Cryptographic Validation For Authenticated Variables #327
Conversation
…validation - Renamed script to validate_kek.py to reflect broader functionality - Added validate_single_kek() function to validate individual KEK files - Updated main() to detect and handle both file and folder inputs - Improved output messages: 'Cryptographic Signature: VALID/INVALID' and 'Expected Payload: True/False' - JSON output always generated for CI integration - Preserves git history through git mv
- Created validate-kek-updates.yml workflow that runs on PRs - Triggers when .bin files in KEK directories are added or modified - Validates cryptographic signatures and payloads for all changed KEK files - Fails CI if any KEK has an invalid signature - Warns (but doesn't fail) if payload doesn't match expected hash - Uploads validation results as artifacts - Adds detailed summary to PR with pass/fail status for each file
There was a problem hiding this comment.
Pull request overview
This pull request adds cryptographic verification capabilities to the UEFI authenticated variable tools by introducing a new verify command, a batch validation script, and automated CI workflow validation.
- Adds
verifycommand toauth_var_tool.pywith PKCS7 signature verification - Creates
validate_kek.pyscript for batch validation of KEK update files - Implements GitHub Actions workflow for automated KEK validation on pull requests
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| scripts/auth_var_tool.py | Adds cryptographic verification functionality with new verify command, PKCS7 certificate extraction, signature verification helpers, and enhanced describe output with human-readable hex strings |
| scripts/validate_kek.py | New script for validating KEK update files (single or batch) with JSON reporting, payload hash checking, and cryptographic signature verification |
| .github/workflows/validate-kek-updates.yml | New GitHub Actions workflow to automatically validate KEK files in pull requests, checking cryptographic signatures and expected payloads |
Comments suppressed due to low confidence (1)
scripts/auth_var_tool.py:669
- This import of module re is redundant, as it was previously imported on line 49.
import re
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| str | ||
| The content with hex strings converted to readable format where possible | ||
| """ | ||
| import re |
There was a problem hiding this comment.
The re module is imported at the module level (line 49), so this local import on line 669 is redundant. The module-level import should be used instead.
| import re |
| return datetime.datetime.now(datetime.timezone.utc) | ||
|
|
||
|
|
||
| def _get_hash_algorithm_from_oid(oid: str) -> hashes.HashAlgorithm | None: |
There was a problem hiding this comment.
The type hint uses Python 3.10+ union syntax (hashes.HashAlgorithm | None). While this is modern Python syntax, it could cause compatibility issues if the project supports Python 3.9 or earlier. Consider using Optional[hashes.HashAlgorithm] from the typing module or verify the minimum Python version requirement.
| Args: | ||
| kek_file: Path to KEK update file | ||
| quiet: If True, suppress validation output from the prototype |
There was a problem hiding this comment.
The documentation refers to "prototype" which seems like leftover wording from development. Consider updating to "verification process" or "verification output" for clarity.
| quiet: If True, suppress validation output from the prototype | |
| quiet: If True, suppress validation output from the verification process |
| fi | ||
| # Exit with error if any validation failed | ||
| if [ $VALIDATION_FAILED -eq 1 ]; then |
There was a problem hiding this comment.
[nitpick] The condition checks if VALIDATION_FAILED equals 1, but the variable is only ever set to 0 or 1. Consider using a more standard exit immediately after setting VALIDATION_FAILED=1 rather than waiting until the end, or accumulate errors differently. However, the current logic works correctly as written.
| except Exception: | ||
| signed_data, _ = decoder.decode(pkcs7_data, asn1Spec=rfc2315.SignedData()) |
There was a problem hiding this comment.
[nitpick] The bare except Exception catches all exceptions without discriminating between expected decoding failures and unexpected errors. Consider catching specific exceptions (like ASN1 decoding exceptions) for better error handling and debugging.
| except Exception: | ||
| # If that fails, try decoding directly as SignedData | ||
| signed_data, _ = decoder.decode(pkcs7_data, asn1Spec=rfc2315.SignedData()) |
There was a problem hiding this comment.
[nitpick] The bare except Exception catches all exceptions without discriminating between expected decoding failures and unexpected errors. Consider catching specific exceptions (like ASN1 decoding exceptions) or at least logging at a higher level for unexpected failures to aid debugging.
| subparsers = setup_format_parser(subparsers) | ||
| subparsers = setup_sign_parser(subparsers) | ||
| subparsers = setup_describe_parser(subparsers) | ||
| subparsers = setup_verify_parser(subparsers) |
There was a problem hiding this comment.
Variable subparsers is not used.
| subparsers = setup_format_parser(subparsers) | |
| subparsers = setup_sign_parser(subparsers) | |
| subparsers = setup_describe_parser(subparsers) | |
| subparsers = setup_verify_parser(subparsers) | |
| setup_format_parser(subparsers) | |
| setup_sign_parser(subparsers) | |
| setup_describe_parser(subparsers) | |
| setup_verify_parser(subparsers) |
| # Only replace if it looks like printable text | ||
| if decoded.isprintable() or all(c in '\t\n\r' or c.isprintable() for c in decoded): | ||
| return f'{indent}{hex_string} ("{decoded}")' | ||
| except (UnicodeDecodeError, AttributeError): |
There was a problem hiding this comment.
'except' clause does nothing but pass and there is no explanatory comment.
| except (UnicodeDecodeError, AttributeError): | |
| except (UnicodeDecodeError, AttributeError): | |
| # Decoding failed; ignore and try the next decoding strategy. |
| decoded = hex_bytes.decode('utf-8') | ||
| if decoded.isprintable() or all(c in '\t\n\r' or c.isprintable() for c in decoded): | ||
| return f'{indent}{hex_string} ("{decoded}")' | ||
| except UnicodeDecodeError: |
There was a problem hiding this comment.
'except' clause does nothing but pass and there is no explanatory comment.
| except UnicodeDecodeError: | |
| except UnicodeDecodeError: | |
| # Ignore decode errors: not all byte sequences are valid UTF-8, so skip these cases. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Flickdm
changed the title
1 participant
Description
This pull request adds a new "verify" command to the
auth_var_tool.pyscript, enhancing its ability to cryptographically verify UEFI authenticated variables. It also improves the output of the "describe" command by converting hex-encoded certificate fields into human-readable text. The most important changes are summarized below:New Verification Functionality:
verifycommand that verifies the cryptographic signature of authenticated variables, checking PKCS7 structure validity, signature correctness, and presence of the signing certificate. This includes new helper functions for extracting certificates and verifying signatures from PKCS7 data. [1] [2] [3] [4] [5] [6]Improvements to Describe Output:
describecommand to convert ASN.1 hex-encoded certificate fields (such as subject and issuer names) into human-readable strings, making the output more user-friendly. [1] [2]Documentation and Usage Examples:
verifycommand and its arguments, ensuring users are aware of the new functionality. [1] [2]These changes make the tool more robust for workflows that require verification of signed UEFI variables and improve the clarity of output for certificate inspection.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
Against every supplied KEK update
Appears to have caught a couple mistakes, reviewing them internally
Integration Instructions
N/A