diff options
| author | Matthew Garrett <mjg@redhat.com> | 2012-06-12 02:12:31 -0400 |
|---|---|---|
| committer | Matthew Garrett <mjg@redhat.com> | 2012-06-18 17:31:42 -0400 |
| commit | b6db0dd4db04d522632a43c3232d1099592d0ae2 (patch) | |
| tree | 280c42351fac07767c76febe3d0fa8763d1217fe | |
| parent | 0db1af8aeb4b30ac9aef9485946dc31a6fa9d5bb (diff) | |
| download | efi-boot-shim-b6db0dd4db04d522632a43c3232d1099592d0ae2.tar.gz efi-boot-shim-b6db0dd4db04d522632a43c3232d1099592d0ae2.zip | |
Check that platform is in user mode before doing any validation
| -rw-r--r-- | TODO | 1 | ||||
| -rw-r--r-- | shim.c | 47 |
2 files changed, 45 insertions, 3 deletions
@@ -1,4 +1,3 @@ -Fall through if not in user mode Check against blacklist Attempt to just LoadImage and StartImage? Support for netbooting
\ No newline at end of file @@ -50,6 +50,33 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB #include "cert.h" +static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, + unsigned int *size,void **buffer) +{ + EFI_STATUS efi_status; + UINT32 attributes; + char allocate = !!(*size); + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, + &attributes, size, NULL); + + if (efi_status != EFI_BUFFER_TOO_SMALL || !allocate) + return efi_status; + + if (allocate) + *buffer = AllocatePool(*size); + + if (!*buffer) { + Print(L"Unable to allocate variable buffer\n"); + return EFI_OUT_OF_RESOURCES; + } + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, + &attributes, size, *buffer); + + return efi_status; +} + /* * Perform basic bounds checking of the intra-image pointers */ @@ -173,17 +200,33 @@ static EFI_STATUS verify_buffer (char *data, int datasize, { unsigned int size = datasize; unsigned int ctxsize; - void *ctx; + void *ctx = NULL; + UINT8 sb, setupmode; UINT8 hash[SHA256_DIGEST_SIZE]; EFI_STATUS status = EFI_ACCESS_DENIED; char *hashbase; unsigned int hashsize; WIN_CERTIFICATE_EFI_PKCS *cert; unsigned int SumOfBytesHashed, SumOfSectionBytes; - unsigned int index, pos; + unsigned int index, pos, charsize = sizeof(char); EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionCache; + EFI_GUID global_var = EFI_GLOBAL_VARIABLE; + + status = get_variable(L"SecureBoot", global_var, &charsize, (void *)&sb); + + /* FIXME - more paranoia here? */ + if (status != EFI_SUCCESS || sb != 1) { + status = EFI_SUCCESS; + goto done; + } + + status = get_variable(L"SetupMode", global_var, &charsize, (void *)&setupmode); + + if (status == EFI_SUCCESS && setupmode == 1) { + goto done; + } cert = ImageAddress (data, size, context->SecDir->VirtualAddress); |