(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=0.8 2014-10-13T20:41:51+00:00 2014-10-13T20:41:51+00:00 Peter Jones pjones@redhat.com 2014-10-13T20:41:51+00:00 urn:sha1:4316fbd2a2bab522c4fffff5338441654eefd4b6 2014-10-02T05:01:54+00:00 Peter Jones pjones@redhat.com 2014-09-21T17:50:13+00:00 urn:sha1:6a115d038af259dd5b42f1651193eb0b8a83a5c8 I'm going to have to fix any errors that have this anyway, so may as well do it here properly. Signed-off-by: Peter Jones <pjones@redhat.com> 2014-10-01T02:49:21+00:00 Peter Jones pjones@redhat.com 2014-10-01T02:47:39+00:00 urn:sha1:c6281c6a195edee611858a8d802ff5f3dee34aa5 Revert "Do the same for ia32..." and "Generate a sane PE header on shim, fallback, and MokManager." This reverts commit 6744a7ef8eca44948565c3d1244ec931ed3f6fee. and commit 0e7ba5947eb38b79de2051ecf3b95055e620475c. These are premature and I can do this without such drastic measures. Signed-off-by: Peter Jones <pjones@redhat.com> 2014-09-21T20:25:27+00:00 Peter Jones pjones@redhat.com 2014-09-21T17:11:11+00:00 urn:sha1:6744a7ef8eca44948565c3d1244ec931ed3f6fee Once again, on ia32 this time, we see: 00000120 47 84 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 |G...............| Which is where the pointer on ia32 for the Base Relocation Table should be. It points to 0x8447, which isn't a particularly reasonable address as numbers go, and happens to have this data there: 00008440 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 65 00 |o.n.f.i.g.u.r.e.| 00008450 00 00 49 00 50 00 76 00 36 00 28 00 00 00 2c 00 |..I.P.v.6.(...,.| 00008460 25 00 73 00 2c 00 00 00 29 00 00 00 25 00 64 00 |%.s.,...)...%.d.| 00008470 2e 00 25 00 64 00 2e 00 25 00 64 00 2e 00 25 00 |..%.d...%.d...%.| 00008480 64 00 00 00 44 00 48 00 43 00 50 00 00 00 49 00 |d...D.H.C.P...I.| 00008490 50 00 76 00 34 00 28 00 00 00 2c 00 25 00 73 00 |P.v.4.(...,.%.s.| And so that table is, in theory, this part: 00008447 00 67 00 75 00 72 00 65 00 | .g.u.r.e.| 00008450 00 |. | Which is pretty clearly not a pointer table of any kind. So give ia32 the same treatment as x86_64, and now all arches work basically the same. Signed-off-by: Peter Jones <pjones@redhat.com> 2014-09-21T20:25:27+00:00 Peter Jones pjones@redhat.com 2014-09-20T18:03:03+00:00 urn:sha1:0e7ba5947eb38b79de2051ecf3b95055e620475c It turns out a7249a65 was masking a second problem - on some binaries, when we actually don't have any base relocations at all, binutils' "objcopy --target efi-app-x86_64" is generating a PE header with a base relocations pointer that happily points into the middle of our text section. So with shim processing base relocations correctly, it refuses to load those binaries. For example, on one binary I just built: 00000130 00 a0 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 |................| which says there's a Base Relocation Table at 0xa000 that's 0xa bytes long. That's here: 0000a000 58 00 29 00 00 00 00 00 48 00 44 00 28 00 50 00 |X.).....H.D.(.P.| 0000a010 61 00 72 00 74 00 25 00 64 00 2c 00 53 00 69 00 |a.r.t.%.d.,.S.i.| 0000a020 67 00 25 00 67 00 29 00 00 00 00 00 00 00 00 00 |g.%.g.).........| 0000a030 48 00 44 00 28 00 50 00 61 00 72 00 74 00 25 00 |H.D.(.P.a.r.t.%.| So the table is: 0000a000 58 00 29 00 00 00 00 00 48 00 |X.).....H. | That wouldn't be so bad, except those binaries are MokManager.efi, fallback.efi, and shim.efi, and sometimes they're .reloc, which we're actually trying to handle correctly now because grub builds with a real and valid .reloc table. So though I didn't think there was any hair left on this yak, more shaving ensues. With this change, instead of letting objcopy do whatever it likes, we switch to "-O binary" and merely link in a header that's appropriate for our binaries. This is the same method Ard wrote for aarch64, and it seems to work fine in either place (modulo some minor changes.) At some point this should be merged into gnu-efi instead of carrying our own crt0-efi-x86_64.S, but that's a less immediate problem. I did not need this problem. Signed-off-by: Peter Jones <pjones@redhat.com> 2014-08-12T14:54:05+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2014-08-12T13:33:22+00:00 urn:sha1:fa525bc4632e04346fae82a98ce23b31c6cfc86d This adds support for building the shim for a 32-bit ARM UEFI environment. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2014-08-12T14:54:05+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2014-08-12T13:33:21+00:00 urn:sha1:04cba93d64b5ffd3a05be82aacea5c2b2d0ea94c This adds support for building the shim for a 64-bit ARM UEFI environment. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2014-08-12T14:54:05+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2014-08-12T13:33:20+00:00 urn:sha1:99d7b5e858945b8bb160fe3fea77596b2daf07ff This patch cleans up and refactors the Makefiles to better allow new architectures to be added: - remove unused Makefile definitions - import Makefile definitions from top level rather than redefining - move x86 specific CFLAGS to inside ifeq() blocks - remove x86 inline asm - allow $(FORMAT) to be overridden: this is necessary as there exists no EFI or PE/COFF aware objcopy for ARM Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2014-06-25T14:03:08+00:00 Gary Ching-Pang Lin glin@suse.com 2013-11-04T09:51:55+00:00 urn:sha1:09283f08f001305db5a3299b53acba85bf6c9876 If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the embedded shim.cer, it failed to load MokManager.efi.signed and fallback.efi.signed. Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> 2014-04-11T18:41:22+00:00 Kees Cook kees@outflux.net 2012-12-03T23:52:48+00:00 urn:sha1:5495694c043de510aaf8ff5dcbe17b6547794083 This adds additional bounds-checking on the section sizes. Also adds -Wsign-compare to the Makefile and replaces some signed variables with unsigned counteparts for robustness. Signed-off-by: Kees Cook <kees@ubuntu.com>