| author | Gary Ching-Pang Lin <glin@suse.com> | 2013-09-26 11:58:03 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2013-09-26 11:58:03 -0400 |
| commit | 59dcd9d1b8c45027d9aa5a1958579ae9872df6c7 (patch) | |
| tree | a445c69a81d87765a059cde250ef9eff9516a432 | |
| parent | 6d6aff1bab14ccdf4b4efe14a5fd2115b2c1e838 (diff) | |
| download | efi-boot-shim-59dcd9d1b8c45027d9aa5a1958579ae9872df6c7.tar.gz efi-boot-shim-59dcd9d1b8c45027d9aa5a1958579ae9872df6c7.zip | |
integrate security override
| -rw-r--r-- | include/security_policy.h | 4 | ||||
| -rw-r--r-- | lib/Makefile | 2 | ||||
| -rw-r--r-- | lib/security_policy.c | 77 | ||||
| -rw-r--r-- | shim.c | 11 |
4 files changed, 33 insertions, 61 deletions
diff --git a/include/security_policy.h b/include/security_policy.h index a1c1002d..b0109ce0 100644 --- a/include/security_policy.h +++ b/include/security_policy.h @@ -1,5 +1,7 @@ +typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len); + EFI_STATUS -security_policy_install(void); +security_policy_install(SecurityHook authentication); EFI_STATUS security_policy_uninstall(void); void diff --git a/lib/Makefile b/lib/Makefile index e85c1fd5..c1b9ab34 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) diff --git a/lib/security_policy.c b/lib/security_policy.c index e7becbf4..f1b08420 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -10,7 +10,6 @@ #include <efilib.h> #include <guid.h> -#include <sha256.h> #include <variables.h> #include <simple_file.h> #include <errors.h> 
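Review bot: The `SecurityHook` typedef in include/security_policy.h declares `UINT32 len`, while the `security_policy_check_mok` it replaces took `UINTN len`, so on a 64-bit build a length above 4 GiB would be silently narrowed before the verifier sees it. The type of `FileSize` at the call sites is outside these hunks, but if it is `UINTN` the hook would check fewer bytes than the firmware goes on to load. Either declare the hook as `typedef EFI_STATUS (*SecurityHook) (void *data, UINTN len);` or, if it must stay 32-bit to match the verifier passed from shim.c, have the callers reject oversized buffers before calling it. The prototype also names the parameter `authentication` while lib/security_policy.c calls it `hook`. A one-line comment on the typedef stating that the hook returns `EFI_SUCCESS` only for an image it has verified would document the contract.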
@@ -50,59 +49,7 @@ struct _EFI_SECURITY_PROTOCOL { static UINT8 *security_policy_esl = NULL; static UINTN security_policy_esl_len; - -static EFI_STATUS -security_policy_check_mok(void *data, UINTN len) -{ - EFI_STATUS status; - UINT8 hash[SHA256_DIGEST_SIZE]; - UINT32 attr; - UINT8 *VarData; - UINTN VarLen; - - /* first check is MokSBState. If we're in insecure mode, boot - * anyway regardless of dbx contents */ - status = get_variable_attr(L"MokSBState", &VarData, &VarLen, - MOK_OWNER, &attr); - if (status == EFI_SUCCESS) { - UINT8 MokSBState = VarData[0]; - - FreePool(VarData); - if ((attr & EFI_VARIABLE_RUNTIME_ACCESS) == 0 - && MokSBState) - return EFI_SUCCESS; - } - - status = sha256_get_pecoff_digest_mem(data, len, hash); - if (status != EFI_SUCCESS) - return status; - - if (find_in_variable_esl(L"dbx", SIG_DB, hash, SHA256_DIGEST_SIZE) - == EFI_SUCCESS) - /* MOK list cannot override dbx */ - return EFI_SECURITY_VIOLATION; - - status = get_variable_attr(L"MokList", &VarData, &VarLen, MOK_OWNER, - &attr); - if (status != EFI_SUCCESS) - goto check_tmplist; - - FreePool(VarData); - - if (attr & EFI_VARIABLE_RUNTIME_ACCESS) - goto check_tmplist; - - if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS) - return EFI_SUCCESS; - - check_tmplist: - if (security_policy_esl - && find_in_esl(security_policy_esl, security_policy_esl_len, hash, - SHA256_DIGEST_SIZE) == EFI_SUCCESS) - return EFI_SUCCESS; - - return EFI_SECURITY_VIOLATION; -} +static SecurityHook extra_check = NULL; static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; 
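Review bot: Nothing on the new side records that the caller's hook is now solely responsible for revocation. The removed `security_policy_check_mok` returned `EFI_SECURITY_VIOLATION` for any hash found in `dbx` before it consulted MokList, and after this hunk that guarantee depends entirely on whatever function is passed to `security_policy_install`. I would add above `extra_check` a comment such as `/* Fallback verifier supplied by the caller; it must enforce dbx itself and return EFI_SUCCESS only for images it has verified. */`. The context lines `security_policy_esl` and `security_policy_esl_len` were read only by the removed `check_tmplist` branch as far as this hunk shows. If nothing outside the hunk reads them they are now dead, and the temporary list is no longer honoured, which is worth confirming and either removing or documenting.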
@@ -143,7 +90,10 @@ security2_policy_authentication ( if (status == EFI_SUCCESS) return status; - auth = security_policy_check_mok(FileBuffer, FileSize); + if (extra_check) + auth = extra_check(FileBuffer, FileSize); + else + return EFI_SECURITY_VIOLATION; if (auth == EFI_SECURITY_VIOLATION || auth == EFI_ACCESS_DENIED) /* return previous status, which is the correct one @@ -202,7 +152,10 @@ security_policy_authentication ( if (status != EFI_SUCCESS) goto out; - status = security_policy_check_mok(FileBuffer, FileSize); + if (extra_check) + status = extra_check(FileBuffer, FileSize); + else + status = EFI_SECURITY_VIOLATION; FreePool(FileBuffer); if (status == EFI_ACCESS_DENIED || status == EFI_SECURITY_VIOLATION) @@ -307,7 +260,7 @@ asm ( ); EFI_STATUS -security_policy_install(void) +security_policy_install(SecurityHook hook) { EFI_SECURITY_PROTOCOL *security_protocol; EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; @@ -325,8 +278,8 @@ security_policy_install(void) &security2_protocol); status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY_PROTOCOL_GUID, NULL, - &security_protocol); + &SECURITY_PROTOCOL_GUID, NULL, + &security_protocol); if (status != EFI_SUCCESS) /* This one is mandatory, so there's a serious problem */ return status; @@ -341,6 +294,9 @@ security_policy_install(void) security_protocol->FileAuthenticationState = thunk_security_policy_authentication; + if (hook) + extra_check = hook; + return EFI_SUCCESS; } @@ -380,6 +336,9 @@ security_policy_uninstall(void) es2fa = NULL; } + if (extra_check) + extra_check = NULL; + return EFI_SUCCESS; } @@ -45,6 +45,7 @@ #include "guid.h" #include "variables.h" #include "efiauthenticated.h" +#include "security_policy.h" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" 
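Review bot: In the `security2_policy_authentication` hunk the no-hook branch does `return EFI_SECURITY_VIOLATION;`, bypassing the test just below it whose comment says the previous `status` is the correct value to return on a denial. The `security_policy_authentication` hunk (@@ -202) handles the same case by setting `status = EFI_SECURITY_VIOLATION;` and falling through. Using `else auth = EFI_SECURITY_VIOLATION;` here would keep both paths fail-closed and consistent. Both hunks also treat only `EFI_SECURITY_VIOLATION` and `EFI_ACCESS_DENIED` from the hook as a denial. What happens to any other error status an arbitrary hook may return is decided outside the hunks, so it should be confirmed that every non-`EFI_SUCCESS` result ends in the image being refused.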
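Review bot: In the `security_policy_install` hunk (@@ -341) `extra_check` is stored only when `hook` is non-NULL, and only after `FileAuthenticationState` already points at the thunk. A call with NULL therefore keeps whatever pointer an earlier install left behind if no uninstall ran in between. An unconditional `extra_check = hook;` placed before the protocol pointers are replaced is simpler and makes the stored value always match the caller's argument. The NULL case stays fail-closed through the `else` branches added in the authentication functions. The `if (extra_check)` guard in the `security_policy_uninstall` hunk (@@ -380) is redundant for the same reason; a plain `extra_check = NULL;` is enough.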
@@ -1538,6 +1539,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &shim_lock_interface); /* + * Install the security protocol hook + */ + security_policy_install(shim_verify); + + /* * Enter MokManager if necessary */ efi_status = check_mok_request(image_handle); @@ -1561,6 +1567,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &shim_lock_guid, &shim_lock_interface); /* + * Clean up the security protocol hook + */ + security_policy_uninstall(); + + /* * Free the space allocated for the alternative 2nd stage loader */ if (load_options_size > 0) |
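Review bot: The `EFI_STATUS` returned by `security_policy_install(shim_verify);` is discarded, although the library returns the `LocateProtocol` error when the mandatory security protocol is missing. shim would then continue with the override silently inactive. I would capture and report it, for example `efi_status = security_policy_install(shim_verify);` followed by a check that at least logs the failure. The same applies to `security_policy_uninstall();` in the cleanup hunk (@@ -1561). If uninstall can fail, the firmware's security protocol would presumably still point at shim's thunks after shim has finished, so that status should not be ignored either. `efi_main` continues outside both hunks, so it is also worth confirming that every exit path taken after the install reaches the uninstall call.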
