diff options
author | James Bottomley <JBottomley@Parallels.com> | 2012-12-08 17:39:30 +0000 |
---|---|---|
committer | James Bottomley <JBottomley@Parallels.com> | 2012-12-08 17:39:30 +0000 |
commit | 36e847b832581dff67e3a84232e670a70b82978f (patch) | |
tree | 9b657e43ff591a09cd13e26d0be20022a1b85a9c | |
parent | 8bd31f297b8d2697b33c6d2ba6d52dea58fd87d1 (diff) | |
download | efitools-36e847b832581dff67e3a84232e670a70b82978f.tar.gz |
security_policy: fix five arg thunk and always install all possible policies
Chances are there's some platform that implements security2 but actually has
the Authenticode checker in the original security policy. For this case, make
sure we install both security policy handlers.
Experiment shows that arg5 is at 0x28(%rsp) not 32(%rsp).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-rw-r--r-- | lib/security_policy.c | 67 |
1 files changed, 37 insertions, 30 deletions
diff --git a/lib/security_policy.c b/lib/security_policy.c index 74f49aa..06b028b 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -135,14 +135,16 @@ security2_policy_authentication ( { EFI_STATUS status; - status = security_policy_check_mok(FileBuffer, FileSize); + /* Chain original security policy */ + status = uefi_call_wrapper(es2fa, 5, This, DevicePath, FileBuffer, + FileSize, BootPolicy); + + /* if OK, don't bother with MOK check */ if (status == EFI_SUCCESS) return status; - /* chain previous policy (UEFI security validation) */ - status = uefi_call_wrapper(es2fa, 5, This, DevicePath, FileBuffer, - FileSize, BootPolicy); + status = security_policy_check_mok(FileBuffer, FileSize); return status; } @@ -164,10 +166,19 @@ security_policy_authentication ( UINTN FileSize; CHAR16* DevPathStr; + /* Chain original security policy */ + status = uefi_call_wrapper(esfas, 3, This, AuthenticationStatus, + DevicePathConst); + + /* if OK avoid checking MOK: It's a bit expensive to + * read the whole file in again (esfas already did this) */ + if (status == EFI_SUCCESS) + goto out; + status = uefi_call_wrapper(BS->LocateDevicePath, 3, &SIMPLE_FS_PROTOCOL, &DevPath, &h); if (status != EFI_SUCCESS) - goto chain; + goto out; DevPathStr = DevicePathToStr(DevPath); @@ -175,23 +186,16 @@ security_policy_authentication ( EFI_FILE_MODE_READ); FreePool(DevPathStr); if (status != EFI_SUCCESS) - goto chain; + goto out; status = simple_file_read_all(f, &FileSize, &FileBuffer); simple_file_close(f); if (status != EFI_SUCCESS) - goto chain; + goto out; status = security_policy_check_mok(FileBuffer, FileSize); FreePool(FileBuffer); - if (status == EFI_SUCCESS) - goto out; - - chain: - status = uefi_call_wrapper(esfas, 3, This, AuthenticationStatus, - DevicePathConst); - out: FreePool(OrigDevPath); return status; @@ -236,7 +240,7 @@ security_policy_authentication ( asm ( ".type security2_policy_authentication,@function\n" "thunk_security2_policy_authentication:\n\t" - "mov 32(%rsp), %r10 # ARG5\n\t" + "mov 0x28(%rsp), %r10 # ARG5\n\t" "push %rdi\n\t" "push %rsi\n\t" "mov %r10, %rdi\n\t" @@ -297,31 +301,34 @@ security_policy_install(void) EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; EFI_STATUS status; - if (es2fa || esfas) + if (esfas) /* Already Installed */ return EFI_ALREADY_STARTED; - status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY2_PROTOCOL_GUID, NULL, - &security2_protocol); + /* Don't bother with status here. The call is allowed + * to fail, since SECURITY2 was introduced in PI 1.2.1 + * If it fails, use security2_protocol == NULL as indicator */ + uefi_call_wrapper(BS->LocateProtocol, 3, + &SECURITY2_PROTOCOL_GUID, NULL, + &security2_protocol); - if (status == EFI_NOT_FOUND) - status = uefi_call_wrapper(BS->LocateProtocol, 3, + status = uefi_call_wrapper(BS->LocateProtocol, 3, &SECURITY_PROTOCOL_GUID, NULL, &security_protocol); if (status != EFI_SUCCESS) + /* This one is mandatory, so there's a serious problem */ return status; if (security2_protocol) { es2fa = security2_protocol->FileAuthentication; security2_protocol->FileAuthentication = thunk_security2_policy_authentication; - } else { - esfas = security_protocol->FileAuthenticationState; - security_protocol->FileAuthenticationState = - thunk_security_policy_authentication; } + esfas = security_protocol->FileAuthenticationState; + security_protocol->FileAuthenticationState = + thunk_security_policy_authentication; + return EFI_SUCCESS; } @@ -342,9 +349,12 @@ security_policy_uninstall(void) security_protocol->FileAuthenticationState = esfas; esfas = NULL; + } else { + /* nothing installed */ + return EFI_NOT_STARTED; + } - return EFI_SUCCESS; - } else if (es2fa) { + if (es2fa) { EFI_SECURITY2_PROTOCOL *security2_protocol; status = uefi_call_wrapper(BS->LocateProtocol, 3, @@ -358,9 +368,6 @@ security_policy_uninstall(void) es2fa = NULL; return EFI_SUCCESS; - } else { - /* nothing installed */ - return EFI_NOT_STARTED; } } |