]>
Commit | Line | Data |
---|---|---|
52ad194e | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
81c58355 MB |
2 | /* |
3 | * This program is free software; you can redistribute it and/or modify it | |
4 | * under the terms of the GNU Lesser General Public License as published by | |
5 | * the Free Software Foundation; either version 2.1 of the License, or | |
6 | * (at your option) any later version. | |
7 | * | |
8 | * This program is distributed in the hope that it will be useful, but | |
9 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
11 | * Lesser General Public License for more details. | |
12 | * | |
13 | * Port to systemd-boot | |
14 | * Copyright 2017 Max Resch <resch.max@gmail.com> | |
15 | * | |
16 | * Security Policy Handling | |
17 | * Copyright 2012 <James.Bottomley@HansenPartnership.com> | |
18 | * https://github.com/mjg59/efitools | |
19 | */ | |
20 | ||
21 | #include <efi.h> | |
22 | #include <efilib.h> | |
23 | ||
24 | #include "util.h" | |
25 | #include "shim.h" | |
26 | ||
27 | /* well known shim lock guid */ | |
28 | #define SHIM_LOCK_GUID | |
29 | ||
30 | struct ShimLock { | |
31 | EFI_STATUS __attribute__((sysv_abi)) (*shim_verify) (VOID *buffer, UINT32 size); | |
32 | ||
33 | /* context is actually a struct for the PE header, but it isn't needed so void is sufficient just do define the interface | |
34 | * see shim.c/shim.h and PeHeader.h in the github shim repo */ | |
35 | EFI_STATUS __attribute__((sysv_abi)) (*generate_hash) (VOID *data, UINT32 datasize, VOID *context, UINT8 *sha256hash, UINT8 *sha1hash); | |
36 | ||
37 | EFI_STATUS __attribute__((sysv_abi)) (*read_header) (VOID *data, UINT32 datasize, VOID *context); | |
38 | }; | |
39 | ||
40 | static const EFI_GUID simple_fs_guid = SIMPLE_FILE_SYSTEM_PROTOCOL; | |
41 | static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE; | |
42 | ||
43 | static const EFI_GUID security_protocol_guid = { 0xa46423e3, 0x4617, 0x49f1, {0xb9, 0xff, 0xd1, 0xbf, 0xa9, 0x11, 0x58, 0x39 } }; | |
44 | static const EFI_GUID security2_protocol_guid = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; | |
45 | static const EFI_GUID shim_lock_guid = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; | |
46 | ||
47 | BOOLEAN shim_loaded(void) { | |
48 | struct ShimLock *shim_lock; | |
49 | ||
50 | return uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &shim_lock_guid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS; | |
51 | } | |
52 | ||
53 | static BOOLEAN shim_validate(VOID *data, UINT32 size) { | |
54 | struct ShimLock *shim_lock; | |
55 | ||
56 | if (!data) | |
57 | return FALSE; | |
58 | ||
59 | if (uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &shim_lock_guid, NULL, (VOID**) &shim_lock) != EFI_SUCCESS) | |
60 | return FALSE; | |
61 | ||
62 | if (!shim_lock) | |
63 | return FALSE; | |
64 | ||
52ad194e | 65 | return shim_lock->shim_verify(data, size) == EFI_SUCCESS; |
81c58355 MB |
66 | } |
67 | ||
68 | BOOLEAN secure_boot_enabled(void) { | |
69 | CHAR8 *b; | |
70 | UINTN size; | |
71 | BOOLEAN result; | |
72 | ||
73 | if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) { | |
74 | result = *b > 0; | |
75 | FreePool(b); | |
76 | return result; | |
77 | } | |
78 | ||
79 | return FALSE; | |
80 | } | |
81 | ||
82 | /* | |
83 | * See the UEFI Platform Initialization manual (Vol2: DXE) for this | |
84 | */ | |
85 | struct _EFI_SECURITY2_PROTOCOL; | |
86 | struct _EFI_SECURITY_PROTOCOL; | |
87 | struct _EFI_DEVICE_PATH_PROTOCOL; | |
88 | ||
89 | typedef struct _EFI_SECURITY2_PROTOCOL EFI_SECURITY2_PROTOCOL; | |
90 | typedef struct _EFI_SECURITY_PROTOCOL EFI_SECURITY_PROTOCOL; | |
91 | typedef struct _EFI_DEVICE_PATH_PROTOCOL EFI_DEVICE_PATH_PROTOCOL; | |
92 | ||
93 | typedef EFI_STATUS (EFIAPI *EFI_SECURITY_FILE_AUTHENTICATION_STATE) ( | |
94 | const EFI_SECURITY_PROTOCOL *This, | |
95 | UINT32 AuthenticationStatus, | |
96 | const EFI_DEVICE_PATH_PROTOCOL *File | |
97 | ); | |
98 | ||
99 | typedef EFI_STATUS (EFIAPI *EFI_SECURITY2_FILE_AUTHENTICATION) ( | |
100 | const EFI_SECURITY2_PROTOCOL *This, | |
101 | const EFI_DEVICE_PATH_PROTOCOL *DevicePath, | |
102 | VOID *FileBuffer, | |
103 | UINTN FileSize, | |
104 | BOOLEAN BootPolicy | |
105 | ); | |
106 | ||
107 | struct _EFI_SECURITY2_PROTOCOL { | |
108 | EFI_SECURITY2_FILE_AUTHENTICATION FileAuthentication; | |
109 | }; | |
110 | ||
111 | struct _EFI_SECURITY_PROTOCOL { | |
112 | EFI_SECURITY_FILE_AUTHENTICATION_STATE FileAuthenticationState; | |
113 | }; | |
114 | ||
115 | /* Handle to the original authenticator for security1 protocol */ | |
116 | static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; | |
117 | ||
118 | /* Handle to the original authenticator for security2 protocol */ | |
119 | static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; | |
120 | ||
121 | /* | |
122 | * Perform shim/MOK and Secure Boot authentication on a binary that's already been | |
123 | * loaded into memory. This function does the platform SB authentication first | |
124 | * but preserves its return value in case of its failure, so that it can be | |
125 | * returned in case of a shim/MOK authentication failure. This is done because | |
126 | * the SB failure code seems to vary from one implementation to another, and I | |
127 | * don't want to interfere with that at this time. | |
128 | */ | |
129 | static EFIAPI EFI_STATUS security2_policy_authentication (const EFI_SECURITY2_PROTOCOL *this, | |
130 | const EFI_DEVICE_PATH_PROTOCOL *device_path, | |
131 | VOID *file_buffer, UINTN file_size, BOOLEAN boot_policy) { | |
132 | EFI_STATUS status; | |
133 | ||
134 | /* Chain original security policy */ | |
135 | status = uefi_call_wrapper(es2fa, 5, this, device_path, file_buffer, file_size, boot_policy); | |
136 | ||
137 | /* if OK, don't bother with MOK check */ | |
138 | if (status == EFI_SUCCESS) | |
139 | return status; | |
140 | ||
141 | if (shim_validate(file_buffer, file_size)) | |
142 | return EFI_SUCCESS; | |
143 | ||
144 | return status; | |
145 | } | |
146 | ||
147 | /* | |
148 | * Perform both shim/MOK and platform Secure Boot authentication. This function loads | |
149 | * the file and performs shim/MOK authentication first simply to avoid double loads | |
150 | * of Linux kernels, which are much more likely to be shim/MOK-signed than platform-signed, | |
151 | * since kernels are big and can take several seconds to load on some computers and | |
152 | * filesystems. This also has the effect of returning whatever the platform code is for | |
153 | * authentication failure, be it EFI_ACCESS_DENIED, EFI_SECURITY_VIOLATION, or something | |
154 | * else. (This seems to vary between implementations.) | |
155 | */ | |
156 | static EFIAPI EFI_STATUS security_policy_authentication (const EFI_SECURITY_PROTOCOL *this, UINT32 authentication_status, | |
157 | const EFI_DEVICE_PATH_PROTOCOL *device_path_const) { | |
158 | EFI_STATUS status; | |
159 | EFI_DEVICE_PATH *dev_path; | |
160 | EFI_HANDLE h; | |
161 | EFI_FILE *root; | |
52ad194e | 162 | CHAR8 *file_buffer = NULL; |
81c58355 MB |
163 | UINTN file_size; |
164 | CHAR16 *dev_path_str; | |
165 | ||
166 | if (!device_path_const) | |
167 | return EFI_INVALID_PARAMETER; | |
168 | ||
169 | dev_path = DuplicateDevicePath((EFI_DEVICE_PATH*) device_path_const); | |
170 | ||
171 | status = uefi_call_wrapper(BS->LocateDevicePath, 3, (EFI_GUID*) &simple_fs_guid, &dev_path, &h); | |
172 | if (status != EFI_SUCCESS) { | |
173 | FreePool(dev_path); | |
174 | return status; | |
175 | } | |
176 | ||
177 | /* No need to check return value, this already happend in efi_main() */ | |
178 | root = LibOpenRoot(h); | |
179 | dev_path_str = DevicePathToStr(dev_path); | |
180 | FreePool(dev_path); | |
181 | ||
52ad194e | 182 | file_size = file_read(root, dev_path_str, 0, 0, &file_buffer); |
81c58355 MB |
183 | FreePool(dev_path_str); |
184 | uefi_call_wrapper(root->Close, 1, root); | |
185 | ||
186 | if (shim_validate(file_buffer, file_size)) | |
187 | status = EFI_SUCCESS; | |
52ad194e MB |
188 | else |
189 | /* Try using the platform's native policy.... */ | |
81c58355 | 190 | status = uefi_call_wrapper(esfas, 3, this, authentication_status, device_path_const); |
52ad194e | 191 | FreePool(file_buffer); |
81c58355 MB |
192 | |
193 | return status; | |
194 | } | |
195 | ||
196 | EFI_STATUS security_policy_install(void) { | |
197 | EFI_SECURITY_PROTOCOL *security_protocol; | |
198 | EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; | |
199 | EFI_STATUS status; | |
200 | ||
201 | /* Already Installed */ | |
202 | if (esfas) | |
203 | return EFI_ALREADY_STARTED; | |
204 | ||
205 | /* | |
52ad194e MB |
206 | * Don't bother with status here. The call is allowed |
207 | * to fail, since SECURITY2 was introduced in PI 1.2.1. | |
208 | * Use security2_protocol == NULL as indicator. | |
81c58355 MB |
209 | */ |
210 | uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security2_protocol_guid, NULL, (VOID**) &security2_protocol); | |
211 | ||
212 | status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security_protocol_guid, NULL, (VOID**) &security_protocol); | |
213 | /* This one is mandatory, so there's a serious problem */ | |
214 | if (status != EFI_SUCCESS) | |
215 | return status; | |
216 | ||
52ad194e MB |
217 | esfas = security_protocol->FileAuthenticationState; |
218 | security_protocol->FileAuthenticationState = security_policy_authentication; | |
219 | ||
220 | if (security2_protocol) { | |
81c58355 MB |
221 | es2fa = security2_protocol->FileAuthentication; |
222 | security2_protocol->FileAuthentication = security2_policy_authentication; | |
223 | } | |
224 | ||
81c58355 MB |
225 | return EFI_SUCCESS; |
226 | } | |
227 | ||
228 | EFI_STATUS security_policy_uninstall(void) { | |
229 | EFI_STATUS status; | |
230 | ||
231 | if (esfas) { | |
232 | EFI_SECURITY_PROTOCOL *security_protocol; | |
233 | ||
234 | status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security_protocol_guid, NULL, (VOID**) &security_protocol); | |
235 | ||
236 | if (status != EFI_SUCCESS) | |
237 | return status; | |
238 | ||
239 | security_protocol->FileAuthenticationState = esfas; | |
240 | esfas = NULL; | |
241 | } else | |
242 | /* nothing installed */ | |
243 | return EFI_NOT_STARTED; | |
244 | ||
245 | if (es2fa) { | |
246 | EFI_SECURITY2_PROTOCOL *security2_protocol; | |
247 | ||
248 | status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security2_protocol_guid, NULL, (VOID**) &security2_protocol); | |
249 | ||
250 | if (status != EFI_SUCCESS) | |
251 | return status; | |
252 | ||
253 | security2_protocol->FileAuthentication = es2fa; | |
254 | es2fa = NULL; | |
255 | } | |
256 | ||
257 | return EFI_SUCCESS; | |
258 | } |