-rw-r--r--include/mok.h101
-rw-r--r--mok.c89
-rw-r--r--shim.h1
3 files changed, 105 insertions, 86 deletions
diff --git a/include/mok.h b/include/mok.h
new file mode 100644
index 00000000..96da397a
--- /dev/null
+++ b/include/mok.h
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * mok.h - structs for MoK data
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#ifndef SHIM_MOK_H_
+#define SHIM_MOK_H_
+
+#include "shim.h"
+
+typedef enum {
+ VENDOR_ADDEND_DB,
+ VENDOR_ADDEND_X509,
+ VENDOR_ADDEND_NONE,
+} vendor_addend_category_t;
+
+struct mok_state_variable;
+typedef vendor_addend_category_t (vendor_addend_categorizer_t)(struct mok_state_variable *);
+
+/*
+ * MoK variables that need to have their storage validated.
+ *
+ * The order here is important, since this is where we measure for the
+ * tpm as well.
+ */
+struct mok_state_variable {
+ CHAR16 *name; /* UCS-2 BS|NV variable name */
+ char *name8; /* UTF-8 BS|NV variable name */
+ CHAR16 *rtname; /* UCS-2 RT variable name */
+ char *rtname8; /* UTF-8 RT variable name */
+ EFI_GUID *guid; /* variable GUID */
+
+ /*
+ * these are used during processing, they shouldn't be filled out
+ * in the static table below.
+ */
+ UINT8 *data;
+ UINTN data_size;
+
+ /*
+ * addend are added to the input variable, as part of the runtime
+ * variable, so that they're visible to the kernel. These are
+ * where we put vendor_cert / vendor_db / vendor_dbx
+ *
+ * These are indirect pointers just to make initialization saner...
+ */
+ vendor_addend_categorizer_t *categorize_addend; /* determines format */
+ /*
+ * we call categorize_addend() and it determines what kind of thing
+ * this is. That is, if this shim was built with VENDOR_CERT, for
+ * the DB entry it'll return VENDOR_ADDEND_X509; if you used
+ * VENDOR_DB instead, it'll return VENDOR_ADDEND_DB. If you used
+ * neither, it'll do VENDOR_ADDEND_NONE.
+ *
+ * The existing categorizers are for db and dbx; they differ
+ * because we don't currently support a CERT for dbx.
+ */
+ UINT8 **addend;
+ UINT32 *addend_size;
+
+ /*
+ * build_cert is our build-time cert. Like addend, this is added
+ * to the input variable, as part of the runtime variable, so that
+ * they're visible to the kernel. This is the ephemeral cert used
+ * for signing MokManager.efi and fallback.efi.
+ *
+ * These are indirect pointers just to make initialization saner...
+ */
+ UINT8 **build_cert;
+ UINT32 *build_cert_size;
+
+ UINT32 yes_attr; /* var attrs that must be set */
+ UINT32 no_attr; /* var attrs that must not be set */
+ UINT32 flags; /* flags on what and how to mirror */
+ /*
+ * MOK_MIRROR_KEYDB mirror this as a key database
+ * MOK_MIRROR_DELETE_FIRST delete any existing variable first
+ * MOK_VARIABLE_MEASURE extend PCR 7 and log the hash change
+ * MOK_VARIABLE_LOG measure into whatever .pcr says and log
+ */
+ UINTN pcr; /* PCR to measure and hash to */
+
+ /*
+ * if this is a state value, a pointer to our internal state to be
+ * mirrored.
+ */
+ UINT8 *state;
+};
+
+extern size_t n_mok_state_variables;
+extern struct mok_state_variable *mok_state_variables;
+
+struct mok_variable_config_entry {
+ CHAR8 name[256];
+ UINT64 data_size;
+ UINT8 data[];
+};
+
+#endif /* !SHIM_MOK_H_ */
+// vim:fenc=utf-8:tw=75:noet
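Review bot: The comment block under `UINT32 flags;` names MOK_MIRROR_KEYDB, MOK_MIRROR_DELETE_FIRST, MOK_VARIABLE_MEASURE and MOK_VARIABLE_LOG, but those macros stay `#define`d in mok.c (the `#define MOK_VARIABLE_MEASURE 0x04` / `#define MOK_VARIABLE_LOG 0x08` context in the second mok.c hunk shows them there), so a translation unit that includes this header and reads `mok_state_variables` cannot interpret `flags` without redeclaring them. Either move the four `#define`s into mok.h next to the struct, or point the reader at them with `/* MOK_MIRROR_* / MOK_VARIABLE_* values are defined in mok.c */`. `struct mok_variable_config_entry` is now a public on-the-wire layout (`UINT64 data_size` followed by a flexible `data[]`); a one-line comment that `data_size` must be bounded by the remaining buffer length by whoever parses it would keep the contract with the header rather than buried in import_one_mok_state. A smaller point: mok.h includes shim.h on its first line while the shim.h hunk includes mok.h back, so the two include guards are now the only thing breaking the cycle, which is fine as long as nothing in shim.h after the `#include "include/mok.h"` line needs these types — I cannot see that from here.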
diff --git a/mok.c b/mok.c
index af1756c2..801379ee 100644
--- a/mok.c
+++ b/mok.c
@@ -58,85 +58,6 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
return EFI_SUCCESS;
}
-typedef enum {
- VENDOR_ADDEND_DB,
- VENDOR_ADDEND_X509,
- VENDOR_ADDEND_NONE,
-} vendor_addend_category_t;
-
-struct mok_state_variable;
-typedef vendor_addend_category_t (vendor_addend_categorizer_t)(struct mok_state_variable *);
-
-/*
- * MoK variables that need to have their storage validated.
- *
- * The order here is important, since this is where we measure for the
- * tpm as well.
- */
-struct mok_state_variable {
- CHAR16 *name; /* UCS-2 BS|NV variable name */
- char *name8; /* UTF-8 BS|NV variable name */
- CHAR16 *rtname; /* UCS-2 RT variable name */
- char *rtname8; /* UTF-8 RT variable name */
- EFI_GUID *guid; /* variable GUID */
-
- /*
- * these are used during processing, they shouldn't be filled out
- * in the static table below.
- */
- UINT8 *data;
- UINTN data_size;
-
- /*
- * addend are added to the input variable, as part of the runtime
- * variable, so that they're visible to the kernel. These are
- * where we put vendor_cert / vendor_db / vendor_dbx
- *
- * These are indirect pointers just to make initialization saner...
- */
- vendor_addend_categorizer_t *categorize_addend; /* determines format */
- /*
- * we call categorize_addend() and it determines what kind of thing
- * this is. That is, if this shim was built with VENDOR_CERT, for
- * the DB entry it'll return VENDOR_ADDEND_X509; if you used
- * VENDOR_DB instead, it'll return VENDOR_ADDEND_DB. If you used
- * neither, it'll do VENDOR_ADDEND_NONE.
- *
- * The existing categorizers are for db and dbx; they differ
- * because we don't currently support a CERT for dbx.
- */
- UINT8 **addend;
- UINT32 *addend_size;
-
- /*
- * build_cert is our build-time cert. Like addend, this is added
- * to the input variable, as part of the runtime variable, so that
- * they're visible to the kernel. This is the ephemeral cert used
- * for signing MokManager.efi and fallback.efi.
- *
- * These are indirect pointers just to make initialization saner...
- */
- UINT8 **build_cert;
- UINT32 *build_cert_size;
-
- UINT32 yes_attr; /* var attrs that must be set */
- UINT32 no_attr; /* var attrs that must not be set */
- UINT32 flags; /* flags on what and how to mirror */
- /*
- * MOK_MIRROR_KEYDB mirror this as a key database
- * MOK_MIRROR_DELETE_FIRST delete any existing variable first
- * MOK_VARIABLE_MEASURE extend PCR 7 and log the hash change
- * MOK_VARIABLE_LOG measure into whatever .pcr says and log
- */
- UINTN pcr; /* PCR to measure and hash to */
-
- /*
- * if this is a state value, a pointer to our internal state to be
- * mirrored.
- */
- UINT8 *state;
-};
-
static vendor_addend_category_t
categorize_authorized(struct mok_state_variable *v)
{
@@ -164,7 +85,7 @@ categorize_deauthorized(struct mok_state_variable *v)
#define MOK_VARIABLE_MEASURE 0x04
#define MOK_VARIABLE_LOG 0x08
-struct mok_state_variable mok_state_variables[] = {
+struct mok_state_variable mok_state_variable_data[] = {
{.name = L"MokList",
.name8 = "MokList",
.rtname = L"MokListRT",
@@ -247,6 +168,8 @@ struct mok_state_variable mok_state_variables[] = {
},
{ NULL, }
};
+size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);
+struct mok_state_variable *mok_state_variables = &mok_state_variable_data[0];
#define should_mirror_addend(v) (((v)->categorize_addend) && ((v)->categorize_addend(v) != VENDOR_ADDEND_NONE))
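Review bot: `n_mok_state_variables` on the new `size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);` line counts the `{ NULL, }` terminator that closes the table two lines above, so it is one more than the number of real entries; a caller that loops `for (i = 0; i < n_mok_state_variables; i++)` over `mok_state_variables` reaches the sentinel entry whose `name` is NULL on its last iteration. If the count is meant to exclude the sentinel, subtract it and say so: `/* excludes the trailing { NULL, } sentinel */` then `size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]) - 1;`; otherwise a comment stating the sentinel is included will do. Both exported objects are also writable from every translation unit that includes mok.h; since the pointer never needs to change, `struct mok_state_variable *const mok_state_variables = &mok_state_variable_data[0];` (with the matching `extern` in the header) would stop a later bug from redirecting the table that feeds PCR measurement.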
@@ -894,12 +817,6 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
return ret;
}
-struct mok_variable_config_entry {
- CHAR8 name[256];
- UINT64 data_size;
- UINT8 data[];
-};
-
EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
BOOLEAN only_first)
{
diff --git a/shim.h b/shim.h
index d54fc6e9..5e1ab36b 100644
--- a/shim.h
+++ b/shim.h
@@ -172,6 +172,7 @@
#include "include/ip4config2.h"
#include "include/ip6config.h"
#include "include/load-options.h"
+#include "include/mok.h"
#include "include/netboot.h"
#include "include/passwordcrypt.h"
#include "include/peimage.h"