ACK: [PATCH 1/2] securebootcert: add variable AuditMode checking

Fri Dec 16 11:21:33 UTC 2016

On 16/12/16 06:25, Ivan Hu wrote:
> UEFI 2.6 add the AuditMode global variable for secure boot, so also check the
> AuditMode variable in this test.
> 
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
>  src/uefi/securebootcert/securebootcert.c | 61 +++++++++++++++++++++++++++++---
>  1 file changed, 56 insertions(+), 5 deletions(-)
> 
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 69abaa5..2f7de50 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -47,10 +47,11 @@ typedef struct _EFI_SIGNATURE_LIST {
>  	uint32_t	SignatureSize;
>  } __attribute__((packed)) EFI_SIGNATURE_LIST;
>  
> -#define VAR_SECUREBOOT_FOUND	1
> -#define VAR_SETUPMODE_FOUND	2
> -#define VAR_DB_FOUND		4
> -#define VAR_KEK_FOUND		8
> +#define VAR_SECUREBOOT_FOUND	(1 << 0)
> +#define VAR_SETUPMODE_FOUND	(1 << 1)
> +#define VAR_DB_FOUND		(1 << 2)
> +#define VAR_KEK_FOUND		(1 << 3)
> +#define VAR_AUDITMODE_FOUND	(1 << 4)
>  
>  #define EFI_GLOBAL_VARIABLE \
>  { \
> @@ -156,7 +157,7 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
>  
>  		switch (value) {
>  		case 0:
> -			mode = " (User Mode)";
> +			mode = "";
>  			break;
>  		case 1:
>  			mode = " (Setup Mode)";
> @@ -171,6 +172,47 @@ static void securebootcert_setup_mode(fwts_framework *fw, fwts_uefi_var *var, ch
>  	}
>  }
>  
> +static void securebootcert_audit_mode(fwts_framework *fw, fwts_uefi_var *var, char *varname)
> +{
> +
> +	bool ident = false;
> +	EFI_GUID global_var_guid = EFI_GLOBAL_VARIABLE;
> +
> +	if (strcmp(varname, "AuditMode"))
> +		return;
> +
> +	var_found |= VAR_AUDITMODE_FOUND;
> +	ident = compare_guid(&global_var_guid, var->guid);
> +
> +	if (!ident) {
> +		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableGUIDInvalid",
> +			"The secure boot variable %s GUID invalid.", varname);
> +		return;
> +	}
> +	if (var->datalen != 1) {
> +		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableSizeInvalid",
> +			"The secure boot variable %s size invalid.", varname);
> +	} else {
> +		char *mode;
> +		uint8_t value = (uint8_t)var->data[0];
> +
> +		switch (value) {
> +		case 0:
> +			mode = "";
> +			break;
> +		case 1:
> +			mode = " (Audit Mode)";
> +			break;
> +		default:
> +			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableDataInvalid",
> +				"The secure boot variable %s data invalid.", varname);
> +			return;
> +		}
> +		fwts_log_info_verbatim(fw, "  Value: 0x%2.2" PRIx8 "%s.", value, mode);
> +		fwts_passed(fw, "Secure boot relative variable %s check passed.", varname);
> +	}
> +}
> +
>  static bool check_sigdb_presence(uint8_t *var_data, size_t datalen, uint8_t *key, uint32_t key_len)
>  {
>  	uint8_t *var_data_addr;
> @@ -305,6 +347,7 @@ static securebootcert_info securebootcert_info_table[] = {
>  	{ "SetupMode",		securebootcert_setup_mode },
>  	{ "db",			securebootcert_data_base },
>  	{ "KEK",		securebootcert_key_ex_key },
> +	{ "AuditMode",		securebootcert_audit_mode },
>  	{ NULL, NULL }
>  };
>  
> @@ -372,6 +415,14 @@ static int securebootcert_test1(fwts_framework *fw)
>  	if (!(var_found & VAR_SETUPMODE_FOUND))
>  		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
>  			"The secure boot variable SetupMode not found.");
> +	if (!(var_found & VAR_AUDITMODE_FOUND)) {
> +		fwts_warning(fw, "The secure boot variable AuditMode not found.");
> +		fwts_advice(fw,
> +			"AuditMode global variable is defined in the UEFI "
> +			"Specification 2.6 for new secure boot architecture. "
> +			"It may because the firmware hasn't been updated to "
> +			"support the UEFI Specification 2.6.");
> +	}
>  	if (securebooted) {
>  		if (!(var_found & VAR_DB_FOUND))
>  			fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound",
> 
Thanks Ivan

Acked-by: Colin Ian King <colin.king at canonical.com>