From 587b608b89def24717632fd5b3e548f2cf52c675 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Feb 2021 17:25:24 -0500 Subject: Fix all the places we need UNUSED on arguments. Signed-off-by: Peter Jones --- MokManager.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index e94c82ba..5a851d86 100644 --- a/MokManager.c +++ b/MokManager.c @@ -2094,7 +2094,7 @@ static void free_menu(mok_menu_item * menu_item, CHAR16 ** menu_strings) FreePool(menu_item); } -static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, void *MokNew, UINTN MokNewSize, void *MokDel, UINTN MokDelSize, void *MokSB, UINTN MokSBSize, -- cgit v1.2.3 From f033a1da9f4c3acf7e3dfef906d01e348b6fcf42 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 9 Mar 2021 11:42:34 -0500 Subject: Restructure our includes. This re-structures our includes so we can be sure everything is always including all the system headers in a uniform, predictable way. Temporarily it also adds a bunch of junk at all the places we use variadic functions to specifically pick either the MS (cdecl) or ELF ABIs. I'm not 100% sure that's all correct (see later patch) but it's enough to allow this to build. 
Signed-off-by: Peter Jones --- Cryptlib/Include/OpenSslSupport.h | 13 +++++++----- Cryptlib/Include/ctype.h | 16 -------------- Cryptlib/Include/openssl/crypto.h | 1 + Cryptlib/Include/stdarg.h | 16 -------------- Cryptlib/Include/stddef.h | 15 -------------- Cryptlib/Include/stdlib.h | 16 -------------- Cryptlib/Include/string.h | 16 -------------- Cryptlib/Include/strings.h | 15 -------------- Cryptlib/InternalCryptLib.h | 2 ++ Cryptlib/Makefile | 14 +++++++++---- Cryptlib/OpenSSL/Makefile | 16 +++++++++----- Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 +++---- Make.defaults | 3 ++- Makefile | 7 ++++--- MokManager.c | 8 +------ PasswordCrypt.c | 6 ++---- crypt_blowfish.c | 5 ----- errlog.c | 29 +++++++++++++------------- fallback.c | 4 ---- httpboot.c | 4 ---- include/console.h | 8 +++---- include/hexdump.h | 17 ++++++++------- include/system/alloca.h | 10 +++++++++ include/system/ctype.h | 14 +++++++++++++ include/system/inttypes.h | 13 ++++++++++++ include/system/stdarg.h | 31 ++++++++++++++++++++++++++++ include/system/stdio.h | 13 ++++++++++++ include/system/stdlib.h | 16 ++++++++++++++ include/system/string.h | 14 +++++++++++++ include/system/strings.h | 10 +++++++++ include/test.h | 4 ++-- lib/Makefile | 39 +++++++++++++++++++++++++++++++++-- lib/configtable.c | 3 --- lib/console.c | 21 +++++++------------ lib/execute.c | 4 ---- lib/print_crypto.c | 5 ----- lib/security_policy.c | 4 ---- lib/shell.c | 3 --- lib/simple_file.c | 4 ---- lib/variables.c | 3 --- mok.c | 4 ---- netboot.c | 2 -- pe.c | 1 - replacements.c | 5 ----- sbat.c | 1 - shim.c | 1 - shim.h | 25 ++++++++++++++++------ test.c | 3 ++- tpm.c | 6 ------ 49 files changed, 262 insertions(+), 236 deletions(-) delete mode 100644 Cryptlib/Include/ctype.h delete mode 100644 Cryptlib/Include/stdarg.h delete mode 100644 Cryptlib/Include/stddef.h delete mode 100644 Cryptlib/Include/stdlib.h delete mode 100644 Cryptlib/Include/string.h delete mode 100644 Cryptlib/Include/strings.h create mode 100644 
include/system/alloca.h create mode 100644 include/system/ctype.h create mode 100644 include/system/inttypes.h create mode 100644 include/system/stdarg.h create mode 100644 include/system/stdio.h create mode 100644 include/system/stdlib.h create mode 100644 include/system/string.h create mode 100644 include/system/strings.h (limited to 'MokManager.c') diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h index 0b555271..7af9650f 100644 --- a/Cryptlib/Include/OpenSslSupport.h +++ b/Cryptlib/Include/OpenSslSupport.h @@ -15,6 +15,14 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #ifndef __OPEN_SSL_SUPPORT_H__ #define __OPEN_SSL_SUPPORT_H__ +/* + * Include stddef.h to avoid redefining "offsetof" + */ +#include +#include +#include +#include + #include #include #include "Base.h" @@ -23,11 +31,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "Library/MemoryAllocationLib.h" #include "Library/DebugLib.h" -/* - * Include stddef.h to avoid redefining "offsetof" - */ -#include - #define CONST const // diff --git a/Cryptlib/Include/ctype.h b/Cryptlib/Include/ctype.h deleted file mode 100644 index ee07f6bc..00000000 --- a/Cryptlib/Include/ctype.h +++ /dev/null @@ -1,16 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include - diff --git a/Cryptlib/Include/openssl/crypto.h b/Cryptlib/Include/openssl/crypto.h index bea4ca19..e201a123 100644 --- a/Cryptlib/Include/openssl/crypto.h +++ b/Cryptlib/Include/openssl/crypto.h @@ -117,6 +117,7 @@ #ifndef HEADER_CRYPTO_H # define HEADER_CRYPTO_H +# include # include # include diff --git a/Cryptlib/Include/stdarg.h b/Cryptlib/Include/stdarg.h deleted file mode 100644 index ee07f6bc..00000000 --- a/Cryptlib/Include/stdarg.h +++ /dev/null @@ -1,16 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include - diff --git a/Cryptlib/Include/stddef.h b/Cryptlib/Include/stddef.h deleted file mode 100644 index 8dfc36ff..00000000 --- a/Cryptlib/Include/stddef.h +++ /dev/null @@ -1,15 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include diff --git a/Cryptlib/Include/stdlib.h b/Cryptlib/Include/stdlib.h deleted file mode 100644 index ee07f6bc..00000000 --- a/Cryptlib/Include/stdlib.h +++ /dev/null @@ -1,16 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include - diff --git a/Cryptlib/Include/string.h b/Cryptlib/Include/string.h deleted file mode 100644 index ee07f6bc..00000000 --- a/Cryptlib/Include/string.h +++ /dev/null @@ -1,16 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include - diff --git a/Cryptlib/Include/strings.h b/Cryptlib/Include/strings.h deleted file mode 100644 index 8dfc36ff..00000000 --- a/Cryptlib/Include/strings.h +++ /dev/null @@ -1,15 +0,0 @@ -/** @file - Include file to support building OpenSSL Crypto Library. - -Copyright (c) 2010, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h index e9a4c20a..dc1a95e6 100644 --- a/Cryptlib/InternalCryptLib.h +++ b/Cryptlib/InternalCryptLib.h @@ -15,6 +15,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #ifndef __INTERNAL_CRYPT_LIB_H__ #define __INTERNAL_CRYPT_LIB_H__ +#include + #include "Library/BaseLib.h" #include "Library/BaseMemoryLib.h" #include "Library/MemoryAllocationLib.h" diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index bc5681c5..65a3918c 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -2,8 +2,14 @@ ifneq ($(CCACHE_DISABLE),) export CCACHE_DISABLE endif -INCLUDES = -I$(TOPDIR) -iquote $(TOPDIR) -I$(TOPDIR)/Include \ - $(EFI_INCLUDES) -I$(shell $(CC) -print-file-name=include) +CRYPTDIR = $(TOPDIR)/Cryptlib + +FEATUREFLAGS += -nostdinc + +INCLUDES = -I$(CRYPTDIR) -I$(CRYPTDIR)/Include \ + $(EFI_INCLUDES) \ + -isystem $(TOPDIR)/include/system \ + -isystem $(shell $(CC) -print-file-name=include) CFLAGS = $(FEATUREFLAGS) \ $(OPTIMIZATIONS) \ 
@@ -15,12 +21,12 @@ CFLAGS = $(FEATUREFLAGS) \ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,) ifeq ($(ARCH),x86_64) -FEATUREFLAGS += -m64 -mno-mmx -mno-sse -mno-red-zone -nostdinc $(CLANG_BUGS) +FEATUREFLAGS += -m64 -mno-mmx -mno-sse -mno-red-zone $(CLANG_BUGS) DEFINES += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 endif ifeq ($(ARCH),ia32) -FEATUREFLAGS += -m32 -mno-mmx -mno-sse -mno-red-zone -nostdinc $(CLANG_BUGS) +FEATUREFLAGS += -m32 -mno-mmx -mno-sse -mno-red-zone $(CLANG_BUGS) DEFINES += -DMDE_CPU_IA32 endif ifeq ($(ARCH),aarch64) diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 5bd72481..294e889a 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -2,17 +2,23 @@ ifneq ($(CCACHE_DISABLE),) export CCACHE_DISABLE endif +CRYPTDIR = $(TOPDIR)/Cryptlib +OSSLDIR = $(TOPDIR)/Cryptlib/OpenSSL + DEFINES = -DL_ENDIAN \ -D_CRT_SECURE_NO_DEPRECATE \ -D_CRT_NONSTDC_NO_DEPRECATE \ -DOPENSSL_SMALL_FOOTPRINT \ -DPEDANTIC -INCLUDES = -I$(TOPDIR) -I$(TOPDIR)/.. -I$(TOPDIR)/../Include/ -I$(TOPDIR)/crypto \ - -I$(shell $(CC) -print-file-name=include) \ - -I$(TOPDIR)/../Include $(EFI_INCLUDES) \ - -I$(TOPDIR)/crypto/asn1 -I$(TOPDIR)/crypto/evp \ - -I$(TOPDIR)/crypto/modes -I$(TOPDIR)/crypto/include +INCLUDES = -I$(OSSLDIR) -I$(CRYPTDIR) -I$(OSSLDIR)/Include/ \ + -I$(OSSLDIR)/crypto -I$(CRYPTDIR)/Include $(EFI_INCLUDES) \ + -I$(OSSLDIR)/crypto/asn1 -I$(OSSLDIR)/crypto/evp \ + -I$(OSSLDIR)/crypto/modes -I$(OSSLDIR)/crypto/include \ + -isystem $(TOPDIR)/include/system \ + -isystem $(shell $(CC) -print-file-name=include) + +FEATUREFLAGS += -nostdinc WERRFLAGS += -Wno-error=discarded-qualifiers \ -Wno-error=maybe-uninitialized \ diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c index fea73864..2d303ee8 100644 --- a/Cryptlib/OpenSSL/crypto/bio/b_print.c +++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c 
@@ -134,9 +134,9 @@ static int fmtfp(char **, char **, size_t *, size_t *, LDOUBLE, int, int, int); #endif static int doapr_outch(char **, char **, size_t *, size_t *, int); -static int _dopr(char **sbuffer, char **buffer, - size_t *maxlen, size_t *retlen, int *truncated, - const char *format, va_list args); +static int EFIAPI _dopr(char **sbuffer, char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, + const char *format, va_list args); /* format read states */ #define DP_S_DEFAULT 0 @@ -167,7 +167,7 @@ static int _dopr(char **sbuffer, char **buffer, #define char_to_int(p) (p - '0') #define OSSL_MAX(p,q) ((p >= q) ? p : q) -static int +static int EFIAPI _dopr(char **sbuffer, char **buffer, size_t *maxlen, diff --git a/Make.defaults b/Make.defaults index bef3cb51..ebb9e3c3 100644 --- a/Make.defaults +++ b/Make.defaults @@ -102,7 +102,8 @@ INCLUDES = -nostdinc \ -I$(shell $(CC) $(ARCH_CFLAGS) -print-file-name=include) \ -I$(TOPDIR)/Cryptlib -I$(TOPDIR)/Cryptlib/Include \ -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH_GNUEFI) -I$(EFI_INCLUDE)/protocol \ - -I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(shell pwd) + -I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(shell pwd) \ + -isystem $(TOPDIR)/include/system override DEFAULT_FEATUREFLAGS = \ -std=gnu11 \ diff --git a/Makefile b/Makefile index c1d13947..6a62e00a 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ override TOPDIR := $(shell pwd) endif override TOPDIR := $(abspath $(TOPDIR)) VPATH = $(TOPDIR) +export TOPDIR include $(TOPDIR)/Make.rules include $(TOPDIR)/Make.defaults 
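Review bot: In the Make.defaults hunk the new `-isystem $(TOPDIR)/include/system` is appended while the compiler's own header directory is still passed as `-I$(shell $(CC) $(ARCH_CFLAGS) -print-file-name=include)`. GCC searches every `-I` directory before any `-isystem` directory, so `#include <stdarg.h>` would find the compiler's copy before the new wrapper in include/system. If the wrapper is meant to take precedence, pass both directories as `-isystem` with include/system first, as the Cryptlib Makefiles in this same commit do. A one-line comment above INCLUDES would also help, for example `# include/system must be searched before the compiler's freestanding headers`.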
@@ -134,15 +135,15 @@ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: Cryptlib/libcryptlib.a: for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done - $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile + $(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile Cryptlib/OpenSSL/libopenssl.a: for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done - $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile + $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) if [ ! -d lib ]; then mkdir lib ; fi - $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) CFLAGS="$(CFLAGS)" -C lib -f $(TOPDIR)/lib/Makefile lib.a + $(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a buildid : $(TOPDIR)/buildid.c $(CC) -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf diff --git a/MokManager.c b/MokManager.c index 5a851d86..cd1492f8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1,18 +1,12 @@ // SPDX-License-Identifier: BSD-2-Clause-Patent +#include "shim.h" -#include -#include -#include #include #include #include #include #include -#include "shim.h" - -#include "hexdump.h" - #define PASSWORD_MAX 256 #define PASSWORD_MIN 1 #define SB_PASSWORD_LEN 16 diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 311c914b..1030a6dd 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c 
@@ -1,13 +1,11 @@ // SPDX-License-Identifier: BSD-2-Clause-Patent -#include -#include +#include "shim.h" + #include #include #include -#include "shim.h" - #define TRAD_DES_HASH_SIZE 13 /* (64/6+1) + (12/6) */ #define BSDI_DES_HASH_SIZE 20 /* (64/6+1) + (24/6) + 4 + 1 */ #define BLOWFISH_HASH_SIZE 31 /* 184/6+1 */ diff --git a/crypt_blowfish.c b/crypt_blowfish.c index 7a474f26..b1eb0e60 100644 --- a/crypt_blowfish.c +++ b/crypt_blowfish.c @@ -43,11 +43,6 @@ * Blowfish library (I can't be sure if I would think of something if I * hadn't seen his code). */ - -#include -#include - -/* Just to make sure the prototypes match the actual definitions */ #include "shim.h" typedef unsigned int BF_word; diff --git a/errlog.c b/errlog.c index 714d09d3..16af23b0 100644 --- a/errlog.c +++ b/errlog.c @@ -5,30 +5,29 @@ */ #include "shim.h" -#include "hexdump.h" static CHAR16 **errs = NULL; static UINTN nerrs = 0; -EFI_STATUS -vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, va_list args) +EFI_STATUS EFIAPI +vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, elf_va_list args) { - va_list args2; + elf_va_list args2; EFI_STATUS efi_status = EFI_SUCCESS; if (verbose) { - va_copy(args2, args); + elf_va_copy(args2, args); console_print(L"%a:%d:%a() ", file, line, func); efi_status = VPrint(fmt, args2); - va_end(args2); + elf_va_end(args2); } return efi_status; } -EFI_STATUS -VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_list args) +EFI_STATUS EFIAPI +VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, elf_va_list args) { - va_list args2; + elf_va_list args2; CHAR16 **newerrs; newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), 
@@ -39,11 +38,11 @@ VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_li newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); if (!newerrs[nerrs]) return EFI_OUT_OF_RESOURCES; - va_copy(args2, args); + elf_va_copy(args2, args); newerrs[nerrs+1] = VPoolPrint(fmt, args2); if (!newerrs[nerrs+1]) return EFI_OUT_OF_RESOURCES; - va_end(args2); + elf_va_end(args2); nerrs += 2; newerrs[nerrs] = NULL; @@ -52,15 +51,15 @@ VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_li return EFI_SUCCESS; } -EFI_STATUS +EFI_STATUS EFIAPI LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...) { - va_list args; + elf_va_list args; EFI_STATUS efi_status; - va_start(args, fmt); + elf_va_start(args, fmt); efi_status = VLogError(file, line, func, fmt, args); - va_end(args); + elf_va_end(args); return efi_status; } diff --git a/fallback.c b/fallback.c index fc81c5e4..ba90bb3b 100644 --- a/fallback.c +++ b/fallback.c @@ -3,10 +3,6 @@ * Copyright Red Hat, Inc. * Copyright Peter Jones */ - -#include -#include - #include "shim.h" #define NO_REBOOT L"FB_NO_REBOOT" diff --git a/httpboot.c b/httpboot.c index bedb99d2..fe08f3f7 100644 --- a/httpboot.c +++ b/httpboot.c @@ -7,10 +7,6 @@ * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel * Corporation. */ - -#include -#include - #include "shim.h" static UINTN diff --git a/include/console.h b/include/console.h index b2ab5fe4..d8af3cd3 100644 --- a/include/console.h +++ b/include/console.h @@ -17,9 +17,9 @@ EFI_STATUS console_get_keystroke(EFI_INPUT_KEY *key); -UINTN +UINTN EFIAPI console_print(const CHAR16 *fmt, ...); -UINTN +UINTN EFIAPI console_print_at(UINTN col, UINTN row, const CHAR16 *fmt, ...); void console_print_box_at(CHAR16 *str_arr[], int highlight, 
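Review bot: The early `return EFI_OUT_OF_RESOURCES;` after `VPoolPrint(fmt, args2)` in VLogError skips `elf_va_end(args2)` and leaves the string stored in `newerrs[nerrs]` allocated. Moving `elf_va_end(args2);` to directly after the `VPoolPrint` call and adding `FreePool(newerrs[nerrs]);` before that return would close both gaps. The function starts and ends outside this hunk, so where `errs` is reassigned is not visible. If that happens only after these returns, the error paths would also leave `errs` pointing at the buffer handed to `ReallocatePool`, which is worth confirming.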
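Review bot: `LogError_` is now declared `EFIAPI` but walks its arguments with `elf_va_start`/`elf_va_end`, which the new include/system/stdarg.h maps to `__builtin_va_start` rather than `__builtin_ms_va_start`. On x86_64 the Makefiles define `GNU_EFI_USE_MS_ABI`, so if `EFIAPI` expands to the MS calling convention there, the variadic arguments would presumably be read with the wrong layout. The same pairing appears in `console_print` and `console_print_at` in lib/console.c. By contrast, `hexdumpf` in include/hexdump.h uses `elf_va_start` without `EFIAPI` while `vhexdumpf` gains it, so the two patterns disagree. Either drop `EFIAPI` from the variadic entry points or switch them to `ms_va_list`/`ms_va_start`/`ms_va_end`, and add a comment in stdarg.h saying which family belongs with which calling convention.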
@@ -101,8 +101,8 @@ extern UINT32 verbose; #define dprint(fmt, ...) \ dprint_(L"%a:%d:%a() " fmt, __FILE__, __LINE__ - 1, __func__, \ ##__VA_ARGS__) -extern EFI_STATUS -vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, va_list args); +extern EFI_STATUS EFIAPI vdprint_(const CHAR16 *fmt, const char *file, int line, + const char *func, elf_va_list args); #define vdprint(fmt, ...) \ vdprint_(fmt, __FILE__, __LINE__ - 1, __func__, ##__VA_ARGS__) diff --git a/include/hexdump.h b/include/hexdump.h index 8b8b4557..36d77ec4 100644 --- a/include/hexdump.h +++ b/include/hexdump.h @@ -3,7 +3,8 @@ #ifndef STATIC_HEXDUMP_H #define STATIC_HEXDUMP_H -#include +#include "shim.h" +#include "include/console.h" static inline unsigned long UNUSED prepare_hex(const void *data, size_t size, char *buf, unsigned int position) @@ -80,8 +81,9 @@ prepare_text(const void *data, size_t size, char *buf, unsigned int position) * variadic hexdump formatted * think of it as: printf("%s%s\n", vformat(fmt, ap), hexdump(data,size)); */ -static inline void UNUSED -vhexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, va_list ap) +static inline void UNUSED EFIAPI +vhexdumpf(const char *file, int line, const char *func, const CHAR16 *const fmt, + const void *data, unsigned long size, size_t at, elf_va_list ap) { unsigned long display_offset = at; unsigned long offset = 0; 
@@ -115,13 +117,14 @@ vhexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt * think of it as: printf("%s%s", format(fmt, ...), hexdump(data,size)[lineN]); */ static inline void UNUSED -hexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, ...) +hexdumpf(const char *file, int line, const char *func, const CHAR16 *const fmt, + const void *data, unsigned long size, size_t at, ...) { - va_list ap; + elf_va_list ap; - va_start(ap, at); + elf_va_start(ap, at); vhexdumpf(file, line, func, fmt, data, size, at, ap); - va_end(ap); + elf_va_end(ap); } static inline void UNUSED diff --git a/include/system/alloca.h b/include/system/alloca.h new file mode 100644 index 00000000..dc11b60d --- /dev/null +++ b/include/system/alloca.h @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _ALLOCA_H +#define _ALLOCA_H + +#endif /* !_ALLOCA_H */ +#endif +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/ctype.h b/include/system/ctype.h new file mode 100644 index 00000000..c771bb69 --- /dev/null +++ b/include/system/ctype.h @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * ctype.h - standard ctype functions + */ +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _CTYPE_H +#define _CTYPE_H + + +#endif /* !_CTYPE_H */ +#endif /* !SHIM_UNIT_TEST */ +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/inttypes.h b/include/system/inttypes.h new file mode 100644 index 00000000..a35b0090 --- /dev/null +++ b/include/system/inttypes.h @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _INTTYPES_H +#define _INTTYPES_H + +#include +#include + +#endif /* !INTTYPES_H_ */ +#endif +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/stdarg.h b/include/system/stdarg.h new file mode 100644 index 00000000..346b760d --- /dev/null 
+++ b/include/system/stdarg.h @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * stdarg.h - try to make consistent va_* handling for EFI + */ +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _STDARG_H +#define _STDARG_H + +#include + +#endif /* !_STDARG_H */ +#endif +#ifndef SHIM_STDARG_H_ +#define SHIM_STDARG_H_ + +typedef __builtin_ms_va_list ms_va_list; +#define ms_va_copy(dest, start) __builtin_ms_va_copy(dest, start) +#define ms_va_start(marker, arg) __builtin_ms_va_start(marker, arg) +#define ms_va_arg(marker, type) __builtin_va_arg(marker, type) +#define ms_va_end(marker) __builtin_ms_va_end(marker) + +typedef __builtin_va_list elf_va_list; +#define elf_va_copy(dest, start) __builtin_va_copy(dest, start) +#define elf_va_start(marker, arg) __builtin_va_start(marker, arg) +#define elf_va_arg(marker, type) __builtin_va_arg(marker, type) +#define elf_va_end(marker) __builtin_va_end(marker) + +#endif /* !SHIM_STDARG_H_ */ +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/stdio.h b/include/system/stdio.h new file mode 100644 index 00000000..6ea60d71 --- /dev/null +++ b/include/system/stdio.h @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * stdio.h - sigh + */ +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _STDIO_H +#define _STDIO_H + +#endif /* !_STDIO_H */ +#endif +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/stdlib.h b/include/system/stdlib.h new file mode 100644 index 00000000..f2660f63 --- /dev/null +++ b/include/system/stdlib.h @@ -0,0 +1,16 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _STDLIB_H +#define _STDLIB_H + +/* + * I don't know why, but openssl expects to get size_t from stdlib.h + * instead of stddef.h, so... whatever. + */ +#include + +#endif /* !_STDLIB_H */ +#endif +// vim:fenc=utf-8:tw=75:noet diff --git a/include/system/string.h b/include/system/string.h new file mode 100644 index 00000000..21e46c1d 
--- /dev/null +++ b/include/system/string.h @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _STRING_H +#define _STRING_H + +#include + +__typeof__(__builtin_memset) memset; +__typeof__(__builtin_memcpy) memcpy; + +#endif /* _STRING_H */ +#endif diff --git a/include/system/strings.h b/include/system/strings.h new file mode 100644 index 00000000..c82bd917 --- /dev/null +++ b/include/system/strings.h @@ -0,0 +1,10 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +#ifdef SHIM_UNIT_TEST +#include_next +#else +#ifndef _STRINGS_H +#define _STRINGS_H + +#endif /* !_STRINGS_H */ +#endif +// vim:fenc=utf-8:tw=75:noet diff --git a/include/test.h b/include/test.h index 6fc178ba..8a970fd2 100644 --- a/include/test.h +++ b/include/test.h @@ -11,13 +11,13 @@ #include #if defined(__aarch64__) -#include +#include #elif defined(__arm__) #include #elif defined(__i386__) || defined(__i486__) || defined(__i686__) #include #elif defined(__x86_64__) -#include +#include #else #error what arch is this #endif diff --git a/lib/Makefile b/lib/Makefile index d9188c74..63893c3e 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -2,9 +2,44 @@ TARGET = lib.a LIBFILES = $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x))) +CRYPTDIR = $(TOPDIR)/Cryptlib + INCLUDES = $(EFI_INCLUDES) \ - -I$(TOPDIR)/../include \ - -I$(TOPDIR)/CryptLib/Include/openssl/ + -I$(TOPDIR)/include \ + -I$(CRYPTDIR)/Include/openssl/ \ + -I$(CRYPTDIR)/Include/ \ + -I$(CRYPTDIR) \ + -I$(TOPDIR) \ + -isystem $(TOPDIR)/include/system \ + -isystem $(shell $(CC) -print-file-name=include) + +CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,) + +ifeq ($(ARCH),x86_64) +FEATUREFLAGS += -m64 -mno-mmx -mno-sse -mno-red-zone -nostdinc $(CLANG_BUGS) +DEFINES += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -UNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 +endif +ifeq ($(ARCH),ia32) +FEATUREFLAGS += -m32 -mno-mmx -mno-sse -mno-red-zone -nostdinc $(CLANG_BUGS) +DEFINES += -DMDE_CPU_IA32 +endif +ifeq ($(ARCH),aarch64) +DEFINES += -DMDE_CPU_AARCH64 +endif +ifeq ($(ARCH),arm) +DEFINES += -DMDE_CPU_ARM +endif + +LDFLAGS = -nostdlib -znocombreloc + + +CFLAGS = $(FEATUREFLAGS) \ + $(OPTIMIZATIONS) \ + $(WARNFLAGS) \ + $(WERRFLAGS) \ + $(INCLUDES) \ + $(DEFINES) lib.a: $(LIBFILES) $(AR) rcs lib.a $(LIBFILES) diff --git a/lib/configtable.c b/lib/configtable.c index 8675fad1..66e97f63 100644 --- a/lib/configtable.c +++ b/lib/configtable.c @@ -4,9 +4,6 @@ * * read some platform configuration tables */ -#include -#include - #include "shim.h" void * diff --git a/lib/console.c b/lib/console.c index ffa8ea5c..32c6d55d 100644 --- a/lib/console.c +++ b/lib/console.c @@ -3,11 +3,6 @@ * Copyright 2012 * Copyright 2013 Red Hat Inc. */ -#include -#include -#include -#include - #include "shim.h" static UINT8 console_text_mode = 0; 
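Review bot: In the new lib/Makefile, `-nostdinc` is added only inside the `x86_64` and `ia32` branches, while the `aarch64` and `arm` branches set `DEFINES` only. The top-level Makefile in this commit also stops passing `CFLAGS="$(CFLAGS)"` to the lib build, so lib.a on ARM may be compiled with the host's default include path still active, unless FEATUREFLAGS is inherited from somewhere not shown. For a boot component that should see only the freestanding and project headers, add `FEATUREFLAGS += -nostdinc` unconditionally above the `ifeq` blocks, as this commit does for Cryptlib/Makefile. Separately, this file passes `-UNO_BUILTIN_VA_FUNCS` where Cryptlib/Makefile passes `-DNO_BUILTIN_VA_FUNCS`; a short comment explaining why they differ would help.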
@@ -88,27 +83,27 @@ VOID console_fini(VOID) setup_console(0); } -UINTN +UINTN EFIAPI console_print(const CHAR16 *fmt, ...) { - va_list args; + elf_va_list args; UINTN ret; if (!console_text_mode) setup_console(1); - va_start(args, fmt); + elf_va_start(args, fmt); ret = VPrint(fmt, args); - va_end(args); + elf_va_end(args); return ret; } -UINTN +UINTN EFIAPI console_print_at(UINTN col, UINTN row, const CHAR16 *fmt, ...) { SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; - va_list args; + elf_va_list args; UINTN ret; if (!console_text_mode) @@ -116,9 +111,9 @@ console_print_at(UINTN col, UINTN row, const CHAR16 *fmt, ...) co->SetCursorPosition(co, col, row); - va_start(args, fmt); + elf_va_start(args, fmt); ret = VPrint(fmt, args); - va_end(args); + elf_va_end(args); return ret; } diff --git a/lib/execute.c b/lib/execute.c index f57a6321..642f94a3 100644 --- a/lib/execute.c +++ b/lib/execute.c @@ -3,10 +3,6 @@ * Copyright 2012 * Code Copyright 2012 Red Hat, Inc */ - -#include -#include - #include "shim.h" EFI_STATUS diff --git a/lib/print_crypto.c b/lib/print_crypto.c index 39dfd2c0..ccdb65b1 100644 --- a/lib/print_crypto.c +++ b/lib/print_crypto.c @@ -2,11 +2,6 @@ /* * Copyright 2019 SUSE LLC */ - -#include -#include -#include - #include "shim.h" #include diff --git a/lib/security_policy.c b/lib/security_policy.c index 6a9b13ed..6c42cc14 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -4,10 +4,6 @@ * * Install and remove a platform security2 override policy */ - -#include -#include - #include "shim.h" #if defined(OVERRIDE_SECURITY_POLICY) diff --git a/lib/shell.c b/lib/shell.c index 87f279d6..146d9a21 100644 --- a/lib/shell.c +++ b/lib/shell.c @@ -4,9 +4,6 @@ * * misc shell helper functions */ -#include -#include - #include "shim.h" EFI_STATUS diff --git a/lib/simple_file.c b/lib/simple_file.c index e6544709..5fd3e1a6 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c 
@@ -2,10 +2,6 @@ /* * Copyright 2012 */ - -#include -#include - #include "shim.h" EFI_STATUS diff --git a/lib/variables.c b/lib/variables.c index 6db069ef..57875e26 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -10,9 +10,6 @@ * Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.
* */ -#include -#include - #include "shim.h" EFI_STATUS diff --git a/mok.c b/mok.c index ac0276ec..6bd506be 100644 --- a/mok.c +++ b/mok.c @@ -6,10 +6,6 @@ #include "shim.h" -#include - -#include "hexdump.h" - /* * Check if a variable exists */ diff --git a/netboot.c b/netboot.c index 25a6df7f..450e9def 100644 --- a/netboot.c +++ b/netboot.c @@ -13,8 +13,6 @@ #include "shim.h" -#include - #define ntohs(x) __builtin_bswap16(x) /* supported both by GCC and clang */ #define htons(x) ntohs(x) diff --git a/pe.c b/pe.c index 45dd4714..73b05a51 100644 --- a/pe.c +++ b/pe.c @@ -5,7 +5,6 @@ */ #include "shim.h" -#include "hexdump.h" #include #include diff --git a/replacements.c b/replacements.c index 69dbd5a2..278a8e78 100644 --- a/replacements.c +++ b/replacements.c @@ -18,11 +18,6 @@ * National Security Policy and Scientific Developments, November 20, * 1969. */ - -#include -#include -#include - #include "shim.h" static EFI_SYSTEM_TABLE *systab; diff --git a/sbat.c b/sbat.c index f46bb8ab..d8750962 100644 --- a/sbat.c +++ b/sbat.c @@ -4,7 +4,6 @@ */ #include "shim.h" -#include "string.h" EFI_STATUS parse_sbat_section(char *section_base, size_t section_size, diff --git a/shim.c b/shim.c index 32bc3e81..6f627b1f 100644 --- a/shim.c +++ b/shim.c @@ -12,7 +12,6 @@ */ #include "shim.h" -#include "hexdump.h" #if defined(ENABLE_SHIM_CERT) #include "shim_cert.h" #endif /* defined(ENABLE_SHIM_CERT) */ diff --git a/shim.h b/shim.h index d28e16b7..61dafa82 100644 --- a/shim.h +++ b/shim.h @@ -26,6 +26,14 @@ #endif #endif +#include +#include +#include +#include +#include +#include +#include + #ifndef SHIM_UNIT_TEST #include #include @@ -34,9 +42,6 @@ #include #endif -#include -#include - #ifdef SHIM_UNIT_TEST #include "include/test.h" #endif 
@@ -158,9 +163,14 @@ #include "include/tpm.h" #include "include/ucs2.h" #include "include/variables.h" +#include "include/hexdump.h" #include "version.h" +#ifndef SHIM_UNIT_TEST +#include "Cryptlib/Include/OpenSslSupport.h" +#endif + INTERFACE_DECL(_SHIM_LOCK); typedef @@ -196,9 +206,12 @@ typedef struct _SHIM_LOCK { extern EFI_STATUS shim_init(void); extern void shim_fini(void); -extern EFI_STATUS LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...); -extern EFI_STATUS VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_list args); -extern VOID LogHexdump_(const char *file, int line, const char *func, const void *data, size_t sz); +extern EFI_STATUS EFIAPI LogError_(const char *file, int line, const char *func, + const CHAR16 *fmt, ...); +extern EFI_STATUS EFIAPI VLogError(const char *file, int line, const char *func, + const CHAR16 *fmt, elf_va_list args); +extern VOID LogHexdump_(const char *file, int line, const char *func, + const void *data, size_t sz); extern VOID PrintErrors(VOID); extern VOID ClearErrors(VOID); extern VOID restore_loaded_image(VOID); diff --git a/test.c b/test.c index b21e2191..aa0da1fd 100644 --- a/test.c +++ b/test.c @@ -12,7 +12,8 @@ UINT8 in_protocol = 0; int debug = DEFAULT_DEBUG_PRINT_STATE; -EFI_STATUS LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...) +EFI_STATUS EFIAPI +LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...) { assert(0); return EFI_SUCCESS; diff --git a/tpm.c b/tpm.c index e1fcb8be..808e0444 100644 --- a/tpm.c +++ b/tpm.c @@ -1,10 +1,4 @@ // SPDX-License-Identifier: BSD-2-Clause-Patent - -#include -#include -#include -#include - #include "shim.h" typedef struct { -- cgit v1.2.3 From 6ea93a28759d754778e483f86f95587a01c5fee8 Mon Sep 17 00:00:00 2001 
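Review bot: The `VLogError` prototype in the `@@ -196,9 +206,12 @@` hunk of shim.h is now `EFIAPI` but takes an `elf_va_list`, and the header does not say which va_list flavour a caller must pass; `LogError_` beside it is an `EFIAPI` variadic. Where `EFIAPI` selects a calling convention other than the platform default, a list started under one convention and consumed under the other is undefined behaviour. The pairing should therefore be checked against the definitions in errlog.c, which are not part of this hunk. I would add a comment above the two prototypes, for example `/* VLogError() consumes an elf_va_list; callers must start the list with the matching va_start flavour */`, adjusted to what errlog.c actually does.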
From: Peter Jones Date: Fri, 23 Jul 2021 14:28:59 -0400 Subject: cleanup: always use BS and RT, not gBS and gRT This just makes one less thing we have to make sure is the same between the test harnesses and the runtime code. Signed-off-by: Peter Jones --- MokManager.c | 122 +++++++++++++++++++++++++------------------------- fallback.c | 56 +++++++++++------------ httpboot.c | 40 ++++++++--------- lib/console.c | 6 +-- lib/execute.c | 10 ++--- lib/security_policy.c | 2 +- lib/shell.c | 2 +- lib/simple_file.c | 20 ++++----- mok.c | 27 ++++++----- netboot.c | 4 +- pe.c | 8 ++-- replacements.c | 32 ++++++------- shim.c | 38 ++++++++-------- 13 files changed, 183 insertions(+), 184 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index cd1492f8..4b6ee146 100644 --- a/MokManager.c +++ b/MokManager.c @@ -735,7 +735,7 @@ done: static INTN reset_system() { - gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); + RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); console_notify(L"Failed to reboot\n"); return -1; } @@ -883,10 +883,10 @@ static EFI_STATUS write_db(CHAR16 * db_name, void *MokNew, UINTN MokNewSize) CopyMem(new_data, old_data, old_size); CopyMem(new_data + old_size, MokNew, MokNewSize); - efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - new_size, new_data); + efi_status = RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + new_size, new_data); out: if (old_size > 0) { FreePool(old_data); @@ -918,8 +918,8 @@ static EFI_STATUS store_keys(void *MokNew, UINTN MokNewSize, int authenticate, } if (authenticate) { - efi_status = gRT->GetVariable(auth_name, &SHIM_LOCK_GUID, - &attributes, &auth_size, auth); + efi_status = RT->GetVariable(auth_name, &SHIM_LOCK_GUID, + &attributes, &auth_size, auth); if (EFI_ERROR(efi_status) || (auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_CRYPT_SIZE)) { 
@@ -945,10 +945,10 @@ static EFI_STATUS store_keys(void *MokNew, UINTN MokNewSize, int authenticate, if (!MokNewSize) { /* Delete MOK */ - efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - 0, NULL); + efi_status = RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); } else { /* Write new MOK */ efi_status = write_db(db_name, MokNew, MokNewSize); @@ -1064,10 +1064,10 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, } if (DataSize == 0) { dprint(L"DataSize = 0; deleting variable %s\n", db_name); - efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - DataSize, Data); + efi_status = RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + DataSize, Data); dprint(L"efi_status:%llu\n", efi_status); return EFI_SUCCESS; } @@ -1109,10 +1109,10 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, ptr = (uint8_t *) ptr + CertList->SignatureListSize; } - efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - DataSize, Data); + efi_status = RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + DataSize, Data); if (Data) FreePool(Data); @@ -1262,8 +1262,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) auth_name = L"MokDelAuth"; } - efi_status = gRT->GetVariable(auth_name, &SHIM_LOCK_GUID, &attributes, - &auth_size, auth); + efi_status = RT->GetVariable(auth_name, &SHIM_LOCK_GUID, &attributes, + &auth_size, auth); if (EFI_ERROR(efi_status) || (auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_CRYPT_SIZE)) { 
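Review bot: In the `DataSize == 0` branch of `write_back_mok_list` (hunk `@@ -1064,10 +1064,10 @@`) the result of `RT->SetVariable` is only passed to `dprint` and the function then returns `EFI_SUCCESS`, so a failed delete of the key database is reported to the caller as success. On a key-removal path that lets a key the user asked to delete stay enrolled with no error shown. I would propagate the status, tolerating an already absent variable: `return (efi_status == EFI_NOT_FOUND) ? EFI_SUCCESS : efi_status;`. The debug line also prints an `EFI_STATUS` with `%llu`, where other hunks on this page use `%r`. The function starts above the hunk, so the callers' handling of the return value is not visible here.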
@@ -1305,9 +1305,9 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) err_strs[1] = L"Erase all keys in MokList!"; } console_alertbox(err_strs); - gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); + RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); efi_status = EFI_ACCESS_DENIED; goto error; } @@ -1327,9 +1327,9 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) err_strs[1] = L"Reset MokList!"; } console_alertbox(err_strs); - gRT->SetVariable(db_name, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); + RT->SetVariable(db_name, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); efi_status = EFI_ABORTED; goto error; } @@ -1541,19 +1541,19 @@ static EFI_STATUS mok_sb_prompt(void *MokSB, UINTN MokSBSize) } if (var->MokSBState == 0) { - efi_status = gRT->SetVariable(L"MokSBState", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, &sbval); + efi_status = RT->SetVariable(L"MokSBState", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 1, &sbval); if (EFI_ERROR(efi_status)) { console_notify(L"Failed to set Secure Boot state"); return efi_status; } } else { - efi_status = gRT->SetVariable(L"MokSBState", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - 0, NULL); + efi_status = RT->SetVariable(L"MokSBState", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); if (EFI_ERROR(efi_status)) { console_notify(L"Failed to delete Secure Boot state"); return efi_status; 
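Review bot: The `RT->SetVariable(db_name, ..., 0, NULL)` calls in `delete_keys` (hunks `@@ -1305,9 +1305,9 @@` and `@@ -1327,9 +1327,9 @@`) discard their return value, and so does the `MokPWStore` clear in `mok_pw_prompt` (hunk `@@ -1707,9 +1707,9 @@`). The alert box has already told the user the list is being erased or reset, and the password path jumps to `mokpw_done`, so a firmware refusal to delete the variable goes unnoticed. Checking the status and reporting it would make the failure visible, e.g. `if (EFI_ERROR(RT->SetVariable(db_name, &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL))) console_notify(L"Failed to erase key list");`. What follows the `error` and `mokpw_done` labels is outside these hunks.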
@@ -1656,19 +1656,19 @@ static EFI_STATUS mok_db_prompt(void *MokDB, UINTN MokDBSize) } if (var->MokDBState == 0) { - efi_status = gRT->SetVariable(L"MokDBState", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, &dbval); + efi_status = RT->SetVariable(L"MokDBState", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 1, &dbval); if (EFI_ERROR(efi_status)) { console_notify(L"Failed to set DB state"); return efi_status; } } else { - efi_status = gRT->SetVariable(L"MokDBState", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - 0, NULL); + efi_status = RT->SetVariable(L"MokDBState", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); if (EFI_ERROR(efi_status)) { console_notify(L"Failed to delete DB state"); return efi_status; @@ -1707,9 +1707,9 @@ static EFI_STATUS mok_pw_prompt(void *MokPW, UINTN MokPWSize) if (console_yes_no(clear_p) == 0) return EFI_ABORTED; - gRT->SetVariable(L"MokPWStore", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); + RT->SetVariable(L"MokPWStore", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); goto mokpw_done; } @@ -1729,10 +1729,10 @@ static EFI_STATUS mok_pw_prompt(void *MokPW, UINTN MokPWSize) if (console_yes_no(set_p) == 0) return EFI_ABORTED; - efi_status = gRT->SetVariable(L"MokPWStore", &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - MokPWSize, MokPW); + efi_status = RT->SetVariable(L"MokPWStore", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + MokPWSize, MokPW); if (EFI_ERROR(efi_status)) { console_notify(L"Failed to set MOK password"); return efi_status; 
@@ -1994,8 +1994,8 @@ static BOOLEAN verify_pw(BOOLEAN * protected) *protected = FALSE; - efi_status = gRT->GetVariable(L"MokPWStore", &SHIM_LOCK_GUID, &attributes, - &size, pwhash); + efi_status = RT->GetVariable(L"MokPWStore", &SHIM_LOCK_GUID, &attributes, + &size, pwhash); /* * If anything can attack the password it could just set it to a * known value, so there's no safety advantage in failing to validate @@ -2122,29 +2122,29 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, UINT32 MokXAuth = 0; UINT32 MokXDelAuth = 0; - efi_status = gRT->GetVariable(L"MokAuth", &SHIM_LOCK_GUID, - &attributes, &auth_size, auth); + efi_status = RT->GetVariable(L"MokAuth", &SHIM_LOCK_GUID, + &attributes, &auth_size, auth); if (!EFI_ERROR(efi_status) && (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) MokAuth = 1; - efi_status = gRT->GetVariable(L"MokDelAuth", &SHIM_LOCK_GUID, - &attributes, &auth_size, auth); + efi_status = RT->GetVariable(L"MokDelAuth", &SHIM_LOCK_GUID, + &attributes, &auth_size, auth); if (!EFI_ERROR(efi_status) && (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) MokDelAuth = 1; - efi_status = gRT->GetVariable(L"MokXAuth", &SHIM_LOCK_GUID, - &attributes, &auth_size, auth); + efi_status = RT->GetVariable(L"MokXAuth", &SHIM_LOCK_GUID, + &attributes, &auth_size, auth); if (!EFI_ERROR(efi_status) && (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) MokXAuth = 1; - efi_status = gRT->GetVariable(L"MokXDelAuth", &SHIM_LOCK_GUID, - &attributes, &auth_size, auth); + efi_status = RT->GetVariable(L"MokXDelAuth", &SHIM_LOCK_GUID, + &attributes, &auth_size, auth); if (!EFI_ERROR(efi_status) && (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) @@ -2496,7 +2496,7 @@ static EFI_STATUS setup_rand(void) UINT64 seed; BOOLEAN status; - efi_status = gRT->GetTime(&time, NULL); + efi_status = RT->GetTime(&time, NULL); if (EFI_ERROR(efi_status)) return efi_status; 
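Review bot: `auth_size` is passed by address to four consecutive `RT->GetVariable` calls in `enter_mok_menu` (hunk `@@ -2122,29 +2122,29 @@`) and is never reset between them. GetVariable writes the actual size back on success and the required size on `EFI_BUFFER_TOO_SMALL`, so each later call inherits a value that no longer describes `auth`. A smaller stale value makes a later, larger variable fail and leaves its flag at 0; a larger one tells firmware the buffer is bigger than it is. Resetting the size before every call avoids both, e.g. `auth_size = sizeof(auth);` if `auth` is an array (its declaration is above the hunk). The same in/out pattern appears in the `store_keys` and `delete_keys` hunks, where the initialisation is also not visible.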
diff --git a/fallback.c b/fallback.c index 302eeac1..ce907099 100644 --- a/fallback.c +++ b/fallback.c @@ -252,7 +252,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, first_new_option_size = StrLen(arguments) * sizeof (CHAR16); } - efi_status = gRT->SetVariable(varname, &GV_GUID, + efi_status = RT->SetVariable(varname, &GV_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -431,8 +431,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, while (1) { UINTN varname_size = buffer_size; - efi_status = gRT->GetNextVariableName(&varname_size, varname, - &vendor_guid); + efi_status = RT->GetNextVariableName(&varname_size, varname, + &vendor_guid); if (EFI_ERROR(efi_status)) { if (efi_status == EFI_BUFFER_TOO_SMALL) { VerbosePrint(L"Buffer too small for next variable name, re-allocating it to be %d bytes and retrying\n", @@ -464,8 +464,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, continue; UINTN candidate_size = max_candidate_size; - efi_status = gRT->GetVariable(varname, &GV_GUID, NULL, - &candidate_size, candidate); + efi_status = RT->GetVariable(varname, &GV_GUID, NULL, + &candidate_size, candidate); if (EFI_ERROR(efi_status)) continue; 
@@ -543,15 +543,15 @@ update_boot_order(void) for (j = 0 ; j < size / sizeof (CHAR16); j++) VerbosePrintUnprefixed(L"%04x ", newbootorder[j]); VerbosePrintUnprefixed(L"\n"); - efi_status = gRT->GetVariable(L"BootOrder", &GV_GUID, NULL, &len, NULL); + efi_status = RT->GetVariable(L"BootOrder", &GV_GUID, NULL, &len, NULL); if (efi_status == EFI_BUFFER_TOO_SMALL) LibDeleteVariable(L"BootOrder", &GV_GUID); - efi_status = gRT->SetVariable(L"BootOrder", &GV_GUID, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS, - size, newbootorder); + efi_status = RT->SetVariable(L"BootOrder", &GV_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + size, newbootorder); FreePool(newbootorder); return efi_status; } @@ -862,8 +862,8 @@ find_boot_options(EFI_HANDLE device) EFI_STATUS efi_status; EFI_FILE_IO_INTERFACE *fio = NULL; - efi_status = gBS->HandleProtocol(device, &FileSystemProtocol, - (void **) &fio); + efi_status = BS->HandleProtocol(device, &FileSystemProtocol, + (void **) &fio); if (EFI_ERROR(efi_status)) { console_print(L"Couldn't find file system: %r\n", efi_status); return efi_status; @@ -990,8 +990,8 @@ try_start_first_option(EFI_HANDLE parent_image_handle) return EFI_SUCCESS; } - efi_status = gBS->LoadImage(0, parent_image_handle, first_new_option, - NULL, 0, &image_handle); + efi_status = BS->LoadImage(0, parent_image_handle, first_new_option, + NULL, 0, &image_handle); if (EFI_ERROR(efi_status)) { CHAR16 *dps = DevicePathToStr(first_new_option); UINTN s = DevicePathSize(first_new_option); 
@@ -1011,14 +1011,14 @@ try_start_first_option(EFI_HANDLE parent_image_handle) } EFI_LOADED_IMAGE *image; - efi_status = gBS->HandleProtocol(image_handle, &LoadedImageProtocol, - (void *) &image); + efi_status = BS->HandleProtocol(image_handle, &LoadedImageProtocol, + (void *) &image); if (!EFI_ERROR(efi_status)) { image->LoadOptions = first_new_option_args; image->LoadOptionsSize = first_new_option_size; } - efi_status = gBS->StartImage(image_handle, NULL, NULL); + efi_status = BS->StartImage(image_handle, NULL, NULL); if (EFI_ERROR(efi_status)) { console_print(L"StartImage failed: %r\n", efi_status); msleep(500000000); @@ -1033,8 +1033,8 @@ get_fallback_no_reboot(void) UINT32 no_reboot; UINTN size = sizeof(UINT32); - efi_status = gRT->GetVariable(NO_REBOOT, &SHIM_LOCK_GUID, - NULL, &size, &no_reboot); + efi_status = RT->GetVariable(NO_REBOOT, &SHIM_LOCK_GUID, + NULL, &size, &no_reboot); if (!EFI_ERROR(efi_status)) { return no_reboot; } @@ -1047,11 +1047,11 @@ set_fallback_no_reboot(void) { EFI_STATUS efi_status; UINT32 no_reboot = 1; - efi_status = gRT->SetVariable(NO_REBOOT, &SHIM_LOCK_GUID, - EFI_VARIABLE_NON_VOLATILE - | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS, - sizeof(UINT32), &no_reboot); + efi_status = RT->SetVariable(NO_REBOOT, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + sizeof(UINT32), &no_reboot); return efi_status; } @@ -1129,8 +1129,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) */ debug_hook(); - efi_status = gBS->HandleProtocol(image, &LoadedImageProtocol, - (void *) &this_image); + efi_status = BS->HandleProtocol(image, &LoadedImageProtocol, + (void *) &this_image); if (EFI_ERROR(efi_status)) { console_print(L"Error: could not find loaded image: %r\n", efi_status); 
@@ -1191,7 +1191,7 @@ reset: msleep(fallback_verbose_wait); } - gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + RT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); return EFI_SUCCESS; } diff --git a/httpboot.c b/httpboot.c index 3340a7f9..dfa493bf 100644 --- a/httpboot.c +++ b/httpboot.c @@ -232,9 +232,9 @@ get_nic_handle (EFI_MAC_ADDRESS *mac) /* Get the list of handles that support the HTTP service binding protocol */ - efi_status = gBS->LocateHandleBuffer(ByProtocol, - &EFI_HTTP_BINDING_GUID, - NULL, &NoHandles, &buffer); + efi_status = BS->LocateHandleBuffer(ByProtocol, + &EFI_HTTP_BINDING_GUID, + NULL, &NoHandles, &buffer); if (EFI_ERROR(efi_status)) return NULL; @@ -306,8 +306,8 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) EFI_IPv6_ADDRESS gateway; EFI_STATUS efi_status; - efi_status = gBS->HandleProtocol(nic, &EFI_IP6_CONFIG_GUID, - (VOID **)&ip6cfg); + efi_status = BS->HandleProtocol(nic, &EFI_IP6_CONFIG_GUID, + (VOID **)&ip6cfg); if (EFI_ERROR(efi_status)) return efi_status; @@ -367,8 +367,8 @@ set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node) EFI_IPv4_ADDRESS gateway; EFI_STATUS efi_status; - efi_status = gBS->HandleProtocol(nic, &EFI_IP4_CONFIG2_GUID, - (VOID **)&ip4cfg2); + efi_status = BS->HandleProtocol(nic, &EFI_IP4_CONFIG2_GUID, + (VOID **)&ip4cfg2); if (EFI_ERROR(efi_status)) return efi_status; @@ -470,9 +470,9 @@ send_http_request (EFI_HTTP_PROTOCOL *http, CHAR8 *hostname, CHAR8 *uri) tx_token.Message = &tx_message; tx_token.Event = NULL; request_done = FALSE; - efi_status = gBS->CreateEvent(EVT_NOTIFY_SIGNAL, TPL_NOTIFY, - httpnotify, &request_done, - &tx_token.Event); + efi_status = BS->CreateEvent(EVT_NOTIFY_SIGNAL, TPL_NOTIFY, + httpnotify, &request_done, + &tx_token.Event); if (EFI_ERROR(efi_status)) { perror(L"Failed to Create Event for HTTP request: %r\n", efi_status); 
@@ -496,7 +496,7 @@ send_http_request (EFI_HTTP_PROTOCOL *http, CHAR8 *hostname, CHAR8 *uri) } error: - event_status = gBS->CloseEvent(tx_token.Event); + event_status = BS->CloseEvent(tx_token.Event); if (EFI_ERROR(event_status)) { perror(L"Failed to close Event for HTTP request: %r\n", event_status); @@ -534,9 +534,9 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size) rx_token.Message = &rx_message; rx_token.Event = NULL; response_done = FALSE; - efi_status = gBS->CreateEvent(EVT_NOTIFY_SIGNAL, TPL_NOTIFY, - httpnotify, &response_done, - &rx_token.Event); + efi_status = BS->CreateEvent(EVT_NOTIFY_SIGNAL, TPL_NOTIFY, + httpnotify, &response_done, + &rx_token.Event); if (EFI_ERROR(efi_status)) { perror(L"Failed to Create Event for HTTP response: %r\n", efi_status); @@ -632,7 +632,7 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size) } error: - event_status = gBS->CloseEvent(rx_token.Event); + event_status = BS->CloseEvent(rx_token.Event); if (EFI_ERROR(event_status)) { perror(L"Failed to close Event for HTTP response: %r\n", event_status); @@ -660,9 +660,9 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device, *buf_size = 0; /* Open HTTP Service Binding Protocol */ - efi_status = gBS->OpenProtocol(device, &EFI_HTTP_BINDING_GUID, - (VOID **) &service, image, NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL); + efi_status = BS->OpenProtocol(device, &EFI_HTTP_BINDING_GUID, + (VOID **) &service, image, NULL, + EFI_OPEN_PROTOCOL_GET_PROTOCOL); if (EFI_ERROR(efi_status)) return efi_status; @@ -676,8 +676,8 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device, } /* Get the http protocol */ - efi_status = gBS->HandleProtocol(http_handle, &EFI_HTTP_PROTOCOL_GUID, - (VOID **) &http); + efi_status = BS->HandleProtocol(http_handle, &EFI_HTTP_PROTOCOL_GUID, + (VOID **) &http); if (EFI_ERROR(efi_status)) { perror(L"Failed to get http\n"); goto error; diff --git a/lib/console.c b/lib/console.c index c310d213..5193b578 100644 
--- a/lib/console.c +++ b/lib/console.c @@ -35,7 +35,7 @@ console_get_keystroke(EFI_INPUT_KEY *key) EFI_STATUS efi_status; do { - gBS->WaitForEvent(1, &ci->WaitForKey, &EventIndex); + BS->WaitForEvent(1, &ci->WaitForKey, &EventIndex); efi_status = ci->ReadKeyStroke(ci, key); } while (efi_status == EFI_NOT_READY); @@ -495,7 +495,7 @@ console_mode_handle(VOID) UINTN rows = 0, columns = 0; EFI_STATUS efi_status = EFI_SUCCESS; - efi_status = gBS->LocateProtocol(&gop_guid, NULL, (void **)&gop); + efi_status = BS->LocateProtocol(&gop_guid, NULL, (void **)&gop); if (EFI_ERROR(efi_status)) { console_error(L"Locate graphic output protocol fail", efi_status); return; @@ -679,7 +679,7 @@ setup_verbosity(VOID) VOID msleep(unsigned long msecs) { - gBS->Stall(msecs); + BS->Stall(msecs); } /* This is used in various things to determine if we should print to the diff --git a/lib/execute.c b/lib/execute.c index 642f94a3..0eb872e4 100644 --- a/lib/execute.c +++ b/lib/execute.c @@ -63,8 +63,8 @@ execute(EFI_HANDLE image, CHAR16 *name) EFI_DEVICE_PATH *devpath; CHAR16 *PathName; - efi_status = gBS->HandleProtocol(image, &IMAGE_PROTOCOL, - (void **) &li); + efi_status = BS->HandleProtocol(image, &IMAGE_PROTOCOL, + (void **) &li); if (EFI_ERROR(efi_status)) return efi_status; @@ -72,12 +72,12 @@ execute(EFI_HANDLE image, CHAR16 *name) if (EFI_ERROR(efi_status)) return efi_status; - efi_status = gBS->LoadImage(FALSE, image, devpath, NULL, 0, &h); + efi_status = BS->LoadImage(FALSE, image, devpath, NULL, 0, &h); if (EFI_ERROR(efi_status)) goto out; - efi_status = gBS->StartImage(h, NULL, NULL); - gBS->UnloadImage(h); + efi_status = BS->StartImage(h, NULL, NULL); + BS->UnloadImage(h); out: FreePool(PathName); diff --git a/lib/security_policy.c b/lib/security_policy.c index 6c42cc14..0f2569b0 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c 
@@ -123,7 +123,7 @@ security_policy_authentication ( * EFI_SECURITY_VIOLATION */ fail_status = efi_status; - efi_status = gBS->LocateDevicePath(&SIMPLE_FS_PROTOCOL, &DevPath, &h); + efi_status = BS->LocateDevicePath(&SIMPLE_FS_PROTOCOL, &DevPath, &h); if (EFI_ERROR(efi_status)) goto out; diff --git a/lib/shell.c b/lib/shell.c index 146d9a21..8be4fe08 100644 --- a/lib/shell.c +++ b/lib/shell.c @@ -16,7 +16,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV) *argc = 0; - efi_status = gBS->HandleProtocol(image, &LoadedImageProtocol, + efi_status = BS->HandleProtocol(image, &LoadedImageProtocol, (VOID **) &info); if (EFI_ERROR(efi_status)) { console_print(L"Failed to get arguments\n"); diff --git a/lib/simple_file.c b/lib/simple_file.c index 5fd3e1a6..f22852d4 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -11,8 +11,8 @@ simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UIN EFI_FILE_IO_INTERFACE *drive; EFI_FILE *root; - efi_status = gBS->HandleProtocol(device, &EFI_SIMPLE_FILE_SYSTEM_GUID, - (void **)&drive); + efi_status = BS->HandleProtocol(device, &EFI_SIMPLE_FILE_SYSTEM_GUID, + (void **)&drive); if (EFI_ERROR(efi_status)) { console_print(L"Unable to find simple file protocol (%d)\n", efi_status); @@ -40,8 +40,8 @@ simple_file_open(EFI_HANDLE image, CHAR16 *name, EFI_FILE **file, UINT64 mode) EFI_DEVICE_PATH *loadpath = NULL; CHAR16 *PathName = NULL; - efi_status = gBS->HandleProtocol(image, &IMAGE_PROTOCOL, - (void **) &li); + efi_status = BS->HandleProtocol(image, &IMAGE_PROTOCOL, + (void **) &li); if (EFI_ERROR(efi_status)) return simple_file_open_by_handle(image, name, file, mode); 
@@ -176,9 +176,9 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) CHAR16 **entries; int val; - efi_status = gBS->LocateHandleBuffer(ByProtocol, - &EFI_SIMPLE_FILE_SYSTEM_GUID, - NULL, &count, &vol_handles); + efi_status = BS->LocateHandleBuffer(ByProtocol, + &EFI_SIMPLE_FILE_SYSTEM_GUID, + NULL, &count, &vol_handles); if (EFI_ERROR(efi_status)) return efi_status; if (!count || !vol_handles) @@ -196,9 +196,9 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) CHAR16 *name; EFI_FILE_IO_INTERFACE *drive; - efi_status = gBS->HandleProtocol(vol_handles[i], - &EFI_SIMPLE_FILE_SYSTEM_GUID, - (void **) &drive); + efi_status = BS->HandleProtocol(vol_handles[i], + &EFI_SIMPLE_FILE_SYSTEM_GUID, + (void **) &drive); if (EFI_ERROR(efi_status) || !drive) continue; diff --git a/mok.c b/mok.c index 84e51f3e..af1756c2 100644 --- a/mok.c +++ b/mok.c @@ -16,8 +16,8 @@ static BOOLEAN check_var(CHAR16 *varname) UINT32 MokVar; UINT32 attributes; - efi_status = gRT->GetVariable(varname, &SHIM_LOCK_GUID, &attributes, - &size, (void *)&MokVar); + efi_status = RT->GetVariable(varname, &SHIM_LOCK_GUID, &attributes, + &size, (void *)&MokVar); if (!EFI_ERROR(efi_status) || efi_status == EFI_BUFFER_TOO_SMALL) return TRUE; @@ -27,7 +27,7 @@ static BOOLEAN check_var(CHAR16 *varname) #define SetVariable(name, guid, attrs, varsz, var) \ ({ \ EFI_STATUS efi_status_; \ - efi_status_ = gRT->SetVariable(name, guid, attrs, varsz, var); \ + efi_status_ = RT->SetVariable(name, guid, attrs, varsz, var); \ dprint_(L"%a:%d:%a() SetVariable(\"%s\", ... varsz=0x%llx) = %r\n", \ __FILE__, __LINE__ - 5, __func__, name, varsz, \ efi_status_); \ 
@@ -273,16 +273,16 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp) uint64_t max_var_sz = 0; *max_var_szp = 0; - if (EFI_MAJOR_VERSION(gRT) < 2) { + if (EFI_MAJOR_VERSION(RT) < 2) { dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). Using 1024!\n", - EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT)); + EFI_MAJOR_VERSION(RT), EFI_MINOR_VERSION(RT)); max_var_sz = remaining_sz = max_storage_sz = 1024; efi_status = EFI_SUCCESS; } else { dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n", - gRT->QueryVariableInfo); - efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, - &remaining_sz, &max_var_sz); + RT->QueryVariableInfo); + efi_status = RT->QueryVariableInfo(attrs, &max_storage_sz, + &remaining_sz, &max_var_sz); if (EFI_ERROR(efi_status)) { perror(L"Could not get variable storage info: %r\n", efi_status); @@ -1016,10 +1016,9 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) config_sz += sizeof(config_template); npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT; config_table = NULL; - efi_status = gBS->AllocatePages(AllocateAnyPages, - EfiBootServicesData, - npages, - (EFI_PHYSICAL_ADDRESS *)&config_table); + efi_status = BS->AllocatePages( + AllocateAnyPages, EfiBootServicesData, npages, + (EFI_PHYSICAL_ADDRESS *)&config_table); if (EFI_ERROR(efi_status) || !config_table) { console_print(L"Allocating %lu pages for mok config table failed: %r\n", npages, efi_status); @@ -1050,8 +1049,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) ZeroMem(&config_template, sizeof(config_template)); CopyMem(p, &config_template, sizeof(config_template)); - efi_status = gBS->InstallConfigurationTable(&MOK_VARIABLE_STORE, - config_table); + efi_status = BS->InstallConfigurationTable(&MOK_VARIABLE_STORE, + config_table); if (EFI_ERROR(efi_status)) { console_print(L"Couldn't install MoK configuration table\n"); } diff --git a/netboot.c b/netboot.c index 3f5c5198..cf5882c1 100644 --- a/netboot.c +++ b/netboot.c 
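Review bot: `BS->AllocatePages` in `import_mok_state` (hunk `@@ -1016,10 +1016,9 @@`) receives `(EFI_PHYSICAL_ADDRESS *)&config_table`, and the cast hides a size mismatch if `config_table` is an ordinary pointer, which its `NULL` assignment suggests (the declaration is above the hunk). `EFI_PHYSICAL_ADDRESS` is 64 bits wide, so on a 32-bit build firmware would store eight bytes into a four-byte object and overwrite whatever sits next to it. A local of the right type removes the cast: `EFI_PHYSICAL_ADDRESS addr = 0;`, pass `&addr`, then `config_table = (void *)(UINTN)addr;` after the error check.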
@@ -36,8 +36,8 @@ BOOLEAN findNetboot(EFI_HANDLE device) { EFI_STATUS efi_status; - efi_status = gBS->HandleProtocol(device, &PxeBaseCodeProtocol, - (VOID **) &pxe); + efi_status = BS->HandleProtocol(device, &PxeBaseCodeProtocol, + (VOID **) &pxe); if (EFI_ERROR(efi_status)) { pxe = NULL; return FALSE; diff --git a/pe.c b/pe.c index 13bc3975..5db45086 100644 --- a/pe.c +++ b/pe.c @@ -949,8 +949,8 @@ handle_image (void *data, unsigned int datasize, PAGE_SIZE); *alloc_pages = alloc_size / PAGE_SIZE; - efi_status = gBS->AllocatePages(AllocateAnyPages, EfiLoaderCode, - *alloc_pages, alloc_address); + efi_status = BS->AllocatePages(AllocateAnyPages, EfiLoaderCode, + *alloc_pages, alloc_address); if (EFI_ERROR(efi_status)) { perror(L"Failed to allocate image buffer\n"); return EFI_OUT_OF_RESOURCES; @@ -963,7 +963,7 @@ handle_image (void *data, unsigned int datasize, *entry_point = ImageAddress(buffer, context.ImageSize, context.EntryPoint); if (!*entry_point) { perror(L"Entry point is invalid\n"); - gBS->FreePages(*alloc_address, *alloc_pages); + BS->FreePages(*alloc_address, *alloc_pages); return EFI_UNSUPPORTED; } @@ -1004,7 +1004,7 @@ handle_image (void *data, unsigned int datasize, if (end < base) { perror(L"Section %d has negative size\n", i); - gBS->FreePages(*alloc_address, *alloc_pages); + BS->FreePages(*alloc_address, *alloc_pages); return EFI_UNSUPPORTED; } diff --git a/replacements.c b/replacements.c index daa2e0f4..bf781a8b 100644 --- a/replacements.c +++ b/replacements.c @@ -50,7 +50,7 @@ unhook_system_services(void) #if !defined(DISABLE_EBS_PROTECTION) systab->BootServices->ExitBootServices = system_exit_boot_services; #endif /* !defined(DISABLE_EBS_PROTECTION) */ - gBS = systab->BootServices; + BS = systab->BootServices; } static EFI_STATUS EFIAPI 
@@ -61,8 +61,8 @@ load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle, EFI_STATUS efi_status; unhook_system_services(); - efi_status = gBS->LoadImage(BootPolicy, ParentImageHandle, DevicePath, - SourceBuffer, SourceSize, ImageHandle); + efi_status = BS->LoadImage(BootPolicy, ParentImageHandle, DevicePath, + SourceBuffer, SourceSize, ImageHandle); hook_system_services(systab); if (EFI_ERROR(efi_status)) last_loaded_image = NULL; @@ -81,7 +81,7 @@ replacement_start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 * loader_is_participating = 1; uninstall_shim_protocols(); } - efi_status = gBS->StartImage(image_handle, exit_data_size, exit_data); + efi_status = BS->StartImage(image_handle, exit_data_size, exit_data); if (EFI_ERROR(efi_status)) { if (image_handle == last_loaded_image) { EFI_STATUS efi_status2 = install_shim_protocols(); @@ -91,9 +91,9 @@ replacement_start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 * efi_status2); console_print(L"shim cannot continue, sorry.\n"); msleep(5000000); - gRT->ResetSystem(EfiResetShutdown, - EFI_SECURITY_VIOLATION, - 0, NULL); + RT->ResetSystem(EfiResetShutdown, + EFI_SECURITY_VIOLATION, + 0, NULL); } } hook_system_services(systab); @@ -110,7 +110,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key) verification_method == VERIFIED_BY_HASH) { unhook_system_services(); EFI_STATUS efi_status; - efi_status = gBS->ExitBootServices(image_key, map_key); + efi_status = BS->ExitBootServices(image_key, map_key); if (EFI_ERROR(efi_status)) hook_system_services(systab); return efi_status; 
@@ -119,7 +119,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key) console_print(L"Bootloader has not verified loaded image.\n"); console_print(L"System is compromised. halting.\n"); msleep(5000000); - gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL); + RT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL); return EFI_SECURITY_VIOLATION; } #endif /* !defined(DISABLE_EBS_PROTECTION) */ @@ -134,8 +134,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, restore_loaded_image(); - efi_status = gBS->Exit(ImageHandle, ExitStatus, - ExitDataSize, ExitData); + efi_status = BS->Exit(ImageHandle, ExitStatus, + ExitDataSize, ExitData); if (EFI_ERROR(efi_status)) { EFI_STATUS efi_status2 = shim_init(); @@ -144,8 +144,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, efi_status2); console_print(L"shim cannot continue, sorry.\n"); msleep(5000000); - gRT->ResetSystem(EfiResetShutdown, - EFI_SECURITY_VIOLATION, 0, NULL); + RT->ResetSystem(EfiResetShutdown, + EFI_SECURITY_VIOLATION, 0, NULL); } } return efi_status; @@ -155,7 +155,7 @@ void hook_system_services(EFI_SYSTEM_TABLE *local_systab) { systab = local_systab; - gBS = systab->BootServices; + BS = systab->BootServices; /* We need to hook various calls to make this work... */ @@ -186,14 +186,14 @@ void unhook_exit(void) { systab->BootServices->Exit = system_exit; - gBS = systab->BootServices; + BS = systab->BootServices; } void hook_exit(EFI_SYSTEM_TABLE *local_systab) { systab = local_systab; - gBS = local_systab->BootServices; + BS = local_systab->BootServices; /* we need to hook Exit() so that we can allow users to quit the * bootloader and still e.g. start a new one or run an internal diff --git a/shim.c b/shim.c index 1e774f71..19b78b1b 100644 --- a/shim.c +++ b/shim.c 
@@ -721,8 +721,8 @@ should_use_fallback(EFI_HANDLE image_handle) EFI_STATUS efi_status; int ret = 0; - efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, - (void **)&li); + efi_status = BS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, + (void **)&li); if (EFI_ERROR(efi_status)) { perror(L"Could not get image for boot" EFI_ARCH L".efi: %r\n", efi_status); @@ -746,8 +746,8 @@ should_use_fallback(EFI_HANDLE image_handle) if (pathlen < 5 || StrCaseCmp(bootpath + pathlen - 4, L".EFI")) goto error; - efi_status = gBS->HandleProtocol(li->DeviceHandle, &FileSystemProtocol, - (void **) &fio); + efi_status = BS->HandleProtocol(li->DeviceHandle, &FileSystemProtocol, + (void **) &fio); if (EFI_ERROR(efi_status)) { perror(L"Could not get fio for li->DeviceHandle: %r\n", efi_status); @@ -803,8 +803,8 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, /* * Open the device */ - efi_status = gBS->HandleProtocol(device, &EFI_SIMPLE_FILE_SYSTEM_GUID, - (void **) &drive); + efi_status = BS->HandleProtocol(device, &EFI_SIMPLE_FILE_SYSTEM_GUID, + (void **) &drive); if (EFI_ERROR(efi_status)) { perror(L"Failed to find fs: %r\n", efi_status); goto error; @@ -1004,8 +1004,8 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) * We need to refer to the loaded image protocol on the running * binary in order to find our path */ - efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, - (void **)&shim_li); + efi_status = BS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, + (void **)&shim_li); if (EFI_ERROR(efi_status)) { perror(L"Unable to init protocol\n"); return efi_status; 
@@ -1156,8 +1156,8 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) load_options = NULL; load_options_size = 0; - efi_status = gBS->HandleProtocol(image_handle, &LoadedImageProtocol, - (void **) &li); + efi_status = BS->HandleProtocol(image_handle, &LoadedImageProtocol, + (void **) &li); if (EFI_ERROR(efi_status)) { perror (L"Failed to get load options: %r\n", efi_status); return efi_status; @@ -1245,10 +1245,10 @@ install_shim_protocols(void) /* * Install the protocol */ - efi_status = gBS->InstallProtocolInterface(&shim_lock_handle, - &SHIM_LOCK_GUID, - EFI_NATIVE_INTERFACE, - &shim_lock_interface); + efi_status = BS->InstallProtocolInterface(&shim_lock_handle, + &SHIM_LOCK_GUID, + EFI_NATIVE_INTERFACE, + &shim_lock_interface); if (EFI_ERROR(efi_status)) { console_error(L"Could not install security protocol", efi_status); @@ -1274,8 +1274,8 @@ uninstall_shim_protocols(void) /* * If we're back here then clean everything up before exiting */ - gBS->UninstallProtocolInterface(shim_lock_handle, &SHIM_LOCK_GUID, - &shim_lock_interface); + BS->UninstallProtocolInterface(shim_lock_handle, &SHIM_LOCK_GUID, + &shim_lock_interface); if (!secure_mode()) return; @@ -1429,7 +1429,7 @@ devel_egress(devel_egress_action action UNUSED) console_print(L"\ndoing %a\n", action); if (action == COLD_RESET) - gRT->ResetSystem(EfiResetCold, EFI_SECURITY_VIOLATION, 0, NULL); + RT->ResetSystem(EfiResetCold, EFI_SECURITY_VIOLATION, 0, NULL); #endif } @@ -1556,8 +1556,8 @@ die: devel_egress(COLD_RESET); #else msleep(5000000); - gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, - 0, NULL); + RT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, + 0, NULL); #endif } -- cgit v1.2.3 From 35ca373d20fbeeb80aff2202077d614bc89575c0 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Thu, 16 Sep 2021 16:46:55 -0400 Subject: console: add a clear_screen() primitive Several places in e.g. MokManager and our console library use ST->ConOut->ClearScreen directly, without checking for the existence of a console output device. This patch adds function to our console library to do that correctly, instead of using the bug-prone ad hoc implementation everywhere. Signed-off-by: Peter Jones --- MokManager.c | 10 +++++----- include/console.h | 3 +++ lib/console.c | 13 ++++++++++++- 3 files changed, 20 insertions(+), 6 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index 4b6ee146..08b15d6d 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1005,7 +1005,7 @@ static EFI_STATUS mok_reset_prompt(BOOLEAN MokX) EFI_STATUS efi_status; CHAR16 *prompt[] = { NULL, NULL }; - ST->ConOut->ClearScreen(ST->ConOut); + clear_screen(); if (MokX) prompt[0] = L"Erase all stored keys in MokListX?"; @@ -1468,7 +1468,7 @@ static EFI_STATUS mok_sb_prompt(void *MokSB, UINTN MokSBSize) return EFI_INVALID_PARAMETER; } - ST->ConOut->ClearScreen(ST->ConOut); + clear_screen(); message[0] = L"Change Secure Boot state"; message[1] = NULL; @@ -1583,7 +1583,7 @@ static EFI_STATUS mok_db_prompt(void *MokDB, UINTN MokDBSize) return EFI_INVALID_PARAMETER; } - ST->ConOut->ClearScreen(ST->ConOut); + clear_screen(); message[0] = L"Change DB state"; message[1] = NULL; @@ -1691,7 +1691,7 @@ static EFI_STATUS mok_pw_prompt(void *MokPW, UINTN MokPWSize) return EFI_INVALID_PARAMETER; } - ST->ConOut->ClearScreen(ST->ConOut); + clear_screen(); SetMem(hash, PASSWORD_CRYPT_SIZE, 0); @@ -2008,7 +2008,7 @@ static BOOLEAN verify_pw(BOOLEAN * protected) if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) return TRUE; - ST->ConOut->ClearScreen(ST->ConOut); + clear_screen(); /* Draw the background */ console_save_and_set_mode(&SavedMode); diff --git a/include/console.h b/include/console.h index c832b20e..0c4a5137 100644 --- a/include/console.h 
+++ b/include/console.h @@ -50,6 +50,9 @@ void console_reset(void); void console_mode_handle(void); +void +clear_screen(void); + #define NOSEL 0x7fffffff typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; diff --git a/lib/console.c b/lib/console.c index 6b1e4c2f..7be5d543 100644 --- a/lib/console.c +++ b/lib/console.c @@ -580,7 +580,7 @@ console_mode_handle(VOID) efi_status = co->SetMode(co, mode_set); } - co->ClearScreen(co); + clear_screen(); if (EFI_ERROR(efi_status)) { console_error(L"Console set mode fail", efi_status); @@ -683,6 +683,17 @@ console_reset(void) co->ClearScreen(co); } +void +clear_screen(void) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + + if (!co) + return; + + co->ClearScreen(co); +} + VOID setup_verbosity(VOID) { -- cgit v1.2.3 From 4e513405b4f1641710115780d19dcec130c5208f Mon Sep 17 00:00:00 2001 From: Eric Snowberg Date: Tue, 5 Oct 2021 12:06:05 -0400 Subject: Introduce a new MOK variable called MokListTrustedRT Introduce a new MOK variable called MokListTrustedRT. It allows an end-user to decide if they want to trust MOKList keys within the soon to be booted Linux kernel. This variable does not change any functionality within shim itself. When Linux boots, if MokListTrustedRT is set and EFI_VARIABLE_NON_VOLATILE is not set, keys in MokListRT are loaded into the .machine keyring instead of the .platform keyring. Signed-off-by: Eric Snowberg --- MokManager.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- MokVars.txt | 6 +++ globals.c | 1 + mok.c | 17 +++++- shim.h | 1 + 5 files changed, 187 insertions(+), 5 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index 08b15d6d..c195cadc 100644 --- a/MokManager.c +++ b/MokManager.c 
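Review bot: console_reset(), visible as context directly above the new clear_screen() in lib/console.c, still ends with a direct `co->ClearScreen(co);` call, the ad hoc pattern the commit message says it is replacing. Its body starts outside the hunk, so whether `co` is checked earlier cannot be confirmed from here; switching that line to `clear_screen();` would make the NULL handling uniform either way. The new prototype in include/console.h would also benefit from a one-line contract, for example `/* Clear the text console; does nothing when ST->ConOut is NULL. */`.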
@@ -40,6 +40,12 @@ typedef struct { CHAR16 Password[SB_PASSWORD_LEN]; } __attribute__ ((packed)) MokDBvar; +typedef struct { + UINT32 MokTMLState; + UINT32 PWLen; + CHAR16 Password[SB_PASSWORD_LEN]; +} __attribute__ ((packed)) MokTMLvar; + typedef struct { INT32 Timeout; } __attribute__ ((packed)) MokTimeoutvar; 
@@ -1678,6 +1684,121 @@ static EFI_STATUS mok_db_prompt(void *MokDB, UINTN MokDBSize) return EFI_SUCCESS; } +static EFI_STATUS mok_tml_prompt(void *MokTML, UINTN MokTMLSize) +{ + EFI_STATUS efi_status; + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + MokTMLvar *var = MokTML; + CHAR16 *message[4]; + CHAR16 pass1, pass2, pass3; + CHAR16 *str; + UINT8 fail_count = 0; + UINT8 dbval = 1; + UINT8 pos1, pos2, pos3; + int ret; + CHAR16 *untrust_tml[] = { L"Do not trust the MOK list", NULL }; + CHAR16 *trust_tml[] = { L"Trust the MOK list", NULL }; + + if (MokTMLSize != sizeof(MokTMLvar)) { + console_notify(L"Invalid MokTML variable contents"); + return EFI_INVALID_PARAMETER; + } + + clear_screen(); + + message[0] = L"Change Trusted MOK List Keyring state"; + message[1] = NULL; + + console_save_and_set_mode(&SavedMode); + console_print_box_at(message, -1, 0, 0, -1, -1, 1, 1); + console_restore_mode(&SavedMode); + + while (fail_count < 3) { + RandomBytes(&pos1, sizeof(pos1)); + pos1 = (pos1 % var->PWLen); + + do { + RandomBytes(&pos2, sizeof(pos2)); + pos2 = (pos2 % var->PWLen); + } while (pos2 == pos1); + + do { + RandomBytes(&pos3, sizeof(pos3)); + pos3 = (pos3 % var->PWLen); + } while (pos3 == pos2 || pos3 == pos1); + + str = PoolPrint(L"Enter password character %d: ", pos1 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return EFI_OUT_OF_RESOURCES; + } + pass1 = get_password_charater(str); + FreePool(str); + + str = PoolPrint(L"Enter password character %d: ", pos2 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return EFI_OUT_OF_RESOURCES; + } + pass2 = get_password_charater(str); + FreePool(str); + + str = PoolPrint(L"Enter password character %d: ", pos3 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return EFI_OUT_OF_RESOURCES; + } + pass3 = get_password_charater(str); + FreePool(str); + + if (pass1 != var->Password[pos1] || + pass2 != var->Password[pos2] || + pass3 != var->Password[pos3]) { + 
console_print(L"Invalid character\n"); + fail_count++; + } else { + break; + } + } + + if (fail_count >= 3) { + console_notify(L"Password limit reached"); + return EFI_ACCESS_DENIED; + } + + if (var->MokTMLState == 0) + ret = console_yes_no(trust_tml); + else + ret = console_yes_no(untrust_tml); + + if (ret == 0) { + LibDeleteVariable(L"MokListTrustedNew", &SHIM_LOCK_GUID); + return EFI_ABORTED; + } + + if (var->MokTMLState == 0) { + efi_status = RT->SetVariable(L"MokListTrusted", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 1, &dbval); + if (EFI_ERROR(efi_status)) { + console_notify(L"Failed to set MokListTrusted state"); + return efi_status; + } + } else { + efi_status = RT->SetVariable(L"MokListTrusted", &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + if (EFI_ERROR(efi_status)) { + console_notify(L"Failed to delete MokListTrusted state"); + return efi_status; + } + } + + return EFI_SUCCESS; +} + static EFI_STATUS mok_pw_prompt(void *MokPW, UINTN MokPWSize) { EFI_STATUS efi_status; @@ -2076,7 +2197,8 @@ typedef enum { MOK_SET_PW, MOK_CHANGE_DB, MOK_KEY_ENROLL, - MOK_HASH_ENROLL + MOK_HASH_ENROLL, + MOK_CHANGE_TML } mok_menu_item; static void free_menu(mok_menu_item * menu_item, CHAR16 ** menu_strings) @@ -2095,7 +2217,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, - void *MokXDel, UINTN MokXDelSize) + void *MokXDel, UINTN MokXDelSize, + void *MokTML, UINTN MokTMLSize) { CHAR16 **menu_strings = NULL; mok_menu_item *menu_item = NULL; @@ -2171,6 +2294,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, if (MokDB) menucount++; + if (MokTML) + menucount++; + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) 
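Review bot: `var->PWLen` is taken from the MokListTrustedNew payload and used in mok_tml_prompt both as the modulus for `pos1`/`pos2`/`pos3` and as the effective bound for indexing `var->Password[]`, yet the only validation is the `MokTMLSize != sizeof(MokTMLvar)` size check. A value of 0 divides by zero, a value of 1 or 2 leaves the two `do … while` loops unable to find distinct positions so they never exit, and a value above `SB_PASSWORD_LEN` reads past the end of the array. Directly after the size check, add `if (var->PWLen < 3 || var->PWLen > SB_PASSWORD_LEN) return EFI_INVALID_PARAMETER;`, preceded by the same `console_notify(L"Invalid MokTML variable contents");` used for the size mismatch. If mok_sb_prompt and mok_db_prompt use the same sampling scheme (their bodies are outside this hunk), they would need the same guard.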
@@ -2242,6 +2368,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, i++; } + if (MokTML) { + menu_strings[i] = L"Change MOK List Trusted State"; + menu_item[i] = MOK_CHANGE_TML; + i++; + } + menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; @@ -2352,6 +2484,17 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle UNUSED, case MOK_HASH_ENROLL: efi_status = mok_hash_enroll(); break; + case MOK_CHANGE_TML: + if (!MokTML) { + console_print(L"MokManager: internal error: %s", + L"MokListTrusted was ! NULL bs is now NULL\n"); + ret = EFI_ABORTED; + goto out; + } + efi_status = mok_tml_prompt(MokTML, MokTMLSize); + if (!EFI_ERROR(efi_status)) + MokTML = NULL; + break; } if (!EFI_ERROR(efi_status)) @@ -2376,7 +2519,7 @@ out: static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) { UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; - UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; + UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0; void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; @@ -2384,6 +2527,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; + void *MokTML = NULL; EFI_STATUS efi_status; efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize, 
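Review bot: The internal-error string in the new `MOK_CHANGE_TML` case reads `MokListTrusted was ! NULL bs is now NULL`, where `bs` looks like a typo for `but`, and it names `MokListTrusted` although the pointer being tested holds the `MokListTrustedNew` request fetched in check_mok_request. Suggested wording: `L"MokListTrustedNew was ! NULL but is now NULL\n"`. The enclosing switch in enter_mok_menu begins outside the hunk.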
@@ -2436,6 +2580,18 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) console_error(L"Could not retrieve MokDB", efi_status); } + efi_status = get_variable(L"MokListTrustedNew", (UINT8 **) & MokTML, + &MokTMLSize, SHIM_LOCK_GUID); + if (!EFI_ERROR(efi_status)) { + efi_status = LibDeleteVariable(L"MokListTrustedNew", + &SHIM_LOCK_GUID); + if (EFI_ERROR(efi_status)) + console_notify(L"Failed to delete MokListTrustedNew"); + } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokListTrustedNew", + efi_status); + } + efi_status = get_variable(L"MokXNew", (UINT8 **) & MokXNew, &MokXNewSize, SHIM_LOCK_GUID); if (!EFI_ERROR(efi_status)) { @@ -2458,7 +2614,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize, - MokXNew, MokXNewSize, MokXDel, MokXDelSize); + MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize); if (MokNew) FreePool(MokNew); @@ -2481,6 +2637,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) FreePool(MokXDel); + if (MokTML) + FreePool(MokTML); + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); diff --git a/MokVars.txt b/MokVars.txt index 4b80a413..cdfec2c8 100644 --- a/MokVars.txt +++ b/MokVars.txt @@ -77,3 +77,9 @@ or not to import DB certs for its own verification purposes. MokPWStore: A SHA-256 representation of the password set by the user via MokPW. The user will be prompted to enter this password in order to interact with MokManager. + +MokListTrusted: An 8-bit unsigned integer. If 1, it signifies to Linux +to trust CA keys in the MokList. BS,NV + +MokListTrustedRT: A copy of MokListTrusted made available to the kernel +at runtime. RT diff --git a/globals.c b/globals.c index 476e2e9c..4a1f432f 100644 --- a/globals.c 
+++ b/globals.c @@ -25,6 +25,7 @@ int loader_is_participating; UINT8 user_insecure_mode; UINT8 ignore_db; +UINT8 trust_mok_list; UINT32 verbose = 0; diff --git a/mok.c b/mok.c index 7755eea9..52dffc3e 100644 --- a/mok.c +++ b/mok.c @@ -46,7 +46,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || - check_var(L"MokXAuth")) { + check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) { efi_status = start_image(image_handle, MOK_MANAGER); if (EFI_ERROR(efi_status)) { @@ -166,6 +166,20 @@ struct mok_state_variable mok_state_variable_data[] = { MOK_VARIABLE_MEASURE, .pcr = 7, }, + {.name = L"MokListTrusted", + .name8 = "MokListTrusted", + .rtname = L"MokListTrustedRT", + .rtname8 = "MokListTrustedRT", + .guid = &SHIM_LOCK_GUID, + .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_NON_VOLATILE, + .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, + .flags = MOK_MIRROR_DELETE_FIRST | + MOK_VARIABLE_MEASURE | + MOK_VARIABLE_LOG, + .pcr = 14, + .state = &trust_mok_list, + }, { NULL, } }; size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]); @@ -897,6 +911,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) user_insecure_mode = 0; ignore_db = 0; + trust_mok_list = 0; UINT64 config_sz = 0; UINT8 *config_table = NULL; diff --git a/shim.h b/shim.h index 5e1ab36b..69442da3 100644 --- a/shim.h +++ b/shim.h @@ -255,6 +255,7 @@ extern UINT8 *build_cert; extern UINT8 user_insecure_mode; extern UINT8 ignore_db; +extern UINT8 trust_mok_list; extern UINT8 in_protocol; extern void *load_options; extern UINT32 load_options_size; -- cgit v1.2.3 From d0df9304c7a777557e1925dc9f75406ec00e6179 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Thu, 9 Dec 2021 17:21:45 -0500 Subject: Minor coverity fixes - one missing free - one minor deadcode issue - two unchecked allocations - one debug hexdump of a variable we just freed Signed-off-by: Peter Jones --- MokManager.c | 1 + fallback.c | 7 +++++-- include/hexdump.h | 7 ++++++- lib/variables.c | 2 ++ mok.c | 4 +++- 5 files changed, 17 insertions(+), 4 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index c195cadc..1359af83 100644 --- a/MokManager.c +++ b/MokManager.c @@ -339,6 +339,7 @@ static void show_x509_info(X509 * X509Cert, UINT8 * hash) for (i = 0; i < n; i++) { CatPrint(&serial_string, L"%02x:", hexbuf[i]); } + BN_free(bnser); } if (serial_string.str) diff --git a/fallback.c b/fallback.c index 5da867dd..8e6327be 100644 --- a/fallback.c +++ b/fallback.c @@ -230,8 +230,11 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, StrLen(label)*2 + 2 + DevicePathSize(hddp) + StrLen(arguments) * 2; - CHAR8 *data = AllocateZeroPool(size + 2); - CHAR8 *cursor = data; + CHAR8 *data, *cursor; + cursor = data = AllocateZeroPool(size + 2); + if (!data) + return EFI_OUT_OF_RESOURCES; + *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; cursor += sizeof (UINT32); *(UINT16 *)cursor = DevicePathSize(hddp); diff --git a/include/hexdump.h b/include/hexdump.h index 1a20339b..e8f4fe1a 100644 --- a/include/hexdump.h +++ b/include/hexdump.h @@ -71,7 +71,7 @@ prepare_text(const void *data, size_t size, char *buf, unsigned int position) else buf[offset++] = '.'; } - buf[offset++] = size > 0 ? '|' : 'X'; + buf[offset++] = '|'; buf[offset] = '\0'; } @@ -89,6 +89,11 @@ vhexdumpf(const char *file, int line, const char *func, const CHAR16 *const fmt, if (verbose == 0) return; + if (!data || !size) { + dprint(L"hexdump of a NULL pointer!\n"); + return; + } + while (offset < size) { char hexbuf[49]; char txtbuf[19]; diff --git a/lib/variables.c b/lib/variables.c index 3ec05478..8e63aa8f 100644 --- a/lib/variables.c 
+++ b/lib/variables.c @@ -68,6 +68,8 @@ fill_esl_with_one_signature(const uint8_t *data, const uint32_t data_len, if (out) { sd = AllocateZeroPool(sig_size); + if (!sd) + return EFI_OUT_OF_RESOURCES; if (owner) CopyMem(sd, (void *)owner, sizeof(EFI_GUID)); CopyMem(sd->SignatureData, (void *)data, data_len); diff --git a/mok.c b/mok.c index 52dffc3e..930e52a2 100644 --- a/mok.c +++ b/mok.c @@ -883,7 +883,9 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, } dprint(L"maybe mirroring \"%s\". original data:\n", v->name); - dhexdumpat(v->data, v->data_size, 0); + if (v->data && v->data_size) { + dhexdumpat(v->data, v->data_size, 0); + } ret = maybe_mirror_one_mok_variable(v, ret, only_first); dprint(L"returning %r\n", ret); -- cgit v1.2.3 From 2670c6a17edb239949152c471445fc533d8525aa Mon Sep 17 00:00:00 2001 From: Eric Snowberg Date: Thu, 17 Feb 2022 18:29:58 -0500 Subject: Allow MokListTrusted to be enabled by default Within previous versions of shim the MokListTrusted var did not exist. The user had to opt in to using the feature. Change the default behavior to an opt out model. Since old shims will not have the BS MokListTrusted set, use inverse logic that sets the MokListTrustedRT to 1 when the boot service variable is missing. Many Linux distros carry out of tree patches to trust the mok keys by default. These out of tree patches can be dropped when using a Linux kernel that supports MokListTrustedRT. Signed-off-by: Eric Snowberg --- MokManager.c | 10 ++++------ include/test-data-efivars-1.h | 4 ++++ mok.c | 15 ++++++++++++++- test-mok-mirror.c | 4 ++++ 4 files changed, 26 insertions(+), 7 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index 1359af83..ffcd6a6e 100644 --- a/MokManager.c +++ b/MokManager.c 
@@ -1776,27 +1776,25 @@ static EFI_STATUS mok_tml_prompt(void *MokTML, UINTN MokTMLSize) LibDeleteVariable(L"MokListTrustedNew", &SHIM_LOCK_GUID); return EFI_ABORTED; } - if (var->MokTMLState == 0) { efi_status = RT->SetVariable(L"MokListTrusted", &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, &dbval); + 0, NULL); if (EFI_ERROR(efi_status)) { - console_notify(L"Failed to set MokListTrusted state"); + console_notify(L"Failed to delete MokListTrusted state"); return efi_status; } } else { efi_status = RT->SetVariable(L"MokListTrusted", &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - 0, NULL); + 1, &dbval); if (EFI_ERROR(efi_status)) { - console_notify(L"Failed to delete MokListTrusted state"); + console_notify(L"Failed to set MokListTrusted state"); return efi_status; } } - return EFI_SUCCESS; } diff --git a/include/test-data-efivars-1.h b/include/test-data-efivars-1.h index 55090ede..2831bd23 100644 --- a/include/test-data-efivars-1.h +++ b/include/test-data-efivars-1.h @@ -102,5 +102,9 @@ static const unsigned char test_data_efivars_1_SbatLevelRT[] = { 0x32, 0x31, 0x30, 0x33, 0x30, 0x32, 0x31, 0x38, 0x0a }; +static const unsigned char test_data_efivars_1_MokListTrustedRT[] ={ + 0x01 +}; + #endif /* !TEST_DATA_EFIVARS_1_H_ */ // vim:fenc=utf-8:tw=75:noet diff --git a/mok.c b/mok.c index 28962853..f4de8081 100644 --- a/mok.c +++ b/mok.c @@ -84,6 +84,7 @@ categorize_deauthorized(struct mok_state_variable *v) #define MOK_MIRROR_DELETE_FIRST 0x02 #define MOK_VARIABLE_MEASURE 0x04 #define MOK_VARIABLE_LOG 0x08 +#define MOK_VARIABLE_INVERSE 0x10 struct mok_state_variable mok_state_variable_data[] = { {.name = L"MokList", @@ -176,6 +177,7 @@ struct mok_state_variable mok_state_variable_data[] = { .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, .flags = MOK_MIRROR_DELETE_FIRST | MOK_VARIABLE_MEASURE | + MOK_VARIABLE_INVERSE | MOK_VARIABLE_LOG, .pcr = 14, .state = &trust_mok_list, 
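Review bot: After the swap in mok_tml_prompt, the boot-services variable `MokListTrusted` is deleted when the user confirms "Trust the MOK list" and written with the value 1 when the user confirms "Do not trust the MOK list", which contradicts the MokVars.txt entry added earlier in this series ("If 1, it signifies to Linux to trust CA keys in the MokList"); MokVars.txt is not in this commit's diffstat. As far as the mok.c hunks of this commit show, a present variable now suppresses MokListTrustedRT and an absent one yields MokListTrustedRT = 1, so the entry should say something like `MokListTrusted: if present, MokListTrustedRT is not created and Linux does not trust MokList CA keys; if absent, MokListTrustedRT is set to 1. BS,NV`. A short comment above the `if (var->MokTMLState == 0)` branch stating that deletion means "trusted" would keep the next reader from reverting the inversion, and `dbval` could be renamed now that it encodes the opt-out marker rather than a DB state.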
@@ -846,7 +848,13 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, efi_status = get_variable_attr(v->name, &v->data, &v->data_size, *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) { + if (efi_status == EFI_NOT_FOUND && + v->flags & MOK_VARIABLE_INVERSE) { + v->data = AllocateZeroPool(4); + v->data[0] = 0x01; + v->data_size = 1; + efi_status = EFI_SUCCESS; + } else if (efi_status == EFI_NOT_FOUND) { v->data = NULL; v->data_size = 0; } else if (EFI_ERROR(efi_status)) { @@ -868,6 +876,11 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, attrs, v->no_attr); delete = TRUE; } + if (v->flags & MOK_VARIABLE_INVERSE) { + FreePool(v->data); + v->data = NULL; + v->data_size = 0; + } } } if (delete == TRUE) { diff --git a/test-mok-mirror.c b/test-mok-mirror.c index 3479ddf8..f34f62a9 100644 --- a/test-mok-mirror.c +++ b/test-mok-mirror.c @@ -184,6 +184,10 @@ test_mok_mirror_0(void) .data_size = sizeof(test_data_efivars_1_SbatLevelRT), .data = test_data_efivars_1_SbatLevelRT }, + {.name = "MokListTrustedRT", + .data_size = sizeof(test_data_efivars_1_MokListTrustedRT), + .data = test_data_efivars_1_MokListTrustedRT + }, {.name = { 0, }, .data_size = 0, .data = NULL, -- cgit v1.2.3 From b560c523623bf8b32142220401de86ed44338c3d Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 3 Sep 2021 22:01:36 +0200 Subject: MokManager: remove redundant logical constraints CertList->SignatureSize is of type UINT32 which is always positive. If CertList->SignatureListSize == 0, then CertList->SignatureListSize <= CertList->SignatureSize is also true. Remove the redundant CertList->SignatureListSize == 0 checks. A message "Corrupted signature list" is better suited then "Invalid MOK detected! Ignoring MOK List." in this case. Signed-off-by: Heinrich Schuchardt --- MokManager.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'MokManager.c') diff --git a/MokManager.c b/MokManager.c index ffcd6a6e..52f5c0a0 100644 
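Review bot: The new `MOK_VARIABLE_INVERSE` branch in import_one_mok_state stores `v->data[0] = 0x01` without checking the result of `AllocateZeroPool(4)`, so an allocation failure during boot becomes a NULL dereference. Add `if (!v->data) return EFI_OUT_OF_RESOURCES;` between the allocation and the store; the function continues outside the hunk, so confirm that an early return here matches its cleanup convention. The condition `efi_status == EFI_NOT_FOUND && v->flags & MOK_VARIABLE_INVERSE` parses as intended, but parentheses around `(v->flags & MOK_VARIABLE_INVERSE)` would make that obvious and avoid compiler precedence warnings.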
--- a/MokManager.c +++ b/MokManager.c @@ -142,17 +142,14 @@ static UINT32 count_keys(void *Data, UINTN DataSize) void *end = Data + DataSize; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - /* Use ptr arithmetics to ensure bounded access. Do not allow 0 - * SignatureListSize that will cause endless loop. */ - if ((void *)(CertList + 1) > end - || CertList->SignatureListSize == 0) { + /* Use ptr arithmetics to ensure bounded access. */ + if ((void *)(CertList + 1) > end) { console_notify (L"Invalid MOK detected! Ignoring MOK List."); return 0; } - if (CertList->SignatureListSize == 0 || - CertList->SignatureListSize <= CertList->SignatureSize) { + if (CertList->SignatureListSize <= CertList->SignatureSize) { console_errorbox(L"Corrupted signature list"); return 0; } -- cgit v1.2.3
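Review bot: The loop condition in count_keys reads `CertList->SignatureListSize` before the `(void *)(CertList + 1) > end` test has confirmed that a complete list header fits in the buffer, so when fewer bytes than a header remain the size field is read from beyond `end`. Requiring a full header in the condition closes that gap and makes the in-loop pointer check a second line of defence: `while ((dbsize >= sizeof(*CertList)) && (dbsize >= CertList->SignatureListSize)) {`. This assumes `dbsize` tracks the bytes remaining from `CertList`; its update is outside the hunk. The removed comment also explained why a zero `SignatureListSize` must be rejected, so a replacement such as `/* SignatureListSize == 0 is rejected below, since 0 <= SignatureSize; otherwise the loop would not advance. */` above the remaining comparison would preserve that reasoning.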