[PATCH 3/3][Resend 2] securebootcert: add Ubuntu UEFI secure boot test - check Ubuntu CA presence

Keng-Yu Lin kengyu at canonical.com
Fri Mar 8 07:51:06 UTC 2013


On Wed, Mar 6, 2013 at 8:58 AM, Ivan Hu <ivan.hu at canonical.com> wrote:
> From: IvanHu <ivan.hu at canonical.com>
>
> Check the variable KEK existence and Ubuntu master CA certificate presence
> in KEK.
>
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
>  src/uefi/securebootcert/securebootcert.c |   44 ++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
>
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 60d55cb..0a36c41 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -253,10 +253,51 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
>                         "The Microsoft UEFI CA certificate not found .");
>  }
>
> +static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
> +{
> +
> +       bool ident = false;
> +       EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
> +
> +       if (strcmp(varname, "KEK"))
> +               return;
> +
> +       var_found |= VAR_KEK_FOUND;
> +       ident = compare_guid(&global_var_guid, var->guid);
> +
> +       if (!ident) {
> +               fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
> +                       "The secure boot variable %s GUID invalid.", varname);
> +               return;
> +       }
> +
> +       fwts_release *release = fwts_release_get();
> +       if (release == NULL) {
> +               fwts_skipped(fw, "Cannot determine system, stop checking the Ubuntu Master CA certificate.");
> +               return;
> +       }
> +
> +       if (strcmp(release->distributor, "Ubuntu") != 0) {
> +               fwts_skipped(fw, "Not a Ubuntu system, it's not necessary checking the Ubuntu Master CA certificate.");
> +               fwts_release_free(release);
> +               return;
> +       }
> +       fwts_release_free(release);
> +
> +       fwts_log_info_verbatum(fw, "Check Ubuntu master CA certificate presence in %s", varname);
> +       if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len))
> +               fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");
> +       else {
> +               fwts_log_info_verbatum(fw, "No Ubuntu master CA certificate presence in %s", varname);
> +               fwts_infoonly(fw);
> +       }
> +}
> +
>  static securebootcert_info securebootcert_info_table[] = {
>         { "SecureBoot",         securebootcert_secure_boot },
>         { "SetupMode",          securebootcert_setup_mode },
>         { "db",                 securebootcert_data_base },
> +       { "KEK",                securebootcert_key_ex_key },
>         { NULL, NULL }
>  };
>
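Review bot: The `if`/`else` around the `check_sigdb_presence` call mixes an unbraced `if` body with a braced `else`, and the function opens with a stray blank line after `{`; brace both arms for symmetry, `if (check_sigdb_presence(var->data, var->datalen, ubuntu_key, ubuntu_key_len)) {` / `fwts_passed(fw, "Ubuntu UEFI CA 2011 key check passed.");` / `} else {`, and drop the empty line. The absence of the Ubuntu CA in KEK is reported with `fwts_infoonly` while the neighbouring db check (its body starts above this hunk) appears to treat a missing Microsoft CA as a failure, so a one-line comment stating why KEK absence is informational would help, e.g. `/* The Ubuntu CA need not be enrolled in KEK on every platform, so absence is reported but not failed. */`. `VAR_KEK_FOUND` is used here but not introduced by the patch; presumably it already exists in the file, which is worth confirming since the diffstat touches only this source file.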
> @@ -358,6 +399,9 @@ static int securebootcert_test1(fwts_framework *fw)
>         if (!(var_found & VAR_DB_FOUND))
>                 fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
>                         "The secure boot variable DB not found.");
> +       if (!(var_found & VAR_KEK_FOUND))
> +               fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
> +                       "The secure boot variable KEK not found.");
>
>         fwts_uefi_free_variable_names(&name_list);
>
> --
> 1.7.10.4
>
Acked-by: Keng-Yu Lin <kengyu at canonical.com>


