| Age | Commit message (Collapse) | Author |
|---|
|
The things we do for our tools. In this case, make the AllocatePool()
happen outside of a conditional, even though that conditional will
always bee satisfied. This way coverity won't think we're setting fi
to NULL and passing it to StrCaseCmp.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The things we do for our tools. In this case, make the AllocatePool()
happen outside of a conditional, even though that conditional will
always bee satisfied. This way coverity won't think we're setting fi
to NULL and passing it to StrCaseCmp.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Coverity scan noticed that entries is uninitialized when we pass its
location to another function.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Coverity scan noticed that entries is uninitialized when we pass its
location to another function.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
CHAR16* vs CHAR16**, so the result is the same on all platforms.
Detected by coverity.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
CHAR16* vs CHAR16**, so the result is the same on all platforms.
Detected by coverity.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now we always look for e.g. "\grubx64.efi", which is completely
wrong. This makes it look for the path shim was loaded from and modify
that to end in a sanitized version of our default loader name.
Resolves: rhbz#1032583
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now we always look for e.g. "\grubx64.efi", which is completely
wrong. This makes it look for the path shim was loaded from and modify
that to end in a sanitized version of our default loader name.
Resolves: rhbz#1032583
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Shim should only need to enforce its security policy when its launching
binaries signed with its built-in key. Binaries signed by keys in db or
Mokdb should be able to rely on their own security policy.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
Shim should only need to enforce its security policy when its launching
binaries signed with its built-in key. Binaries signed by keys in db or
Mokdb should be able to rely on their own security policy.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
%r when used in Print() will show a string representation of
an EFI_STATUS code.
Change-Id: I6db47f5213454603bd66177aca378ad01e9f0bd4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
%r when used in Print() will show a string representation of
an EFI_STATUS code.
Change-Id: I6db47f5213454603bd66177aca378ad01e9f0bd4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Also removed unused LIB_PATH from some Makefiles.
Change-Id: I7d28d18f7531b51b6121a2ffb88bcaedec57c467
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Also removed unused LIB_PATH from some Makefiles.
Change-Id: I7d28d18f7531b51b6121a2ffb88bcaedec57c467
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
If these are overridden on the command line, pass them along to
the sub-makes.
Change-Id: I531ccb5d2f5e4be8e99d4892cdcfffffc1ad9877
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
If these are overridden on the command line, pass them along to
the sub-makes.
Change-Id: I531ccb5d2f5e4be8e99d4892cdcfffffc1ad9877
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Exposed during parallel builds
Change-Id: I9867858166dcafd69438f37ee5da14a267ace8f4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Exposed during parallel builds
Change-Id: I9867858166dcafd69438f37ee5da14a267ace8f4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
fh->Read expects pointer to 32-bit int, use UINTN
Change-Id: If1a728efd51a9a24dfcd8123e84bf4c0713491fe
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
fh->Read expects pointer to 32-bit int, use UINTN
Change-Id: If1a728efd51a9a24dfcd8123e84bf4c0713491fe
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Change-Id: Iff3ee5ae0f0b95b282b99a23e465723b4e9f6104
Signed-off-by: Andrey Petrov <andrey.petrov@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Change-Id: Iff3ee5ae0f0b95b282b99a23e465723b4e9f6104
Signed-off-by: Andrey Petrov <andrey.petrov@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Function prototype/implementation mismatch.
Change-Id: I89aaae1b49d0372d3aed76fc21c194e0ae55f72e
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Function prototype/implementation mismatch.
Change-Id: I89aaae1b49d0372d3aed76fc21c194e0ae55f72e
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Change-Id: Ib93305f7f1691d1b142567507df1058de62dde06
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Change-Id: Ib93305f7f1691d1b142567507df1058de62dde06
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
() Fix the return value semantics. If the MokList doesn't
exist, we are OK. If the MokList was compromised but we
were able to erase it, that is OK too. Only if the list
can't be nuked do we return an error.
() Fix use of potentially uninitialized attribute variable
() Actually use the return value when called from verify_buffer.
Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
() Fix the return value semantics. If the MokList doesn't
exist, we are OK. If the MokList was compromised but we
were able to erase it, that is OK too. Only if the list
can't be nuked do we return an error.
() Fix use of potentially uninitialized attribute variable
() Actually use the return value when called from verify_buffer.
Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Do not use 0.6; on some machines it misunderstands the SetupMode
variable.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Do not use 0.6; on some machines it misunderstands the SetupMode
variable.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
After going back and inspecting this further, the logic for "SetupMode"
being present at all was incorrect. Also initialize our state earlier
so it's sure to always be set.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
After going back and inspecting this further, the logic for "SetupMode"
being present at all was incorrect. Also initialize our state earlier
so it's sure to always be set.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This breaks every machine from before Secure Boot was a thing.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This breaks every machine from before Secure Boot was a thing.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When we call hook_system_services(), we're currently only checking mok's
setting. We should use secure_mode() instead so it'll check both.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When we call hook_system_services(), we're currently only checking mok's
setting. We should use secure_mode() instead so it'll check both.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This reverts commit 21e40f0174814b3d91836e38c7cf95c8f2f1f3a4.
In principle I like the idea of what's going on here, but
generate_hash() really does need to have the expected result.
|
|
This reverts commit 21e40f0174814b3d91836e38c7cf95c8f2f1f3a4.
In principle I like the idea of what's going on here, but
generate_hash() really does need to have the expected result.
|
|
If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database. So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database. So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds additional bounds-checking on the section sizes. Also adds
-Wsign-compare to the Makefile and replaces some signed variables with
unsigned counteparts for robustness.
Signed-off-by: Kees Cook <kees@ubuntu.com>
|
|
This adds additional bounds-checking on the section sizes. Also adds
-Wsign-compare to the Makefile and replaces some signed variables with
unsigned counteparts for robustness.
Signed-off-by: Kees Cook <kees@ubuntu.com>
|
