Laszlo, thanks for the updates. I did one quick validation based on the shared zip file. The signature verification succeeded. This may just mean the new updates (openssl-1.0.2c) should work well on Authenticode verification.

And it is just one static test based on the Cryptest utility in CryptoPkg, since I have no full test environment now:
1. I stripped off the p7 signature from the signed shim.efi file;
2. Used the certificate "Microsoft Corporation UEFI CA 2011" as the trusted anchor;
3. Replaced some static data in AuthenticodeVerify.c with these shim data (the Hash value was also stripped from the P7 data).
The test result is passed. So it looks like the basic image verification should be OK. We may need extra efforts on the root cause. Will do more booting validations on my workstation later. :-)

Peter, any suggestion against this?

Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Laszlo Ersek [mailto:ler...@redhat.com]
Sent: Monday, June 22, 2015 9:33 PM
To: Long, Qin
Cc: edk2-devel@lists.sourceforge.net; Peter Jones
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***

Hi,

On 06/20/15 18:59, Long, Qin wrote:
> Ersek,
>
> I already checked some local Authenticode signatures and the Cryptest
> utility, and Ard also helped to validate something; it looks like the new
> update works well.
>
> Could you share the signed shim binary with me? (I have no copy in my local
> environment now.) Then I can check if there are any issues. Thanks.

I have no evidence either way whether the root cause is in edk2, or shim, or grub; the only symptom I'm witnessing is that the combination of the updated CryptoPkg / OpenSSL version and Fedora's UEFI binaries leads to an infinite loop "somewhere" after such a binary is booted.

The easiest way to reproduce it is by downloading
https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso
and booting it.

The UEFI binary you're most probably interested in is from the following Fedora package:

shim-signed-0.8-8
http://koji.fedoraproject.org/koji/buildinfo?buildID=612245

I thought that maybe you'd prefer a ZIP file, so I repacked it for you:
http://people.redhat.com/~lersek/for_qin_long/shim-0.8-8.x86_64.zip

Thanks!
Laszlo

> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org]
> Sent: Saturday, June 20, 2015 9:01 PM
> To: Laszlo Ersek
> Cc: edk2-devel@lists.sourceforge.net
> Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c
> release ***
>
> On 20 June 2015 at 03:42, Laszlo Ersek <ler...@redhat.com> wrote:
>> Hi,
>>
>> On 06/14/15 18:54, Long, Qin wrote:
>>> [NOTE]
>>> Just one day after the 1.0.2b release, one new upgrade (1.0.2c) was
>>> released to resolve ABI compatibility problems. This patch has to be
>>> updated to catch this latest release.
>>> No actual changes between this 1.0.2c patch and the last 1.0.2b patch
>>> series.
>>> ================================================================
>>> OpenSSL 1.0.2b was just released on 11-Jun-2015. This patch is
>>> updated to catch this latest release.
>>> The changes between the 1.0.2a patch and the 1.0.2b patch are few:
>>>   > One memory allocation bug was already fixed in the 1.0.2b code (x509_vpm.c).
>>>     Then remove the fix code from EDKII-openssl-1.0.2b.patch
>>>   > Add a few missed boundary checks in CryptX509.c
>>> ================================================================
>>> Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
>>> The OpenSSL Project announced that support for version 0.9.8
>>> will cease on 31st December 2015. This patch updates the EDKII
>>> openssl support to the latest 1.0.2 branch.
>>>
>>> Long, Qin (3):
>>>   CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
>>>   CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
>>>   CryptoPkg: Wrapper files updates to support openssl-1.0.2c
>>>
>>>  CryptoPkg/Include/OpenSslSupport.h                 |   8 +-
>>>  CryptoPkg/Include/memory.h                         |  16 +
>>>  .../Library/BaseCryptLib/Pk/CryptAuthenticode.c    |   6 +-
>>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c |  10 +-
>>>  .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     |  11 +-
>>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c        |  12 +-
>>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      |  18 +-
>>>  .../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
>>>  .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch  | 346 ++++++++++++
>>>  CryptoPkg/Library/OpensslLib/Install.cmd           | 146 ++---
>>>  CryptoPkg/Library/OpensslLib/Install.sh            | 146 ++---
>>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        | 620 ++++++++++++++-------
>>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  46 +-
>>>  13 files changed, 1013 insertions(+), 651 deletions(-)
>>>  create mode 100644 CryptoPkg/Include/memory.h
>>>  delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
>>>  create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
>>>
>>
>> Sorry that I'm late to the party, but this update seems to have broken
>> Secure Boot under OVMF. I started out with a fresh varstore, enrolled
>> the Microsoft keys manually, using the SecureBootConfigDxe forms, and
>> then tried to boot Fedora 20. "Booting fedora shim" appears at the end
>> of the debug log, and the VM spins into an infinite loop.
>>
>> I confirmed that with 0.9.8zf things work.
>>
>
> I wonder what is going on here. My AArch64 boot tests work fine with these
> patches applied, but they don't use shim. (They do use GRUB as an
> intermediate loader calling LoadImage() to boot a signed kernel.)
>
> Are there any plans or patches yet to move shim to a more recent OpenSSL
> version? It shouldn't be affecting things like this, but it would allow a
> quick check if someone has patches already.
>
> --
> Ard.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
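Qin's static test strips the PKCS#7 signature from shim.efi and feeds the remaining image data to the Authenticode check, which only works because the Authenticode digest is defined over the PE/COFF bytes outside the signature. The following Python script is an added example, not code from edk2, CryptoPkg, shim or anyone in this thread: it locates the Security data directory of a PE image, pulls out the attached WIN_CERTIFICATE payload, produces a signature-stripped copy, and computes the digest over exactly the bytes Authenticode covers (the CheckSum field, the Security directory entry and the certificate table are excluded). The sample PE32+ image and its placeholder PKCS#7 blob are constructed inline and are not a real signature, so the script demonstrates the image-hash step that precedes the PKCS#7 check, not the certificate-chain check against the "Microsoft Corporation UEFI CA 2011" anchor.

```python
"""Authenticode coverage of a PE/COFF image: which bytes the signature protects,
extraction of the embedded PKCS#7 blob, and a signature-stripped copy of the
image. Added example; not edk2 / CryptoPkg code. Layout follows the PE/COFF
specification and the Authenticode PE hashing rules."""
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # certificate table entry type for Authenticode
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index of the certificate table


def parse_pe(data):
    """Return the header offsets the Authenticode digest needs (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:          # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                                   # CheckSum field (same offset in both formats)
    secdir_off = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)   # file offset, not an RVA
    sections = []
    sh = opt + opt_size                                       # first section header
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    sections.sort()                                           # hash sections by PointerToRawData
    return {"checksum_off": checksum_off, "secdir_off": secdir_off,
            "size_of_headers": size_of_headers, "sections": sections,
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_digest(data, algo="sha256"):
    """Digest over the bytes an Authenticode signature covers."""
    p = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:p["checksum_off"]])                         # headers up to CheckSum
    h.update(data[p["checksum_off"] + 4:p["secdir_off"]])      # CheckSum skipped, up to Security entry
    h.update(data[p["secdir_off"] + 8:p["size_of_headers"]])   # Security entry skipped, rest of headers
    end = p["size_of_headers"]
    for ptr, size in p["sections"]:
        h.update(data[ptr:ptr + size])
        end = max(end, ptr + size)
    # Data appended after the last section is covered too, but the certificate
    # table itself never is (assumes the table sits at the end of the file).
    tail_end = p["cert_off"] if p["cert_size"] else len(data)
    if tail_end > end:
        h.update(data[end:tail_end])
    return h.digest()


def extract_pkcs7(data):
    """Return the PKCS#7 SignedData blob from the certificate table, or None."""
    p = parse_pe(data)
    if not p["cert_size"]:
        return None
    off, end = p["cert_off"], p["cert_off"] + p["cert_size"]
    while off + 8 <= end:                                      # walk WIN_CERTIFICATE entries
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8:
            break                                              # malformed entry; stop rather than loop
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            return data[off + 8:off + length]
        off += (length + 7) & ~7                               # entries are 8-byte aligned
    return None


def strip_signature(data):
    """Copy of the image with the certificate table dropped and the Security entry zeroed."""
    p = parse_pe(data)
    if not p["cert_size"]:
        return bytes(data)
    out = bytearray(data[:p["cert_off"]])
    struct.pack_into("<II", out, p["secdir_off"], 0, 0)
    return bytes(out)


def build_sample_pe(pkcs7_blob):
    """Constructed minimal PE32+ (one .text section) with an attached WIN_CERTIFICATE."""
    dos = bytearray(128)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 128)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 36, 512)                       # FileAlignment
    struct.pack_into("<I", opt, 60, 512)                       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum (excluded from the digest)
    struct.pack_into("<H", opt, 68, 10)                        # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    cert_len = 8 + len(pkcs7_blob)
    padded = (cert_len + 7) & ~7
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 1024, padded)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 512, 0x1000, 512, 512)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)).ljust(512, b"\0")
    text = bytes(range(256)) * 2                               # 512 bytes of section content
    cert = struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
    return headers + text + cert.ljust(padded, b"\0")


# Constructed placeholder; a real shim.efi carries a DER-encoded PKCS#7 SignedData here.
SAMPLE_P7 = b"\x30\x82\x01\x00" + b"constructed-placeholder-not-a-real-pkcs7"

if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_P7)
    print("authenticode sha256:", authenticode_digest(image).hex())
    print("stripped copy matches:", authenticode_digest(strip_signature(image)) == authenticode_digest(image))
```

Run against a real signed image, `extract_pkcs7` gives the blob a PKCS#7 verifier consumes, and the digest returned by `authenticode_digest` is the value the verifier compares with the messageDigest carried inside that blob's SpcIndirectDataContent; the equality of the signed and stripped digests is what makes a test like Qin's (signature removed, data hashed separately) meaningful.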