Compare commits
7 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
e66067a8e6 | ||
|
d854b5dba9 | ||
|
5fbba32ca2 | ||
|
08332a60c2 | ||
|
7eb349fa90 | ||
|
583daa9e89 | ||
|
b819c2be5b |
5
.gitignore
vendored
5
.gitignore
vendored
@ -1,2 +1,3 @@
|
|||||||
/mokutil-*.tar.bz2
|
*.tar.*
|
||||||
/shim-*.tar.bz2
|
clog
|
||||||
|
*.rpm
|
||||||
|
@ -1,59 +0,0 @@
|
|||||||
From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Fri, 31 May 2013 15:22:37 -0400
|
|
||||||
Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized.
|
|
||||||
|
|
||||||
GCC 4.8.0 will try to use these by default, and you'll wind up looping
|
|
||||||
across the (uninitialized!) trap handler for uninitialized instructions.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
Cryptlib/Makefile | 2 +-
|
|
||||||
Cryptlib/OpenSSL/Makefile | 2 +-
|
|
||||||
Makefile | 4 ++--
|
|
||||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
|
|
||||||
index 925db8d..f1add83 100644
|
|
||||||
--- a/Cryptlib/Makefile
|
|
||||||
+++ b/Cryptlib/Makefile
|
|
||||||
@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
|
||||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
|
||||||
|
|
||||||
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
|
||||||
- -Wall $(EFI_INCLUDES) -mno-red-zone
|
|
||||||
+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx
|
|
||||||
ifeq ($(ARCH),x86_64)
|
|
||||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
|
||||||
endif
|
|
||||||
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
|
|
||||||
index 7fde382..1bae841 100644
|
|
||||||
--- a/Cryptlib/OpenSSL/Makefile
|
|
||||||
+++ b/Cryptlib/OpenSSL/Makefile
|
|
||||||
@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi
|
|
||||||
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
|
|
||||||
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
|
|
||||||
|
|
||||||
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
|
|
||||||
+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \
|
|
||||||
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone
|
|
||||||
ifeq ($(ARCH),x86_64)
|
|
||||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
|
||||||
diff --git a/Makefile b/Makefile
|
|
||||||
index 287fbcf..c8f6ec8 100644
|
|
||||||
--- a/Makefile
|
|
||||||
+++ b/Makefile
|
|
||||||
@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
|
||||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
|
||||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
|
||||||
|
|
||||||
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
|
||||||
- -Wall -mno-red-zone \
|
|
||||||
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
|
|
||||||
+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \
|
|
||||||
$(EFI_INCLUDES)
|
|
||||||
ifeq ($(ARCH),x86_64)
|
|
||||||
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
|
|
||||||
--
|
|
||||||
1.8.2.1
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 10 Jun 2013 18:08:50 -0400
|
|
||||||
Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own
|
|
||||||
signing.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
shim.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 94b9710..4edd0b6 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if 0
|
|
||||||
/*
|
|
||||||
* Check against the shim build key
|
|
||||||
*/
|
|
||||||
@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
Print(L"Binary is verified by the vendor certificate\n");
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
1.8.2.1
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Thu, 30 May 2013 17:23:19 -0400
|
|
||||||
Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t
|
|
||||||
|
|
||||||
---
|
|
||||||
netboot.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git b/netboot.c a/netboot.c
|
|
||||||
index c44aeac..90fb9cb 100644
|
|
||||||
--- b/netboot.c
|
|
||||||
+++ a/netboot.c
|
|
||||||
@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr;
|
|
||||||
static char *full_path;
|
|
||||||
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Not in the EFI header set yet, so I have to declare it here
|
|
||||||
+ */
|
|
||||||
+typedef struct {
|
|
||||||
+ UINT32 MessageType:8;
|
|
||||||
+ UINT32 TransactionId:24;
|
|
||||||
+ UINT8 DhcpOptions[1024];
|
|
||||||
+} EFI_PXE_BASE_CODE_DHCPV6_PACKET;
|
|
||||||
+
|
|
||||||
typedef struct {
|
|
||||||
UINT16 OpCode;
|
|
||||||
UINT16 Length;
|
|
||||||
--
|
|
||||||
1.8.2.1
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 May 2013 13:12:43 -0400
|
|
||||||
Subject: [PATCH] Fix grub path
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
|
||||||
---
|
|
||||||
shim.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index f2b8f1d..d28e0cd 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -43,7 +43,7 @@
|
|
||||||
#include "shim_cert.h"
|
|
||||||
#include "ucs2.h"
|
|
||||||
|
|
||||||
-#define DEFAULT_LOADER L"\\grub.efi"
|
|
||||||
+#define DEFAULT_LOADER L"\\grubx64.efi"
|
|
||||||
#define FALLBACK L"\\fallback.efi"
|
|
||||||
#define MOK_MANAGER L"\\MokManager.efi"
|
|
||||||
|
|
||||||
--
|
|
||||||
1.8.2.1
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 11 Jun 2013 14:58:25 -0400
|
|
||||||
Subject: [PATCH] Fix some pointer casting issues.
|
|
||||||
|
|
||||||
This also fixes the size of an empty vendor_cert or dbx_cert.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
|
||||||
---
|
|
||||||
cert.S | 2 +-
|
|
||||||
shim.c | 9 +++++----
|
|
||||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/cert.S b/cert.S
|
|
||||||
index 2ed9b6d..66a05b8 100644
|
|
||||||
--- a/cert.S
|
|
||||||
+++ b/cert.S
|
|
||||||
@@ -32,5 +32,5 @@ vendor_cert:
|
|
||||||
.size vendor_cert_size, 4
|
|
||||||
.section .vendor_cert, "a", @progbits
|
|
||||||
vendor_cert_size:
|
|
||||||
- .long 1
|
|
||||||
+ .long 0
|
|
||||||
#endif
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 8ffcad6..a573037 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -59,7 +59,7 @@ static UINT32 load_options_size;
|
|
||||||
*/
|
|
||||||
extern UINT8 vendor_cert[];
|
|
||||||
extern UINT32 vendor_cert_size;
|
|
||||||
-extern EFI_SIGNATURE_LIST *vendor_dbx;
|
|
||||||
+extern UINT8 vendor_dbx[];
|
|
||||||
extern UINT32 vendor_dbx_size;
|
|
||||||
|
|
||||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
|
||||||
@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
|
||||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
|
||||||
{
|
|
||||||
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
|
||||||
+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
|
|
||||||
|
|
||||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
|
|
||||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
|
|
||||||
SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
|
|
||||||
DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
|
|
||||||
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
|
|
||||||
SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
|
|
||||||
DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
|
|
||||||
+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
|
|
||||||
sha256hash) == DATA_FOUND)
|
|
||||||
return EFI_ACCESS_DENIED;
|
|
||||||
|
|
||||||
--
|
|
||||||
1.8.2.1
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
|
|
||||||
Return-Path: jwboyer@redhat.com
|
|
||||||
Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
|
|
||||||
zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
|
|
||||||
zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
|
|
||||||
11:12:04 -0500 (EST)
|
|
||||||
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
|
|
||||||
by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
|
|
||||||
for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
|
|
||||||
Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
|
|
||||||
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
|
|
||||||
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
|
|
||||||
Tue, 11 Dec 2012 11:12:03 -0500
|
|
||||||
Date: Tue, 11 Dec 2012 11:12:01 -0500
|
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
|
||||||
To: pjones@redhat.com
|
|
||||||
Cc: mjg59@srcf.ucam.org
|
|
||||||
Subject: [PATCH] Fix SignatureSize field when importing a new cert
|
|
||||||
Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=us-ascii
|
|
||||||
Content-Disposition: inline
|
|
||||||
User-Agent: Mutt/1.5.21 (2010-09-15)
|
|
||||||
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
|
|
||||||
Status: RO
|
|
||||||
Content-Length: 842
|
|
||||||
Lines: 25
|
|
||||||
|
|
||||||
The SignatureSize field should be the length of the certificate plus
|
|
||||||
16 per the UEFI spec. Remove the extraneous addition of
|
|
||||||
sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
|
|
||||||
in MokListRT are parsable.
|
|
||||||
---
|
|
||||||
src/mokutil.c | 3 +--
|
|
||||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
|
|
||||||
index ca46488..f94aee4 100644
|
|
||||||
--- a/mokutil-0.1.0/src/mokutil.c
|
|
||||||
+++ b/mokutil-0.1.0/src/mokutil.c
|
|
||||||
@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
|
|
||||||
CertList->SignatureListSize = sizes[i] +
|
|
||||||
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
|
|
||||||
CertList->SignatureHeaderSize = 0;
|
|
||||||
- CertList->SignatureSize = sizes[i] +
|
|
||||||
- sizeof(EFI_SIGNATURE_DATA) + 16;
|
|
||||||
+ CertList->SignatureSize = sizes[i] + 16;
|
|
||||||
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
||||||
|
|
||||||
fd = open (files[i], O_RDONLY);
|
|
||||||
--
|
|
||||||
1.8.0.1
|
|
||||||
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
@ -1,63 +0,0 @@
|
|||||||
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
|
||||||
Date: Tue, 14 Aug 2012 06:50:00 -0400
|
|
||||||
Subject: [PATCH] Use the file size, not the image size field, for
|
|
||||||
verification.
|
|
||||||
|
|
||||||
---
|
|
||||||
shim.c | 11 ++++++-----
|
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index 2d9044d..6a3c054 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -555,7 +555,7 @@ done:
|
|
||||||
/*
|
|
||||||
* Read the binary header and grab appropriate information from it
|
|
||||||
*/
|
|
||||||
-static EFI_STATUS read_header(void *data,
|
|
||||||
+static EFI_STATUS read_header(void *data, unsigned int datasize,
|
|
||||||
PE_COFF_LOADER_IMAGE_CONTEXT *context)
|
|
||||||
{
|
|
||||||
EFI_IMAGE_DOS_HEADER *DosHdr = data;
|
|
||||||
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
|
|
||||||
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
|
|
||||||
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
|
|
||||||
|
|
||||||
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
|
|
||||||
+ if (context->SecDir->VirtualAddress >= datasize) {
|
|
||||||
Print(L"Malformed security header\n");
|
|
||||||
return EFI_INVALID_PARAMETER;
|
|
||||||
}
|
|
||||||
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
|
|
||||||
/*
|
|
||||||
* Once the image has been loaded it needs to be validated and relocated
|
|
||||||
*/
|
|
||||||
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
|
||||||
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
|
|
||||||
+ EFI_LOADED_IMAGE *li)
|
|
||||||
{
|
|
||||||
EFI_STATUS efi_status;
|
|
||||||
char *buffer;
|
|
||||||
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
|
|
||||||
char *base, *end;
|
|
||||||
PE_COFF_LOADER_IMAGE_CONTEXT context;
|
|
||||||
|
|
||||||
- efi_status = read_header(data, &context);
|
|
||||||
+ efi_status = read_header(data, datasize, &context);
|
|
||||||
if (efi_status != EFI_SUCCESS) {
|
|
||||||
Print(L"Failed to read header\n");
|
|
||||||
return efi_status;
|
|
||||||
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
|
|
||||||
if (!secure_mode())
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
|
|
||||||
- status = read_header(buffer, &context);
|
|
||||||
+ status = read_header(buffer, size, &context);
|
|
||||||
|
|
||||||
if (status != EFI_SUCCESS)
|
|
||||||
return status;
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
@ -1,129 +0,0 @@
|
|||||||
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 13 Aug 2012 17:06:46 -0400
|
|
||||||
Subject: [PATCH] Allow specification of vendor_cert through a build command
|
|
||||||
line option.
|
|
||||||
|
|
||||||
This allows you to specify the vendor_cert as a file on the command line
|
|
||||||
during build.
|
|
||||||
---
|
|
||||||
Makefile | 16 +++++++++++-----
|
|
||||||
cert.S | 32 ++++++++++++++++++++++++++++++++
|
|
||||||
cert.h | 1 -
|
|
||||||
shim.c | 6 +++---
|
|
||||||
4 files changed, 46 insertions(+), 9 deletions(-)
|
|
||||||
create mode 100644 cert.S
|
|
||||||
delete mode 100644 cert.h
|
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
|
||||||
index 1e3a020..66b105f 100644
|
|
||||||
--- a/Makefile
|
|
||||||
+++ b/Makefile
|
|
||||||
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
|
|
||||||
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
|
|
||||||
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
|
|
||||||
|
|
||||||
-
|
|
||||||
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
|
|
||||||
-Wall -mno-red-zone \
|
|
||||||
$(EFI_INCLUDES)
|
|
||||||
ifeq ($(ARCH),x86_64)
|
|
||||||
CFLAGS += -DEFI_FUNCTION_WRAPPER
|
|
||||||
endif
|
|
||||||
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
|
|
||||||
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
|
|
||||||
|
|
||||||
-TARGET = shim.efi
|
|
||||||
-OBJS = shim.o shim.so
|
|
||||||
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
|
|
||||||
+TARGET = shim.efi
|
|
||||||
+OBJS = shim.o cert.o
|
|
||||||
+SOURCES = shim.c shim.h signature.h PeImage.h
|
|
||||||
|
|
||||||
all: $(TARGET)
|
|
||||||
|
|
||||||
shim.o: $(SOURCES)
|
|
||||||
|
|
||||||
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
|
|
||||||
+cert.o : cert.S
|
|
||||||
+ $(CC) $(CFLAGS) -c -o $@ $<
|
|
||||||
+
|
|
||||||
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
|
|
||||||
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
|
|
||||||
|
|
||||||
Cryptlib/libcryptlib.a:
|
|
||||||
diff --git a/cert.S b/cert.S
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..129bab5
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/cert.S
|
|
||||||
@@ -0,0 +1,32 @@
|
|
||||||
+#if defined(VENDOR_CERT_FILE)
|
|
||||||
+ .globl vendor_cert
|
|
||||||
+ .data
|
|
||||||
+ .align 16
|
|
||||||
+ .type vendor_cert, @object
|
|
||||||
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
|
|
||||||
+vendor_cert:
|
|
||||||
+.incbin VENDOR_CERT_FILE
|
|
||||||
+
|
|
||||||
+ .globl vendor_cert_size
|
|
||||||
+ .data
|
|
||||||
+ .align 16
|
|
||||||
+ .type vendor_cert_size, @object
|
|
||||||
+ .size vendor_cert_size, 4
|
|
||||||
+vendor_cert_size:
|
|
||||||
+ .long vendor_cert_size - vendor_cert
|
|
||||||
+#else
|
|
||||||
+ .globl vendor_cert
|
|
||||||
+ .bss
|
|
||||||
+ .type vendor_cert, @object
|
|
||||||
+ .size vendor_cert, 1
|
|
||||||
+vendor_cert:
|
|
||||||
+ .zero 1
|
|
||||||
+
|
|
||||||
+ .globl vendor_cert_size
|
|
||||||
+ .data
|
|
||||||
+ .align 4
|
|
||||||
+ .type vendor_cert_size, @object
|
|
||||||
+ .size vendor_cert_size, 4
|
|
||||||
+vendor_cert_size:
|
|
||||||
+ .long 1
|
|
||||||
+#endif
|
|
||||||
diff --git a/cert.h b/cert.h
|
|
||||||
deleted file mode 100644
|
|
||||||
index 380bc04..0000000
|
|
||||||
--- a/cert.h
|
|
||||||
+++ /dev/null
|
|
||||||
@@ -1 +0,0 @@
|
|
||||||
-static UINT8 vendor_cert[] = {0x00};
|
|
||||||
diff --git a/shim.c b/shim.c
|
|
||||||
index fc3dafc..2d9044d 100644
|
|
||||||
--- a/shim.c
|
|
||||||
+++ b/shim.c
|
|
||||||
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
|
|
||||||
/*
|
|
||||||
* The vendor certificate used for validating the second stage loader
|
|
||||||
*/
|
|
||||||
-
|
|
||||||
-#include "cert.h"
|
|
||||||
+extern UINT8 vendor_cert[];
|
|
||||||
+extern UINT32 vendor_cert_size;
|
|
||||||
|
|
||||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
|
|
||||||
|
|
||||||
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
|
|
||||||
|
|
||||||
if (!AuthenticodeVerify(cert->CertData,
|
|
||||||
context->SecDir->Size - sizeof(cert->Hdr),
|
|
||||||
- vendor_cert, sizeof(vendor_cert), hash,
|
|
||||||
+ vendor_cert, vendor_cert_size, hash,
|
|
||||||
SHA256_DIGEST_SIZE)) {
|
|
||||||
Print(L"Invalid signature\n");
|
|
||||||
status = EFI_ACCESS_DENIED;
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
68
shim.spec
68
shim.spec
@ -1,17 +1,13 @@
|
|||||||
Name: shim
|
Name: shim
|
||||||
Version: 0.4
|
Version: 0.8
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: First-stage UEFI bootloader
|
Summary: First-stage UEFI bootloader
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://www.codon.org.uk/~mjg59/shim/
|
URL: http://www.codon.org.uk/~mjg59/shim/
|
||||||
Source0: http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2
|
Source0: https://github.com/mjg59/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
|
||||||
Source1: fedora-ca.cer
|
Source1: fedora-ca.cer
|
||||||
|
|
||||||
# incorporate mokutil for packaging simplicity
|
|
||||||
%global mokutilver 0.1.0
|
|
||||||
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
|
||||||
|
|
||||||
# currently here's what's in our dbx:
|
# currently here's what's in our dbx:
|
||||||
# grub2-efi-2.00-11.fc18.x86_64:
|
# grub2-efi-2.00-11.fc18.x86_64:
|
||||||
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
|
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
|
||||||
@ -20,37 +16,23 @@ Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
|
|||||||
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
|
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
|
||||||
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
|
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
|
||||||
# woops.
|
# woops.
|
||||||
Source3: dbx.esl
|
Source2: dbx.esl
|
||||||
|
|
||||||
# this we'll always need, unless we phase in a rename of our grub binary.
|
BuildRequires: git openssl-devel openssl
|
||||||
Patch0: 0001-Fix-grub-path.patch
|
|
||||||
|
|
||||||
# this we won't need in the next version of mokutil
|
|
||||||
Patch1: mokutil-correct-moklistrt-size.patch
|
|
||||||
|
|
||||||
# this needs to be worked on upstream
|
|
||||||
Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
|
|
||||||
|
|
||||||
# this will go away once a new gnu-efi actually works again
|
|
||||||
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
|
|
||||||
|
|
||||||
# this will go away with shim 0.5
|
|
||||||
Patch4: 0001-Fix-some-pointer-casting-issues.patch
|
|
||||||
|
|
||||||
BuildRequires: gnu-efi git openssl-devel openssl
|
|
||||||
BuildRequires: pesign >= 0.106-1
|
BuildRequires: pesign >= 0.106-1
|
||||||
BuildRequires: gnu-efi = 3.0q
|
BuildRequires: gnu-efi = 3.0w
|
||||||
|
BuildRequires: gnu-efi-devel = 3.0w
|
||||||
|
|
||||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||||
# POSIX-style C library.
|
# POSIX-style C library.
|
||||||
# BuildRequires: OpenSSL
|
# BuildRequires: OpenSSL
|
||||||
Provides: bundled(openssl) = 0.9.8w
|
Provides: bundled(openssl) = 0.9.8zb
|
||||||
|
|
||||||
# Shim is only required on platforms implementing the UEFI secure boot
|
# Shim is only required on platforms implementing the UEFI secure boot
|
||||||
# protocol. The only one of those we currently wish to support is 64-bit x86.
|
# protocol. The only one of those we currently wish to support is 64-bit x86.
|
||||||
# Adding further platforms will require adding appropriate relocation code.
|
# Adding further platforms will require adding appropriate relocation code.
|
||||||
ExclusiveArch: x86_64
|
ExclusiveArch: x86_64 aarch64
|
||||||
|
|
||||||
# Figure out the right file path to use
|
# Figure out the right file path to use
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
@ -71,32 +53,23 @@ Summary: First-stage UEFI bootloader (unsigned data)
|
|||||||
Initial UEFI bootloader that handles chaining to a trusted full bootloader
|
Initial UEFI bootloader that handles chaining to a trusted full bootloader
|
||||||
under secure boot environments.
|
under secure boot environments.
|
||||||
|
|
||||||
%package -n mokutil
|
|
||||||
Summary: Utilities for managing Secure Boot/MoK keys.
|
|
||||||
|
|
||||||
%description -n mokutil
|
|
||||||
Utilities for managing the "Machine's Own Keys" list.
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n shim-%{version}
|
%setup -q
|
||||||
%setup -q -a 2 -D -T
|
|
||||||
git init
|
git init
|
||||||
git config user.email "shim-owner@fedoraproject.org"
|
git config user.email "%{name}-owner@fedoraproject.org"
|
||||||
git config user.name "Fedora Ninjas"
|
git config user.name "Fedora Ninjas"
|
||||||
git add .
|
git add .
|
||||||
git commit -a -q -m "%{version} baseline."
|
git commit -a -q -m "%{version} baseline."
|
||||||
git am %{patches} </dev/null
|
git am %{patches} </dev/null
|
||||||
|
git config --unset user.email
|
||||||
|
git config --unset user.name
|
||||||
|
|
||||||
%build
|
%build
|
||||||
MAKEFLAGS=""
|
MAKEFLAGS=""
|
||||||
if [ -f "%{SOURCE1}" ]; then
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}"
|
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE2}"
|
||||||
fi
|
fi
|
||||||
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
|
||||||
cd mokutil-%{mokutilver}
|
|
||||||
%configure
|
|
||||||
make %{?_smp_mflags}
|
|
||||||
cd ..
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
@ -106,10 +79,7 @@ install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
|
|||||||
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
|
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
|
||||||
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
|
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
|
||||||
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
|
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
|
||||||
cd mokutil-%{mokutilver}
|
|
||||||
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
|
||||||
# now install our .debug files...
|
# now install our .debug files...
|
||||||
cd ..
|
|
||||||
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
|
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
|
||||||
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
|
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
|
||||||
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
|
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
|
||||||
@ -120,11 +90,13 @@ install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/s
|
|||||||
%dir %{_datadir}/shim
|
%dir %{_datadir}/shim
|
||||||
%{_datadir}/shim/*
|
%{_datadir}/shim/*
|
||||||
|
|
||||||
%files -n mokutil
|
|
||||||
/usr/bin/mokutil
|
|
||||||
/usr/share/man/man1/mokutil.1.gz
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 13 2014 Peter Jones <pjones@redhat.com> - 0.8-1
|
||||||
|
- Update to 0.8
|
||||||
|
Related: rhbz#1148230
|
||||||
|
Related: rhbz#1148231
|
||||||
|
Related: rhbz#1148232
|
||||||
|
|
||||||
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
|
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
|
||||||
- Update to 0.4
|
- Update to 0.4
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user