| Age | Commit message (Collapse) | Author |
|---|
|
already enforces the alignment, clarify that objcopy only needs to
do the alignment in the SBAT spec.
|
|
|
|
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This is a backport from devel of:
commit 634fd72ac6a6c6c9010c32506d524586826a8637
Author: Peter Jones <pjones@redhat.com>
Date: Fri Nov 22 15:14:22 2019 -0500
Make httpboot.c always get built.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The previous make target was passing all of the target's prerequisites
as boot images to sbsign, causing it to fail.
|
|
If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
user wants the build to be fully reproducible, so use a fixed string.
In case of a cross build, using uname -s -m -p -i o will still report
the host's kernel architecture, which will trip some CIs like
Debian's.
This is a backport from devel of:
commit 11fd3197d21f94b491ccfc1da6d38b14060e62d7
Author: Luca Boccassi <bluca@debian.org>
Date: Fri Feb 15 21:42:10 2019 +0000
Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
user wants the build to be fully reproducible, so use a fixed string.
In case of a cross build, using uname -s -m -p -i o will still report
the host's kernel architecture, which will trip some CIs like
Debian's.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data. When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.
This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The Secure Boot Advanced Targeting (SBAT) [0] is a Generation Number Based
Revocation mechanism that is meant to replace the DBX revocation file list.
Binaries must contain a .sbat data section that has a set entries, each of
them consisting of UTF-8 strings as comma separated values. Allow to embed
this information into the fwupd EFI binary at build time.
The SBAT metadata must contain at least two entries. One that defines the
SBAT version used and another one that defines the component generation.
This patch adds a sbat.csv that contains these two entries and downstream
users can override if additional entries are needed due changes that make
them diverge from upstream code and potentially add other vulnerabilities.
The same SBAT metadata is added to the fallback and MOK manager binaries
because these are built from the same shim source. These need to have SBAT
metadata as well to be booted if a .sbat section is mandatory.
[0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
This fixes several codepaths where MokList and MokListX are supposed to
be deleted, but are not. It also adds debug logging to much of the
deletion codepath.
|
|
$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
Time/Date Thu Jan 1 00:00:08 1970
$ _
"What is despair? I have known it—hear my song. Despair is when you’re
debugging a kernel driver and you look at a memory dump and you see that
a pointer has a value of 7."
- http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
objcopy only knows about -D for some targets.
ld only believes in --no-insert-timestamp in some versions.
dd takes off and nukes the site from orbit.
It's the only way to be sure.
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: a4a1fbe728c
|
|
When building in minimal chroot on build workers, like in Debian (where
make clean is called at the beginning of the build process), git will
not be available. Skip the git clean.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Upstream-commit-id: be352762a01
|
|
In Ubuntu 14.04, the following code in old Makefile:
mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
will create a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}".
Signed-off-by: Ming Tan <ming.tan@intel.com>
Upstream-commit-id: 39b83455d68
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes it so shim's idea of Mok variables all resides in one table
of data, and we don't need a bunch of nearly identical ad-hoc functions
to handle each of them.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This commit fixes 2 issues with the TPM support code:
1) Remove "REQUIRE_TPM ?=" line from the Makefile, further down the Makefile
checks if REQUIRE_TPM is undefined, but the above line sets it to an empty
string, which is not the same as undefined. Without this handle_image fails
after the tpm_log_pe() call even if REQUIRE_TPM=1 once was not set when
building the shim
2) When secure-boot is disabled then shim_verify() would exit with the
status of tpm_log_pe(), which on systems with a TPM is an error. Combined
with the recent change to always install the shim protocols, this causes
grub to refuse to boot any kernel since the verify() call now always fails.
This commit fixes this by explicitly setting status = EFI_SUCCESS when
secure-boot is disabled.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
Currently TPM related errors are being silently discarded.
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
|
|
system
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
|
|
the builds differ.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
shim 13:
- OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working
- Better PCR usage for TPM
- TPM documentation in README.tpm
- More configurable build via make variables:
ENABLE_SHIM_CERT
ENABLE_SHIM_HASH
ENABLE_SBSIGN
LIBDIR
EFIDIR
VENDOR_CERT_FILE
VENDOR_DB_FILE
- Better MoK documentation in MokVars.txt
- Better debuginfo generation
- Lots of minor bug fixes.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If you build with ENABLE_SHIM_CERT=1, the include chain right now winds
up meaning shim_cert is defined in a header that gets included in
netboot.c as well, which never uses it:
In file included from shim.h:125:0,
from netboot.c:36:
shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable]
static UINT8 shim_cert[] = {
^~~~~~~~~
cc1: all warnings being treated as errors
So make that okay by adding __attribute__((__unused__)) to the variable
decl.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
Cyphermox discovered that when you run this:
( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g'
on some debian machines, printf(1) doesn't interpret the \x.. characters,
and that results in this being the encoded text:
00000000 5c 78 66 66 5c 78 66 65 73 00 68 00 69 00 6d 00 |\xff\xfes.h.i.m.|
00000010 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 2c 00 |x.6.4...e.f.i.,.|
00000020 66 00 6f 00 6f 00 2c 00 2c 00 54 00 68 00 69 00 |f.o.o.,.,.T.h.i.|
which... yeah, that's wrong. So instead, use iconv instead of
printf+sed to encode it in UCS-2. Unfortunately, that means we don't
get endian markers, because for some reason iconv(1) doesn't have any way
to say it should include them. But that's okay; fallback already
handles not having them and just assumes the second byte being \x00
means UCS-2LE.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Commit 1e71734992 inadvertantly switched ARM's
LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set,
and so it got clobbered away.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
shim_cert.h is required by other pieces (such as netboot.o, cert.o) and
might not be built by the time these targets are reached. In that case the
build would fail as it can't find a required header.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
It should not be left around after clean since it's a generated file.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
the shim.crt target
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes shim not create its own keyring and sign MokManager and
fallback by default.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Otherwise device paths are definitely all kinds of screwed up, but other
stuff might be as well.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Since booting the entry with fallback in the stack of things that got
measured will result in all the wrong PCR values, in the cases where TPM
is present and enabled, use ->Reset() instead of loading the Boot####
variable and executing its target.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This lets you do:
mkdir build-x64 build-ia32
cd build-x64
make TOPDIR=.. -f ../Makefile
cd ../build-ia32
setarch i686 -B make ARCH=ia32 TOPDIR=.. -f ../Makefile
And not worry about generated sources and headers mixing and matching.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Allow to overwrite certain settings from the external.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
