>> >> >
>>> >> >> I would be happy to work to help achieve this.
>>> >> >
>>> >> > There is a chance that I will have something very raw at the beginning
>>> >> > of June. If you wish to do tests drop me a line.
>>> >>
>>> >> Hi Daniel,
>>> >> is there any news on this? I would be interested in giving this a shot too.
>>> >
>>> > Please look at
>>> >
>>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>>> >
>>> > and at
>>> >
>>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>>> >
>>> > Attachments contain the same patches as above but rebased on latest
>>> > GRUB2 and Xen git repositories.
>>> >
>>> > Due to some travel I am going to restart work on this in the second
>>> > half of September.
>>> >
>>> > If you have any questions please drop me a line.
>>> >
>>>
>>> Hi Daniel,
>>> thanks for the update, I'll give it a shot today to set it up. On a
>>> somewhat related note, are you aware of any work on getting secure
>>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
>>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
>>> there are any parallel efforts ongoing.
>>
>> I do not follow this issue in detail. However, I suppose that if OVMF
>> supports UEFI secure boot (well, QEMU has to enable SMM support too;
>> I do not know whether it works with Xen or not) then the guest should work
>> without any issue. Just guessing...
>>
>
> Sure, was just wondering if you are aware of anyone looking at that.
>
> In other news I was able to get your patches working and have been
> able to boot with Secure boot enabled as far as shim -> signed grub ->
> signed linux without initrd. If I boot a signed version of Xen from
> grub it goes as far as setup_efi_pci but then the system reboots
> without anything else being printed on the screen. I haven't been able
> to debug it any further yet.
>

Daniel,
just FYI the xen.mb.efi generated with your patches causes pesign to segfault:

cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
Segmentation fault

Tamas
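The pesign failure reported above comes from its digest routine rejecting a section header whose addresses do not fit the image it is about to hash. The script below is an added example for this thread and is not code from GRUB, Xen, shim or pesign: it builds a small constructed PE32+ image, runs the section-table consistency checks a signing tool has to perform before it can compute the Authenticode digest, and then computes that digest so it is visible which bytes the signature covers (section contents) and which it skips (the CheckSum field and the certificate directory entry). The image layout, section names, sizes and the wording of the check messages are this example's own assumptions; pesign's internal checks and messages differ in detail.

```python
"""PE section-table sanity checks and an Authenticode-style digest. Added example
for this thread, not code from GRUB, Xen, shim or pesign; the image is constructed."""
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B
OPT_HDR_SIZE = 240              # PE32+ optional header incl. 16 data directories
SECTION_HDR_SIZE = 40
TEXT = b"\x90" * 16 + b"\xc3"   # constructed .text payload

def build_image(sections, size_of_image, size_of_headers=0x200):
    """Minimal PE32+ file; sections = [(name, va, raw_ptr, raw_size, payload)]."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # Section/FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum field
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), raw_size, va,
                    raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, raw_ptr, raw_size, _ in sections)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    if len(headers) > size_of_headers:
        raise ValueError("headers do not fit in SizeOfHeaders")
    image = bytearray(headers.ljust(size_of_headers, b"\0"))
    for _, _, raw_ptr, raw_size, payload in sections:
        image.extend(b"\0" * max(0, raw_ptr + raw_size - len(image)))
        chunk = payload[:raw_size]
        image[raw_ptr:raw_ptr + len(chunk)] = chunk
    return bytes(image)

def parse_headers(data):
    # Optional-header offset, magic, SizeOfImage/SizeOfHeaders and the section table.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * SECTION_HDR_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"opt": opt, "magic": magic, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}

def check_sections(data):
    """Return a list of problems; empty means the section table is consistent."""
    hdr, problems = parse_headers(data), []
    for s in hdr["sections"]:
        n, span = s["name"], max(s["vsize"], s["raw_size"])
        if s["va"] + span > hdr["size_of_image"]:
            problems.append(f'section "{n}" has invalid address: '
                            f'0x{s["va"]:x}+0x{span:x} exceeds SizeOfImage')
        if s["raw_size"] and s["raw_ptr"] < hdr["size_of_headers"]:
            problems.append(f'section "{n}" raw data overlaps the headers')
        if s["raw_ptr"] + s["raw_size"] > len(data):
            problems.append(f'section "{n}" raw data runs past end of file')
    by_file = sorted((s for s in hdr["sections"] if s["raw_size"]), key=lambda s: s["raw_ptr"])
    for a, b in zip(by_file, by_file[1:]):
        if a["raw_ptr"] + a["raw_size"] > b["raw_ptr"]:
            problems.append(f'sections "{a["name"]}" and "{b["name"]}" overlap in the file')
    return problems

def authenticode_digest(data):
    """SHA-256 as Authenticode hashes a PE: headers minus CheckSum and the Certificate
    Table directory entry, then section raw data in PointerToRawData order."""
    hdr = parse_headers(data)
    opt = hdr["opt"]
    checksum_off = opt + 64
    certdir_off = opt + (144 if hdr["magic"] == PE32PLUS_MAGIC else 128)
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:hdr["size_of_headers"]])   # no trailing data here
    for s in sorted(hdr["sections"], key=lambda s: s["raw_ptr"]):
        if s["raw_size"]:
            h.update(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
    return h.hexdigest()

def demo():
    """Problems for a consistent image and for one whose .text lies outside SizeOfImage."""
    layout = [(".text", 0x1000, 0x200, 0x200, TEXT), (".data", 0x2000, 0x400, 0x200, b"xen")]
    bad_text = [(".text", 0x10000, 0x200, 0x200, TEXT)] + layout[1:]
    return check_sections(build_image(layout, 0x3000)), check_sections(build_image(bad_text, 0x3000))

def tamper_demo():
    # Is the digest unchanged after editing CheckSum? After editing a .text byte?
    img = build_image([(".text", 0x1000, 0x200, 0x200, TEXT)], 0x2000)
    base, cs = authenticode_digest(img), parse_headers(img)["opt"] + 64
    same_cs = base == authenticode_digest(img[:cs] + b"\0\0\0\0" + img[cs + 4:])
    same_text = base == authenticode_digest(img[:0x200] + b"\xcc" + img[0x201:])
    return same_cs, same_text
```

`demo()` returns an empty problem list for the consistent image and a single `section ".text" has invalid address` entry for the one whose `.text` VirtualAddress lies past SizeOfImage; `tamper_demo()` returns `(True, False)`, i.e. rewriting the CheckSum field leaves the digest alone while a one-byte change in `.text` does not. Running `check_sections(open(path, "rb").read())` over a real image such as the `xen.mb.efi` mentioned above is the quick way to see whether its section table is internally consistent before handing it to a signing tool.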
On Mon, Sep 18, 2017 at 11:24:15AM -0400, Tamas K Lengyel wrote:
> On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel
> <tamas.k.lengyel@gmail.com> wrote:
> > On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> >>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >>> > Hey Tamas,
> >>> >
> >>> > Sorry for the late reply. I was on vacation.
> >>> >
> >>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >>> >
> >>> > [...]
> >>> >
> >>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> >>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> >>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> >>> >> > your kernel can verify modules using whatever you want.
> >>> >> >
> >>> >> >> I would be happy to work to help achieve this.
> >>> >> >
> >>> >> > There is a chance that I will have something very raw at the beginning
> >>> >> > of June. If you wish to do tests drop me a line.
> >>> >>
> >>> >> Hi Daniel,
> >>> >> is there any news on this? I would be interested in giving this a shot too.
> >>> >
> >>> > Please look at
> >>> >
> >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >>> >
> >>> > and at
> >>> >
> >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >>> >
> >>> > Attachments contain the same patches as above but rebased on latest
> >>> > GRUB2 and Xen git repositories.
> >>> >
> >>> > Due to some travel I am going to restart work on this in the second
> >>> > half of September.
> >>> >
> >>> > If you have any questions please drop me a line.
> >>> >
> >>>
> >>> Hi Daniel,
> >>> thanks for the update, I'll give it a shot today to set it up. On a
> >>> somewhat related note, are you aware of any work on getting secure
> >>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> >>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
> >>> there are any parallel efforts ongoing.
> >>
> >> I do not follow this issue in detail. However, I suppose that if OVMF
> >> supports UEFI secure boot (well, QEMU has to enable SMM support too;
> >> I do not know whether it works with Xen or not) then the guest should work
> >> without any issue. Just guessing...
> >>
> >
> > Sure, was just wondering if you are aware of anyone looking at that.
> >
> > In other news I was able to get your patches working and have been
> > able to boot with Secure boot enabled as far as shim -> signed grub ->
> > signed linux without initrd. If I boot a signed version of Xen from
> > grub it goes as far as setup_efi_pci but then the system reboots
> > without anything else being printed on the screen. I haven't been able
> > to debug it any further yet.
> >
>
> Daniel,
> just FYI the xen.mb.efi generated with your patches causes pesign to segfault:
>
> cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
> Segmentation fault

Thank you for doing the tests. I am going to restart work on this next
week and post the next version of the patches in October. I will try to
fix all issues spotted by you. Stay tuned...

Daniel
From 8458d7904886ca4bea059d103dac2ba50e53c13b Mon Sep 17 00:00:00 2001 From: Daniel Kiper <daniel.kiper@oracle.com> Date: Sat, 8 Jul 2017 23:32:36 +0200 Subject: [PATCH] efi: Add EFI shim lock verifier This is based on git://git.savannah.gnu.org/grub.git phcoder/verifiers branch. Just an RFC. TODO: - disable the GRUB2 modules load/unload, - disable the dangerous modules, e.g. iorw, memrw. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/Makefile.core.def | 6 +++ grub-core/commands/efi/shim_lock.c | 100 ++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 grub-core/commands/efi/shim_lock.c diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index 16c4d0e..c38e4a8 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -905,6 +905,12 @@ module = { }; module = { + name = shim_lock; + common = commands/efi/shim_lock.c; + enable = x86_64_efi; +}; + +module = { name = hdparm; common = commands/hdparm.c; common = lib/hexdump.c; diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c new file mode 100644 index 0000000..40d2b25 --- /dev/null +++ b/grub-core/commands/efi/shim_lock.c 
@@ -0,0 +1,100 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2017 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. + * + * EFI shim lock verifier. + * + */ + +#include <grub/dl.h> +#include <grub/efi/efi.h> +#include <grub/err.h> +#include <grub/file.h> +#include <grub/verify.h> + +GRUB_MOD_LICENSE ("GPLv3+"); + +#define GRUB_EFI_SHIM_LOCK_GUID \ + { 0x605dab50, 0xe046, 0x4300, \ + { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \ + } + +struct grub_efi_shim_lock_protocol +{ + grub_efi_status_t + (*verify) (void *buffer, + grub_uint32_t size); +}; +typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t; + +static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; +static grub_efi_shim_lock_protocol_t *sl; + +static grub_err_t +shim_lock_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type, + void **context __attribute__ ((unused)), enum grub_verify_flags *flags) +{ + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; + + if (!sl) + return GRUB_ERR_NONE; + + switch (type & GRUB_FILE_TYPE_MASK) + { + case GRUB_FILE_TYPE_LINUX_KERNEL: + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: + case GRUB_FILE_TYPE_BSD_KERNEL: + case GRUB_FILE_TYPE_XNU_KERNEL: + case GRUB_FILE_TYPE_PLAN9_KERNEL: + *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; + + default: + return GRUB_ERR_NONE; + } +} + +static grub_err_t +shim_lock_write (void 
*context __attribute__ ((unused)), void *buf, grub_size_t size) +{ + if (sl->verify (buf, size) != GRUB_EFI_SUCCESS) + return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature")); + + return GRUB_ERR_NONE; +} + +static void +shim_lock_close (void *context __attribute__ ((unused))) +{ +} + +struct grub_file_verifier shim_lock = + { + .name = "shim_lock", + .init = shim_lock_init, + .write = shim_lock_write, + .close = shim_lock_close + }; + +GRUB_MOD_INIT(shim_lock) +{ + sl = grub_efi_locate_protocol (&shim_lock_guid, 0); + grub_verifier_register (&shim_lock); +} + +GRUB_MOD_FINI(shim_lock) +{ + grub_verifier_unregister (&shim_lock); +} -- 1.7.10.4
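Review bot: in the Makefile.core.def hunk, `enable = x86_64_efi;` in the new `shim_lock` module stanza restricts the verifier to 64-bit x86 builds, while shim itself is also built for 32-bit x86 and AArch64 firmware; either enable the module for the other EFI targets GRUB supports or say in the commit message why it is x86_64-only, otherwise those platforms cannot get shim-based kernel verification at all.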
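Review bot: in the shim_lock.c hunk, `shim_lock_init` sets `*flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;` and returns early when `sl` is NULL, so if the shim lock protocol is not found (GRUB started without shim, or the lookup in `GRUB_MOD_INIT` failed) every kernel type loads unverified and nothing is reported; when Secure Boot is enabled that should be a hard failure for the kernel file types listed in the switch (for example returning `GRUB_ERR_ACCESS_DENIED` from `shim_lock_init`) rather than a silent fallback, and the `GRUB_MOD_FINI` path that calls `grub_verifier_unregister` is the unload route the commit message's TODO about disabling module load/unload has to close, since unloading the module removes the verifier. Two smaller points: the `case GRUB_FILE_TYPE_PLAN9_KERNEL:` arm falls through from `*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;` into `default:`, which is intended but should carry a `/* Fall through. */` comment so the implicit fall-through is not mistaken for a missing `break`; and `shim_lock_write` passes its `grub_size_t size` to `sl->verify`, whose parameter is `grub_uint32_t`, so a buffer larger than 4 GiB would be truncated before verification, which a range check before the call would reject explicitly.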