| Age | Commit message (Collapse) | Author |
|---|
|
This allows us to use library functions from libefi.a in our test
programs.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
test.c duplicates a couple of objects (StrnCmp, StrCmp) that are
in libefi.a, as well as SHIM_LOCK_GUID from lib/guid.o. While it's nice
to have these at some places, we need to disable them if we're actually
linking a test case against either of those.
This patch adds HAVE_foo guards around those objects.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In some test cases, it's useful to be able to call some of the very
common stuff in gnu-efi's efilib.h (i.e. CompareGuid()), but including
that header itself is too big for me to tackle right now.
This patch adds a few more decls to test.h.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
pause() is a posix function, and having it named the same as this makes
it hard to include the asm.h header in some test cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The load options handling is quite complicated and tries to accomodate
several scenarios, but there are currently multiple issues:
- If the supplied LoadOptions is an EFI_LOAD_OPTION structure,
second_stage gets initialized to the entire contents of the OptionalData
field and load_options is initialized to NULL, which means it isn't
possible to pass additional options to the second stage loader (and it
looks like the intention is for this to be supported).
- If the supplied LoadOptions contains 2 or more strings, the code seems
to assume that shim was executed from the UEFI shell and that the first
argument is the path of the shim executable, so it's ignored. But this
breaks the ability to pass additional options to the second stage loader
from BDS on firmware implementations that initialize LoadOptions to just
the OptionalData field of the EFI_LOAD_OPTION, which is what EDK2 seems
to do.
This is moot anyway because this case (strings == 2) doesn't actually seem
to work, as nothing sets loader_len and therefore second_stage is not set
to the custom loader path.
- If the supplied LoadOptions contains a single string that isn't shim's
path, nothing sets loader_len and therefore second_stage isn't set at the
end of set_second_stage.
- set_second_stage replaces L' ' characters with L'\0' - whilst this is
useful to NULL terminate the path for the second stage, it doesn't seem
quite right to do this for the remaining LoadOptions data. Grub's
chainloader command supplies additional arguments as a NULL-terminated
space-delimited string via LoadOptions. Making it NULL-delimited seems to
be incompatible with the kernel's commandline handling, which wouldn't
work for scenarios where you might want to direct-boot a kernel image
(wrapped in systemd's EFI stub) from shim.
- handle_image passes the original LoadOptions to the second stage if
load_options is NULL, which means that the second stage currently always
gets shim's load options.
I've made an attempt to try to fix things. After the initial
checks in set_second_stage, it now does this:
- Tries to parse LoadOptions as an EFI_LOAD_OPTION in order to extract
the OptionalData if it is.
- If it's not an EFI_LOAD_OPTION, check if the first string is the
current shim path and ignore it if it is (the UEFI shell case).
- Split LoadOptions in to a single NULL terminated string (used to
initialize second_stage) and the unmodified remaining data (used to
initialize load_options and load_options_size).
I've also modified handle_image to always set LoadOptions and
LoadOptionsSize. If shim is executed with no options, or is only
executed with a single option to override the second stage loader
path, the second stage is executed with LoadOptions = NULL and
LoadOptionsSize = 0 now.
I've tested this on EDK2 and I can load a custom loader with extra
options from both BDS and the UEFI shell:
FS0:\> shimx64.efi test.efi
LoadOptionsSize: 0
LoadOptions: (null)
FS0:\> shimx64.efi test.efi
LoadOptionsSize: 0
LoadOptions: (null)
FS0:\> shimx64.efi test.efi foo bar
LoadOptionsSize: 16
LoadOptions: foo bar
|
|
Use the stronger "will" rather than "will should". I'm not sure based on
what's there, but suspect "must" would be appropriate instead?
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
|
1. Use : instead of , to separate a list.
2. Fix spelling of therefore.
3. Pull unrelated clause out of parenthesized clause.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
|
An openSUSE user reported(*) that shim 15.4 failed to boot the system
with the following message:
"Could not create MokListXRT: Out of Resources"
In the beginning, I thought it's caused by the growing size of
vendor-dbx. However, we found the following messages after set
SHIM_VERBOSE:
max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
Even though the firmware claimed the remaining storage size is 0x85EC
and the maximum variable size is 0x8000, it still rejected MokListXRT
with size 0x1404. It seems that the return values from QueryVariableInfo()
are not reliable. Since this firmware didn't really support Secure Boot,
the variable mirroring is not so critical, so we can just accept the
failure of import_mok_state() and continue boot.
(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
Signed-off-by: Gary Lin <glin@suse.com>
|
|
On some versions of binutils[0], including binutils-2.23.52.0.1-55.el7,
do not correctly initialize the data when computing the PE optional
header checksum. Unfortunately, this means that any time you get a
build that reproduces correctly using the version of objcopy from those
versions, it's just a matter of luck.
This patch introduces a new utility program, post-process-pe, which does
some basic validation of the resulting binaries, and if necessary,
performs some minor repairs:
- sets the timestamp to 0
- this was previously done with dd using constant offsets that aren't
really safe.
- re-computes the checksum.
[0] I suspect, but have not yet fully verified, that this is
accidentally fixed by the following upstream binutils commit:
commit cf7a3c01d82abdf110ef85ab770e5997d8ac28ac
Author: Alan Modra <amodra@gmail.com>
Date: Tue Dec 15 22:09:30 2020 +1030
Lose some COFF/PE static vars, and peicode.h constify
This patch tidies some COFF and PE code that unnecessarily used static
variables to communicate between functions.
v2 - MAP_PRIVATE was totally wrong...
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
memory appears to be initialized randomly.
This patch changes it to not call RT->QueryVariableInfo() if the
EFI_RUNTIME_SERVICES table's major revision is less than two, and
assumes our maximum variable size is 1024 in that case.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Linux kernel is picky when reserving the memory for x86 and it only
expects BootServicesData:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
Otherwise, the following error would show during system boot:
Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
Although BootServicesData would be reclaimed after ExitBootService(),
linux kernel reserves MOK config table when it detects the existence of
the table, so it's fine to allocate the table as BootServicesData.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
directive before .reloc, but fails to do so.
As a result, binutils, which does not care about the actual binary
format's constraints in any way, does not enforce the section alignment,
and it will not load.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This is purely superficial, as the commit points at the shim-15.4 branch
already, but some people have found it confusing.
This fixes issue #356.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
up into a function that manages the whole mok state, and one that
handles the state machine for an individual state variable.
Unfortunately, the code that initializes the global ignore_db and
user_insecure_mode was copied from import_mok_state() into the new
import_one_mok_state() function, and thus re-initializes that state each
time it processes a MoK state variable, before even assessing if that
variable is set. As a result, we never honor either flag, and the
machine owner cannot disable trusting the system firmware's db/dbx
databases or disable validation altogether.
This patch removes the extra re-initialization, allowing those variables
to be set properly.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
|
|
Mark this officially as shim 15.4
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
For every problem, there exists a solution which is simple, elegant, and
wrong. d74629207188d290810db15dbfe91a89e7751ffb is that solution.
This patch leaves that intact, but adds a .rodata section wrapping
.rel/.rela and .dynsym/.dynstr., so that they are correctly
incorporated into the authenticode hash.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds dprint() to a bunch of our error returns.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
This fixes a memory leak caused by test_verify_sbat_null_sbat_section()
not calling cleanup_sbat_var().
Before:
==2591367== Memcheck, a memory error detector
==2591367== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2591367== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2591367== Command: ./test-sbat
==2591367==
==2591367==
==2591367== HEAP SUMMARY:
==2591367== in use at exit: 56 bytes in 1 blocks
==2591367== total heap usage: 17 allocs, 16 frees, 5,382 bytes allocated
==2591367==
==2591367== 56 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2591367== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2591367== by 0x402AEB: parse_sbat_var_data (sbat.c:234)
==2591367== by 0x40189D: UnknownInlinedFun (test-sbat.c:445)
==2591367== by 0x40189D: main (test-sbat.c:1033)
==2591367==
==2591367== LEAK SUMMARY:
==2591367== definitely lost: 56 bytes in 1 blocks
==2591367== indirectly lost: 0 bytes in 0 blocks
==2591367== possibly lost: 0 bytes in 0 blocks
==2591367== still reachable: 0 bytes in 0 blocks
==2591367== suppressed: 0 bytes in 0 blocks
==2591367==
==2591367== For lists of detected and suppressed errors, rerun with: -s
==2591367== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
After:
==2645037== Memcheck, a memory error detector
==2645037== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2645037== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2645037== Command: ./test-sbat
==2645037==
==2645037==
==2645037== HEAP SUMMARY:
==2645037== in use at exit: 0 bytes in 0 blocks
==2645037== total heap usage: 17 allocs, 17 frees, 5,382 bytes allocated
==2645037==
==2645037== All heap blocks were freed -- no leaks are possible
==2645037==
==2645037== For lists of detected and suppressed errors, rerun with: -s
==2645037== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Valgrind was showing me a memory leak in the tests, and it's because of
several minor problems:
- the allocation isn't actually ever a list entry, because the entry
array was before the linked list in the allocations
- the comparison for "first" when trying to free it is incorrect, so
that was never getting set.
- we never free the test variable data that was parsed
- we're never calling cleanup_sbat_var() from several test cases.
This fixes these issues.
Before:
==2525955==
==2525955== HEAP SUMMARY:
==2525955== in use at exit: 181 bytes in 3 blocks
==2525955== total heap usage: 17 allocs, 14 frees, 2,310 bytes allocated
==2525955==
==2525955== 15 bytes in 1 blocks are definitely lost in loss record 1 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x401D21: UnknownInlinedFun (test-sbat.c:937)
==2525955== by 0x401D21: main (test-sbat.c:1043)
==2525955==
==2525955== 56 bytes in 1 blocks are definitely lost in loss record 2 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x402ACB: parse_sbat_var_data (sbat.c:234)
==2525955== by 0x40189D: UnknownInlinedFun (test-sbat.c:445)
==2525955== by 0x40189D: main (test-sbat.c:1029)
==2525955==
==2525955== 110 bytes in 1 blocks are definitely lost in loss record 3 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x402ACB: parse_sbat_var_data (sbat.c:234)
==2525955== by 0x401D67: UnknownInlinedFun (test-sbat.c:943)
==2525955== by 0x401D67: main (test-sbat.c:1043)
==2525955==
==2525955== LEAK SUMMARY:
==2525955== definitely lost: 181 bytes in 3 blocks
==2525955== indirectly lost: 0 bytes in 0 blocks
==2525955== possibly lost: 0 bytes in 0 blocks
==2525955== still reachable: 0 bytes in 0 blocks
==2525955== suppressed: 0 bytes in 0 blocks
==2525955==
==2525955== For lists of detected and suppressed errors, rerun with: -s
==2525955== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
After:
==2591367== Memcheck, a memory error detector
==2591367== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2591367== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2591367== Command: ./test-sbat
==2591367==
==2591367==
==2591367== HEAP SUMMARY:
==2591367== in use at exit: 56 bytes in 1 blocks
==2591367== total heap usage: 17 allocs, 16 frees, 5,382 bytes allocated
==2591367==
==2591367== 56 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2591367== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2591367== by 0x402AEB: parse_sbat_var_data (sbat.c:234)
==2591367== by 0x40189D: UnknownInlinedFun (test-sbat.c:445)
==2591367== by 0x40189D: main (test-sbat.c:1033)
==2591367==
==2591367== LEAK SUMMARY:
==2591367== definitely lost: 56 bytes in 1 blocks
==2591367== indirectly lost: 0 bytes in 0 blocks
==2591367== possibly lost: 0 bytes in 0 blocks
==2591367== still reachable: 0 bytes in 0 blocks
==2591367== suppressed: 0 bytes in 0 blocks
==2591367==
==2591367== For lists of detected and suppressed errors, rerun with: -s
==2591367== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
valgrind noticed test_parse_sbat_section_too_many_elem() this wasn't
doing cleanup properly.
This changes it to clean up without respect to the results.
Before:
==2432919==
==2432919== HEAP SUMMARY:
==2432919== in use at exit: 365 bytes in 4 blocks
==2432919== total heap usage: 17 allocs, 13 frees, 2,310 bytes allocated
==2432919==
==2432919== 15 bytes in 1 blocks are definitely lost in loss record 1 of 4
==2432919== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2432919== by 0x401D21: UnknownInlinedFun (test-sbat.c:936)
==2432919== by 0x401D21: main (test-sbat.c:1042)
==2432919==
==2432919== 56 bytes in 1 blocks are definitely lost in loss record 2 of 4
==2432919== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2432919== by 0x402B1B: parse_sbat_var_data (sbat.c:234)
==2432919== by 0x40189C: UnknownInlinedFun (test-sbat.c:444)
==2432919== by 0x40189C: main (test-sbat.c:1028)
==2432919==
==2432919== 110 bytes in 1 blocks are definitely lost in loss record 3 of 4
==2432919== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2432919== by 0x402B1B: parse_sbat_var_data (sbat.c:234)
==2432919== by 0x401D67: UnknownInlinedFun (test-sbat.c:942)
==2432919== by 0x401D67: main (test-sbat.c:1042)
==2432919==
==2432919== 184 bytes in 1 blocks are definitely lost in loss record 4 of 4
==2432919== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2432919== by 0x402CD3: parse_sbat_section (sbat.c:56)
==2432919== by 0x4015A8: UnknownInlinedFun (test-sbat.c:323)
==2432919== by 0x4015A8: main (test-sbat.c:1019)
==2432919==
==2432919== LEAK SUMMARY:
==2432919== definitely lost: 365 bytes in 4 blocks
==2432919== indirectly lost: 0 bytes in 0 blocks
==2432919== possibly lost: 0 bytes in 0 blocks
==2432919== still reachable: 0 bytes in 0 blocks
==2432919== suppressed: 0 bytes in 0 blocks
==2432919==
==2432919== For lists of detected and suppressed errors, rerun with: -s
==2432919== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
After:
==2525955==
==2525955== HEAP SUMMARY:
==2525955== in use at exit: 181 bytes in 3 blocks
==2525955== total heap usage: 17 allocs, 14 frees, 2,310 bytes allocated
==2525955==
==2525955== 15 bytes in 1 blocks are definitely lost in loss record 1 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x401D21: UnknownInlinedFun (test-sbat.c:937)
==2525955== by 0x401D21: main (test-sbat.c:1043)
==2525955==
==2525955== 56 bytes in 1 blocks are definitely lost in loss record 2 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x402ACB: parse_sbat_var_data (sbat.c:234)
==2525955== by 0x40189D: UnknownInlinedFun (test-sbat.c:445)
==2525955== by 0x40189D: main (test-sbat.c:1029)
==2525955==
==2525955== 110 bytes in 1 blocks are definitely lost in loss record 3 of 3
==2525955== at 0x4845464: calloc (vg_replace_malloc.c:1117)
==2525955== by 0x402ACB: parse_sbat_var_data (sbat.c:234)
==2525955== by 0x401D67: UnknownInlinedFun (test-sbat.c:943)
==2525955== by 0x401D67: main (test-sbat.c:1043)
==2525955==
==2525955== LEAK SUMMARY:
==2525955== definitely lost: 181 bytes in 3 blocks
==2525955== indirectly lost: 0 bytes in 0 blocks
==2525955== possibly lost: 0 bytes in 0 blocks
==2525955== still reachable: 0 bytes in 0 blocks
==2525955== suppressed: 0 bytes in 0 blocks
==2525955==
==2525955== For lists of detected and suppressed errors, rerun with: -s
==2525955== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If no TOPDIR is defined and a vendor sbat CSV is placed in
$(BUILDDIR)/data/sbat.*.csv, objcopy fails with the following
error.
objcopy --add-section .sbat=/shim/data/sbat.csv \
--set-section-flags .sbat=contents,alloc,load,readonly,data \
sbat_data.o
objcopy --add-section ".sbat.microsoft=sbat.microsoft.csv" sbat_data.o
objcopy --add-section ".sbat.microsoft=sbat.microsoft.csv" sbat_data.o
objcopy:stuf2iKG: can't add section '.sbat.microsoft': bad value
make: *** [Makefile:120: sbat_data.o] Error 1
The sbat.vendor.csv is getting included twice in VENDOR_SBATS.
Use sort to ensure unique entries in VENDOR_SBATS
Signed-off-by: Chris Co <chrco@microsoft.com>
|
|
Because a few shim builds were signed that did not properly initialize
the SBAT variable, and in doing so deleted valid SBAT variables, we need
to use a different name.
This changes the name from "SBAT" to "SbatLevel".
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
Currently, the check for the contents of the SBAT variable has an
inverted strncmp() test, causing it to delete the variable
inappropriately.
This patch fixes that check, preventing shim from always stepping on the
sbat variable, and adds test cases to validate the correct logic.
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
This moves the check for the SBAT variable's attributes and contents
into its own function, so that test cases can be written against it.
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
Currently if you're building in a subdirectory, we're not correctly
finding vendor sbat.foo.csv files if they're in
$(TOPDIR)/data/sbat.foo.csv rather than $(BUILDDIR)/data/sbat.foo.csv.
This patch makes it search both of those during the build.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This also makes the cross-build targets (and not the others) /use/ this
functionality, so we'll catch it if we break it again.
This fixes issue #340.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
xnox reports that with some versions of sbsign/sbcheck, it gets very
unhappy with non-contiguous sections and gaps between sections, which we
currently produce on targets with hand-coded headers. This is all wrong
behavior from sbsigntools, and has been fixed in newer versions, but
nevertheless it's not hard for us to avoid.
This patch re-arranges the sections so there are no gaps, by padding the
file-size of .data and .sbat up to the full page, moving .sbat to be
before .vendor_cert, and moving .vendor_cert and .rela out of the range
covered by _edata, while still leaving included in the calculation of
SizeOfInitializedData.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This hides more subtle failures way too well; nerf it out.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Here's the full shortlog since shim 15.2:
Alex Burmashev (4):
strndupa: allocate len + 1, so that \0 is not lost
add list_empty to linked list primitives
pe.c: parse SBAT variable and perform basic verification
Fix compilation for older gcc
Chris Co (2):
sbat: add minor fixes to parse_sbat
Add initial sbat unit testing code
Chris Coulson (8):
Fix sbsign command usage
Rename check_{white,black}list to check_{allow,deny}list
build: Pass the correct paths to sbsign
Include missing .text sections in PE/COFF binary
sbat: Don't assume VirtualSize == SizeOfRawData
Ensure that MOK variable mirroring creates well formed ESLs
Avoid creating unnecessary mirrored MOK variables
Fix boot failures due to variable size constraints
Colin Walters (1):
Convert README -> README.md
Dimitri John Ledkov (2):
Add testsuite to the github pull request workflow.
Drop comments, and make push workflow use same matrix as pullrequest.
Gary Lin (9):
src/netboot.c: remove the execute bit
lib: move print_crypto_errors() out of console.c
console: Move the countdown function to console.c
fallback: show a countdown menu before reset
sbat: fix the gcc warnings
sbat: fix the residual "resource section" for SBAT
Restore loaded image of shim at Exit()
Set the section flags for .sbat
arm and aarch64: include the aligned part in SizeOfRawData of sbat
Hai Huang (1):
Fix EV_EFI_VARIABLE_AUTHORITY event in eventlog
Jan Setje-Eilers (8):
Add Secure Boot Advanced Targeting (SBAT) specification document
Add --set-section-alignment '.sbat=512' to objcopy command line
Drop --set-section-alignment from Makefile since linker ALIGN(4096)
already enforces the alignment, clarify that objcopy only needs to
do the alignment in the SBAT spec.
If the SBAT UEFI variable is not set, initialize it as a bootservices
variable.
Javier Martinez Canillas (10):
Add a .sbat section to EFI binaries
Add a function to parse the SBAT metadata from the .sbat section
sbat: remove unused buffer parameter in parse_sbat() function
sbat: use correct type for parse_sbat_var() return value
Don't re-parse the SBAT EFI variable for each binary we load.
sbat: include NULL terminator when calculating buffer end in parse_sbat()
shim: initialize OpenSSL after parsing SBAT data
sbat: make shim to parse it's own .sbat section on init
shim: Fix a NULL pointer dereference caused by start not being set
shim: Use the default loader if an EFI_LOAD_OPTION can't be parsed
Jia Zhang (1):
Ignore *.hash
João Paulo Rechi Vita (8):
fallback: Store label size instead of calculating on every use
fallback: Consider all Boot* vars when checking for duplicates
fallback: Only use VerbosePrint for debug messages
fallback: Be silent by default
fallback: Print original BootOrder value in verbose mode
fallback: Wait before chainloading in verbose mode
fallback: Make verbose mode's wait time configurable
fallback: Allow defining FALLBACK_VERBOSE at build time
Lisa White (1):
Fix typo in a comment
Luca Boccassi (1):
Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
Mathieu Trudel-Lapierre (1):
Add mm/fb hashing to TODO, put that and related things under
'Reproducible builds'
Matthew Garrett (1):
build: Import gnu-efi as a submodule and build against it
Nicholas Bishop (1):
BUILDING: Fix a typo
Paul Menzel (1):
README: Remove superfluous *and*
Paul Moore (7):
shim: compile time option to bypass the ExitBootServices() check
build: add some basic $EFI_PATH checking
SBAT: fix some typos in the SBAT docs
SBAT: update the raw Markdown to look less terrible
openssl: fix various build errors and warnings
shim: attempt to improve the argument handling
build: load local build configuration from Make.local if present
Peter Jones (119):
Use github actions for CI builds
Split up push and PR CI/CD and build all patches in series on PRs
Try to kick the github PR workflow...
Add a .clang-format file.
Always use lower case for our local include file names.
Work around some clang-format oddnesses
Renaming PeImage.h to pe.h wasn't actually a good idea.
Fix pe.h -> peimage.h in /both/ places.
github workflows: Unify the x86 pull request build rules steps
github workflows: add the sbat branch to one PR builds run for
efi bins: add an easy way for vendors to add .sbat data
Remove my .syntastic_c_config, it doesn't belong in the repo.
includes: add strchra() and strchrnula() impls
Move a bunch of PE-related stuff out of shim.c
Refactor some PE handling code
Add some more PE helpers we need for SBAT
Add the beginning of .sbat parsing stuff
SBAT: parse a copy of the table that's got a NUL at the end
Add an example SBAT workflow document
Add some linked list primitives.
get_variable: always allocate a NUL character at the end.
add an ascii strndup() implementation.
sbat: make the includes work like everything else.
We're not using travis-build.sh any more.
Try to make coverity.mk work without cov-build installed.
Try to make scan-build.mk work without scan-build installed.
Add some more TODOs for shim 16
Add another unfortunate TODO entry.
Add some *more* TODO tasks.
Add fallback boot loop detection to TODO
Also ignore .sw?
Add screen logs to .gitignore
Add .cer/.crt/.esl to .gitignore
BUILDING: fix missing DISABLE_EBS_PROTECTION section
Re-alphabetize .gitignore.
.gitignore: add build dirs and shim_cert.h
.gitignore: ignore .gdbinit
Fix up a bunch of our license statements and add SPDX most places
SPDX: Clarify the attribution for crypt_blowfish
SPDX: Clarify the attribution for James's lib/ code
Make sure MIN() and MAX() are always defined.
console: Fix a typo in the EFI warning list in gnu-efi
Fix a bunch of trivial trailing whitespace issues.
Make httpboot.c always get built.
Make the variable name and pointer const in all of our efi vars functions
Add ENABLE_SHIM_DEVEL config to change what our debug variable name is
Use gcc -Os instead of -O0.
sbat: clang-format the whole thing.
SBAT: make the variable be CSV in our spec.
SBAT: Fix all the docs examples to start with version 1
Fix an off by one in strnlena()
shim: use an enum for efi_main's error messages.
sbat: drop the struct sbat and just use two variables instead
parse_sbat: handle the realloc failure leak and batch allocations.
pe.c: move sbat verification to its own function.
sbat: Fix two NULL derefs found with "gcc -fanalyzer"
tpm: minor cleanup: use EV_IPL not 0xd
Document struct mok_state_variable better.
SBAT: mirror SBAT to SbatRT and extend to PCR7 + log
Move the coverity and scan-build makefiles out of the top directory
Make 'make fanalyzer' targets
compiler.h: fix a typo and add some more function attribute macros
Fix all the places we need UNUSED on arguments.
Tidy up our string primitives...
Add a list_size() primitive
Move is_utf8_bom() to str.h
includes: include all gnu-efi includes at one place.
Fix our debuginfo paths hopefully
Add a stand-alone CSV parser.
SBAT: make our sbat section parser use the csv parser
SBAT: make our SBAT variable parser use the CSV parser
make 'make test' able to run unit test harnesses
Add a tester for our string functions.
Add test cases for our CSV parser.
Fix-up and enable a bunch of .sbat section parsing tests.
Make verify_sbat() more testable
Fix two errant 'shim,0' outdated sbat cases.
Add get_variable_size()/set_variable()del_variable() wrappers.
CI: try to update submodules
CI: show our compilation when it fails
Re-organize a bunch of CFLAGS-related makefile bits
Minor OpenSSL fixes
static analysis: make our build targets work better
More minor makefile cleanups
Switch to using -std=gnu11
Don't use WCHAR even when we're assigning wide string literals
Cryptlib: make some Str*() args const.
Restructure our includes.
Fix Cryptlib's va_* definitions.
Consolidate most of our standard lib functions to lib
Fix stdarg to work the same everywhere.
Add some test cases, and make "make test" actually work.
make: use -Wextra (minus some obnoxious bits)
Test our strncmp vs known failing ones as well
Add more string test cases.
set_sbat_uefi_variable(): avoid comparing unsafe data
shim: simplify sbat self-check logic.
linker scripts: put .sbat after _edata
arm arches: include .sbat in our section headers.
Fix the compiler when invoking scan-build/fanalyzer/etc
openssl: nerf some -W flags for clang.
get_variable_attr(): fix a nit scan-build found.
Fix include order
More va_* work
Don't even try to use builtins, just make sure we have the same types.
Make ENABLE_SHIM_DEVEL work better.
sbat variable: use UEFI_VAR_NV_BS_RT when we've got ENABLE_SHIM_DEVEL
set_sbat_uefi_variable(): add a pile of debug prints.
set_sbat_uefi_variable(): align some decisions that are off-by-one.
Fix a plausible NULL dereference.
'make test': try harder to make it build in the right order.
Nerf an unnecessary string test on arm.
arm and aarch64: fix some PE headers.
Make 'make test' work on gcc 4.8.5
Don't set LIBDIR in CI builds any more.
Fix cross-compilation from x86_64->i686
Try multi-arch CI building using cross compilation
Update 'make archive' to include gnu-efi
Bump version to 15.3
Steve McIntyre (5):
Second attempt at SBAT doc tweaks
Fixups after Peter's review
Fix bashisms in Make.coverity
Stop using EFI_PATH, and error out if people try to use it
Fix up build of test code using gcc 8
Thomas Frauendorfer | Miray Software (2):
Fix column size check in SBAT variable parsing.
Sort input file names in lib/Makefile
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
There are multiple issues in the MOK variable mirroring code due
to volatile variable size constraints, which all result in boot
failures:
- If a signature is encountered which doesn't fit in to a single
variable, the code enters an infinite loop because the cursor
isn't advanced in mirror_mok_db() after the call to
mirror_one_esl().
- If an ESL is encountered which doesn't fit in to a single
variable, it looks like the intention is for the ESL to be split
across multiple variables. However, mirror_one_esl() will write
the maximum variable size on each call, regardless of how much
data is remaining for the current ESL. If the size of a ESL isn't
a multiple of the maximum variable size, the final call to
mirror_one_esl() will append data from the start of the next
ESL and the cursor in mirror_mok_db() will be advanced to an
arbitrary location in the next ESL. This either results in garbage
being mirrored (if you're lucky), or in my case - another infinite
loop as it appears to encounter a signature that doesn't fit in to
a single variable.
- If no signatures can be mirrored when mirror_mok_db() is called
with only_first=TRUE, it tries to create a variable with a single
SHA256 signature in it. But mirror_mok_db() returns an error
(EFI_INVALID_PARAMETER) regardless of whether this succeeds.
|
|
This enables a pile of CI builds on fedora and centos, some using a cross
compilers:
- cross-compiler builds for f32, f33, f34, and f35 (currently rawhide):
x86_64 (yes, x86_64->x86_64)
i686 (x86_64->i686)
arm (x86_64->arm)
aarch64 (x86-64->aarch64)
- non-cross builds for centos7 and centos8
x86_64
i686
- we can't cross build on centos7 or centos8 because they don't have
the cross compiler packages
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Setting libdir will make it try to use /usr/lib*/libefi.a and such,
which is now wrong. Normally you don't *see* any problem, but when we're
cross compiling, it'll fail to find libefi.a.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
If the bootservices MOK payload fits in to a single volatile
runtime variable, don't create additional mirrored variables in
the second pass of mirror_mok_db().
|
|
The MOK variable mirroring makes use of variable_create_esl, which
can only create a well-formed EFI_SIGNATURE_LIST containing a single
signature. Fix fill_esl and variable_create_esl to support creating
a EFI_SIGNATURE_LIST with one or more supplied EFI_SIGNATURE_DATA
structures.
Introduce variable_create_esl_with_one_signature and
fill_esl_with_one_signature for code that does want to create a
EFI_SIGNATURE_LIST containing a single signature constructed from
a supplied signature data buffer and owner GUID.
|
|
If the LoadOptions string count is zero, then it's assumed that it is an
EFI_LOAD_OPTION and the OptionalData field attempt to be parsed. If that
fails as well, in the second stage was set to the default loader path.
But this behaviour was changed by the commit 018b74d2 ("shim: attempt to
improve the argument handling"), and not in that case the LoadOptions is
attempted to be used as a single string. This breaks some firmwares that
return something in the LoadOptions but are not a proper EFI device path.
Instead of making assumptions about the LoadOptions if can't be parsed
correctly, just use the default loader as it was done before that commit.
This fixes booting on a Gigabyte GA-Z97X-SLI mainboard that contains the
following bytes as LoadOptions: 0x41 0x4d 0x42 0x4f ('AMBO').
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Similar to x86_64, the .sbat section is aligned to 4096, so we should
include the aligned part in SizeOfRawData as objcopy does for x86_64.
For VirtualSize, _sbat_vsize is used to reflect the actually size of
sbat.
This also fixes a strange hash mismatching in openSUSE build service
when attaching signature to AArch64 EFI images from shim package.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
The order in which the foreach() returns files differes from
Debian on WSL1 and Debian running natively.
When shim is build on these two platforms the resulting binaries differ.
This patch manually sorts the input file list to create identical binaries.
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
|
|
If the file Make.local exists, use it as a source of local build
configuration by including it in Make.defaults.
(cherry picked from commit 57e38a1ebf73 in the shim-15.2 branch)
Signed-off-by: Paul Moore <pmoore2@cisco.com>
|
|
This fixes the SizeOfImage and SizeOfInitializedData headers on arm and
aa64.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Don't check SHIM_UNIT_TEST.
This fixes conflicting declarations for __builtin_ms_va_list on amd64:
In file included from shim.h:47,
from test.c:10:
../include/system/stdarg.h:30:27: error: conflicting types for '__builtin_ms_va_list'
typedef __builtin_va_list __builtin_ms_va_list;
^~~~~~~~~~~~~~~~~~~~
cc1: note: previous declaration of '__builtin_ms_va_list' was here
In file included from shim.h:47,
from test-csv.c:9:
../include/system/stdarg.h:30:27: error: conflicting types for '__builtin_ms_va_list'
typedef __builtin_va_list __builtin_ms_va_list;
^~~~~~~~~~~~~~~~~~~~
cc1: note: previous declaration of '__builtin_ms_va_list' was here
In file included from shim.h:47,
from csv.c:6:
../include/system/stdarg.h:30:27: error: conflicting types for '__builtin_ms_va_list'
typedef __builtin_va_list __builtin_ms_va_list;
^~~~~~~~~~~~~~~~~~~~
cc1: note: previous declaration of '__builtin_ms_va_list' was here
Signed-off-by: Steve McIntyre <93sam@debian.org>
|
|
We need to be using our patched version of gnu-efi
Signed-off-by: Steve McIntyre <93sam@debian.org>
|
|
Steve McIntyre reports:
<Sledge> yay, arm64 string test fail
<Sledge> testing gnuefi_signed_strncmp
<Sledge> test_strncmp:713:got 128, expected < 0
<Sledge> test_strncmp:713:Assertion `(gnuefi_signed_strncmp("sbat\314\234\014,", "sbat\314\034\014,", 9)) >= 0' failed.
<Sledge> gnuefi_signed_strncmp failed
<Sledge> looking at that code, this is a test to check how broken the gnuefi strncmp is, yes?
<Sledge> and we're not actually using this implementation in shim AFAICS?
That is a correct understanding, and as such this patch just removes
that test from running on Arm platforms, where it is still too broken to
even do this much.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
