Auth: Add support to make KEK and DB files optional
This commit adds the patches to support the compilation flag
AUTH_ONLY_PK_REQUIRED used to make KEK and DB authentication files
optional, making only the PK file required.

A pull request on the upstream repository has been submitted [1].

[1] xapi-project/varstored#23

Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
tescande committed Apr 17, 2024
1 parent 76e3e25 commit 66ebc94
Showing 3 changed files with 100 additions and 0 deletions.
@@ -0,0 +1,65 @@
From 59b30336b5723abb31d1a8ea6e92cd1b4ec78908 Mon Sep 17 00:00:00 2001
From: Thierry Escande <thierry.escande@vates.tech>
Date: Thu, 4 Apr 2024 19:10:58 +0200
Subject: [PATCH 1/2] Auth: Add support to make KEK and DB files optional
Content-Type: text/plain; charset = "utf-8"
Content-Transfert-Encoding: 8bit

If the host doesn't have the authentication files correctly configured
for secure boot, the VM NVRAM state is always in setup mode and allows
the VM to boot even if it has SecureBoot enabled.

This change allows varstored and varstore-sb-state to copy only the PK
file (which is always present) and switch the VM to user mode. This will
prevent the VM to boot if it has SecureBoot enabled, which is fine.
Otherwise, the VM is stuck in setup mode allowing it to boot but with
SecureBoot disabled, giving a false impression of security.

It's opt-out by default so DB and KEK files are set to not required only
if the build macro AUTH_ONLY_PK_REQUIRED is defined.

Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
---
handler.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/handler.c b/handler.c
index 9305f88..85b8889 100644
--- a/handler.c
+++ b/handler.c
@@ -147,6 +147,20 @@ static const uint8_t EFI_IMAGE_SECURITY_DATABASE2[] = {'d',0,'b',0,'t',0};

#define AUTH_PATH_PREFIX "/var/lib/varstored"

+/*
+ * The macro AUTH_ONLY_PK_REQUIRED makes KEK and DB files optional, allowing
+ * varstored and varstore-sb-state to copy only the PK file (which is always
+ * present) and switch the VM to user mode. This will prevent the VM to boot
+ * if it has SecureBoot enabled by the user but UEFI certificates are missing.
+ */
+#ifdef AUTH_ONLY_PK_REQUIRED
+#define AUTH_DB_REQUIRED false
+#define AUTH_KEK_REQUIRED false
+#else
+#define AUTH_DB_REQUIRED true
+#define AUTH_KEK_REQUIRED true
+#endif
+
/*
* Array of auth_info structs containing the information about the keys
* we need. Avoid switching to user mode before importing other keys by
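Review bot: the `#ifdef AUTH_ONLY_PK_REQUIRED` block makes the relaxed mode opt-in (DB and KEK stay required unless the macro is defined at build time), whereas the patch description above calls it "opt-out by default"; one of the two should be reworded so packagers are not misled about what an unmodified build does. The new comment also reads "prevent the VM to boot", better as "prevent the VM from booting", and it would help to state explicitly that a VM switched to user mode with only PK present refuses to boot with SecureBoot enabled, which is the fail-closed outcome the description says is intended.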
@@ -157,9 +171,9 @@ static struct auth_info auth_info[] = {
{"dbx", EFI_IMAGE_SECURITY_DATABASE1, sizeof(EFI_IMAGE_SECURITY_DATABASE1),
&gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/dbx.auth", true, false},
{"db", EFI_IMAGE_SECURITY_DATABASE, sizeof(EFI_IMAGE_SECURITY_DATABASE),
- &gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/db.auth", false, true},
+ &gEfiImageSecurityDatabaseGuid, AUTH_PATH_PREFIX "/db.auth", false, AUTH_DB_REQUIRED},
{"KEK", EFI_KEY_EXCHANGE_KEY_NAME, sizeof(EFI_KEY_EXCHANGE_KEY_NAME),
- &gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/KEK.auth", false, true},
+ &gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/KEK.auth", false, AUTH_KEK_REQUIRED},
{"PK", EFI_PLATFORM_KEY_NAME, sizeof(EFI_PLATFORM_KEY_NAME),
&gEfiGlobalVariableGuid, AUTH_PATH_PREFIX "/PK.auth", false, true},
};
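Review bot: the initializers now read `false, AUTH_DB_REQUIRED` and `false, AUTH_KEK_REQUIRED` with nothing indicating which struct auth_info field each boolean sets, which mattered less while the values were literals next to the `true, false` of the dbx entry. A designated initializer naming the field, or a trailing `/* required */` comment on the db and KEK entries, would keep the table readable. The ordering comment above the array still holds, since PK remains last and remains unconditionally required.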
--
2.43.0

32 changes: 32 additions & 0 deletions SOURCES/0002-Makefile-Add-EXTRA_CFLAGS-to-CFLAGS.patch
@@ -0,0 +1,32 @@
From 45c0fa8f2b6b78eb3f2404cb5269a89e46948603 Mon Sep 17 00:00:00 2001
From: Thierry Escande <thierry.escande@vates.tech>
Date: Fri, 5 Apr 2024 10:31:22 +0200
Subject: [PATCH 2/2] Makefile: Add EXTRA_CFLAGS to CFLAGS
Content-Type: text/plain; charset = "utf-8"
Content-Transfert-Encoding: 8bit

This patch allows passing of extra compilation flags from command line
using 'make EXTRA_CFLAGS=-DFOO'.

Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)

diff --git a/Makefile b/Makefile
index d345c11..7c43b11 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,9 @@ CFLAGS = -I$(shell pwd)/include
# _GNU_SOURCE for asprintf.
CFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE

+# EXTRA_CFLAGS can be set through make command line
+CFLAGS += $(EXTRA_CFLAGS)
+
CFLAGS += $$(pkg-config --cflags libxml-2.0)

CFLAGS += -g -O2 -std=gnu99 \
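Review bot: `CFLAGS += $(EXTRA_CFLAGS)` is appended before the `-g -O2 -std=gnu99` line, so any EXTRA_CFLAGS value that conflicts with those defaults (for example `-O0` for a debug build) is overridden, because gcc honours the last occurrence of an option; appending EXTRA_CFLAGS after the final `CFLAGS +=` would let command-line flags win. For the `-D` define this series needs, the current placement works, and using a separate variable is the right call since `CFLAGS = ...` on line 19 would be replaced wholesale by a command-line `CFLAGS=`.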
--
2.43.0

3 changes: 3 additions & 0 deletions SPECS/varstored.spec
@@ -14,6 +14,9 @@ Source10: secureboot-certs
Patch1000: varstored-1.0.0-tolerate-missing-dbx-on-disk.XCP-ng.patch
# Patch submitted upstream as https://github.com/xapi-project/varstored/pull/21
Patch1001: varstored-1.2.0-fix-return-code-for-varstore-sb-state-user.XCP-ng.patch
# Patch submitted upstream as https://github.com/xapi-project/varstored/pull/23
Patch1002: 0001-Auth-Add-support-to-make-KEK-and-DB-files-optional.patch
Patch1003: 0002-Makefile-Add-EXTRA_CFLAGS-to-CFLAGS.patch

BuildRequires: xen-libs-devel xen-dom0-libs-devel openssl openssl-devel libxml2-devel
BuildRequires: glib2-devel
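Review bot: the three additions in this file are the comment and the two `Patch100x` lines, and nothing here passes `EXTRA_CFLAGS=-DAUTH_ONLY_PK_REQUIRED` to make, so as committed the package still requires KEK and DB and Patch1002 changes nothing at runtime; the `%build` invocation needs the define (and, unless `%prep` applies patches automatically, matching `%patch` lines for Patch1002 and Patch1003). Also, the commit message says pull request #23 covers these patches, so the "submitted upstream" comment should cover Patch1003 as well rather than sit above Patch1002 only.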

0 comments on commit 66ebc94