| Age | Commit message (Collapse) | Author |
|---|
|
Conflicts:
shim.c
|
|
|
|
Conflicts:
Makefile
shim.c
|
|
Cert needs to be modified inside the Index loop, not outside it. This is unlikely to
ever trigger since there will typically only be one X509 certificate per
EFI_SIGNATURE_LIST, but fix it anyway.
|
|
We could potentially find a valid signature and then fail to validate it
due to not breaking out of the outer while loop.
|
|
load_image() didn't allocate PathName, don't have it free it.
|
|
Type-checking the UEFI calls picked up a couple of problems. Fix them up.
|
|
|
|
|
|
read_header would fail if the binary was unsigned, even if we weren't then
going to verify the signature. Move that check to the verify function
instead.
|
|
Fixes for some small bugs noticed during review
|
|
|
|
Add a helper function and tidy up the calls for getting into MokManager
|
|
In some rare corner cases, it's useful to add a blacklist of things that
were allowed by a copy of shim that was never signed by the UEFI signing
service. In these cases it's okay for them to go into a local dbx,
rather than taking up precious flash.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Add support for setting an MOK password. The OS passes down a password hash.
MokManager then presents an option for setting a password. Selecting it
prompts the user for the same password again. If they match, the hash is
enrolled into a boot services variable and MokManager will prompt for the
password whenever it's started.
|
|
If we're configured to run untrusted code, print a message and skip the
validation checks.
|
|
Provide a mechanism for a physically present end user to disable signature
verification. This is handled by the OS passing down a variable that
contains a UINT32 and a SHA256 hash. If this variable is present, MokManager
prompts the user to choose whether to enable or disable signature validation
(depending on the value of the UINT32). They are then asked to type the
passphrase that matches the hash. This then saves a boot services variable
which is checked by shim, and if set will skip verification of signatures.
|
|
|
|
Some systems will show an error dialog if LoadImage() returned
EFI_ACCESS_DENIED, which then requires physical user interaction to skip.
Let's just remove the LoadImage/StartImage code, since the built-in code
is theoretically equivalent.
|
|
Using the same format as the UEFI key databases makes it easier for the
kernel to parse and extract keys from MOK, and also permits MOK to contain
multiple key or hash types. Additionally, add support for enrolling hashes.
|
|
We want to be able to generate hashes, so split out the hash generation
function from the verification function
|
|
In theory vendors could blacklist binaries with SHA1, so make sure we
calculate and check that hash as well.
|
|
If we can't verify grub, fall back to MokManager. This permits shipping a
copy of shim and MokManager without distributing a key, letting
distributions provide their own for user installation.
|
|
|
|
|
|
|
|
|
|
|
|
The RT variable, MokListRT, is a copy of MokList so that the
runtime applications can synchronize the key list without touching
the BS variable.
|
|
|
|
|
|
|
|
We have to make sure the machine owner key is stored in a BS
variable.
|
|
Conflicts:
shim.c
|
|
|
|
|
|
The break in check_db_cert is at the wrong level due to a typo in
indentation, and as a result only the last cert in the list can
correctly match. Rectify that.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
This allows you to specify the vendor_cert as a file on the command line
during build.
|
|
|
|
|
|
|
|
|
|
|
|
This was not quite as bugfree as would be hoped for.
|
|
|
|
|
|
|
|
|
|
|
