From 2e3808918a95a6c2c9317fa48574350886f3da16 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 14 Aug 2012 11:53:51 -0400
Subject: [PATCH] Add vendor cert-from-file magic
---
 shim-vendor-cert-file.patch | 129 ++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 shim-vendor-cert-file.patch
diff --git a/shim-vendor-cert-file.patch b/shim-vendor-cert-file.patch
new file mode 100644
index 0000000..09e8ab1
--- /dev/null
+++ b/shim-vendor-cert-file.patch
@@ -0,0 +1,129 @@
+From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 13 Aug 2012 17:06:46 -0400
+Subject: [PATCH] Allow specification of vendor_cert through a build command
+ line option.
+
+This allows you to specify the vendor_cert as a file on the command line
+during build.
+---
+ Makefile | 16 +++++++++++-----
+ cert.S | 32 ++++++++++++++++++++++++++++++++
+ cert.h | 1 -
+ shim.c | 6 +++---
+ 4 files changed, 46 insertions(+), 9 deletions(-)
+ create mode 100644 cert.S
+ delete mode 100644 cert.h
+
+diff --git a/Makefile b/Makefile
+index 1e3a020..66b105f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
+
+-
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall -mno-red-zone \
+ $(EFI_INCLUDES)
+ ifeq ($(ARCH),x86_64)
+ CFLAGS += -DEFI_FUNCTION_WRAPPER
+ endif
++ifneq ($(origin VENDOR_CERT_FILE), undefined)
++ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
++endif
++
+ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
+
+-TARGET = shim.efi
+-OBJS = shim.o shim.so
+-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
++TARGET = shim.efi
++OBJS = shim.o cert.o
++SOURCES = shim.c shim.h signature.h PeImage.h
+
+ all: $(TARGET)
+
+ shim.o: $(SOURCES)
+
+-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
++cert.o : cert.S
++ $(CC) $(CFLAGS) -c -o $@ $<
++
++shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+ Cryptlib/libcryptlib.a:
+diff --git a/cert.S b/cert.S
+new file mode 100644
+index 0000000..129bab5
+--- /dev/null
++++ b/cert.S
+@@ -0,0 +1,32 @@
++#if defined(VENDOR_CERT_FILE)
++ .globl vendor_cert
++ .data
++ .align 16
++ .type vendor_cert, @object
++ .size vendor_cert_size, vendor_cert_size-vendor_cert
++vendor_cert:
++.incbin VENDOR_CERT_FILE
++
++ .globl vendor_cert_size
++ .data
++ .align 16
++ .type vendor_cert_size, @object
++ .size vendor_cert_size, 4
++vendor_cert_size:
++ .long vendor_cert_size - vendor_cert
++#else
++ .globl vendor_cert
++ .bss
++ .type vendor_cert, @object
++ .size vendor_cert, 1
++vendor_cert:
++ .zero 1
++
++ .globl vendor_cert_size
++ .data
++ .align 4
++ .type vendor_cert_size, @object
++ .size vendor_cert_size, 4
++vendor_cert_size:
++ .long 1
++#endif
+diff --git a/cert.h b/cert.h
+deleted file mode 100644
+index 380bc04..0000000
+--- a/cert.h
++++ /dev/null
+@@ -1 +0,0 @@
+-static UINT8 vendor_cert[] = {0x00};
+diff --git a/shim.c b/shim.c
+index fc3dafc..2d9044d 100644
+--- a/shim.c
++++ b/shim.c
+@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
+ /*
+ * The vendor certificate used for validating the second stage loader
+ */
+-
+-#include "cert.h"
++extern UINT8 vendor_cert[];
++extern UINT32 vendor_cert_size;
+
+ #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
+
+@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+
+ if (!AuthenticodeVerify(cert->CertData,
+ context->SecDir->Size - sizeof(cert->Hdr),
+- vendor_cert, sizeof(vendor_cert), hash,
++ vendor_cert, vendor_cert_size, hash,
+ SHA256_DIGEST_SIZE)) {
+ Print(L"Invalid signature\n");
+ status = EFI_ACCESS_DENIED;
+--
+1.7.11.2
+
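Review bot: In the embedded cert.S, the first `.size` directive of the `#if defined(VENDOR_CERT_FILE)` branch names the wrong symbol: `.size vendor_cert_size, vendor_cert_size-vendor_cert` is followed a few lines later by `.size vendor_cert_size, 4`, so `vendor_cert` never receives a size and `vendor_cert_size` is sized twice. It should read `.size vendor_cert, vendor_cert_size-vendor_cert`, matching the `.type vendor_cert, @object` line just above it. Symbol size is ELF metadata only, so the `AuthenticodeVerify` call in shim.c still receives the correct `vendor_cert_size`, but debuggers and ELF tooling will report the trust-anchor certificate as a zero-length object, which makes auditing the embedded cert harder. Since this certificate is the root of trust for the second-stage loader, a short comment in cert.S stating that `VENDOR_CERT_FILE` is expected to be a DER-encoded certificate and is pulled in verbatim by `.incbin` (path resolved by the assembler, presumably relative to the build directory) would also help anyone reproducing the build verify what was embedded.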