| author | Paul Moore <pmoore2@cisco.com> | 2020-10-29 09:49:36 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2021-01-29 15:53:34 -0500 |
| commit | 4b0a61dc9a952028c7b1ccc8914835d989ce661e (patch) | |
| tree | e3e842cf390a539eb51e677a00e5421b0bf2f061 | |
| parent | 1f123ac2359cd923e9144f944a4bddf597fddbb5 (diff) | |
shim: compile time option to bypass the ExitBootServices() check
On systems where a second stage bootloader is not used, and the Linux
Kernel is booted directly from shim, shim's ExitBootServices() hook
can cause problems as the kernel never calls the shim's verification
protocol. In this case calling the shim verification protocol is
unnecessary and redundant as shim has already verified the kernel
when shim loaded the kernel as the second stage loader.
This functionality is disabled by default and must be enabled via the
DISABLE_EBS_PROTECTION macro/define at build time.
Signed-off-by: Paul Moore <pmoore2@cisco.com>
| -rw-r--r-- | Make.defaults | 4 | ||||
| -rw-r--r-- | replacements.c | 7 |
2 files changed, 11 insertions, 0 deletions
diff --git a/Make.defaults b/Make.defaults
index 2e01646a..811db718 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -105,6 +105,10 @@ ifneq ($(origin REQUIRE_TPM), undefined)
 CFLAGS += -DREQUIRE_TPM
 endif
+ifneq ($(origin DISABLE_EBS_PROTECTION), undefined)
+ CFLAGS += -DDISABLE_EBS_PROTECTION
+endif
+
 LIB_GCC = $(shell $(CC) $(ARCH_CFLAGS) -print-libgcc-file-name)
 EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
 FORMAT ?= --target efi-app-$(ARCH)
diff --git a/replacements.c b/replacements.c
index 944c779d..4a8a46a5 100644
--- a/replacements.c
+++ b/replacements.c
@@ -131,6 +131,7 @@ replacement_start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 *
 return efi_status;
 }
+#if !defined(DISABLE_EBS_PROTECTION)
 static EFI_STATUS EFIAPI
 exit_boot_services(EFI_HANDLE image_key, UINTN map_key)
 {
@@ -150,6 +151,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key)
 gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL);
 return EFI_SECURITY_VIOLATION;
 }
+#endif /* !defined(DISABLE_EBS_PROTECTION) */
 static EFI_STATUS EFIAPI
 do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
@@ -199,17 +201,22 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
 system_start_image = systab->BootServices->StartImage;
 systab->BootServices->StartImage = replacement_start_image;
+#if !defined(DISABLE_EBS_PROTECTION)
 /* we need to hook ExitBootServices() so a) we can enforce the policy
 * and b) we can unwrap when we're done. */
 system_exit_boot_services = systab->BootServices->ExitBootServices;
 systab->BootServices->ExitBootServices = exit_boot_services;
+#endif /* defined(DISABLE_EBS_PROTECTION) */
 }
 void
 unhook_exit(void)
 {
+#if !defined(DISABLE_EBS_PROTECTION)
 systab->BootServices->Exit = system_exit;
 gBS = systab->BootServices;
+#endif /* defined(DISABLE_EBS_PROTECTION) */
+ return;
 }
 void |
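Review bot: The added `ifneq ($(origin DISABLE_EBS_PROTECTION), undefined)` test switches the ExitBootServices() check off for any definition of the variable, including `DISABLE_EBS_PROTECTION=0`, an empty value, or a variable merely inherited from the build environment, because `$(origin ...)` reports only where a name came from. The neighbouring REQUIRE_TPM block uses the same pattern, but there an accidental definition presumably makes the build stricter, whereas here it silently removes a verification step. Testing the value instead, `ifeq ($(DISABLE_EBS_PROTECTION),1)`, makes the opt-out explicit. A comment above the block, for example `# Only for images that boot the kernel directly from shim: removes the ExitBootServices() policy hook`, would record when the option is appropriate.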
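Review bot: The guard added inside unhook_exit() in the last replacements.c hunk compiles out `systab->BootServices->Exit = system_exit;` and `gBS = systab->BootServices;`, which undo the Exit() hook rather than anything tied to ExitBootServices(). The code that installs the Exit() hook is not in this diff; if it is still built when DISABLE_EBS_PROTECTION is defined, the replacement Exit stays in the boot services table after unhook_exit() returns, so these two lines should remain unconditional. No hunk guards a teardown path for `system_exit_boot_services` either; if code outside the diff writes that variable back into `BootServices->ExitBootServices`, it needs the same `#if !defined(DISABLE_EBS_PROTECTION)`, since the variable is never assigned in this configuration. The two new `#endif /* defined(DISABLE_EBS_PROTECTION) */` comments should read `/* !defined(DISABLE_EBS_PROTECTION) */` to match their `#if`, as the one after exit_boot_services() does, and the bare `return;` can be dropped. hook_system_services() begins above the hunk, so its earlier statements were not reviewed.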
