Main

Timestamp:

May 27, 2024 6:56:45 PM (9 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

163365

Message:

Main: Add new Microsoft certs issued 2023 (KEK, Windows boot loader CA and 3rd party boot loader CA). Touch up the variable naming slightly to reflect the use of the certs in the DB better. Add a pointer where to get the certs (the github project has URLs which are the real authority). bugref:10699

Location:

trunk/src/VBox/Main

Files:

: 3 added
: 3 edited

Certificates/microsoft_corporation_kek_2k_ca_2023.crt (added)
Certificates/microsoft_uefi_ca_2023.crt (added)
Certificates/windows_uefi_ca_2023.crt (added)
Makefile.kmk (modified) (2 diffs)
include/TrustAnchorsAndCerts.h (modified) (1 diff)
src-server/UefiVariableStoreImpl.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/Main/Makefile.kmk

-              r104787
+              r104793
+ #
  # Trust anchors and certificates -> .cpp
+ # Source for the Microsoft Certificates: https://github.com/microsoft/secureboot_objects
+ #
  VBOX_SVC_CERTS_FILE = $(VBoxSVC_0_OUTDIR)/TrustAnchorsAndCerts.cpp
  VBOX_SVC_CERTS := \
         UefiMicrosoftKek=MicCorKEKCA2011_2011-06-24.crt \
+        UefiMicrosoftCa=MicCorUEFCA2011_2011-06-27.crt \
+        UefiMicrosoftProPca=MicWinProPCA2011_2011-10-19.crt \
+        UefiMicrosoftKek2023=microsoft_corporation_kek_2k_ca_2023.crt \
+        UefiMicrosoft3rdCa=MicCorUEFCA2011_2011-06-27.crt \
+        UefiMicrosoft3rdCa2023=microsoft_uefi_ca_2023.crt\
+        UefiMicrosoftWinCa=MicWinProPCA2011_2011-10-19.crt \
+        UefiMicrosoftWinCa2023=windows_uefi_ca_2023.crt \
         UefiOracleDefPk=OrclUefiDefPk2021_2021-09-29.crt
  VBOX_SVC_CERT_NAMES := $(foreach cert,$(VBOX_SVC_CERTS),$(firstword $(subst =,$(SPACE) ,$(cert))))
+ VBOX_SVC_CERT_NAMES := $(foreach cert,$(VBOX_SVC_CERTS),$(firstword $(subst =,$(SP),$(cert))))
  VBOX_SVC_PATH_CERTIFICATES := $(PATH_SUB_CURRENT)/Certificates
  $$(VBOX_SVC_CERTS_FILE): $(MAKEFILE_CURRENT) \
                 $(foreach cert,$(VBOX_SVC_CERTS),$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SPACE) ,$(cert)))) \
+                $(foreach cert,$(VBOX_SVC_CERTS),$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SP),$(cert)))) \
                 $(VBOX_BIN2C) \
                 | $$(dir $$@)
 …
                ''
         $(foreach cert,$(VBOX_SVC_CERTS), $(NLTAB)$(VBOX_BIN2C) -ascii --append \
                 "$(firstword $(subst =,$(SP) ,$(cert)))" \
                 "$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SP) ,$(cert)))" \
+                "$(firstword $(subst =,$(SP),$(cert)))" \
+                "$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SP),$(cert)))" \
                 "$@")

trunk/src/VBox/Main/include/TrustAnchorsAndCerts.h

-              r98103
+              r104793
 extern const unsigned g_cbUefiMicrosoftKek;
 extern const unsigned char g_abUefiMicrosoftCa[];
 extern const unsigned g_cbUefiMicrosoftCa;
+extern const unsigned char g_abUefiMicrosoft3rdCa[];
+extern const unsigned g_cbUefiMicrosoft3rdCa;
+extern const unsigned char g_abUefiMicrosoftProPca[];
+extern const unsigned g_cbUefiMicrosoftProPca;
+extern const unsigned char g_abUefiMicrosoft3rdCa2023[];
+extern const unsigned g_cbUefiMicrosoft3rdCa2023;
+extern const unsigned char g_abUefiMicrosoftWinCa[];
+extern const unsigned g_cbUefiMicrosoftWinCa;
+extern const unsigned char g_abUefiMicrosoftWinCa2023[];
+extern const unsigned g_cbUefiMicrosoftWinCa2023;
 extern const unsigned char g_abUefiOracleDefPk[];

trunk/src/VBox/Main/src-server/UefiVariableStoreImpl.cpp

-              r103532
+              r104793
     if (SUCCEEDED(hrc))
+    {
         hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoftCa, g_cbUefiMicrosoftCa,
+        hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoft3rdCa, g_cbUefiMicrosoft3rdCa,
                                              GuidMs, SignatureType_X509);
         if (SUCCEEDED(hrc))
+            hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoftProPca, g_cbUefiMicrosoftProPca,
+        {
+            hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoft3rdCa2023, g_cbUefiMicrosoft3rdCa2023,
                                                  GuidMs, SignatureType_X509);
+            if (SUCCEEDED(hrc))
+            {
+                hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoftWinCa, g_cbUefiMicrosoftWinCa,
+                                                     GuidMs, SignatureType_X509);
+                if (SUCCEEDED(hrc))
+                    hrc = i_uefiVarStoreAddSignatureToDb(&EfiGuidSecurityDb, "db", g_abUefiMicrosoftWinCa2023, g_cbUefiMicrosoftWinCa2023,
+                                                         GuidMs, SignatureType_X509);
+            }
+        }
+    }

Note: See TracChangeset for help on using the changeset viewer.

Changeset 104793 in vbox for trunk/src/VBox/Main

Legend:

trunk/src/VBox/Main/Makefile.kmk

trunk/src/VBox/Main/include/TrustAnchorsAndCerts.h

trunk/src/VBox/Main/src-server/UefiVariableStoreImpl.cpp

Download in other formats: