| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
This is a modified upstream patch, so it applies fine to shim-15
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
When bd89dabf5fc767e3824 added the capability to use an
EFI_SECURITY_LIST as VENDOR_DB_FILE instead of VENDOR_CERT_FILE, and
then when I subsequently did the cleanup in 2ab1322fae6f3d3bcfbf, we
accidentally broke building with both of those disabled, due to the lack
of a definition of vendor_authorized when propagating MokDb forward.
This patch adds a default definition of vendor_authorized and
vendor_authorized_size, which point at 0 values, for building in the
case where neither option is in use.
Signed-off-by: Peter Jones <pjones@redhat.com>
This is a modified upstream patch, so it applies fine to shim-15
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
This is a modified upstream patch, so it applies fine to shim-15
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
This is a modified upstream patch, so it applies fine to shim-15
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
This is a modified upstream patch, so it applies fine to shim-15
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
Potential new signing strategies ( for example signing grub, fwupdate and
vmlinuz with separate certificates ) require shim to support a vendor
provided bundle of trusted certificates and hashes, which allows shim to
"whitelist" EFI binaries matching either certificate by signature, or hash
in the vendor_db.. Functionality is similar to vendor_dbx ( vendor blacklist
). Patch is a polished version of code, authored by P. Jones.
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
The shim_cert array was declared as a static array, and every user of
shim_cert.h would create a shim_cert array for its own and grow the file
size. To remove the unnecessary duplicate shim_cert arrays, this commit
declares shim_cert in shim.c while other users still can access the
array through the external variables: build_cert and build_cert_size.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 4e2d62f0f4e
|
|
If the build cert is enabled, we should also mirror it to MokListRT.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: aecbe1f99b6
|
|
The current code is incorrectly failing to load the fbaa64.efi image found
in Arm servers even though the UEFI shell code is able to properly load
and execute the same image.
The problem is due to the presence of a section header that has zero size
and address and marked "discardable" in the fbaa64.efi image.
Although there is already a check further down in the code to look for
the discardable bit and skip further verification checks if set, we never
get to that point due to the "end < base" check at the start of the loop.
Here is a dump of the fbaa64.efi image as compiled on an Arm machine
from the latest code in this repo:
% # First I used hexedit to change header byte from 'AA' to '86'
% # so that objdump was able to correctly parse the file:
% objdump -x -m aarch64 fbaa64.efi
fbaa64.efi: file format pei-x86-64
fbaa64.efi
architecture: i386:x86-64, flags 0x00000103:
HAS_RELOC, EXEC_P, D_PAGED
start address 0x0000000000000148
Characteristics 0x20e
executable
line numbers stripped
symbols stripped
debugging information removed
Time/Date Wed Dec 31 16:00:00 1969
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 20
SizeOfCode 000b15d0
SizeOfInitializedData 00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000000148
BaseOfCode 0000000000000148
ImageBase 0000000000000000
SectionAlignment 0000000000000020
FileAlignment 0000000000000008
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 000b1718
SizeOfHeaders 00000148
CheckSum 00000000
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000006
The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
Sections:
Idx Name Size VMA LMA File off Algn
0 .reloc 00000000 0000000000000000 0000000000000000 00000000 2**0
ALLOC, LOAD, READONLY, DATA
1 .text 000b15d0 0000000000000148 0000000000000148 00000148 2**4
CONTENTS, ALLOC, LOAD, CODE
SYMBOL TABLE:
no symbols
Signed-off-by: Maran Wilson <maran.wilson@oracle.com>
Reviewed-by: Aaron Young <aaron.young@oracle.com>
Reviewed-by: Jack Schwartz <jack.schwartz@oracle.com>
Upstream-commit-id: 6df7a8f5609
|
|
The generate_path_from_image_path() doesn't properly handle the case when
shim is invoked using a relative path (e.g: from the EFI shell). In that
function, always the last component is stripped from absolute file path
to calculate the dirname, and this is concatenated with the image path.
But if the path is a relative one, the function will wrongly concatenate
the dirname with the relative image path, i.e:
Shell> FS0:
FS0:\> cd EFI
FS0:\EFI\> BOOT\BOOTX64.EFI
Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found
Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found
start_image() returned Not found
Calculate the image path basename and concatenate that with the dirname.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Maran Wilson maran.wilson@oracle.com
Tested-by: Maran Wilson maran.wilson@oracle.com
Upstream-commit-id: a625fa5096c
|
|
This didn't seem to get documented anywhere, and this is as good a place as any.
Upstream-commit-id: 4fab7281a8c
|
|
Calling the TPM2 get_event_log causes the firmware to start logging
events to the final events table, but implementations may also continue
logging to the boot services event log. Any OS that wishes to
reconstruct the full PCR state must already look at both the final
events log and the boot services event log, so if this call is made
anywhere other than immediately before ExitBootServices() then the OS
must deduplicate events that occur in both, complicating things
immensely.
Linux already has support for copying up the boot services event log
across the ExitBootServices() boundary, so there's no reason to make
this call. Remove it.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Upstream-commit-id: fd7c3bd920b
|
|
$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
Time/Date Thu Jan 1 00:00:08 1970
$ _
"What is despair? I have known it—hear my song. Despair is when you’re
debugging a kernel driver and you look at a memory dump and you see that
a pointer has a value of 7."
- http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
objcopy only knows about -D for some targets.
ld only believes in --no-insert-timestamp in some versions.
dd takes off and nukes the site from orbit.
It's the only way to be sure.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I have come across systems that are unwilling to reserve enough memory for
a MokListRT big enough for big certificates.
This seems to be the case with firmware implementations that do not support
secureboot, which is probably the reason they went with much lower variable
storage.
This patch set makes sure we can still boot on those systems, by only
making the copy action fatal if the system has secure boot enabled, or if
the error was anything other than EFI_INVALID_PARAMETER.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Upstream-commit-id: 741c61abba7
|
|
VLogError() calculates the size of format strings by using calls to
SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
of "0" is special-cased to mean "there is no limit". So, we end up
writing our string to address 0x0. This was discovered because it
causes a crash on ARM where, unlike x86, it does not necessarily
have memory mapped at 0x0.
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
handles the size calculation and allocation for us.
Signed-off-by: Peter Jones <pjones@redhat.com>
Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
[dannf: commit message ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
|
There's no reason to complicate the logic with a goto here, instead just
pull the logic we're jumping to out to a helper function.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When there is no key in MokList, import_mok_state() just skipped MokList
even though it should always mirror the vendor cert. Besides, the faulty
check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
MokSBStateRT, and MokIgnoreDB.
https://github.com/rhboot/shim/issues/154
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Without this, if a Mok variable doesn't exist in Boot Services, it will also
not be copied to Runtime, even if we have data to be added to it (vendor cert).
This patch makes sure that if we have extra data to append, we still mirror
the variable.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Don't return EFI_NOT_FOUND from tpm_log_event*() unless we're in
REQUIRE_TPM mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This was merged before it was really ready - verify_trusted_cert needs
to check each certificate against vendor_dbx, "dbx", and "MokListX", or
else it can enable a blacklisted certificate accidentally.
This reverts commit 8721bbe6fb1bfdfbc8bd16e05673929e4cbbdedc.
|
|
This reverts commit 6aa5a62515d62139a2d3b34626fac8910e864a3d.
Everything Hans said was correct. But StrnCat() is in gnu-efi 3.0.8,
and using just StrCpy() here confuses coverity. I'd rather have a CI
page that's not completely full of chaff, but a little bit of redundancy
in the code.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
scan-build doesn't like it when we assign return values but don't use
them.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I don't think the x86 binaries clang builds will actually work unless
they just infer -maccumulate-outgoing-args from __attribute__((__ms_abi__),
but it's nice to have the analyzer working.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Allow shim to perform verification against a list of trusted
certificates by simply concatenating the DER files.
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
|
|
There is currently no way for a caller of handle_image() to free the
memory allocated to hold the relocated executable. Fix by adding the
allocated memory address and number of pages as returned parameters
from handle_image().
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
|
|
Treat entry_point as a returned parameter from handle_image(), rather
than using a global variable.
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
|
|
relocate_coff() currently modifies the PE header within the raw data.
This appears to be unnecessary, and causes a verification failure if a
second attempt is made to verify the same data buffer.
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
|
|
StrnCat is not available in gnu-efi-3.0.5 (I did not check if it does
actually exists in 3.0.6). Moreover using strcat on a buffer where we've
just done: "buf[0] = '\0'" is a bit silly, we might as well drop the 0
termination and just use strcpy.
It seems there also is no StrnCpy in gnu-efi-3.0.5, but we are passing in
a pointer to the end of file_name minus 4, so strcpy will consume only
4 bytes anyways and there is no need for the "n".
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
The manual merge of the "console: Do not set EFI console to textmode until
something is printed" patch has lead to a bunch of tabs being replaced
with 7 spaces. This commit fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
Remove the setup_console(1) calls from shim and instead make lib/console.c
make that call when necessary. This avoids shim forcing the EFI console to
switch to text-mode if nothing is printed.
This commit also modifies MokManager to work the same way for consistency,
even though MokManager will always print something.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
This is a preparation patch for making setup_console() private.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
This is a preparation commit for removing the setup_console(1) calls from
MokManager and shim so that we don't force the EFI console to switch to
text-mode.
This commit replaces all direct calls to Print / PrintAt with calls to
the new helpers (no functional changes) so that we can delay calling
setup_console(1) till the first Print call in a follow-up patch.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
