[PATCH 3/3][Resend] securebootcert: add Ubuntu UEFI secure boot test - check Ubuntu CA presence
Colin Ian King
colin.king at canonical.com
Tue Mar 5 09:09:33 UTC 2013
On 05/03/13 09:03, Ivan Hu wrote:
> From: IvanHu <ivan.hu at canonical.com>
>
> Check the variable KEK existence and Ubuntu master CA certificate presence
> in KEK.
>
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
> src/uefi/securebootcert/securebootcert.c | 37 ++++++++++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 60d55cb..0675e15 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -253,10 +253,44 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
> "The Microsoft UEFI CA certificate not found .");
> }
>
> +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
> +{
> +
> + bool ident = false;
> + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
> +
> + if (strcmp(varname, "KEK"))
> + return;
> +
> + var_found |= VAR_KEK_FOUND;
> + ident = compare_guid(&global_var_guid, var->guid);
> +
> + if (!ident) {
> + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
> + "The secure boot variable %s GUID invalid.", varname);
> + return;
> + }
> +
> + fwts_release *release = fwts_release_get();
> + if (release == NULL) {
> + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate.");
> + return;
> + }
Perhaps I should have explained the fwts_release API better. Best to do
something like:
    fwts_release *release;
    ...
    ...
    release = fwts_release_get();
    if (release == NULL) {
        fwts_skipped(fw, "Cannot determine system.. etc...");
        return;
    }
    /* strcmp() returns 0 on a match, so non-zero means this is not Ubuntu */
    if (strcmp(release->distributor, "Ubuntu")) {
        fwts_skipped(fw, "Not a Ubuntu system... etc..");
        return;
    }
> +
> + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
> + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
> + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
> + else {
> + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname);
> + fwts_infoonly(fw);
> + }
> +}
> +
> static securebootcert_info securebootcert_info_table[] = {
> { "SecureBoot", securebootcert_secure_boot },
> { "SetupMode", securebootcert_setup_mode },
> { "db", securebootcert_data_base },
> + { "KEK", securebootcert_key_ex_key },
> { NULL, NULL }
> };
>
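Review bot: the skip at the top of securebootcert_key_ex_key() only handles fwts_release_get() returning NULL; a non-Ubuntu system with a readable release file falls straight through and is then expected to carry the Ubuntu master CA, so the distributor should be compared against "Ubuntu" before going on to check_sigdb_presence(), and the release struct obtained here is never freed on either path. Minor: `bool ident = false;` is overwritten unconditionally two lines later, the blank line after the opening brace is stray, and the two messages read better as "The secure boot variable %s GUID is invalid." and "Not an Ubuntu system, skipping the Ubuntu Master CA certificate check."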
> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw)
> if (!(var_found & VAR_DB_FOUND))
> fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
> "The secure boot variable DB not found.");
> + if (!(var_found & VAR_KEK_FOUND))
> + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
> + "The secure boot variable KEK not found.");
>
> fwts_uefi_free_variable_names(&name_list);
>
>
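Review bot: the new KEK check mirrors the DB one, so a missing KEK is reported as a LOG_LEVEL_HIGH failure whenever the test runs, including on a machine in setup mode or with SecureBoot disabled, where an absent KEK can be legitimate; if that is intended it is at least consistent with the existing DB line, otherwise both checks could be gated on the SecureBoot/SetupMode state the table already inspects. Reusing the "SecureBootCertVariableNotFound" label for DB and KEK is fine since the message text distinguishes them.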