From: Michael Olbrich <m.olbrich@pengutronix.de>
To: barebox@lists.infradead.org
Subject: Re: [PATCH 08/13] boot_verify: allow to force unsigned image to boot
Date: Sun, 26 Mar 2017 10:25:58 +0200 [thread overview]
Message-ID: <20170326082558.l7iise2cwd5baxi4@pengutronix.de> (raw)
In-Reply-To: <1490496304-30850-8-git-send-email-plagnioj@jcrosoft.com>
On Sun, Mar 26, 2017 at 04:44:59AM +0200, Jean-Christophe PLAGNIOL-VILLARD wrote:
> request confirmation before booting an unsigned image
>
> with a default timeout
>
> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> ---
> commands/go.c | 9 +++++++--
> common/Kconfig | 8 ++++++++
> common/boot_verify.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
> common/bootm.c | 6 ++++++
> common/image-fit.c | 1 +
> common/uimage.c | 1 +
> include/boot_verify.h | 7 +++++++
> 7 files changed, 74 insertions(+), 5 deletions(-)
>
> diff --git a/commands/go.c b/commands/go.c
> index e0385a977..919bcddc7 100644
> --- a/commands/go.c
> +++ b/commands/go.c
> @@ -38,8 +38,13 @@ static int do_go(int argc, char *argv[])
> if (argc < 2)
> return COMMAND_ERROR_USAGE;
>
> - if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE)
> - return -ESECVIOLATION;
> + if (boot_get_verify_mode() < BOOT_VERIFY_AVAILABLE) {
> + int is_sec;
> +
> + is_sec = boot_can_start_unsigned();
> + if (is_sec)
> + return is_sec;
> + }
>
> if (!isdigit(*argv[1])) {
> fd = open(argv[1], O_RDONLY);
> diff --git a/common/Kconfig b/common/Kconfig
> index 00e98e859..2588651ae 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -648,6 +648,14 @@ config BOOT_FORCE_SIGNED_IMAGES
> are refused to boot. Effectively this means only Signed images can
> be booted.
>
> +config BOOT_FORCE_USER_SIGNED_IMAGES
> + bool
> + prompt "Force booting of signed images or confirm them"
> + depends on HAS_SECURE_BOOT
> + help
> + With this option enabled only signed images can be booted, unsigned images
> + need a user confirmation to boot.
> +
> config BLSPEC
> depends on BLOCK
> depends on FLEXIBLE_BOOTARGS
> diff --git a/common/boot_verify.c b/common/boot_verify.c
> index 9cbeb7a65..07ae07e16 100644
> --- a/common/boot_verify.c
> +++ b/common/boot_verify.c
> @@ -1,9 +1,17 @@
> +/*
> + * Copyright (c) 2016 Sascha Hauer <s.hauer@pengutronix.de>, Pengutronix
> + * Copyright (c) 2017 Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> + *
> + * Under GPLv2 Only
> + */
This belongs in the patch that introduces the file.
Michael
> #include <common.h>
> #include <boot_verify.h>
> +#include <console_countdown.h>
> #include <globalvar.h>
> #include <magicvar.h>
> #include <init.h>
>
> +static unsigned int boot_verify_confirm_timeout = 10;
> static enum boot_verify boot_verify_mode = BOOT_VERIFY_HASH;
>
> enum boot_verify boot_get_verify_mode(void)
> @@ -14,6 +22,7 @@ enum boot_verify boot_get_verify_mode(void)
> /* keep it for the most secure to the less */
> static const char * const boot_verify_names[] = {
> [BOOT_VERIFY_SIGNATURE] = "signature",
> + [BOOT_VERIFY_SIGNATURE_USER] = "signature-user",
> [BOOT_VERIFY_AVAILABLE] = "available",
> [BOOT_VERIFY_HASH] = "hash",
> [BOOT_VERIFY_NONE] = "none",
> @@ -40,6 +49,29 @@ void boot_set_is_secure_mode(int (*fn)(void))
> __is_secure_mode = fn;
> }
>
> +int boot_can_start_unsigned(void)
> +{
> + int ret;
> + char c;
> + int timeout = boot_verify_confirm_timeout;
> +
> + if (!is_secure_mode())
> + return 0;
> +
> + if (boot_verify_mode != BOOT_VERIFY_SIGNATURE_USER)
> + return -ESECVIOLATION;
> +
> + printf("Are you sure you wish to run an unsigned binary\n");
> + printf("in a secure environment?\n");
> + printf("press y to confirm\n");
> +
> + ret = console_countdown(timeout, CONSOLE_COUNTDOWN_ANYKEY, &c);
> + if (ret != -EINTR)
> + return -ESECVIOLATION;
> +
> + return c == 'y' ? 0 : -ESECVIOLATION;
> +}
> +
> static int init_boot_verify(void)
> {
> int size;
> @@ -47,16 +79,25 @@ static int init_boot_verify(void)
> if (IS_ENABLED(CONFIG_BOOT_FORCE_SIGNED_IMAGES))
> boot_verify_mode = BOOT_VERIFY_SIGNATURE;
>
> - if (is_secure_mode())
> - size = 1;
> - else
> + if (is_secure_mode()) {
> + if (IS_ENABLED(CONFIG_BOOT_FORCE_USER_SIGNED_IMAGES))
> + size = 2;
> + else
> + size = 1;
> + } else {
> size = ARRAY_SIZE(boot_verify_names);
> + }
>
> globalvar_add_simple_enum("boot.verify", (unsigned int *)&boot_verify_mode,
> boot_verify_names, size);
>
> + globalvar_add_simple_int("boot.verify_confirm_timeout",
> + &boot_verify_confirm_timeout, "%u");
> +
> return 0;
> }
> late_initcall(init_boot_verify);
>
> BAREBOX_MAGICVAR_NAMED(global_boot_verify, global.boot.verify, "boot default verify level");
> +BAREBOX_MAGICVAR_NAMED(global_boot_verify_confirm_timeout, global.boot.verify_confirm_timeout,
> + "Secure Boot Comfirm timeout in seconds before booting an unsigned image");
> diff --git a/common/bootm.c b/common/bootm.c
> index 1558f3c5d..73a3a99dd 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -579,6 +579,12 @@ int bootm_boot(struct bootm_data *bootm_data)
> printf("Passing control to %s handler\n", handler->name);
> }
>
> + if (!handler->is_secure_supported && is_secure_mode()) {
> + ret = boot_can_start_unsigned();
> + if (ret)
> + goto err_out;
> + }
> +
> ret = handler->bootm(data);
> if (data->dryrun)
> printf("Dryrun. Aborted\n");
> diff --git a/common/image-fit.c b/common/image-fit.c
> index 53f3173fc..0df735062 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -465,6 +465,7 @@ static int fit_config_verify_signature(struct fit_handle *handle, struct device_
> case BOOT_VERIFY_HASH:
> return 0;
> case BOOT_VERIFY_SIGNATURE:
> + case BOOT_VERIFY_SIGNATURE_USER:
> ret = -EINVAL;
> break;
> case BOOT_VERIFY_AVAILABLE:
> diff --git a/common/uimage.c b/common/uimage.c
> index d1947aa11..f25341c15 100644
> --- a/common/uimage.c
> +++ b/common/uimage.c
> @@ -30,6 +30,7 @@
> #include <rtc.h>
> #include <filetype.h>
> #include <memory.h>
> +#include <bootm.h>
>
> static inline int uimage_is_multi_image(struct uimage_handle *handle)
> {
> diff --git a/include/boot_verify.h b/include/boot_verify.h
> index ee830bf5c..12dcfbfdc 100644
> --- a/include/boot_verify.h
> +++ b/include/boot_verify.h
> @@ -3,6 +3,7 @@
>
> enum boot_verify {
> BOOT_VERIFY_SIGNATURE,
> + BOOT_VERIFY_SIGNATURE_USER,
> BOOT_VERIFY_AVAILABLE,
> BOOT_VERIFY_HASH,
> BOOT_VERIFY_NONE,
> @@ -19,10 +20,16 @@ static int inline is_secure_mode(void)
> return 0;
> }
>
> +static int inline boot_can_start_unsigned(void)
> +{
> + return 0;
> +}
> +
> static void inline boot_set_is_secure_mode(int (*fn)(void)) {}
> #else
> enum boot_verify boot_get_verify_mode(void);
> int is_secure_mode(void);
> +int boot_can_start_unsigned(void);
> void boot_set_is_secure_mode(int (*fn)(void));
> #endif
>
> --
> 2.11.0
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2017-03-26 8:26 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-25 8:31 [PATCH 00/13] add efi secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 01/13] bootm: move open to image_handler Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 02/13] boot_verify: use a new error ESECVIOLATION Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:59 ` Michael Olbrich
2017-03-26 2:44 ` [PATCH 03/13] bootm: make security generic Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 04/13] boot: invert the secure boot forcing support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 05/13] move boot verify to generic code Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 06/13] boot_verify: make it modifiable at start time Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:16 ` Michael Olbrich
2017-03-26 2:44 ` [PATCH 07/13] go: only use it if boot signature is not required Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:23 ` Michael Olbrich
2017-03-27 11:50 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 08/13] boot_verify: allow to force unsigned image to boot Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:25 ` Michael Olbrich [this message]
2017-03-26 2:45 ` [PATCH 09/13] boot_verify: add password request support Jean-Christophe PLAGNIOL-VILLARD
2017-03-27 6:11 ` Sascha Hauer
2017-03-26 2:45 ` [PATCH 10/13] efi: add more security related guid for the efivars Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 11/13] efi: fix lds for secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:30 ` Michael Olbrich
2017-03-26 2:45 ` [PATCH 12/13] efi: fix secure and setup mode report Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 13/13] efi: enable sercure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:57 ` [PATCH 01/13] bootm: move open to image_handler Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170326082558.l7iise2cwd5baxi4@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox