diff options
Diffstat (limited to 'shim.c')
| -rw-r--r-- | shim.c | 30 |
1 files changed, 21 insertions, 9 deletions
@@ -962,10 +962,9 @@ static EFI_STATUS verify_mok (void) { * Check that the signature is valid and matches the binary */ static EFI_STATUS verify_buffer (char *data, int datasize, - PE_COFF_LOADER_IMAGE_CONTEXT *context) + PE_COFF_LOADER_IMAGE_CONTEXT *context, + UINT8 *sha256hash, UINT8 *sha1hash) { - UINT8 sha256hash[SHA256_DIGEST_SIZE]; - UINT8 sha1hash[SHA1_DIGEST_SIZE]; EFI_STATUS status = EFI_SECURITY_VIOLATION; WIN_CERTIFICATE_EFI_PKCS *cert = NULL; unsigned int size = datasize; @@ -1206,6 +1205,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, unsigned int alignment, alloc_size; EFI_PHYSICAL_ADDRESS alloc_address; int found_entry_point = 0; + UINT8 sha1hash[SHA1_DIGEST_SIZE]; + UINT8 sha256hash[SHA256_DIGEST_SIZE]; /* * The binary header contains relevant context and section pointers @@ -1219,8 +1220,17 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, /* * We only need to verify the binary if we're in secure mode */ + efi_status = generate_hash(data, datasize, &context, sha256hash, + sha1hash); + if (efi_status != EFI_SUCCESS) + return efi_status; + + /* Measure the binary into the TPM */ + tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); + if (secure_mode ()) { - efi_status = verify_buffer(data, datasize, &context); + efi_status = verify_buffer(data, datasize, &context, + sha256hash, sha1hash); if (EFI_ERROR(efi_status)) { console_error(L"Verification failed", efi_status); @@ -1711,6 +1721,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) { EFI_STATUS status = EFI_SUCCESS; PE_COFF_LOADER_IMAGE_CONTEXT context; + UINT8 sha1hash[SHA1_DIGEST_SIZE]; + UINT8 sha256hash[SHA256_DIGEST_SIZE]; loader_is_participating = 1; in_protocol = 1; @@ -1722,7 +1734,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) if (status != EFI_SUCCESS) goto done; - status = verify_buffer(buffer, size, &context); + status = generate_hash(buffer, size, &context, sha256hash, sha1hash); + if (status != EFI_SUCCESS) + goto done; + + status = verify_buffer(buffer, size, &context, sha256hash, sha1hash); done: in_protocol = 0; return status; @@ -1826,10 +1842,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) } } - /* Measure the binary into the TPM */ - tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, - 9, (CHAR8 *)"Second stage bootloader"); - /* * We need to modify the loaded image protocol entry before running * the new binary, so back it up |