From 74e3cb9e883f95ed358337df8a9841a2f47fd153 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 3 Feb 2020 13:50:07 -0500
Subject: [PATCH 83/86] Add some of the authenticode-related defines from
pesign
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/include/efivar/efisec-types.h | 234 ++++++++++++++++++++++++++++++
src/include/efivar/efisec.h | 2 +
2 files changed, 236 insertions(+)
create mode 100644 src/include/efivar/efisec-types.h
diff --git a/src/include/efivar/efisec-types.h b/src/include/efivar/efisec-types.h
new file mode 100644
index 00000000000..5d7febfeaae
--- /dev/null
+++ b/src/include/efivar/efisec-types.h
@@ -0,0 +1,234 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * authenticode.h - Authenticode definitions and types
+ * Copyright 2019-2020 Peter Jones <pjones@redhat.com>
+ */
+
+#ifndef EFISEC_TYPES_H_
+#define EFISEC_TYPES_H_ 1
+
+#include <stdint.h>
+#include <efivar/efivar-types.h>
+
+/*
+ * Storage for specific hashes and cryptographic (not pkcs7) signatures
+ */
+typedef uint8_t efi_sha1_hash_t[20];
+typedef uint8_t efi_sha224_hash_t[28];
+typedef uint8_t efi_sha256_hash_t[32];
+typedef uint8_t efi_sha384_hash_t[48];
+typedef uint8_t efi_sha512_hash_t[64];
+typedef uint8_t efi_rsa2048_sig_t[256];
+
+/*
+ * Security database definitions and types
+ */
+
+#define EFI_GLOBAL_PLATFORM_KEY L"PK"
+#define EFI_GLOBAL_KEY_EXCHANGE_KEY L"KEK"
+#define EFI_IMAGE_SECURITY_DATABASE L"db"
+#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx"
+#define EFI_IMAGE_SECURITY_DATABASE2 L"dbt"
+#define EFI_IMAGE_SECURITY_DATABASE3 L"dbr"
+
+typedef struct {
+ efi_sha256_hash_t to_be_signed_hash;
+ efi_time_t time_of_revocation;
+} efi_cert_x509_sha256_t __attribute__((__aligned__(1)));
+
+typedef struct {
+ efi_sha384_hash_t to_be_signed_hash;
+ efi_time_t time_of_revocation;
+} efi_cert_x509_sha384_t __attribute__((__aligned__(1)));
+
+typedef struct {
+ efi_sha512_hash_t to_be_signed_hash;
+ efi_time_t time_of_revocation;
+} efi_cert_x509_sha512_t __attribute__((__aligned__(1)));
+
+typedef struct {
+ efi_guid_t signature_owner;
+ uint8_t signature_data[];
+} efi_signature_data_t __attribute__((__aligned__(1)));
+
+typedef struct {
+ efi_guid_t signature_type;
+ uint32_t signature_list_size;
+ uint32_t signature_header_size;
+ uint32_t signature_size;
+ // uint8_t signature_header[];
+ // efi_signature_data signatures[][signature_size];
+} efi_signature_list_t __attribute__((__aligned__(1)));
+
+/**********************************************************
+ * Stuff used by authenticode and authenticated variables *
+ **********************************************************/
+
+#define WIN_CERT_REVISION_1_0 ((uint16_t)0x0100)
+#define WIN_CERT_REVISION_2_0 ((uint16_t)0x0200)
+
+#define WIN_CERT_TYPE_PKCS_SIGNED_DATA ((uint16_t)0x0002)
+#define WIN_CERT_TYPE_EFI_PKCS115 ((uint16_t)0x0ef0)
+#define WIN_CERT_TYPE_EFI_GUID ((uint16_t)0x0ef1)
+
+typedef struct {
+ uint32_t length;
+ uint16_t revision;
+ uint16_t cert_type;
+} win_certificate_header_t;
+
+/*
+ * The spec says:
+ *
+ * This structure is the certificate header. There may be zero or more
+ * certificates.
+ * • If the wCertificateType field is set to WIN_CERT_TYPE_EFI_PKCS115,
+ * then the certificate follows the format described in
+ * WIN_CERTIFICATE_EFI_PKCS1_15.
+ * • If the wCertificateType field is set to WIN_CERT_TYPE_EFI_GUID, then
+ * the certificate follows the format described in
+ * WIN_CERTIFICATE_UEFI_GUID.
+ * • If the wCertificateType field is set to WIN_CERT_TYPE_PKCS_SIGNED_DATA
+ * then the certificate is formatted as described in the Authenticode
+ * specification.
+ *
+ * Which basically means we see the first two in EFI signature databases,
+ * and the third one in authenticode signatures. It goes on to say:
+ *
+ * Table 11.
+ * PE/COFF Certificates Types and UEFI Signature Database Certificate Types
+ * +---------------------------------------+-----------------------------------+
+ * | Image Certificate Type | Verified Using Signature Database |
+ * | | Type |
+ * +---------------------------------------+-----------------------------------+
+ * | WIN_CERT_TYPE_EFI_PKCS115 | EFI_CERT_RSA2048_GUID (public key)|
+ * | ( Signature Size = 256 bytes) | |
+ * +---------------------------------------+-----------------------------------+
+ * | WIN_CERT_TYPE_EFI_GUID | EFI_CERT_RSA2048_GUID (public key)|
+ * | ( CertType = | |
+ * | EFI_CERT_TYPE_RSA2048_SHA256_GUID ) | |
+ * +---------------------------------------+-----------------------------------+
+ * | WIN_CERT_TYPE_EFI_GUID | EFI_CERT_X509_GUID |
+ * | (CertType = EFI_CERT_TYPE_PKCS7_GUID) | EFI_CERT_RSA2048_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA256_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA384_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA512_GUID |
+ * | | (when applicable) |
+ * +---------------------------------------+-----------------------------------+
+ * | WIN_CERT_TYPE_PKCS_SIGNED_DATA | EFI_CERT_X509_GUID |
+ * | | EFI_CERT_RSA2048_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA256_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA384_GUID |
+ * | | (when applicable) |
+ * | | EFI_CERT_X509_SHA512_GUID |
+ * | | (when applicable) |
+ * +---------------------------------------+-----------------------------------+
+ * |(Always applicable regardless of | EFI_CERT_SHA1_GUID, |
+ * | whether a certificate is present or | EFI_CERT_SHA224_GUID, |
+ * | not) | EFI_CERT_SHA256_GUID, |
+ * | | EFI_CERT_SHA384_GUID, |
+ * | | EFI_CERT_SHA512_GUID |
+ * | | In this case, the database |
+ * | | contains the hash of the image. |
+ * +---------------------------------------+-----------------------------------+
+ */
+
+/*
+ * hdr.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA
+ */
+typedef struct {
+ win_certificate_header_t hdr;
+ uint8_t data[]; // pkcs7 signedData
+} win_certificate_pkcs_signed_data_t;
+
+/*
+ * hdr.cert_type = WIN_CERT_TYPE_EFI_PKCS115
+ */
+typedef struct {
+ win_certificate_header_t hdr;
+ efi_guid_t hash_alg;
+ uint8_t signature[];
+} win_certificate_efi_pkcs1_15_t;
+
+/*
+ * hdr.cert_type = WIN_CERT_TYPE_EFI_GUID
+ */
+typedef struct {
+ win_certificate_header_t hdr;
+ efi_guid_t type;
+ uint8_t data[];
+} win_certificate_uefi_guid_t;
+
+
+/*
+ * public_key: pubkey that may or may not be trusted
+ * signature: a RSA2048 signature of the SHA256 authenticode hash
+ */
+typedef struct {
+ efi_guid_t hash_type;
+ uint8_t public_key[256];
+ uint8_t signature[256];
+} efi_cert_rsa2048_sha256_t;
+
+typedef struct {
+ uint64_t monotonic_count;
+ win_certificate_uefi_guid_t auth_info;
+} efi_variable_authentication_t __attribute__((aligned (1)));
+
+typedef struct {
+ efi_time_t timestamp;
+ win_certificate_uefi_guid_t auth_info;
+} efi_variable_authentication_2_t __attribute__((aligned (1)));
+
+#define EFI_VARIABLE_AUTHENTICATION_3_CERT_ID_SHA256 ((uint8_t)1)
+
+/* XXX the spec doesn't say if this is supposed to be packed/align(1) */
+typedef struct {
+ uint8_t type;
+ uint32_t id_size;
+ uint8_t id[];
+} efi_variable_authentication_3_cert_id_t __attribute__((aligned (1)));
+
+#define EFI_VARIABLE_AUTHENTICATION_3_TIMESTAMP_TYPE ((uint8_t)1)
+#define EFI_VARIABLE_AUTHENTICATION_3_NONCE_TYPE ((uint8_t)2)
+
+/* XXX the spec doesn't say if this is supposed to be packed/align(1) */
+typedef struct {
+ uint8_t version;
+ uint8_t type;
+ uint32_t metadata_size; // this is everything except data[]
+ uint32_t flags;
+} efi_variable_authentication_3_header_t __attribute__((aligned (1)));
+
+#define EFI_VARIABLE_ENHANCED_AUTH_FLAG_UPDATE_CERT ((uint32_t)0x00000001)
+
+typedef struct {
+ uint32_t nonce_size;
+ uint8_t nonce[];
+} efi_variable_authentication_3_nonce_t;
+
+/* XXX the spec sort of implies that this is supposed to be packed/align(1) */
+typedef struct {
+ efi_variable_authentication_3_header_t hdr;
+ efi_time_t timestamp;
+ // if EFI_VARIABLE_ENHANCED_AUTH_FLAG_UPDATE_CERT is set:
+ // uint8_t newcert[];
+ // uint8_t signing_cert[];
+} efi_variable_timestamped_authentication_3 __attribute__((aligned (1)));
+
+/* XXX the spec sort of implies that this is supposed to be packed/align(1) */
+typedef struct {
+ efi_variable_authentication_3_header_t hdr;
+ efi_variable_authentication_3_nonce_t nonce;
+ // if EFI_VARIABLE_ENHANCED_AUTH_FLAG_UPDATE_CERT is set:
+ // uint8_t newcert[];
+ // uint8_t signing_cert[];
+} efi_variable_nonced_authentication_3 __attribute__((aligned (1)));
+
+#endif /* !SECURITY_H_ */
+// vim:fenc=utf-8:tw=75:noet
diff --git a/src/include/efivar/efisec.h b/src/include/efivar/efisec.h
index 0ee5abe8bfd..f62bcedbf6f 100644
--- a/src/include/efivar/efisec.h
+++ b/src/include/efivar/efisec.h
@@ -9,6 +9,8 @@
#include <efivar/efivar.h>
+#include <efivar/efisec-types.h>
+
extern uint32_t efi_get_libefisec_version(void)
__attribute__((__visibility__("default")));
--
2.24.1