Merge branch 'efi-resurrect-deleted-test-key' into efi-use-grub-prefi…

…x-for-detection
canonical · Nov 28, 2023 · 70d9ab5 · 70d9ab5
2 parents 0101bc9 + 16419c7
commit 70d9ab5
Show file tree

Hide file tree

Showing 12 changed files with 82 additions and 41 deletions.
diff --git a/efi/pe_test.go b/efi/pe_test.go
@@ -193,8 +193,8 @@ func (s *peSuite) TestPeImageHandleSecureBootSignaturesUnsigned(c *C) {
 
 func (s *peSuite) TestPeImageHandleSecureBootSignaturesDualSigned(c *C) {
 	s.testPeImageHandleSecureBootSignatures(c,
-		"testdata/amd64/mockshim.efi.signed.2.1.1+1.1.1",
+		"testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1",
 		[][]byte{
-			testutil.DecodeHexString(c, "f1260899324e0ba7d98058decd55df34faf9884b5429288e0e67bbb2917e4609"),
+			testutil.DecodeHexString(c, "713af30678aba44b6c437cfc4fec26d386d3e2fea75b055df010d4af7b11b484"),
 			testutil.DecodeHexString(c, "4c503fa92a4d6ab180962c29aa8324cc873e8f74b259fb28347443ac8fef6af8")})
 }
diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.shim.1 b/efi/testdata/amd64/mockgrub1.efi.signed.shim.1
diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.1.1
diff --git a/...ata/amd64/mockshim.efi.signed.2.1.1+1.1.1 → ...ata/amd64/mockshim.efi.signed.1.2.1+1.1.1 b/...ata/amd64/mockshim.efi.signed.2.1.1+1.1.1 → ...ata/amd64/mockshim.efi.signed.1.2.1+1.1.1
diff --git a/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1
diff --git a/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1
diff --git a/efi/testdata/buildenv.yaml b/efi/testdata/buildenv.yaml
@@ -1,7 +1,7 @@
 go-arch: amd64
-go-version: go1.20.3
+go-version: go1.18.10
 kernel-version: |
-  Linux version 6.2.0-20-generic (buildd@lcy02-amd64-035) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-17ubuntu1) 12.2.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023
+  Linux version 6.2.0-37-generic (buildd@bos03-amd64-010) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~23.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #38-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 30 21:04:52 UTC 2023
 os-release:
   BUG_REPORT_URL: '"https://bugs.launchpad.net/ubuntu/"'
   HOME_URL: '"https://www.ubuntu.com/"'
@@ -20,58 +20,58 @@ packages:
   base-files: 12.3ubuntu2
   base-passwd: 3.6.1
   bash: 5.2.15-2ubuntu1
-  binutils: 2.40-2ubuntu4
-  binutils-common: 2.40-2ubuntu4
-  binutils-x86-64-linux-gnu: 2.40-2ubuntu4
+  binutils: 2.40-2ubuntu4.1
+  binutils-common: 2.40-2ubuntu4.1
+  binutils-x86-64-linux-gnu: 2.40-2ubuntu4.1
   bsdutils: 1:2.38.1-4ubuntu1
   coreutils: 9.1-1ubuntu2
   cpp: 4:12.2.0-3ubuntu1
-  cpp-12: 12.2.0-17ubuntu1
+  cpp-12: 12.3.0-1ubuntu1~23.04
   dash: 0.5.12-2ubuntu1
   debconf: 1.5.82
   debianutils: 5.7-0.4
   diffutils: 1:3.8-4
   dpkg: 1.21.21ubuntu1
   findutils: 4.9.0-3ubuntu1
   gcc: 4:12.2.0-3ubuntu1
-  gcc-12: 12.2.0-17ubuntu1
-  gcc-12-base: 12.2.0-17ubuntu1
-  gcc-13-base: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  gcc-12: 12.3.0-1ubuntu1~23.04
+  gcc-12-base: 12.3.0-1ubuntu1~23.04
+  gcc-13-base: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   grep: 3.8-5
   gzip: 1.12-1ubuntu1
   hostname: 3.23+nmu1ubuntu1
   init-system-helpers: 1.65.2
   install-info: 6.8-6build2
   libacl1: 2.3.1-3
-  libasan8: 13-20230320-1ubuntu1
-  libatomic1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libasan8: 13.1.0-2ubuntu2~23.04
+  libatomic1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libattr1: 1:2.5.1-4
   libaudit-common: 1:3.0.9-1
   libaudit1: 1:3.0.9-1
-  libbinutils: 2.40-2ubuntu4
+  libbinutils: 2.40-2ubuntu4.1
   libblkid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libbz2-1.0: 1.0.8-5build1
-  libc-bin: 2.37-0ubuntu2
-  libc6: 2.37-0ubuntu22.37-0ubuntu2
+  libc-bin: 2.37-0ubuntu2.1
+  libc6: 2.37-0ubuntu2.12.37-0ubuntu2.1
   libcap-ng0: 0.8.3-1build2
-  libcap2: 1:2.66-3ubuntu21:2.66-3ubuntu2
-  libcc1-0: 13-20230320-1ubuntu1
+  libcap2: 1:2.66-3ubuntu2.11:2.66-3ubuntu2.1
+  libcc1-0: 13.1.0-2ubuntu2~23.04
   libcrypt1: 1:4.4.33-21:4.4.33-2
-  libctf-nobfd0: 2.40-2ubuntu4
-  libctf0: 2.40-2ubuntu4
+  libctf-nobfd0: 2.40-2ubuntu4.1
+  libctf0: 2.40-2ubuntu4.1
   libdb5.3: 5.3.28+dfsg2-15.3.28+dfsg2-1
   libdebconfclient0: 0.267ubuntu1
-  libgcc-12-dev: 12.2.0-17ubuntu1
-  libgcc-s1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgcc-12-dev: 12.3.0-1ubuntu1~23.04
+  libgcc-s1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgcrypt20: 1.10.1-3ubuntu11.10.1-3ubuntu1
   libgmp10: 2:6.2.1+dfsg1-1.1ubuntu1
-  libgomp1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgomp1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgpg-error0: 1.46-11.46-1
-  libgprofng0: 2.40-2ubuntu4
+  libgprofng0: 2.40-2ubuntu4.1
   libisl23: 0.25-1
-  libitm1: 13-20230320-1ubuntu1
+  libitm1: 13.1.0-2ubuntu2~23.04
   libjansson4: 2.14-2
-  liblsan0: 13-20230320-1ubuntu1
+  liblsan0: 13.1.0-2ubuntu2~23.04
   liblz4-1: 1.9.4-11.9.4-1
   liblzma5: 5.4.1-0.25.4.1-0.2
   libmd0: 1.0.4-21.0.4-2
@@ -83,27 +83,27 @@ packages:
   libpam-runtime: 1.5.2-5ubuntu1
   libpam0g: 1.5.2-5ubuntu1
   libpcre2-8-0: 10.42-110.42-1
-  libquadmath0: 13-20230320-1ubuntu1
+  libquadmath0: 13.1.0-2ubuntu2~23.04
   libselinux1: 3.4-1build43.4-1build4
   libsmartcols1: 2.38.1-4ubuntu1
-  libssl3: 3.0.8-1ubuntu1.13.0.8-1ubuntu1.1
-  libstdc++6: 13-20230320-1ubuntu113-20230320-1ubuntu1
-  libsystemd0: 252.5-2ubuntu3252.5-2ubuntu3
-  libtinfo6: 6.4-26.4-2
-  libtsan2: 13-20230320-1ubuntu1
-  libubsan1: 13-20230320-1ubuntu1
-  libudev1: 252.5-2ubuntu3252.5-2ubuntu3
+  libssl3: 3.0.8-1ubuntu1.43.0.8-1ubuntu1.4
+  libstdc++6: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
+  libsystemd0: 252.5-2ubuntu3.1252.5-2ubuntu3.1
+  libtinfo6: 6.4-2ubuntu0.16.4-2ubuntu0.1
+  libtsan2: 13.1.0-2ubuntu2~23.04
+  libubsan1: 13.1.0-2ubuntu2~23.04
+  libudev1: 252.5-2ubuntu3.1252.5-2ubuntu3.1
   libuuid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libzstd1: 1.5.4+dfsg2-41.5.4+dfsg2-4
   login: 1:4.13+dfsg1-1ubuntu1
   make: 4.3-4.1build1
-  ncurses-base: 6.4-2
-  ncurses-bin: 6.4-2
-  perl-base: 5.36.0-7
+  ncurses-base: 6.4-2ubuntu0.1
+  ncurses-bin: 6.4-2ubuntu0.1
+  perl-base: 5.36.0-7ubuntu0.23.04.2
   sbsigntool: 0.9.4-3.1ubuntu2
   sed: 4.9-1
   sysvinit-utils: 3.06-2ubuntu1
-  tar: 1.34+dfsg-1.2
+  tar: 1.34+dfsg-1.2ubuntu0.1
   usrmerge: 33ubuntu1
   util-linux: 2.38.1-4ubuntu1
   util-linux-extra: 2.38.1-4ubuntu1

diff --git a/efi/testdata/src/keys/TestUefiSigning1.2.1.key b/efi/testdata/src/keys/TestUefiSigning1.2.1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7ah+sXr2ZghIf7piN+puZEtO+xTKqimlYVxH1DMogUBAylI+
+ZIGj0VSY5p+ILtJwTjYerRphvy3V1Pv9uGqIEFeNK7ct4LfyZYc/tvxMTzkEZBq0
+o3bv5Wi16A1E3eSMinQ1CIG15yWObzQd0HoBeaXUs9KpugLwmZqILQM/XPhe1Ke7
+2HmHO2hPailZnoDLOwtOS+Gto8stDBWOqOzrL/QXmmwr3Yw6H6fjY+AM8uSCQkAQ
+jFgvjxtCuEeQpC5FVYS5ulffwRztRE3sKt39GUfnmiR6/sqDddfW2Dogc3txxwet
+fuSyoUG6cHMioZoTjiflQ0CAq5XtyL9E7quDgQIDAQABAoIBAQDs83gOAGk25b9T
+CkPvOB+Eg8llcR93dTpcziMXoUIbTDLNBh8LGm54wX4JQroG5O3wLOl88bbPZCW0
+yuH3QtASaxhno6VsTjqxm52dFgQHYPPN0wqTiHw7IKFtkf09tyegy6gsqRbyNXHD
+0hR/zYU3Am4GNF3hBhlZLMflCT3dtCDAVWJfga5/qqiYgeC6MnQU8XKhZCpYlU/v
+96fbNDHbXaoXbXfNMFVTPSEEuYH/odod8vs/F8VmpHuX6ZxZAgkKi2qII2Xkl6bG
+DG/HVRzJNr87hm8lnfmEZoGh93jPd3uBu/01jsF4/NIrcZQb39M2HzFATmuHIB5k
+131YgGyBAoGBAP9u8Ew22PFU9Zk8YvXSZbWn3AMt0hPm28OSlnScLgvqoyS+PqlU
+T96z+NX1S9uxaLLEmFwbp61zeiXGjT6Z5XP7gfF3J9iWxzouKKSDNwRVp5U6eiTB
+tZCC7L9ocsDvCJeUP9SsxxHS/aVcqFr+cY7YekiDcNNvrQuWrC551HrJAoGBAO4v
+di96HpdiOVpzGHK/XD6s70cIIC6Q+G/LAUbf2s1gMcvLe0xBcdFriHvyeZ5lDOmz
+t5NFer7fQ3vBLlOw6rX8sZur12f5tU4r+Jv5yFHq3IWMLGYhEpoJKe0FKXkU4gN2
+1eyLhCl6GACD8gXS1LYdK6Lg9R/HKsSasHuLdGb5AoGAQN7n4DM9vWyaQyR27X9V
+nWDYG2aTp8JFpdGgrFTNzPD2Jeq69z4WWrTSSWRWs6DGuj/7gcj0OLTPHLDkRjXH
+dEE3qx9b20HPrxLx93XrjwpB2UBUrOkVN3JItgPMwPrz76sS2uxWUkyHZmu1xgZA
+yMppo+jdypTeGcdWSyddsyECgYA5UF5mCkK2NsKKS0vEwNtXkZF6TDBCREwjynui
+LFegN9eDrJEcxlq3A+MxwCUXwkUbL02rOHrS1zKL4u5c4SN5azbpuK36rRG9n8MQ
+9UgIvjUWRaahZK/vNOlLyYQzSJ0iLERJyUCiImkIJrfkQtlAgUBwzyTs4qYd7QMu
+l14JMQKBgQCJkEkQu3TFeBHY8BB5uieTiEb6sLtCi9IWrXIcKQ1M5ymDzZlk8jeM
+dhKv2KPIV1W6Hb5yTEzD/exJtRuwe13Jke/nshM9qht8lO8YVS6ozNfM7UIqc89J
+RoTLxQsOSg7Y/m1S987Ax0dVrJwi9GIOAx2z08rtstFiY7QASbFlfA==
+-----END RSA PRIVATE KEY-----
diff --git a/tools/make-efi-testdata/apps.go b/tools/make-efi-testdata/apps.go
@@ -94,9 +94,9 @@ func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []moc
 				"SBAT_VAR_LATEST=sbat,1,2022111500\\\\nshim,2\\\\ngrub,3\\\\n",
 				"WITH_SBAT=1",
 				"WITH_SBATLEVEL=1"},
-			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning2.1.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
-			signCerts: [][]byte{certs["TestUefiSigning2.1.1"], certs["TestUefiSigning1.1.1"]},
-			filename:  "mockshim.efi.signed.2.1.1+1.1.1",
+			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
+			signCerts: [][]byte{certs["TestUefiSigning1.2.1"], certs["TestUefiSigning1.1.1"]},
+			filename:  "mockshim.efi.signed.1.2.1+1.1.1",
 		},
 		{
 			path: filepath.Join(srcDir, "shim"),

diff --git a/tools/make-efi-testdata/certs.go b/tools/make-efi-testdata/certs.go
@@ -100,6 +100,20 @@ var certDatas = []certData{
 			CommonName:   "Test UEFI CA 2",
 		},
 	},
+	{
+		name:         "TestUefiSigning1.2.1",
+		issuer:       "TestUefiCA1.2",
+		extKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		keyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment,
+		serialNumber: big.NewInt(1),
+		subject: pkix.Name{
+			Country:      []string{"GB"},
+			Organization: []string{"Fake Corporation"},
+			Locality:     []string{"London"},
+			Province:     []string{"England"},
+			CommonName:   "Test UEFI Secure Boot Signing 1",
+		},
+	},
 	{
 		name:         "TestShimVendorCA",
 		isCA:         true,