Compare commits
7 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
e66067a8e6 | ||
|
d854b5dba9 | ||
|
5fbba32ca2 | ||
|
08332a60c2 | ||
|
7eb349fa90 | ||
|
583daa9e89 | ||
|
b819c2be5b |
5
.gitignore
vendored
5
.gitignore
vendored
@ -1,2 +1,3 @@
|
||||
/mokutil-*.tar.bz2
|
||||
/shim-*.tar.bz2
|
||||
*.tar.*
|
||||
clog
|
||||
*.rpm
|
||||
|
@ -1,59 +0,0 @@
|
||||
From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 31 May 2013 15:22:37 -0400
|
||||
Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized.
|
||||
|
||||
GCC 4.8.0 will try to use these by default, and you'll wind up looping
|
||||
across the (uninitialized!) trap handler for uninitialized instructions.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
Cryptlib/Makefile | 2 +-
|
||||
Cryptlib/OpenSSL/Makefile | 2 +-
|
||||
Makefile | 4 ++--
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
|
||||
index 925db8d..f1add83 100644
|
||||
--- a/Cryptlib/Makefile
|
||||
+++ b/Cryptlib/Makefile
|
||||
@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
||||
|
||||
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
- -Wall $(EFI_INCLUDES) -mno-red-zone
|
||||
+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
endif
|
||||
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
|
||||
index 7fde382..1bae841 100644
|
||||
--- a/Cryptlib/OpenSSL/Makefile
|
||||
+++ b/Cryptlib/OpenSSL/Makefile
|
||||
@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi
|
||||
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
||||
|
||||
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
|
||||
+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \
|
||||
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 287fbcf..c8f6ec8 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
||||
|
||||
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
- -Wall -mno-red-zone \
|
||||
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
|
||||
+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \
|
||||
$(EFI_INCLUDES)
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 10 Jun 2013 18:08:50 -0400
|
||||
Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own
|
||||
signing.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
shim.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 94b9710..4edd0b6 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
return status;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
/*
|
||||
* Check against the shim build key
|
||||
*/
|
||||
@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
Print(L"Binary is verified by the vendor certificate\n");
|
||||
return status;
|
||||
}
|
||||
+#endif
|
||||
|
||||
|
||||
/*
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 30 May 2013 17:23:19 -0400
|
||||
Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t
|
||||
|
||||
---
|
||||
netboot.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git b/netboot.c a/netboot.c
|
||||
index c44aeac..90fb9cb 100644
|
||||
--- b/netboot.c
|
||||
+++ a/netboot.c
|
||||
@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr;
|
||||
static char *full_path;
|
||||
|
||||
|
||||
+/*
|
||||
+ * Not in the EFI header set yet, so I have to declare it here
|
||||
+ */
|
||||
+typedef struct {
|
||||
+ UINT32 MessageType:8;
|
||||
+ UINT32 TransactionId:24;
|
||||
+ UINT8 DhcpOptions[1024];
|
||||
+} EFI_PXE_BASE_CODE_DHCPV6_PACKET;
|
||||
+
|
||||
typedef struct {
|
||||
UINT16 OpCode;
|
||||
UINT16 Length;
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 May 2013 13:12:43 -0400
|
||||
Subject: [PATCH] Fix grub path
|
||||
|
||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
||||
---
|
||||
shim.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index f2b8f1d..d28e0cd 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -43,7 +43,7 @@
|
||||
#include "shim_cert.h"
|
||||
#include "ucs2.h"
|
||||
|
||||
-#define DEFAULT_LOADER L"\\grub.efi"
|
||||
+#define DEFAULT_LOADER L"\\grubx64.efi"
|
||||
#define FALLBACK L"\\fallback.efi"
|
||||
#define MOK_MANAGER L"\\MokManager.efi"
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,61 +0,0 @@
|
||||
From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 11 Jun 2013 14:58:25 -0400
|
||||
Subject: [PATCH] Fix some pointer casting issues.
|
||||
|
||||
This also fixes the size of an empty vendor_cert or dbx_cert.
|
||||
|
||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
||||
---
|
||||
cert.S | 2 +-
|
||||
shim.c | 9 +++++----
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/cert.S b/cert.S
|
||||
index 2ed9b6d..66a05b8 100644
|
||||
--- a/cert.S
|
||||
+++ b/cert.S
|
||||
@@ -32,5 +32,5 @@ vendor_cert:
|
||||
.size vendor_cert_size, 4
|
||||
.section .vendor_cert, "a", @progbits
|
||||
vendor_cert_size:
|
||||
- .long 1
|
||||
+ .long 0
|
||||
#endif
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 8ffcad6..a573037 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -59,7 +59,7 @@ static UINT32 load_options_size;
|
||||
*/
|
||||
extern UINT8 vendor_cert[];
|
||||
extern UINT32 vendor_cert_size;
|
||||
-extern EFI_SIGNATURE_LIST *vendor_dbx;
|
||||
+extern UINT8 vendor_dbx[];
|
||||
extern UINT32 vendor_dbx_size;
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
||||
@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
||||
{
|
||||
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
||||
+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
|
||||
|
||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
|
||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
|
||||
SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
|
||||
DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
|
||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
|
||||
SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
|
||||
DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
|
||||
+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
||||
sha256hash) == DATA_FOUND)
|
||||
return EFI_ACCESS_DENIED;
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,54 +0,0 @@
|
||||
From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
|
||||
Return-Path: jwboyer@redhat.com
|
||||
Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
|
||||
zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
|
||||
zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
|
||||
11:12:04 -0500 (EST)
|
||||
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
|
||||
by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
|
||||
for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
|
||||
Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
|
||||
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
|
||||
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
|
||||
Tue, 11 Dec 2012 11:12:03 -0500
|
||||
Date: Tue, 11 Dec 2012 11:12:01 -0500
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
To: pjones@redhat.com
|
||||
Cc: mjg59@srcf.ucam.org
|
||||
Subject: [PATCH] Fix SignatureSize field when importing a new cert
|
||||
Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=us-ascii
|
||||
Content-Disposition: inline
|
||||
User-Agent: Mutt/1.5.21 (2010-09-15)
|
||||
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
|
||||
Status: RO
|
||||
Content-Length: 842
|
||||
Lines: 25
|
||||
|
||||
The SignatureSize field should be the length of the certificate plus
|
||||
16 per the UEFI spec. Remove the extraneous addition of
|
||||
sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
|
||||
in MokListRT are parsable.
|
||||
---
|
||||
src/mokutil.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
|
||||
index ca46488..f94aee4 100644
|
||||
--- a/mokutil-0.1.0/src/mokutil.c
|
||||
+++ b/mokutil-0.1.0/src/mokutil.c
|
||||
@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
|
||||
CertList->SignatureListSize = sizes[i] +
|
||||
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
|
||||
CertList->SignatureHeaderSize = 0;
|
||||
- CertList->SignatureSize = sizes[i] +
|
||||
- sizeof(EFI_SIGNATURE_DATA) + 16;
|
||||
+ CertList->SignatureSize = sizes[i] + 16;
|
||||
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
||||
|
||||
fd = open (files[i], O_RDONLY);
|
||||
--
|
||||
1.8.0.1
|
||||
|
||||
|
File diff suppressed because one or more lines are too long
@ -1,63 +0,0 @@
|
||||
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg@redhat.com>
|
||||
Date: Tue, 14 Aug 2012 06:50:00 -0400
|
||||
Subject: [PATCH] Use the file size, not the image size field, for
|
||||
verification.
|
||||
|
||||
---
|
||||
shim.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 2d9044d..6a3c054 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -555,7 +555,7 @@ done:
|
||||
/*
|
||||
* Read the binary header and grab appropriate information from it
|
||||
*/
|
||||
-static EFI_STATUS read_header(void *data,
|
||||
+static EFI_STATUS read_header(void *data, unsigned int datasize,
|
||||
PE_COFF_LOADER_IMAGE_CONTEXT *context)
|
||||
{
|
||||
EFI_IMAGE_DOS_HEADER *DosHdr = data;
|
||||
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
|
||||
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
|
||||
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
|
||||
|
||||
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
|
||||
+ if (context->SecDir->VirtualAddress >= datasize) {
|
||||
Print(L"Malformed security header\n");
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
|
||||
/*
|
||||
* Once the image has been loaded it needs to be validated and relocated
|
||||
*/
|
||||
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
||||
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
|
||||
+ EFI_LOADED_IMAGE *li)
|
||||
{
|
||||
EFI_STATUS efi_status;
|
||||
char *buffer;
|
||||
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
||||
char *base, *end;
|
||||
PE_COFF_LOADER_IMAGE_CONTEXT context;
|
||||
|
||||
- efi_status = read_header(data, &context);
|
||||
+ efi_status = read_header(data, datasize, &context);
|
||||
if (efi_status != EFI_SUCCESS) {
|
||||
Print(L"Failed to read header\n");
|
||||
return efi_status;
|
||||
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
|
||||
if (!secure_mode())
|
||||
return EFI_SUCCESS;
|
||||
|
||||
- status = read_header(buffer, &context);
|
||||
+ status = read_header(buffer, size, &context);
|
||||
|
||||
if (status != EFI_SUCCESS)
|
||||
return status;
|
||||
--
|
||||
1.7.11.2
|
||||
|
@ -1,129 +0,0 @@
|
||||
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 13 Aug 2012 17:06:46 -0400
|
||||
Subject: [PATCH] Allow specification of vendor_cert through a build command
|
||||
line option.
|
||||
|
||||
This allows you to specify the vendor_cert as a file on the command line
|
||||
during build.
|
||||
---
|
||||
Makefile | 16 +++++++++++-----
|
||||
cert.S | 32 ++++++++++++++++++++++++++++++++
|
||||
cert.h | 1 -
|
||||
shim.c | 6 +++---
|
||||
4 files changed, 46 insertions(+), 9 deletions(-)
|
||||
create mode 100644 cert.S
|
||||
delete mode 100644 cert.h
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 1e3a020..66b105f 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
||||
|
||||
-
|
||||
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
||||
-Wall -mno-red-zone \
|
||||
$(EFI_INCLUDES)
|
||||
ifeq ($(ARCH),x86_64)
|
||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
||||
endif
|
||||
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
|
||||
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
|
||||
+endif
|
||||
+
|
||||
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
|
||||
|
||||
-TARGET = shim.efi
|
||||
-OBJS = shim.o shim.so
|
||||
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
|
||||
+TARGET = shim.efi
|
||||
+OBJS = shim.o cert.o
|
||||
+SOURCES = shim.c shim.h signature.h PeImage.h
|
||||
|
||||
all: $(TARGET)
|
||||
|
||||
shim.o: $(SOURCES)
|
||||
|
||||
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
|
||||
+cert.o : cert.S
|
||||
+ $(CC) $(CFLAGS) -c -o $@ $<
|
||||
+
|
||||
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
|
||||
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
|
||||
|
||||
Cryptlib/libcryptlib.a:
|
||||
diff --git a/cert.S b/cert.S
|
||||
new file mode 100644
|
||||
index 0000000..129bab5
|
||||
--- /dev/null
|
||||
+++ b/cert.S
|
||||
@@ -0,0 +1,32 @@
|
||||
+#if defined(VENDOR_CERT_FILE)
|
||||
+ .globl vendor_cert
|
||||
+ .data
|
||||
+ .align 16
|
||||
+ .type vendor_cert, @object
|
||||
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
|
||||
+vendor_cert:
|
||||
+.incbin VENDOR_CERT_FILE
|
||||
+
|
||||
+ .globl vendor_cert_size
|
||||
+ .data
|
||||
+ .align 16
|
||||
+ .type vendor_cert_size, @object
|
||||
+ .size vendor_cert_size, 4
|
||||
+vendor_cert_size:
|
||||
+ .long vendor_cert_size - vendor_cert
|
||||
+#else
|
||||
+ .globl vendor_cert
|
||||
+ .bss
|
||||
+ .type vendor_cert, @object
|
||||
+ .size vendor_cert, 1
|
||||
+vendor_cert:
|
||||
+ .zero 1
|
||||
+
|
||||
+ .globl vendor_cert_size
|
||||
+ .data
|
||||
+ .align 4
|
||||
+ .type vendor_cert_size, @object
|
||||
+ .size vendor_cert_size, 4
|
||||
+vendor_cert_size:
|
||||
+ .long 1
|
||||
+#endif
|
||||
diff --git a/cert.h b/cert.h
|
||||
deleted file mode 100644
|
||||
index 380bc04..0000000
|
||||
--- a/cert.h
|
||||
+++ /dev/null
|
||||
@@ -1 +0,0 @@
|
||||
-static UINT8 vendor_cert[] = {0x00};
|
||||
diff --git a/shim.c b/shim.c
|
||||
index fc3dafc..2d9044d 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
|
||||
/*
|
||||
* The vendor certificate used for validating the second stage loader
|
||||
*/
|
||||
-
|
||||
-#include "cert.h"
|
||||
+extern UINT8 vendor_cert[];
|
||||
+extern UINT32 vendor_cert_size;
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
||||
|
||||
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
||||
|
||||
if (!AuthenticodeVerify(cert->CertData,
|
||||
context->SecDir->Size - sizeof(cert->Hdr),
|
||||
- vendor_cert, sizeof(vendor_cert), hash,
|
||||
+ vendor_cert, vendor_cert_size, hash,
|
||||
SHA256_DIGEST_SIZE)) {
|
||||
Print(L"Invalid signature\n");
|
||||
status = EFI_ACCESS_DENIED;
|
||||
--
|
||||
1.7.11.2
|
||||
|
68
shim.spec
68
shim.spec
@ -1,17 +1,13 @@
|
||||
Name: shim
|
||||
Version: 0.4
|
||||
Version: 0.8
|
||||
Release: 1%{?dist}
|
||||
Summary: First-stage UEFI bootloader
|
||||
|
||||
License: BSD
|
||||
URL: http://www.codon.org.uk/~mjg59/shim/
|
||||
Source0: http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2
|
||||
Source0: https://github.com/mjg59/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
|
||||
Source1: fedora-ca.cer
|
||||
|
||||
# incorporate mokutil for packaging simplicity
|
||||
%global mokutilver 0.1.0
|
||||
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
||||
|
||||
# currently here's what's in our dbx:
|
||||
# grub2-efi-2.00-11.fc18.x86_64:
|
||||
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
|
||||
@ -20,37 +16,23 @@ Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
||||
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
|
||||
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
|
||||
# woops.
|
||||
Source3: dbx.esl
|
||||
Source2: dbx.esl
|
||||
|
||||
# this we'll always need, unless we phase in a rename of our grub binary.
|
||||
Patch0: 0001-Fix-grub-path.patch
|
||||
|
||||
# this we won't need in the next version of mokutil
|
||||
Patch1: mokutil-correct-moklistrt-size.patch
|
||||
|
||||
# this needs to be worked on upstream
|
||||
Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
|
||||
|
||||
# this will go away once a new gnu-efi actually works again
|
||||
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
|
||||
|
||||
# this will go away with shim 0.5
|
||||
Patch4: 0001-Fix-some-pointer-casting-issues.patch
|
||||
|
||||
BuildRequires: gnu-efi git openssl-devel openssl
|
||||
BuildRequires: git openssl-devel openssl
|
||||
BuildRequires: pesign >= 0.106-1
|
||||
BuildRequires: gnu-efi = 3.0q
|
||||
BuildRequires: gnu-efi = 3.0w
|
||||
BuildRequires: gnu-efi-devel = 3.0w
|
||||
|
||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||
# POSIX-style C library.
|
||||
# BuildRequires: OpenSSL
|
||||
Provides: bundled(openssl) = 0.9.8w
|
||||
Provides: bundled(openssl) = 0.9.8zb
|
||||
|
||||
# Shim is only required on platforms implementing the UEFI secure boot
|
||||
# protocol. The only one of those we currently wish to support is 64-bit x86.
|
||||
# Adding further platforms will require adding appropriate relocation code.
|
||||
ExclusiveArch: x86_64
|
||||
ExclusiveArch: x86_64 aarch64
|
||||
|
||||
# Figure out the right file path to use
|
||||
%if 0%{?rhel}
|
||||
@ -71,32 +53,23 @@ Summary: First-stage UEFI bootloader (unsigned data)
|
||||
Initial UEFI bootloader that handles chaining to a trusted full bootloader
|
||||
under secure boot environments.
|
||||
|
||||
%package -n mokutil
|
||||
Summary: Utilities for managing Secure Boot/MoK keys.
|
||||
|
||||
%description -n mokutil
|
||||
Utilities for managing the "Machine's Own Keys" list.
|
||||
|
||||
%prep
|
||||
%setup -q -n shim-%{version}
|
||||
%setup -q -a 2 -D -T
|
||||
%setup -q
|
||||
git init
|
||||
git config user.email "shim-owner@fedoraproject.org"
|
||||
git config user.email "%{name}-owner@fedoraproject.org"
|
||||
git config user.name "Fedora Ninjas"
|
||||
git add .
|
||||
git commit -a -q -m "%{version} baseline."
|
||||
git am %{patches} </dev/null
|
||||
git config --unset user.email
|
||||
git config --unset user.name
|
||||
|
||||
%build
|
||||
MAKEFLAGS=""
|
||||
if [ -f "%{SOURCE1}" ]; then
|
||||
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}"
|
||||
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE2}"
|
||||
fi
|
||||
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
||||
cd mokutil-%{mokutilver}
|
||||
%configure
|
||||
make %{?_smp_mflags}
|
||||
cd ..
|
||||
make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -106,10 +79,7 @@ install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
|
||||
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
|
||||
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
|
||||
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
|
||||
cd mokutil-%{mokutilver}
|
||||
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||
# now install our .debug files...
|
||||
cd ..
|
||||
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
|
||||
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
|
||||
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
|
||||
@ -120,11 +90,13 @@ install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/s
|
||||
%dir %{_datadir}/shim
|
||||
%{_datadir}/shim/*
|
||||
|
||||
%files -n mokutil
|
||||
/usr/bin/mokutil
|
||||
/usr/share/man/man1/mokutil.1.gz
|
||||
|
||||
%changelog
|
||||
* Mon Oct 13 2014 Peter Jones <pjones@redhat.com> - 0.8-1
|
||||
- Update to 0.8
|
||||
Related: rhbz#1148230
|
||||
Related: rhbz#1148231
|
||||
Related: rhbz#1148232
|
||||
|
||||
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
|
||||
- Update to 0.4
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user