Improve debug output some

Signed-off-by: Peter Jones <pjones@redhat.com> Upstream: pr#213
author: Peter Jones <pjones@redhat.com> 2020-07-23 20:29:52 -0400
committer: Peter Jones <pjones@redhat.com> 2020-07-25 22:14:08 -0400
commit: fc4368fed53837e00d303600d8b628cb0392b629 (patch)
tree: 747256d09cbd25088439cc99b1abc3416889df14 /shim.c
parent: 705d47ac2c90b8de07a4ef3e1930de6c4b8fece0 (diff)
download: efi-boot-shim-fc4368fed53837e00d303600d8b628cb0392b629.tar.gz
efi-boot-shim-fc4368fed53837e00d303600d8b628cb0392b629.zip
1 files changed, 30 insertions, 6 deletions
diff --git a/shim.c b/shim.c
index d10a1ba1..9248642b 100644
--- a/shim.c
+++ b/shim.c
@@ -34,6 +34,7 @@
  */
 
 #include "shim.h"
+#include "hexdump.h"
 #if defined(ENABLE_SHIM_CERT)
 #include "shim_cert.h"
 #endif /* defined(ENABLE_SHIM_CERT) */
@@ -373,12 +374,18 @@ static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize)
 	 * and 64KB. For convenience, assume the number of value bytes
 	 * is 2, i.e. the second byte is 0x82.
 	 */
-	if (Cert[0] != 0x30 || Cert[1] != 0x82)
+	if (Cert[0] != 0x30 || Cert[1] != 0x82) {
+		dprint(L"cert[0:1] is [%02x%02x], should be [%02x%02x]\n",
+		       Cert[0], Cert[1], 0x30, 0x82);
 		return FALSE;
+	}
 
 	length = Cert[2]<<8 | Cert[3];
-	if (length != (CertSize - 4))
+	if (length != (CertSize - 4)) {
+		dprint(L"Cert length is %ld, expecting %ld\n",
+		       length, CertSize);
 		return FALSE;
+	}
 
 	return TRUE;
 }
@@ -426,19 +433,23 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
 	EFI_SIGNATURE_DATA *Cert;
 	UINTN CertSize;
 	BOOLEAN IsFound = FALSE;
+	int i = 0;
 
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 		if (CompareGuid (&CertList->SignatureType, &EFI_CERT_TYPE_X509_GUID) == 0) {
 			Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
 			CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
+			dprint(L"trying to verify cert %d (%s)\n", i++, dbname);
 			if (verify_x509(Cert->SignatureData, CertSize)) {
 				if (verify_eku(Cert->SignatureData, CertSize)) {
+					drain_openssl_errors();
 					IsFound = AuthenticodeVerify (data->CertData,
 								      data->Hdr.dwLength - sizeof(data->Hdr),
 								      Cert->SignatureData,
 								      CertSize,
 								      hash, SHA256_DIGEST_SIZE);
 					if (IsFound) {
+						dprint(L"AuthenticodeVerify() succeeded: %d\n", IsFound);
 						tpm_measure_variable(dbname, guid, CertSize, Cert->SignatureData);
 						drain_openssl_errors();
 						return DATA_FOUND;
@@ -447,7 +458,9 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
 					}
 				}
 			} else if (verbose) {
-				console_notify(L"Not a DER encoding x.509 Certificate");
+				console_print(L"Not a DER encoded x.509 Certificate");
+				dprint(L"cert:\n");
+				dhexdumpat(Cert->SignatureData, CertSize, 0);
 			}
 		}
 
@@ -641,7 +654,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 			verification_method = VERIFIED_BY_CERT;
 			update_verification_method(VERIFIED_BY_CERT);
 			return EFI_SUCCESS;
-		} else {
+		} else if (cert) {
 			LogError(L"check_db_cert(db, sha256hash) != DATA_FOUND\n");
 		}
 	}
@@ -666,7 +679,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		verification_method = VERIFIED_BY_CERT;
 		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
-	} else {
+	} else if (cert) {
 		LogError(L"check_db_cert(vendor_db, sha256hash) != DATA_FOUND\n");
 	}
 #endif
@@ -685,7 +698,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		verification_method = VERIFIED_BY_CERT;
 		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
-	} else {
+	} else if (cert) {
 		LogError(L"check_db_cert(MokList, sha256hash) != DATA_FOUND\n");
 	}
 
@@ -993,6 +1006,11 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in,
 		goto done;
 	}
 
+	dprint(L"sha1 authenticode hash:\n");
+	dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0);
+	dprint(L"sha256 authenticode hash:\n");
+	dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0);
+
 done:
 	if (SectionHeader)
 		FreePool(SectionHeader);
@@ -1155,6 +1173,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	if (EFI_ERROR(ret_efi_status)) {
 		dprint(L"check_whitelist: %r\n", ret_efi_status);
 		if (ret_efi_status != EFI_NOT_FOUND) {
+			dprint(L"check_whitelist(): %r\n", ret_efi_status);
 			PrintErrors();
 			ClearErrors();
 			crypterr(ret_efi_status);
@@ -1803,6 +1822,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 
 	device = li->DeviceHandle;
 
+	dprint(L"attempting to load %s\n", PathName);
 	/*
 	 * Open the device
 	 */
@@ -2778,6 +2798,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 */
 	InitializeLib(image_handle, systab);
 
+	dprint(L"vendor_authorized:0x%08lx vendor_authorized_size:%lu\n",
+		      __FILE__, __LINE__, __func__, vendor_authorized, vendor_authorized_size);
+	dprint(L"vendor_deauthorized:0x%08lx vendor_deauthorized_size:%lu\n",
+		      __FILE__, __LINE__, __func__, vendor_deauthorized, vendor_deauthorized_size);
 	init_openssl();
 
 	/*
author	Peter Jones <pjones@redhat.com>	2020-07-23 20:29:52 -0400
committer	Peter Jones <pjones@redhat.com>	2020-07-25 22:14:08 -0400
commit	fc4368fed53837e00d303600d8b628cb0392b629 (patch)
tree	747256d09cbd25088439cc99b1abc3416889df14 /shim.c
parent	705d47ac2c90b8de07a4ef3e1930de6c4b8fece0 (diff)
download	efi-boot-shim-fc4368fed53837e00d303600d8b628cb0392b629.tar.gz efi-boot-shim-fc4368fed53837e00d303600d8b628cb0392b629.zip