Blob Blame History Raw
From 4bfb13d803f4d8efe544e0f2aa9cd712b8cb84b1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 1 Oct 2013 11:58:52 +0800
Subject: [PATCH 37/74] Silence the functions of shim protocol

When grub2 invokes the functions of shim protocol in gfx mode,
OutputString in shim could distort the screen.

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>

Conflicts:
	shim.c

(modified by pjones to include some newer Prints that weren't there when
Gary did the initial work here.)
---
 shim.c | 192 ++++++++++++++++++++++++++++++++++++++---------------------------
 1 file changed, 114 insertions(+), 78 deletions(-)

diff --git a/shim.c b/shim.c
index f9fa606..69af766 100644
--- a/shim.c
+++ b/shim.c
@@ -59,6 +59,14 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
 static CHAR16 *second_stage;
 static void *load_options;
 static UINT32 load_options_size;
+static UINT8 in_protocol;
+
+#define perror(fmt, ...) ({						\
+		UINTN __perror_ret = 0;					\
+		if (in_protocol)					\
+			__perror_ret = Print((fmt), ##__VA_ARGS__);	\
+		__perror_ret;						\
+	})
 
 EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
 
@@ -133,7 +141,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
 #endif
 
 	if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) {
-		Print(L"Image has no relocation entry\n");
+		perror(L"Image has no relocation entry\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -141,7 +149,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
 	RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1);
 
 	if (!RelocBase || !RelocBaseEnd) {
-		Print(L"Reloc table overflows binary\n");
+		perror(L"Reloc table overflows binary\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -154,19 +162,19 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
 		Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION));
 
 		if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) {
-			Print(L"Reloc block size is invalid\n");
+			perror(L"Reloc block size is invalid\n");
 			return EFI_UNSUPPORTED;
 		}
 
 		RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock);
 		if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) {
-			Print(L"Reloc entry overflows binary\n");
+			perror(L"Reloc entry overflows binary\n");
 			return EFI_UNSUPPORTED;
 		}
 
 		FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress);
 		if (!FixupBase) {
-			Print(L"Invalid fixupbase\n");
+			perror(L"Invalid fixupbase\n");
 			return EFI_UNSUPPORTED;
 		}
 
@@ -215,7 +223,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
 				break;
 
 			default:
-				Print(L"Unknown relocation\n");
+				perror(L"Unknown relocation\n");
 				return EFI_UNSUPPORTED;
 			}
 			Reloc += 1;
@@ -478,7 +486,7 @@ static BOOLEAN secure_mode (void)
 
 	status = get_variable(L"SecureBoot", &Data, &len, global_var);
 	if (status != EFI_SUCCESS) {
-		if (verbose)
+		if (verbose && !in_protocol)
 			console_notify(L"Secure boot not enabled");
 		return FALSE;
 	}
@@ -486,7 +494,7 @@ static BOOLEAN secure_mode (void)
 	FreePool(Data);
 
 	if (sb != 1) {
-		if (verbose)
+		if (verbose && !in_protocol)
 			console_notify(L"Secure boot not enabled");
 		return FALSE;
 	}
@@ -499,7 +507,7 @@ static BOOLEAN secure_mode (void)
 	FreePool(Data);
 
 	if (setupmode == 1) {
-		if (verbose)
+		if (verbose && !in_protocol)
 			console_notify(L"Platform is in setup mode");
 		return FALSE;
 	}
@@ -531,14 +539,14 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 	unsigned int PEHdr_offset = 0;
 
 	if (datasize_in < 0) {
-		Print(L"Invalid data size\n");
+		perror(L"Invalid data size\n");
 		return EFI_INVALID_PARAMETER;
 	}
 	size = datasize = (unsigned int)datasize_in;
 
 	if (datasize <= sizeof (*DosHdr) ||
 	    DosHdr->e_magic != EFI_IMAGE_DOS_SIGNATURE) {
-		Print(L"Invalid signature\n");
+		perror(L"Invalid signature\n");
 		return EFI_INVALID_PARAMETER;
 	}
 	PEHdr_offset = DosHdr->e_lfanew;
@@ -550,12 +558,12 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 	sha1ctx = AllocatePool(sha1ctxsize);
 
 	if (!sha256ctx || !sha1ctx) {
-		Print(L"Unable to allocate memory for hash context\n");
+		perror(L"Unable to allocate memory for hash context\n");
 		return EFI_OUT_OF_RESOURCES;
 	}
 
 	if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
-		Print(L"Unable to initialise hash\n");
+		perror(L"Unable to initialise hash\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -567,7 +575,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
-		Print(L"Unable to generate hash\n");
+		perror(L"Unable to generate hash\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -579,7 +587,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
-		Print(L"Unable to generate hash\n");
+		perror(L"Unable to generate hash\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -597,7 +605,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
-		Print(L"Unable to generate hash\n");
+		perror(L"Unable to generate hash\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -621,14 +629,14 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 			context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader +
 			(index * sizeof(*SectionPtr)));
 		if (!SectionPtr) {
-			Print(L"Malformed section %d\n", index);
+			perror(L"Malformed section %d\n", index);
 			status = EFI_INVALID_PARAMETER;
 			goto done;
 		}
 		/* Validate section size is within image. */
 		if (SectionPtr->SizeOfRawData >
 		    datasize - SumOfBytesHashed - SumOfSectionBytes) {
-			Print(L"Malformed section %d size\n", index);
+			perror(L"Malformed section %d size\n", index);
 			status = EFI_INVALID_PARAMETER;
 			goto done;
 		}
@@ -637,7 +645,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 	SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections);
 	if (SectionHeader == NULL) {
-		Print(L"Unable to allocate section header\n");
+		perror(L"Unable to allocate section header\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -669,7 +677,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 		hashbase  = ImageAddress(data, size, Section->PointerToRawData);
 
 		if (!hashbase) {
-			Print(L"Malformed section header\n");
+			perror(L"Malformed section header\n");
 			status = EFI_INVALID_PARAMETER;
 			goto done;
 		}
@@ -677,7 +685,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 		/* Verify hashsize within image. */
 		if (Section->SizeOfRawData >
 		    datasize - Section->PointerToRawData) {
-			Print(L"Malformed section raw size %d\n", index);
+			perror(L"Malformed section raw size %d\n", index);
 			status = EFI_INVALID_PARAMETER;
 			goto done;
 		}
@@ -685,7 +693,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 		    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
-			Print(L"Unable to generate hash\n");
+			perror(L"Unable to generate hash\n");
 			status = EFI_OUT_OF_RESOURCES;
 			goto done;
 		}
@@ -706,7 +714,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 		    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
-			Print(L"Unable to generate hash\n");
+			perror(L"Unable to generate hash\n");
 			status = EFI_OUT_OF_RESOURCES;
 			goto done;
 		}
@@ -714,7 +722,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in,
 
 	if (!(Sha256Final(sha256ctx, sha256hash)) ||
 	    !(Sha1Final(sha1ctx, sha1hash))) {
-		Print(L"Unable to finalise hash\n");
+		perror(L"Unable to finalise hash\n");
 		status = EFI_OUT_OF_RESOURCES;
 		goto done;
 	}
@@ -744,9 +752,9 @@ static EFI_STATUS verify_mok (void) {
 				   shim_lock_guid, &attributes);
 
 	if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
-		Print(L"MokList is compromised!\nErase all keys in MokList!\n");
+		perror(L"MokList is compromised!\nErase all keys in MokList!\n");
 		if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
-			Print(L"Failed to erase MokList\n");
+			perror(L"Failed to erase MokList\n");
                         return EFI_ACCESS_DENIED;
 		}
 	}
@@ -774,13 +782,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 				     context->SecDir->VirtualAddress);
 
 		if (!cert) {
-			Print(L"Certificate located outside the image\n");
+			perror(L"Certificate located outside the image\n");
 			return EFI_INVALID_PARAMETER;
 		}
 
 		if (cert->Hdr.wCertificateType !=
 		    WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-			Print(L"Unsupported certificate type %x\n",
+			perror(L"Unsupported certificate type %x\n",
 				cert->Hdr.wCertificateType);
 			return EFI_UNSUPPORTED;
 		}
@@ -804,7 +812,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	status = check_blacklist(cert, sha256hash, sha1hash);
 
 	if (status != EFI_SUCCESS) {
-		Print(L"Binary is blacklisted\n");
+		perror(L"Binary is blacklisted\n");
 		return status;
 	}
 
@@ -857,7 +865,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
 	unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize;
 
 	if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) {
-		Print(L"Invalid image\n");
+		perror(L"Invalid image\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -877,7 +885,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
 	context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections;
 
 	if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES < context->NumberOfRvaAndSizes) {
-		Print(L"Image header too small\n");
+		perror(L"Image header too small\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -885,7 +893,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
 			- sizeof (EFI_IMAGE_DATA_DIRECTORY) * EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES;
 	if (((UINT32)PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) !=
 			context->NumberOfRvaAndSizes * sizeof (EFI_IMAGE_DATA_DIRECTORY)) {
-		Print(L"Image header overflows data directory\n");
+		perror(L"Image header overflows data directory\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -895,28 +903,28 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
 				+ PEHdr->Pe32.FileHeader.SizeOfOptionalHeader;
 	if (((UINT32)context->ImageSize - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER
 			<= context->NumberOfSections) {
-		Print(L"Image sections overflow image size\n");
+		perror(L"Image sections overflow image size\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if ((context->SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER
 			< (UINT32)context->NumberOfSections) {
-		Print(L"Image sections overflow section headers\n");
+		perror(L"Image sections overflow section headers\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) {
-		Print(L"Invalid image\n");
+		perror(L"Invalid image\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if (PEHdr->Te.Signature != EFI_IMAGE_NT_SIGNATURE) {
-		Print(L"Unsupported image type\n");
+		perror(L"Unsupported image type\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if (PEHdr->Pe32.FileHeader.Characteristics & EFI_IMAGE_FILE_RELOCS_STRIPPED) {
-		Print(L"Unsupported image - Relocations have been stripped\n");
+		perror(L"Unsupported image - Relocations have been stripped\n");
 		return EFI_UNSUPPORTED;
 	}
 
@@ -935,23 +943,24 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
 	context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
 
 	if (context->ImageSize < context->SizeOfHeaders) {
-		Print(L"Invalid image\n");
+		perror(L"Invalid image\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) >
 	    (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) {
-		Print(L"Invalid image\n");
+		perror(L"Invalid image\n");
 		return EFI_UNSUPPORTED;
 	}
 
 	if (context->SecDir->VirtualAddress >= datasize) {
-		Print(L"Malformed security header\n");
+		perror(L"Malformed security header\n");
 		return EFI_INVALID_PARAMETER;
 	}
 	return EFI_SUCCESS;
 }
 
+
 /*
  * Once the image has been loaded it needs to be validated and relocated
  */
@@ -971,7 +980,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 	 */
 	efi_status = read_header(data, datasize, &context);
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to read header: %r\n", efi_status);
+		perror(L"Failed to read header: %r\n", efi_status);
 		return efi_status;
 	}
 
@@ -993,7 +1002,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 	buffer = AllocatePool(context.ImageSize);
 
 	if (!buffer) {
-		Print(L"Failed to allocate image buffer\n");
+		perror(L"Failed to allocate image buffer\n");
 		return EFI_OUT_OF_RESOURCES;
 	}
 
@@ -1013,13 +1022,13 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 		end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1);
 
 		if (!base || !end) {
-			Print(L"Invalid section size\n");
+			perror(L"Invalid section size\n");
 			return EFI_UNSUPPORTED;
 		}
 
 		if (Section->VirtualAddress < context.SizeOfHeaders ||
 				Section->PointerToRawData < context.SizeOfHeaders) {
-			Print(L"Section is inside image headers\n");
+			perror(L"Section is inside image headers\n");
 			return EFI_UNSUPPORTED;
 		}
 
@@ -1038,7 +1047,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 	efi_status = relocate_coff(&context, buffer);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Relocation failed: %r\n", efi_status);
+		perror(L"Relocation failed: %r\n", efi_status);
 		FreePool(buffer);
 		return efi_status;
 	}
@@ -1056,7 +1065,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 	li->LoadOptionsSize = load_options_size;
 
 	if (!entry_point) {
-		Print(L"Invalid entry point\n");
+		perror(L"Invalid entry point\n");
 		FreePool(buffer);
 		return EFI_UNSUPPORTED;
 	}
@@ -1079,7 +1088,7 @@ should_use_fallback(EFI_HANDLE image_handle)
 	rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
 				       &loaded_image_protocol, (void **)&li);
 	if (EFI_ERROR(rc)) {
-		Print(L"Could not get image for bootx64.efi: %r\n", rc);
+		perror(L"Could not get image for bootx64.efi: %r\n", rc);
 		return 0;
 	}
 
@@ -1101,13 +1110,13 @@ should_use_fallback(EFI_HANDLE image_handle)
 	rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle,
 			       &FileSystemProtocol, (void **)&fio);
 	if (EFI_ERROR(rc)) {
-		Print(L"Could not get fio for li->DeviceHandle: %r\n", rc);
+		perror(L"Could not get fio for li->DeviceHandle: %r\n", rc);
 		return 0;
 	}
-	
+
 	rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh);
 	if (EFI_ERROR(rc)) {
-		Print(L"Could not open fio volume: %r\n", rc);
+		perror(L"Could not open fio volume: %r\n", rc);
 		return 0;
 	}
 
@@ -1185,7 +1194,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
 	*PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath));
 
 	if (!*PathName) {
-		Print(L"Failed to allocate path buffer\n");
+		perror(L"Failed to allocate path buffer\n");
 		efi_status = EFI_OUT_OF_RESOURCES;
 		goto error;
 	}
@@ -1226,14 +1235,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 				       (void **)&drive);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to find fs: %r\n", efi_status);
+		perror(L"Failed to find fs: %r\n", efi_status);
 		goto error;
 	}
 
 	efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to open fs: %r\n", efi_status);
+		perror(L"Failed to open fs: %r\n", efi_status);
 		goto error;
 	}
 
@@ -1244,14 +1253,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 				       EFI_FILE_MODE_READ, 0);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to open %s - %r\n", PathName, efi_status);
+		perror(L"Failed to open %s - %r\n", PathName, efi_status);
 		goto error;
 	}
 
 	fileinfo = AllocatePool(buffersize);
 
 	if (!fileinfo) {
-		Print(L"Unable to allocate file info buffer\n");
+		perror(L"Unable to allocate file info buffer\n");
 		efi_status = EFI_OUT_OF_RESOURCES;
 		goto error;
 	}
@@ -1267,7 +1276,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 		FreePool(fileinfo);
 		fileinfo = AllocatePool(buffersize);
 		if (!fileinfo) {
-			Print(L"Unable to allocate file info buffer\n");
+			perror(L"Unable to allocate file info buffer\n");
 			efi_status = EFI_OUT_OF_RESOURCES;
 			goto error;
 		}
@@ -1277,7 +1286,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 	}
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Unable to get file info: %r\n", efi_status);
+		perror(L"Unable to get file info: %r\n", efi_status);
 		goto error;
 	}
 
@@ -1286,7 +1295,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 	*data = AllocatePool(buffersize);
 
 	if (!*data) {
-		Print(L"Unable to allocate file buffer\n");
+		perror(L"Unable to allocate file buffer\n");
 		efi_status = EFI_OUT_OF_RESOURCES;
 		goto error;
 	}
@@ -1305,7 +1314,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
 	}
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize);
+		perror(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize);
 		goto error;
 	}
 
@@ -1335,6 +1344,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
 
 	loader_is_participating = 1;
+	in_protocol = 1;
 
 	if (!secure_mode())
 		return EFI_SUCCESS;
@@ -1342,9 +1352,35 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	status = read_header(buffer, size, &context);
 
 	if (status != EFI_SUCCESS)
-		return status;
+		goto done;
 
 	status = verify_buffer(buffer, size, &context);
+done:
+	in_protocol = 0;
+	return status;
+}
+
+static EFI_STATUS shim_hash (char *data, int datasize,
+			     PE_COFF_LOADER_IMAGE_CONTEXT *context,
+			     UINT8 *sha256hash, UINT8 *sha1hash)
+{
+	EFI_STATUS status;
+
+	in_protocol = 1;
+	status = generate_hash(data, datasize, context, sha256hash, sha1hash);
+	in_protocol = 0;
+
+	return status;
+}
+
+static EFI_STATUS shim_read_header(void *data, unsigned int datasize,
+				   PE_COFF_LOADER_IMAGE_CONTEXT *context)
+{
+	EFI_STATUS status;
+
+	in_protocol = 1;
+	status = read_header(data, datasize, context);
+	in_protocol = 0;
 
 	return status;
 }
@@ -1371,7 +1407,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 				       &loaded_image_protocol, (void **)&li);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Unable to init protocol\n");
+		perror(L"Unable to init protocol\n");
 		return efi_status;
 	}
 
@@ -1381,20 +1417,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 	efi_status = generate_path(li, ImagePath, &PathName);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status);
+		perror(L"Unable to generate path %s: %r\n", ImagePath, efi_status);
 		goto done;
 	}
 
 	if (findNetboot(li->DeviceHandle)) {
 		efi_status = parseNetbootinfo(image_handle);
 		if (efi_status != EFI_SUCCESS) {
-			Print(L"Netboot parsing failed: %r\n", efi_status);
+			perror(L"Netboot parsing failed: %r\n", efi_status);
 			return EFI_PROTOCOL_ERROR;
 		}
 		efi_status = FetchNetbootimage(image_handle, &sourcebuffer,
 					       &sourcesize);
 		if (efi_status != EFI_SUCCESS) {
-			Print(L"Unable to fetch TFTP image: %r\n", efi_status);
+			perror(L"Unable to fetch TFTP image: %r\n", efi_status);
 			return efi_status;
 		}
 		data = sourcebuffer;
@@ -1406,7 +1442,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 		efi_status = load_image(li, &data, &datasize, PathName);
 
 		if (efi_status != EFI_SUCCESS) {
-			Print(L"Failed to load image %s: %r\n", PathName, efi_status);
+			perror(L"Failed to load image %s: %r\n", PathName, efi_status);
 			goto done;
 		}
 	}
@@ -1423,7 +1459,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 	efi_status = handle_image(data, datasize, li);
 
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to load image: %r\n", efi_status);
+		perror(L"Failed to load image: %r\n", efi_status);
 		CopyMem(li, &li_bak, sizeof(li_bak));
 		goto done;
 	}
@@ -1495,7 +1531,7 @@ EFI_STATUS mirror_mok_list()
 		     ;
 	FullData = AllocatePool(FullDataSize);
 	if (!FullData) {
-		Print(L"Failed to allocate space for MokListRT\n");
+		perror(L"Failed to allocate space for MokListRT\n");
 		return EFI_OUT_OF_RESOURCES;
 	}
 	p = FullData;
@@ -1526,7 +1562,7 @@ EFI_STATUS mirror_mok_list()
 				       | EFI_VARIABLE_RUNTIME_ACCESS,
 				       FullDataSize, FullData);
 	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to set MokListRT: %r\n", efi_status);
+		perror(L"Failed to set MokListRT: %r\n", efi_status);
 	}
 
 	return efi_status;
@@ -1567,7 +1603,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 		efi_status = start_image(image_handle, MOK_MANAGER);
 
 		if (efi_status != EFI_SUCCESS) {
-			Print(L"Failed to start MokManager: %r\n", efi_status);
+			perror(L"Failed to start MokManager: %r\n", efi_status);
 			return efi_status;
 		}
 	}
@@ -1601,9 +1637,9 @@ static EFI_STATUS check_mok_sb (void)
 	 * modified by the OS
 	 */
 	if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
-		Print(L"MokSBState is compromised! Clearing it\n");
+		perror(L"MokSBState is compromised! Clearing it\n");
 		if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) {
-			Print(L"Failed to erase MokSBState\n");
+			perror(L"Failed to erase MokSBState\n");
 		}
 		status = EFI_ACCESS_DENIED;
 	} else {
@@ -1642,9 +1678,9 @@ static EFI_STATUS check_mok_db (void)
 	 * modified by the OS
 	 */
 	if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
-		Print(L"MokDBState is compromised! Clearing it\n");
+		perror(L"MokDBState is compromised! Clearing it\n");
 		if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) {
-			Print(L"Failed to erase MokDBState\n");
+			perror(L"Failed to erase MokDBState\n");
 		}
 		status = EFI_ACCESS_DENIED;
 	} else {
@@ -1674,7 +1710,7 @@ static EFI_STATUS mok_ignore_db()
 				| EFI_VARIABLE_RUNTIME_ACCESS,
 				DataSize, (void *)&Data);
 		if (efi_status != EFI_SUCCESS) {
-			Print(L"Failed to set MokIgnoreDB: %r\n", efi_status);
+			perror(L"Failed to set MokIgnoreDB: %r\n", efi_status);
 		}
 	}
 
@@ -1702,7 +1738,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
 	status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
 				   &LoadedImageProtocol, (void **) &li);
 	if (status != EFI_SUCCESS) {
-		Print (L"Failed to get load options: %r\n", status);
+		perror (L"Failed to get load options: %r\n", status);
 		return status;
 	}
 
@@ -1746,7 +1782,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
 	if (loader_len > 0) {
 		loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16));
 		if (!loader_str) {
-			Print(L"Failed to allocate loader string\n");
+			perror(L"Failed to allocate loader string\n");
 			return EFI_OUT_OF_RESOURCES;
 		}
 		for (i = 0; i < loader_len; i++)
@@ -1825,8 +1861,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 * call back in and use shim functions
 	 */
 	shim_lock_interface.Verify = shim_verify;
-	shim_lock_interface.Hash = generate_hash;
-	shim_lock_interface.Context = read_header;
+	shim_lock_interface.Hash = shim_hash;
+	shim_lock_interface.Context = shim_read_header;
 
 	systab = passed_systab;
 
-- 
1.9.3