<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/Makefile, branch 15.8</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2024-01-22T19:18:05+00:00</updated>
<entry>
<title>Bump version to 15.8</title>
<updated>2024-01-22T19:18:05+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-09-25T18:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=5914984a1ffeab841f482c791426d7ca9935a5e6'/>
<id>urn:sha1:5914984a1ffeab841f482c791426d7ca9935a5e6</id>
<content type='text'>
What's changed
* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539
* test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547
* Block Debian grub binaries with SBAT &lt; 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560
* pe: only process RelocDir-&gt;Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563
* Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565
* SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569
* Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576
* mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577
* Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578
* Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581
* Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587
* Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>compile_commands.json: remove stuff clang doesn't like</title>
<updated>2023-08-25T18:14:45+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-08-22T16:43:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7ba7440c49d32f911fb9e1c213307947a777085d'/>
<id>urn:sha1:7ba7440c49d32f911fb9e1c213307947a777085d</id>
<content type='text'>
This is a "creature comfort" change to make it so gcc-specific options
don't make it into compile_commands.json.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Make some of the static analysis tools a little easier to run</title>
<updated>2023-08-25T18:14:45+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-08-22T16:41:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=04111d41f03b6de060209d417f5d18cce3ab2ea2'/>
<id>urn:sha1:04111d41f03b6de060209d417f5d18cce3ab2ea2</id>
<content type='text'>
With "gcc -fanalyzer" and "scan-build", it's convenient to be able to
continue even though the compiler has returned an error on one or more
source files.

This makes it so compiler errors are ignored in some of those cases.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add libFuzzer support for csv.c</title>
<updated>2023-06-29T18:35:50+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-06-28T19:15:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=1578b55a70bd2204cb0ad6db18ae4c003494df81'/>
<id>urn:sha1:1578b55a70bd2204cb0ad6db18ae4c003494df81</id>
<content type='text'>
shim takes several forms of input from several sources that are not
necessarily trustworthy.  As such, we need to take measures to validate
that we don't have unacceptable results from bad inputs.  One such
measure is "fuzzing" the inputs which parse untrusted data by running
them with randomized or partially randomized input.

This change adds such testing using clang's "libFuzzer" to our CSV
parser.  I've run this on 24 cores at 4GHz for half an hour, and so far
each fuzzer has converged on 79% coverage.  I expect the 21% that's not
getting covered are the EFI API mock interfaces we're building in from
test.c and similar.  So far no errors have been found, which is what was
expected since this particular API is being manually fuzzed with ~8kB of
/dev/urandom on every build since 2021-02-23.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Split pe.c up even more.</title>
<updated>2023-06-23T21:13:13+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-04-28T18:44:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=996496065e9231dc51ca99b903615df8640bb797'/>
<id>urn:sha1:996496065e9231dc51ca99b903615df8640bb797</id>
<content type='text'>
This moves the parts of pe.c that *don't* depend on Cryptlib into
pe-relocate.c, so we can write test cases for them without having to
make a second openssl build without EFI support.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add a make rule for compile_commands.json</title>
<updated>2023-06-23T21:12:58+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-04-28T15:52:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=89d25a1c027688400371bcc9b4eb4d1481edee00'/>
<id>urn:sha1:89d25a1c027688400371bcc9b4eb4d1481edee00</id>
<content type='text'>
This adds a make rule to generate compile_commands.json, which some
verifier tools depend on.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Enable the NX compatibility flag by default.</title>
<updated>2023-01-27T18:03:31+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-17T17:31:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7c7642530fab73facaf3eac233cfbce29e10b0ef'/>
<id>urn:sha1:7c7642530fab73facaf3eac233cfbce29e10b0ef</id>
<content type='text'>
Currently by default, when we build shim we do not set the PE
NX-compatibility DLL Characteristic flag.  This signifies to the
firmware that shim (including the components it loads) is not prepared
for several related firmware changes:

- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
  permissions.

This patch changes that default to be enabled by default.  Distributors
of shim will need to ensure that either their builds disable this bit
(using "post-process-pe -N"), or that the bootloaders and kernels you
support loading are all compliant with this change.  A new make
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Update version to 15.7</title>
<updated>2022-11-16T21:35:47+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-16T18:28:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=11491619f4336fef41c3519877ba242161763580'/>
<id>urn:sha1:11491619f4336fef41c3519877ba242161763580</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Make SBAT variable payload introspectable</title>
<updated>2022-08-03T18:54:57+00:00</updated>
<author>
<name>Chris Coulson</name>
<email>chris.coulson@canonical.com</email>
</author>
<published>2022-05-31T21:21:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=0eb07e11b20680200d3ce9c5bc59299121a75388'/>
<id>urn:sha1:0eb07e11b20680200d3ce9c5bc59299121a75388</id>
<content type='text'>
Given a set of EFI variables and boot assets, it should be possible
to compute what the value of PCR 7 will be on the next boot.

As shim manages the contents of the SbatLevel variable and this is
measured to PCR 7, export the payloads that shim contains in a new
COFF section (.sbatlevel) so that it can be introspected by code
outside of shim.

The new section works a bit like .vendor_cert - it contains a header
and then the payload. In this case, the header contains no size fields
because the strings are NULL terminated. Shim uses this new section
internally in set_sbat_uefi_variable.

The .sbatlevel section starts with a 4 byte version field which is
not used by shim but may be useful for external auditors if the
format of the section contents changes in the future.

Signed-off-by: Chris Coulson &lt;chris.coulson@canonical.com&gt;
</content>
</entry>
<entry>
<title>bump version to shim-15.6</title>
<updated>2022-06-01T18:25:48+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-06-01T18:25:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=505cdb678b319fcf9a7fdee77c0f091b4147cbe5'/>
<id>urn:sha1:505cdb678b319fcf9a7fdee77c0f091b4147cbe5</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
