proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-05-11 10:05:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4a156deee2
fwupd/plugins/uefi-pk/fu-plugin-uefi-pk.c
Richard Hughes 1981c63d58 Remove FuFirmwareImage and just use FuFirmware instead 
This allows us to 'nest' firmware formats, and removes a ton of duplication.

The aim here is to deprecate FuFirmwareImage -- it's almost always acting
as a 'child' FuFirmware instance, and even copies most of the vfuncs to allow
custom types. If I'm struggling to work out what should be a FuFirmware and
what should be a FuFirmwareImage then a plugin author has no hope.

For simple payloads we were adding bytes into an image and then the image into
a firmware. This gets really messy when most plugins are treating the FuFirmware
*as* the binary firmware file.

The GBytes saved in the FuFirmware would be considered the payload with the
aim of not using FuFirmwareImage in the single-image case.
2021-03-09 21:14:12 +00:00

191 lines
4.9 KiB
C
Raw Blame History

/*
* Copyright (C) 2020 Richard Hughes <richard@hughsie.com>
*
* SPDX-License-Identifier: LGPL-2.1+
*/
#include "config.h"
#include <gnutls/crypto.h>
#include <gnutls/abstract.h>
#include "fu-efi-signature.h"
#include "fu-efi-signature-list.h"
#include "fu-efivar.h"
#include "fu-plugin-vfuncs.h"
struct FuPluginData {
gboolean has_pk_test_key;
};
#define FU_UEFI_PK_CHECKSUM_AMI_TEST_KEY "a773113bafaf5129aa83fd0912e95da4fa555f91"
static void
_gnutls_datum_deinit (gnutls_datum_t *d)
{
gnutls_free (d->data);
gnutls_free (d);
}
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wunused-function"
G_DEFINE_AUTOPTR_CLEANUP_FUNC(gnutls_datum_t, _gnutls_datum_deinit)
G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_x509_crt_t, gnutls_x509_crt_deinit, NULL)
#pragma clang diagnostic pop
static gboolean
fu_plugin_uefi_pk_parse_buf (FuPlugin *plugin,
const gchar *buf,
gsize bufsz,
GError **error)
{
FuPluginData *priv = fu_plugin_get_data (plugin);
const gchar *needles[] = {
"DO NOT TRUST",
"DO NOT SHIP",
NULL,
};
for (guint i = 0; needles[i] != NULL; i++) {
if (g_strstr_len (buf, bufsz, needles[i]) != NULL) {
g_debug ("got %s, marking unsafe", buf);
priv->has_pk_test_key = TRUE;
break;
}
}
return TRUE;
}
static gboolean
fu_plugin_uefi_pk_parse_signature (FuPlugin *plugin,
FuEfiSignature *sig,
GError **error)
{
gchar buf[1024] = { '\0' };
gnutls_datum_t d = { 0 };
gnutls_x509_dn_t dn = { 0x0 };
gsize bufsz = sizeof(buf);
int rc;
g_auto(gnutls_x509_crt_t) crt = NULL;
g_autoptr(gnutls_datum_t) subject = NULL;
g_autoptr(GBytes) blob = NULL;
/* create certificate */
rc = gnutls_x509_crt_init (&crt);
if (rc < 0) {
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_INVALID_DATA,
"crt_init: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
/* parse certificate */
blob = fu_firmware_get_bytes (FU_FIRMWARE (sig), error);
if (blob == NULL)
return FALSE;
d.size = g_bytes_get_size (blob);
d.data = (unsigned char *) g_bytes_get_data (blob, NULL);
rc = gnutls_x509_crt_import (crt, &d, GNUTLS_X509_FMT_DER);
if (rc < 0) {
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_INVALID_DATA,
"crt_import: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
/* look in issuer */
if (gnutls_x509_crt_get_issuer_dn (crt, buf, &bufsz) == GNUTLS_E_SUCCESS) {
if (g_getenv ("FWUPD_UEFI_PK_VERBOSE") != NULL)
g_debug ("PK issuer: %s", buf);
if (!fu_plugin_uefi_pk_parse_buf (plugin,
buf, bufsz,
error))
return FALSE;
}
/* look in subject */
subject = (gnutls_datum_t *) gnutls_malloc (sizeof (gnutls_datum_t));
if (gnutls_x509_crt_get_subject (crt, &dn) == GNUTLS_E_SUCCESS) {
gnutls_x509_dn_get_str (dn, subject);
if (g_getenv ("FWUPD_UEFI_PK_VERBOSE") != NULL)
g_debug ("PK subject: %s", subject->data);
if (!fu_plugin_uefi_pk_parse_buf (plugin,
(const gchar *) subject->data,
subject->size,
error))
return FALSE;
}
/* success, certificate was parsed correctly */
return TRUE;
}
gboolean
fu_plugin_coldplug (FuPlugin *plugin, GError **error)
{
FuPluginData *priv = fu_plugin_get_data (plugin);
g_autoptr(FuFirmware) img = NULL;
g_autoptr(FuFirmware) pk = fu_efi_signature_list_new ();
g_autoptr(GBytes) pk_blob = NULL;
g_autoptr(GPtrArray) sigs = NULL;
pk_blob = fu_efivar_get_data_bytes (FU_EFIVAR_GUID_EFI_GLOBAL, "PK", NULL, error);
if (pk_blob == NULL)
return FALSE;
if (!fu_firmware_parse (pk, pk_blob, FU_FIRMWARE_FLAG_NONE, error)) {
g_prefix_error (error, "failed to parse PK: ");
return FALSE;
}
/* by checksum */
img = fu_firmware_get_image_by_checksum (pk, FU_UEFI_PK_CHECKSUM_AMI_TEST_KEY, NULL);
if (img != NULL) {
g_debug ("detected AMI test certificate");
priv->has_pk_test_key = TRUE;
}
/* by text */
sigs = fu_firmware_get_images (pk);
for (guint i = 0; i < sigs->len; i++) {
FuEfiSignature *sig = g_ptr_array_index (sigs, i);
if (!fu_plugin_uefi_pk_parse_signature (plugin, sig, error))
return FALSE;
}
/* success */
return TRUE;
}
void
fu_plugin_init (FuPlugin *plugin)
{
fu_plugin_alloc_data (plugin, sizeof (FuPluginData));
fu_plugin_set_build_hash (plugin, FU_BUILD_HASH);
}
void
fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
{
FuPluginData *priv = fu_plugin_get_data (plugin);
g_autoptr(FwupdSecurityAttr) attr = NULL;
/* create attr */
attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_PK);
fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
fu_security_attrs_append (attrs, attr);
/* test key is not secure */
if (priv->has_pk_test_key) {
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
return;
}
/* success */
fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_VALID);
}
Reference in New Issue View Git Blame Copy Permalink