efivalidate 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1d7ad40ad286efe0a7da67d7ba34b4abe48ec7a5
-  data.tar.gz: 0d1703778e05b919fb07b6cf1dd53a1386f071b4
+  metadata.gz: 037ca593ce0ba5a08920d051c191e5f9c4d3a71a
+  data.tar.gz: cd59412dc988879399f553b91a965cdca1a59a77
 SHA512:
-  metadata.gz: b2f62cb2753b799902811831043bae5875be6628ea27db53a8ba1331287e85f2706c012a07af6b06738496264ece9b9c318d8c86ae0762852aad696180352359
-  data.tar.gz: f257b58ad2c6ffb3bb3e709afeea22d73ec437e415ca37c5c67124e05fd6bf25336fd4fff99e9e0d7261c69e503c57958207f4d0c7ab8537727622a1c7a7c3e5
+  metadata.gz: 156c354cdf536fbc2a09b9a820cf29c023ebdcbd3042241f4286e0689d0b37441ef5b187fea248a6bd218b64d874e726923b2747412356263ce7543457976281
+  data.tar.gz: 8496a21db212539db45a5e6547e361c16a6b25a581855e899ec7c45ad7a73c3a13f543c93d3bba114745709d784cd8e5a218598f294cb288262712ca5513a9de

data/.gitignore

@@ -11,3 +11,5 @@
 
 # rspec failure tracking
 .rspec_status
+
+*.gem

data/FORMAT.md

@@ -0,0 +1,27 @@
+
+NOTE: In progress
+
+# Header
+
+* 0-4: "magic" = "EALF"
+* 5-8: number of hash rows
+* 9-12: file size in bytes
+* 13: ?? Hash function, 00 = sha1, 01 = sha256
+* Zeros?
+* 30: UInt16 Offset to hash table
+* 32: UInt16 Number of Unicode-16 characters following
+* 34: - NULL = UTF-16 null terminated EFI version string
+
+# 60 byte "rows"
+* 1 byte FD region (see `fdutil`)
+    * 0 = FD header / region
+    * 1 = BIOS / EFI
+    * 2 = Intel ME (Code + Data)
+    * 3 = Gigabit Ethernet (Unused)
+    * 4 = Platform Data & Bootloader
+* 1 byte sub-region
+* 2 byte index
+* 4 byte offset
+* 4 byte size
+* 16 bytes GUID for section or "FF"
+* 32 bytes SHA256 for section

data/README.md

@@ -1,8 +1,10 @@
-# Efivalidate
+# `efivalidate`
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/efivalidate`. To experiment with that code, run `bin/console` for an interactive prompt.
+Important: See `FORMAT.md`
 
-TODO: Delete this and the text above, and describe your gem
+`efivalidate` is a ruby utility to take a given input EFI payload from macOS and to compare it against
+Apple's validation schema.  Being written in ruby this can occur off-box to ensure that the utility itself
+hasn't been compromised
 
 ## Installation
 
@@ -22,7 +24,20 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+    $ efivalidate
+
+    Usage: efivalidate {input.bin} [PARAMS]
+
+      {input.bin} is a EFI payload saved using either `eficheck` or `BootRomFlash.efi`
+
+      --download-signatures
+
+          Attempts to download Apple's EFI signatures from their update service
+
+      --signatures-path
+
+          Points to a path on disk where known EFI signatures exist
+
 
 ## Development
 

data/efivalidate.gemspec

@@ -5,12 +5,12 @@ require "efivalidate/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "efivalidate"
-  spec.version       = Efivalidate::VERSION
+  spec.version       = EFIValidate::VERSION
   spec.authors       = ["Rick Mark"]
-  spec.email         = ["rickmark@outlook.com"]
+  spec.email         = ["rickmark@dropbox.com"]
 
   spec.summary       = %q{Validate Apple EFI images offline}
-  spec.description   = %q{Validate Apple EFI images offline}
+  spec.description   = %q{Implements an algorithm to compare Apple EFI against their EALF baselines.}
   spec.homepage      = "https://github.com/rickmark/efivalidate"
   spec.license       = "MIT"
 
@@ -30,6 +30,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_runtime_dependency 'iostruct', '~> 0.0.4'
+  spec.add_runtime_dependency 'uuidtools', '~> 2.1'
+
   spec.add_development_dependency "bundler", "~> 1.15"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"

data/exe/efivalidate

@@ -1,3 +1,29 @@
 #!/usr/bin/env ruby
+require 'bundler/setup'
 
 require "efivalidate"
+require 'optionparser'
+
+if ARGV.count != 2
+  puts "efivalidate EFI_FILE EALF_FILE"
+  exit -1
+end
+
+efi = ARGV[0]
+ealf = ARGV[1]
+
+parser = EFIValidate::EALFParser.read ealf
+validator = EFIValidate::EFIValidator.new parser, File.open(efi)
+
+validator.validate
+
+if validator.is_valid?
+  puts "EFI file matches EALF baseline. (#{parser.rows.count} hashes match)"
+else
+  puts "EFI file matched #{parser.rows.count - validator.errors.count} hashes from EALF.\n"
+  puts "EFI file has #{validator.errors.count} hash errors:\n\n"
+  validator.errors.each do |error|
+    puts "Actual Hash: #{error.hash}"
+    puts "Expected Hash from EALF:\n#{error.row.to_s}\n\n"
+  end
+end

data/lib/efivalidate/ealf_header.rb

@@ -0,0 +1,32 @@
+module EFIValidate
+  class EALFHeader < IOStruct.new 'a4LLC',
+                                  :ealf_magic,
+                                  :ealf_rows,
+                                  :ealf_size,
+                                  :ealf_hash_function,
+                                  :ealf_zeros,
+                                  :ealf_row_offset,
+                                  :ealf_signature_size
+
+    EALF_MAGIC = 'EALF'.freeze
+
+    EALF_ROW_SIZE = 28
+
+    EALF_HASH_FUNCTIONS = { 0 => { size: 20, function: -> { Digest::SHA1.new } }, 1 => { size: 32, funciton: -> { Digest::SHA2.new(256)} } }
+
+    EALF_HASH_SHA1 = 0
+    EALF_HASH_SHA256 = 1
+
+    def row_size
+      EALF_ROW_SIZE + self.hash_size
+    end
+
+    def hash_size
+      EFIValidate::EALFHeader::EALF_HASH_FUNCTIONS[self.ealf_hash_function][:size]
+    end
+
+    def create_hash
+      EFIValidate::EALFHeader::EALF_HASH_FUNCTIONS[self.ealf_hash_function][:funciton].call
+    end
+  end
+end

data/lib/efivalidate/ealf_parser.rb

@@ -0,0 +1,23 @@
+module EFIValidate
+  class EALFParser
+    class EALFParseError < Exception; end
+
+    attr_reader :header, :rows
+
+    def initialize(data)
+      @header = EFIValidate::EALFHeader.read(data, 97)
+
+      raise EALFParseError, 'File header magic mismatch.' unless @header.ealf_magic == EFIValidate::EALFHeader::EALF_MAGIC
+      raise EALFParseError, 'Only SHA256 EALF is supported.' unless @header.ealf_hash_function == EFIValidate::EALFHeader::EALF_HASH_SHA256
+
+      @rows = []
+      @header.ealf_rows.times do
+        @rows << EFIValidate::EALFRow.read(data, @header.row_size).tap { |row| row.header = @header }
+      end
+    end
+
+    def self.read(file)
+      EFIValidate::EALFParser.new(File.open(file))
+    end
+  end
+end

data/lib/efivalidate/ealf_row.rb

@@ -0,0 +1,30 @@
+require 'uuidtools'
+
+module EFIValidate
+  # A class that represents a region of an EFI firmware with a valid hash for the region
+  #
+  # A EALF file is a collection of regions an
+  class EALFRow < IOStruct.new 'CCvLLa16a*',
+                               :ealf_component,
+                               :ealf_region,
+                               :ealf_master,
+                               :ealf_offset,
+                               :ealf_length,
+                               :ealf_uuid,
+                               :ealf_hash
+
+    attr_accessor :header
+
+    def hash
+      self.ealf_hash.each_byte.map { |b| '%02x' % b }.join
+    end
+
+    def uuid
+      UUIDTools::UUID.parse_raw(self.ealf_uuid)
+    end
+
+    def to_s
+      "<#{'%02x' % ealf_component}:#{ '%02x' % self.ealf_region }:#{ "%04x" % self.ealf_master }:#{ "%08x" % self.ealf_offset }:#{ "%08x" % self.ealf_length}:#{self.uuid}:#{self.hash}>"
+    end
+  end
+end

data/lib/efivalidate/efi_validation_error.rb

@@ -0,0 +1,15 @@
+module EFIValidate
+  class EFIValidationError
+    attr_reader :row, :data, :hash
+
+    def initialize(row, data, hash)
+      @row = row
+      @data = data
+      @hash = hash
+    end
+
+    def to_s
+      @row.to_s
+    end
+  end
+end

data/lib/efivalidate/efi_validator.rb

@@ -0,0 +1,35 @@
+module EFIValidate
+  class EFIValidator
+    attr_reader :parser, :data, :errors
+
+    def initialize(parser, data)
+      @parser = parser
+      @data = data
+    end
+
+
+    def validate!
+      @errors = []
+
+      @parser.rows.each do |row|
+        @data.seek row.ealf_offset
+
+        section_data = @data.read row.ealf_length
+
+        calculated_hash = @parser.header.create_hash.hexdigest section_data
+
+        @errors << EFIValidationError.new(row, section_data, calculated_hash) unless calculated_hash == row.hash
+      end
+    end
+
+    def validate
+      self.validate! unless @errors
+    end
+
+    def is_valid?
+      self.validate
+
+      self.errors.count == 0
+    end
+  end
+end

data/lib/efivalidate/intel_firmware_descriptor.rb

@@ -0,0 +1,9 @@
+module EFIValidate
+  class IntelFirmwareDescriptor
+
+
+    def initalize(data)
+
+    end
+  end
+end

data/lib/efivalidate/version.rb

@@ -1,3 +1,3 @@
-module Efivalidate
-  VERSION = "0.1.0"
+module EFIValidate
+  VERSION = "1.0.0"
 end

data/lib/efivalidate.rb

@@ -1,5 +1,11 @@
 require "efivalidate/version"
+require 'iostruct'
 
-module Efivalidate
+module EFIValidate
   # Your code goes here...
+  autoload :EALFHeader, 'efivalidate/ealf_header'
+  autoload :EALFRow, 'efivalidate/ealf_row'
+  autoload :EALFParser, 'efivalidate/ealf_parser'
+  autoload :EFIValidator, 'efivalidate/efi_validator'
+  autoload :EFIValidationError, 'efivalidate/efi_validation_error'
 end

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: efivalidate
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Rick Mark
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-10-25 00:00:00.000000000 Z
+date: 2017-12-24 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: iostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+- !ruby/object:Gem::Dependency
+  name: uuidtools
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -52,9 +80,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: Validate Apple EFI images offline
+description: Implements an algorithm to compare Apple EFI against their EALF baselines.
 email:
-- rickmark@outlook.com
+- rickmark@dropbox.com
 executables:
 - efivalidate
 extensions: []
@@ -64,6 +92,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - CODE_OF_CONDUCT.md
+- FORMAT.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -73,6 +102,12 @@ files:
 - efivalidate.gemspec
 - exe/efivalidate
 - lib/efivalidate.rb
+- lib/efivalidate/ealf_header.rb
+- lib/efivalidate/ealf_parser.rb
+- lib/efivalidate/ealf_row.rb
+- lib/efivalidate/efi_validation_error.rb
+- lib/efivalidate/efi_validator.rb
+- lib/efivalidate/intel_firmware_descriptor.rb
 - lib/efivalidate/version.rb
 homepage: https://github.com/rickmark/efivalidate
 licenses:
@@ -95,7 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Validate Apple EFI images offline