[PATCH 3/3][Resend] securebootcert: add Ubuntu UEFI secure boot test - check Ubuntu CA presence
Colin Ian King
colin.king at canonical.com
Tue Mar 5 09:13:40 UTC 2013
On 05/03/13 09:09, Colin Ian King wrote:
> On 05/03/13 09:03, Ivan Hu wrote:
>> From: IvanHu <ivan.hu at canonical.com>
>>
>> Check that the KEK variable exists and that the Ubuntu master CA certificate is present in it.
>>
>> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
>> ---
>> src/uefi/securebootcert/securebootcert.c | 37
>> ++++++++++++++++++++++++++++++
>> 1 file changed, 37 insertions(+)
>>
>> diff --git a/src/uefi/securebootcert/securebootcert.c
>> b/src/uefi/securebootcert/securebootcert.c
>> index 60d55cb..0675e15 100644
>> --- a/src/uefi/securebootcert/securebootcert.c
>> +++ b/src/uefi/securebootcert/securebootcert.c
>> @@ -253,10 +253,44 @@ static void
>> securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
>> "The Microsoft UEFI CA certificate not found .");
>> }
>>
>> +static void securebootcert_key_ex_key(fwts_framework *fw,
>> fwts_uefi_var *var, char *varname)
>> +{
>> +
>> + bool ident = false;
>> + EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
>> +
>> + if (strcmp(varname, "KEK"))
>> + return;
>> +
>> + var_found |= VAR_KEK_FOUND;
>> + ident = compare_guid(&global_var_guid, var->guid);
>> +
>> + if (!ident) {
>> + fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableGUIDInvalid",
>> + "The secure boot variable %s GUID invalid.", varname);
>> + return;
>> + }
>> +
>> + fwts_release *release = fwts_release_get();
>> + if (release == NULL) {
>> + fwts_skipped(fw, "Not on Ubuntu system, it's not necessary
>> checking the Ubuntu Master CA certificate.");
>> + return;
>> + }
>
> Perhaps I should have explained the fwts_release API better. Best to do
> something like:
>
> fwts_release *release;
>
> ...
> ...
>
> release = fwts_release_get();
> if (release == NULL) {
> fwts_skipped(fw, "Cannot determine system.. etc...");
> return;
> }
>
> if (!strcmp(release->distributor, "Ubuntu")) {
> fwts_skipped(fw, "Not a Ubuntu system... etc..");
> return;
> }
>
Oh, and I forgot, we need to free up after using it:
fwts_release_free(release);
>> +
>> + fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate
>> presence in %s", varname);
>> + if (check_sigdb_presence(var->data, var->datalen, ubuntu_key,
>> ubuntu_key_len))
>> + fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
>> + else {
>> + fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate
>> presence in %s", varname);
>> + fwts_infoonly(fw);
>> + }
>> +}
>> +
>> static securebootcert_info securebootcert_info_table[] = {
>> { "SecureBoot", securebootcert_secure_boot },
>> { "SetupMode", securebootcert_setup_mode },
>> { "db", securebootcert_data_base },
>> + { "KEK", securebootcert_key_ex_key },
>> { NULL, NULL }
>> };
>>
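Review bot: securebootcert_key_ex_key() never examines the release it obtains, so on any system where fwts_release_get() returns non-NULL the Ubuntu CA check runs regardless of distribution, and the returned struct is leaked on both the skip path and the check path. After the NULL check, compare release->distributor with "Ubuntu" and call fwts_skipped() when strcmp() returns non-zero, then fwts_release_free(release) on every path before proceeding to check_sigdb_presence(). Declaring `fwts_release *release;` with the other locals at the top of the function also avoids the mid-block declaration. A smaller point: the pass message "Ubuntu UEFI CA 2011 key check passed." names the certificate differently from the "Ubuntu master CA certificate" log lines around it; using one name makes the pass and info results easy to correlate in a log.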
>> @@ -358,6 +392,9 @@ static int securebootcert_test1(fwts_framework *fw)
>> if (!(var_found & VAR_DB_FOUND))
>> fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableNotFound",
>> "The secure boot variable DB not found.");
>> + if (!(var_found & VAR_KEK_FOUND))
>> + fwts_failed(fw, LOG_LEVEL_HIGH,
>> "SecureBootCertVariableNotFound",
>> + "The secure boot variable KEK not found.");
>>
>> fwts_uefi_free_variable_names(&name_list);
>>
>>
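Review bot: VAR_KEK_FOUND is set in securebootcert_key_ex_key() and tested here, but no hunk in this patch defines it alongside VAR_DB_FOUND, and the diffstat shows only this file changing. If the define comes from an earlier patch in the series, note the dependency in the commit message so the resend is applied in order; otherwise add the define in this patch so it builds on its own.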
>
>
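As an added, stand-alone example (not fwts code, and not the check_sigdb_presence() the patch calls) of what a "certificate presence in KEK" check has to do over the raw variable data: walk the EFI_SIGNATURE_LIST structures, bounds-check every length field the firmware hands back, and compare the SignatureData of X509 entries with the certificate's DER bytes. The KEK blob and the certificate bytes below are constructed for the example, and sigdb_contains_x509(), build_sample_kek() and the demo_*() helpers are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Example code, not fwts. On-disk layout per the UEFI spec (EFI_SIGNATURE_LIST):
 *   EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
 *   UINT32 SignatureSize; UINT8 SignatureHeader[]; EFI_SIGNATURE_DATA Signatures[];
 * and each EFI_SIGNATURE_DATA is EFI_GUID SignatureOwner followed by SignatureData. */
#define GUID_LEN 16
#define SIGLIST_HDR_LEN (GUID_LEN + 3 * 4)

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, mixed-endian as stored */
static const uint8_t efi_cert_x509_guid[GUID_LEN] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 */
static const uint8_t efi_cert_sha256_guid[GUID_LEN] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };
/* Constructed stand-in for a certificate's DER bytes (not a real certificate). */
static const uint8_t sample_cert[] = { 0x30, 0x82, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Returns 1 if an X509 entry whose SignatureData equals cert[0..certlen) exists in
 * the database, 0 otherwise. Every length field is checked against the buffer so a
 * corrupt or hostile variable blob cannot drive a read past the end or loop forever. */
int sigdb_contains_x509(const uint8_t *db, size_t dblen,
                        const uint8_t *cert, size_t certlen)
{
    size_t off = 0;

    while (dblen - off >= SIGLIST_HDR_LEN) {
        const uint8_t *list = db + off;
        uint32_t list_size = rd32(list + GUID_LEN);
        uint32_t hdr_size  = rd32(list + GUID_LEN + 4);
        uint32_t sig_size  = rd32(list + GUID_LEN + 8);
        size_t pos;

        if (list_size < SIGLIST_HDR_LEN || list_size > dblen - off)
            return 0;                      /* list does not fit in the buffer */
        if (hdr_size > list_size - SIGLIST_HDR_LEN)
            return 0;                      /* header overruns the list */
        if (sig_size <= GUID_LEN)
            return 0;                      /* no room for owner GUID + data */

        if (memcmp(list, efi_cert_x509_guid, GUID_LEN) == 0 &&
            sig_size - GUID_LEN == certlen) {
            for (pos = SIGLIST_HDR_LEN + hdr_size;
                 list_size - pos >= sig_size; pos += sig_size)
                if (memcmp(list + pos + GUID_LEN, cert, certlen) == 0)
                    return 1;
        }
        off += list_size;
    }
    return 0;
}

/* Append one signature list holding a single entry; returns bytes written, 0 if no room. */
static size_t append_list(uint8_t *buf, size_t room, const uint8_t *type,
                          const uint8_t *data, size_t datalen)
{
    size_t sig_size = GUID_LEN + datalen, total = SIGLIST_HDR_LEN + sig_size;

    if (total > room)
        return 0;
    memcpy(buf, type, GUID_LEN);
    wr32(buf + GUID_LEN, (uint32_t)total);
    wr32(buf + GUID_LEN + 4, 0);                    /* no SignatureHeader */
    wr32(buf + GUID_LEN + 8, (uint32_t)sig_size);
    memset(buf + SIGLIST_HDR_LEN, 0x11, GUID_LEN);  /* constructed SignatureOwner */
    memcpy(buf + SIGLIST_HDR_LEN + GUID_LEN, data, datalen);
    return total;
}

/* Constructed KEK contents: one SHA256 hash list, then one X509 list. Returns length. */
size_t build_sample_kek(uint8_t *buf, size_t room)
{
    uint8_t hash[32];
    size_t n, w;

    memset(hash, 0xab, sizeof(hash));
    n = append_list(buf, room, efi_cert_sha256_guid, hash, sizeof(hash));
    if (!n)
        return 0;
    w = append_list(buf + n, room - n, efi_cert_x509_guid, sample_cert, sizeof(sample_cert));
    return w ? n + w : 0;
}

int demo_present(void)        /* the constructed cert is in the X509 list: 1 */
{
    uint8_t kek[256];
    size_t n = build_sample_kek(kek, sizeof(kek));
    return sigdb_contains_x509(kek, n, sample_cert, sizeof(sample_cert));
}

int demo_absent(void)         /* a different 8-byte blob is not present: 0 */
{
    uint8_t kek[256], other[sizeof(sample_cert)];
    size_t n = build_sample_kek(kek, sizeof(kek));
    memset(other, 0xff, sizeof(other));
    return sigdb_contains_x509(kek, n, other, sizeof(other));
}

int demo_truncated(void)      /* last byte cut off: the X509 list is rejected, 0 */
{
    uint8_t kek[256];
    size_t n = build_sample_kek(kek, sizeof(kek));
    return sigdb_contains_x509(kek, n - 1, sample_cert, sizeof(sample_cert));
}

int main(void)
{
    printf("present=%d absent=%d truncated=%d\n",
           demo_present(), demo_absent(), demo_truncated());
    return 0;
}
```

The truncated case is the one worth keeping in mind when reading variable data back from firmware: the length returned with the variable is the only thing bounding the walk, so a SignatureListSize or SignatureSize that points past it must end the search rather than be trusted.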