Auth: Add support to make KEK and DB files optional
This commit adds the patches to support the compilation flag AUTH_ONLY_PK_REQUIRED used to make KEK and DB authentication files optional, making only the PK file required. A pull request on the upstream repository has been submitted [1]. [1] xapi-project/varstored#23 Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
Showing
3 changed files
with
100 additions
and
0 deletions.
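--- /dev/null
+++ b/SOURCES/0001-Auth-Add-support-to-make-KEK-and-DB-files-optional.patch
@@ -0,0 +1,65 @@
+From 59b30336b5723abb31d1a8ea6e92cd1b4ec78908 Mon Sep 17 00:00:00 2001
+From: Thierry Escande <thierry.escande@vates.tech>
+Date: Thu, 4 Apr 2024 19:10:58 +0200
+Subject: [PATCH 1/2] Auth: Add support to make KEK and DB files optional
+Content-Type: text/plain; charset = "utf-8"
+Content-Transfert-Encoding: 8bit
+
+If the host doesn't have the authentication files correctly configured
+for secure boot, the VM NVRAM state is always in setup mode and allows
+the VM to boot even if it has SecureBoot enabled.
+
+This change allows varstored and varstore-sb-state to copy only the PK
+file (which is always present) and switch the VM to user mode. This will
+prevent the VM to boot if it has SecureBoot enabled, which is fine.
+Otherwise, the VM is stuck in setup mode allowing it to boot but with
+SecureBoot disabled, giving a false impression of security.
+
+It's opt-out by default so DB and KEK files are set to not required only
+if the build macro AUTH_ONLY_PK_REQUIRED is defined.
+
+Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
+---
+handler.c | 18 ++++++++++++++++--
+1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index 9305f88..85b8889 100644
+--- a/handler.c
++++ b/handler.c
+@@ -147,6 +147,20 @@ static const uint8_t EFI_IMAGE_SECURITY_DATABASE2[] = {'d',0,'b',0,'t',0};
+
+#define AUTH_PATH_PREFIX "/var/lib/varstored"
+
++/*
++ * The macro AUTH_ONLY_PK_REQUIRED makes KEK and DB files optional, allowing
++ * varstored and varstore-sb-state to copy only the PK file (which is always
++ * present) and switch the VM to user mode. This will prevent the VM to boot
++ * if it has SecureBoot enabled by the user but UEFI certificates are missing.
++ */
++#ifdef AUTH_ONLY_PK_REQUIRED
++#define AUTH_DB_REQUIRED false
++#define AUTH_KEK_REQUIRED false
++#else
++#define AUTH_DB_REQUIRED true
++#define AUTH_KEK_REQUIRED true
++#endif
++
+/*
+* Array of auth_info structs containing the information about the keys
+* we need. Avoid switching to user mode before importing other keys by
+@@ -157,9 +171,9 @@ static struct auth_info auth_info[] = {
+{"dbx", EFI_IMAGE_SECURITY_DATABASE1, sizeof(EFI_IMAGE_SECURITY_DATABASE1),
+&gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/dbx.auth", true, false},
+{"db", EFI_IMAGE_SECURITY_DATABASE, sizeof(EFI_IMAGE_SECURITY_DATABASE),
+- &gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/db.auth", false, true},
++ &gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/db.auth", false, AUTH_DB_REQUIRED},
+{"KEK", EFI_KEY_EXCHANGE_KEY_NAME, sizeof(EFI_KEY_EXCHANGE_KEY_NAME),
+- &gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/KEK.auth", false, true},
++ &gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/KEK.auth", false, AUTH_KEK_REQUIRED},
+{"PK", EFI_PLATFORM_KEY_NAME, sizeof(EFI_PLATFORM_KEY_NAME),
+&gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/PK.auth", false, true},
+};
+--
+2.43.0
+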
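Review bot: The commit message carried inside the patch describes the relaxed requirement as "opt-out by default", but the `#ifdef AUTH_ONLY_PK_REQUIRED` block added above the auth_info table makes it opt-in: db and KEK keep `required == true` unless the macro is defined at build time, which is the safer default and should be stated that way, e.g. `It's opt-in: DB and KEK files become optional only if the build macro AUTH_ONLY_PK_REQUIRED is defined.` The new header comment also reads `This will prevent the VM to boot`; `prevent the VM from booting` is the intended phrasing. Nothing in this commit defines AUTH_ONLY_PK_REQUIRED, so whether the package build actually enables it (presumably through the EXTRA_CFLAGS hook of the second patch) cannot be confirmed from here, and the code that consumes the `required` flag is outside the hunk, so what an operator sees when an optional db or KEK file is missing (silent skip or a logged message) is not visible either. Finally, `Content-Transfert-Encoding` is a misspelled mail header; harmless to `git am`, but worth correcting before the upstream submission.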
@@ -0,0 +1,32 @@ | ||
From 45c0fa8f2b6b78eb3f2404cb5269a89e46948603 Mon Sep 17 00:00:00 2001 | ||
From: Thierry Escande <thierry.escande@vates.tech> | ||
Date: Fri, 5 Apr 2024 10:31:22 +0200 | ||
Subject: [PATCH 2/2] Makefile: Add EXTRA_CFLAGS to CFLAGS | ||
Content-Type: text/plain; charset = "utf-8" | ||
Content-Transfert-Encoding: 8bit | ||
|
||
This patch allows passing of extra compilation flags from command line | ||
using 'make EXTRA_CFLAGS=-DFOO'. | ||
|
||
Signed-off-by: Thierry Escande <thierry.escande@vates.tech> | ||
--- | ||
Makefile | 3 +++ | ||
1 file changed, 3 insertions(+) | ||
|
||
diff --git a/Makefile b/Makefile | ||
index d345c11..7c43b11 100644 | ||
--- a/Makefile | ||
+++ b/Makefile | ||
@@ -19,6 +19,9 @@ CFLAGS = -I$(shell pwd)/include | ||
# _GNU_SOURCE for asprintf. | ||
CFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE | ||
|
||
+# EXTRA_CFLAGS can be set through make command line | ||
+CFLAGS += $(EXTRA_CFLAGS) | ||
+ | ||
CFLAGS += $$(pkg-config --cflags libxml-2.0) | ||
|
||
CFLAGS += -g -O2 -std=gnu99 \ | ||
-- | ||
2.43.0 | ||
|
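Review bot: `CFLAGS += $(EXTRA_CFLAGS)` is inserted before the later `CFLAGS += -g -O2 -std=gnu99 \` line, so any caller-supplied flag that conflicts with those project flags (an `-O0`, or a different `-std=`) is overridden, since for gcc the last occurrence on the command line wins; only pure additions such as `-DAUTH_ONLY_PK_REQUIRED` behave as the description promises. If the hook is meant for defines only, say so in the comment, `# EXTRA_CFLAGS: extra defines from the make command line; project flags below take precedence`; otherwise move the `CFLAGS += $(EXTRA_CFLAGS)` line after the last project CFLAGS assignment. The remaining CFLAGS assignments continue outside the hunk.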