diff --git a/nix/tests/lanzaboote.nix b/nix/tests/lanzaboote.nix index d9e6458..e1888d3 100644 --- a/nix/tests/lanzaboote.nix +++ b/nix/tests/lanzaboote.nix @@ -144,7 +144,7 @@ let machine.crash() machine.start() '' + (if useSecureBoot then '' - machine.wait_for_console_text("Hash mismatch") + machine.wait_for_console_text("hash does not match") '' else '' # Just check that the system came up. print(machine.succeed("bootctl", timeout=120)) diff --git a/rust/uefi/stub/src/main.rs b/rust/uefi/stub/src/main.rs index 21254bd..bc5c6de 100644 --- a/rust/uefi/stub/src/main.rs +++ b/rust/uefi/stub/src/main.rs @@ -77,7 +77,7 @@ fn main(handle: Handle, mut system_table: SystemTable) -> Status { #[cfg(feature = "thin")] { - status = thin::boot_linux(handle, system_table) + status = thin::boot_linux(handle, system_table).status() } status diff --git a/rust/uefi/stub/src/thin.rs b/rust/uefi/stub/src/thin.rs index 13fa10b..bd431ea 100644 --- a/rust/uefi/stub/src/thin.rs +++ b/rust/uefi/stub/src/thin.rs @@ -1,12 +1,10 @@ -use alloc::vec::Vec; -use log::warn; +use log::{error, warn}; use sha2::{Digest, Sha256}; -use uefi::fs::FileSystem; -use uefi::{prelude::*, proto::loaded_image::LoadedImage, CStr16, CString16, Result}; +use uefi::{fs::FileSystem, guid, prelude::*, table::runtime::VariableVendor, CString16, Result}; use crate::common::{boot_linux_unchecked, extract_string}; use linux_bootloader::pe_section::pe_section; -use linux_bootloader::{linux_loader::InitrdLoader, uefi_helpers::booted_image_file}; +use linux_bootloader::uefi_helpers::booted_image_file; type Hash = sha2::digest::Output; @@ -59,53 +57,25 @@ impl EmbeddedConfiguration { } } -/// Boot the Linux kernel via the UEFI PE loader. +/// Verify some data against its expected hash. /// -/// This should only succeed when UEFI Secure Boot is off (or -/// broken...), because the Lanzaboote tool does not sign the kernel. -/// -/// In essence, we can use this routine to detect whether Secure Boot -/// is actually enabled. -fn boot_linux_uefi( - handle: Handle, - system_table: SystemTable, - kernel_data: Vec, - kernel_cmdline: &CStr16, - initrd_data: Vec, -) -> uefi::Result<()> { - let kernel_handle = system_table.boot_services().load_image( - handle, - uefi::table::boot::LoadImageSource::FromBuffer { - buffer: &kernel_data, - file_path: None, - }, - )?; - - let mut kernel_image = system_table - .boot_services() - .open_protocol_exclusive::(kernel_handle)?; - - unsafe { - kernel_image.set_load_options( - kernel_cmdline.as_ptr() as *const u8, - // This unwrap is "safe" in the sense that any - // command-line that doesn't fit 4G is surely broken. - u32::try_from(kernel_cmdline.num_bytes()).unwrap(), - ); +/// In case of a mismatch: +/// * If Secure Boot is active, an error message is logged, and the SECURITY_VIOLATION error is returned to stop the boot. +/// * If Secure Boot is not active, only a warning is logged, and the boot process is allowed to continue. +fn check_hash(data: &[u8], expected_hash: Hash, name: &str, secure_boot: bool) -> uefi::Result<()> { + let hash_correct = Sha256::digest(data) == expected_hash; + if !hash_correct { + if secure_boot { + error!("{name} hash does not match!"); + return Err(Status::SECURITY_VIOLATION.into()); + } else { + warn!("{name} hash does not match! Continuing anyway."); + } } - - let mut initrd_loader = InitrdLoader::new(system_table.boot_services(), handle, initrd_data)?; - - let status = system_table - .boot_services() - .start_image(kernel_handle) - .status(); - - initrd_loader.uninstall(system_table.boot_services())?; - status.to_result() + Ok(()) } -pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> Status { +pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> uefi::Result<()> { uefi_services::init(&mut system_table).unwrap(); // SAFETY: We get a slice that represents our currently running @@ -121,6 +91,40 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> Status .expect("Failed to extract configuration from binary. Did you run lzbt?") }; + // The firmware initialized SecureBoot to 1 if performing signature checks, and 0 if it doesn't. + // Applications are not supposed to modify this variable (in particular, don't change the value from 1 to 0). + let secure_boot_enabled = system_table + .runtime_services() + .get_variable( + cstr16!("SecureBoot"), + &VariableVendor(guid!("8be4df61-93ca-11d2-aa0d-00e098032b8c")), + &mut [1], + ) + .and_then(|(value, _)| match value { + [0] => Ok(false), + [1] => Ok(true), + [v] => { + warn!( + "Unexpected value of SecureBoot variable: {v}. Performing verification anyway." + ); + Ok(true) + } + _ => Err(Status::BAD_BUFFER_SIZE.into()), + }) + .unwrap_or_else(|err| { + if err.status() == Status::NOT_FOUND { + warn!("SecureBoot variable not found. Assuming Secure Boot is not supported."); + false + } else { + warn!("Failed to read SecureBoot variable: {err}. Performing verification anyway."); + true + } + }); + + if !secure_boot_enabled { + warn!("Secure Boot is not active!"); + } + let kernel_data; let initrd_data; @@ -139,57 +143,24 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> Status .expect("Failed to read initrd file into memory"); } - let is_kernel_hash_correct = Sha256::digest(&kernel_data) == config.kernel_hash; - let is_initrd_hash_correct = Sha256::digest(&initrd_data) == config.initrd_hash; + check_hash( + &kernel_data, + config.kernel_hash, + "Kernel", + secure_boot_enabled, + )?; + check_hash( + &initrd_data, + config.initrd_hash, + "Initrd", + secure_boot_enabled, + )?; - if !is_kernel_hash_correct { - warn!("Hash mismatch for kernel!"); - } - - if !is_initrd_hash_correct { - warn!("Hash mismatch for initrd!"); - } - - if is_kernel_hash_correct && is_initrd_hash_correct { - boot_linux_unchecked( - handle, - system_table, - kernel_data, - &config.cmdline, - initrd_data, - ) - .status() - } else { - // There is no good way to detect whether Secure Boot is - // enabled. This is unfortunate, because we want to give the - // user a way to recover from hash mismatches when Secure Boot - // is off. - // - // So in case we get a hash mismatch, we will try to load the - // Linux image using LoadImage. What happens then depends on - // whether Secure Boot is enabled: - // - // **With Secure Boot**, the firmware will reject loading the - // image with status::SECURITY_VIOLATION. - // - // **Without Secure Boot**, the firmware will just load the - // Linux kernel. - // - // This is the behavior we want. A slight turd is that we - // increase the attack surface here by exposing the unverfied - // Linux image to the UEFI firmware. But in case the PE loader - // of the firmware is broken, we have little hope of security - // anyway. - - warn!("Trying to continue as non-Secure Boot. This will fail when Secure Boot is enabled."); - - boot_linux_uefi( - handle, - system_table, - kernel_data, - &config.cmdline, - initrd_data, - ) - .status() - } + boot_linux_unchecked( + handle, + system_table, + kernel_data, + &config.cmdline, + initrd_data, + ) }