Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

shim: skip verification for multiple signatures once one of them is matched #700

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

dennis-tseng99
Copy link
Contributor

@dennis-tseng99 dennis-tseng99 commented Oct 28, 2024

If a single signature is correctly verified for an image with multiple signatures, then the verify_one_signature() should be skipped to avoid cpu-consumption. In the mean time, it is wise to at least check the format of the remaining signatures to reduce the risk of corrupted or malformed signatures.

If an image signed by multiple keys matches any
one of vendor certificates, the image will be considered
valid and should stop checking the next signature.
This PR immediately stops do-while() next signature checking.
in verify_buffer_authenticode() when key matches.

Signed-off-by: Dennis Tseng <[email protected]>
@mikebeaton
Copy link
Contributor

@dennis-tseng99 - I think this change may not be correct:

76c0447e

"If at any point any assertion about the
binary or signature list being well-formed fails, the binary is
immediately rejected, though we do allow skipping over signatures
which have an unsupported sig->Hdr.wCertificateType."

@dennis-tseng99
Copy link
Contributor Author

dennis-tseng99 commented Oct 29, 2024

@mikebeaton, Thanks for your comment. Hope not to misunderstand your meaning.

If at any point any assertion about the
binary or signature list being well-formed fails, the binary is
immediately rejected

EDIT: if the format check for sig-list is necessary, then we should skip verify_one_signature() once one of signatures is correctly verified to avoid the high cpu consumption.

@mikebeaton To enhance data integrity, I do not remove the format check for rest signatures to avoid mal-format.

TPM measurement is cpu heavier than malformed checking. Verifying one valid signature and measuring its corresponding vendor cert’s TPM should be enough to ensure security and integrity, reducing extra overhead.

@mikebeaton
Copy link
Contributor

mikebeaton commented Oct 29, 2024

@mikebeaton, Thanks for your comment. Hope not to misunderstand your meaning.

If at any point any assertion about the
binary or signature list being well-formed fails, the binary is
immediately rejected

Actually, in this PR, do-while would not stop until verification gets SUCCESS or offset is too large. Even the well-formed fails happen, the binary would not be immediately rejected.

In the PR, verification would stop if it gets SUCCESS. Before the PR verification would fail after a success, if the binary was found to be malformed after the success. And I think the commit message I quoted means that that is the intended behaviour.

I'm not a maintainer. So if you don't agree with my reading, of course wait for the maintainers to comment!

EDIT: To put it another way, I think the requirements are, binary must be signed by at least one sig, and entire sig list must be valid. The second requirement is not checked with this PR, but should be, if I've understood the code and comment correctly.

If a single signature is correctly verified for an image with multiple signatures, then the verify_one_signature() should be skipped to avoid cpu-consumption. In the mean time, it is wise to at least check the format of the remaining signatures to reduce the risk of corrupted or malformed signatures.
@dennis-tseng99 dennis-tseng99 changed the title shim: immediately stop if signature is matched. shim: skip verification for multiple signatures once one of them is matched Oct 30, 2024
@mikebeaton
Copy link
Contributor

Hi! I still think this is unfortunately probably wrong. If modifying code like this then (I humbly suggest!) it is important to check whether the code being skipped has any side effects that might be wanted. In this case, the calls to verify_one_signature which you are skipping make calls to tpm_measure_variable - so I believe the answer is yes, there are non-trivial, and wanted, side effects to 'pointlessly' verifying all signatures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants