commit d52f7bbb73401aab8a1d59e8d0d686ad9641035e
Author: James Bottomley
Date:   Thu Jun 11 16:32:13 2020 -0700

    Version 0.9.4

    AKASHI Takahiro (1):
          sbsign: allow for adding intermediate certificates

    James Bottomley (8):
          sbverify: fix verification with intermediate certificates
          Tests: Add intermediate certificate tests to the sign-verify cases
          Fix some openssl 1.1.0 deprecated functions
          sbvarsign: remove unused global variable
          sbverify: refer to unused function
          Fix errors on 32 bit
          Enable -Werror for builds
          docs: add man page for sbkeysync

    Signed-off-by: James Bottomley

commit e17dc20591236d21f086f16294ed691544cb6fc2
Author: James Bottomley
Date:   Sat Jun 6 15:21:11 2020 -0700

    docs: add man page for sbkeysync

    Signed-off-by: James Bottomley

commit ff96a590466a1881d2203988fcc39b51af11c519
Author: James Bottomley
Date:   Sat Jun 6 15:08:01 2020 -0700

    Enable -Werror for builds

    Now that all the build warnings are eliminated, make sure they don't
    come back

    Signed-off-by: James Bottomley

commit e3f7d2754147e76302d6b4e7f52f09bb9a2fed47
Author: James Bottomley
Date:   Sat Jun 6 15:34:02 2020 -0700

    Fix errors on 32 bit

    print format and signed conversion due to big hex types

    Signed-off-by: James Bottomley

commit 5aeb513916c7b1d37304e28571ad3daeda9e3cb0
Author: James Bottomley
Date:   Sat Jun 6 14:50:51 2020 -0700

    sbverify: refer to unused function

    The function print_certificate_store_certs() is currently commented
    out leading to an unused function warning. Make verbose a level and
    call this function for levels > 1 (meaning you have to specify -v -v
    to see it).

    Signed-off-by: James Bottomley

commit 6b7d5ccb288509512ff1e36357685262e6d4645c
Author: James Bottomley
Date:   Sat Jun 6 14:50:33 2020 -0700

    sbvarsign: remove unused global variable

    Signed-off-by: James Bottomley

commit 311d6c2b9c1129114834f4df9b12a195a66dc4bc
Author: James Bottomley
Date:   Sat Jun 6 14:44:54 2020 -0700

    Fix some openssl 1.1.0 deprecated functions

    replace OPENSSL_config with OPENSSL_init_crypto and ASN1_STRING_data
    with ASN1_STRING_get0_data

    Signed-off-by: James Bottomley

commit 6c2b07fa1c5a2cffffd76a0a0703d2de93cfad06
Author: James Bottomley
Date:   Fri Jun 5 18:34:55 2020 -0700

    Tests: Add intermediate certificate tests to the sign-verify cases

    Signed-off-by: James Bottomley

commit df27a417b92ebdcf4161fd115fc61a204ff7c202
Author: James Bottomley
Date:   Fri Jun 5 18:29:07 2020 -0700

    sbverify: fix verification with intermediate certificates

    sbverify is currently failing if an intermediate certificate is added
    on signing but the binary is verified with the signing certificate.
    It fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This is
    happening because the x509_STORE only contains the signing
    certificate but the pkcs7 bundle in the binary contains the issuer
    certificate as well. Fix this by unconditionally approving any
    locally missing certificates on verify.

    Signed-off-by: James Bottomley

commit 7d6210e4b1fd5ed16a671a07aaa14a98a9f7c33c
Author: AKASHI Takahiro
Date:   Thu Jun 4 16:50:22 2020 +0900

    sbsign: allow for adding intermediate certificates

    SignedData can have multiple certificates, but the current
    implementation of sbsign only allows a single one (as a signer).

    With this patch, "-addcert" options will be available on command line
    to specify a file in which any number of intermediate certificates in
    PEM format can be concatenated.

      $ sign --key --cert --addcert [...] image_file

    Background: I'm working on implementing UEFI secure boot on U-Boot
    and want to test my code against PE images with intermediate
    certificates in certificate chain.
    As far as I know, the only tool that supports it in signing is
    Microsoft's signtool.exe. So I'd like to have some corresponding tool
    on linux.

    Signed-off-by: AKASHI Takahiro
    Signed-off-by: James Bottomley

commit fe88da5f66241d959b7aeca7502d401ad88df410
Author: James Bottomley
Date:   Thu Jan 9 09:33:38 2020 -0800

    Version 0.9.3

    James Bottomley (1):
          README: update git location and add mailing list information

    Laszlo Ersek (1):
          sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" assignment

    Steve McIntyre (1):
          Fix PE/COFF checksum calculation

    Signed-off-by: James Bottomley

commit ea4e6db5d984ac3bb5988abb6dc63213afb4cff0
Author: James Bottomley
Date:   Thu Jan 9 09:29:39 2020 -0800

    README: update git location and add mailing list information

    Now that a Mailing list is set up, update the README to point to it
    and mention the new maintained git location for this fork.

    Signed-off-by: James Bottomley

commit 2ed8eebcc52eaeb60dd24addaed90e5f9a1419e5
Author: Laszlo Ersek
Date:   Thu Jan 9 18:13:02 2020 +0100

    sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" assignment

    According to UEFI-2.8, section 8.3 "Time Services" / GetTime(), the
    "EFI_TIME.Year" field must be in the range [1900, 9999] (both bounds
    inclusive). It is not stated or even implied that "EFI_TIME.Year"
    would not be an absolute year number.

    According to POSIX, the "tm_year" field of "struct tm" is defined as
    "Years since 1900". In other words, "tm_year" is relative to 1900.

    In set_timestamp(), time() and gmtime() are suitable for populating
    "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp", as the UEFI spec
    specifically requires a stamp expressed in the GMT (UTC) zone. But we
    still need to offset "tm->tm_year" by 1900 for filling in
    "timestamp->Year". So let's do that now.

    While this issue does not seem to affect upstream edk2, SetVariable()
    calls with payloads containing an invalid
    "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" value do seem to be
    rejected at least on some Dell Inspiron machines (using a UEFI
    implementation from AMI).

    Reported-by: Eugene Khoruzhenko
    Reported-by: Paulo Henrique Lacerda de Amorim
    Ref: https://edk2.groups.io/g/devel/message/49402
    Fixes: 953b00481f3957fc756a6dc7d10c570da32a08bc
    Signed-off-by: Laszlo Ersek
    Signed-off-by: James Bottomley

commit 0dc3d4b5210dae158651d058f7ac68a9f178ae84
Author: Steve McIntyre <93sam@debian.org>
Date:   Fri Apr 19 23:14:46 2019 +0100

    Fix PE/COFF checksum calculation

    Only count the cert_table header once when performing the calculation
    and counting buffer sizes.

    The problem entered because of a mismerge of multiple signature
    support and "be1f3d8 Update the PE checksum field using the
    somewhat-underdocumented algorithm, so that we match the Microsoft
    implementation in our signature generation.". Originally
    image->cert_table held the full certificate table including the
    Microsoft _WINH_CERTIFICATE header and image->sigbuf pointed to the
    pkcs11 signature inside, so the two had to be checksummed separately.
    After multiple signature support, image->sigbuf points to the full
    certificate table because we now need the headers to decide where one
    signature ends and the next begins, so the correct checksum only
    needs to sum over the entire image->sigbuf.

    Signed-off-by: Steve McIntyre <93sam@debian.org>
    Signed-off-by: James Bottomley
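
The year handling described in the sbvarsign "TimeStamp.Year" commit above, as an added C example (not code from sbsigntools): it fills an EFI_TIME from a UTC time_t and applies the [1900, 9999] range check that rejects an un-offset tm_year. The names efi_time_t, efi_time_from_unix and efi_year_valid are hypothetical, and the sample timestamp is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* EFI_TIME as laid out in the UEFI specification (16 bytes). */
typedef struct {
    uint16_t Year;       /* absolute year, 1900 - 9999 */
    uint8_t  Month;      /* 1 - 12 (struct tm uses 0 - 11) */
    uint8_t  Day;        /* 1 - 31 */
    uint8_t  Hour;       /* 0 - 23 */
    uint8_t  Minute;     /* 0 - 59 */
    uint8_t  Second;     /* 0 - 59 */
    uint8_t  Pad1;
    uint32_t Nanosecond;
    int16_t  TimeZone;
    uint8_t  Daylight;
    uint8_t  Pad2;
} efi_time_t;

/* Range check on the Year field, as stated in the commit message. */
int efi_year_valid(unsigned year) { return year >= 1900 && year <= 9999; }

/* Hypothetical helper: convert a UTC time_t into an EFI_TIME suitable for
 * EFI_VARIABLE_AUTHENTICATION_2.TimeStamp. Returns 0 on success, -1 if the
 * conversion fails or the year is out of range. */
int efi_time_from_unix(time_t t, efi_time_t *out)
{
    struct tm *tm = gmtime(&t);          /* the stamp must be in GMT (UTC) */
    if (!tm)
        return -1;
    int year = tm->tm_year + 1900;       /* tm_year is "years since 1900" */
    if (!efi_year_valid((unsigned)year))
        return -1;
    memset(out, 0, sizeof(*out));        /* pad, ns, zone, daylight stay 0 */
    out->Year   = (uint16_t)year;
    out->Month  = (uint8_t)(tm->tm_mon + 1);
    out->Day    = (uint8_t)tm->tm_mday;
    out->Hour   = (uint8_t)tm->tm_hour;
    out->Minute = (uint8_t)tm->tm_min;
    out->Second = (uint8_t)tm->tm_sec;
    return 0;
}

int main(void)
{
    efi_time_t ts;
    time_t sample = (time_t)1578589982;  /* constructed: 2020-01-09 17:13:02 UTC */
    if (efi_time_from_unix(sample, &ts) == 0)
        printf("Year=%u valid=%d; raw tm_year=120 valid=%d\n",
               (unsigned)ts.Year, efi_year_valid(ts.Year), efi_year_valid(120));
    return 0;
}
```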