| author | Eric Snowberg <eric.snowberg@oracle.com> | 2022-01-27 17:33:01 -0500 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-05-17 18:30:52 -0400 |
| commit | bb4b60e800823c1e48220935e3b9180c8c82e1a7 (patch) | |
| tree | 663b6050552c18e0a4e3615a19a140d9f306da6c | |
| parent | 6402f1fec4c9b19f8d570791827b13b9cad98827 (diff) | |
Add verify_image
In the future we will want to examine binaries without wanting to
execute them. Create verify_image based off existing handle_image
code.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
| -rw-r--r-- | include/pe.h | 4 | ||||
| -rw-r--r-- | pe.c | 54 |
2 files changed, 58 insertions, 0 deletions
diff --git a/include/pe.h b/include/pe.h index b86e1b3a..ccc8798b 100644 --- a/include/pe.h +++ b/include/pe.h @@ -14,6 +14,10 @@ EFI_STATUS read_header(void *data, unsigned int datasize, PE_COFF_LOADER_IMAGE_CONTEXT *context); +EFI_STATUS verify_image(void *data, unsigned int datasize, + EFI_LOADED_IMAGE *li, + PE_COFF_LOADER_IMAGE_CONTEXT *context); + EFI_STATUS verify_sbat_section(char *SBATBase, size_t SBATSize); @@ -878,6 +878,60 @@ err: return efi_status; } +EFI_STATUS verify_image(void *data, unsigned int datasize, + EFI_LOADED_IMAGE *li, + PE_COFF_LOADER_IMAGE_CONTEXT *context) +{ + EFI_STATUS efi_status; + UINT8 sha1hash[SHA1_DIGEST_SIZE]; + UINT8 sha256hash[SHA256_DIGEST_SIZE]; + + /* + * The binary header contains relevant context and section pointers + */ + efi_status = read_header(data, datasize, context); + if (EFI_ERROR(efi_status)) { + perror(L"Failed to read header: %r\n", efi_status); + return efi_status; + } + + /* + * We only need to verify the binary if we're in secure mode + */ + efi_status = generate_hash(data, datasize, context, sha256hash, + sha1hash); + if (EFI_ERROR(efi_status)) + return efi_status; + + /* Measure the binary into the TPM */ +#ifdef REQUIRE_TPM + efi_status = +#endif + tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, + (EFI_PHYSICAL_ADDRESS)(UINTN)context->ImageAddress, + li->FilePath, sha1hash, 4); +#ifdef REQUIRE_TPM + if (efi_status != EFI_SUCCESS) { + return efi_status; + } +#endif + + if (secure_mode()) { + efi_status = verify_buffer(data, datasize, + context, sha256hash, sha1hash); + if (EFI_ERROR(efi_status)) { + if (verbose) + console_print(L"Verification failed: %r\n", efi_status); + else + console_error(L"Verification failed", efi_status); + return efi_status; + } else if (verbose) + console_print(L"Verification succeeded\n"); + } + + return EFI_SUCCESS; +} + /* * Once the image has been loaded it needs to be validated and relocated */ |
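Review bot: The new verify_image prototype in include/pe.h has no comment saying which arguments are required, while the definition in the pe.c hunk dereferences `li->FilePath` and `context->ImageAddress` without any NULL check. The commit message aims this function at binaries that are examined rather than executed, so a caller may plausibly not have an EFI_LOADED_IMAGE to pass. I would either add `/* li and context must be non-NULL; context is passed to read_header() */` above the declaration, or guard the `li` dereference in pe.c.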
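Review bot: In the pe.c hunk the comment `We only need to verify the binary if we're in secure mode` sits above the unconditional generate_hash() call, while the secure_mode() test it describes comes only after tpm_log_pe(); it should move down to the `if (secure_mode())` line. verify_image also has no header comment, and its contract is easy to misread: it returns EFI_SUCCESS without calling verify_buffer() when secure_mode() is false, and it always logs the image through tpm_log_pe() even though the commit message targets binaries that will not be executed. I would add above the definition `/* Hash and TPM-log the image; the signature check runs only in secure mode, so EFI_SUCCESS alone does not mean the image was verified. */`. Without REQUIRE_TPM the tpm_log_pe() result is discarded, which looks deliberate but deserves a mention in that comment, and the bare `4` passed as its last argument (presumably the PCR index) would read better as a named constant.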
