Changeset 106968 in vbox for trunk/src/VBox

Timestamp:

Nov 12, 2024 4:35:48 PM (3 months ago)

Author:

vboxsync

Message:

SUPHardNt: Slightly relaxed the extension pack signing requirements in hardened builds. Mostly untested. jiraref:VBP-1451

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• Makefile.kmk (modified) (1 diff)
• SUPR3HardenedVerify.cpp (modified) (1 diff)
• win/SUPHardenedVerify-win.h (modified) (2 diffs)
• win/SUPHardenedVerifyImage-win.cpp (modified) (8 diffs)
• win/SUPR3HardenedMain-win.cpp (modified) (6 diffs)

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -120 +120 @@
         TimeRootOracle1=Timestamp-VBoxLegacyWinSha1CA.taf \
         TrustedCertVBox0=Trusted-OracleCorporationVirtualBox-05308b76ac2e15b29720fb4395f65f38.taf \
+        TrustedCertVBox1=Trusted-OracleAmerica-060e2f8f9e1b8be518d5fe2b69cfccb1.taf \
         AppleRoot0=AppleRoot-2bd06947947609fef46b8d2e40a6f7474d7f085e.taf \
         AppleRoot1=AppleRoot-G2-c499136c1803c27bc0a3a00d7f72807a1c77268d.taf

trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp

@@ -1875 +1875 @@
     {
 # ifdef VBOX_WITH_HARDENING
-        uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
+        /** @todo do we need to validate the fMaybe3rdParty claim here? I.e. only
+         *        apply it if 'ExtensionPacks' is part of the path. */
+        uint32_t fFlags = SUPHNTVI_F_REQUIRE_CODE_SIGNING;
         if (!fMaybe3rdParty)
             fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

@@ -146 +146 @@
  * was signed with. */
 #  define SUPHNTVI_F_REQUIRE_BUILD_CERT             RT_BIT(0)
+/** The signing certificate must be one the build certificate or one of the
+ * one used by Oracle to sign the extension pack. */
+#  define SUPHNTVI_F_REQUIRE_SPECIAL_TRUST_CERT     RT_BIT(1)
+/** Require regular code signing. */
+#  define SUPHNTVI_F_REQUIRE_CODE_SIGNING           RT_BIT(2)
 /** Require kernel code signing level. */
-#  define SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING    RT_BIT(1)
+#  define SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING    RT_BIT(3)
 /** Require the image to force the memory mapper to do signature checking. */
-#  define SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT  RT_BIT(2)
+#  define SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT  RT_BIT(4)
 /** Whether to allow image verification by catalog file. */
-#  define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION    RT_BIT(3)
+#  define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION    RT_BIT(5)
 /** The file owner must be TrustedInstaller, Builtin\\Administrators
  *  (S-1-5-32-544) or local system (S-1-5-21) on Vista+. */
-#  define SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER RT_BIT(4)
+#  define SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER RT_BIT(6)
 /** Ignore the image architecture (otherwise it must match the verification
  * code).  Used with resource images and such. */
@@ -229 +234 @@
 #endif /* IN_RING3 && !VBOX_PERMIT_EVEN_MORE */
 extern SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
-extern SUPSYSROOTDIRBUF g_SupLibHardenedAppBinNtPath;
 
 #   ifdef IN_RING0

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -130 +130 @@
 /** The build certificate. */
 static RTCRX509CERTIFICATE  g_BuildX509Cert;
+
+/** Store for certificates that we put special trust it, like the build
+ * certificate and the ones used by the Oracle extension pack. */
+static RTCRSTORE            g_hSpecialTrustStore = NIL_RTCRSTORE;
 
 /** Store for root software publisher certificates. */
@@ -771 +775 @@
     RT_NOREF1(hLdrMod);
 
-    if (fFlags & (SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING))
+    if (fFlags & (  SUPHNTVI_F_REQUIRE_BUILD_CERT
+                  | SUPHNTVI_F_REQUIRE_SPECIAL_TRUST_CERT
+                  | SUPHNTVI_F_REQUIRE_CODE_SIGNING
+                  | SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING))
         return rc;
 
@@ -1042 +1049 @@
 
     /*
-     * Standard code signing capabilites required.
+     * Standard code signing capabilites required (SUPHNTVI_F_REQUIRE_CODE_SIGNING is implied here).
      */
     int rc = RTCrPkcs7VerifyCertCallbackCodeSigning(pCert, hCertPaths, fFlags, NULL, pErrInfo);
@@ -1201 +1208 @@
                                  g_BuildX509Cert.TbsCertificate.SerialNumber.Asn1Core.uData.pv);
     }
+    /** @todo apply these to all signatures, but don't fail in a bad way for
+     *        stuff with extra signatures (typically from microsoft). */
+    else if (   (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SPECIAL_TRUST_CERT)
+             && pInfo->iSignature == 0)
+    {
+        PCRTCRCERTCTX const pCertCtx = RTCrStoreCertByIssuerAndSerialNo(g_hSpecialTrustStore,
+                                                                        &pSignerInfo->IssuerAndSerialNumber.Name,
+                                                                        &pSignerInfo->IssuerAndSerialNumber.SerialNumber);
+        if (!pCertCtx)
+            return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_SIGNED_WITH_SPECIALLY_TRUSTED_CERT,
+                                 "Signature #%u/%u: Not signed with the build certificate or any of the specially trusted ones (serial %.*Rhxs)",
+                                 pInfo->iSignature + 1, pInfo->cSignatures,
+                                 pSignerInfo->IssuerAndSerialNumber.SerialNumber.Asn1Core.cb,
+                                 pSignerInfo->IssuerAndSerialNumber.SerialNumber.Asn1Core.uData.pv);
+        RTCrCertCtxRelease(pCertCtx);
+    }
 
     /*
@@ -1272 +1295 @@
 
 #ifdef IN_RING3 /* Hack alert! (see above) */
-            if ((pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT) && g_uBuildTimestampHack == 0 && cTimes > 1)
+            if (   (pNtViRdr->fFlags & (SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_REQUIRE_SPECIAL_TRUST_CERT))
+                && g_uBuildTimestampHack == 0
+                && cTimes > 1)
                 g_uBuildTimestampHack = uTimestamp;
 #endif
@@ -1325 +1350 @@
 
                 /* This leniency is not applicable to build certificate requirements (signature #1 only). */
-                if (  !(pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
+                if (  !(pNtViRdr->fFlags & (SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_REQUIRE_SPECIAL_TRUST_CERT))
                     || pInfo->iSignature != 0)
                 {
@@ -1993 +2018 @@
          */
         rc = supHardNtViCertInit(&g_BuildX509Cert, g_abSUPBuildCert, g_cbSUPBuildCert, pErrInfo, "BuildCertificate");
+        SUPTAENTRY const aBuildCerts[1] = { { g_abSUPBuildCert, g_cbSUPBuildCert }, };
+        if (RT_SUCCESS(rc))
+            rc = supHardNtViCertStoreInit(&g_hSpecialTrustStore,
+                                          aBuildCerts, RT_ELEMENTS(aBuildCerts),
+                                          g_aSUPTrustedTAs, g_cSUPTrustedTAs,
+                                          NULL, 0,
+                                          pErrInfo, "SpecialTrustStore");
         if (RT_SUCCESS(rc))
             rc = supHardNtViCertStoreInit(&g_hSpcRootStore, g_aSUPSpcRootTAs, g_cSUPSpcRootTAs,
@@ -2076 +2108 @@
     RTCrStoreRelease(g_hSpcRootStore);
     g_hSpcRootStore = NIL_RTCRSTORE;
+
+    RTCrStoreRelease(g_hSpecialTrustStore);
+    g_hSpecialTrustStore = NIL_RTCRSTORE;
 }
 

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -318 +318 @@
 SUPSYSROOTDIRBUF            g_SupLibHardenedExeNtPath;
 /** The NT path of the application binary directory. */
-SUPSYSROOTDIRBUF            g_SupLibHardenedAppBinNtPath;
+static SUPSYSROOTDIRBUF     g_SupLibHardenedAppBinNtPath;
+/** The NT path of the extension packs directory. */
+static SUPSYSROOTDIRBUF     g_SupLibHardenedExtPacksNtPath;
 /** The offset into g_SupLibHardenedExeNtPath of the executable name (WCHAR,
  * not byte). This also gives the length of the exectuable directory path,
@@ -1509 +1511 @@
      *      1. System32      - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
      *      2. WinSxS        - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
-     *      3. VirtualBox    - build with:
+     *      3. ExtPacks      - VBox built with:
+     *         - regular code signing cert: regular code signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *         - kernel code signing cert:  kernel code signing and integrity checks.
+     *      4. VirtualBox    - VBox built with:
      *         - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
      *         - kernel code signing cert:  kernel code signing and integrity checks.
-     *      4. AppPatchDir   - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
-     *      5. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
-     *      6. Common Files  - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
-     *      7. x86 variations of 4 & 5 - ditto.
+     *      5. AppPatchDir   - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *      6. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *      7. Common Files  - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *      8. x86 variations of 5 & 6 - ditto.
      *
      * Note! VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT means the /IntegrityCheck does
@@ -1527 +1532 @@
     else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/))
         fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+    else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedExtPacksNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
+        fFlags |= SUPHNTVI_F_REQUIRE_CODE_SIGNING | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
+        fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
     else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
 # ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
-        /** @todo r=bird: See SUPHNTVI_F_REQUIRE_BUILD_CERT comment below (in the
-         *        code that's actually used). */
         fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
 # else
@@ -1575 +1584 @@
      * Require trusted installer + some kind of signature on everything, except
      * for the VBox bits where we have extra requirements depending on the signing
-     * certificate used:
-     *         - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
-     *         - kernel code signing cert:  kernel code signing and integrity checks.
+     * certificate used. 
+     *     1. ExtPacks      - VBox built with:
+     *        - regular code signing cert: regular code signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *        - kernel code signing cert:  kernel code signing and integrity checks.
+     *     2. VirtualBox    - VBox built with:
+     *        - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
+     *        - kernel code signing cert:  kernel code signing and integrity checks.
+     *     3. Everything else: allow .cat-file verification, , owner TrustedInstaller/Administrators/LocalSystem.
      */
     uint32_t fFlags = 0;
-    if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+    if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedExtPacksNtPath.UniStr, true /*fCheckSlash*/))
 # ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
-        /** @todo r=bird: Since extension packs are installed under
-         * g_SupLibHardenedAppBinNtPath and I'm pretty sure that everything loaded into
-         * a VBox VM process goes thru this validation step at DLL load time, this means
-         * only we can now sign extension packs.
-         *
-         * I suspect we have to relax the signing restrictions on the ExtensionPacks
-         * subdirectory to keep 3rd party extensions working.  */
+        fFlags |= SUPHNTVI_F_REQUIRE_CODE_SIGNING | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
+        fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
+    else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
         fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
 # else
@@ -5993 +6006 @@
 
 /**
- * Initializes the application binary directory path.
+ * Initializes the application binary directory path and the extpacks path.
  *
  * This is called once or twice.
@@ -6036 +6049 @@
     g_SupLibHardenedAppBinNtPath.UniStr.MaximumLength = sizeof(g_SupLibHardenedAppBinNtPath.awcBuffer);
     SUP_DPRINTF(("supR3HardenedWinInitAppBin(%#x): '%ls'\n", fFlags, g_SupLibHardenedAppBinNtPath.UniStr.Buffer));
+
+    /* Extension packs: */
+    static wchar_t const s_wszExtPacks[] = L"\\ExtensionPacks";
+    if (g_SupLibHardenedAppBinNtPath.UniStr.Buffer[cwc - 1] == '\\' || g_SupLibHardenedAppBinNtPath.UniStr.Buffer[cwc - 1] == '/')
+        cwc--;
+    if (cwc + RT_ELEMENTS(s_wszExtPacks) > RT_ELEMENTS(g_SupLibHardenedExtPacksNtPath.awcBuffer))
+        supR3HardenedFatal("supR3HardenedWinInitAppBin: Location is too deep! (cwc=%#x)\n", cwc);
+    g_SupLibHardenedExtPacksNtPath.UniStr.Buffer = g_SupLibHardenedExtPacksNtPath.awcBuffer;
+    memcpy(g_SupLibHardenedExtPacksNtPath.UniStr.Buffer, g_SupLibHardenedAppBinNtPath.UniStr.Buffer, cwc * sizeof(WCHAR));
+    memcpy(&g_SupLibHardenedExtPacksNtPath.UniStr.Buffer[cwc], s_wszExtPacks, RT_ELEMENTS(s_wszExtPacks) * sizeof(WCHAR));
+    g_SupLibHardenedExtPacksNtPath.UniStr.Length = (cwc + RT_ELEMENTS(s_wszExtPacks) - 1) * sizeof(WCHAR);
+    g_SupLibHardenedExtPacksNtPath.UniStr.MaximumLength = sizeof(g_SupLibHardenedExtPacksNtPath.awcBuffer);
 }