Age | Commit message | Author | Files | Lines
2019-01-08 | Version: 1.9.2 [HEAD, v1.9.2, master] | James Bottomley | 1 | -1/+1
* add engine option documentation for sign-efi-sig-list * fix sha256 computation for some efi binaries Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-08 | sha256: do not align raw section sizes | James Bottomley | 1 | -3/+5
A vmlinuz hash was failing because it was being aligned up to the context.fileAlignment (which is 32) which adds a spurious 16 bytes to the section size. Additionally, only hash additional data if the remaining data is larger than the security directory. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-07 | sign-efi-sig-list: add man page entry for engine option | James Bottomley | 1 | -0/+1
This was forgotten when the engine code was added, so include it now. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-06 | Version: 1.9.1 [v1.9.1] | James Bottomley | 1 | -1/+1
* fix build on some systems due to library ordering Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-06 | Makefile: Reverse the order of lib.a and -lcrypto | James Bottomley | 1 | -6/+6
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-06 | Version: 1.9.0 [v1.9.0] | James Bottomley | 1 | -1/+1
* engine based keys * use SignedData for authenticated variables Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-05 | use SignedData instead of PKCS7 for variable updates | James Bottomley | 1 | -1/+1
The EFI standard is ambiguous about which one to use for variable updates (it is definite about using PKCS7 for signed binaries). Until recently, the reference platform, tianocore, accepted both. However after patch commit c035e37335ae43229d7e68de74a65f2c01ebc0af Author: Zhang Lubo <lubo.zhang@intel.com> Date: Thu Jan 5 14:58:05 2017 +0800 SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable. The acceptance of PKCS7 got broken. This breakage seems to be propagating to the UEFI ecosystem, so update the variable signing tools to emit the SignedData type. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-05 | support engine based keys | James Bottomley | 4 | -8/+107
Add additional arguments to specify an openssl engine (-e for sign-efi-sig-list and --engine for efi-update). If an engine is specified, pass the keyfile to the engine load routines. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2019-01-05 | factor out variable signing code | James Bottomley | 5 | -59/+90
Since we have two uses of the code, consolidate into a library routine so the signing can be done in a single place. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2018-12-18 | efi-updatevar: remove all authenticated attributes from signature | pai-yi.huang | 1 | -3/+3
follow the Commit: 4727744d42ec594d558e5d6c3fcf4c8d63d83186 for sign-efi-sig-list to fix efi-updatevar failure for AMI BIOS. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2018-02-20 | Version: 1.8.1 [v1.8.1] | James Bottomley | 1 | -1/+1
* Fix fedora build Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2018-02-20 | Fix Fedora build | James Bottomley | 1 | -3/+3
Fedora has a whole load of weird and wonderful ideas beyond both Debian and openSUSE about how to install gnu-efi. Fix the build rules to accommodate its eccentricities. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 | Version: 1.8.0 [v1.8.0] | James Bottomley | 1 | -1/+1
* openssl 1.1 support * many other updates Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-10-19 | cert-to-efi-hash-list: fix for openssl 1.1 | James Bottomley | 1 | -1/+5
Can't dereference the cert any more. Unfortunately now there's no API to get the cert->cert_info any more (thanks openssl!). Fortunately we can fiddle it with i2d_re_X509_tbs. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-03-01 | efitools: oid.h: Re-run oid.pl to regenerate oid.h include | Nicholas Fish | 1 | -0/+2
oid.h: Run oid.pl to regenerate oid.h include Builds against musl libc are failing due to unknown types. This is because lib/asn1/oid.h is stale and needs to be regenerated by running lib/asn1/oid.pl to bring in the types.h include. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2017-01-16 | kernel_efivars.c: fix mismatch between UNIX and EFI time | Patrick Callaghan | 1 | -1/+2
The EFI variable code is failing in January of every year. This is because of a mismatch between EFI_TIME and struct tm. The month in EFI_TIME is 1-12 and in struct tm it's 0-11 meaning that January is an invalid month for EFI_TIME. Fix this by adding one. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-05-13 | PreLoader: use updated security policy install function | James Bottomley | 1 | -1/+3
PreLoader got broken when security_policy_install() was changed to take an override, deny and allow function. Fix it by supplying the default MoK policy functions. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-05-13 | security_policy: fully convert to override,allow and deny functions | James Bottomley | 1 | -25/+12
The EFI_SECURITY2_PROTOCOL override hadn't been updated, so do that now. Also remove the now unused security_policy_check_mok() function. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-05-13 | security_policy: factor out the current MoK hash policies | James Bottomley | 2 | -10/+55
This is so we can use them externally as override, allow and deny functions in PreLoader. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | Version: 1.7.0 [v1.7.0] | James Bottomley | 1 | -1/+1
New shim replacement system use of pkcs7verify protocol Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | sig-list-to-certs: add -e option to break out all esl payloads | James Bottomley | 1 | -3/+20
When manipulating signatures in user mode, it's often useful to read all the signature lists individually, cat selected ones, authorise the bundle and then write it. Adding a -e option to break out all the individual signature lists saves messing about with dd in the global esl. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | security_policy: convert to using pkcs7verify protocol | James Bottomley | 2 | -13/+31
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | shim_protocol: convert to using the pkcs7verify allow and deny function | James Bottomley | 3 | -77/+8
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | pkcs7verify: add allow and deny checkers | James Bottomley | 2 | -1/+200
Export useful deny checker which checks explicitly the hashes in MokListX and dbx and an allow checker which checks the hashes first and then does a VerifySignature to see if the signature is allowed. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | variables: add routines to get a list of hash algorithms | James Bottomley | 2 | -0/+53
Since the full list of hash algorithms is finite and known, just dump the list of found hash algorithms to a variable for us to check against. The default is going to be only a single algorithm: sha256. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-03-25 | guid: add all currently defined hashing guids | James Bottomley | 2 | -0/+21
Also add a table so we can look for them. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-26 | shim_protocol: add implementation of read_header | James Bottomley | 1 | -1/+8
Apparently the grub chainloader does use this for some reason (in the SUSE patched version) Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-23 | ShimReplace: add new shim loader simply to install protocol | James Bottomley | 2 | -1/+65
The way grub currently works on Linux is that it relies on the shim protocol to verify images. Without this, the secure boot chain is broken. Fix this by adding a shim replacement whose sole job is to install the protocol and call the boot loader via the normal fashion (meaning the bootloader must be signed with a key in the secure boot database). The second stage loader can then use the protocol to verify any images against the secure boot database as well. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-23 | pkcs7verify: add protocol locate function | James Bottomley | 3 | -1/+63
Add a function which tries to locate the protocol but then tries to load the Pkcs7VerifyDxe.efi file to provide it if it's not found. This allows us to rely on pkcs7verify always being present in the platform, because we can supply it simply by placing a signed copy from tianocore in the root directory. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-23 | shim_protocol: add protocol installer | James Bottomley | 3 | -1/+160
The shim_protocol is necessary because it is used as a callback by grub to verify the signature of linux kernel images. This means that even if you're relying entirely on the secure boot keys, you cannot simply replace shim.efi with grub.efi. Add a shim protocol installer in preparation for adding a replacement shim that does nothing other than install the protocols and execute grub. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-23 | pkcs7verify: add header and GUID copied from tianocore | James Bottomley | 3 | -0/+211
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-23 | pcoff: add pecoff_get_signature function | James Bottomley | 2 | -0/+31
This will be used later in the shim_protocol signature verifier. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-14 | Version: 1.6.1 [v1.6.1] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-14 | Fix ARM32 build | James Bottomley | 8 | -0/+52
This is a complete hack: the efi.h headers include a Which allows arm32 to build efi binaries, but wreaks havoc if you just want to use EFI definitions in normal C code. We hack around this in the libraries by doing an extra However, there should be a better way ... Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-12 | arm build fixes | James Bottomley | 19 | -335/+191
This is a monster bunch. Firstly, eliminate the efi call wrapper thunking. On the security policy override, this was done via an x86_64 asm routine which won't work on non-x86. The build arm objects using the -O binary objcopy method and take the linker scripts from gnu-efi rather than hand rolling. Confine the EFI building machinery to its own include file (not having this correct was causing an OBS build failure on arm) Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-09 | Version: 1.6.0 [v1.6.0] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-09 | enable arm builds | James Bottomley | 1 | -1/+7
Now that the x86 specific thunk is removed, efitools should build for arm Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2016-02-09 | security_policy: switch to EFIAPI calling convention | James Bottomley | 3 | -119/+13
Remove the assembly thunk that converts between EFI and C calling conventions on x86_64 and use the EFIAPI tag instead, which informs gcc to use the EFI calling conventions for the function. This means security_policy.o can now be built unconditionally for all architectures Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2015-03-17 | flash-var: new routine for manipulating variables in flash images | James Bottomley | 4 | -1/+335
It only currently does secure variables and is primarily designed for embedding keys in EFI bios images. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-03-17 | guid: add authenticated variable guid | James Bottomley | 2 | -0/+2
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-03-17 | guid.c: add function to calculate owner GUID for known authenticated variables | James Bottomley | 2 | -0/+23
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-03-12 | Version: 1.5.3 [v1.5.3] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-03-12 | Fix month offset problem | James Bottomley | 3 | -2/+4
ktgsmith reports that we have a cockup constructing the EFI_TIMESTAMP because the unix value tm_mon is 0-11 and the EFI_TIMESTAMP Month field is 1-12. Fix this by adding one everywhere we use tm_mon. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-22 | Version: 1.5.2 [v1.5.2] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-22 | sha256: Calculate hashes correctly for both X64 and IA32 | James Bottomley | 5 | -22/+41
In fact, the hash calculation was working more by luck than judgement. We need to be very careful dealing with the sections to make sure we use the correct part of the optional header. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-21 | pecoff: handle both IA32 and X64 images | James Bottomley | 1 | -10/+26
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2015-01-06 | Make alterations for 32 bit cross compile | James Bottomley | 5 | -15/+110
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | Version 1.5.1 [v1.5.1] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | cert-to-efi-hash-list: only hash over TBSCertificate | James Bottomley | 1 | -1/+1
The UEFI spec mandates this, but Tianocore was hashing over the whole certificate. Now that Tianocore is patched, construct the correct hash. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | Version 1.5.0 [v1.5.0] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | cert-to-efi-hash-list: add man page | James Bottomley | 1 | -0/+30
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | Makefile: Consolidate auth file building rules | James Bottomley | 2 | -5/+16
It's getting a bit complex with hashes, blacklists, updates etc, so consolidate Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | KeyTool: Display revocation signature hashes | James Bottomley | 1 | -0/+20
Add the correct types for signature revocation hashes Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | cert-to-efi-hash-list: binary for blacklisting by hash | James Bottomley | 5 | -3/+263
The UEFI spec includes the ability to blacklist in dbx by key hash rather than by key (including a revocation timestamp). Implement this. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | cert-to-efi-sig-list: clear FIPS errors on module load | James Bottomley | 1 | -0/+5
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | ReadVars, UpdateVars: add support for dbt | James Bottomley | 2 | -16/+27
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | KeyTool: add support for dbt | James Bottomley | 1 | -6/+24
dbt is the signature timestamp database supported by UEFI 2.4 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-22 | variable.h: add dbt detection support | James Bottomley | 1 | -1/+2
There's an OS indication for the timestamp signature database, so add the definition. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-20 | KeyTool: consolidate definitions in keyinfo variable | James Bottomley | 1 | -17/+4
Remove an internal copy Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 | Version 1.4.4 [v1.4.4] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-19 | Make: allow creation of multiple db certificates | James Bottomley | 2 | -3/+2
These are rule preparations for multi-sign Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-18 | Add MS KEK update bundle | James Bottomley | 2 | -2/+124
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-17 | Add more .auth file generators | James Bottomley | 2 | -20/+21
Generate pk signed updates for db and generate blacklists of DB and the ms-uefi cert for dbx Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-17 | console.c: Fix longstanding bug (causing crashes) | James Bottomley | 1 | -6/+5
The switch between a variable length selector and a fixed one is wrong. It's hardcoded to be rows - 10 instead of rows - 6 - title_lines. This means when you have exactly the right number of rows in the selector it switches over to a variable selector too early and displays non-existent selector lines (which may run off the end of memory and crash). Also tidy up the selector to keep a blank line between the title and the beginning of the selector. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-17 | sign-efi-sig-list: fix timestamps | James Bottomley | 2 | -7/+19
The original bug which required timestamps a year in the future is long gone, so kill the hardcoding and use the correct timestamp from the current date. Also fix a race condition where noPK.auth could have the same timestamp as PK.auth on fast build machines and thus fail to update. Convert all times to platform local and use ISO date format for the -t option. Finally zero the timestamp for update requests as required by the spec Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-17 | Build an update bundle for the Microsoft db key | James Bottomley | 2 | -1/+45
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-16 | Makefile: add targets for DB and KEK update as well as replace | James Bottomley | 1 | -1/+9
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-16 | Keytool: Add ability to execute binary (no arguments) | James Bottomley | 1 | -1/+50
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-16 | Fix Make clean | James Bottomley | 2 | -0/+3
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-07 | version 1.4.3 [v1.4.3] | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-07 | sign-efi-sig-list: remove all authenticated attributes from signature | James Bottomley | 1 | -3/+4
UEFI section 7.2.1 requires this and the current PKCS7 routines leave attributes like s/mime types and signing time in there. Fix this by using the PCKS7_NOATTRS flag. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-12-07 | sign-efi-sig-list: fix FIPS module verification errors | James Bottomley | 1 | -0/+5
On openSUSE at least, the FIPS module is loaded separately. Unfortunately this will cause openssl to fail the FIPS verification on loading all ciphers: 139983138506384:error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match:fips.c:429: The error is harmless, but annoying, so clear it out of the error buffer after loading everything. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-05-27 | safer mount output parsing | sakaki | 1 | -1/+1
When trying it recently on a Gentoo box (running LVM), I encountered a problem - all the programs would exit with "No efivarfs filesystem is mounted"

Tracking this down, it turns out that the output of the mount command contains an extra field (in Gentoo anyway) when it is an LVM mount - so for example, I get:

    # mount -l
    proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
    none on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
    udev on /dev type devtmpfs (rw,nosuid,relatime,size=10240k,nr_inodes=995888,mode=755)
    devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
    sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
    /dev/mapper/vg1-root on / type ext4 (rw,noatime,discard,errors=remount-ro,data=ordered) *[root]*
    tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
    tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)
    cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
    efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
    tmpfs on /tmp type tmpfs (rw)
    fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
    /dev/mapper/vg1-home on /home type ext4 (rw,relatime,discard,data=ordered) *[home]*

Note the entries in bold ('[root]' and '[home]'). These mess up the sscanf parsing in the kernel_variable_init() function, getting it out of step, and ultimately meaning that it fails to recognize the efivarfs entry. Hence the error.

The enclosed small patch fixes this, by switching the final "%*s\n" in the sscanf to "%*[^\n]\n", which will consume anything up to the newline.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2014-01-18 | kernel_efivars: Fix detection of efivarfs filesystem path. | Edwin | 1 | -2/+2
Make init correctly detect the efivarfs filesystem path based on mount output. Before this patch code only works when the efivarfs filesystem is the last entry in the mount output. Signed-off-by: Edwin de Caluwe <edwindecaluwe@gmail.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-09-19 | Makefile/Make.rules: don't rely on vim-core [v1.4.2] | Greg Kroah-Hartman | 3 | -2/+52
This adds the xxdi.pl script to replace the call to 'xxd -i', removing a build dependency on vim-core, which some distros don't really want to have (i.e. Gentoo and its build derivatives like ChromeOS and CoreOS.) Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-04-17 | COPYING: complete lib/ transition to LGPL | James Bottomley | 1 | -1/+512
This just tidies up the transition by actually adding a copy of LGPLv2.1 to the COPYING file and also adding a future permission from contributors for the code to change licence if a move into or out of lib/ is deemed necessary. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-19 | efi-readvar: add MokList as possible variable to read from | James Bottomley | 1 | -2/+2
2013-03-11 | COPYING: update licence: GPLv2+openSSL and LGPLv2.1 | James Bottomley | 1 | -1/+4
The licence is changed to make all files in lib/ distributed under LGPL 2.1 to make it easy for the library components to be incorporated into other works not necessarily distributed under GPL. All other programmes are distributed under GPLv2 with an openSSL additional permission so the binaries could be linked with openSSL should someone wish to add cryptographic details. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-08 | security_policy: check that the override is actually installed | James Bottomley | 1 | -0/+8
Read back the memory we wrote to for installing it and verify that it was changed. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-07 | cert-to-efi-sig-list: remove unimplemented RSA2048 certificate support | James Bottomley | 1 | -9/+2
2013-03-07 | efitools: fix build warnings in cert-to-efi-sig-list.c | Jiri Kosina | 1 | -0/+1
Fix cert-to-efi-sig-list.c:60:4: warning: implicit declaration of function ‘str_to_guid’ [-Wimplicit-function-declaration] by properly including guid.h Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-05 | Version: 1.4.1 [v1.4.1] | James Bottomley | 1 | -1/+1
2013-03-05 | UpdateVars: need %s not %d to print a filename | James Bottomley | 1 | -1/+1
2013-03-05 | PreLoader: add keystroke check to start HashTool | James Bottomley | 1 | -0/+5
This adds a no wait keystroke check to PreLoader. If you boot up and hold down the 'H' key, it will automatically start HashTool even if the hash of the loader is already enrolled. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-05 | console: add new console_check_for_keystroke() function | James Bottomley | 2 | -0/+26
This new function will check if a key has been pressed without waiting and return true if it has. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-05 | variables: Fix SetMem cockup | James Bottomley | 2 | -4/+4
SetMem takes the arguments dest, size, character, not like the unix memset prototype (thanks EFI committee). Fix this in a couple of places where a variable wasn't getting zeroed. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-01 | Fix for Ubuntu Builds | James Bottomley | 1 | -1/+1
2013-03-01 | fix for debian builds (include sys/wait.h for WEXITSTATUS) | James Bottomley | 2 | -1/+2
2013-03-01 | Version 1.4.0 [v1.4.0] | James Bottomley | 1 | -1/+1
for in linux key manipulations
2013-03-01 | efi-keytool is vestigial, don't build it | James Bottomley | 1 | -1/+1
2013-03-01 | efi-updatevar: Add variable deletion as an option | James Bottomley | 2 | -8/+73
Enable a -d <sig>[-<entry>] option to delete signature <entry> of Signature List <sig> or the entire signature list. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-03-01 | efi-updatevar: add ability to update in User Mode | James Bottomley | 2 | -8/+148
For this to work, you must possess the secret key for the relevant signing variable (PK for PK and KEK or KEK for db and dbx). We actually check the private key against all public keys in the variable to make sure everything is OK and then do a signed update. So to add the hash of HelloWorld.efi to db, the command issued would be

    efi-updatevar -k KEK.key -b HelloWorld.efi db

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-02-28 | efi-updatevar: use hash_to_esl() function | James Bottomley | 1 | -5/+14
-g <guid> for -b now works
2013-02-28 | kernel_efivars: separate out hash to esl conversion function for later use | James Bottomley | 2 | -9/+28
2013-02-28 | efi-updatevar: add ability to insert X509 key from certificate file | James Bottomley | 2 | -23/+79
Also accept certificate file in DER format with .der or .cer extension. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-02-28 | guid: return error if str_to_guid() fails | James Bottomley | 2 | -7/+11
2013-02-28 | efi-readvar: add option to save signature lists | James Bottomley | 1 | -4/+23
2013-02-28 | efi-readvar: add documentation and variable list restrictions | James Bottomley | 2 | -6/+96
2013-02-27 | Makefile: Correct a cockup in .auth file generation | James Bottomley | 2 | -3/+9
The .auth file generator is completely wrong: the PK and KEK have to be signed with PK; DB has to be signed with KEK
2013-02-27 | efi-updatevar: add utility to perform the tasks of UpdateVars.efi | James Bottomley | 6 | -2/+304
2013-02-27 | kernel_efivars: fix check for fedora | James Bottomley | 1 | -4/+15
For some weird reason, mount -l -t efivarfs is illegal on fedora. Just do mount -l and grep for efivarfs.
2013-02-27 | efi-keytool, efi-readvar: begin constructing linux versions of efi tools | James Bottomley | 4 | -1/+161
keytool is basically vestigial. readvar does most of what ReadVar.efi does. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-02-27 | guid: add compare_guid() function for linux executables | James Bottomley | 2 | -0/+7
2013-02-27 | kernel_efivars: add library routine to parse efivarfs entries | James Bottomley | 5 | -17/+170
This will be the basis for reconstructing most of the efi tools as linux utilities Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-02-23 | Version 1.3.6 [v1.3.6] | James Bottomley | 1 | -1/+1
2013-02-23 | Make.rules: add a finder for all the daft places gnu-efi installs on distros | James Bottomley | 1 | -2/+5
2013-02-18 | PreLoader: add check to permit booting on a non secure boot system | James Bottomley | 1 | -1/+29
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-02-04 | Version 1.3.5 [v1.3.5] | James Bottomley | 1 | -1/+1
2013-02-04 | PreLoader: per Microsoft request, remove KeyTool from authorised hash | James Bottomley | 1 | -1/+1
2013-02-02 | ReadVars: add -c option (no print) | James Bottomley | 1 | -3/+7
2013-01-22 | ReadVars: Update to allow single variable selection and asn1 parse x509 | James Bottomley | 2 | -34/+117
2013-01-22 | UpdateVars: Factor out argsplit | James Bottomley | 4 | -46/+61
2013-01-22 | ReadVars: add Mok Variable | James Bottomley | 1 | -2/+2
2013-01-22 | UpdateVars: Fix to work on shells that don't erroneously have a trailing space | James Bottomley | 1 | -7/+9
2013-01-22 | UpdateVars: Add ability to calculate hash from binary | James Bottomley | 1 | -4/+20
2013-01-22 | UpdateVars: Allow updating of MoK variables | James Bottomley | 1 | -6/+21
2013-01-20 | Version 1.3.4 [v1.3.4] | James Bottomley | 1 | -1/+1
2013-01-20 | security_policy: per UEFI spec, explicit hash can override forbidden sig | James Bottomley | 1 | -7/+0
to override and explicit hash, there has to be a hash in dbx
2013-01-20 | configtable: remove rest of debugging prints | James Bottomley | 1 | -3/+5
2013-01-20 | security_policy: don't check image table in legacy if mok fails | James Bottomley | 1 | -2/+1
If the MoK test fails, no need to check the image table as well. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-20 | security_policy: Consult the image table to find dbx forbidden keys | James Bottomley | 4 | -3/+220
Since the basis of the ease of matching on Mok is hashes only, we can't tell when we're executing an efi utility that is signed with a revoked key. We can fix this by looking at the entries in the image execution information table and seeing why the image execution was failed. There's a complication in this in that very few manufacturers seem to have implemented the image execution information table to spec (most miss out the required application name), so we have to parse it heuristically and try to check for errors. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-20 | console: fix bug where ESC isn't properly propagated | James Bottomley | 1 | -0/+3
In a long selector, if you scroll down, ESC isn't reported correctly. Fix by making sure -1 is returned instead of adding it to the offset. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-16 | Version 1.3.3 [v1.3.3] | James Bottomley | 1 | -1/+1
2013-01-16 | console: no return from console_reset() | James Bottomley | 2 | -2/+2
2013-01-09 | KeyTool: TianoCore still allows unauthenticated updates in user mode | James Bottomley | 2 | -4/+6
Fix by preventing
2013-01-09 | HashTool: Don't display keytool prompt if no executable | James Bottomley | 1 | -1/+1
2013-01-09 | KeyTool: Better errors on save keys | James Bottomley | 2 | -7/+8
some platforms (tianocore) are giving invalid parameter occasionally to the request to save keys in the root->Open function. Still no idea why, but make sure diagnosis is easier. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-09 | console, PreLoader: add console reset | James Bottomley | 3 | -0/+15
The console may be ill defined, add a reset to mode 0 (which is required to be present) to fix this. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-09 | security_policy: fix a problem with the UEFI confusion over security failure | James Bottomley | 1 | -4/+17
The UEFI spec is confused (and has changed with later revisions) over whether EFI_ACCESS_DENIED or EFI_SECURITY_VIOLATION should be returned for a signature verification failure and subsequent refusal to execute. Originally security_policy returned EFI_SECURITY_VIOLATION as required by the latest Errata C. However this isn't correct on some platforms, so cache the security failure return and return the cached value in the event that the MOK checks fail. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-07 | Version: 1.3.2 [v1.3.2] | James Bottomley | 1 | -1/+1
2013-01-07 | security_policy: don't allow internal hash to override dbx | James Bottomley | 1 | -1/+1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-07KeyTool: Fix key deletionJames Bottomley1-29/+38
It works by deleting full signature lists. Make it work if the key is in the middle of a signature list. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-02console: fix problem with ESC and no selectionJames Bottomley3-5/+8
Must use a high positive number to initialise unselected variables, so make it NOSEL and put it in console.h Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-01KeyTool: Permit saving of individual keys in their entiretyJames Bottomley1-55/+119
2013-01-01Error handling for sha256 hash failuresJames Bottomley3-4/+24
We can only hash valid EFI binaries, so print error if hash fails. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-01-01KeyTool: Add MokList to list of saved variablesJames Bottomley1-2/+3
2013-01-01hash-to-efi-sig-list: Allow creation of multiple hashesJames Bottomley1-25/+33
Within the same signature list for testing purposes. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-31KeyTool: should still be able to delete MOK entries in user modeJames Bottomley1-1/+1
2012-12-31KeyTool: Fix hang when saving all keysJames Bottomley1-0/+1
2012-12-31KeyTool: Implement adding certificates from DER format .cer filesJames Bottomley3-51/+47
2012-12-31sig-list-to-certs: use new traversal mechanismJames Bottomley1-57/+63
2012-12-30Keytool/Variables: Improve signature list traversal.James Bottomley3-38/+36
Move efi signature list traversal into a macro to make sure it goes correctly every time. Also fix a bug traversing multiple signatures in the same signature list. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-30UpdateVars: Allow updating with an esl fileJames Bottomley1-32/+17
Also tidy up some dangling functions now in variables.c
2012-12-30variables.c: Don't do an ESL update to PK in user modeJames Bottomley1-5/+14
MS request, plus tidy up functions a bit
2012-12-30Hashtool: eliminate option to move programmatically to setup modeJames Bottomley1-7/+9
2012-12-20Version: 1.3.1v1.3.1James Bottomley1-1/+1
2012-12-20console.c: fix oversize lines in printingJames Bottomley1-11/+10
2012-12-20Version 1.3v1.3James Bottomley1-1/+1
2012-12-20Update with changes required by MicrosoftJames Bottomley3-10/+24
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-12Merge branch 'v1.2'James Bottomley1-6/+7
Pull in generate_path() fix
2012-12-12execute: fix some of the quirks in DevPathToStr()James Bottomley1-6/+7
Apparently it can use a forward slash '/' anywhere in the path name to indicate the split between the device the file is on and the rest of the name. Turn it back to a backslash '\' and make sure we don't have multiple ones at the end. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-12security_policy: put the return in the right place!James Bottomley1-2/+2
2012-12-12gitignore: test binary and a few other filesJames Bottomley2-0/+7
2012-12-12enumerator: pull out lots of unused codeJames Bottomley2-296/+0
2012-12-12identification: work in both EFI and non-EFI environmentsJames Bottomley2-3/+6
All ASN1 strings are ASCII like encodings. To display this in the EFI SPrint() and equivalents you have to use %a. However for normal printf this has to be %s, so abstract this difference Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-12asn1: eliminate more unused code from identification.cJames Bottomley2-103/+4
2012-12-12Keytool: Display rudimentary asn1 information about the keysJames Bottomley7-15/+75
Use the asn1 parser to print subject and issuer Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-12asn1: complete definitions and strip copied filesJames Bottomley15-1968/+88
2012-12-12asn1: more updates to pare the parser downJames Bottomley4-37/+38
2012-12-12asn1: complete parser with more pieces from strongswanJames Bottomley11-0/+2511
2012-12-12asn1: Add parser files straight from strongswan-5.0.1James Bottomley8-0/+2689
2012-12-12Merge tag 'v1.2.3'James Bottomley6-4/+17
version: 1.2.3 Merge fixes from 1.2.3 into main trunk
2012-12-11version: 1.2.3v1.2.3James Bottomley1-1/+1
2012-12-11SetNull: simple program to prevent *NULL from being 0James Bottomley2-1/+12
2012-12-11version: 1.2.2v1.2.2James Bottomley1-1/+1
2012-12-11simple_file: fix missing files problemJames Bottomley4-3/+5
If the filter is NULL, simple file dereferences *NULL. It just so happens on a lot of systems this is zero and everything works, but on some it isn't and thus no files appear. Fix this by explicitly checking for NULL and replacing it with a pointer to the empty string. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-11KeyTool: Add ability to enrol hashJames Bottomley6-63/+168
Split out hash enrollment functionality from HashTool into library functions and add it to KeyTool. Also add showing of hash when examining keys. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-11console: make selected option sticky and use in KeyTool and HashToolJames Bottomley4-11/+27
2012-12-08KeyTool: Improve key saving dialogue (add volume selector)James Bottomley1-1/+35
2012-12-08PreLoader: add error box for security policy uninstallJames Bottomley1-1/+3
Platform will basically become unusable (it will crash on the next Binary due to the dangling security policy pointer) so say so.
2012-12-08security_policy: fix five arg thunk and always install all possible policiesJames Bottomley1-30/+37
Chances are there's some platform that implements security2 but actually has the Authenticode checker in the original security policy. For this case, make sure we install both security policy handlers. Experiment shows that arg5 is at 0x28(%rsp) not 32(%rsp). Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-07version 1.2.1v1.2.1James Bottomley1-1/+1
2012-12-07Fix the file selectors to work properly in a relative directoryJames Bottomley4-77/+45
2012-12-07version: 1.2.0v1.2.0James Bottomley1-1/+1
2012-12-07security_policy: Make it functional on PI 1.2 systemsJames Bottomley5-41/+223
Apparently security2_policy was a PI 1.2.1 addition, so most current UEFI systems only support the prior security_policy. Fix our security policy to check for security2 first and fall back if it's not found. Also fix up the thunking between EFI and ELF so it actually works. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-06Bump version to 1.1.0v1.1.0James Bottomley1-1/+1
2012-12-06PreLoader: Add dialogue boxes and make suitable for gummibootJames Bottomley1-14/+40
2012-12-06simple_file: Put .. directory last alwaysJames Bottomley1-11/+25
2012-12-06simple_file: Fix directory traversalJames Bottomley1-10/+12
It was broken when the multiple entries filter was introduced
2012-12-06security_policy: remove debuggingJames Bottomley3-13/+0
2012-12-06gitignore: ignore new hash-to-efi-sig-list and *.hash filesJames Bottomley1-0/+2
2012-12-06Move PreLoader and HashTool to new execution modelJames Bottomley2-17/+22
2012-12-06sha256.h: main dir efi objects aren't built with BUILD_EFIJames Bottomley1-2/+0
2012-12-06execute: add capability to execute via Boot ServicesJames Bottomley5-130/+175
plus split generate_path() out of simple_file
2012-12-06add new security_policyJames Bottomley3-1/+214
This library file has an installable security policy which overrides the default policy in EFI_SECURITY2_ARCH_PROTOCOL with a MOK based one before falling back to the previous policy. The design of this is that the firstboot system can install the new security policy (including static keys carried in its body) and then use the standard UEFI execution mechanisms to spawn the next programs (so no need to load and link the executables). The security policy change remains in force until the first boot loader exits. This is required because the new breed of EFI bootloaders (like gummiboot) use the standard EFI execution calls to start kernels. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-06guid: add SECURITY2_PROTOCOL_GUIDJames Bottomley2-0/+2
2012-12-06variables: separate find_in_esl() from find_in_variable_esl()James Bottomley2-7/+23
2012-12-04Loader: rename boot loader to linux-loader.efiJames Bottomley1-1/+1
2012-12-04version: add automated version numbersv1.0.0James Bottomley4-18/+11
set at 1.0.0
2012-12-04PreLoader: Add built in whitelist hash tableJames Bottomley5-6/+36
This allows us to pre-authorise some of the other pre-build binaries (currently only HashTool.efi, Loader.efi and KeyTool.efi) Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-04hash-to-efi-sig-list: new binary to create hashes as efi signature listsJames Bottomley6-26/+189
2012-12-04simple_file: fix bug in generate_path on top level filesJames Bottomley1-1/+2
2012-12-03HelloWorld: Add return to shut obs upJames Bottomley1-0/+2
2012-12-03Remove debugging statementsJames Bottomley2-6/+1
2012-12-03mkusb.sh: script to create a bootable USB image with the filesJames Bottomley2-0/+38
2012-12-03HashTool: KeyTool binary needs preceding backslashJames Bottomley1-1/+1
2012-12-03HelloWorld: Replace with console box based oneJames Bottomley2-9/+11
There's no point having the old helloworld, which prints and exits because UEFI secure boot systems don't have a shell, so replace with one that does a splash screen message and waits for input Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-03Fix problem with efi status returnJames Bottomley2-4/+4
Have to expect either EFI_ACCESS_DENIED or EFI_SECURITY_VIOLATION if there's a signature failure loading a binary Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-12-03Makefile: go back to single signature binariesJames Bottomley2-6/+9
We previously did kek and db signing because a prior version of the UEFI spec allowed it. It's now disallowed, so only sign with db key
2012-12-03PreLoader: Simple preloaderJames Bottomley2-1/+58