Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide some documentation about authentication of applied updates #105

Closed
rhertzog opened this issue Sep 25, 2024 · 2 comments · Fixed by #107
Closed

Provide some documentation about authentication of applied updates #105

rhertzog opened this issue Sep 25, 2024 · 2 comments · Fixed by #107

Comments

@rhertzog
Copy link

rhertzog commented Sep 25, 2024
edited
Loading

Hello,

we recently went through the process of getting our shim signed by Microsoft and that entails a review of what the shim is allowed to load. And the fwupd.efi binary is one of the signed binaries that are allowed to be executed.

Thus the organization going through this process have to answers questions like those:

  • If your SHIM launches any other components, please provide further details on what is launched and how the component prevents execution of unauthenticated code.
  • Do any of the products in this submission take any user input? If so, what input validation is performed?
  • Do any of the products in this submission take any programmatic input (files on disk, UEFI variables, etc.)? If so, what input validation is performed?

It would thus be nice if the README or some other easy-to-find documentation could provide some description of fwupd.efi's implementation that would provide answers of the above questions.

From what I understood, the fwupd client tweaks some UEFI variables to request fwupd.efi to be called on next boot, and then this binary merely uses the UpdateCapsule UEFI call to apply the updates. Thus the updates are authenticated by the UEFI firmware, i.e. each capsule has its own signature that must validate with one of the keys enrolled in the UEFI keyring.

AFAIK, the fwupd.efi binary has no user-interaction, and it merely uses a couple of UEFI variables to figure out which capsules to execute.

It would be nice if you could provide that kind of overview (maybe with a few more details) for the benefit of other entities who have to go through this process.

(cf rhboot/shim-review#435 (comment) and subsequent messages for some context, and https://gist.github.com/rhertzog/7efd1f78212e2708ba64d3dc3190095f for our own answers to Microsoft if they can help you)
@rhertzog rhertzog mentioned this issue Sep 25, 2024
Closed
8 tasks
@hughsie
Copy link
Member

hughsie commented Sep 27, 2024

@rhertzog I was thinking of something like this, comments very welcome: https://docs.google.com/document/d/13hn9gzRFDw4dPgRwtiGb9DnUUEi9x4NJFQM-IOO2pUw/edit?usp=sharing

@rhertzog
Copy link
Author

@rhertzog I was thinking of something like this, comments very welcome

Looks great. I left a small comment to try to not present this as pre-filled answers that one can safely copy-paste.

hughsie added a commit that referenced this issue Sep 27, 2024
@hughsie
Add some notes for potential shim reviews
3dbc42e 
Fixes #105
@hughsie hughsie mentioned this issue Sep 27, 2024
Merged
hughsie added a commit that referenced this issue Sep 29, 2024
@hughsie
Add some notes for potential shim reviews
e45c5b8 
Fixes #105
hughsie added a commit that referenced this issue Sep 30, 2024
@hughsie
Add some notes for potential shim reviews
59daf7f 
Fixes #105
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add some notes for potential shim reviews fwupd/fwupd-efi
2 participants
@hughsie @rhertzog