| author | Javier Martinez Canillas <javierm@redhat.com> | 2021-02-10 01:26:46 +0100 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2021-02-13 11:02:59 -0500 |
| commit | ee8f7ed3326cf680452a4eaf68208f5feb6ddb50 (patch) | |
| tree | 351d8a01fa247808506222f36324fe1029bd5c46 /pe.c | |
| parent | 16732ad12869c472dbe37bc0556625489e03cee2 (diff) | |
| download | efi-boot-shim-ee8f7ed3326cf680452a4eaf68208f5feb6ddb50.tar.gz efi-boot-shim-ee8f7ed3326cf680452a4eaf68208f5feb6ddb50.zip | |
Add a function to parse the SBAT metadata from the .sbat section
Parse the SBAT [0] Version-Based Revocation Metadata that's contained in a
.sbat data section of the loaded PE binary. This information is used along
with data in an SBAT variable to determine if an EFI binary has been revoked.
[0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
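The commit message describes two steps, parsing the CSV records out of a `.sbat` section and comparing them with the generations an SBAT variable allows, but the diff only shows the parse being called. The following is an added example, not shim code, that carries both steps through on plain libc so it can be run on a laptop. The six column names are the ones the diff prints; everything else is an assumption for the example: that a record is one line of six comma-separated fields, that the first record is the `sbat` header versioning the metadata itself, and that a component is revoked when its `component_generation` is numerically below the minimum the policy lists for the same `component_name` (this is how SBAT.md describes the mechanism, but the page does not spell it out). `parse_sbat`, `sbat_check` and `sbat_demo_check` are hypothetical names chosen here and differ from shim's real signatures; the section contents and the policy table are constructed.

```c
/* Added example (not shim code): parse a .sbat section into the six fields the
 * diff prints, then decide revocation against an SBAT policy the way SBAT.md
 * describes it, as assumed here: a component is revoked when its generation is
 * below the minimum the policy lists for the same component_name. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SBAT_MAX_ENTRIES 16
#define SBAT_MAX_FIELD   96

struct sbat_entry {
    char component_name[SBAT_MAX_FIELD], component_generation[SBAT_MAX_FIELD],
         vendor_name[SBAT_MAX_FIELD], vendor_package_name[SBAT_MAX_FIELD],
         vendor_version[SBAT_MAX_FIELD], vendor_url[SBAT_MAX_FIELD];
};
struct sbat { size_t size; struct sbat_entry entries[SBAT_MAX_ENTRIES]; };

/* Parse raw section bytes (length-delimited, may end in NUL padding). Returns 0 on
 * success, -1 on malformed input, the "res < 0" contract the diff relies on. */
int parse_sbat(const char *data, size_t datasize, struct sbat *out)
{
    const char *p = data, *end = data + datasize;
    memset(out, 0, sizeof(*out));
    while (p < end) {
        if (*p == '\n' || *p == '\0') { p++; continue; }   /* blank line or padding */
        if (out->size >= SBAT_MAX_ENTRIES) return -1;
        struct sbat_entry *e = &out->entries[out->size];
        char *field[6] = { e->component_name, e->component_generation, e->vendor_name,
                           e->vendor_package_name, e->vendor_version, e->vendor_url };
        for (int i = 0; i < 6; i++) {
            size_t n = 0;
            while (p < end && *p != ',' && *p != '\n' && *p != '\0') {
                if (n + 1 >= SBAT_MAX_FIELD) return -1;     /* field too long */
                field[i][n++] = *p++;
            }
            field[i][n] = '\0';
            if (n == 0) return -1;                          /* empty field */
            if (i < 5) {                                    /* a separator must follow */
                if (p >= end || *p != ',') return -1;       /* too few fields */
                p++;
            } else if (p < end && *p == ',') {
                return -1;                                  /* too many fields */
            }
        }
        out->size++;
    }
    /* First record must be the "sbat" header that versions the metadata itself. */
    if (out->size == 0 || strcmp(out->entries[0].component_name, "sbat") != 0) return -1;
    return 0;
}

/* What an SBAT policy variable carries: component_name and the lowest generation
 * still allowed to boot. */
struct sbat_policy { const char *component_name; unsigned long min_generation; };

/* 1 = revoked (some component below its policy minimum), 0 = allowed,
 * -1 = a component_generation field is not a plain decimal number. */
int sbat_check(const struct sbat *s, const struct sbat_policy *policy, size_t npolicy)
{
    for (size_t i = 0; i < s->size; i++) {
        const char *g = s->entries[i].component_generation;
        char *endp;
        unsigned long gen = strtoul(g, &endp, 10);
        if (*g < '0' || *g > '9' || *endp != '\0') return -1;
        for (size_t j = 0; j < npolicy; j++)
            if (strcmp(s->entries[i].component_name, policy[j].component_name) == 0 &&
                gen < policy[j].min_generation)
                return 1;
    }
    return 0;
}

/* Constructed policy and section contents for the demo, not real vendor data. */
static const struct sbat_policy demo_policy[] = { { "sbat", 1 }, { "shim", 1 }, { "grub", 2 } };
static const char good[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Distro,grub2,2.06-1,https://example.com/grub\0\0\0";
static const char old[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n";
static const char bad[] = "sbat,1,SBAT Version,sbat,1\n";   /* only five fields */

/* Parse and check in one step: -1 parse error, 0 allowed, 1 revoked. */
int sbat_demo_check(const char *section, size_t len)
{
    struct sbat s;
    if (parse_sbat(section, len, &s) < 0) return -1;
    return sbat_check(&s, demo_policy, sizeof demo_policy / sizeof demo_policy[0]);
}

int main(void)
{
    printf("good=%d old=%d bad=%d\n", sbat_demo_check(good, sizeof good - 1),
           sbat_demo_check(old, sizeof old - 1), sbat_demo_check(bad, sizeof bad - 1));
    return 0;
}
```

Two design points carry over to the real thing. The section is treated as a length-delimited byte range rather than a C string, because a PE section is padded to its raw size and an attacker controls its contents; every field copy is bounded and an empty, missing or surplus field rejects the whole section. And `grub.example` with generation 1 is not revoked by the `grub,2` policy line, since revocation keys on the exact `component_name`; that is what lets a distribution ship a differently named component without inheriting every upstream revocation.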
Diffstat (limited to 'pe.c')
| -rw-r--r-- | pe.c | 32 |
1 files changed, 32 insertions, 0 deletions
@@ -1039,9 +1039,41 @@ handle_image (void *data, unsigned int datasize, } if (secure_mode ()) { + int res; + unsigned int i; + struct sbat sbat = { 0 }; + struct sbat_entry *entry = NULL; + + if (SBATBase && SBATSize) { + res = parse_sbat(SBATBase, SBATSize, buffer, &sbat); + if (res < 0) { + console_print(L"SBAT data not correct: %r\n", res); + return EFI_UNSUPPORTED; + } + + dprint(L"SBAT data\n"); + for (i = 0; i < sbat.size; i++) { + entry = sbat.entries[i]; + dprint(L"%a, %a, %a, %a, %a, %a\n", + entry->component_name, + entry->component_generation, + entry->vendor_name, + entry->vendor_package_name, + entry->vendor_version, + entry->vendor_url); + } + } else { + perror(L"SBAT data not found\n"); + return EFI_UNSUPPORTED; + } + efi_status = verify_buffer(data, datasize, &context, sha256hash, sha1hash); + if (sbat.entries) + for (i = 0; i < sbat.size; i++) + FreePool(sbat.entries[i]); + if (EFI_ERROR(efi_status)) { if (verbose) console_print(L"Verification failed: %r\n", efi_status); |
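Review bot: parse_sbat() runs on the image before verify_buffer() has authenticated it, so any bug in the new parser is reachable from an unsigned or tampered binary; since the parsed entries are not needed until after the signature check passes anyway, move the `if (SBATBase && SBATSize)` block below the `if (EFI_ERROR(efi_status))` path and parse only verified data. Second, `console_print(L"SBAT data not correct: %r\n", res)` formats an `int` with `%r`, the EFI_STATUS conversion; either print it with `%d` or have parse_sbat() return an EFI_STATUS. Third, cleanup is incomplete: the `if (sbat.entries)` guard implies the entries array is heap-allocated, yet only `sbat.entries[i]` is freed, never the array itself, and the early `return EFI_UNSUPPORTED` after a failed parse frees nothing, so anything parse_sbat() allocated before failing leaks unless it guarantees cleanup on error (that function is not in this diff; if it does, a comment here would save the next reader the trip). Finally, the `perror(L"SBAT data not found\n"); return EFI_UNSUPPORTED;` branch makes a .sbat section mandatory for every image loaded in Secure Boot mode, which is a behaviour change the commit message does not mention, and note that this hunk only dumps and frees the entries; the comparison against the SBAT variable described in the message is not part of this change.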
