Age | Commit message | Author |
|
Build changes to generate include/generated_sbat_var_defs.h from
SbatLevel_Variable.txt and use that header file. From here on
forward SbatLevel_Variable.txt should be the only place a new
revocation needs to be recorded.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
This adds the utility program generate_sbat_var_defs, which can be used
to generate the sbar_var_defs.h header file from the human readable
SbatLevel_Variable.txt file.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
shim takes several forms of input from several sources that are not
necessarily trustworthy. As such, we need to take measures to validate
that we don't have unacceptable results from bad inputs. One such
measure is "fuzzing" the inputs which parse untrusted data by running
them with randomized or partially randomized input.
This change adds such testing using clang's "libFuzzer" to our CSV
parser. I've run this on 24-cores at 4GHz for half an hour, and so far
each fuzzer has converged on 79% coverage. I expect the 21% that's not
getting covered are the EFI API mock interfaces we're building in from
test.c and similar. So far no errors have been found, which is what was
expected since this particular API is being manually fuzzed with ~8kB of
/dev/urandom on every build since 2021-02-23.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds a make rule to generate compile_commands.json, which some
verifier tools depend on.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Some tests will need variables, and so we need a mock implementation of
the various calls relating to them.
This patch adds implementations for the EFI Runtime Services calls
GetVariable(), SetVariable(), GetNextVariableName(), and
QueryVariableInfo(). Additionally, it enforces tunable limits on
storage for variables, and (with only a little work) the limits can be
different for SetVariable() vs what is returned by QueryVariableInfo().
That is, it can lie to you like real systems do.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds compile_commands.json (used by https://github.com/neoclide/coc.nvim)
and clangd's .cache/ directory to .gitignore.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Some versions of binutils[0], including binutils-2.23.52.0.1-55.el7,
do not correctly initialize the data when computing the PE optional
header checksum. Unfortunately, this means that any time you get a
build that reproduces correctly using the version of objcopy from those
versions, it's just a matter of luck.
This patch introduces a new utility program, post-process-pe, which does
some basic validation of the resulting binaries, and if necessary,
performs some minor repairs:
- sets the timestamp to 0
  - this was previously done with dd using constant offsets that aren't
    really safe.
- re-computes the checksum.
[0] I suspect, but have not yet fully verified, that this is
    accidentally fixed by the following upstream binutils commit:
    commit cf7a3c01d82abdf110ef85ab770e5997d8ac28ac
    Author: Alan Modra <amodra@gmail.com>
    Date: Tue Dec 15 22:09:30 2020 +1030
        Lose some COFF/PE static vars, and peicode.h constify
        This patch tidies some COFF and PE code that unnecessarily used static
        variables to communicate between functions.
v2 - MAP_PRIVATE was totally wrong...
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If the file Make.local exists, use it as a source of local build
configuration by including it in Make.defaults.
(cherry picked from commit 57e38a1ebf73 in the shim-15.2 branch)
Signed-off-by: Paul Moore <pmoore2@cisco.com>
|
|
This does a couple of straightforward tests on our CSV parser, and then
for good measure it does two with random data - one that's just random
data, one that's had all the zeros changed to nonzero values.
Note that building and running this test does not quite work yet /on
this branch/. In order to do that, we need some cleanups and
reorganizing that I don't want to push just yet, which can be found on
https://github.com/rhboot/shim/tree/test-reorg
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds a couple of make targets to do unit tests that are linked to
libc:
  test-FOO : builds and runs test-FOO for any test-FOO.c
  test     : builds and runs all test-FOO tests
Note that building and running this test does not quite work yet /on
this branch/. In order to do that, we need some cleanups and
reorganizing that I don't want to push just yet, which can be found on
https://github.com/rhboot/shim/tree/test-reorg
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds stuff that only ever gets made as an artifact of building
(though build*/ generally doesn't, as of this commit.)
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This had gotten weird in a couple of ways. Easy to fix.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This was previously on devel as:
    commit 2e29c0358888412e9addfb016cc72f6e89ffb536
    Author: Peter Jones <pjones@redhat.com>
    Date: Mon Jun 29 14:06:34 2020 -0400
        Add .cer/.crt/.esl to .gitignore
But .cer and .crt were added independently in another commit since then.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
*.hash should be ignored by git status if ENABLE_SHIM_HASH is
configured.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data. When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.
This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I feel dirty.
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|