From: David Cross
Date: Thu, 10 Oct 2019 14:29:37 -0400
Subject: Re: uefisign and loader
To: Warner Losh
Cc: FreeBSD Hackers
List-Id: Technical Discussions relating to FreeBSD

Ok, it appears uefisign is just outright broken; after not being able to boot even boot1 signed, I brought the signed image over to Windows and used signtool verify and got the error message:

"SignTool Error: WinVerifyTrust returned error: 0x80096010 The digital signature of the object did not verify."

This is a different error than I get from SignTool for boot1.efi from an untrusted cert (signed via SignTool), which reports:

"..A certificate chain processed, but terminated in a root certificate which is not trusted..."

Anyone actually use uefisign successfully?

On Mon, Oct 7, 2019 at 9:29 AM David Cross wrote:
>
> On Mon, Oct 7, 2019 at 1:02 AM Warner Losh wrote:
>>
>> On Sun, Oct 6, 2019, 10:58 PM David Cross wrote:
>>>
>>> I've been working on getting secureboot working under FreeBSD (I today
>>> just finished off a REALLY rough tool that lets one tweak uefi authenticated
>>> variables under FreeBSD, with an eye to try to get a patch to put this
>>> into efivar). After setting the PK, the KEK, and the db, I was super excited
>>> to finally secure-boot my machine, and discovered that I could not uefisign
>>> loader. Attempting to sign loader returns a cryptic: "section points
>>> inside the headers" and then hangs in pipe-read (via siginfo). (This is
>>> under 12.0 FWIW.)
>>>
>>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so
>>> it's not really useful for me.
>>>
>>> Suggestions?
>>>
>>
>> Use loader.efi directly instead?
>>
>
> I currently do use loader.efi directly, however not being able to sign
> loader.efi directly complicates things a bit (using hash based signature
> lists for the 'db' variable); and it seems we *should* be able to sign
> loader. From some other posts on the internet it seems that at some point
> we could.
>
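A diagnostic for the "section points inside the headers" condition discussed in the thread, added here as an example; it is not code from the thread or from uefisign. It parses a PE section table and flags any section whose raw data begins before SizeOfHeaders, a layout the Authenticode hash (headers first, then each section) would cover twice; the assumption is that this is the layout uefisign rejects, and the sample image is constructed.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def find_sections_inside_headers(image: bytes) -> list[str]:
    """Return names of sections whose raw data starts inside the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", image, 60)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    # SizeOfHeaders sits at offset 60 of the optional header in PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", image, opt_off + 60)[0]
    table_off = opt_off + opt_size
    # The header region must at least reach the end of the section table itself.
    headers_end = max(size_of_headers, table_off + nsect * 40)
    bad = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table_off + i * 40)
        if raw_size == 0:          # uninitialised data (.bss-style) has no file bytes
            continue
        if raw_ptr < headers_end:  # raw data overlaps the hashed header region
            bad.append(name.rstrip(b"\0").decode())
    return bad


def build_sample_pe(section_raw_ptr: int) -> bytes:
    """Constructed minimal PE32+ image; only fields the check reads are set."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)                    # SizeOfHeaders
    sect = struct.pack(SECTION_HDR, b".text\0\0\0", 0x100, 0x1000, 0x100,
                       section_raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x300, b"\0")


if __name__ == "__main__":
    print("well-formed:", find_sections_inside_headers(build_sample_pe(0x200)))
    print("overlapping:", find_sections_inside_headers(build_sample_pe(0x180)))
```

Running it over the real loader.efi bytes shows whether the image layout, rather than the certificate or signing step, is what the tool is objecting to.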