Age | Commit message | Author
2025-02-06 | Add configuration option to boot an alternative 2nd stage | Eric Snowberg
Add the ability for shim to load an optional configuration file. This new file is called "options.csv". The configuration file is completely optional. If used, it is located in the same directory as the booted shim. The "options.csv" file currently allows a single entry. Other options could be added to it in the future. The first and only entry in the file is the name of the secondary boot loader shim will load. The "options.csv" file is in Unicode LE format. This allows a signed shim to directly load a UKI without the need to rename it to grub. Shim's transitive trust is maintained. If the alternative 2nd stage cannot be verified, it will not boot.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
2025-02-06 | Create utils file | Eric Snowberg
Move some functions currently used within fallback that will later also be used in shim.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
2025-02-05 | Add docs for ENABLE_CODESIGN_EKU | Peter Jones
This adds documentation for the ENABLE_CODESIGN_EKU build option.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-02-05 | Optionally enable the codesign EKU check at compile time. | Dennis Tseng
This commit also supersedes PR#232, which was closed on Jul 1, 2021, so that the original codesign EKU code is not disturbed. To enable the codesign check, ENABLE_CODESIGN_EKU can be set to 1. To disable the codesign check, ENABLE_CODESIGN_EKU can be set to 0, or just omit this flag. For example:
    make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
2025-02-05 | Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP. | Gary Lin
Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database. This commit supersedes PR#232 and PR#661 (Apply the EKU checks) so that the author's original code can be independent of other modifications. To answer the question in PR#232, the author also changed the conditional statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature() in Cryptlib/Pk/CryptPkcs7Verify.c.
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
2025-02-05 | SbatLevel_Variable.txt: clarify where and how revocation data is tracked | Jan Setje-Eilers
Comments to clarify that revocations should only be recorded in SbatLevel_Variable.txt and not in any other header files.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
2025-02-05 | Generate and use generated_sbat_var_defs.h | Jan Setje-Eilers
Build changes to generate include/generated_sbat_var_defs.h from SbatLevel_Variable.txt and use that header file. From here on forward SbatLevel_Variable.txt should be the only place a new revocation needs to be recorded.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
2025-02-05 | Add generate_sbat_var_defs utility program | Jan Setje-Eilers
This adds the utility program generate_sbat_var_defs, which can be used to generate the sbat_var_defs.h header file from the human-readable SbatLevel_Variable.txt file.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
2025-02-05 | Update SbatLevel_Variable.txt with peimage CVE-2024-2312 revocation | Jan Setje-Eilers
Add revocations for
- January 2024 shim CVEs
- October 2023 grub CVEs
- Debian/Ubuntu (peimage) CVE-2024-2312
to SbatLevel_Variable.txt. This was missed when they were committed to include/sbat_var_defs.h.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
2025-02-04 | Load concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi | Ross Lagerwall
For multiple reasons, it may be useful for different keys to be used to sign different parts of the boot chain (e.g. a different key for GRUB and the Linux kernel). Allow this by loading concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi rather than only the first. At the same time, be a bit more robust by checking for allocation failures and overflows due to invalid data in the binary. Use the smaller of VirtualSize and SizeOfRawData since the latter is rounded up to the section alignment and therefore may contain non-certificate data.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
2025-02-04 | Fix leak in error path | Ross Lagerwall
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
2025-02-04 | pe: Enhance debug report for update_mem_attrs | Jianyong Wu
When memory attributes cannot be updated due to misalignment with 4K or when the size is 0, the debug printout lacks sufficient clarity to indicate the issue. To enhance troubleshooting, it is crucial to generate an error log that explicitly states the failure to execute the expected action. This error log will be visible even when the debug level log is not enabled, thereby significantly reducing debugging time.
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2025-02-03 | test.mk: don't use a temporary random.bin | Peter Jones
Sometimes using a temp file to make test-random.h breaks builds because clean and test get made in parallel. Since debugging parallel make is anything but easy, it's better to just not use the intermediate file. This patch makes it use a pipe instead. Because we live in the worst possible world, we have to support RHEL 9, in which xxd does not support "-n prefix", and so we have to build the header variable definition lines in shell.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-21 | Fall back to default loader when encountering errors on network boot | Nathan O'Meara
Only certain errors trigger fall back to the default loader name. This change allows fall back when encountering `EFI_TFTP_ERROR` and `EFI_HTTP_ERROR`. This fixes the issue reported in https://github.com/rhboot/shim/issues/649 that prevents boot on some models of PC.
Signed-off-by: Nathan O'Meara <Nathan.OMeara@tanium.com>
2025-01-21 | Ignore a minor clang-tidy nit | Peter Jones
This just turns off the clang-tidy warning about our SBAT_VAR_NAME string compositing in the error message list in efi_main(), as it's the only warning in the whole file and it's bugging me.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-21 | simple_file: Use second variable to create filesystem entries | Michał Żygowski
If HandleProtocol or OpenVolume fails, the entries array will become non-contiguous, i.e. it will have NULL pointers between valid volume names in the array. Because of that count_lines may return a lower number of entries than expected. As a result one may not browse all valid filesystems in the file explorer. Add a second index variable that will increment only on successfully created filesystem entries. As a result, count_lines should return the proper length and there won't be any lost partitions or accesses to invalid entries.
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
2025-01-21 | simple_file: Allow forming a volume name from DevicePath | Michał Żygowski
In case GetInfo of the volume root fails, it is still possible to form a volume name from the DevicePath. Do not skip the given SimpleFS volume handle and try to form a name from the DevicePath. That way we do not lose some filesystems from the file browser. This change already fixes the problem of a hanging platform when trying to enroll a key from disk. However, there is still a chance of having a non-contiguous array of entries, which will be fixed in the next commit.
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
2025-01-21 | lib/simple_file.c: Allocate zeroed pool for SimpleFS entries | Michał Żygowski
The loop retrieving the SimpleFS volume labels and names may skip some volumes if either HandleProtocol or OpenVolume or GetInfo fails. Those skipped volumes would have uninitialized pointers to their names in the respective entries indices. This would lead to accessing random memory in console_select, because count_lines would not catch the holes with non-existing entries. On affected platforms the result is a hang of the MokManager while trying to enroll a key from disk. The issue has been triggered on a TianoCore EDK2 UEFIPayload based firmware for x86 platforms with additional filesystem drivers: ExFAT, NTFS, EXT2 and EXT4. Use AllocateZeroPool to ensure the entries array will be initialized with NULL pointers. Handling the non-existing entries will be added in subsequent commits.
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
2025-01-18 | test-mok-mirror: minor bug fix | Peter Jones
In 70366a286552760863bacb521fb00c654586b494, I introduced a test case for test-mok-mirror to test the behavior when SetVariable() gives EFI_OUT_OF_RESOURCES. Unfortunately this includes a memory error in its cleanup functions:
    ==1972634== Invalid read of size 8
    ==1972634==    at 0x4032F3: mock_sv_adjust_usage_data (mock-variables.c:468)
    ==1972634==    by 0x40387B: mock_delete_variable (mock-variables.c:541)
    ==1972634==    by 0x4014E8: mock_reset_variables (mock-variables.c:1353)
    ==1972634==    by 0x401348: mock_finalize_vars_and_configs (mock-variables.c:1405)
    ==1972634==    by 0x401731: main (test-mok-mirror.c:688)
    ==1972634==  Address 0x1ffeffc4f8 is on thread 1's stack
    ==1972634==  6784 bytes below stack pointer
This is caused because the test data uses a linked-list data structure in an array in the test data, and we try to iterate the list to free the data, but of course the list pointers aren't initialized because it's an array. Whoops. This patch makes it so we don't try to clean up that list, because we don't need to.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | test-mok-mirror: add a test case where MokListRT won't fit. | Peter Jones
This adds another test case for mirroring mok variables - in this case there is arbitrarily not enough space in the SetVariable() storage backend for some or all of the variables, and so some variables are mirrored to both variables and the config space storage, and some only to the config space storage. Currently the test only ensures that the out-of-resources condition on the variable storage is handled correctly; we don't (yet) test the config space. That's an avenue for future work.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | test-mok-mirror: refactor the validation of test_mok_mirror_0 | Peter Jones
This makes a generic test_mok_mirror() which can validate the result of (hopefully) any run of any result of import_mok_state(), and changes test_mok_mirror_0() to use it, and also documents what's being tested and the results it expects to see.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | tests: make it possible to use different limits for variable space | Peter Jones
This splits up the API for setting default usage limits, adding a test API function to set alternate usage limits.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | Make mock_set_variable() correctly account for resource usage. | Peter Jones
When SetVariable() is called, currently the test for being out of space is correct, but the accounting is backwards - success adds more space available. This fixes the accounting and (with SHIM_DEBUG) logs the variable size.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | MokManager: remove redundant logical constraints | Heinrich Schuchardt
CertList->SignatureSize is of type UINT32 which is always positive. If CertList->SignatureListSize == 0, then CertList->SignatureListSize <= CertList->SignatureSize is also true. Remove the redundant CertList->SignatureListSize == 0 checks. A message "Corrupted signature list" is better suited than "Invalid MOK detected! Ignoring MOK List." in this case.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2025-01-17 | tpm: Boot with a warning if the event log is full | Mate Kukri
The extend operation still occurs even if `*_log_extend_event` returns EFI_VOLUME_FULL. Let's print a warning when we first see this error code, but otherwise continue booting. Bailing on this condition has caused machines with limited event log space to become unbootable with TPM 2.0 enabled. (fixes #654)
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
2025-01-17 | Provide better error message when MokManager is not found | Renaud Métrich
If MokManager has to be entered but the system is booting on disk on the EFI/BOOT/BOOTx.EFI entry, MokManager cannot be found because it's not in that directory. This indicates an issue with the BootOrder, or that the UEFI firmware is just not taking BootOrder into account (seen on Lenovo ThinkPad P1 Gen 6 and VMWare), or that the boot media has incorrectly been created without MokManager. This patch prints a related message and reboots after 10 seconds.
Reproducer:
1. Import a certificate using mokutil
2. Tell UEFI to boot on BOOTX64.EFI entry on next boot
Result without the patch with verbosity:
-----------------------------------------------------------------------
mok.c:1045:import_mok_state() checking mok request
shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image \EFI\BOOT\mmx64.efi: Not Found
shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found
shim.c:1115 read_image() Failed to load image \EFI\BOOT\mmx64.efi: Not Found
Failed to start MokManager: Not Found
mok.c:1047:import_mok_state() mok returned Not Found
Something has gone seriously wrong: import_mok_state() failed: Not Found
-----------------------------------------------------------------------
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
2025-01-17 | Move is_removable_media_path() to a shared location. | Peter Jones
We need to use is_removable_media_path(), and potentially other helpers, from Mok as well as shim. This moves it to a file just for Device Path utility functions to make that simpler.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-17 | Fix bad reference to PathName in image loading | Renaud Métrich
Without the patch:
-----------------------------------------------------------------------
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image 貘給: Not Found
-----------------------------------------------------------------------
With the patch:
-----------------------------------------------------------------------
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image \EFI\BOOT\mmx64.efi: Not Found
-----------------------------------------------------------------------
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
2025-01-15 | Improve shortcut performance when comparing two boolean expressions | Dennis Tseng
In the original sbat.c:
    ...
    else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes, sbat_var_candidate) && !reset_sbat) {
    ...
The time complexity of preserve_sbat_uefi_variable() is higher than reset_sbat. Maybe we could swap both of them to calculate reset_sbat first, such that the shortcut performance can be improved.
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
2025-01-15 | avoid EFIv2 runtime services on Apple x86 machines | Eduard Acatrinei
While booting a MacBookPro15,2 (the last Intel model, 2019), shim 15.8 gets stuck in RT->QueryVariableInfo(). Previously, these devices shipped with EFI firmware version 1.10, and we had a quirk in place for this (#364). However, Apple updated the firmware to version 2.40, but it still doesn't implement runtime services. This patch adds a test for Apple as the vendor, and treats that as equivalent to having an older major UEFI version.
Signed-off-by: Eduard Acatrinei <eduard.acatrinei@certussoftware.ro>
2025-01-15 | Increase EFI file alignment | Dmitry Baryshkov
Although the file alignment for EFI apps is not clear, most UEFI implementations accept the default file alignment (0x200). Nevertheless, some UEFI bootloaders require the file alignment to be 0x1000 (e.g. Lenovo Miix 630, Lenovo Yoga C630, etc). Increase the file alignment to the desired value.
Fixes #670
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
2025-01-15 | Update gnu-efi submodule for EFI_HTTP_ERROR | Peter Jones
This updates our gnu-efi module to include the UEFI 2.10 error codes.
Signed-off-by: Peter Jones <pjones@redhat.com>
2025-01-15 | httpboot: Convert HTTP status codes to EFI status codes | Dan Nicholson
This allows the caller to make a more informed decision about how to handle the error. In particular, by mapping HTTP errors to EFI_INVALID_PARAMETER and EFI_NOT_FOUND, shim will try to fetch the default second stage image like it does when loading images from disk. Note that this also changes the default to return EFI_HTTP_ERROR instead of EFI_ABORTED. This should not change any behavior as EFI_ABORTED wasn't being handled before, but letting the caller decide what to do with an unknown HTTP error is more appropriate.
Signed-off-by: Dan Nicholson <dbn@endlessos.org>
2025-01-15 | netboot: Convert TFTP error codes to EFI status codes | Dan Nicholson
This allows the caller to make a more informed decision about how to handle the error. The error code is available in the TftpError field of the Mode interface. In particular, by mapping the TFTP errors to EFI_INVALID_PARAMETER and EFI_NOT_FOUND, shim will try to fetch the default second stage image like it does when loading images from disk. Unfortunately, some firmware doesn't fill in the error fields, so a generic EFI_TFTP_ERROR to EFI_NOT_FOUND conversion is included.
Signed-off-by: Dan Nicholson <dbn@endlessos.org>
2025-01-15 | Backport EFI_HTTP_ERROR status code | Dan Nicholson
The define can be dropped when gnu-efi is updated to include de6f9259e8476495c78babbc25250a59de7f3942.
Signed-off-by: Dan Nicholson <dbn@endlessos.org>
2025-01-15 | shim: Allow data after the end of device path node in load options | Dan Nicholson
When looking for load option optional data, the parser asserts that the byte after the end of device path node is the same as what the file path length says it should be. While unusual, it is valid if the end of device path node comes before the end of the file path list. That supports some unusual Dell load options where there are two device paths in the list but the first is terminated by an End Entire Device Path. Maybe they intended to use an End Device Path Instance node there? Who knows. Either way, treating it as invalid ends up trying to read paths from the beginning of the option with obviously poor results.
Fixes: #649
Signed-off-by: Dan Nicholson <dbn@endlessos.org>
2025-01-15 | Fix the issue that the gBS->LoadImage pointer was empty. | jinlun
The interface shouldn't be replaced at the shim_fini stage when the vendor certificate doesn't exist.
Signed-off-by: jinlun <869793317@qq.com>
2024-12-17 | Discard load-options that start with WINDOWS | Lauri Kenttä
Windows bcdedit.exe creates boot entries where load options begin with "WINDOWS\0" (in 8-bit chars), followed by some Windows-specific data which is useless for shim. This data causes shim error "Failed to open \EFI\mypath\䥗䑎坏S".
Resolves: #370
Signed-off-by: Lauri Kenttä <lauri.kentta@gmail.com>
2024-12-17 | Add building compile_commands.json to CI | Peter Jones
I use compile_commands.json with vim all the time, so it's better if it doesn't break. This adds it to CI builds to try to ensure that better.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-17 | Suppress some warnings even harder in Cryptlib and OpenSSL. | Peter Jones
In some cases the -Werror / -Wfoo / -Wno-foo / -Wno-error=foo bits aren't propagating in a way that clang is happy with, so we get errors about unused variables and the like in Cryptlib and OpenSSL. We're never going to fix those nits in this tree, so this patch tries even harder to make the compiler ignore them, or at least not end the build with a benign error.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-17 | Makefile: don't warn about clang when building compile_commands.json | Peter Jones
This make target doesn't actually use any of the objects built by the compiler, so there's no concern about using an untested compiler or anything like that. It doesn't really need the warnings to show either, and they're obnoxious, so this commit takes them out for that build target.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-17 | includes: work around CLANG_PREREQ() double-definition | Peter Jones
Right now when doing test builds with clang, we wind up getting an error from two different definitions of CLANG_PREREQ() in the headers. It might be that we can just rip one of these out, but for now I'm just making one of them conditional.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-13 | Force gcc to produce DWARF4 so that gdb can use it | Mike Beaton
cf https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2014231
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
2024-12-13 | Update fedora CI targets | Peter Jones
This updates CI targets for Fedora distros to newer releases. It also disables IA32 builds on f40 and f41. Something is broken in the include files for the ia32-on-x64 buildroot, and I don't think anyone is actually doing ia32-on-x64 builds in the wild anyway. At the same time, ia32 is pretty much dead to begin with. This takes the test out.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-13 | CI: work around ownership issue on github | Peter Jones
"make update" with newer distros is giving us:
    fatal: detected dubious ownership in repository at '/__w/shim/shim'
    To add an exception for this directory, call:
            git config --global --add safe.directory /__w/shim/shim
So that's exactly what I'm trying.
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-12-13 | CI: use checkout@v4 | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2024-11-24 | Fix "Verifiying" typo in error message | Chris Bainbridge
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
2024-11-12 | Null-terminate 'arguments' in fallback | Vitaly Kuznetsov
In case a CSV entry contains a boot argument (e.g. an image to load for shim) it must be null-terminated. While populate_stanza() makes sure 'arguments' ends with '\0', add_boot_option() doesn't account for it in 'size' calculations. E.g. for the following CSV entry:
    shimx64.efi,6.6.0-0.rc0.20230904git708283abf896.6.fc40.x86_64,\EFI\Linux\5f93b3c9cf1c488a99786fb8e99fb840-6.6.0-0.rc0.20230904git708283abf896.6.fc40.x86_64.efi,Comment
the resulting variable after 'fallback' looks like:
    # hexdump /sys/firmware/efi/efivars/Boot0004-8be4df61-93ca-11d2-aa0d-00e098032b8c | tail -3
    0000180 0038 0036 005f 0036 0034 002e 0065 0066
    0000190 0069
    0000192
Add trailing '\0' to 'size' calculations in add_boot_option() when 'arguments' is not empty. The resulting variable looks like:
    # hexdump /sys/firmware/efi/efivars/Boot0004-8be4df61-93ca-11d2-aa0d-00e098032b8c | tail -3
    0000180 0038 0036 005f 0036 0034 002e 0065 0066
    0000190 0069 0000
    0000194
and the specified image is loaded by shim without issues.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
2024-11-12 | Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition | Vitaly Kuznetsov
The code actually uses EFI_SECURE_BOOT_DB_GUID which is defined in include/guid.h; drop the unused EFI_IMAGE_SECURITY_DATABASE_GUID define from shim.c.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
2024-11-12 | export DEFINES for sub makefile | William Douglas
Signed-off-by: William Douglas <william.douglas@intel.com>