From bc1e30ee1e7940e0e70eab9afd55b6e355ef9899 Mon Sep 17 00:00:00 2001
67f27a
From: Patrick Uiterwijk <patrick@puiterwijk.org>
67f27a
Date: Sat, 21 Jul 2018 03:27:26 +0200
67f27a
Subject: [PATCH] Add vendor_esl
67f27a
67f27a
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
67f27a
---
67f27a
 Makefile |  3 +++
67f27a
 cert.S   | 30 ++++++++++++++++++++++++++++++
67f27a
 shim.c   | 36 +++++++++++++++++++++++++++++++++++-
67f27a
 3 files changed, 68 insertions(+), 1 deletion(-)
67f27a
67f27a
diff --git a/Makefile b/Makefile
67f27a
index 6ece282..78688e0 100644
67f27a
--- a/Makefile
67f27a
+++ b/Makefile
67f27a
@@ -82,6 +82,9 @@ endif
67f27a
 ifneq ($(origin VENDOR_CERT_FILE), undefined)
67f27a
 	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
67f27a
 endif
67f27a
+ifneq ($(origin VENDOR_ESL_FILE), undefined)
67f27a
+	CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
67f27a
+endif
67f27a
 ifneq ($(origin VENDOR_DBX_FILE), undefined)
67f27a
 	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
67f27a
 endif
67f27a
diff --git a/cert.S b/cert.S
67f27a
index cfc4525..7ad782a 100644
67f27a
--- a/cert.S
67f27a
+++ b/cert.S
67f27a
@@ -8,12 +8,18 @@ cert_table:
67f27a
 #else
67f27a
 	.long	0
67f27a
 #endif
67f27a
+#if defined(VENDOR_ESL_FILE)
67f27a
+	.long	vendor_esl_priv_end - vendor_esl_priv
67f27a
+#else
67f27a
+	.long	0
67f27a
+#endif
67f27a
 #if defined(VENDOR_DBX_FILE)
67f27a
 	.long	vendor_dbx_priv_end - vendor_dbx_priv
67f27a
 #else
67f27a
 	.long	0
67f27a
 #endif
67f27a
 	.long	vendor_cert_priv - cert_table
67f27a
+	.long	vendor_esl_priv - cert_table
67f27a
 	.long	vendor_dbx_priv - cert_table
67f27a
 #if defined(VENDOR_CERT_FILE)
67f27a
 	.data
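Review bot: The six `.long` words emitted here are consumed from shim.c as the anonymous `cert_table` struct (three sizes, then three offsets), so the new ESL size and offset must sit at exactly the same positions in both files, and nothing in either file checks that they do; a comment above the table stating the layout would make the contract explicit, e.g. `/* Layout must match struct cert_table in shim.c: vendor_cert_size, vendor_esl_size, vendor_dbx_size, then the three offsets from cert_table. */`. The header also grows from four words to six, so any out-of-tree tool that parses the `.vendor_cert` section with the old layout would presumably break; if such tools exist that is worth a line in the commit message. The `cert_table:` label itself is above this hunk.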
67f27a
@@ -39,6 +45,30 @@ vendor_cert_priv:
67f27a
 	.section .vendor_cert, "a", %progbits
67f27a
 vendor_cert_priv_end:
67f27a
 #endif
67f27a
+#if defined(VENDOR_ESL_FILE)
67f27a
+	.data
67f27a
+	.align	1
67f27a
+	.type	vendor_esl_priv, %object
67f27a
+	.size	vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
67f27a
+	.section .vendor_cert, "a", %progbits
67f27a
+vendor_esl_priv:
67f27a
+.incbin VENDOR_ESL_FILE
67f27a
+vendor_esl_priv_end:
67f27a
+#else
67f27a
+	.bss
67f27a
+	.type	vendor_esl_priv, %object
67f27a
+	.size	vendor_esl_priv, 1
67f27a
+	.section .vendor_cert, "a", %progbits
67f27a
+vendor_esl_priv:
67f27a
+	.zero	1
67f27a
+
67f27a
+	.data
67f27a
+	.align 4
67f27a
+	.type	vendor_esl_size_priv, %object
67f27a
+	.size	vendor_esl_size_priv, 4
67f27a
+	.section .vendor_cert, "a", %progbits
67f27a
+vendor_esl_priv_end:
67f27a
+#endif
67f27a
 #if defined(VENDOR_DBX_FILE)
67f27a
 	.data
67f27a
 	.align	1
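Review bot: In the `#else` stub the `.type vendor_esl_size_priv, %object` and `.size vendor_esl_size_priv, 4` directives describe a symbol that is never given a label, so they attach to nothing; this looks copied from the `vendor_cert` stub above the hunk, and if that stub carries the same dead directives the new code is at least consistent, but either dropping those two lines or defining the label would be cleaner. The stub also declares `vendor_esl_priv` under `.bss` and then switches to `.section .vendor_cert` before the label, so the `.bss` line has no effect on where the byte lands; again presumably inherited, but a one-line comment such as `/* no ESL built in: emit a 1-byte placeholder so the offset in cert_table stays valid */` would explain why the stub exists at all.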
67f27a
diff --git a/shim.c b/shim.c
67f27a
index f8a1e67..d99134f 100644
67f27a
--- a/shim.c
67f27a
+++ b/shim.c
67f27a
@@ -84,14 +84,18 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
67f27a
  */
67f27a
 extern struct {
67f27a
 	UINT32 vendor_cert_size;
67f27a
+	UINT32 vendor_esl_size;
67f27a
 	UINT32 vendor_dbx_size;
67f27a
 	UINT32 vendor_cert_offset;
67f27a
+	UINT32 vendor_esl_offset;
67f27a
 	UINT32 vendor_dbx_offset;
67f27a
 } cert_table;
67f27a
 
67f27a
 UINT32 vendor_cert_size;
67f27a
+UINT32 vendor_esl_size;
67f27a
 UINT32 vendor_dbx_size;
67f27a
 UINT8 *vendor_cert;
67f27a
+UINT8 *vendor_esl;
67f27a
 UINT8 *vendor_dbx;
67f27a
 
67f27a
 /*
67f27a
@@ -1029,6 +1033,18 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
67f27a
 			return status;
67f27a
 		}
67f27a
 
67f27a
+		/*
67f27a
+		 * Check if there's a vendor ESL built-in
67f27a
+		 */
67f27a
+		if (vendor_esl_size &&
67f27a
+			check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
67f27a
+					     vendor_esl_size,
67f27a
+					     cert,
67f27a
+					     sha256hash) == DATA_FOUND) {
67f27a
+			status = EFI_SUCCESS;
67f27a
+			return status;
67f27a
+		}
67f27a
+
67f27a
 		/*
67f27a
 		 * And finally, check against shim's built-in key
67f27a
 		 */
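Review bot: The new block accepts the image outright on `DATA_FOUND`, but its comment says only that an ESL "is built-in", not what the lookup establishes or why it is placed between the MOK/db lookup and the built-in `vendor_cert` check; given that `check_db_cert_in_ram` is, by its name, the same routine used for db/MokList (its body is not in this hunk), the comment should state that the embedded list is treated as one more db list, e.g. `/* Built-in vendor ESL: treated like an extra db list; accept if one of its X.509 entries verifies the signature (assumes the dbx/MokListX checks earlier in this function have already run). */`. The `status = EFI_SUCCESS; return status;` pair can simply be `return EFI_SUCCESS;`, though it mirrors the neighbouring branch. Nothing in the patch checks that the embedded blob is a well-formed EFI_SIGNATURE_LIST sequence whose list sizes sum to `vendor_esl_size`; this is build-time input, but a malformed ESL file would presumably be walked past its end rather than rejected, so a cheap sanity check at build time or once in efi_main would be worthwhile. verify_buffer starts and ends outside this hunk.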
67f27a
@@ -1973,6 +1989,22 @@ EFI_STATUS mirror_mok_list()
67f27a
 
67f27a
 		CertData->SignatureOwner = SHIM_LOCK_GUID;
67f27a
 		CopyMem(p, vendor_cert, vendor_cert_size);
67f27a
+	} else if (vendor_esl_size) {
67f27a
+		FullDataSize = DataSize
67f27a
+			     + vendor_esl_size
67f27a
+			     ;
67f27a
+		FullData = AllocatePool(FullDataSize);
67f27a
+		if (!FullData) {
67f27a
+			perror(L"Failed to allocate space for MokListRT\n");
67f27a
+			return EFI_OUT_OF_RESOURCES;
67f27a
+		}
67f27a
+		p = FullData;
67f27a
+
67f27a
+		if (efi_status == EFI_SUCCESS && DataSize > 0) {
67f27a
+			CopyMem(p, Data, DataSize);
67f27a
+			p += DataSize;
67f27a
+		}
67f27a
+		CopyMem(p, vendor_esl, vendor_esl_size);
67f27a
 	} else {
67f27a
 		FullDataSize = DataSize;
67f27a
 		FullData = Data;
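Review bot: The ESL is mirrored into MokListRT only when no vendor_cert is built in, because `} else if (vendor_esl_size) {` hangs off the vendor_cert branch, whereas verify_buffer and shim_init in this same patch treat the two as independent; a shim built with both will accept images signed by the ESL certificates but never publish those certificates in MokListRT, so consumers of that variable (presumably the kernel's platform keyring and mokutil) would disagree with what shim actually trusts. Make the mirroring additive: size the buffer for MokList plus the wrapped vendor_cert plus the raw ESL, then append each part that is present. The vendor_cert size terms and the EFI_SIGNATURE_LIST wrapping live above this hunk, so the sketch keeps them as placeholders; mirror_mok_list itself begins before the hunk.
```c
	/* … unchanged: fetch MokList into Data/DataSize … */
	FullDataSize = DataSize;
	if (vendor_cert_size) {
		/* … unchanged: add the existing vendor_cert terms (list header + GUID + vendor_cert_size) to FullDataSize … */
	}
	if (vendor_esl_size)
		FullDataSize += vendor_esl_size;

	if (vendor_cert_size || vendor_esl_size) {
		FullData = AllocatePool(FullDataSize);
		if (!FullData) {
			perror(L"Failed to allocate space for MokListRT\n");
			return EFI_OUT_OF_RESOURCES;
		}
		p = FullData;

		if (efi_status == EFI_SUCCESS && DataSize > 0) {
			CopyMem(p, Data, DataSize);
			p += DataSize;
		}
		if (vendor_cert_size) {
			/* … unchanged: wrap vendor_cert in an EFI_SIGNATURE_LIST at p, then advance p by the same size terms … */
		}
		if (vendor_esl_size) {
			/* already a signature list: append verbatim */
			CopyMem(p, vendor_esl, vendor_esl_size);
			p += vendor_esl_size;
		}
	} else {
		FullDataSize = DataSize;
		FullData = Data;
	}
```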
67f27a
@@ -2606,7 +2638,7 @@ shim_init(void)
67f27a
 	set_second_stage (global_image_handle);
67f27a
 
67f27a
 	if (secure_mode()) {
67f27a
-		if (vendor_cert_size || vendor_dbx_size) {
67f27a
+		if (vendor_cert_size || vendor_esl_size || vendor_dbx_size) {
67f27a
 			/*
67f27a
 			 * If shim includes its own certificates then ensure
67f27a
 			 * that anything it boots has performed some
67f27a
@@ -2706,8 +2738,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
67f27a
 	verification_method = VERIFIED_BY_NOTHING;
67f27a
 
67f27a
 	vendor_cert_size = cert_table.vendor_cert_size;
67f27a
+	vendor_esl_size = cert_table.vendor_esl_size;
67f27a
 	vendor_dbx_size = cert_table.vendor_dbx_size;
67f27a
 	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
67f27a
+	vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
67f27a
 	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
67f27a
 
67f27a
 	/*
67f27a
-- 
67f27a
2.18.0