Merge pull request #278 from chrisccoulson/efi-resurrect-deleted-test…

…-key efi: resurrect a deleted test key. #274 deleted a test key that was used by the mock dual signed shim. Rather than resurrecting the entire certificate chain, this brings back one deleted leaf key and then uses this to create one of the signatures on the mock dual signed binary.
canonical · Nov 28, 2023 · 2f23630 · 2f23630
2 parents 3db8128 + 16419c7
commit 2f23630
Show file tree

Hide file tree

Showing 12 changed files with 82 additions and 41 deletions.
diff --git a/efi/pe_test.go b/efi/pe_test.go
@@ -193,8 +193,8 @@ func (s *peSuite) TestPeImageHandleSecureBootSignaturesUnsigned(c *C) {
 
 func (s *peSuite) TestPeImageHandleSecureBootSignaturesDualSigned(c *C) {
 	s.testPeImageHandleSecureBootSignatures(c,
-		"testdata/amd64/mockshim.efi.signed.2.1.1+1.1.1",
+		"testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1",
 		[][]byte{
-			testutil.DecodeHexString(c, "f1260899324e0ba7d98058decd55df34faf9884b5429288e0e67bbb2917e4609"),
+			testutil.DecodeHexString(c, "713af30678aba44b6c437cfc4fec26d386d3e2fea75b055df010d4af7b11b484"),
 			testutil.DecodeHexString(c, "4c503fa92a4d6ab180962c29aa8324cc873e8f74b259fb28347443ac8fef6af8")})
 }
diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.shim.1 b/efi/testdata/amd64/mockgrub1.efi.signed.shim.1
diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.1.1
diff --git a/...ata/amd64/mockshim.efi.signed.2.1.1+1.1.1 → ...ata/amd64/mockshim.efi.signed.1.2.1+1.1.1 b/...ata/amd64/mockshim.efi.signed.2.1.1+1.1.1 → ...ata/amd64/mockshim.efi.signed.1.2.1+1.1.1
diff --git a/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1
diff --git a/efi/testdata/buildenv.yaml b/efi/testdata/buildenv.yaml
@@ -1,7 +1,7 @@
 go-arch: amd64
-go-version: go1.20.3
+go-version: go1.18.10
 kernel-version: |
-  Linux version 6.2.0-20-generic (buildd@lcy02-amd64-035) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-17ubuntu1) 12.2.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023
+  Linux version 6.2.0-37-generic (buildd@bos03-amd64-010) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~23.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #38-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 30 21:04:52 UTC 2023
 os-release:
   BUG_REPORT_URL: '"https://bugs.launchpad.net/ubuntu/"'
   HOME_URL: '"https://www.ubuntu.com/"'
@@ -20,58 +20,58 @@ packages:
   base-files: 12.3ubuntu2
   base-passwd: 3.6.1
   bash: 5.2.15-2ubuntu1
-  binutils: 2.40-2ubuntu4
-  binutils-common: 2.40-2ubuntu4
-  binutils-x86-64-linux-gnu: 2.40-2ubuntu4
+  binutils: 2.40-2ubuntu4.1
+  binutils-common: 2.40-2ubuntu4.1
+  binutils-x86-64-linux-gnu: 2.40-2ubuntu4.1
   bsdutils: 1:2.38.1-4ubuntu1
   coreutils: 9.1-1ubuntu2
   cpp: 4:12.2.0-3ubuntu1
-  cpp-12: 12.2.0-17ubuntu1
+  cpp-12: 12.3.0-1ubuntu1~23.04
   dash: 0.5.12-2ubuntu1
   debconf: 1.5.82
   debianutils: 5.7-0.4
   diffutils: 1:3.8-4
   dpkg: 1.21.21ubuntu1
   findutils: 4.9.0-3ubuntu1
   gcc: 4:12.2.0-3ubuntu1
-  gcc-12: 12.2.0-17ubuntu1
-  gcc-12-base: 12.2.0-17ubuntu1
-  gcc-13-base: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  gcc-12: 12.3.0-1ubuntu1~23.04
+  gcc-12-base: 12.3.0-1ubuntu1~23.04
+  gcc-13-base: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   grep: 3.8-5
   gzip: 1.12-1ubuntu1
   hostname: 3.23+nmu1ubuntu1
   init-system-helpers: 1.65.2
   install-info: 6.8-6build2
   libacl1: 2.3.1-3
-  libasan8: 13-20230320-1ubuntu1
-  libatomic1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libasan8: 13.1.0-2ubuntu2~23.04
+  libatomic1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libattr1: 1:2.5.1-4
   libaudit-common: 1:3.0.9-1
   libaudit1: 1:3.0.9-1
-  libbinutils: 2.40-2ubuntu4
+  libbinutils: 2.40-2ubuntu4.1
   libblkid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libbz2-1.0: 1.0.8-5build1
-  libc-bin: 2.37-0ubuntu2
-  libc6: 2.37-0ubuntu22.37-0ubuntu2
+  libc-bin: 2.37-0ubuntu2.1
+  libc6: 2.37-0ubuntu2.12.37-0ubuntu2.1
   libcap-ng0: 0.8.3-1build2
-  libcap2: 1:2.66-3ubuntu21:2.66-3ubuntu2
-  libcc1-0: 13-20230320-1ubuntu1
+  libcap2: 1:2.66-3ubuntu2.11:2.66-3ubuntu2.1
+  libcc1-0: 13.1.0-2ubuntu2~23.04
   libcrypt1: 1:4.4.33-21:4.4.33-2
-  libctf-nobfd0: 2.40-2ubuntu4
-  libctf0: 2.40-2ubuntu4
+  libctf-nobfd0: 2.40-2ubuntu4.1
+  libctf0: 2.40-2ubuntu4.1
   libdb5.3: 5.3.28+dfsg2-15.3.28+dfsg2-1
   libdebconfclient0: 0.267ubuntu1
-  libgcc-12-dev: 12.2.0-17ubuntu1
-  libgcc-s1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgcc-12-dev: 12.3.0-1ubuntu1~23.04
+  libgcc-s1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgcrypt20: 1.10.1-3ubuntu11.10.1-3ubuntu1
   libgmp10: 2:6.2.1+dfsg1-1.1ubuntu1
-  libgomp1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgomp1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgpg-error0: 1.46-11.46-1
-  libgprofng0: 2.40-2ubuntu4
+  libgprofng0: 2.40-2ubuntu4.1
   libisl23: 0.25-1
-  libitm1: 13-20230320-1ubuntu1
+  libitm1: 13.1.0-2ubuntu2~23.04
   libjansson4: 2.14-2
-  liblsan0: 13-20230320-1ubuntu1
+  liblsan0: 13.1.0-2ubuntu2~23.04
   liblz4-1: 1.9.4-11.9.4-1
   liblzma5: 5.4.1-0.25.4.1-0.2
   libmd0: 1.0.4-21.0.4-2
@@ -83,27 +83,27 @@ packages:
   libpam-runtime: 1.5.2-5ubuntu1
   libpam0g: 1.5.2-5ubuntu1
   libpcre2-8-0: 10.42-110.42-1
-  libquadmath0: 13-20230320-1ubuntu1
+  libquadmath0: 13.1.0-2ubuntu2~23.04
   libselinux1: 3.4-1build43.4-1build4
   libsmartcols1: 2.38.1-4ubuntu1
-  libssl3: 3.0.8-1ubuntu1.13.0.8-1ubuntu1.1
-  libstdc++6: 13-20230320-1ubuntu113-20230320-1ubuntu1
-  libsystemd0: 252.5-2ubuntu3252.5-2ubuntu3
-  libtinfo6: 6.4-26.4-2
-  libtsan2: 13-20230320-1ubuntu1
-  libubsan1: 13-20230320-1ubuntu1
-  libudev1: 252.5-2ubuntu3252.5-2ubuntu3
+  libssl3: 3.0.8-1ubuntu1.43.0.8-1ubuntu1.4
+  libstdc++6: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
+  libsystemd0: 252.5-2ubuntu3.1252.5-2ubuntu3.1
+  libtinfo6: 6.4-2ubuntu0.16.4-2ubuntu0.1
+  libtsan2: 13.1.0-2ubuntu2~23.04
+  libubsan1: 13.1.0-2ubuntu2~23.04
+  libudev1: 252.5-2ubuntu3.1252.5-2ubuntu3.1
   libuuid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libzstd1: 1.5.4+dfsg2-41.5.4+dfsg2-4
   login: 1:4.13+dfsg1-1ubuntu1
   make: 4.3-4.1build1
-  ncurses-base: 6.4-2
-  ncurses-bin: 6.4-2
-  perl-base: 5.36.0-7
+  ncurses-base: 6.4-2ubuntu0.1
+  ncurses-bin: 6.4-2ubuntu0.1
+  perl-base: 5.36.0-7ubuntu0.23.04.2
   sbsigntool: 0.9.4-3.1ubuntu2
   sed: 4.9-1
   sysvinit-utils: 3.06-2ubuntu1
-  tar: 1.34+dfsg-1.2
+  tar: 1.34+dfsg-1.2ubuntu0.1
   usrmerge: 33ubuntu1
   util-linux: 2.38.1-4ubuntu1
   util-linux-extra: 2.38.1-4ubuntu1

diff --git a/efi/testdata/src/keys/TestUefiSigning1.2.1.key b/efi/testdata/src/keys/TestUefiSigning1.2.1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7ah+sXr2ZghIf7piN+puZEtO+xTKqimlYVxH1DMogUBAylI+
+ZIGj0VSY5p+ILtJwTjYerRphvy3V1Pv9uGqIEFeNK7ct4LfyZYc/tvxMTzkEZBq0
+o3bv5Wi16A1E3eSMinQ1CIG15yWObzQd0HoBeaXUs9KpugLwmZqILQM/XPhe1Ke7
+2HmHO2hPailZnoDLOwtOS+Gto8stDBWOqOzrL/QXmmwr3Yw6H6fjY+AM8uSCQkAQ
+jFgvjxtCuEeQpC5FVYS5ulffwRztRE3sKt39GUfnmiR6/sqDddfW2Dogc3txxwet
+fuSyoUG6cHMioZoTjiflQ0CAq5XtyL9E7quDgQIDAQABAoIBAQDs83gOAGk25b9T
+CkPvOB+Eg8llcR93dTpcziMXoUIbTDLNBh8LGm54wX4JQroG5O3wLOl88bbPZCW0
+yuH3QtASaxhno6VsTjqxm52dFgQHYPPN0wqTiHw7IKFtkf09tyegy6gsqRbyNXHD
+0hR/zYU3Am4GNF3hBhlZLMflCT3dtCDAVWJfga5/qqiYgeC6MnQU8XKhZCpYlU/v
+96fbNDHbXaoXbXfNMFVTPSEEuYH/odod8vs/F8VmpHuX6ZxZAgkKi2qII2Xkl6bG
+DG/HVRzJNr87hm8lnfmEZoGh93jPd3uBu/01jsF4/NIrcZQb39M2HzFATmuHIB5k
+131YgGyBAoGBAP9u8Ew22PFU9Zk8YvXSZbWn3AMt0hPm28OSlnScLgvqoyS+PqlU
+T96z+NX1S9uxaLLEmFwbp61zeiXGjT6Z5XP7gfF3J9iWxzouKKSDNwRVp5U6eiTB
+tZCC7L9ocsDvCJeUP9SsxxHS/aVcqFr+cY7YekiDcNNvrQuWrC551HrJAoGBAO4v
+di96HpdiOVpzGHK/XD6s70cIIC6Q+G/LAUbf2s1gMcvLe0xBcdFriHvyeZ5lDOmz
+t5NFer7fQ3vBLlOw6rX8sZur12f5tU4r+Jv5yFHq3IWMLGYhEpoJKe0FKXkU4gN2
+1eyLhCl6GACD8gXS1LYdK6Lg9R/HKsSasHuLdGb5AoGAQN7n4DM9vWyaQyR27X9V
+nWDYG2aTp8JFpdGgrFTNzPD2Jeq69z4WWrTSSWRWs6DGuj/7gcj0OLTPHLDkRjXH
+dEE3qx9b20HPrxLx93XrjwpB2UBUrOkVN3JItgPMwPrz76sS2uxWUkyHZmu1xgZA
+yMppo+jdypTeGcdWSyddsyECgYA5UF5mCkK2NsKKS0vEwNtXkZF6TDBCREwjynui
+LFegN9eDrJEcxlq3A+MxwCUXwkUbL02rOHrS1zKL4u5c4SN5azbpuK36rRG9n8MQ
+9UgIvjUWRaahZK/vNOlLyYQzSJ0iLERJyUCiImkIJrfkQtlAgUBwzyTs4qYd7QMu
+l14JMQKBgQCJkEkQu3TFeBHY8BB5uieTiEb6sLtCi9IWrXIcKQ1M5ymDzZlk8jeM
+dhKv2KPIV1W6Hb5yTEzD/exJtRuwe13Jke/nshM9qht8lO8YVS6ozNfM7UIqc89J
+RoTLxQsOSg7Y/m1S987Ax0dVrJwi9GIOAx2z08rtstFiY7QASbFlfA==
+-----END RSA PRIVATE KEY-----
diff --git a/tools/make-efi-testdata/apps.go b/tools/make-efi-testdata/apps.go
@@ -94,9 +94,9 @@ func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []moc
 				"SBAT_VAR_LATEST=sbat,1,2022111500\\\\nshim,2\\\\ngrub,3\\\\n",
 				"WITH_SBAT=1",
 				"WITH_SBATLEVEL=1"},
-			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning2.1.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
-			signCerts: [][]byte{certs["TestUefiSigning2.1.1"], certs["TestUefiSigning1.1.1"]},
-			filename:  "mockshim.efi.signed.2.1.1+1.1.1",
+			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
+			signCerts: [][]byte{certs["TestUefiSigning1.2.1"], certs["TestUefiSigning1.1.1"]},
+			filename:  "mockshim.efi.signed.1.2.1+1.1.1",
 		},
 		{
 			path: filepath.Join(srcDir, "shim"),

diff --git a/tools/make-efi-testdata/certs.go b/tools/make-efi-testdata/certs.go
@@ -100,6 +100,20 @@ var certDatas = []certData{
 			CommonName:   "Test UEFI CA 2",
 		},
 	},
+	{
+		name:         "TestUefiSigning1.2.1",
+		issuer:       "TestUefiCA1.2",
+		extKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		keyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment,
+		serialNumber: big.NewInt(1),
+		subject: pkix.Name{
+			Country:      []string{"GB"},
+			Organization: []string{"Fake Corporation"},
+			Locality:     []string{"London"},
+			Province:     []string{"England"},
+			CommonName:   "Test UEFI Secure Boot Signing 1",
+		},
+	},
 	{
 		name:         "TestShimVendorCA",
 		isCA:         true,