summaryrefslogtreecommitdiff
path: root/MokManager.c
diff options
context:
space:
mode:
Diffstat (limited to 'MokManager.c')
-rw-r--r--MokManager.c84
1 files changed, 51 insertions, 33 deletions
diff --git a/MokManager.c b/MokManager.c
index 08e1d363..f7504d0d 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -35,7 +35,8 @@ typedef struct {
typedef struct {
UINT32 MokSBState;
- UINT8 hash[SHA256_DIGEST_SIZE];
+ UINT32 PWLen;
+ CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;
static EFI_INPUT_KEY get_keystroke (void)
@@ -108,7 +109,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
(CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
continue;
}
@@ -116,7 +117,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
(CertList->SignatureSize != 48)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
continue;
}
@@ -129,7 +130,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
count++;
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
}
return list;
@@ -414,7 +415,7 @@ static UINT8 list_keys (void *MokNew, UINTN MokNewSize)
Print(L"Doesn't look like a key or hash\n");
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
continue;
}
@@ -423,14 +424,14 @@ static UINT8 list_keys (void *MokNew, UINTN MokNewSize)
Print(L"Doesn't look like a valid hash\n");
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
continue;
}
MokNum++;
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureSize);
+ CertList->SignatureListSize);
}
keys = build_mok_list(MokNum, MokNew, MokNewSize);
@@ -615,8 +616,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate)
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokList",
&shim_lock_guid,
EFI_VARIABLE_NON_VOLATILE
- | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_APPEND_WRITE,
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
} else {
/* Write new MOK */
@@ -694,12 +694,13 @@ static INTN mok_sb_prompt (void *MokSB, void *data2, void *data3) {
EFI_STATUS efi_status;
UINTN MokSBSize = (UINTN)data2;
MokSBvar *var = MokSB;
- CHAR16 password[SB_PASSWORD_LEN];
- UINT8 fail_count = 0;
+ CHAR16 password[1];
+ UINT8 correct = 0, fail_count = 0;
UINT8 hash[SHA256_DIGEST_SIZE];
UINT32 length;
CHAR16 line[1];
UINT8 sbval = 1;
+ UINT8 pos;
LibDeleteVariable(L"MokSB", &shim_lock_guid);
@@ -710,32 +711,23 @@ static INTN mok_sb_prompt (void *MokSB, void *data2, void *data3) {
uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
- while (fail_count < 3) {
- Print(L"Enter Secure Boot passphrase: ");
- get_line(&length, password, SB_PASSWORD_LEN, 0);
-
- if (length != SB_PASSWORD_LEN) {
- Print(L"Invalid password length\n");
- fail_count++;
- continue;
- }
+ while (correct < 3) {
+ RandomBytes (&pos, sizeof(pos));
- efi_status = compute_pw_hash(NULL, 0, password,
- SB_PASSWORD_LEN, hash);
+ pos = pos % var->PWLen;
- if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to generate password hash\n");
- fail_count++;
- continue;
- }
+ Print(L"Enter password character %d: ", pos + 1);
+ get_line(&length, password, 1, 0);
- if (CompareMem(var->hash, hash, SHA256_DIGEST_SIZE) != 0) {
- Print(L"Password doesn't match\n");
+ if (password[0] != var->Password[pos]) {
+ Print(L"Invalid character\n");
fail_count++;
- continue;
+ } else {
+ correct++;
}
- break;
+ if (fail_count >= 3)
+ break;
}
if (fail_count >= 3) {
@@ -811,8 +803,7 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) {
continue;
}
- efi_status = compute_pw_hash(NULL, 0, password,
- SB_PASSWORD_LEN, hash);
+ efi_status = compute_pw_hash(NULL, 0, password, length, hash);
if (efi_status != EFI_SUCCESS) {
Print(L"Unable to generate password hash\n");
@@ -1630,12 +1621,39 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
return EFI_SUCCESS;
}
+static EFI_STATUS setup_rand (void)
+{
+ EFI_TIME time;
+ EFI_STATUS efi_status;
+ UINT64 seed;
+ BOOLEAN status;
+
+ efi_status = uefi_call_wrapper(RT->GetTime, 2, &time, NULL);
+
+ if (efi_status != EFI_SUCCESS)
+ return efi_status;
+
+ seed = ((UINT64)time.Year << 48) | ((UINT64)time.Month << 40) |
+ ((UINT64)time.Day << 32) | ((UINT64)time.Hour << 24) |
+ ((UINT64)time.Minute << 16) | ((UINT64)time.Second << 8) |
+ ((UINT64)time.Daylight);
+
+ status = RandomSeed((UINT8 *)&seed, sizeof(seed));
+
+ if (!status)
+ return EFI_ABORTED;
+
+ return EFI_SUCCESS;
+}
+
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *systab)
{
EFI_STATUS efi_status;
InitializeLib(image_handle, systab);
+ setup_rand();
+
efi_status = check_mok_request(image_handle);
return efi_status;
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-20 15:18:42 +0000