| author | Peter Jones <pjones@redhat.com> | 2022-03-31 16:19:53 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-05-17 19:01:03 -0400 |
| commit | df96f48f28fa94b62d06f39a3b014133dd38def5 (patch) | |
| tree | 31e8dc150efa36e57aaa263f18149e4867d6cb42 | |
| parent | 226fee25ffcbd29988399ba080c7706eb1d52251 (diff) | |
Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
This adds a new MoK variable, MokPolicy (&MokPolicyRT) that's intended
as a bitmask of machine owner policy choices, and the bit
MOK_POLICY_REQUIRE_NX. This bit specifies whether it is permissible to
load binaries which do not support NX mitigations, and it currently
defaults to allowing such binaries to be loaded.
The broader intention here is to migrate all of the MoK policy variables
that are really just on/off flags to this variable.
Signed-off-by: Peter Jones <pjones@redhat.com>
| -rw-r--r-- | globals.c | 1 | ||||
| -rw-r--r-- | include/mok.h | 5 | ||||
| -rw-r--r-- | mok.c | 13 | ||||
| -rw-r--r-- | pe.c | 8 | ||||
| -rw-r--r-- | shim.h | 2 |
5 files changed, 26 insertions, 3 deletions
@@ -29,6 +29,7 @@ int loader_is_participating;
 UINT8 user_insecure_mode;
 UINT8 ignore_db;
 UINT8 trust_mok_list;
+UINT8 mok_policy = 0;
 UINT32 verbose = 0;
diff --git a/include/mok.h b/include/mok.h
index 6f99a105..fb19423b 100644
--- a/include/mok.h
+++ b/include/mok.h
@@ -100,5 +100,10 @@ struct mok_variable_config_entry {
 UINT8 data[];
 };
+/*
+ * bit definitions for MokPolicy
+ */
+#define MOK_POLICY_REQUIRE_NX 1
+
 #endif /* !SHIM_MOK_H_ */
 // vim:fenc=utf-8:tw=75:noet
@@ -184,6 +184,19 @@ struct mok_state_variable mok_state_variable_data[] = {
 .pcr = 14,
 .state = &trust_mok_list,
 },
+ {.name = L"MokPolicy",
+ .name8 = "MokPolicy",
+ .rtname = L"MokPolicyRT",
+ .rtname8 = "MokPolicyRT",
+ .guid = &SHIM_LOCK_GUID,
+ .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_NON_VOLATILE,
+ .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ .flags = MOK_MIRROR_DELETE_FIRST |
+ MOK_VARIABLE_LOG,
+ .pcr = 14,
+ .state = &mok_policy,
+ },
 { NULL, }
 };
 size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);
@@ -800,8 +800,9 @@ read_header(void *data, unsigned int datasize,
 DllFlags = PEHdr->Pe32.OptionalHeader.DllCharacteristics;
 }
- if (!(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
- perror(L"Image does not support NX\n");
+ if ((mok_policy & MOK_POLICY_REQUIRE_NX) &&
+ !(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
+ perror(L"Policy requires NX, but image does not support NX\n");
 return EFI_UNSUPPORTED;
 }
@@ -1203,7 +1204,8 @@ handle_image (void *data, unsigned int datasize,
 if (!(Section->Characteristics & EFI_IMAGE_SCN_MEM_DISCARDABLE) &&
 (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) &&
- (Section->Characteristics & EFI_IMAGE_SCN_MEM_EXECUTE)) {
+ (Section->Characteristics & EFI_IMAGE_SCN_MEM_EXECUTE) &&
+ (mok_policy & MOK_POLICY_REQUIRE_NX)) {
 perror(L"Section %d is writable and executable\n", i);
 return EFI_UNSUPPORTED;
 }
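Review bot: The comment above `MOK_POLICY_REQUIRE_NX` in include/mok.h says only that these are bit definitions; it does not say what a set bit means or how wide the mask is. The other hunks of this commit show the bit gating the NX_COMPAT test in read_header and the writable-and-executable section test in handle_image, and `mok_policy` is declared as a UINT8, so the mask has room for eight flags. I would write the value as a mask and document it, e.g. `#define MOK_POLICY_REQUIRE_NX 0x01 /* refuse images without NX_COMPAT or with W+X sections */`, and state the one-byte width in the block comment so that later flags are not defined past bit 7.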
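Review bot: The new MokPolicy entry in mok_state_variable_data carries `MOK_VARIABLE_LOG` and `.pcr = 14`, but the code that acts on these fields is outside the hunk, so it is not visible here whether the policy byte ends up in the TPM measurement as well as in the event log. Because this byte now decides whether the NX checks in pe.c are enforced, a verifier relying on attestation would want the two policy states to be distinguishable; please confirm that against the flag handling. A short comment on the entry would also help the next reader, e.g. `/* .no_attr: a MokPolicy variable that is runtime-accessible (writable from the OS) must not be honoured */`, if that is indeed what the attribute filter does. The array itself starts before the hunk.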
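Review bot: With `mok_policy` initialised to 0 in globals.c, the rewritten condition in read_header accepts an image lacking `EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT` without printing anything, and the section test in the handle_image hunk behaves the same way. A machine owner who wants to switch the policy on has no way to learn beforehand which binaries would be refused. Keeping the NX test as the outer condition and making only the refusal depend on the policy leaves room for a debug message on the permissive path; the sketch below uses shim's `dprint`, and the handle_image check can take the same shape. read_header's body starts and ends outside the hunk.

```c
	if (!(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
		if (mok_policy & MOK_POLICY_REQUIRE_NX) {
			perror(L"Policy requires NX, but image does not support NX\n");
			return EFI_UNSUPPORTED;
		}
		/* permissive path: record the gap so it can be audited */
		dprint(L"Image does not support NX; permitted by MokPolicy\n");
	}
```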
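Review bot: In handle_image the policy test is appended as the last operand of the `&&` chain, whereas read_header tests it first, and the error message still reads as an unconditional rule. Testing `(mok_policy & MOK_POLICY_REQUIRE_NX)` first would make the two guards read alike, and the message could name the policy the way the read_header one does: `perror(L"Policy requires NX, but section %d is writable and executable\n", i);`. The enclosing function starts and ends outside the hunk.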
@@ -263,6 +263,8 @@ extern UINT8 *build_cert;
 extern UINT8 user_insecure_mode;
 extern UINT8 ignore_db;
 extern UINT8 trust_mok_list;
+extern UINT8 mok_policy;
+
 extern UINT8 in_protocol;
 extern void *load_options;
 extern UINT32 load_options_size; |
