| author | Javier Martinez Canillas <javierm@redhat.com> | 2021-02-17 14:03:48 +0100 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2021-02-19 14:28:10 -0500 |
| commit | 8e34030ba544b4583c87e070d1a1e0e6b9ff5d60 (patch) | |
| tree | d2d5d80f1f814e519bc85c9e0ed2c768029e4a9f | |
| parent | 1919b566b05cf4fb582acf4f137764abeefd6b29 (diff) | |
sbat: make shim to parse it's own .sbat section on init
This is needed for shim to verify itself when booting, to make sure that
shim binaries can't be executed anymore after being revoked by SBAT.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
| -rw-r--r-- | include/pe.h | 3 | ||||
| -rw-r--r-- | include/sbat.h | 2 | ||||
| -rw-r--r-- | pe.c | 2 | ||||
| -rw-r--r-- | shim.c | 15 |
4 files changed, 21 insertions, 1 deletions
diff --git a/include/pe.h b/include/pe.h
index 7f2236e4..79bf440c 100644
--- a/include/pe.h
+++ b/include/pe.h
@@ -15,6 +15,9 @@ read_header(void *data, unsigned int datasize,
 	    PE_COFF_LOADER_IMAGE_CONTEXT *context);
 
 EFI_STATUS
+handle_sbat(char *SBATBase, size_t SBATSize);
+
+EFI_STATUS
 handle_image (void *data, unsigned int datasize,
 	      EFI_LOADED_IMAGE *li,
 	      EFI_IMAGE_ENTRY_POINT *entry_point,
diff --git a/include/sbat.h b/include/sbat.h
index 9230b587..ffde202d 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -6,6 +6,8 @@
 #ifndef SBAT_H_
 #define SBAT_H_
 
+extern UINTN _sbat, _esbat;
+
 struct sbat_var {
 	const CHAR8 *component_name;
 	const CHAR8 *component_generation;
@@ -823,7 +823,7 @@ read_header(void *data, unsigned int datasize,
 	return EFI_SUCCESS;
 }
 
-static EFI_STATUS
+EFI_STATUS
 handle_sbat(char *SBATBase, size_t SBATSize)
 {
 	unsigned int i;
@@ -1858,12 +1858,14 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		L"import_mok_state() failed",
 		L"shim_init() failed",
 		L"import of SBAT data failed",
+		L"SBAT self-check failed",
 		NULL
 	};
 	enum {
 		IMPORT_MOK_STATE,
 		SHIM_INIT,
 		IMPORT_SBAT,
+		SBAT_SELF_CHECK,
 	} msg = IMPORT_MOK_STATE;
 
 	/*
@@ -1908,6 +1910,19 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		goto die;
 	}
 
+	if (secure_mode ()) {
+		char *sbat_start = (char *)&_sbat;
+		char *sbat_end = (char *)&_esbat;
+
+		efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
+		if (EFI_ERROR(efi_status)) {
+			perror(L"Verifiying shim SBAT data failed: %r\n",
+			       efi_status);
+			msg = SBAT_SELF_CHECK;;
+			goto die;
+		}
+	}
+
 	init_openssl();
 
 	/* |
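Review bot: In the shim.c hunk that adds the self-check (`@@ -1908,6 +1910,19 @@`), the failure path has a stray double semicolon and a typo in the user-visible message; the two lines should read `perror(L"Verifying shim SBAT data failed: %r\n", efi_status);` and `msg = SBAT_SELF_CHECK;`. The length handed to handle_sbat is the pointer difference `sbat_end - sbat_start`, a ptrdiff_t silently converted to size_t, so if the linker-provided `_sbat`/`_esbat` symbols were ever laid out in the other order the call would receive an enormous length; a guard such as `if (sbat_end < sbat_start) { efi_status = EFI_INVALID_PARAMETER; goto die; }` or at least a comment stating the layout assumption seems warranted, since handle_sbat's body is outside this diff and I cannot tell whether it rejects a zero or oversized length. The check is also only run under secure_mode(), and a one-line comment such as `/* Refuse to continue if shim's own SBAT generation has been revoked; enforced only under Secure Boot */` would make that intent explicit to the next reader. efi_main starts and ends outside the hunk.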
