| Age | Commit message (Collapse) | Author |
|---|
|
In Ubuntu 14.04, the following code in old Makefile:
mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
will create a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}".
Signed-off-by: Ming Tan <ming.tan@intel.com>
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes it so shim's idea of Mok variables all resides in one table
of data, and we don't need a bunch of nearly identical ad-hoc functions
to handle each of them.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This commit fixes 2 issues with the TPM support code:
1) Remove "REQUIRE_TPM ?=" line from the Makefile, further down the Makefile
checks if REQUIRE_TPM is undefined, but the above line sets it to an empty
string, which is not the same as undefined. Without this handle_image fails
after the tpm_log_pe() call even if REQUIRE_TPM=1 once was not set when
building the shim
2) When secure-boot is disabled then shim_verify() would exit with the
status of tpm_log_pe(), which on systems with a TPM is an error. Combined
with the recent change to always install the shim protocols, this causes
grub to refuse to boot any kernel since the verify() call now always fails.
This commit fixes this by explicitly setting status = EFI_SUCCESS when
secure-boot is disabled.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
Currently TPM related errors are being silently discarded.
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
|
|
system
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
|
|
the builds differ.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
shim 13:
- OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working
- Better PCR usage for TPM
- TPM documentation in README.tpm
- More configurable build via make variables:
ENABLE_SHIM_CERT
ENABLE_SHIM_HASH
ENABLE_SBSIGN
LIBDIR
EFIDIR
VENDOR_CERT_FILE
VENDOR_DB_FILE
- Better MoK documentation in MokVars.txt
- Better debuginfo generation
- Lots of minor bug fixes.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
If you build with ENABLE_SHIM_CERT=1, the include chain right now winds
up meaning shim_cert is defined in a header that gets included in
netboot.c as well, which never uses it:
In file included from shim.h:125:0,
from netboot.c:36:
shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable]
static UINT8 shim_cert[] = {
^~~~~~~~~
cc1: all warnings being treated as errors
So make that okay by adding __attribute__((__unused__)) to the variable
decl.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
Cyphermox discovered that when you run this:
( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g'
on some debian machines, printf(1) doesn't interpret the \x.. characters,
and that results in this being the encoded text:
00000000 5c 78 66 66 5c 78 66 65 73 00 68 00 69 00 6d 00 |\xff\xfes.h.i.m.|
00000010 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 2c 00 |x.6.4...e.f.i.,.|
00000020 66 00 6f 00 6f 00 2c 00 2c 00 54 00 68 00 69 00 |f.o.o.,.,.T.h.i.|
which... yeah, that's wrong. So instead, use iconv instead of
printf+sed to encode it in UCS-2. Unfortunately, that means we don't
get endian markers, because for some reason iconv(1) doesn't have any way
to say it should include them. But that's okay; fallback already
handles not having them and just assumes the second byte being \x00
means UCS-2LE.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Commit 1e71734992 inadvertantly switched ARM's
LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set,
and so it got clobbered away.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
shim_cert.h is required by other pieces (such as netboot.o, cert.o) and
might not be built by the time these targets are reached. In that case the
build would fail as it can't find a required header.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
It should not be left around after clean since it's a generated file.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
the shim.crt target
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes shim not create its own keyring and sign MokManager and
fallback by default.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Otherwise device paths are definitely all kinds of screwed up, but other
stuff might be as well.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Since booting the entry with fallback in the stack of things that got
measured will result in all the wrong PCR values, in the cases where TPM
is present and enabled, use ->Reset() instead of loading the Boot####
variable and executing its target.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This lets you do:
mkdir build-x64 build-ia32
cd build-x64
make TOPDIR=.. -f ../Makefile
cd ../build-ia32
setarch i686 -B make ARCH=ia32 TOPDIR=.. -f ../Makefile
And not worry about generated sources and headers mixing and matching.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Allow to overwrite certain settings from the external.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Since 87060b2fc effectively means signing with signtool.exe simply does
not work correctly, and that's sort of the biggest goal for shim, make
this version 12.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes it so two builds of the same .deb on different hosts won't
have wildly different file offsets.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Also update Cryptlib to edk2 r19218
- Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use
the gcc builtins and remove all EFIAPI from the functions
- Move the most of defines into the headers instead of Makefile
- Remove the global variable 'timeval'
- Remove the unused code: crypto/pqueue/* and crypto/ts/*
- Include bn.h in MokManager.c due to the changes in openssl
Signed-off-by: Gary Lin <glin@suse.com>
|
|
see comments here:
https://github.com/rhinstaller/shim/commit/d9a4c912c0aa72905ca793b555dcb0afb33e3b30
|
|
This commit adds the basic support for HTTPBoot, i.e. to fetch
the next stage loader with the HTTP protocol.
It requires gnu-efi >= 3.0.3 to support the URI device path and
Ip4Config2 or Ip6Config protocol support in the UEFI implementation.
To build shim.efi with HTTPBoot support:
make ENABLE_HTTPBOOT=1 shim.efi
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On baytrail, we've got 32-bit firmware, 32-bit efi utilities, and 64-bit
kernel. So since most distros will want 32+64 EFI media booting a
64-bit kernel, we have to name them better on the filesystem.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Nick Clifton wrote to me and explained:
Subject: SHIM - objcopy version check broken by RHEL 7.3 binutils
Hi Peter,
We (the tools group) have run across a small problem with the shim
package for RHEL 7.3, whilst testing out a new version of the
binutils. It complains that it needs a version of objcopy that is
>= 2.23, despite the fact that the version is actually 2.25.1.
I tracked the problem down to an extraneous space at the end of the
version string being produced by objcopy:
"GNU objcopy version 2.25.1-8.el7 "
The Makefile in the shim package uses this rule to test the version of
objcopy:
OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
But, because of that extra space, the sed expression clips the entire
line and so the test fails.
The extra space is there because normally the version number would be
followed by a date. For example:
"GNU objcopy version 2.23.52.0.1-56.el7 20130226"
So in this case the sed will extract the date, not the version number,
but the test will still pass.
I could fix the binutils to remove the space, although it would be a
bit messy and it would not fix the problem when a date is appended to
the version number. Instead, I would like to propose a small patch to
the shim Makefile. If you change the line to:
OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
then the test will work as intended, with or without an extra space at
the end of the version and with or without a date appended.
Would it be possible to have this change added to the shim package ?
Cheers
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Add support for measuring the MOK database and secure boot state into a
TPM, and do the same for the second stage loader. This avoids a hole in
TPM measurement between the firmware and the second stage loader.
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
