| Age | Commit message (Collapse) | Author |
|---|
|
Previously we were returning EFI_ACCESS_DENIED at some places and
EFI_SECURITY_VIOLATION at others. When we're checking whether to run
MokManager, we're checking EFI_SECURITY_VIOLATION, which is more or less
analogous with what the spec says StartImage() returns. So we should
always have that as the return code.
I believe this will fix github issue #44.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
According to TCG EFI Protocol Specification, this structure is not packed.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
EFI TrEE Protocol uses the same protocol GUID as EFI TCG2 protocol, and
defines the capability structure version 1.0. Hence, the structure and
name are all align the EFI TrEE Protocol.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Some machines have already embedded MokSBStateRT varaible with
EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim
vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState
fail because the variable cannot be set with different attribute again, and gets
error massage every time when booting.
Fix it with checking the MokSBStateRT existence and deleting it before
mirroring it.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
|
|
Currently generate_hash() attempts to include any trailing data at the
end of the binary in the resulting digest, but it won't include such
data if the size computed is wrong because context->SecDir->Size is
invalid. In this case the return code is EFI_SUCCESS, and the hash will
match any a binary as if the Attribute Certificate Table and anything
after it are missing. This is wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Update to the edk2 commit dab62c5ec8a88def3ee99c04d644720cb201de08
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Although the prototype of memset() is already defined in OpenSslSupport.h,
the function was never implemented. It was fine since a macro was
designed to replace all memset() with SetMem() after including
OpenSslSupport.h. However, since openssl 1.0.2j, a new function pointer
in crypto/mem_clr.c requires the "real" memset() or the program would
crash due to the NULL function pointer access. This commit implements
memset() (just a wrapper of SetMem()) to avoid the potential crash.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Certain AMI BIOS (Intel NUC5i3MYBE BIOS version 0037) may make the strict
check on the last 3 arguments passed to get_event_log() and don't expect
NULL pointers are passed. In order to work around this failure
(EFI_INVALID_PARAMETER), pass them even though we really don't use it.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
|
|
According to TCG EFI Protocol Specification for TPM 2.0 family,
all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG
shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka
EFI TCG 2.0 final events table. Hence, it is necessary to trigger the
internal switch through calling get_event_log() in order to allow
to retrieve the logs from OS runtime.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
|
|
* debian/patches/binutils-version-matching: dropped, fixed upstream.
|
|
|
|
|
|
For starters; don't allow the "module signing" OID; which ought to
only ever be used for signing kernel modules, not signing EFI binaries.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
new_data in write_db() wasn't freed after SetVariable.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Try to append the MOK/MOKX list first and then fallback to the normal
SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
We got the bug report about the usage of APPEND_WRITE that may cause the
failure when writing a variable in Lenovo machines. Although
EFI_VARIABLE_APPEND_WRITE already exists in the UEFI spec for years,
unfortunately, some vendors just ignore it and never implement the
attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to
make MokManager work on those machines.
https://github.com/rhinstaller/shim/issues/55
Signed-off-by: Gary Lin <glin@suse.com>
|
|
In the branch I wrote the code on, "size" was a thing. On this branch
it isn't.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Authenticode Certificate length is available in Certificate Table
(inside PE header) and also in signature header(WIN_CERTIFICATE) itself.
Code in 'check_backlist()' method uses length from signature header,
whereas, AuthenticodeVerify() call inside 'verify_buffer()' method uses
the length in signature header. This causes a security vulnerability issue :
Good Scenario : Assume shim1.crt is used for signing grub.efi and
shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got
compromised and therefore it was added in 'dbx' database. Now, when
shim.efi will attempt to load grub.efi, it will fail loading with
log message "Binary is blacklisted" because 'check_blacklist' call
will detect the presence of 'shim1.crt' in 'dbx'.
Vulnerable Scenario : Similar as above. Add 'shim1.crt' in dbx database.
Also, tamper the earlier signed grub.efi file by placing 0x0000 in the
WIN_CERTIFICATE.dwLength.
(Open grub.efi/vmlinuz signed binary with hex editor.
Go to 0x128 address and read out the address from 0x128 until
0x12B in little Indian order from right to left.
Jump to the address from 0x128 address area.
First 8bytes are the signature header area which consist of
signature size(4bytes), revision(2bytes) and type(2bytes).
So tamper the first 4 bytes for signature size and save the binary.
)
With this tampered grub.efi, shim.efi loads it successfully because
'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx'
database.
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
|
|
Update to the edk2 commit 8ff7187cfd998d2b6db43075a4a7908281b6da00
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Update to the edk2 commit 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Also update the path to the openssl headers.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Also update Cryptlib to edk2 r19218
- Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use
the gcc builtins and remove all EFIAPI from the functions
- Move the most of defines into the headers instead of Makefile
- Remove the global variable 'timeval'
- Remove the unused code: crypto/pqueue/* and crypto/ts/*
- Include bn.h in MokManager.c due to the changes in openssl
Signed-off-by: Gary Lin <glin@suse.com>
|
|
When fallback.efi is not present, the should_use_fallback error path
attempts to close a file that has already been closed, resulting in a
hang. This issue only affects certain systems.
This is a regression from version 0.8 and was introduced by commit
4794822.
Signed-off-by: Benjamin Antin <ben.antin@endlessm.com>
|
|
Fix the compilation error from gcc:
shim.c: In function ‘handle_image’:
shim.c:1121:15: error: unused variable ‘size’ [-Werror=unused-variable]
unsigned int size;
^~~~
Signed-off-by: Gary Lin <glin@suse.com>
|
|
see comments here:
https://github.com/rhinstaller/shim/commit/d9a4c912c0aa72905ca793b555dcb0afb33e3b30
|
|
MokDBState is a 8-bit unsigned integer. Looks like a typo here.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
