Update to 0.5
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones
parent
fd458a376b
commit
ba65b5563e
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
/mokutil-*.tar.bz2
|
||||
/shim-*.tar.bz2
|
||||
/*.tar.gz
|
||||
clog
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 31 May 2013 15:22:37 -0400
|
||||
Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized.
|
||||
|
||||
GCC 4.8.0 will try to use these by default, and you'll wind up looping
|
||||
across the (uninitialized!) trap handler for uninitialized instructions.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
Cryptlib/Makefile | 2 +-
|
||||
Cryptlib/OpenSSL/Makefile | 2 +-
|
||||
Makefile | 4 ++--
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
|
||||
index 925db8d..f1add83 100644
|
||||
--- a/Cryptlib/Makefile
|
||||
+++ b/Cryptlib/Makefile
|
||||
@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
||||
|
||||
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
- -Wall $(EFI_INCLUDES) -mno-red-zone
|
||||
+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
endif
|
||||
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
|
||||
index 7fde382..1bae841 100644
|
||||
--- a/Cryptlib/OpenSSL/Makefile
|
||||
+++ b/Cryptlib/OpenSSL/Makefile
|
||||
@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi
|
||||
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
||||
|
||||
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
|
||||
+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \
|
||||
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 287fbcf..c8f6ec8 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
||||
|
||||
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
- -Wall -mno-red-zone \
|
||||
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
|
||||
+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \
|
||||
$(EFI_INCLUDES)
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 10 Jun 2013 18:08:50 -0400
|
||||
Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own
|
||||
signing.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
shim.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 94b9710..4edd0b6 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
return status;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
/*
|
||||
* Check against the shim build key
|
||||
*/
|
||||
@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
Print(L"Binary is verified by the vendor certificate\n");
|
||||
return status;
|
||||
}
|
||||
+#endif
|
||||
|
||||
|
||||
/*
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@ -1,32 +0,0 @@
|
||||
From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 30 May 2013 17:23:19 -0400
|
||||
Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t
|
||||
|
||||
---
|
||||
netboot.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git b/netboot.c a/netboot.c
|
||||
index c44aeac..90fb9cb 100644
|
||||
--- b/netboot.c
|
||||
+++ a/netboot.c
|
||||
@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr;
|
||||
static char *full_path;
|
||||
|
||||
|
||||
+/*
|
||||
+ * Not in the EFI header set yet, so I have to declare it here
|
||||
+ */
|
||||
+typedef struct {
|
||||
+ UINT32 MessageType:8;
|
||||
+ UINT32 TransactionId:24;
|
||||
+ UINT8 DhcpOptions[1024];
|
||||
+} EFI_PXE_BASE_CODE_DHCPV6_PACKET;
|
||||
+
|
||||
typedef struct {
|
||||
UINT16 OpCode;
|
||||
UINT16 Length;
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 May 2013 13:12:43 -0400
|
||||
Subject: [PATCH] Fix grub path
|
||||
|
||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
||||
---
|
||||
shim.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index f2b8f1d..d28e0cd 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -43,7 +43,7 @@
|
||||
#include "shim_cert.h"
|
||||
#include "ucs2.h"
|
||||
|
||||
-#define DEFAULT_LOADER L"\\grub.efi"
|
||||
+#define DEFAULT_LOADER L"\\grubx64.efi"
|
||||
#define FALLBACK L"\\fallback.efi"
|
||||
#define MOK_MANAGER L"\\MokManager.efi"
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@ -1,61 +0,0 @@
|
||||
From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 11 Jun 2013 14:58:25 -0400
|
||||
Subject: [PATCH] Fix some pointer casting issues.
|
||||
|
||||
This also fixes the size of an empty vendor_cert or dbx_cert.
|
||||
|
||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
||||
---
|
||||
cert.S | 2 +-
|
||||
shim.c | 9 +++++----
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/cert.S b/cert.S
|
||||
index 2ed9b6d..66a05b8 100644
|
||||
--- a/cert.S
|
||||
+++ b/cert.S
|
||||
@@ -32,5 +32,5 @@ vendor_cert:
|
||||
.size vendor_cert_size, 4
|
||||
.section .vendor_cert, "a", @progbits
|
||||
vendor_cert_size:
|
||||
- .long 1
|
||||
+ .long 0
|
||||
#endif
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 8ffcad6..a573037 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -59,7 +59,7 @@ static UINT32 load_options_size;
|
||||
*/
|
||||
extern UINT8 vendor_cert[];
|
||||
extern UINT32 vendor_cert_size;
|
||||
-extern EFI_SIGNATURE_LIST *vendor_dbx;
|
||||
+extern UINT8 vendor_dbx[];
|
||||
extern UINT32 vendor_dbx_size;
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
||||
@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
||||
{
|
||||
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
||||
+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
|
||||
|
||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
|
||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
|
||||
SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
|
||||
DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
|
||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
|
||||
SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
|
||||
DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
|
||||
+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
||||
sha256hash) == DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@ -1,54 +0,0 @@
|
||||
From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
|
||||
Return-Path: jwboyer@redhat.com
|
||||
Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
|
||||
zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
|
||||
zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
|
||||
11:12:04 -0500 (EST)
|
||||
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
|
||||
by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
|
||||
for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
|
||||
Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
|
||||
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
|
||||
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
|
||||
Tue, 11 Dec 2012 11:12:03 -0500
|
||||
Date: Tue, 11 Dec 2012 11:12:01 -0500
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
To: pjones@redhat.com
|
||||
Cc: mjg59@srcf.ucam.org
|
||||
Subject: [PATCH] Fix SignatureSize field when importing a new cert
|
||||
Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=us-ascii
|
||||
Content-Disposition: inline
|
||||
User-Agent: Mutt/1.5.21 (2010-09-15)
|
||||
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
|
||||
Status: RO
|
||||
Content-Length: 842
|
||||
Lines: 25
|
||||
|
||||
The SignatureSize field should be the length of the certificate plus
|
||||
16 per the UEFI spec. Remove the extraneous addition of
|
||||
sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
|
||||
in MokListRT are parsable.
|
||||
---
|
||||
src/mokutil.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
|
||||
index ca46488..f94aee4 100644
|
||||
--- a/mokutil-0.1.0/src/mokutil.c
|
||||
+++ b/mokutil-0.1.0/src/mokutil.c
|
||||
@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
|
||||
CertList->SignatureListSize = sizes[i] +
|
||||
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
|
||||
CertList->SignatureHeaderSize = 0;
|
||||
- CertList->SignatureSize = sizes[i] +
|
||||
- sizeof(EFI_SIGNATURE_DATA) + 16;
|
||||
+ CertList->SignatureSize = sizes[i] + 16;
|
||||
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
||||
|
||||
fd = open (files[i], O_RDONLY);
|
||||
--
|
||||
1.8.0.1
|
||||
|
||||
|
||||
30
shim.spec
30
shim.spec
@ -1,5 +1,5 @@
|
||||
Name: shim
|
||||
Version: 0.4
|
||||
Version: 0.5
|
||||
Release: 1%{?dist}
|
||||
Summary: First-stage UEFI bootloader
|
||||
|
||||
@ -9,8 +9,8 @@ Source0: https://github.com/mjg59/shim/archive/%{version}.tar.gz
|
||||
Source1: fedora-ca.cer
|
||||
|
||||
# incorporate mokutil for packaging simplicity
|
||||
%global mokutilver 0.1.0
|
||||
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
||||
%global mokutilver 0.2.0
|
||||
Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.bz2
|
||||
|
||||
# currently here's what's in our dbx:
|
||||
# grub2-efi-2.00-11.fc18.x86_64:
|
||||
@ -22,24 +22,9 @@ Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
||||
# woops.
|
||||
Source3: dbx.esl
|
||||
|
||||
# this we'll always need, unless we phase in a rename of our grub binary.
|
||||
Patch0: 0001-Fix-grub-path.patch
|
||||
|
||||
# this we won't need in the next version of mokutil
|
||||
Patch1: mokutil-correct-moklistrt-size.patch
|
||||
|
||||
# this needs to be worked on upstream
|
||||
Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
|
||||
|
||||
# this will go away once a new gnu-efi actually works again
|
||||
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
|
||||
|
||||
# this will go away with shim 0.5
|
||||
Patch4: 0001-Fix-some-pointer-casting-issues.patch
|
||||
|
||||
BuildRequires: gnu-efi git openssl-devel openssl
|
||||
BuildRequires: pesign >= 0.106-1
|
||||
BuildRequires: gnu-efi = 3.0q
|
||||
BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u
|
||||
|
||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||
@ -78,7 +63,7 @@ Summary: Utilities for managing Secure Boot/MoK keys.
|
||||
Utilities for managing the "Machine's Own Keys" list.
|
||||
|
||||
%prep
|
||||
%setup -q -n shim-%{version}
|
||||
%setup -q
|
||||
%setup -q -a 2 -D -T
|
||||
git init
|
||||
git config user.email "shim-owner@fedoraproject.org"
|
||||
@ -92,7 +77,7 @@ MAKEFLAGS=""
|
||||
if [ -f "%{SOURCE1}" ]; then
|
||||
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}"
|
||||
fi
|
||||
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
||||
make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
||||
cd mokutil-%{mokutilver}
|
||||
%configure
|
||||
make %{?_smp_mflags}
|
||||
@ -125,6 +110,9 @@ install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/s
|
||||
/usr/share/man/man1/mokutil.1.gz
|
||||
|
||||
%changelog
|
||||
* Fri Oct 04 2013 Peter Jones <pjones@redhat.com> - 0.5-1
|
||||
- Update to 0.5
|
||||
|
||||
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
|
||||
- Update to 0.4
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user