<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/include, branch 15.7</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.7</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.7'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2022-11-16T21:35:47+00:00</updated>
<entry>
<title>Bump grub's sbat requirement to grub,3</title>
<updated>2022-11-16T21:35:47+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-16T18:25:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=dd8be98cf0fceddd9f156d2917565b18d38c4830'/>
<id>urn:sha1:dd8be98cf0fceddd9f156d2917565b18d38c4830</id>
<content type='text'>
Due to the issues addressed in the 2022-11-15 batch of grub CVEs[0], we
need to bump the sbat version from grub.  This patch changes it from 2
to 3.

[0] https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>shim: Flush the memory region from i-cache before execution</title>
<updated>2022-10-04T17:53:11+00:00</updated>
<author>
<name>dann frazier</name>
<email>dann.frazier@canonical.com</email>
</author>
<published>2022-09-06T15:28:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=5c537b3d0cf8c393dad2e61d49aade68f3af1401'/>
<id>urn:sha1:5c537b3d0cf8c393dad2e61d49aade68f3af1401</id>
<content type='text'>
We've seen crashes in early GRUB code on an ARM Cortex-A72-based
platform that point at seemingly harmless instructions. Flushing
the i-cache of those instructions prior to executing has been
shown to avoid the problem, which has parallels with this story:
  https://www.mail-archive.com/osv-dev@googlegroups.com/msg06203.html

Add a cache flushing utility function and provide an implementation
using a GCC intrinsic. This will need to be extended to support other
compilers. Note that this intrinsic is a no-op for x86 platforms.

This fixes issue #498.

Signed-off-by: dann frazier &lt;dann.frazier@canonical.com&gt;
</content>
</entry>
<entry>
<title>Discard load-options that start with a NUL</title>
<updated>2022-09-01T19:38:02+00:00</updated>
<author>
<name>Robbie Harwood</name>
<email>rharwood@redhat.com</email>
</author>
<published>2022-08-23T16:07:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=14d63398298c8de23036a4cf61594108b7345863'/>
<id>urn:sha1:14d63398298c8de23036a4cf61594108b7345863</id>
<content type='text'>
In 6c8d08c0af4768c715b79c8ec25141d56e34f8b4 ("shim: Ignore UEFI
LoadOptions that are just NUL characters."), a check was added to
discard load options that are entirely NUL.  We now see some firmwares
that start LoadOptions with a NUL, and then follow it with garbage (path
to directory containing loaders).  Widen the check to just discard
anything that starts with a NUL.

Resolves: #490
Related: #95
See-also: https://bugzilla.redhat.com/show_bug.cgi?id=2113005
Signed-off-by: Robbie Harwood &lt;rharwood@redhat.com&gt;
</content>
</entry>
<entry>
<title>Enable TDX measurement to RTMR register</title>
<updated>2022-08-16T21:45:30+00:00</updated>
<author>
<name>Lu Ken</name>
<email>ken.lu@intel.com</email>
</author>
<published>2022-05-22T08:02:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=4fd484e4c29364b4fdf4d043556fa0a210c5fdfc'/>
<id>urn:sha1:4fd484e4c29364b4fdf4d043556fa0a210c5fdfc</id>
<content type='text'>
Intel Trust Domain Extensions (Intel TDX) extends Virtual Machine
Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a
new kind of virtual machine guest called a Trust Domain (TD) [1].  A TD
runs in a CPU mode that is designed to protect the confidentiality of
its memory contents and its CPU state from any other software, including
the hosting Virtual Machine Monitor (VMM).

Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX
implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla
for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625.

To support CC measurement/attestation with Intel TDX technology, these 4
RTMR registers will be extended by TDX service like TPM/TPM2 PCR:

- RTMR[0] for TDVF configuration
- RTMR[1] for the TD OS loader and kernel
- RTMR[2] for the OS application
- RTMR[3] reserved for special usage only

Add a TDX Implementation for CC Measurement protocol along with
TPM/TPM2 protocol.

References:
[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
[3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf

Signed-off-by: Lu Ken &lt;ken.lu@intel.com&gt;
[rharwood: style pass on code and commit message]
Signed-off-by: Robbie Harwood &lt;rharwood@redhat.com&gt;
</content>
</entry>
<entry>
<title>Make SBAT variable payload introspectable</title>
<updated>2022-08-03T18:54:57+00:00</updated>
<author>
<name>Chris Coulson</name>
<email>chris.coulson@canonical.com</email>
</author>
<published>2022-05-31T21:21:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=0eb07e11b20680200d3ce9c5bc59299121a75388'/>
<id>urn:sha1:0eb07e11b20680200d3ce9c5bc59299121a75388</id>
<content type='text'>
Given a set of EFI variables and boot assets, it should be possible
to compute what the value of PCR 7 will be on the next boot.

As shim manages the contents of the SbatLevel variable and this is
measured to PCR 7, export the payloads that shim contains in a new
COFF section (.sbatlevel) so that it can be introspected by code
outside of shim.

The new section works a bit like .vendor_cert - it contains a header
and then the payload. In this case, the header contains no size fields
because the strings are NULL terminated. Shim uses this new section
internally in set_sbat_uefi_variable.

The .sbatlevel section starts with a 4 byte version field which is
not used by shim but may be useful for external auditors if the
format of the section contents changes in the future.

Signed-off-by: Chris Coulson &lt;chris.coulson@canonical.com&gt;
</content>
</entry>
<entry>
<title>Update SBAT generation requirements for 05/24/22</title>
<updated>2022-05-24T20:28:35+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2022-05-10T21:09:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=9a09faf390eea083c3bef1b07c7e043ebe0cc1f6'/>
<id>urn:sha1:9a09faf390eea083c3bef1b07c7e043ebe0cc1f6</id>
<content type='text'>
bump shim SBAT generation requirement to 2 for CVE-2022-28737
bump GRUB2 SBAT generation requirement to 2 for CVE-2021-3695

Signed-off-by: Jan Setje-Eilers &lt;jan.setjeeilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Give the Coverity scanner some more GCC blinders...</title>
<updated>2022-05-23T20:49:53+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-05-19T19:55:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=aa61fdf490d16aaa23de0cbe5e9f16d3bc72e582'/>
<id>urn:sha1:aa61fdf490d16aaa23de0cbe5e9f16d3bc72e582</id>
<content type='text'>
Coverity complains:

  CID 373676 (#3 of 3): Unrecoverable parse warning (PARSE_ERROR)
  1. arguments_provided_for_attribute: attribute "__malloc__" does not take arguments

This is, of course, just plain wrong.  Even so, I'm tired of looking at
it, so this patch wraps the #define we use for that attribute in a check
to see if it's being built by Coverity.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>sbat policy: make our policy change actions symbolic</title>
<updated>2022-05-18T20:37:23+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-05-18T19:14:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=a50d3645467fcfef970a00154d6d49494355afc9'/>
<id>urn:sha1:a50d3645467fcfef970a00154d6d49494355afc9</id>
<content type='text'>
There are a couple of places where the code we've got right now just
uses integers to decode one of our MoK variables.  That's bad.

This patch replaces those with symbolic names.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>peimage.h: make our signature macros force the type</title>
<updated>2022-05-18T20:37:23+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-05-18T18:54:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=f28833f7cbb3f536081b19c8a2cc6f709e772128'/>
<id>urn:sha1:f28833f7cbb3f536081b19c8a2cc6f709e772128</id>
<content type='text'>
scan-build invoked clang in a way that complains about our
SIGNATURE_XX() macro's sizes being used to assign to things that are
that size in post-process-pe.c.

This patch makes them cast the results to the appropriately sized type.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>sbat.h: minor reformatting for legibility</title>
<updated>2022-05-18T20:37:23+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-05-18T18:39:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=610a1ac7614d2ad97b81b250dc37643df610d4f5'/>
<id>urn:sha1:610a1ac7614d2ad97b81b250dc37643df610d4f5</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
