(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=12 2017-04-27T14:58:33+00:00 2017-04-27T14:58:33+00:00 Peter Jones pjones@redhat.com 2017-04-27T14:38:57+00:00 urn:sha1:ea5f7e15971358b972b3a42656f316db588f5311 Since 87060b2fc effectively means signing with signtool.exe simply does not work correctly, and that's sort of the biggest goal for shim, make this version 12. Signed-off-by: Peter Jones <pjones@redhat.com> 2017-04-27T14:58:33+00:00 John S. Gruber JohnSGruber@gmail.com 2017-04-24T18:44:59+00:00 urn:sha1:f4810191576cd4c766633442f6e7c5e2208c8f62 start is a UCS-2 character pointer and loader_len is a number of bytes. Adjust loader_len to count characters before adding to the start pointer. 2017-04-27T01:52:23+00:00 Peter Jones pjones@redhat.com 2017-04-27T01:52:23+00:00 urn:sha1:5c3bf329088f62094ddfd24e3b1c15a312102ce8 When I added 4990d3f I inadvertantly made .data.ident and .rela.got sections appear in the top-level section headers at file offsets not aligned with PE->OptionalHeader.FileAlignment. This results in a section table that looks like: Sections: Idx Name Size VMA LMA File off Algn 0 .eh_frame 00018648 0000000000005000 0000000000005000 00000400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 00093f45 000000000001e000 000000000001e000 00018c00 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 .reloc 0000000a 00000000000b2000 00000000000b2000 000acc00 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .data.ident 000000e4 00000000000b3040 00000000000b3040 000ace40 2**5 CONTENTS, ALLOC, LOAD, DATA 4 .data 000291e8 00000000000b4000 00000000000b4000 000ad200 2**5 CONTENTS, ALLOC, LOAD, DATA 5 .vendor_cert 000003e2 00000000000de000 00000000000de000 000d6400 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 6 .dynamic 000000f0 00000000000df000 00000000000df000 000d6800 2**3 CONTENTS, ALLOC, LOAD, DATA 7 .rela 0001aef8 00000000000e0000 00000000000e0000 000d6a00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 8 .rela.got 00000060 00000000000faef8 00000000000faef8 000f1af8 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 9 .dynsym 0000ecd0 00000000000fb000 00000000000fb000 000f1e00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA rather than: Sections: Idx Name Size VMA LMA File off Algn 0 .eh_frame 00018118 0000000000005000 0000000000005000 00000400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 00091898 000000000001e000 000000000001e000 00018600 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 .reloc 0000000a 00000000000b0000 00000000000b0000 000aa000 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .data 00028848 00000000000b1000 00000000000b1000 000aa200 2**5 CONTENTS, ALLOC, LOAD, DATA 4 .vendor_cert 00000449 00000000000da000 00000000000da000 000d2c00 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 5 .dynamic 00000100 00000000000db000 00000000000db000 000d3200 2**3 CONTENTS, ALLOC, LOAD, DATA 6 .rela 0001ae50 00000000000dc000 00000000000dc000 000d3400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 7 .dynsym 0000ea78 00000000000f7000 00000000000f7000 000ee400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA (Note "File off" on sections #3 and #8 on the top one.) This seems to work fine with edk2's loader and shim's loader, as well as their Authenticode implementation, and pesign's as well. While PE loaders seem to be fine with sections with alignments smaller than PE->OptionalHeader.FileAlignment, MS's signtool.exe does ... something else with them. I'm not sure what. What it definitely does *not* do is extend the digest based on their file offset and size. So just don't allow anything that small, and don't allow anything smaller than SectionAlignment either, just to be on the safe side. Since most of our stuff gets stripped into the debuginfo anyway, and shim has relatively few sections, this should not be a very large burden. So just to be clear: If you have a binary with a section that's not aligned on PE->OptionalHeader.FileAlignment: - pesign hashes it to A - tiano hashes it to A - shim hashes it to A - signtool.exe hashes it to B Because that makes sense. This patch works around the bug in signtool.exe . Signed-off-by: Peter Jones <pjones@redhat.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-10T09:40:06+00:00 urn:sha1:513cbe2aea689bf968f171f894f3d4cdb43524d5 CryptPem only provides one function: RsaGetPrivateKeyFromPem(). Since we don't need to retrieve any private key, it's safe to disable the function. Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-10T09:23:29+00:00 urn:sha1:e9cc33d6f2b7f35c6f5e349fd83fb9ae0bc66226 Disable DES completely since it's already old and insecure. This makes MokManager not support the DES based password hash but probably no one is using it. Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-10T08:55:17+00:00 urn:sha1:80d49f758ead0180bfe6161931838e0578248303 MD4 is known to be insecure and shim never uses it. Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-07T09:14:09+00:00 urn:sha1:9bc647e2b23bcfd69a0077c0717fbc454c919a57 strcmp() and strcasecmp() are widely used in openssl. Implement those two functions to eliminate the gcc warnings and the potential crash. Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-07T07:57:09+00:00 urn:sha1:ae75df6232ad30f3e8736e9449692d58a7439260 X509_get_notBefore -> X509_getm_notBefore X509_get_notAfter -> X509_getm_notAfter Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-07T04:32:24+00:00 urn:sha1:e883479f35644d17db7efed710657c8543cfcb68 - Declare some functions in the proper headers + We missed them for a long time... - Cast offsetof to UINTN + The original casting triggers the gcc warning since int can not present the offset for the 64bit machines. - Cast the "char" array to "CHAR8 *" to avoid the gcc warnings - Implement atoi correctly Signed-off-by: Gary Lin <glin@suse.com> 2017-04-11T14:42:19+00:00 Gary Lin glin@suse.com 2017-04-07T03:27:26+00:00 urn:sha1:97469449fda5ba933a64280917e776487301a127 The changes in the openssl headers cause the inclusion of CrtLibSupport.h eariler than the inclusion of stddef.h, so "offsetof" was defined twice and this caused the followling build error: In file included from Cryptlib/Include/openssl/buffer.h:23:0, from Cryptlib/Include/openssl/x509.h:22, from shim.c:56: /usr/lib64/gcc/x86_64-suse-linux/6/include/stddef.h:417:0: error: "offsetof" redefined [-Werror] #define offsetof(TYPE, MEMBER) __builtin_offsetof (TYPE, MEMBER) In file included from Cryptlib/Include/limits.h:15:0, from Cryptlib/Include/openssl/ossl_typ.h:13, from Cryptlib/Include/openssl/x509.h:20, from shim.c:56: Cryptlib/Include/CrtLibSupport.h:192:0: note: this is the location of the previous definition #define offsetof(type, member) ( (int) & ((type*)0) -> member ) We can lower the priority of the gcc include path or just remove the path, but this might cause problem since the path was introduced on purpose(*). Instead, including stddef.h first is more feasible. (*) https://github.com/rhinstaller/shim/commit/d51739a416400ad348d8a1c7e3886abce11fff1b Signed-off-by: Gary Lin <glin@suse.com>