authorPeter Jones <pjones@redhat.com>2020-07-23 12:36:56 -0400
committerPeter Jones <pjones@redhat.com>2020-07-23 22:22:04 -0400
commitdd3a5d71252a1f94e37f1a4c8841d253630b305a (patch)
tree62599a58c09d806aae29b23e8ce17f3fec75f62a /shim.c
parent7d542805ba5c48185128a2351bb315a5648fe3d7 (diff)
Add support for vendor_db built-in shim authorized list.
Potential new signing strategies (for example, signing grub, fwupdate and vmlinuz with separate certificates) require shim to support a vendor-provided bundle of trusted certificates and hashes, which allows shim to trust EFI binaries that match an entry in the vendor_db either by certificate signature or by hash. Functionality is similar to vendor_dbx. This also improves the mirroring quite a bit. Upstream: pr#206
Diffstat (limited to 'shim.c')
-rw-r--r--shim.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/shim.c b/shim.c
index 888ee6e8..ee62248c 100644
--- a/shim.c
+++ b/shim.c
@@ -646,6 +646,31 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
}
}
+#if defined(VENDOR_DB_FILE)
+ EFI_SIGNATURE_LIST *db = (EFI_SIGNATURE_LIST *)vendor_db;
+
+ if (check_db_hash_in_ram(db, vendor_db_size,
+ sha256hash, SHA256_DIGEST_SIZE,
+ EFI_CERT_SHA256_GUID, L"vendor_db",
+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
+ verification_method = VERIFIED_BY_HASH;
+ update_verification_method(VERIFIED_BY_HASH);
+ return EFI_SUCCESS;
+ } else {
+ LogError(L"check_db_hash(vendor_db, sha256hash) != DATA_FOUND\n");
+ }
+ if (cert &&
+ check_db_cert_in_ram(db, vendor_db_size,
+ cert, sha256hash, L"vendor_db",
+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
+ verification_method = VERIFIED_BY_CERT;
+ update_verification_method(VERIFIED_BY_CERT);
+ return EFI_SUCCESS;
+ } else {
+ LogError(L"check_db_cert(vendor_db, sha256hash) != DATA_FOUND\n");
+ }
+#endif
+
if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash,
SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID)
== DATA_FOUND) {
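Review bot: The `else` on the vendor_db certificate check also runs when `cert` is NULL, so an unsigned binary logs `check_db_cert(vendor_db, sha256hash) != DATA_FOUND` for a lookup that never ran. Changing that branch to `} else if (cert) {` would keep the error log accurate for anyone triaging a boot failure. Both messages also name `check_db_hash`/`check_db_cert` although the calls are to the `_in_ram` variants. Separately, both new branches return `EFI_SUCCESS` immediately, so a short comment stating that the revocation lists (vendor_dbx and friends) are expected to have been consulted before `check_whitelist` is reached would document the ordering this code relies on. That call is not visible here, since the body of `check_whitelist` starts and ends outside the hunk.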
@@ -1076,6 +1101,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
}
#endif /* defined(ENABLE_SHIM_CERT) */
+#if defined(VENDOR_CERT_FILE)
/*
* And finally, check against shim's built-in key
*/
@@ -1093,6 +1119,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
} else {
LogError(L"AuthenticodeVerify(vendor_authorized) failed\n");
}
+#endif /* defined(VENDOR_CERT_FILE) */
}
LogError(L"Binary is not whitelisted\n");