From 0535f5b0ae7396071a9613ee4e6c43f5b74f5d81 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Tue, 20 Sep 2022 11:35:19 +0800
Subject: [PATCH] Debian: shim-unsigned: porting from LAT
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use shim version: 15+1533136590.3beb971.
Although there was a debian package for shim here, it wasn't
effective because LAT didn't use it (the shim version in use is
12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper
version for this porting.
I chose this version because it has to match the grub image.
shim 15.3 introduced and now mandates SBAT.
This means that shim 15.3+ will not launch any EFI binaries
without a .sbat section.
Use tis-shim.der (another format for tis-shim.crt) to verify grub
image's signature.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46401
Signed-off-by: Li Zhou
Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
---
...place-the-debian-cert-file-with-ours.patch | 26 ++++
.../shim-unsigned/debian/deb_patches/series | 1 +
security/shim-unsigned/debian/meta_data.yaml | 13 +-
.../0001-Use-Titanium-certificate.patch | 125 ------------------
security/shim-unsigned/debian/patches/series | 1 -
security/shim-unsigned/files/tis-shim.der | Bin 0 -> 865 bytes
6 files changed, 34 insertions(+), 132 deletions(-)
create mode 100644 security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch
create mode 100644 security/shim-unsigned/debian/deb_patches/series
delete mode 100644 security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch
delete mode 100644 security/shim-unsigned/debian/patches/series
create mode 100644 security/shim-unsigned/files/tis-shim.der
diff --git a/security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch b/security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch
new file mode 100644
index 000000000..5319fe872
--- /dev/null
+++ b/security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch
@@ -0,0 +1,26 @@
+From 7bf206a8899a5df0bbc361a39eb5b38a6f0b0882 Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Thu, 25 Aug 2022 18:10:28 +0800
+Subject: [PATCH] shim: replace the debian cert file with ours
+
+Signed-off-by: Li Zhou
+---
+ debian/rules | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/debian/rules b/debian/rules
+index 58620be..0434c4d 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -11,7 +11,7 @@ ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+ distributor=ubuntu
+ COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
+ else
+- cert=debian/debian-uefi-ca.der
++ cert=tis-shim.der
+ distributor=debian
+ endif
+
+--
+2.17.1
+
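Review bot: The replacement `cert=tis-shim.der` is a bare relative path, while the value it replaces (`debian/debian-uefi-ca.der`) was anchored under `debian/`, and nothing in this patch says where `tis-shim.der` is expected to sit when `debian/rules` runs; from the `src_files` entry elsewhere in this commit it presumably gets copied into the source root by the build tooling, but a reader of the patch alone cannot tell. Since this variable selects the certificate shim embeds, and that certificate is what gates which grub images shim will launch, the nested patch's description should state the provenance and placement of the file, e.g. `tis-shim.der is copied into the top-level source directory from files/ by the build (see src_files in meta_data.yaml); it replaces the Debian UEFI CA as the vendor certificate shim verifies grub against.`. The `ifeq … dpkg-vendor …` block this hunk edits begins outside the hunk, so the ubuntu branch (`ENABLE_SHIM_CERT=1`) is left untouched and should be confirmed irrelevant for this build.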
diff --git a/security/shim-unsigned/debian/deb_patches/series b/security/shim-unsigned/debian/deb_patches/series
new file mode 100644
index 000000000..fb0ae0a11
--- /dev/null
+++ b/security/shim-unsigned/debian/deb_patches/series
@@ -0,0 +1 @@
+0001-shim-replace-the-debian-cert-file-with-ours.patch
diff --git a/security/shim-unsigned/debian/meta_data.yaml b/security/shim-unsigned/debian/meta_data.yaml
index 96b0f87e8..03a422700 100644
--- a/security/shim-unsigned/debian/meta_data.yaml
+++ b/security/shim-unsigned/debian/meta_data.yaml
@@ -1,13 +1,14 @@
---
-debver: 15.4-7
+debver: 15+1533136590.3beb971
debname: shim
dl_path:
- name: shim-debian-15.4-7.tar.gz
- url: https://salsa.debian.org/efi-team/shim/-/archive/debian/15.4-7/shim-debian-15.4-7.tar.gz
- md5sum: f2ceaa268acb6eb9bbe08b839371e04a
- sha256sum: a4ec39a11c75c95f268403f27125dd002aaf8511afb4fe476bc2d89d97f41eb3
+ name: shim-debian-15+1533136590.3beb971.tar.bz2
+ url: "https://salsa.debian.org/efi-team/shim/-/archive/debian/\
+ 15+1533136590.3beb971-10/shim-debian-15+1533136590.3beb971-10.tar.bz2"
+ md5sum: eb6db0c9b8b4257d77ed07a81cd3a7b8
+ sha256sum: 06341378fc89836ee3355ff9ade263105a9ab445de8b065c0989eec8c55769c8
src_files:
- - files/tis-shim.crt
+ - files/tis-shim.der
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true
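Review bot: The `url` fetches the `15+1533136590.3beb971-10` archive, but `debver` and the `name` field drop the `-10` Debian revision, so the three fields no longer describe the same thing; the old entry used `15.4-7` consistently across all three. If `debver` is meant to match the Debian package version, it should read `debver: 15+1533136590.3beb971-10`; if the revision suffix is intentionally omitted because of how the tooling composes the version, a YAML comment saying so on that line would stop the next maintainer from "fixing" it. The checksums are pinned, which is good, but the mismatch makes it harder to verify by eye that they were taken from the archive named in `url`.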
diff --git a/security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch b/security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch
deleted file mode 100644
index f38f06c38..000000000
--- a/security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From f6e8ace9a9783a1645cb6141ba5788790963cda3 Mon Sep 17 00:00:00 2001
-From: Yue Tao
-Date: Mon, 15 Jan 2018 13:25:04 -0500
-Subject: [PATCH] Use Titanium certificate
-
-Signed-off-by: Scott Little
-Signed-off-by: Yue Tao
----
- Make.defaults | 6 ++++++
- Makefile | 33 +++++++++++++++++++--------------
- 2 files changed, 25 insertions(+), 14 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index a775083..656669d 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -56,6 +56,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
-
- COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
-
-+# We compile a certificate into shim. Usually this is a one-time generated
-+# certificate (make-certs script) however we want to include a custom
-+# certificate for which we have the key. We use the key to sign the kernel and
-+# grub down the road
-+INTERNAL_CERT = tis-shim
-+
- ifeq ($(ARCH),x86_64)
- ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
- $(CLANG_BUGS) -m64 \
-diff --git a/Makefile b/Makefile
-index 8c66459..919e002 100644
---- a/Makefile
-+++ b/Makefile
-@@ -37,9 +37,10 @@ TARGETS += $(MMNAME).signed $(FBNAME).signed
- CFLAGS += -DENABLE_SHIM_CERT
- else
- TARGETS += $(MMNAME) $(FBNAME)
-+CFLAGS += -DENABLE_SHIM_CERT
- endif
- OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
--KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
- ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
- MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
- ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-@@ -75,14 +76,18 @@ endif
- update :
- git submodule update --init --recursive
-
--shim.crt:
-- $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 $@
- $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
- echo "};" >> $@
-@@ -93,15 +98,13 @@ version.c : $(TOPDIR)/version.c.in
- -e "s,@@COMMIT@@,$(COMMIT_ID)," \
- < $< > $@
-
--certdb/secmod.db: shim.crt
-+certdb/secmod.db: $(INTERNAL_CERT).crt
- -mkdir certdb
-- $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
-- $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
-+ $(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
-+ $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
-
- shim.o: $(SOURCES)
--ifneq ($(origin ENABLE_SHIM_CERT),undefined)
- shim.o: shim_cert.h
--endif
- shim.o: $(wildcard $(TOPDIR)/*.h)
-
- cert.o : $(TOPDIR)/cert.S
-@@ -267,10 +270,10 @@ endif
- $< $@
-
- ifneq ($(origin ENABLE_SBSIGN),undefined)
--%.efi.signed: %.efi shim.key shim.crt
-+%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt
- @$(SBSIGN) \
-- --key shim.key \
-- --cert shim.crt \
-+ --key $(INTERNAL_CERT).key \
-+ --cert $(INTERNAL_CERT).crt \
- --output $@ $<
- else
- %.efi.signed: %.efi certdb/secmod.db
-@@ -302,9 +305,11 @@ clean-lib-objs:
- fi
-
- clean-shim-objs:
-+ @mv $(INTERNAL_CERT).crt $(INTERNAL_CERT).crt.back
- @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
- @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
- @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
-+ @mv $(INTERNAL_CERT).crt.back $(INTERNAL_CERT).crt
- @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
-
- clean-openssl-objs:
-@@ -331,7 +336,7 @@ tag:
- archive: tag
- @./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
-
--.PHONY : install-deps shim.key
-+.PHONY : install-deps $(INTERNAL_CERT).key
-
- export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
- export FEATUREFLAGS WARNFLAGS WERRFLAGS
---
-2.25.1
-
diff --git a/security/shim-unsigned/debian/patches/series b/security/shim-unsigned/debian/patches/series
deleted file mode 100644
index bfa4f472e..000000000
--- a/security/shim-unsigned/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-0001-Use-Titanium-certificate.patch
diff --git a/security/shim-unsigned/files/tis-shim.der b/security/shim-unsigned/files/tis-shim.der
new file mode 100644
index 0000000000000000000000000000000000000000..b29ee11b6a17d85aa32f00a3507b5e31b75806fd
GIT binary patch
literal 865
zcmXqLVvaRvVsc%;%*4pV#L2LB?zEa&>?(W)ylk9WZ60mkc^MhGSs4sm4Y>_C*_cCF
z*o2v!9SwyI1VJ1Q9R;-@XdWy*;BwAtm9dR6}p(H(~E9
z%h_k<^{0n@Fx~f3sQ0O%RpZSW+`=rO^RGLet2LhMR8*~a@U-2v-+4>@k4@hgs-yiZ
z=<+9p&0U8?dx~7XCiso1zp%J?{Mc8FR^kmt^grh#?9qj%c
zeUtU_`L~8`%&PpSiwm3it5oKAv-^EX6>O5$imJ?=bD_@t;{lh&i1{9
zBm0WRoWI|fsTSM_+VxH4Q;&GmI`3vFE%jyZqui^yH=N+PeeO@teU8%X6|-*d)LZr0
zXm#HAPj2`7QUm6mW&ZlQ;F;UBMGwvdocI}?w&BRJQ!GK}XU*!7iq!Mw)APD;XsxyqXXQxd@6lIZuweP!-W`06LI8|pSDF9-
literal 0
HcmV?d00001