From dd3a5d71252a1f94e37f1a4c8841d253630b305a Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 23 Jul 2020 12:36:56 -0400
Subject: Add support for vendor_db built-in shim authorized list.

Potential new signing strategies ( for example signing grub, fwupdate
and vmlinuz with separate certificates ) require shim to support a
vendor provided bundle of trusted certificates and hashes, which allows
shim to trust EFI binaries matching either certificate by signature or
hash in the vendor_db.  Functionality is similar to vendor_dbx.

This also improves the mirroring quite a bit.
Upstream: pr#206
---
 shim.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'shim.c')

diff --git a/shim.c b/shim.c
index 888ee6e8..ee62248c 100644
--- a/shim.c
+++ b/shim.c
@@ -646,6 +646,31 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		}
 	}
 
+#if defined(VENDOR_DB_FILE)
+	EFI_SIGNATURE_LIST *db = (EFI_SIGNATURE_LIST *)vendor_db;
+
+	if (check_db_hash_in_ram(db, vendor_db_size,
+				 sha256hash, SHA256_DIGEST_SIZE,
+				 EFI_CERT_SHA256_GUID, L"vendor_db",
+				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_HASH;
+		update_verification_method(VERIFIED_BY_HASH);
+		return EFI_SUCCESS;
+	} else {
+		LogError(L"check_db_hash(vendor_db, sha256hash) != DATA_FOUND\n");
+	}
+	if (cert &&
+	    check_db_cert_in_ram(db, vendor_db_size,
+				 cert, sha256hash, L"vendor_db",
+				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_CERT;
+		update_verification_method(VERIFIED_BY_CERT);
+		return EFI_SUCCESS;
+	} else {
+		LogError(L"check_db_cert(vendor_db, sha256hash) != DATA_FOUND\n");
+	}
+#endif
+
 	if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash,
 			  SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID)
 				== DATA_FOUND) {
@@ -1076,6 +1101,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 		}
 #endif /* defined(ENABLE_SHIM_CERT) */
 
+#if defined(VENDOR_CERT_FILE)
 		/*
 		 * And finally, check against shim's built-in key
 		 */
@@ -1093,6 +1119,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 		} else {
 			LogError(L"AuthenticodeVerify(vendor_authorized) failed\n");
 		}
+#endif /* defined(VENDOR_CERT_FILE) */
 	}
 
 	LogError(L"Binary is not whitelisted\n");
-- 
cgit v1.2.3