[efi] Accept and trust CA certificates in the TlsCaCertificates variable

UEFI's built-in HTTPS boot mechanism requires the trusted CA
certificates to be provided via the TlsCaCertificates variable.
(There is no equivalent of the iPXE cross-signing mechanism, so it is
not possible for UEFI to automatically use public CA certificates.)

Users who have configured UEFI HTTPS boot to use a custom root of
trust (e.g. a private CA certificate) may find it useful to have iPXE
automatically pick up and use this same root of trust, so that iPXE
can seamlessly fetch files via HTTPS from the same servers that were
trusted by UEFI HTTPS boot, in addition to servers that iPXE can
validate through other means such as cross-signed certificates.

Parse the TlsCaCertificates variable at startup, add any certificates
to the certificate store, and mark these certificates as trusted.

There are no access restrictions on modifying the TlsCaCertificates
variable: anybody with access to write UEFI variables is permitted to
change the root of trust.  The UEFI security model assumes that anyone
with access to run code prior to ExitBootServices() or with access to
modify UEFI variables from within a loaded operating system is
supposed to be able to change the system's root of trust for TLS.

Any certificates parsed from TlsCaCertificates will show up in the
output of "certstat", and may be discarded using "certfree" if
unwanted.

Support for parsing TlsCaCertificates is enabled by default in EFI
builds, but may be disabled in config/general.h if needed.

As with the ${trust} setting, the contents of the TlsCaCertificates
variable will be ignored if iPXE has been compiled with an explicit
root of trust by specifying TRUST=... on the build command line.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/config/config_certs.c b/src/config/config_certs.c
new file mode 100644 (file)
index 0000000..a325d13
--- /dev/null
+++ b/src/config/config_certs.c
@@ -0,0 +1,36 @@
+/*
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <config/general.h>
+
+/** @file
+ *
+ * Certificate source configuration
+ *
+ */
+
+PROVIDE_REQUIRING_SYMBOL();
+
+#ifdef CERTS_EFI
+REQUIRE_OBJECT ( efi_cacert );
+#endif

diff --git a/src/config/defaults/efi.h b/src/config/defaults/efi.h
index d9814eab51afdb63138292a31c6b70d5cd2c7c42..a0e52e7a7a0da0221da354b03c04c1f3af68ea74 100644 (file)
--- a/src/config/defaults/efi.h
+++ b/src/config/defaults/efi.h
@@ -53,6 +53,8 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 
 #define EFI_SETTINGS           /* EFI variable settings */
 
+#define CERTS_EFI              /* EFI certificate sources */
+
 #if defined ( __i386__ ) || defined ( __x86_64__ )
 #define IOAPI_X86
 #define ENTROPY_RDRAND

diff --git a/src/config/general.h b/src/config/general.h
index c40e4fdaeb6beb94bbb83f45b7d69a8c98e221b8..7ac77bfe6c31db60d5152b4aef2227fb825cd41b 100644 (file)
--- a/src/config/general.h
+++ b/src/config/general.h
@@ -174,6 +174,12 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define SHIM_CMD               /* EFI shim command (or dummy command) */
 //#define USB_CMD              /* USB commands */
 
+/*
+ * Certificate sources
+ *
+ */
+//#undef CERTS_EFI             /* EFI certificate sources */
+
 /*
  * ROM-specific options
  *

diff --git a/src/crypto/certstore.c b/src/crypto/certstore.c
index 31797c4cd200967883c744035f1edce764bc7aab..86f67a0af817210f6bc7071d509ded4f34cba520 100644 (file)
--- a/src/crypto/certstore.c
+++ b/src/crypto/certstore.c
@@ -266,3 +266,9 @@ static int certstore_apply_settings ( void ) {
 struct settings_applicator certstore_applicator __settings_applicator = {
        .apply = certstore_apply_settings,
 };
+
+/* Drag in objects via certificate store */
+REQUIRING_SYMBOL ( certstore );
+
+/* Drag in alternative certificate sources */
+REQUIRE_OBJECT ( config_certs );

diff --git a/src/crypto/rootcert.c b/src/crypto/rootcert.c
index 0835ff071ac15eb746e4fe6bea17e6d5703a40f4..e2b817c57847b7e391114cb9b8e29aaad86a9761 100644 (file)
--- a/src/crypto/rootcert.c
+++ b/src/crypto/rootcert.c
@@ -58,6 +58,9 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
        0xed, 0x1a,
 #endif
 
+/** Flag indicating if root of trust may be overridden at runtime */
+const int allow_trust_override = ALLOW_TRUST_OVERRIDE;
+
 /** Root certificate fingerprints */
 static const uint8_t fingerprints[] = { TRUSTED };
 

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 4101c8094141d57b476c11ea2544f77da002d30d..acb27411a47df2bb9ab0c2fb7dbc47e05ec4a83a 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1323,9 +1323,9 @@ int x509_is_valid ( struct x509_certificate *cert, struct x509_root *root ) {
  * @v issuer           Issuing X.509 certificate (or NULL)
  * @v root             Root certificate list
  */
-static void x509_set_valid ( struct x509_certificate *cert,
-                            struct x509_certificate *issuer,
-                            struct x509_root *root ) {
+void x509_set_valid ( struct x509_certificate *cert,
+                     struct x509_certificate *issuer,
+                     struct x509_root *root ) {
        unsigned int max_path_remaining;
 
        /* Sanity checks */

diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 15bb31b0e876fc5adbc25417dbb40852f445445a..c704dd44dd676f57dbacba227b8b6f14ab1b9c5d 100644 (file)
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -428,6 +428,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_usb_cmd                      ( ERRFILE_OTHER | 0x00640000 )
 #define ERRFILE_usb_settings         ( ERRFILE_OTHER | 0x00650000 )
 #define ERRFILE_weierstrass          ( ERRFILE_OTHER | 0x00660000 )
+#define ERRFILE_efi_cacert           ( ERRFILE_OTHER | 0x00670000 )
 
 /** @} */
 

diff --git a/src/include/ipxe/rootcert.h b/src/include/ipxe/rootcert.h
index d4be2e1bc91eb0e6f9820d0fa2ebf687caae0e43..d1a69723d3869d899c8e16d7cbe424aa5e388fc5 100644 (file)
--- a/src/include/ipxe/rootcert.h
+++ b/src/include/ipxe/rootcert.h
@@ -11,6 +11,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 
 #include <ipxe/x509.h>
 
+extern const int allow_trust_override;
 extern struct x509_root root_certificates;
 
 #endif /* _IPXE_ROOTCERT_H */

diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index e71cee8a3b2ff413c48ceda2646e590926249b7a..e8cd0f303fcc54a76a1b07312e74f4b249e13fd9 100644 (file)
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -421,6 +421,9 @@ extern int x509_certificate ( const void *data, size_t len,
                              struct x509_certificate **cert );
 extern int x509_is_valid ( struct x509_certificate *cert,
                           struct x509_root *root );
+extern void x509_set_valid ( struct x509_certificate *cert,
+                            struct x509_certificate *issuer,
+                            struct x509_root *root );
 extern int x509_validate ( struct x509_certificate *cert,
                           struct x509_certificate *issuer,
                           time_t time, struct x509_root *root );

diff --git a/src/interface/efi/efi_cacert.c b/src/interface/efi/efi_cacert.c
new file mode 100644 (file)
index 0000000..5cc268b
--- /dev/null
+++ b/src/interface/efi/efi_cacert.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+/** @file
+ *
+ * EFI CA certificates
+ *
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <errno.h>
+#include <ipxe/init.h>
+#include <ipxe/x509.h>
+#include <ipxe/rootcert.h>
+#include <ipxe/efi/efi.h>
+#include <ipxe/efi/efi_siglist.h>
+#include <ipxe/efi/Guid/TlsAuthentication.h>
+
+/** List of EFI CA certificates */
+static struct x509_chain efi_cacerts = {
+       .refcnt = REF_INIT ( ref_no_free ),
+       .links = LIST_HEAD_INIT ( efi_cacerts.links ),
+};
+
+/**
+ * Retrieve EFI CA certificate
+ *
+ * @v data             TlsCaCertificate variable data
+ * @v len              Length of TlsCaCertificate
+ * @v offset           Offset within data
+ * @v next             Next offset, or negative error
+ */
+static int efi_cacert ( void *data, size_t len, size_t offset ) {
+       struct asn1_cursor *cursor;
+       struct x509_certificate *cert;
+       int next;
+       int rc;
+
+       /* Extract ASN.1 object */
+        next = efisig_asn1 ( virt_to_user ( data ), len, offset, &cursor );
+       if ( next < 0 ) {
+               rc = next;
+               DBGC ( &efi_cacerts, "EFICA could not parse at +%#zx: %s\n",
+                      offset, strerror ( rc ) );
+               goto err_asn1;
+       }
+
+       /* Append to list of EFI CA certificates */
+       if ( ( rc = x509_append_raw ( &efi_cacerts, cursor->data,
+                                     cursor->len ) ) != 0 ) {
+               DBGC ( &efi_cacerts, "EFICA could not append at +%#zx: %s\n",
+                      offset, strerror ( rc ) );
+               goto err_append;
+       }
+       cert = x509_last ( &efi_cacerts );
+       DBGC ( &efi_cacerts, "EFICA found certificate %s\n",
+              x509_name ( cert ) );
+
+       /* Mark certificate as valid (i.e. trusted) if permitted */
+       if ( allow_trust_override ) {
+               DBGC ( &efi_cacerts, "EFICA trusting certificate %s\n",
+                      x509_name ( cert ) );
+               x509_set_valid ( cert, NULL, &root_certificates );
+       }
+
+       /* Free ASN.1 object */
+       free ( cursor );
+
+       return next;
+
+ err_append:
+       free ( cursor );
+ err_asn1:
+       return rc;
+}
+
+/**
+ * Retrieve all EFI CA certificates
+ *
+ * @ret rc             Return status code
+ */
+static int efi_cacert_all ( void ) {
+       EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
+       EFI_GUID *guid = &efi_tls_ca_certificate_guid;
+       static CHAR16 *wname = EFI_TLS_CA_CERTIFICATE_VARIABLE;
+       int offset = 0;
+       UINT32 attrs;
+       UINTN size;
+       void *data;
+       EFI_STATUS efirc;
+       int rc;
+
+       /* Get variable length */
+       size = 0;
+       if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
+                                        NULL ) ) != EFI_BUFFER_TOO_SMALL ) {
+               rc = -EEFI ( efirc );
+               DBGC ( &efi_cacerts, "EFICA could not get %ls size: %s\n",
+                      wname, strerror ( rc ) );
+               goto err_len;
+       }
+
+       /* Allocate temporary buffer */
+       data = malloc ( size );
+       if ( ! data ) {
+               rc = -ENOMEM;
+               goto err_alloc;
+       }
+
+       /* Read variable */
+       if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
+                                        data ) ) != 0 ) {
+               rc = -EEFI ( efirc );
+               DBGC ( &efi_cacerts, "EFICA could not read %ls: %s\n",
+                      wname, strerror ( rc ) );
+               goto err_get;
+       }
+
+       /* Parse certificates */
+       while ( ( ( size_t ) offset ) < size ) {
+               offset = efi_cacert ( data, size, offset );
+               if ( offset < 0 ) {
+                       rc = offset;
+                       goto err_cacert;
+               }
+       }
+
+       /* Success */
+       rc = 0;
+
+ err_cacert:
+ err_get:
+       free ( data );
+ err_alloc:
+ err_len:
+       return rc;
+}
+
+/**
+ * Initialise EFI CA certificates
+ *
+ */
+static void efi_cacert_init ( void ) {
+       int rc;
+
+       /* Initialise all certificates */
+       if ( ( rc = efi_cacert_all() ) != 0 ) {
+               DBGC ( &efi_cacert, "EFICA could not initialise: %s\n",
+                      strerror ( rc ) );
+               /* Nothing we can do at this point */
+               return;
+       }
+}
+
+/** EFI CA certificates initialisation function */
+struct init_fn efi_cacert_init_fn __init_fn ( INIT_LATE ) = {
+       .initialise = efi_cacert_init,
+};
+
+/**
+ * Discard any EFI CA certificates
+ *
+ */
+static void efi_cacert_shutdown ( int booting __unused ) {
+
+       /* Drop our references to the certificates */
+       DBGC ( &efi_cacert, "EFICA discarding certificates\n" );
+       x509_truncate ( &efi_cacerts, NULL );
+       assert ( list_empty ( &efi_cacerts.links ) );
+}
+
+/** EFI CA certificates shutdown function */
+struct startup_fn efi_cacert_shutdown_fn __startup_fn ( STARTUP_NORMAL ) = {
+       .name = "efi_cacert",
+       .shutdown = efi_cacert_shutdown,
+};