Feature request: image authentication test (Bugzilla Bug 2230)

[tianocore-issues]

This issue was created automatically with bugzilla2github

Bugzilla Bug 2230

Date: 2019-10-01T01:08:39+00:00
From: takahiro.akashi
To: Stuart Yoder <<stuart.yoder>>
CC: edhaya.chandran, eric.jin, gaojie, ilias.apalodimas, samer.el-haj-mahmoud, stuart.yoder, supreeth.venkatesh, takahiro.akashi, xypron.glpk

Last updated: 2022-09-01T10:12:46+00:00

[tianocore-issues]

Comment 9898

Date: 2019-10-01 01:08:39 +0000
From: takahiro.akashi

• Industry Specification: ---
• Release Observed: edk2-stable202105
• Releases to Fix: edk2-stable202105
• Target OS: ---
• Bugzilla Assignee(s): Stuart Yoder <<stuart.yoder>>

In UEFI SCT, there exist no test cases for image authentication.
So it will be difficult to determine the implementation of
image authentication be fully compliant with UEFI specification
and, more importantly, to detect any regressions in secure boot.
I would like to request adding test cases for this feature.

[tianocore-issues]

Comment 10015

Date: 2019-10-14 19:57:33 +0000
From: supreeth.venkatesh

Appreciate the contributions to test regressions secure boot.
would you be able to help contribute these tests?

[tianocore-issues]

Comment 10025

Date: 2019-10-15 04:18:39 +0000
From: takahiro.akashi

No, I have no plan to develop any tests for SCT right now.
Let me ask one question:
Who wrote the code and how did they test it?
Do they not have any test code?
I think that it is the best way to ask them for the contribution,
at least, as initial code base.

[tianocore-issues]

Comment 10028

Date: 2019-10-15 09:03:36 +0000
From: supreeth.venkatesh

edk2-test/uefi-sct has been open sourced with the intention of getting contributions. No worries, I will ask around in the list for contributions on secure boot specifically.

[tianocore-issues]

Comment 10145

Date: 2019-10-21 12:50:38 +0000
From: supreeth.venkatesh

Will look into it in the next version.

[tianocore-issues]

Comment 10226

Date: 2019-10-28 21:43:39 +0000
From: takahiro.akashi

Could you give me a rough estimate of time frame for "next version"?

[tianocore-issues]

Comment 10316

Date: 2019-11-04 14:05:50 +0000
From: supreeth.venkatesh

edk2-test-stable201910 was just released.
Most probably this feature request will be accommodated by next release scheduled in Jan/Feb 2020 time frame.

[tianocore-issues]

Comment 10786

Date: 2020-01-05 21:23:18 +0000
From: takahiro.akashi

Ping.
Have you had any progress on this topic?

[tianocore-issues]

Comment 11490

Date: 2020-03-03 00:50:25 +0000
From: takahiro.akashi

Ping.
Have you had any progress on this topic?
I haven't seen any activities around it in SCT
in the last five months since I first reported.

[tianocore-issues]

Comment 12502

Date: 2020-05-14 02:00:16 +0000
From: takahiro.akashi

Ping.
Have you had any progress on this topic?
Please update the current status and timeline.

[tianocore-issues]

Comment 14051

Date: 2020-10-20 14:11:31 +0000
From: Samer El-Haj-Mahmoud <<samer.el-haj-mahmoud>>

As far as I know, there are no plans or active development by the community to add such a feature. Contributions are always welcome as outlined in the TianoCore community contributions and rules.

That being said, the following pieces exist today:

1. There are SCT test cases for verifying the authenticated variables interface, including verifying that authenticated variables interface:

https://github.com/tianocore/edk2-test/blob/master/uefi-sct/SctPkg/TestCase/UEFI/EFI/RuntimeServices/VariableServices/BlackBoxTest/AuthVariableServicesBBTestFunction.c

2. There are also FWTS test cases for image authentication and full UEFI Secure Boot test form the OS (which is a more meaningful test than pre-boot before ExitBootServices is called, where SCT runs): https://git.launchpad.net/fwts/tree/src/uefi/securebootcert

3. In addition, FWTS has more authenticated variables tests that run after ExitBootServices: https://git.launchpad.net/fwts/tree/src/uefi/uefirtauthvar

With this in mind, is an SCT "image authentication" test still needed, since that seems to be already covered by FWTS

[tianocore-issues]

Comment 14054

Date: 2020-10-20 20:38:40 +0000
From: takahiro.akashi

@samer,

> 2. There are also FWTS test cases for image authentication and full UEFI Secure Boot test
> form the OS (which is a more meaningful test than pre-boot before ExitBootServices is called,
> where SCT runs): https://git.launchpad.net/fwts/tree/src/uefi/securebootcert

Please look into the code in details.
It doesn't test "image authentication", but only checks if the secure-boot related variables are
exactly what they are expected to be after secure boot.
That is, it never exercise "load_image" service by itself.

I don't care if "db" contains MS 3rd party certificate or not. That doesn't matter.
(and I guess that the test will fail on arm64.)

What I expect to see is, for example, a kind of test against

• what happens if an image is not signed at all
• what happens if an image is signed with a key which is not contained in "db"
• what happens if an image is signed, but with a key which is not contained in "db"
• what happens if an image is signed with a key which is contained in "db," but
  its hash value is in "dbx"
• what happens if intermediate certificates are also required in the verification
• and so on.

Those are quite basic behaviors of "load_image" service, and clearly defined
in UEFI specification. They must be verified by any kind of "CERTIFICATION" test suite.

> With this in mind, is an SCT "image authentication" test still needed, since that seems to be
> already covered by FWTS

Definitely yes.
FWTS doesn't meet my expectation at all.

[tianocore-issues]

Comment 17456

Date: 2021-10-07 10:48:21 +0000
From: Edhay <<edhaya.chandran>>

This will be covered as part of SecureBoot UEFI-SCT test.
Assigning to Stuart as the handler.

[tianocore-issues]

Comment 17731

Date: 2021-11-11 09:45:03 +0000
From: Edhay <<edhaya.chandran>>

The tests are ready as part of Arm SystemReady ACS suite.
They need to be consolidated and upstreamed.
Stuart and Edhay to work on the same.

[tianocore-issues]

Comment 19338

Date: 2022-07-27 17:00:59 +0000
From: Stuart Yoder <<stuart.yoder>>

This is the proposed specification for the Secure Boot tests:

https://github.com/stuyod01/edk2-test/blob/secure-boot/uefi-sct/Doc/UEFI-SCT-Case-Spec/SCT_Secure_Boot.md

[tianocore-issues]

Comment 19457

Date: 2022-09-01 10:11:54 +0000
From: Edhay <<edhaya.chandran>>

1. Post the docs to link tianocore

2. Can we add it in the GitHub along with code.

Edhay to confirm with Samer and provide to Stuart

[tianocore-issues]

Comment 19458

Date: 2022-09-01 10:12:46 +0000
From: Edhay <<edhaya.chandran>>

1. Post the docs to link tianocore

2. Can we add it in the GitHub along with code.

Edhay to confirm with Samer and provide to Stuart