Get rid of unused patches.
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
parent
b20ba9cc96
commit
2d3b876a4b
@ -1,146 +0,0 @@
|
||||
From be73f6bd4f064015c9f12323e2fb2f51b8cdb631 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 22 Oct 2013 13:36:54 -0400
|
||||
Subject: [PATCH 2/5] Don't reject all binaries without a certificate database.
|
||||
|
||||
If a binary isn't signed, but its hash is enrolled in db, it won't have
|
||||
a certificate database. So in those cases, don't check it against
|
||||
certificate databases in db/dbx/etc, but we don't need to reject it
|
||||
outright.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
shim.c | 70 +++++++++++++++++++++++++++++++++++-------------------------------
|
||||
1 file changed, 37 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 58136db..3d1febb 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
|
||||
DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
||||
- sha256hash) == DATA_FOUND)
|
||||
+ if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
||||
+ sha256hash) == DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
|
||||
if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
|
||||
@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
|
||||
EFI_CERT_SHA1_GUID) == DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
|
||||
+ if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
|
||||
+ DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
|
||||
return EFI_SUCCESS;
|
||||
@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
update_verification_method(VERIFIED_BY_HASH);
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
- if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
|
||||
+ if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
|
||||
+ == DATA_FOUND) {
|
||||
verification_method = VERIFIED_BY_CERT;
|
||||
update_verification_method(VERIFIED_BY_CERT);
|
||||
return EFI_SUCCESS;
|
||||
@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
update_verification_method(VERIFIED_BY_HASH);
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
- if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
|
||||
+ if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
|
||||
+ DATA_FOUND) {
|
||||
verification_method = VERIFIED_BY_CERT;
|
||||
update_verification_method(VERIFIED_BY_CERT);
|
||||
return EFI_SUCCESS;
|
||||
@@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
UINT8 sha256hash[SHA256_DIGEST_SIZE];
|
||||
UINT8 sha1hash[SHA1_DIGEST_SIZE];
|
||||
EFI_STATUS status = EFI_ACCESS_DENIED;
|
||||
- WIN_CERTIFICATE_EFI_PKCS *cert;
|
||||
+ WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
|
||||
unsigned int size = datasize;
|
||||
|
||||
- if (context->SecDir->Size == 0) {
|
||||
- Print(L"Empty security header\n");
|
||||
- return EFI_INVALID_PARAMETER;
|
||||
- }
|
||||
-
|
||||
- cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
|
||||
+ if (context->SecDir->Size != 0) {
|
||||
+ cert = ImageAddress (data, size,
|
||||
+ context->SecDir->VirtualAddress);
|
||||
|
||||
- if (!cert) {
|
||||
- Print(L"Certificate located outside the image\n");
|
||||
- return EFI_INVALID_PARAMETER;
|
||||
- }
|
||||
+ if (!cert) {
|
||||
+ Print(L"Certificate located outside the image\n");
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
|
||||
- if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
|
||||
- Print(L"Unsupported certificate type %x\n",
|
||||
- cert->Hdr.wCertificateType);
|
||||
- return EFI_UNSUPPORTED;
|
||||
+ if (cert->Hdr.wCertificateType !=
|
||||
+ WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
|
||||
+ Print(L"Unsupported certificate type %x\n",
|
||||
+ cert->Hdr.wCertificateType);
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+ }
|
||||
}
|
||||
|
||||
status = generate_hash(data, datasize, context, sha256hash, sha1hash);
|
||||
@@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
if (status == EFI_SUCCESS)
|
||||
return status;
|
||||
|
||||
- /*
|
||||
- * Check against the shim build key
|
||||
- */
|
||||
- if (AuthenticodeVerify(cert->CertData,
|
||||
+ if (cert) {
|
||||
+ /*
|
||||
+ * Check against the shim build key
|
||||
+ */
|
||||
+ if (AuthenticodeVerify(cert->CertData,
|
||||
context->SecDir->Size - sizeof(cert->Hdr),
|
||||
shim_cert, sizeof(shim_cert), sha256hash,
|
||||
SHA256_DIGEST_SIZE)) {
|
||||
- status = EFI_SUCCESS;
|
||||
- return status;
|
||||
- }
|
||||
+ status = EFI_SUCCESS;
|
||||
+ return status;
|
||||
+ }
|
||||
|
||||
|
||||
- /*
|
||||
- * And finally, check against shim's built-in key
|
||||
- */
|
||||
- if (AuthenticodeVerify(cert->CertData,
|
||||
+ /*
|
||||
+ * And finally, check against shim's built-in key
|
||||
+ */
|
||||
+ if (AuthenticodeVerify(cert->CertData,
|
||||
context->SecDir->Size - sizeof(cert->Hdr),
|
||||
vendor_cert, vendor_cert_size, sha256hash,
|
||||
SHA256_DIGEST_SIZE)) {
|
||||
- status = EFI_SUCCESS;
|
||||
- return status;
|
||||
+ status = EFI_SUCCESS;
|
||||
+ return status;
|
||||
+ }
|
||||
}
|
||||
|
||||
status = EFI_ACCESS_DENIED;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 83b3a7cf6d4d4e91579864cfc75dadf2b7304da9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 28 Oct 2013 10:41:03 -0400
|
||||
Subject: [PATCH 4/5] We should be checking both mok and the system's SB
|
||||
settings
|
||||
|
||||
When we call hook_system_services(), we're currently only checking mok's
|
||||
setting. We should use secure_mode() instead so it'll check both.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
shim.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 537177d..9d0d884 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -1718,7 +1718,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||||
/*
|
||||
* Tell the user that we're in insecure mode if necessary
|
||||
*/
|
||||
- if (insecure_mode) {
|
||||
+ if (!secure_mode()) {
|
||||
Print(L"Booting in insecure mode\n");
|
||||
uefi_call_wrapper(BS->Stall, 1, 2000000);
|
||||
} else {
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,54 +0,0 @@
|
||||
From 556c445ea19fc257fe35ac1a67477e7352ba3fcd Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 30 Oct 2013 16:36:01 -0400
|
||||
Subject: [PATCH 5/5] Don't free GetVariable() return data without checking the
|
||||
status code.
|
||||
|
||||
This breaks every machine from before Secure Boot was a thing.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
shim.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 9d0d884..0081342 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -456,21 +456,30 @@ static BOOLEAN secure_mode (void)
|
||||
return FALSE;
|
||||
|
||||
status = get_variable(L"SecureBoot", &Data, &len, global_var);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ if (verbose)
|
||||
+ console_notify(L"Secure boot not enabled\n");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
sb = *Data;
|
||||
FreePool(Data);
|
||||
|
||||
- /* FIXME - more paranoia here? */
|
||||
- if (status != EFI_SUCCESS || sb != 1) {
|
||||
+ if (sb != 1) {
|
||||
if (verbose)
|
||||
console_notify(L"Secure boot not enabled\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
status = get_variable(L"SetupMode", &Data, &len, global_var);
|
||||
+ if (status == EFI_SUCCESS) {
|
||||
+ if (verbose)
|
||||
+ console_notify(L"Platform is in setup mode\n");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
setupmode = *Data;
|
||||
FreePool(Data);
|
||||
|
||||
- if (status == EFI_SUCCESS && setupmode == 1) {
|
||||
+ if (setupmode == 1) {
|
||||
if (verbose)
|
||||
console_notify(L"Platform is in setup mode\n");
|
||||
return FALSE;
|
||||
--
|
||||
1.8.3.1
|
||||
|
File diff suppressed because one or more lines are too long
@ -1,63 +0,0 @@
|
||||
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg@redhat.com>
|
||||
Date: Tue, 14 Aug 2012 06:50:00 -0400
|
||||
Subject: [PATCH] Use the file size, not the image size field, for
|
||||
verification.
|
||||
|
||||
---
|
||||
shim.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 2d9044d..6a3c054 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -555,7 +555,7 @@ done:
|
||||
/*
|
||||
* Read the binary header and grab appropriate information from it
|
||||
*/
|
||||
-static EFI_STATUS read_header(void *data,
|
||||
+static EFI_STATUS read_header(void *data, unsigned int datasize,
|
||||
PE_COFF_LOADER_IMAGE_CONTEXT *context)
|
||||
{
|
||||
EFI_IMAGE_DOS_HEADER *DosHdr = data;
|
||||
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
|
||||
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
|
||||
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
|
||||
|
||||
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
|
||||
+ if (context->SecDir->VirtualAddress >= datasize) {
|
||||
Print(L"Malformed security header\n");
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
|
||||
/*
|
||||
* Once the image has been loaded it needs to be validated and relocated
|
||||
*/
|
||||
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
||||
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
|
||||
+ EFI_LOADED_IMAGE *li)
|
||||
{
|
||||
EFI_STATUS efi_status;
|
||||
char *buffer;
|
||||
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
||||
char *base, *end;
|
||||
PE_COFF_LOADER_IMAGE_CONTEXT context;
|
||||
|
||||
- efi_status = read_header(data, &context);
|
||||
+ efi_status = read_header(data, datasize, &context);
|
||||
if (efi_status != EFI_SUCCESS) {
|
||||
Print(L"Failed to read header\n");
|
||||
return efi_status;
|
||||
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
|
||||
if (!secure_mode())
|
||||
return EFI_SUCCESS;
|
||||
|
||||
- status = read_header(buffer, &context);
|
||||
+ status = read_header(buffer, size, &context);
|
||||
|
||||
if (status != EFI_SUCCESS)
|
||||
return status;
|
||||
--
|
||||
1.7.11.2
|
||||
|
@ -1,129 +0,0 @@
|
||||
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 13 Aug 2012 17:06:46 -0400
|
||||
Subject: [PATCH] Allow specification of vendor_cert through a build command
|
||||
line option.
|
||||
|
||||
This allows you to specify the vendor_cert as a file on the command line
|
||||
during build.
|
||||
---
|
||||
Makefile | 16 +++++++++++-----
|
||||
cert.S | 32 ++++++++++++++++++++++++++++++++
|
||||
cert.h | 1 -
|
||||
shim.c | 6 +++---
|
||||
4 files changed, 46 insertions(+), 9 deletions(-)
|
||||
create mode 100644 cert.S
|
||||
delete mode 100644 cert.h
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 1e3a020..66b105f 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
||||
|
||||
-
|
||||
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
-Wall -mno-red-zone \
|
||||
$(EFI_INCLUDES)
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
endif
|
||||
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
|
||||
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
|
||||
+endif
|
||||
+
|
||||
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
|
||||
|
||||
-TARGET = shim.efi
|
||||
-OBJS = shim.o shim.so
|
||||
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
|
||||
+TARGET = shim.efi
|
||||
+OBJS = shim.o cert.o
|
||||
+SOURCES = shim.c shim.h signature.h PeImage.h
|
||||
|
||||
all: $(TARGET)
|
||||
|
||||
shim.o: $(SOURCES)
|
||||
|
||||
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
|
||||
+cert.o : cert.S
|
||||
+ $(CC) $(CFLAGS) -c -o $@ $<
|
||||
+
|
||||
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
|
||||
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
|
||||
|
||||
Cryptlib/libcryptlib.a:
|
||||
diff --git a/cert.S b/cert.S
|
||||
new file mode 100644
|
||||
index 0000000..129bab5
|
||||
--- /dev/null
|
||||
+++ b/cert.S
|
||||
@@ -0,0 +1,32 @@
|
||||
+#if defined(VENDOR_CERT_FILE)
|
||||
+ .globl vendor_cert
|
||||
+ .data
|
||||
+ .align 16
|
||||
+ .type vendor_cert, @object
|
||||
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
|
||||
+vendor_cert:
|
||||
+.incbin VENDOR_CERT_FILE
|
||||
+
|
||||
+ .globl vendor_cert_size
|
||||
+ .data
|
||||
+ .align 16
|
||||
+ .type vendor_cert_size, @object
|
||||
+ .size vendor_cert_size, 4
|
||||
+vendor_cert_size:
|
||||
+ .long vendor_cert_size - vendor_cert
|
||||
+#else
|
||||
+ .globl vendor_cert
|
||||
+ .bss
|
||||
+ .type vendor_cert, @object
|
||||
+ .size vendor_cert, 1
|
||||
+vendor_cert:
|
||||
+ .zero 1
|
||||
+
|
||||
+ .globl vendor_cert_size
|
||||
+ .data
|
||||
+ .align 4
|
||||
+ .type vendor_cert_size, @object
|
||||
+ .size vendor_cert_size, 4
|
||||
+vendor_cert_size:
|
||||
+ .long 1
|
||||
+#endif
|
||||
diff --git a/cert.h b/cert.h
|
||||
deleted file mode 100644
|
||||
index 380bc04..0000000
|
||||
--- a/cert.h
|
||||
+++ /dev/null
|
||||
@@ -1 +0,0 @@
|
||||
-static UINT8 vendor_cert[] = {0x00};
|
||||
diff --git a/shim.c b/shim.c
|
||||
index fc3dafc..2d9044d 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
|
||||
/*
|
||||
* The vendor certificate used for validating the second stage loader
|
||||
*/
|
||||
-
|
||||
-#include "cert.h"
|
||||
+extern UINT8 vendor_cert[];
|
||||
+extern UINT32 vendor_cert_size;
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
||||
|
||||
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
|
||||
if (!AuthenticodeVerify(cert->CertData,
|
||||
context->SecDir->Size - sizeof(cert->Hdr),
|
||||
- vendor_cert, sizeof(vendor_cert), hash,
|
||||
+ vendor_cert, vendor_cert_size, hash,
|
||||
SHA256_DIGEST_SIZE)) {
|
||||
Print(L"Invalid signature\n");
|
||||
status = EFI_ACCESS_DENIED;
|
||||
--
|
||||
1.7.11.2
|
||||
|
Loading…
Reference in New Issue
Block a user