| Age | Commit message (Collapse) | Author |
|---|
|
The function msleep uses gBS->Stall which waits for a specified number
of microseconds.
Reference: https://edk2-docs.gitbook.io/edk-ii-uefi-driver-writer-s-guide/5_uefi_services/51_services_that_uefi_drivers_commonly_use/517_stall
This reference even mentions an example sleeping for 10 microseconds: // Wait 10 uS. Notice the letter 'u'.
Therefore it's a good idea to call the function 'usleep' rather than
'msleep', so no one confuses it with milliseconds, and to change the
argument name to match as well.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
If the ShimRetainProtocol variable is set, avoid uninstalling our
protocol.
For example, this allows sd-stub in a UKI to use the shim protocol to
validate PE binaries, even if it is executed by a second stage, before
the kernel is loaded.
Ensure that the variable is volatile and for BootServices access.
Also delete it on startup, so that we can be sure it was really set by
a second stage.
Example use case in sd-boot/sd-stub:
https://github.com/systemd/systemd/pull/27358
Signed-off-by: Luca Boccassi <bluca@debian.org>
|
|
This just makes one less thing we have to make sure is the same between
the test harnesses and the runtime code.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When EBS protection is disabled the code which hooks into EBS is
complied out, but on unhook it's the code which restores Exit() that
is disabled. This appears to be a mistake, and it can result in
writing NULL to EBS in the boot services table.
Fix this by moving the ifdefs to compile out the code to unhook EBS
instead of the code to unhook Exit(). Also ifdef the definition of
system_exit_boot_services to safeguard against its accidental use.
Fixes: 4b0a61dc9a95 ("shim: compile time option to bypass the ExitBootServices() check")
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
|
|
This re-structures our includes so we can be sure everything is always
including all the system headers in a uniform, predictable way.
Temporarily it also adds a bunch of junk at all the places we use
variadic functions to specifically pick either the MS (cdecl) or ELF
ABIs.
I'm not 100% sure that's all correct (see later patch) but it's enough
to allow this to build.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the
following messsages:
Unloading driver at 0x000B7D7B000
Synchronous Exception at 0x00000000BF5D5E68
AllocatePool: failed to allocate 800 bytes
Synchronous Exception at 0x00000000BF5D5E68
The similar error also showed when I modified MokManager to call
gBS->Exit() at the end of efi_main(). However, if MokManager just
returned, the error never showed. One significant difference is
whether the loaded image was restored or not, and the firmware seems
to need the original ImageBase pointer to do clean-up.
To avoid the potential crash, this commit adds restore_loaded_image() so
that we can restore the loaded image both in start_image() and
do_exit().
Signed-off-by: Gary Lin <glin@suse.com>
|
|
The license statements in our source files were getting to be a giant
mess, and mostly they all just say the same thing. I've switched most
of it to SPDX labels, but left copyright statements in place (where they
were not obviously incorrect copy-paste jobs that I did...).
If there's some change here you don't think is valid, let me know and
we can fix it up together.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On systems where a second stage bootloader is not used, and the Linux
Kernel is booted directly from shim, shim's ExitBootServices() hook
can cause problems as the kernel never calls the shim's verification
protocol. In this case calling the shim verification protocol is
unnecessary and redundant as shim has already verified the kernel
when shim loaded the kernel as the second stage loader.
This functionality is disabled by default and must be enabled via the
DISABLE_EBS_PROTECTION macro/define at build time.
Signed-off-by: Paul Moore <pmoore2@cisco.com>
|
|
This is a preparation commit for removing the setup_console(1) calls from
MokManager and shim so that we don't force the EFI console to switch to
text-mode.
This commit replaces all direct calls to Print / PrintAt with calls to
the new helpers (no functional changes) so that we can delay calling
setup_console(1) till the first Print call in a follow-up patch.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
This makes it so shim's idea of Mok variables all resides in one table
of data, and we don't need a bunch of nearly identical ad-hoc functions
to handle each of them.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I'm pretty done with typing uefi_call_wrapper() and counting arguments
every time. Instead, just make the compiler error if we don't have
ms_abi. Also, make it so nothing can use uefi_call_wrapper() directly.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Also consistently name our status variable "efi_status" unless there's a
good reason not to, such as already having another one of those.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Make sure if we chainload things, a chainloaded bootloader will be able to use
the latest systab replacements and protocols. They need to match for things
to validate correctly.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now applications run by shim get our wrapper for Exit(), but it
doesn't do as much cleanup as it should - shim itself also exits, but
currently is not doing all the cleanup it should be doing.
This changes it so all of shim's cleanup is also performed.
Based on a patch and lots of review from Gary Lin.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
On aarch64 due to some terrifying include chain we wind up with
Cryptlib's definition of exit here. I'm not a glutton for punishment,
so I'm just changing the name so it's not coliding.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Prevent unhook_system_services() from dereferencing a NULL systab, which
may occur if hook_system_services() has never been called.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
Track use of the system's LoadImage(), and when the next StartImage()
call is for an image the system verified, allow that to count as
participating, since it has been verified by the system's db.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
If we never find a valid thing to boot, we need to undo the weird things
we've done.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
It works like this: during startup of shim, we hook into the system's
ExitBootServices() and StartImage(). If the system's StartImage() is
called, we automatically unhook, because we're chainloading to something
the system can verify.
When shim's verify is called, we record what kind of certificate the
image was verified against. If the call /succeeds/, we remove our
hooks.
If ExitBootServices() is called, we check how the bootloader verified
whatever it is loading. If it was verified by its hash, we unhook
everything and call the system's EBS(). If it was verified by
certificate, we check if it has called shim_verify(). If it has, we
unhook everything and call the system's EBS()
If the bootloader has not verified anything, and is itself verified by
a certificate, we display a security violation warning and halt the
machine.
|
