| Age | Commit message (Collapse) | Author |
|---|
|
Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
directive before .reloc, but fails to do so.
As a result, binutils, which does not care about the actual binary
format's constraints in any way, does not enforce the section alignment,
and it will not load.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Our section headers on arm binaries need to include .sbat on fallback
and MokManger, and currently they do not.
The reason for this is that gnu-efi provides static, (mostly) hand-coded
section headers on arm and aarch64, due to having no efi-app-arm and
efi-app-aa64 target support in binutils. Additionally, the assembler
also generates (IMO pointless) relocations for _esbat/_sbat_size when
those are actually inside the section, and relocated symbols can't be
used in our section headers.
This patch moves the .sbat section to be after _edata, so the sections
don't overlap, and moves _esbat and _sbat_size to be after the section,
to avoid the relocation.
I'm not 100% sure we can't have overlapping sections, but now doesn't
seem like the time to find out.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
In cases where we accept vendor shim binaries with additional patches,
it may become necessary to identify those builds with additional SBAT
data. When we consider such patches, we should be proactive in asking
vendors to include that data in the .sbat sections of their trusted EFI
binaries.
This patch adds any data in data/sbat.*.csv (after a quick sanitizing
pass) after data/sbat.csv in the .sbat section, so that no changes to
the upstream data/sbat.csv are ever required.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The Secure Boot Advanced Targeting (SBAT) [0] is a Generation Number Based
Revocation mechanism that is meant to replace the DBX revocation file list.
Binaries must contain a .sbat data section that has a set entries, each of
them consisting of UTF-8 strings as comma separated values. Allow to embed
this information into the fwupd EFI binary at build time.
The SBAT metadata must contain at least two entries. One that defines the
SBAT version used and another one that defines the component generation.
This patch adds a sbat.csv that contains these two entries and downstream
users can override if additional entries are needed due changes that make
them diverge from upstream code and potentially add other vulnerabilities.
The same SBAT metadata is added to the fallback and MOK manager binaries
because these are built from the same shim source. These need to have SBAT
metadata as well to be booted if a .sbat section is mandatory.
[0]: https://github.com/rhboot/shim/blob/sbat/SBAT.md
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
When I added 4990d3f I inadvertantly made .data.ident and .rela.got
sections appear in the top-level section headers at file offsets not
aligned with PE->OptionalHeader.FileAlignment. This results in a
section table that looks like:
Sections:
Idx Name Size VMA LMA File off Algn
0 .eh_frame 00018648 0000000000005000 0000000000005000 00000400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .text 00093f45 000000000001e000 000000000001e000 00018c00 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 .reloc 0000000a 00000000000b2000 00000000000b2000 000acc00 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .data.ident 000000e4 00000000000b3040 00000000000b3040 000ace40 2**5
CONTENTS, ALLOC, LOAD, DATA
4 .data 000291e8 00000000000b4000 00000000000b4000 000ad200 2**5
CONTENTS, ALLOC, LOAD, DATA
5 .vendor_cert 000003e2 00000000000de000 00000000000de000 000d6400 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .dynamic 000000f0 00000000000df000 00000000000df000 000d6800 2**3
CONTENTS, ALLOC, LOAD, DATA
7 .rela 0001aef8 00000000000e0000 00000000000e0000 000d6a00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rela.got 00000060 00000000000faef8 00000000000faef8 000f1af8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .dynsym 0000ecd0 00000000000fb000 00000000000fb000 000f1e00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
rather than:
Sections:
Idx Name Size VMA LMA File off Algn
0 .eh_frame 00018118 0000000000005000 0000000000005000 00000400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .text 00091898 000000000001e000 000000000001e000 00018600 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 .reloc 0000000a 00000000000b0000 00000000000b0000 000aa000 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .data 00028848 00000000000b1000 00000000000b1000 000aa200 2**5
CONTENTS, ALLOC, LOAD, DATA
4 .vendor_cert 00000449 00000000000da000 00000000000da000 000d2c00 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynamic 00000100 00000000000db000 00000000000db000 000d3200 2**3
CONTENTS, ALLOC, LOAD, DATA
6 .rela 0001ae50 00000000000dc000 00000000000dc000 000d3400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .dynsym 0000ea78 00000000000f7000 00000000000f7000 000ee400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
(Note "File off" on sections #3 and #8 on the top one.)
This seems to work fine with edk2's loader and shim's loader, as well as
their Authenticode implementation, and pesign's as well.
While PE loaders seem to be fine with sections with alignments smaller
than PE->OptionalHeader.FileAlignment, MS's signtool.exe does ...
something else with them. I'm not sure what. What it definitely does
*not* do is extend the digest based on their file offset and size.
So just don't allow anything that small, and don't allow anything
smaller than SectionAlignment either, just to be on the safe side.
Since most of our stuff gets stripped into the debuginfo anyway, and
shim has relatively few sections, this should not be a very large
burden.
So just to be clear:
If you have a binary with a section that's not aligned on
PE->OptionalHeader.FileAlignment:
- pesign hashes it to A
- tiano hashes it to A
- shim hashes it to A
- signtool.exe hashes it to B
Because that makes sense.
This patch works around the bug in signtool.exe .
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This makes it so two builds of the same .deb on different hosts won't
have wildly different file offsets.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Revert "Do the same for ia32..."
and "Generate a sane PE header on shim, fallback, and MokManager."
This reverts commit 6744a7ef8eca44948565c3d1244ec931ed3f6fee.
and commit 0e7ba5947eb38b79de2051ecf3b95055e620475c.
These are premature and I can do this without such drastic measures.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Once again, on ia32 this time, we see:
00000120 47 84 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 |G...............|
Which is where the pointer on ia32 for the Base Relocation Table should
be. It points to 0x8447, which isn't a particularly reasonable address as
numbers go, and happens to have this data there:
00008440 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 65 00 |o.n.f.i.g.u.r.e.|
00008450 00 00 49 00 50 00 76 00 36 00 28 00 00 00 2c 00 |..I.P.v.6.(...,.|
00008460 25 00 73 00 2c 00 00 00 29 00 00 00 25 00 64 00 |%.s.,...)...%.d.|
00008470 2e 00 25 00 64 00 2e 00 25 00 64 00 2e 00 25 00 |..%.d...%.d...%.|
00008480 64 00 00 00 44 00 48 00 43 00 50 00 00 00 49 00 |d...D.H.C.P...I.|
00008490 50 00 76 00 34 00 28 00 00 00 2c 00 25 00 73 00 |P.v.4.(...,.%.s.|
And so that table is, in theory, this part:
00008447 00 67 00 75 00 72 00 65 00 | .g.u.r.e.|
00008450 00 |. |
Which is pretty clearly not a pointer table of any kind.
So give ia32 the same treatment as x86_64, and now all arches work basically
the same.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
With this change, the embedded certificate and dbx lists (vendor_cert,
vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
section named .vendor_cert, and so will look something like:
------
fenchurch:~/devel/github.com/shim$ objdump -h shim.efi
shim.efi: file format pei-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .eh_frame 000174a8 0000000000005000 0000000000005000 00000400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .text 000aa7e1 000000000001d000 000000000001d000 00017a00 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 .reloc 0000000a 00000000000c8000 00000000000c8000 000c2200 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .data 00031228 00000000000c9000 00000000000c9000 000c2400 2**5
CONTENTS, ALLOC, LOAD, DATA
4 .vendor_cert 00000375 00000000000fb000 00000000000fb000 000f3800 2**0
CONTENTS, READONLY
5 .dynamic 000000f0 00000000000fc000 00000000000fc000 000f3c00 2**3
CONTENTS, ALLOC, LOAD, DATA
6 .rela 0002afa8 00000000000fd000 00000000000fd000 000f3e00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .dynsym 0000f1f8 0000000000128000 0000000000128000 0011ee00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
------
This simplifies a security audit, because it means that different
versions of shim with substantially the same code with different keys
will be more easily comperable, and therefore logic differences may be
more easily identified.
This also means that if there's a trusted build you want to use, you can
remove the certificates, implant new ones, and have it signed, and the
code sections won't change.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
