From a1f2863584ef780eb0f974efe226f1c2524db681 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 1 Oct 2013 14:03:16 -0400
Subject: Make vendor_cert/vendor_dbx actually replaceable by an external tool.

This moves them both to be computed at runtime from a pointer+offset rather than just a pointer, so that their real address can be entirely derived from the section they're in. This means you can replace the whole .vendor_cert section with a new one with certs that don't have the same size.
---
 shim.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'shim.c')

diff --git a/shim.c b/shim.c
index f644f3f0..a923e7e9 100644
--- a/shim.c
+++ b/shim.c
@@ -63,10 +63,17 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
 /*
  * The vendor certificate used for validating the second stage loader
  */
-extern UINT8 vendor_cert[];
-extern UINT32 vendor_cert_size;
-extern UINT8 vendor_dbx[];
-extern UINT32 vendor_dbx_size;
+extern struct {
+	UINT32 vendor_cert_size;
+	UINT32 vendor_dbx_size;
+	UINT32 vendor_cert_offset;
+	UINT32 vendor_dbx_offset;
+} cert_table;
+
+UINT32 vendor_cert_size;
+UINT32 vendor_dbx_size;
+UINT8 *vendor_cert;
+UINT8 *vendor_dbx;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
@@ -1493,6 +1500,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	UINTN verbose_check_size;
 	EFI_GUID global_var = EFI_GLOBAL_VARIABLE;
 
+	vendor_cert_size = cert_table.vendor_cert_size;
+	vendor_dbx_size = cert_table.vendor_dbx_size;
+	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
+	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
+
 	/*
 	 * Set up the shim lock protocol so that grub and MokManager can
 	 * call back in and use shim functions
-- 
cgit v1.2.3
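Review bot: The anonymous `cert_table` struct is now a binary layout contract with the external replacement tool, yet nothing in the declaration says what the four fields mean, that the offsets are relative to the start of `cert_table` itself (which is how efi_main uses them), or that field order and width are fixed. The comment above it still only reads "The vendor certificate used for validating the second stage loader", which no longer describes what follows. I would put a comment on the struct along the lines of `/* Header of the .vendor_cert section; *_offset are byte offsets from the start of this header, *_size the byte lengths. Layout is an ABI consumed by the section-replacement tool — do not reorder or resize fields. */`.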
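Review bot: The four assignments added at the top of efi_main take `vendor_cert_offset`, `vendor_dbx_offset` and both sizes straight from the section and turn them into pointers with no validation, so a table whose offset or offset+size runs past the section makes every later consumer of `vendor_cert`/`vendor_dbx` read out of bounds. Since the stated purpose of the change is that an external tool rewrites this section, a mis-built table is a realistic input; the table is part of the signed image, so this is a robustness check against a broken build rather than against an attacker, but shim runs with firmware privilege and would otherwise fail silently at some later point. I would at least reject an offset that points back into the header itself or whose `offset + size` wraps in 32 bits before deriving the pointers; the section's true length is not visible in this hunk, so the upper bound against it would need the PE section size. efi_main starts before this hunk and continues after it.
```c
	/* … unchanged: locals … */
	if (cert_table.vendor_cert_offset < sizeof(cert_table) ||
	    cert_table.vendor_cert_offset > UINT32_MAX - cert_table.vendor_cert_size ||
	    cert_table.vendor_dbx_offset < sizeof(cert_table) ||
	    cert_table.vendor_dbx_offset > UINT32_MAX - cert_table.vendor_dbx_size) {
		Print(L"Invalid vendor certificate table\n");
		return EFI_INVALID_PARAMETER;
	}
	vendor_cert_size = cert_table.vendor_cert_size;
	vendor_dbx_size = cert_table.vendor_dbx_size;
	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
	/* … unchanged: shim lock protocol setup … */
```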