| author | Gary Lin <glin@suse.com> | 2018-12-19 12:40:02 +0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2020-07-23 20:52:12 -0400 |
| commit | 3d62232feb296b238ca5d7963ba40a2c346767e7 (patch) | |
| tree | cf16dac8e2b9bc5673a2a49898cd280e040dddde | |
| parent | 7a3638173e406ce7cbd682213606e3152244fcb2 (diff) | |
| download | efi-boot-shim-3d62232feb296b238ca5d7963ba40a2c346767e7.tar.gz efi-boot-shim-3d62232feb296b238ca5d7963ba40a2c346767e7.zip | |
mok: also mirror the build cert to MokListRT
If the build cert is enabled, we should also mirror it to MokListRT.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: aecbe1f99b6
| -rw-r--r-- | mok.c | 78 |
1 files changed, 72 insertions, 6 deletions
@@ -68,6 +68,10 @@ struct mok_state_variable {
 */
 UINT8 **addend_source;
 UINT32 *addend_size;
+#if defined(ENABLE_SHIM_CERT)
+ UINT8 **build_cert;
+ UINT32 *build_cert_size;
+#endif /* defined(ENABLE_SHIM_CERT) */
 UINT32 yes_attr;
 UINT32 no_attr;
 UINT32 flags;
@@ -90,6 +94,10 @@ struct mok_state_variable mok_state_variables[] = {
 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
 .addend_source = &vendor_cert,
 .addend_size = &vendor_cert_size,
+#if defined(ENABLE_SHIM_CERT)
+ .build_cert = &build_cert,
+ .build_cert_size = &build_cert_size,
+#endif /* defined(ENABLE_SHIM_CERT) */
 .flags = MOK_MIRROR_KEYDB | MOK_VARIABLE_LOG,
 .pcr = 14,
@@ -130,6 +138,22 @@ struct mok_state_variable mok_state_variables[] = {
 { NULL, }
 };
+inline BOOLEAN check_vendor_cert(struct mok_state_variable *v)
+{
+ return (v->addend_source && v->addend_size &&
+ *v->addend_source && *v->addend_size) ? TRUE : FALSE;
+}
+#if defined(ENABLE_SHIM_CERT)
+inline BOOLEAN check_build_cert(struct mok_state_variable *v)
+{
+ return (v->build_cert && v->build_cert_size &&
+ *v->build_cert && *v->build_cert_size) ? TRUE : FALSE;
+}
+#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v))
+#else
+#define check_addend(v) check_vendor_cert(v)
+#endif /* defined(ENABLE_SHIM_CERT) */
+
 static EFI_STATUS nonnull(1)
 mirror_one_mok_variable(struct mok_state_variable *v)
 {
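Review bot: check_vendor_cert and check_build_cert in the @@ -130 hunk are defined as plain `inline` with external linkage; under C99/C11 inline semantics such a definition emits no out-of-line symbol, so any call the compiler chooses not to inline fails to link, and it also exports a global name for what is a file-local helper. Making them `static inline BOOLEAN check_vendor_cert(const struct mok_state_variable *v)` (and the same for check_build_cert) fixes both, and `const` is correct since neither writes through v. If the build relies on gnu89 inline semantics this happens to link today, which is presumably why it went unnoticed. The new build_cert/build_cert_size members in the @@ -68 hunk would also benefit from a one-line comment such as `/* shim's own build cert, mirrored into the RT variable next to the addend */`, matching the comment block that ends just above addend_source.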
@@ -138,15 +162,27 @@ mirror_one_mok_variable(struct mok_state_variable *v)
 UINTN FullDataSize = 0;
 uint8_t *p = NULL;
- if ((v->flags & MOK_MIRROR_KEYDB) &&
- v->addend_source && *v->addend_source &&
- v->addend_size && *v->addend_size) {
+ if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) {
 EFI_SIGNATURE_LIST *CertList = NULL;
 EFI_SIGNATURE_DATA *CertData = NULL;
+#if defined(ENABLE_SHIM_CERT)
+ FullDataSize = v->data_size;
+ if (check_build_cert(v)) {
+ FullDataSize += sizeof (*CertList)
+ + sizeof (EFI_GUID)
+ + *v->build_cert_size;
+ }
+ if (check_vendor_cert(v)) {
+ FullDataSize += sizeof (*CertList)
+ + sizeof (EFI_GUID)
+ + *v->addend_size;
+ }
+#else
 FullDataSize = v->data_size
 + sizeof (*CertList)
 + sizeof (EFI_GUID)
 + *v->addend_size;
+#endif /* defined(ENABLE_SHIM_CERT) */
 FullData = AllocatePool(FullDataSize);
 if (!FullData) {
 perror(L"Failed to allocate space for MokListRT\n");
@@ -158,6 +194,35 @@ mirror_one_mok_variable(struct mok_state_variable *v)
 CopyMem(p, v->data, v->data_size);
 p += v->data_size;
 }
+
+#if defined(ENABLE_SHIM_CERT)
+ if (check_build_cert(v) == FALSE)
+ goto skip_build_cert;
+
+ CertList = (EFI_SIGNATURE_LIST *)p;
+ p += sizeof (*CertList);
+ CertData = (EFI_SIGNATURE_DATA *)p;
+ p += sizeof (EFI_GUID);
+
+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
+ CertList->SignatureListSize = *v->build_cert_size
+ + sizeof (*CertList)
+ + sizeof (*CertData)
+ -1;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = *v->build_cert_size
+ + sizeof (EFI_GUID);
+
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ CopyMem(p, *v->build_cert, *v->build_cert_size);
+
+ p += *v->build_cert_size;
+
+ if (check_vendor_cert(v) == FALSE)
+ goto skip_vendor_cert;
+skip_build_cert:
+#endif /* defined(ENABLE_SHIM_CERT) */
+
 CertList = (EFI_SIGNATURE_LIST *)p;
 p += sizeof (*CertList);
 CertData = (EFI_SIGNATURE_DATA *)p;
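Review bot: the build-cert serialization added in the @@ -158 hunk is a line-for-line copy of the vendor-cert block that follows it (whose tail runs past this hunk and ends at the `skip_vendor_cert:` label in the @@ -174 hunk), stitched to it with a goto ladder whose `skip_build_cert:` label lands between the two blocks, and the size accounting in the @@ -138 hunk repeats the same three terms a third time. Keeping the per-list size and the per-list write in one helper makes it structurally impossible for FullDataSize and the bytes actually written through p to drift apart, which is what keeps the AllocatePool'd buffer from being overrun if one copy is edited later; it also lets the `#else` branch of the size computation go, since check_vendor_cert is exactly check_addend when ENABLE_SHIM_CERT is off. Note too that SignatureListSize is built from `sizeof (*CertData) -1` while FullDataSize and SignatureSize use `sizeof (EFI_GUID)`; those agree only if EFI_SIGNATURE_DATA's trailing SignatureData[1] member is a single byte, as the UEFI definition has it, so writing `sizeof (EFI_GUID)` in all three places states the intent directly. The vendor-cert block outside this hunk would become the second call shown below.
```c
/* Append one X.509 EFI_SIGNATURE_LIST owned by SHIM_LOCK_GUID at p and
 * return the first byte after it.  The caller must have reserved
 * sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_GUID) + cert_size for it. */
static uint8_t *
append_x509_list(uint8_t *p, UINT8 *cert, UINT32 cert_size)
{
	EFI_SIGNATURE_LIST *CertList = (EFI_SIGNATURE_LIST *)p;
	EFI_SIGNATURE_DATA *CertData;

	p += sizeof (*CertList);
	CertData = (EFI_SIGNATURE_DATA *)p;
	p += sizeof (EFI_GUID);

	CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
	CertList->SignatureListSize = cert_size
				      + sizeof (*CertList)
				      + sizeof (EFI_GUID);
	CertList->SignatureHeaderSize = 0;
	CertList->SignatureSize = cert_size + sizeof (EFI_GUID);
	CertData->SignatureOwner = SHIM_LOCK_GUID;
	CopyMem(p, cert, cert_size);

	return p + cert_size;
}

/* … in mirror_one_mok_variable(), replacing both goto-stitched blocks;
 * unchanged: FullDataSize accounting, AllocatePool, copy of v->data … */
#if defined(ENABLE_SHIM_CERT)
		if (check_build_cert(v))
			p = append_x509_list(p, *v->build_cert,
					     *v->build_cert_size);
#endif /* defined(ENABLE_SHIM_CERT) */
		if (check_vendor_cert(v))
			p = append_x509_list(p, *v->addend_source,
					     *v->addend_size);
```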
@@ -174,6 +239,9 @@ mirror_one_mok_variable(struct mok_state_variable *v)
 CertData->SignatureOwner = SHIM_LOCK_GUID;
 CopyMem(p, *v->addend_source, *v->addend_size);
+#if defined(ENABLE_SHIM_CERT)
+skip_vendor_cert:
+#endif /* defined(ENABLE_SHIM_CERT) */
 if (v->data && v->data_size)
 FreePool(v->data);
 v->data = FullData;
@@ -247,9 +315,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 UINT32 attrs = 0;
 BOOLEAN delete = FALSE, present, addend;
- addend = (v->addend_source && v->addend_size &&
- *v->addend_source && *v->addend_size)
- ? TRUE : FALSE;
+ addend = check_addend(v);
 efi_status = get_variable_attr(v->name, &v->data, &v->data_size, |
