| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds a make target that builds the tests with gcov so we can
identify coverage gaps in the test suite.
It also makes a special test-lto invocation, so that a developer can run
these tests with the somewhat different optimization results LTO will
have.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This moves the globals from shim.c (and lib/console.c) into their own
file, to make it so that unit tests can more easily link against code
that uses that state.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes sure we clean up the builds that aren't for the EFI
environment after we build and run the unit tests.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
A couple of places snuck in where building with COMPILER=clang didn't
work right; this makes them work again.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In the cloud, all boots are non-interactive with keyboard and console
access either typically not available or prohibited. Also clouds
always do firstboot via fallback. This currently results in an
unacceptable 5s boot delay whilst fallback offers interactive reset
options that cannot be actioned.
In Ubuntu, we'd like to make fallback noninteractive by default
without any boot delays, due to bootspeed impact on firstboot of the
preinstalled images.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1922581
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
|
The previous commit(*) merged .rel* and .dyn* into .rodata, and this
made ld to generate the wrong size for .rela* sections that covered
other unrelated sections. When the EFI image was loaded, _relocate()
went through the unexpected data and may cause unexpected crash.
This commit moves .rel* and .dyn* out of .rodata in the ld script but
also moves the related variables, such as _evrodata, _rodata_size,
and _rodata_vsize, to the end of the new .dyn section, so that the
crafted pe-coff section header for .rodata still covers our new
.rela and .dyn sections.
(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
Fix issue: https://github.com/rhboot/shim/issues/371
Signed-off-by: Gary Lin <glin@suse.com>
|
|
This moves set_second_stage() and some of the helper functions it uses
out of shim.c, so that it's easier to write test cases for.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On some versions of binutils[0], including binutils-2.23.52.0.1-55.el7,
do not correctly initialize the data when computing the PE optional
header checksum. Unfortunately, this means that any time you get a
build that reproduces correctly using the version of objcopy from those
versions, it's just a matter of luck.
This patch introduces a new utility program, post-process-pe, which does
some basic validation of the resulting binaries, and if necessary,
performs some minor repairs:
- sets the timestamp to 0
- this was previously done with dd using constant offsets that aren't
really safe.
- re-computes the checksum.
[0] I suspect, but have not yet fully verified, that this is
accidentally fixed by the following upstream binutils commit:
commit cf7a3c01d82abdf110ef85ab770e5997d8ac28ac
Author: Alan Modra <amodra@gmail.com>
Date: Tue Dec 15 22:09:30 2020 +1030
Lose some COFF/PE static vars, and peicode.h constify
This patch tidies some COFF and PE code that unnecessarily used static
variables to communicate between functions.
v2 - MAP_PRIVATE was totally wrong...
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Mark this officially as shim 15.4
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
For every problem, there exists a solution which is simple, elegant, and
wrong. d74629207188d290810db15dbfe91a89e7751ffb is that solution.
This patch leaves that intact, but adds a .rodata section wrapping
.rel/.rela and .dynsym/.dynstr., so that they are correctly
incorporated into the authenticode hash.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
If no TOPDIR is defined and a vendor sbat CSV is placed in
$(BUILDDIR)/data/sbat.*.csv, objcopy fails with the following
error.
objcopy --add-section .sbat=/shim/data/sbat.csv \
--set-section-flags .sbat=contents,alloc,load,readonly,data \
sbat_data.o
objcopy --add-section ".sbat.microsoft=sbat.microsoft.csv" sbat_data.o
objcopy --add-section ".sbat.microsoft=sbat.microsoft.csv" sbat_data.o
objcopy:stuf2iKG: can't add section '.sbat.microsoft': bad value
make: *** [Makefile:120: sbat_data.o] Error 1
The sbat.vendor.csv is getting included twice in VENDOR_SBATS.
Use sort to ensure unique entries in VENDOR_SBATS
Signed-off-by: Chris Co <chrco@microsoft.com>
|
|
Currently if you're building in a subdirectory, we're not correctly
finding vendor sbat.foo.csv files if they're in
$(TOPDIR)/data/sbat.foo.csv rather than $(BUILDDIR)/data/sbat.foo.csv.
This patch makes it search both of those during the build.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This also makes the cross-build targets (and not the others) /use/ this
functionality, so we'll catch it if we break it again.
This fixes issue #340.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Here's the full shortlog since shim 15.2:
Alex Burmashev (4):
strndupa: allocate len + 1, so that \0 is not lost
add list_empty to linked list primitives
pe.c: parse SBAT variable and perform basic verification
Fix compilation for older gcc
Chris Co (2):
sbat: add minor fixes to parse_sbat
Add initial sbat unit testing code
Chris Coulson (8):
Fix sbsign command usage
Rename check_{white,black}list to check_{allow,deny}list
build: Pass the correct paths to sbsign
Include missing .text sections in PE/COFF binary
sbat: Don't assume VirtualSize == SizeOfRawData
Ensure that MOK variable mirroring creates well formed ESLs
Avoid creating unnecessary mirrored MOK variables
Fix boot failures due to variable size constraints
Colin Walters (1):
Convert README -> README.md
Dimitri John Ledkov (2):
Add testsuite to the github pull request workflow.
Drop comments, and make push workflow use same matrix as pullrequest.
Gary Lin (9):
src/netboot.c: remove the execute bit
lib: move print_crypto_errors() out of console.c
console: Move the countdown function to console.c
fallback: show a countdown menu before reset
sbat: fix the gcc warnings
sbat: fix the residual "resource section" for SBAT
Restore loaded image of shim at Exit()
Set the section flags for .sbat
arm and aarch64: include the aligned part in SizeOfRawData of sbat
Hai Huang (1):
Fix EV_EFI_VARIABLE_AUTHORITY event in eventlog
Jan Setje-Eilers (8):
Add Secure Boot Advanced Targeting (SBAT) specification document
Add --set-section-alignment '.sbat=512' to objcopy command line
Drop --set-section-alignment from Makefile since linker ALIGN(4096)
already enforces the alignment, clarify that objcopy only needs to
do the alignment in the SBAT spec.
If the SBAT UEFI variable is not set, initialize it as a bootservices
variable.
Javier Martinez Canillas (10):
Add a .sbat section to EFI binaries
Add a function to parse the SBAT metadata from the .sbat section
sbat: remove unused buffer parameter in parse_sbat() function
sbat: use correct type for parse_sbat_var() return value
Don't re-parse the SBAT EFI variable for each binary we load.
sbat: include NULL terminator when calculating buffer end in parse_sbat()
shim: initialize OpenSSL after parsing SBAT data
sbat: make shim to parse it's own .sbat section on init
shim: Fix a NULL pointer dereference caused by start not being set
shim: Use the default loader if an EFI_LOAD_OPTION can't be parsed
Jia Zhang (1):
Ignore *.hash
João Paulo Rechi Vita (8):
fallback: Store label size instead of calculating on every use
fallback: Consider all Boot* vars when checking for duplicates
fallback: Only use VerbosePrint for debug messages
fallback: Be silent by default
fallback: Print original BootOrder value in verbose mode
fallback: Wait before chainloading in verbose mode
fallback: Make verbose mode's wait time configurable
fallback: Allow defining FALLBACK_VERBOSE at build time
Lisa White (1):
Fix typo in a comment
Luca Boccassi (1):
Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
Mathieu Trudel-Lapierre (1):
Add mm/fb hashing to TODO, put that and related things under
'Reproducible builds'
Matthew Garrett (1):
build: Import gnu-efi as a submodule and build against it
Nicholas Bishop (1):
BUILDING: Fix a typo
Paul Menzel (1):
README: Remove superfluous *and*
Paul Moore (7):
shim: compile time option to bypass the ExitBootServices() check
build: add some basic $EFI_PATH checking
SBAT: fix some typos in the SBAT docs
SBAT: update the raw Markdown to look less terrible
openssl: fix various build errors and warnings
shim: attempt to improve the argument handling
build: load local build configuration from Make.local if present
Peter Jones (119):
Use github actions for CI builds
Split up push and PR CI/CD and build all patches in series on PRs
Try to kick the github PR workflow...
Add a .clang-format file.
Always use lower case for our local include file names.
Work around some clang-format oddnesses
Renaming PeImage.h to pe.h wasn't actually a good idea.
Fix pe.h -> peimage.h in /both/ places.
github workflows: Unify the x86 pull request build rules steps
github workflows: add the sbat branch to one PR builds run for
efi bins: add an easy way for vendors to add .sbat data
Remove my .syntastic_c_config, it doesn't belong in the repo.
includes: add strchra() and strchrnula() impls
Move a bunch of PE-related stuff out of shim.c
Refactor some PE handling code
Add some more PE helpers we need for SBAT
Add the beginning of .sbat parsing stuff
SBAT: parse a copy of the table that's got a NUL at the end
Add an example SBAT workflow document
Add some linked list primitives.
get_variable: always allocate a NUL character at the end.
add an ascii strndup() implementation.
sbat: make the includes work like everything else.
We're not using travis-build.sh any more.
Try to make coverity.mk work without cov-build installed.
Try to make scan-build.mk work without scan-build installed.
Add some more TODOs for shim 16
Add another unfortunate TODO entry.
Add some *more* TODO tasks.
Add fallback boot loop detection to TODO
Also ignore .sw?
Add screen logs to .gitignore
Add .cer/.crt/.esl to .gitignore
BUILDING: fix missing DISABLE_EBS_PROTECTION section
Re-alphabetize .gitignore.
.gitignore: add build dirs and shim_cert.h
.gitignore: ignore .gdbinit
Fix up a bunch of our license statements and add SPDX most places
SPDX: Clarify the attribution for crypt_blowfish
SPDX: Clarify the attribution for James's lib/ code
Make sure MIN() and MAX() are always defined.
console: Fix a typo in the EFI warning list in gnu-efi
Fix a bunch of trivial trailing whitespace issues.
Make httpboot.c always get built.
Make the variable name and pointer const in all of our efi vars functions
Add ENABLE_SHIM_DEVEL config to change what our debug variable name is
Use gcc -Os instead of -O0.
sbat: clang-format the whole thing.
SBAT: make the variable be CSV in our spec.
SBAT: Fix all the docs examples to start with version 1
Fix an off by one in strnlena()
shim: use an enum for efi_main's error messages.
sbat: drop the struct sbat and just use two variables instead
parse_sbat: handle the realloc failure leak and batch allocations.
pe.c: move sbat verification to its own function.
sbat: Fix two NULL derefs found with "gcc -fanalyzer"
tpm: minor cleanup: use EV_IPL not 0xd
Document struct mok_state_variable better.
SBAT: mirror SBAT to SbatRT and extend to PCR7 + log
Move the coverity and scan-build makefiles out of the top directory
Make 'make fanalyzer' targets
compiler.h: fix a typo and add some more function attribute macros
Fix all the places we need UNUSED on arguments.
Tidy up our string primitives...
Add a list_size() primitive
Move is_utf8_bom() to str.h
includes: include all gnu-efi includes at one place.
Fix our debuginfo paths hopefully
Add a stand-alone CSV parser.
SBAT: make our sbat section parser use the csv parser
SBAT: make our SBAT variable parser use the CSV parser
make 'make test' able to run unit test harnesses
Add a tester for our string functions.
Add test cases for our CSV parser.
Fix-up and enable a bunch of .sbat section parsing tests.
Make verify_sbat() more testable
Fix two errant 'shim,0' outdated sbat cases.
Add get_variable_size()/set_variable()del_variable() wrappers.
CI: try to update submodules
CI: show our compilation when it fails
Re-organize a bunch of CFLAGS-related makefile bits
Minor OpenSSL fixes
static analysis: make our build targets work better
More minor makefile cleanups
Switch to using -std=gnu11
Don't use WCHAR even when we're assigning wide string literals
Cryptlib: make some Str*() args const.
Restructure our includes.
Fix Cryptlib's va_* definitions.
Consolidate most of our standard lib functions to lib
Fix stdarg to work the same everywhere.
Add some test cases, and make "make test" actually work.
make: use -Wextra (minus some obnoxious bits)
Test our strncmp vs known failing ones as well
Add more string test cases.
set_sbat_uefi_variable(): avoid comparing unsafe data
shim: simplify sbat self-check logic.
linker scripts: put .sbat after _edata
arm arches: include .sbat in our section headers.
Fix the compiler when invoking scan-build/fanalyzer/etc
openssl: nerf some -W flags for clang.
get_variable_attr(): fix a nit scan-build found.
Fix include order
More va_* work
Don't even try to use builtins, just make sure we have the same types.
Make ENABLE_SHIM_DEVEL work better.
sbat variable: use UEFI_VAR_NV_BS_RT when we've got ENABLE_SHIM_DEVEL
set_sbat_uefi_variable(): add a pile of debug prints.
set_sbat_uefi_variable(): align some decisions that are off-by-one.
Fix a plausible NULL dereference.
'make test': try harder to make it build in the right order.
Nerf an unnecessary string test on arm.
arm and aarch64: fix some PE headers.
Make 'make test' work on gcc 4.8.5
Don't set LIBDIR in CI builds any more.
Fix cross-compilation from x86_64->i686
Try multi-arch CI building using cross compilation
Update 'make archive' to include gnu-efi
Bump version to 15.3
Steve McIntyre (5):
Second attempt at SBAT doc tweaks
Fixups after Peter's review
Fix bashisms in Make.coverity
Stop using EFI_PATH, and error out if people try to use it
Fix up build of test code using gcc 8
Thomas Frauendorfer | Miray Software (2):
Fix column size check in SBAT variable parsing.
Sort input file names in lib/Makefile
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
We need to be using our patched version of gnu-efi
Signed-off-by: Steve McIntyre <93sam@debian.org>
|
|
This fixes ENABLE_SHIM_DEVEL to actually work, and also makes our "goto
die" failure behavior change (to wait considerably longer) based on it.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Be much more explicit about exactly which va_* stuff comes from which
ABI in both shim and gnu-efi. This fixes the problem where we see:
| (null):0:(null)() v->name:"(null)" v->rtname:"(null)"
| (null):0:(null)() v->data_size:0 v->data:0x0
and similar messages where everything is NULL.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If FALLBACK_VERBOSE is defined at build time the resulting fallback will
always be verbose despite having the EFI variable defined or not, which
facilitates testing in some scenarios.
Signed-off-by: João Paulo Rechi Vita <jprvita@endlessos.org>
|
|
Make it possible to configure at build time for how long fallback will
wait before moving to the next step when in verbose mode.
Also remind the user they can press the Pause key to pause the boot
process at that point.
Signed-off-by: João Paulo Rechi Vita <jprvita@endlessos.org>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This re-structures our includes so we can be sure everything is always
including all the system headers in a uniform, predictable way.
Temporarily it also adds a bunch of junk at all the places we use
variadic functions to specifically pick either the MS (cdecl) or ELF
ABIs.
I'm not 100% sure that's all correct (see later patch) but it's enough
to allow this to build.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Shim is rather more friendly with EFI internals than most code, and as a
result can end up making assumptions that are out of step with those made
by gnu-efi. Since both projects are developed independently, and since
distributions are often trying to build versions of shim against whatever
version of gnu-efi they are shipping, this can result in awkward build
failures. The easiest way to handle this is to use a git submodule and
import a known-good version of shim directly into the build tree. Given
static linking, this will also make reproducible builds easier.
Plus some changes from pjones:
- Fix up some more include paths
- more fine grained clean rules
- use our make ARCH
- use an rhboot/ repo for the gnu-efi remote
Signed-off-by: Matthew Garrett <mjg59@google.com>
|
|
Some of our makefile bits are a mess, as you may have noticed, making
changes to them difficult to review.
This patch attempts to make some parts of them vaguely less of a mess,
in order to facilitate review of follow-up changes. To so it:
- coalesces feature flags, optimizations, -W{no-,}, -W{no-}error,
include directives, and define/undefine directives into (mostly)
separate groups.
- exports them as appropriate so the sub-makes can use them
- Makes sure we have -Wextra -Werror everywhere, but adds -Wno-foo and
-Wno-error=foo directives at the appropriate places to keep the net
warnings the same.
- makes the arch defines in Cryptlib and Cryptlib/OpenSSL use the
appropriate ones, with no attempt to make them less stupid, without
changing the overall order.
- coalesces the various includes, with no attempt to make them less
stupid, without changing the overall order.
- One giant glaring whitespace fix in Cryptlib/OpenSSL/Makefile
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When using "objcopy -O binary", it silently drops the sections without
"alloc" or "load" or the sections with "unload". Since we didn't set any
section flags for .sbat, it just contains the "readonly" flag and
objcopy ignored the section totally when generating EFI images for
ARM32 and AArch64.
This commit sets the common read-only data section flags to .sbat so
that objcopy would always copy the section to the final EFI image.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
This adds a couple of make targets to do unit tests that are linked to
libc:
test-FOO : builds and runs test-FOO for any test-FOO.c
test : builds and runs all test-FOO tests
Note that building and running this test does not quite work yet /on
this branch/. In order to do that, we need some cleanups and
reorganizing that I don't want to push just yet, which can be found on
https://github.com/rhboot/shim/tree/test-reorg
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This adds a simple to use, one-function-call CSV parser that takes a
blob of data and gives you a linked list with an array of values.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I'm adding even more of this stuff, and it's feeling pretty cluttered,
so this moves the scan-build and coverity makefiles into include/, where
we'll see them less.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
already enforces the alignment, clarify that objcopy only needs to
do the alignment in the SBAT spec.
|
|
|
|
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This is a backport from devel of:
commit 634fd72ac6a6c6c9010c32506d524586826a8637
Author: Peter Jones <pjones@redhat.com>
Date: Fri Nov 22 15:14:22 2019 -0500
Make httpboot.c always get built.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The previous make target was passing all of the target's prerequisites
as boot images to sbsign, causing it to fail.
|
|
If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
user wants the build to be fully reproducible, so use a fixed string.
In case of a cross build, using uname -s -m -p -i o will still report
the host's kernel architecture, which will trip some CIs like
Debian's.
This is a backport from devel of:
commit 11fd3197d21f94b491ccfc1da6d38b14060e62d7
Author: Luca Boccassi <bluca@debian.org>
Date: Fri Feb 15 21:42:10 2019 +0000
Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
user wants the build to be fully reproducible, so use a fixed string.
In case of a cross build, using uname -s -m -p -i o will still report
the host's kernel architecture, which will trip some CIs like
Debian's.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data. When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.
This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The Secure Boot Advanced Targeting (SBAT) [0] is a Generation Number Based
Revocation mechanism that is meant to replace the DBX revocation file list.
Binaries must contain a .sbat data section that has a set entries, each of
them consisting of UTF-8 strings as comma separated values. Allow to embed
this information into the fwupd EFI binary at build time.
The SBAT metadata must contain at least two entries. One that defines the
SBAT version used and another one that defines the component generation.
This patch adds a sbat.csv that contains these two entries and downstream
users can override if additional entries are needed due changes that make
them diverge from upstream code and potentially add other vulnerabilities.
The same SBAT metadata is added to the fallback and MOK manager binaries
because these are built from the same shim source. These need to have SBAT
metadata as well to be booted if a .sbat section is mandatory.
[0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
This fixes several codepaths where MokList and MokListX are supposed to
be deleted, but are not. It also adds debug logging to much of the
deletion codepath.
|
|
$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
Time/Date Thu Jan 1 00:00:08 1970
$ _
"What is despair? I have known it—hear my song. Despair is when you’re
debugging a kernel driver and you look at a memory dump and you see that
a pointer has a value of 7."
- http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
objcopy only knows about -D for some targets.
ld only believes in --no-insert-timestamp in some versions.
dd takes off and nukes the site from orbit.
It's the only way to be sure.
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: a4a1fbe728c
|
|
When building in minimal chroot on build workers, like in Debian (where
make clean is called at the beginning of the build process), git will
not be available. Skip the git clean.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Upstream-commit-id: be352762a01
|
|
In Ubuntu 14.04, the following code in old Makefile:
mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
will create a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}".
Signed-off-by: Ming Tan <ming.tan@intel.com>
Upstream-commit-id: 39b83455d68
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
