From ef8c9962a8bab7068acd47f0845df45616c0fda1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 26 Nov 2012 13:43:50 -0500 Subject: Sign MokManager with a locally-generated key shim needs to verify that MokManager hasn't been modified, but we want to be able to support configurations where shim is shipped without a vendor certificate. This patch adds support for generating a certificate at build time, incorporating the public half into shim and signing MokManager with the private half. It uses pesign and nss, but still requires openssl for key generation. Anyone using sbsign will need to figure this out for themselves. --- shim.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'shim.c') diff --git a/shim.c b/shim.c index 8130ed8c..4d490b91 100644 --- a/shim.c +++ b/shim.c @@ -40,6 +40,7 @@ #include "shim.h" #include "signature.h" #include "netboot.h" +#include "shim_cert.h" #define SECOND_STAGE L"\\grub.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -415,6 +416,8 @@ static BOOLEAN secure_mode (void) UINT8 sb, setupmode; UINT32 attributes; + return TRUE; + if (insecure_mode) return FALSE; @@ -695,6 +698,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize, return status; } + /* + * Check against the shim build key + */ + if (AuthenticodeVerify(cert->CertData, + context->SecDir->Size - sizeof(cert->Hdr), + shim_cert, sizeof(shim_cert), sha256hash, + SHA256_DIGEST_SIZE)) { + status = EFI_SUCCESS; + Print(L"Binary is verified by the vendor certificate\n"); + return status; + } + + /* * And finally, check against shim's built-in key */ @@ -1180,12 +1196,8 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) efi_status = start_image(image_handle, SECOND_STAGE); - if (efi_status != EFI_SUCCESS) { - if (efi_status == EFI_ACCESS_DENIED) - efi_status = start_image(image_handle, MOK_MANAGER); - else - Print(L"Failed to start grub\n"); - } + if (efi_status != EFI_SUCCESS) + efi_status = start_image(image_handle, MOK_MANAGER); done: return efi_status; -- cgit v1.2.3