summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2023-12-05BS Variables for bootmgr revocationsJan Setje-Eilers
This adds support for applying SkuSiPolicy UEFI BS variables. These varaibles are needed for non-dbx based Windows revocations and are described here: https://support.microsoft.com/en-us/topic/kb5027455-guidance-for-blocking-vulnerable-windows-boot-managers-522bb851-0a61-44ad-aa94-ad11119c5e91 Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
2023-06-21Rename 'msecs' to 'usecs' to avoid potential confusionKamil Aronowski
The function msleep uses gBS->Stall which waits for a specified number of microseconds. Reference: https://edk2-docs.gitbook.io/edk-ii-uefi-driver-writer-s-guide/5_uefi_services/51_services_that_uefi_drivers_commonly_use/517_stall This reference even mentions an example sleeping for 10 microseconds: // Wait 10 uS. Notice the letter 'u'. Therefore it's a good idea to call the function 'usleep' rather than 'msleep', so no one confuses it with milliseconds, and to change the argument name to match as well. Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
2023-06-21Skip testing msleep()Kamil Aronowski
In preparation for renaming msleep() to usleep(), in some cases tests were failing due to a mismatch between our declaration of the usleep() function and what is being provided by unistd.h. This change simply makes our function declared only when not in a unit test environment. Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
2022-08-16Enable TDX measurement to RTMR registerLu Ken
Intel Trust Domain Extensions (Intel TDX) extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD)[1]. A TD runs in a CPU mode that is designed to protect the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625. To support CC measurement/attestation with Intel TDX technology, these 4 RTMR registers will be extended by TDX service like TPM/TPM2 PCR: - RTMR[0] for TDVF configuration - RTMR[1] for the TD OS loader and kernel - RTMR[2] for the OS application - RTMR[3] reserved for special usage only Add a TDX Implementation for CC Measurement protocol along with TPM/TPM2 protocol. References: [1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf [2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf [3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf Signed-off-by: Lu Ken <ken.lu@intel.com> [rharwood: style pass on code and commit message] Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-17PE Loader: support and require NXPeter Jones
This adds support in our PE loader for NX support utilizing the EFI_MEMORY_ATTRIBUTE protocol. Specifically, it changes the loader such that: - binaries without the EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set in the Optional Header are rejected as EFI_UNSUPPORTED - binaries with non-discardable sections that have both the EFI_SCN_MEM_WRITE and EFI_SCN_MEM_EXECUTE flags set are rejected as EFI_UNSUPPORTED - if the EFI_MEMORY_ATTRIBUTE protocol is installed, then: - sections without the EFI_SCN_MEM_READ flag set will be marked with EFI_MEMORY_RP - sections without the EFI_SCN_MEM_WRITE flag set will be marked with EFI_MEMORY_RO - sections without the EFI_SCN_MEM_EXECUTE flag set will be marked with EFI_MEMORY_XP Signed-off-by: Peter Jones <pjones@redhat.com>
2022-05-17shim: use SHIM_DEVEL_VERBOSE when built in devel modePeter Jones
This makes SHIM_VERBOSE / SHIM_DEVEL_VERBOSE work the same way as SHIM_DEBUG / SHIM_DEVEL_DEBUG when shim is built with ENABLE_SHIM_DEVEL set. Signed-off-by: Peter Jones <pjones@redhat.com>
2022-05-17Use ASCII as fallback if Unicode Box Drawing characters failTony Persson
Many ASRock boards will not render MokManager correctly if the Unicode Box Drawing characters are used. Signed-off-by: Tony Persson <tony@tonypersson.se>
2022-03-30MokManager: removed Locate graphic output protocol fail error messageLee, Chun-Yi
On some platform, like GCP or OVMF which does NOT provide EFI_GRAPHICS_OUTPUT_PROTOCOL when no display device (or the display device be disabled). It causes that the "Error: Locate graphic output protocol fail: (0xE) Not Found." always be showed on console when we enroll MOK through MokManager. The message box blocked the process of enrolling MOK and scared user. The error message is introduced by 55163bc82c517 since 15.2. This patch removed the error message. Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
2021-12-10Minor coverity fixes15.5-rc2Peter Jones
- one missing free - one minor deadcode issue - two unchecked allocations - one debug hexdump of a variable we just freed Signed-off-by: Peter Jones <pjones@redhat.com>
2021-10-12console: add a clear_screen() primitivePeter Jones
Several places in e.g. MokManager and our console library use ST->ConOut->ClearScreen directly, without checking for the existence of a console output device. This patch adds function to our console library to do that correctly, instead of using the bug-prone ad hoc implementation everywhere. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-10-12console: check that ST->ConIn and ST->ConOut are non-NULLPeter Jones
There's been some discussion on how to handle machines without console devices. The consensus so far has been that they should have dummy ConOut implementations, but that means the first vendor to build a machine without asking around is in for some surprises. This patch makes the places where our console library uses ST->ConIn or ST->ConOut check that they're present before doing so. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-09-07shim/mm/fb: move global state to its own source filePeter Jones
This moves the globals from shim.c (and lib/console.c) into their own file, to make it so that unit tests can more easily link against code that uses that state. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-09-07cleanup: always use BS and RT, not gBS and gRTPeter Jones
This just makes one less thing we have to make sure is the same between the test harnesses and the runtime code. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-09-07Make CopyMem() work with EFI's declarationPeter Jones
EFI_BOOT_SERVICES includes CopyMem() and SetMem() functions which are marked EFIAPI, and in the case of CopyMem() does not mark the source argument as CONST. This patch makes all our invocations work with that, so (once gnu-efi's implementation is fixed to match) we can use the existing implementation as the implementation in a mock EFI_BOOT_SERVICES. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-07-20Make test cases link against libefi.aPeter Jones
This allows us to use library functions from libefi.a in our test programs. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-25Make building outside of the top directory work.Peter Jones
This also makes the cross-build targets (and not the others) /use/ this functionality, so we'll catch it if we break it again. This fixes issue #340. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-22Fix boot failures due to variable size constraintsupstream/shim-15.3-rc4shim-15.3-rc4Chris Coulson
There are multiple issues in the MOK variable mirroring code due to volatile variable size constraints, which all result in boot failures: - If a signature is encountered which doesn't fit in to a single variable, the code enters an infinite loop because the cursor isn't advanced in mirror_mok_db() after the call to mirror_one_esl(). - If an ESL is encountered which doesn't fit in to a single variable, it looks like the intention is for the ESL to be split across multiple variables. However, mirror_one_esl() will write the maximum variable size on each call, regardless of how much data is remaining for the current ESL. If the size of a ESL isn't a multiple of the maximum variable size, the final call to mirror_one_esl() will append data from the start of the next ESL and the cursor in mirror_mok_db() will be advanced to an arbitrary location in the next ESL. This either results in garbage being mirrored (if you're lucky), or in my case - another infinite loop as it appears to encounter a signature that doesn't fit in to a single variable. - If no signatures can be mirrored when mirror_mok_db() is called with only_first=TRUE, it tries to create a variable with a single SHA256 signature in it. But mirror_mok_db() returns an error (EFI_INVALID_PARAMETER) regardless of whether this succeeds.
2021-03-22Make 'make test' work on gcc 4.8.5Peter Jones
2021-03-18Ensure that MOK variable mirroring creates well formed ESLsChris Coulson
The MOK variable mirroring makes use of variable_create_esl, which can only create a well-formed EFI_SIGNATURE_LIST containing a single signature. Fix fill_esl and variable_create_esl to support creating a EFI_SIGNATURE_LIST with one or more supplied EFI_SIGNATURE_DATA structures. Introduce variable_create_esl_with_one_signature and fill_esl_with_one_signature for code that does want to create a EFI_SIGNATURE_LIST containing a single signature constructed from a supplied signature data buffer and owner GUID.
2021-03-17Sort input file names in lib/MakefileThomas Frauendorfer | Miray Software
The order in which the foreach() returns files differes from Debian on WSL1 and Debian running natively. When shim is build on these two platforms the resulting binaries differ. This patch manually sorts the input file list to create identical binaries. Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
2021-03-12More va_* workPeter Jones
Be much more explicit about exactly which va_* stuff comes from which ABI in both shim and gnu-efi. This fixes the problem where we see: | (null):0:(null)() v->name:"(null)" v->rtname:"(null)" | (null):0:(null)() v->data_size:0 v->data:0x0 and similar messages where everything is NULL. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-12get_variable_attr(): fix a nit scan-build found.Peter Jones
scan-build believes we can hit a situation where get_variable_attr() is called with NULL data, in which case we're not correctly returning an error. This adds the error return. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-10Add more string test cases.Peter Jones
This adds test cases for the rest of our ASCII string functions. While doing so, it fixes two minor bugs: - strcasecmp() now handles utf8 correctly - strncpy() no longer does the stpncpy() behavior of clearing leftover buffer Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-10Add some test cases, and make "make test" actually work.Peter Jones
Note the one test case I'm not 100% sure about. Someone let me know. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-10Fix stdarg to work the same everywhere.Peter Jones
This gets us the same working definition for VA_* va_* etc everywhere, and it's the same definition edk2 is using. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-10Consolidate most of our standard lib functions to libPeter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-10Restructure our includes.Peter Jones
This re-structures our includes so we can be sure everything is always including all the system headers in a uniform, predictable way. Temporarily it also adds a bunch of junk at all the places we use variadic functions to specifically pick either the MS (cdecl) or ELF ABIs. I'm not 100% sure that's all correct (see later patch) but it's enough to allow this to build. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-09Don't use WCHAR even when we're assigning wide string literalsPeter Jones
Note that there are still some occurrences of WCHAR in Cryptlib/OpenSSL/, but they're only built on win32 platforms we don't support. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-09Re-organize a bunch of CFLAGS-related makefile bitsPeter Jones
Some of our makefile bits are a mess, as you may have noticed, making changes to them difficult to review. This patch attempts to make some parts of them vaguely less of a mess, in order to facilitate review of follow-up changes. To so it: - coalesces feature flags, optimizations, -W{no-,}, -W{no-}error, include directives, and define/undefine directives into (mostly) separate groups. - exports them as appropriate so the sub-makes can use them - Makes sure we have -Wextra -Werror everywhere, but adds -Wno-foo and -Wno-error=foo directives at the appropriate places to keep the net warnings the same. - makes the arch defines in Cryptlib and Cryptlib/OpenSSL use the appropriate ones, with no attempt to make them less stupid, without changing the overall order. - coalesces the various includes, with no attempt to make them less stupid, without changing the overall order. - One giant glaring whitespace fix in Cryptlib/OpenSSL/Makefile Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-09Add get_variable_size()/set_variable()del_variable() wrappers.Peter Jones
This get_variable_size() implementation success in either of two cases: - EFI_SUCCESS with *lenp == 0 if the variable isn't found - EFI_SUCCESS with *lenp > 0 on success In the event of other errors, it returns them to you. There's nothing particularly interesting about the set_variable() or del_variable() implementation here. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-25Fix all the places we need UNUSED on arguments.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-16Make the variable name and pointer const in all of our efi vars functionsPeter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-16Fix a bunch of trivial trailing whitespace issues.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-16console: Fix a typo in the EFI warning list in gnu-efiPeter Jones
Some versions of gnu-efi have a typo, in which "EFI_WARN_UNKNOWN_GLYPH" is accidentally "EFI_WARN_UNKOWN_GLYPH". Work around that, so that we can use the not-silly one in console.c's list of error and warning messages. This is a backport from devel for: commit 5f62b22ccd636d326b3229a2b196118701c6f3f7 Author: Peter Jones <pjones@redhat.com> Date: Mon Aug 26 16:12:05 2019 -0400 Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-16lib: move print_crypto_errors() out of console.cGary Lin
print_crypto_errors() will pull in the whole openssl library which bloats the size of fallback.efi. Move the function to an independent file (lib/print_crypto.c) to reduce the file size of fallback.efi from 1.3MB to 93KB. Signed-off-by: Gary Lin <glin@suse.com>
2021-02-16Make sure MIN() and MAX() are always defined.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-16SPDX: Clarify the attribution for James's lib/ codePeter Jones
At the time, this was explicitly contributed under the Tiano license, even though the original code[0] is LGPLv2.1. [0]: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-13get_variable: always allocate a NUL character at the end.Peter Jones
Sometimes we're loading structures that are parsed in string-like ways, but can't necessarily be trusted to be zero-terminated. Solve that by making sure we always have enough aligned, trailing zero bytes to always have at least one NUL character, no matter which character type is being parsed. Signed-off-by: Peter Jones <pjones@redhat.com>
2021-01-29Always use lower case for our local include file names.Peter Jones
clang-format doesn't allow you to specify an include sort order, and just assumes asciibetical is a pretty good order, which doesn't work as well as you would hope. This makes them all lower case so they don't need to be re-sorted. I also went through and checked that we're using quoted local includes at all the appropriate places. Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-25Also use a config table to mirror mok variables.Peter Jones
Everything was going just fine until I made a vendor_db with 17kB of sha256 sums in it. And then the same source tree that had worked fine without that threw errors and failed all over the place. I wrote some code to diagnose the problem, and of course it was a failure in mirroring MokList to MokListRT. As Patrick noted in 741c61abba7, some systems have obnoxiously low amounts of variable storage available: mok.c:550:import_mok_state() BS+RT variable info: MaximumVariableStorageSize:0x000000000000DFE4 RemainingVariableStorageSize:0x000000000000D21C MaximumVariableSize:0x0000000000001FC4 The most annoying part is that on at least this edk2 build, SetVariable() /does actually appear to set the variable/, but it returns EFI_INVALID_PARAMETER. I'm not planning on relying on that behavior. So... yeah, the largest *volatile* (i.e. RAM only) variable this edk2 build will let you create is less than two pages. It's only got 7.9G free, so I guess it's feeling like space is a little tight. We're also not quite preserving that return code well enough for his workaround to work. New plan. We try to create variables the normal way, but we don't consider not having enough space to be fatal. In that case, we create an EFI_SECURITY_LIST with one sha256sum in it, with a value of all 0, and try to add that so we're sure there's /something/ there that's innocuous. On systems where the first SetVariable() / QueryVariableInfo() lied to us, the correct variable should be there, otherwise the one with the zero-hash will be. We then also build a config table to hold this info and install that. The config table is a packed array of this struct: struct mok_variable_config_entry { CHAR8 name[256]; UINT64 data_size; UINT8 data[]; }; There will be N+1 entries, and the last entry is all 0 for name and data_size. The total allocation size will always be a multiple of 4096. In the typical RHEL 7.9 case that means it'll be around 5 pages. It's installed with this guid: c451ed2b-9694-45d3-baba-ed9f8988a389 Anything that can go wrong will. Signed-off-by: Peter Jones <pjones@redhat.com> Upstream: not yet, I don't want people to read this before Wednesday. Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-23Add support for vendor_db built-in shim authorized list.Peter Jones
Potential new signing strategies ( for example signing grub, fwupdate and vmlinuz with separate certificates ) require shim to support a vendor provided bundle of trusted certificates and hashes, which allows shim to trust EFI binaries matching either certificate by signature or hash in the vendor_db. Functionality is similar to vendor_dbx. This also improves the mirroring quite a bit. Upstream: pr#206
2020-07-23simple_file: fix uninitialized variable/unchecked returnPeter Jones
Signed-off-by: Peter Jones <pjones@redhat.com> Upstream: pr#212
2020-07-23MokManager: console mode modification for hi-dpi screen devicesIvan Hu
There are lots of hi-dpi laptops nowadays, as doing mok enrollment, the font is too small to see. https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1822043 This patch checks if the resolution is larger than Full HD (1920x1080) and current console output columns and rows is in a good mode. Then swith the console output to a better mode. Signed-off-by: Ivan Hu <ivan.hu@canonical.com> Upstream-commit-id: cf05af6d899
2018-04-05Fix get_variable() usage in setup_verbosity()Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05Make setup_console(-1) do GetMode() and call it from setup_verbosity()Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-13console: Fix indentationHans de Goede
The manual merge of the "console: Do not set EFI console to textmode until something is printed" patch has lead to a bunch of tabs being replaced with 7 spaces. This commit fixes this. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2018-03-12console: Do not set EFI console to textmode until something is printedHans de Goede
Remove the setup_console(1) calls from shim and instead make lib/console.c make that call when necessary. This avoids shim forcing the EFI console to switch to text-mode if nothing is printed. This commit also modifies MokManager to work the same way for consistency, even though MokManager will always print something. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2018-03-12console: Move setup_console() definition to higher in the fileHans de Goede
This is a preparation patch for making setup_console() private. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2018-03-12console: Add console_print and console_print_at helpersHans de Goede
This is a preparation commit for removing the setup_console(1) calls from MokManager and shim so that we don't force the EFI console to switch to text-mode. This commit replaces all direct calls to Print / PrintAt with calls to the new helpers (no functional changes) so that we can delay calling setup_console(1) till the first Print call in a follow-up patch. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2018-03-12Don't use uefi_call_wrapper(), ever.Peter Jones
I'm pretty done with typing uefi_call_wrapper() and counting arguments every time. Instead, just make the compiler error if we don't have ms_abi. Also, make it so nothing can use uefi_call_wrapper() directly. Signed-off-by: Peter Jones <pjones@redhat.com>