| Age | Commit message (Collapse) | Author |
|---|
|
Currently when we process base relocations, we get the correct Data
Directory pointer from the headers (context->RelocDir), and that header
has been copied into our pristine allocated image when we copied up to
SizeOfHeaders. But the data it points to has not been mirrored in to
the new image, so it is whatever data AllocPool() gave us.
This patch changes relocate_coff() to refer to the base relocation table
from the image we loaded from disk, but apply the fixups to the new
copy.
I have no idea how x86_64 worked without this, but I can't make aarch64
work without it. I also don't know how Ard or Leif have seen aarch64
work. Maybe they haven't? Leif indicated on irc that they may have
only tested shim with simple "hello world" applications from gnu-efi;
they are certainly much less complex than grub.efi, and are generated
through a different linking process.
My only theory is that we're getting recycled data there pretty reliably
that just makes us /not/ process any relocations, but since our
ImageBase is 0, and I don't think we ever load grub with 0 as its base
virtual address, that doesn't follow. I'm open to any other ideas
anybody has.
I do know that on x86_64 (and presumably aarch64 as well), we don't
actually start seeing *symptoms* of this bug until the first chunk[0] of
94c9a77f is applied[1]. Once that is applied, relocate_coff() starts
seeing zero[2] for both RelocBase->VirtualAddress and
RelocBase->SizeOfBlock, because RelocBase is a (generated, relative)
pointer that only makes sense in the context of the original binary, not
our partial copy. Since RelocBase->SizeOfBlock is tested first,
relocate_base() gives us "Reloc block size is invalid"[3] and returns
EFI_UNSUPPORTED. At that point shim exits with an error.
[0] The second chunk of 94c9a77f patch makes no difference on this
issue.
[1] I don't see why at all.
[2] Which could really be any value since it's AllocatePool() and not
AllocateZeroPool() results, but 0 is all I've observed; I think
AllocatePool() has simply never recycled any memory in my test
cases.
[3] which is silent because perror() tries to avoid talking because that
has caused much crashing in the past; work needs to go in to 0.9 for
this.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Since in theory you could, for example, get an x86_64 binary signed that
also behaves as an ARM executable, we should be checking this before
people build on other architectures.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On aarch64 due to some terrifying include chain we wind up with
Cryptlib's definition of exit here. I'm not a glutton for punishment,
so I'm just changing the name so it's not coliding.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On archs where no EFI aware objcopy is available, the generated PE/COFF
header contains a .reloc section which is completely empty. Handle this by
- returning early from relocate_coff() with EFI_SUCCESS,
- ignoring discardable sections in the section loader.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
We don't need to .data entries; the second one should be .data*. He's
since fixed this in his tree, but I'd already pulled it and pushed to
master.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Also update to Tiano Cryptlib r15802 and remove the execute mode
bits from the C and header files of openssl
|
|
This adds support for building the shim for a 32-bit ARM UEFI environment.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
This adds support for building the shim for a 64-bit ARM UEFI environment.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
This patch cleans up and refactors the Makefiles to better allow new
architectures to be added:
- remove unused Makefile definitions
- import Makefile definitions from top level rather than redefining
- move x86 specific CFLAGS to inside ifeq() blocks
- remove x86 inline asm
- allow $(FORMAT) to be overridden: this is necessary as there exists no
EFI or PE/COFF aware objcopy for ARM
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
Prevent unhook_system_services() from dereferencing a NULL systab, which
may occur if hook_system_services() has never been called.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
Upstream GNU-EFI contains changes to efistdarg.h resulting in the va_start,
va_arg and va_end macros to be #defined unconditionally. Make sure we #undef
them before overriding the definitions.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
These were really, really out of date.
|
|
Also update to Tiano Cryptlib r15638
|
|
MokSBState and MokDBState are just 1 byte variables, so a UINT8
local variable is sufficient to include the content.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
|
|
If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says
we're not in Setup Mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
There are functions defined in lib to check the secure variables.
Use the functions to shun the duplicate code.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
|
|
I was getting confused reading it, and I wrote it, so clearly it needs
more commentry.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
|
|
When grub2 invokes the functions of shim protocol in gfx mode,
OutputString in shim could distort the screen.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
(modified by pjones to include some newer Prints that weren't there when
Gary did the initial work here.)
|
|
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
The newlines are for Print(), not console_notify().
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
|
|
If ca.crt was added into the certificate database, ca.crt would be the first
certificate in the signature. Because shim couldn't verify ca.crt with the
embedded shim.cer, it failed to load MokManager.efi.signed and
fallback.efi.signed.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
On some machines, even though the key event was signaled, ReadKeyStroke
still got EFI_NOT_READY. This commit handles the error status to avoid
console_get_keystroke from returning unexpected keys.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
MokManager.c
|
|
LibDeleteVariable assumes that the variable is RT+NV and it
won't work on a BS+NV variable.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
The variable is not used anymore.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
A non-DER encoding x509 certificate may be mistakenly enrolled into
db or MokList. This commit checks the first 4 bytes of the certificate
to ensure that it's DER encoding.
This commit also removes the iteration of the x509 signature list.
Per UEFI SPEC, each x509 signature list contains only one x509 certificate.
Besides, the size of certificate is incorrect. The size of the header must
be substracted from the signature size.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
The previous strategy is to locate the first available PXE_BASE_CODE
protocol and to fetch the second stage image from it, and this may
cause shim to fetch the wrong second stage image, i.e. grub.efi.
Consider the machine with the following boot order:
1. PXE Boot
2. Hard Drive
Assume that the EFI image, e.g. bootx64.efi, in the PXE server is
broken, then "PXE Boot" will fail and fallback to "Hard Drive". While
shim.efi in "Hard Drive" is loaded, it will find the PXE protocol is
available and fetch grub.efi from the PXE server, not grub.efi in the
disk.
This commit checks the DeviceHandle from Loaded Image. If the device
supports PXE, then shim fetches grub.efi with the PXE protocol. Otherwise,
shim loads grub.efi from the disk.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
Some UEFI implementations never care the boot options, so the
restored boot options could be just ignored and this results in
endless reboot. To avoid this situation, this commit makes
fallback.efi to load the first matched boot option even if there
is no boot option to be restored. It may not be perfect, but at
least the bootloader is loaded...
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
set_boot_order() already copies the old BootOrder to the variable,
bootorder. Besides, we can adjust BootOrder when adding the newly
generated boot option. So, we don't have to copy the old one again
in update_boot_order(). This avoid the duplicate entries in BootOrder.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In read_header, we adjust context->PEHdr's address by doshdr->e_lfanew.
If we're going to recompute that address, we have to adjust it here
too.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds additional bounds-checking on the section sizes. Also adds
-Wsign-compare to the Makefile and replaces some signed variables with
unsigned counteparts for robustness.
Signed-off-by: Kees Cook <kees@ubuntu.com>
|
|
Track use of the system's LoadImage(), and when the next StartImage()
call is for an image the system verified, allow that to count as
participating, since it has been verified by the system's db.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Because you know you wanted a test plan. You feel it deeply inside.
Note that none of the /negative/ cases are tested yet.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Some firmwares seem to ignore our boot entries and put their fallback
entries back on top. Right now that results in a lot of boot entries
for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 .
Instead of that happening, if we simply find existing entries that match
the entry we would create and move them to the top of the boot order,
the machine will continue to operate in failure mode (which we can't
avoid), but at least we won't create thousands of extra entries.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
UEFI 2.x section 3.1.2 provides for "short-form device path", where the
first element specified is a "hard drive media device path", so that you
can move a disk around on different buses without invalidating your
device path. Fallback has not been using this option, though in most
cases efibootmgr has.
Note that we still keep the full device path, because LoadImage()
isn't necessarily the layer where HD() works - one some systems BDS is
responsible for resolving the full path and passes that to LoadImage()
instead. So we have to do LoadImage() with the full path.
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The things we do for our tools. In this case, make the AllocatePool()
happen outside of a conditional, even though that conditional will
always bee satisfied. This way coverity won't think we're setting fi
to NULL and passing it to StrCaseCmp.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Coverity scan noticed that entries is uninitialized when we pass its
location to another function.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
CHAR16* vs CHAR16**, so the result is the same on all platforms.
Detected by coverity.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now we always look for e.g. "\grubx64.efi", which is completely
wrong. This makes it look for the path shim was loaded from and modify
that to end in a sanitized version of our default loader name.
Resolves: rhbz#1032583
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Shim should only need to enforce its security policy when its launching
binaries signed with its built-in key. Binaries signed by keys in db or
Mokdb should be able to rely on their own security policy.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
%r when used in Print() will show a string representation of
an EFI_STATUS code.
Change-Id: I6db47f5213454603bd66177aca378ad01e9f0bd4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Also removed unused LIB_PATH from some Makefiles.
Change-Id: I7d28d18f7531b51b6121a2ffb88bcaedec57c467
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
If these are overridden on the command line, pass them along to
the sub-makes.
Change-Id: I531ccb5d2f5e4be8e99d4892cdcfffffc1ad9877
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
Exposed during parallel builds
Change-Id: I9867858166dcafd69438f37ee5da14a267ace8f4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
