diff --git a/.shim.metadata b/.shim.metadata new file mode 100644 index 0000000..7f2a942 --- /dev/null +++ b/.shim.metadata @@ -0,0 +1,7 @@ +d193e3e3cf19148c8ac867de8e1ae39f9b66afec SOURCES/DB.auth +7686b4eb198c0efb70dae703dc8d71885d462ab0 SOURCES/0.7.tar.gz +b8452a8a6a929d4938391d106e810fd517430bbc SOURCES/PK.auth +66895070de7ebfc2d49324ad24ee53debcc540db SOURCES/securebootca.cer +4c954f56aa4273f24bb45c6e8b0084a67999c251 SOURCES/KEK.auth +f4e556118ee4f4dec187db15dc8767b92e99461d SOURCES/mokutil-0.2.0.tar.bz2 +531f3d9eb430649609695efd3d97ff3f6b8b9326 SOURCES/0.3.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch b/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch new file mode 100644 index 0000000..5bbcb2d --- /dev/null +++ b/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch @@ -0,0 +1,124 @@ +From 0ca010d2f46a4bd49d79a529efb74680110012b5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 20 Nov 2013 12:20:23 -0500 +Subject: [PATCH] Fix path generation for Dhcpv4 bootloader. + +Right now we always look for e.g. "\grubx64.efi", which is completely +wrong. This makes it look for the path shim was loaded from and modify +that to end in a sanitized version of our default loader name. + +Resolves: rhbz#1032583 + +Signed-off-by: Peter Jones +--- + include/str.h | 45 +++++++++++++++++++++++++++++++++++++++++++++ + netboot.c | 28 +++++++++++++++++++++------- + 2 files changed, 66 insertions(+), 7 deletions(-) + create mode 100644 include/str.h + +diff --git a/include/str.h b/include/str.h +new file mode 100644 +index 0000000..0f3e003 +--- /dev/null ++++ b/include/str.h +@@ -0,0 +1,45 @@ ++#ifndef SHIM_STR_H ++#define SHIM_STR_H ++ ++static inline ++__attribute__((unused)) ++unsigned long strnlena(const CHAR8 *s, unsigned long n) ++{ ++ unsigned long i; ++ for (i = 0; i <= n; i++) ++ if (s[i] == '\0') ++ break; ++ return i; ++} ++ ++static inline ++__attribute__((unused)) ++CHAR8 * ++strncpya(CHAR8 *dest, const CHAR8 *src, unsigned long n) ++{ ++ unsigned long i; ++ ++ for (i = 0; i < n && src[i] != '\0'; i++) ++ dest[i] = src[i]; ++ for (; i < n; i++) ++ dest[i] = '\0'; ++ ++ return dest; ++} ++ ++static inline ++__attribute__((unused)) ++CHAR8 * ++strcata(CHAR8 *dest, const CHAR8 *src) ++{ ++ unsigned long dest_len = strlena(dest); ++ unsigned long i; ++ ++ for (i = 0; src[i] != '\0'; i++) ++ dest[dest_len + i] = src[i]; ++ dest[dest_len + i] = '\0'; ++ ++ return dest; ++} ++ ++#endif /* SHIM_STR_H */ +diff --git a/netboot.c b/netboot.c +index a83c82a..1732dc7 100644 +--- a/netboot.c ++++ b/netboot.c +@@ -38,6 +38,7 @@ + #include + #include "shim.h" + #include "netboot.h" ++#include "str.h" + + static inline unsigned short int __swap16(unsigned short int x) + { +@@ -305,19 +306,32 @@ static EFI_STATUS parseDhcp6() + + static EFI_STATUS parseDhcp4() + { +- CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR; +- full_path = AllocateZeroPool(strlen(template)+1); ++ CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); ++ UINTN template_len = strlen(template) + 1; ++ ++ UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); ++ UINTN i; ++ UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile; ++ ++ for (i = dir_len; i >= 0; i--) { ++ if (dir[i] == '/') ++ break; ++ } ++ dir_len = (i >= 0) ? i + 1 : 0; ++ ++ full_path = AllocateZeroPool(dir_len + template_len); + + if (!full_path) + return EFI_OUT_OF_RESOURCES; + ++ if (dir_len > 0) { ++ strncpya(full_path, dir, dir_len); ++ if (full_path[dir_len-1] == '/' && template[0] == '/') ++ full_path[dir_len-1] = '\0'; ++ } ++ strcata(full_path, template); + memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); + +- memcpy(full_path, template, strlen(template)); +- +- /* Note we don't capture the filename option here because we know its shim.efi +- * We instead assume the filename at the end of the path is going to be grubx64.efi +- */ + return EFI_SUCCESS; + } + +-- +1.8.3.1 + diff --git a/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch b/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch new file mode 100644 index 0000000..62712c3 --- /dev/null +++ b/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch @@ -0,0 +1,40 @@ +From 36c3ce078d59abe148cd5045c0a8d9b9f7ffb88e Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 21 Nov 2013 11:26:08 -0500 +Subject: [PATCH] Lengths that might be -1 can't be unsigned, Peter. + +Signed-off-by: Peter Jones +--- + netboot.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/netboot.c b/netboot.c +index 1732dc7..07e2773 100644 +--- a/netboot.c ++++ b/netboot.c +@@ -307,10 +307,10 @@ static EFI_STATUS parseDhcp6() + static EFI_STATUS parseDhcp4() + { + CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); +- UINTN template_len = strlen(template) + 1; ++ INTN template_len = strlen(template) + 1; + +- UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); +- UINTN i; ++ INTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); ++ INTN i; + UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile; + + for (i = dir_len; i >= 0; i--) { +@@ -329,6 +329,8 @@ static EFI_STATUS parseDhcp4() + if (full_path[dir_len-1] == '/' && template[0] == '/') + full_path[dir_len-1] = '\0'; + } ++ if (dir_len == 0 && dir[0] != '/' && template[0] == '/') ++ template++; + strcata(full_path, template); + memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); + +-- +1.8.3.1 + diff --git a/SPECS/shim.spec b/SPECS/shim.spec new file mode 100644 index 0000000..1867183 --- /dev/null +++ b/SPECS/shim.spec @@ -0,0 +1,182 @@ +Name: shim +Version: 0.7 +Release: 4%{?dist} +Summary: First-stage UEFI bootloader + +License: BSD +URL: http://www.codon.org.uk/~mjg59/shim/ +Source0: https://github.com/mjg59/shim/archive/%{version}.tar.gz +Source1: securebootca.cer + +# incorporate mokutil for packaging simplicity +%global mokutilver 0.2.0 +Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.bz2 + +# currently here's what's in our dbx: +# nothing. +#Source3: dbx.esl +%global lockdownver 0.3 +Source4: https://github.com/vathpela/lockdown/archive/%{lockdownver}.tar.gz +Source5: DB.auth +Source6: KEK.auth +Source7: PK.auth +Patch0000: 0001-Fix-path-generation-for-Dhcpv4-bootloader.patch +Patch0002: 0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch + +BuildRequires: git openssl-devel openssl +BuildRequires: pesign >= 0.106-1 +BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u + +# for xxd +BuildRequires: vim-common + +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8w + +# Shim is only required on platforms implementing the UEFI secure boot +# protocol. The only one of those we currently wish to support is 64-bit x86. +# Adding further platforms will require adding appropriate relocation code. +ExclusiveArch: x86_64 + +# Figure out the right file path to use +%if 0%{?rhel} +%global efidir redhat +%endif +%if 0%{?fedora} +%global efidir fedora +%endif + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. + +%package -n shim-unsigned +Summary: First-stage UEFI bootloader (unsigned data) + +%description -n shim-unsigned +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. + +%package -n mokutil +Summary: Utilities for managing Secure Boot/MoK keys. + +%description -n mokutil +Utilities for managing the "Machine's Own Keys" list. + +%prep +%setup -q +%setup -q -a 2 -D -T +%setup -q -a 4 -D -T + +git init +git config user.email "shim-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} DB.h +xxd -i KEK.auth > KEK.h +xxd -i PK.auth > PK.h +make DB_FILE=%{SOURCE5} KEK_FILE=%{SOURCE6} PK_FILE=%{SOURCE7} lockdown.efi + +%install +rm -rf $RPM_BUILD_ROOT +pesign -h -P -i shim.efi -h > shim.hash +install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ +install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi +install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash +install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi +install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi +cd mokutil-%{mokutilver} +make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install +cd ../lockdown-%{lockdownver} +install -m 0644 lockdown.efi $RPM_BUILD_ROOT%{_datadir}/shim/lockdown.efi + +%files -n shim-unsigned +%doc +%dir %{_datadir}/shim +%{_datadir}/shim/* + +%files -n mokutil +/usr/bin/mokutil +/usr/share/man/man1/mokutil.1.gz + +%changelog +* Thu Nov 21 2013 Peter Jones - 0.7-4 +- Make dhcpv4 paths work better when netbooting. + Resolves: rhbz#1032583 + +* Thu Nov 14 2013 Peter Jones - 0.7-3 +- Make lockdown include UEFI and other KEK/DB entries. + Resolves: rhbz#1030492 + +* Fri Nov 08 2013 Peter Jones - 0.7-2 +- Update lockdown to reflect SetupMode better as well + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.7-1 +- Fix logic to handle SetupMode efi variable. + Related: rhbz#996863 + +* Thu Oct 31 2013 Peter Jones - 0.6-1 +- Fix a FreePool(NULL) call on machines too old for SB + +* Fri Oct 04 2013 Peter Jones - 0.5-1 +- Update to 0.5 + +* Tue Aug 06 2013 Peter Jones - 0.4-3 +- Build with early RHEL test keys. + Related: rhbz#989442 + +* Thu Jul 25 2013 Peter Jones - 0.4-2 +- Fix minor RHEL 7.0 build issues + Resolves: rhbz#978766 +- Be less verbose by default + +* Tue Jun 11 2013 Peter Jones - 0.4-1 +- Update to 0.4 + +* Fri Jun 07 2013 Peter Jones - 0.3-2 +- Require gnu-efi-3.0q for now. +- Don't allow mmx or sse during compilation. +- Re-organize this so all real signing happens in shim-signed instead. +- Split out mokutil + +* Wed Dec 12 2012 Peter Jones - 0.2-3 +- Fix mokutil's idea of signature sizes. + +* Wed Nov 28 2012 Matthew Garrett - 0.2-2 +- Fix secure_mode() always returning true + +* Mon Nov 26 2012 Matthew Garrett - 0.2-1 +- Update shim +- Include mokutil +- Add debuginfo package since mokutil is a userspace executable + +* Mon Oct 22 2012 Peter Jones - 0.1-4 +- Produce an unsigned shim + +* Tue Aug 14 2012 Peter Jones - 0.1-3 +- Update how embedded cert and signing work. + +* Mon Aug 13 2012 Josh Boyer - 0.1-2 +- Add patch to fix image size calculation + +* Mon Aug 13 2012 Matthew Garrett - 0.1-1 +- initial release