1 // SPDX-License-Identifier: BSD-2-Clause-Patent
/*
 * Compiler version probes. GNUC_PREREQ(maj, min) and CLANG_PREREQ(maj, min)
 * pack the compiler's own major/minor as (major << 16) + minor and compare
 * that with the requested minimum, so the result is non-zero when the
 * compiler is at least version maj.min.
 *
 * The second definition of each macro (constant 0) is presumably the #else
 * branch for a compiler that does not define the version macros. The
 * #else/#endif lines are not part of this listing (the embedded line
 * numbers skip them).
 */
10 #if defined __GNUC__ && defined __GNUC_MINOR__
11 # define GNUC_PREREQ(maj, min) \
12 ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
14 # define GNUC_PREREQ(maj, min) 0
16 #if defined __clang_major__ && defined __clang_minor__
17 # define CLANG_PREREQ(maj, min) \
18 ((__clang_major__ << 16) + __clang_minor__ >= ((maj) << 16) + (min))
20 # define CLANG_PREREQ(maj, min) 0
/*
 * x86_64 toolchain gate. The build is stopped with #error unless the
 * compiler is GCC >= 4.7 or clang >= 3.4, i.e. new enough for
 * __attribute__((__ms_abi__)) and __builtin_ms_va_list.
 */
23 #if defined(__x86_64__)
24 /* gcc 4.5.4 is the first documented release with -mabi=ms */
25 /* gcc 4.7.1 is the first one with __builtin_ms_va_list */
26 #if !GNUC_PREREQ(4, 7) && !CLANG_PREREQ(3, 4)
27 #error On x86_64 you must have a compiler new enough to support __attribute__((__ms_abi__))
/*
 * NOTE(review): no matching "diagnostic push"/"pop" is visible in this
 * listing, so the suppression below presumably stays in effect for the rest
 * of the translation unit. -Wpointer-bool-conversion is the warning that
 * flags an address used as an always-true condition; keep that in mind when
 * reviewing pointer checks built with clang. Confirm the scope in the full file.
 */
30 #if CLANG_PREREQ(3, 4)
31 #pragma GCC diagnostic ignored "-Wpointer-bool-conversion"
/*
 * Select gnu-efi's external stdarg and MS ABI modes unless the build
 * already defined them, and drop any NO_BUILTIN_VA_FUNCS setting.
 */
34 #if !defined(GNU_EFI_USE_EXTERNAL_STDARG)
35 #define GNU_EFI_USE_EXTERNAL_STDARG
38 #if !defined(GNU_EFI_USE_MS_ABI)
39 #define GNU_EFI_USE_MS_ABI
42 #ifdef NO_BUILTIN_VA_FUNCS
43 #undef NO_BUILTIN_VA_FUNCS
55 #ifndef SHIM_UNIT_TEST
58 #undef uefi_call_wrapper
/*
 * Build-time sanity check: on x86_64 the gnu-efi headers must have ended up
 * defining HAVE_USE_MS_ABI; otherwise the build fails here instead of
 * producing a binary with a mismatched firmware calling convention.
 */
62 #if defined(__x86_64__) && !defined(HAVE_USE_MS_ABI)
63 #error something has gone wrong with the gnu-efi includes and defines
68 #include "include/test.h"
/*
 * Per-architecture defaults: the loader file name (wide and narrow forms),
 * the EFI_ARCH suffix and the debug-info directory.
 *
 * DEFAULT_LOADER and DEFAULT_LOADER_CHAR sit behind #ifndef, so a build can
 * override them; EFI_ARCH and DEBUGDIR are defined unconditionally within
 * each group. The two loader macros are separate literals and nothing here
 * keeps them in sync, so an override has to set both.
 *
 * NOTE(review): presumably DEFAULT_LOADER names the next-stage image that
 * shim loads. That use is not visible in this header, so confirm in the
 * callers that the image is verified before it is started.
 *
 * The first group carries the x64 names; its architecture guard and the
 * #endif lines are not part of this listing.
 */
72 #ifndef DEFAULT_LOADER
73 #define DEFAULT_LOADER L"\\grubx64.efi"
75 #ifndef DEFAULT_LOADER_CHAR
76 #define DEFAULT_LOADER_CHAR "\\grubx64.efi"
79 #define EFI_ARCH L"x64"
82 #define DEBUGDIR L"/usr/lib/debug/usr/share/shim/x64/"
86 #if defined(__i686__) || defined(__i386__)
87 #ifndef DEFAULT_LOADER
88 #define DEFAULT_LOADER L"\\grubia32.efi"
90 #ifndef DEFAULT_LOADER_CHAR
91 #define DEFAULT_LOADER_CHAR "\\grubia32.efi"
94 #define EFI_ARCH L"ia32"
97 #define DEBUGDIR L"/usr/lib/debug/usr/share/shim/ia32/"
101 #if defined(__aarch64__)
102 #ifndef DEFAULT_LOADER
103 #define DEFAULT_LOADER L"\\grubaa64.efi"
105 #ifndef DEFAULT_LOADER_CHAR
106 #define DEFAULT_LOADER_CHAR "\\grubaa64.efi"
109 #define EFI_ARCH L"aa64"
112 #define DEBUGDIR L"/usr/lib/debug/usr/share/shim/aa64/"
/* 32-bit ARM group; its architecture guard line is not part of this listing. */
117 #ifndef DEFAULT_LOADER
118 #define DEFAULT_LOADER L"\\grubarm.efi"
120 #ifndef DEFAULT_LOADER_CHAR
121 #define DEFAULT_LOADER_CHAR "\\grubarm.efi"
124 #define EFI_ARCH L"arm"
127 #define DEBUGDIR L"/usr/lib/debug/usr/share/shim/arm/"
/*
 * Names derived from EFI_ARCH by string-literal concatenation: the debug
 * source directory (also uses VERSIONSTR, defined outside this listing) and
 * the fb<arch>.efi / mm<arch>.efi file names.
 */
132 #define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH
135 #define FALLBACK L"\\fb" EFI_ARCH L".efi"
136 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
/*
 * Build-time selection of the symbols behind vendor_authorized and
 * vendor_deauthorized (presumably the embedded vendor allow and deny data;
 * their contents are defined outside this header).
 *
 * Precedence for vendor_authorized follows the #if/#elif order:
 *   VENDOR_DB_FILE   -> vendor_db,   category VENDOR_ADDEND_DB
 *   VENDOR_CERT_FILE -> vendor_cert, category VENDOR_ADDEND_X509
 *   neither          -> vendor_null, category VENDOR_ADDEND_NONE
 * If both macros are defined, only the VENDOR_DB_FILE branch is used.
 *
 * The vendor_null and vendor_deauthorized_null aliases are presumably the
 * #else branches; the #else/#endif lines are not part of this listing.
 *
 * NOTE(review): these macros decide which trust material is compiled into
 * the binary, so a release build should check that the intended
 * VENDOR_*_FILE macro was actually defined and did not fall through to the
 * null alias.
 */
138 #if defined(VENDOR_DB_FILE)
139 # define vendor_authorized vendor_db
140 # define vendor_authorized_size vendor_db_size
141 # define vendor_authorized_category VENDOR_ADDEND_DB
142 #elif defined(VENDOR_CERT_FILE)
143 # define vendor_authorized vendor_cert
144 # define vendor_authorized_size vendor_cert_size
145 # define vendor_authorized_category VENDOR_ADDEND_X509
147 # define vendor_authorized vendor_null
148 # define vendor_authorized_size vendor_null_size
149 # define vendor_authorized_category VENDOR_ADDEND_NONE
/* Deny-side counterpart, keyed on VENDOR_DBX_FILE. */
152 #if defined(VENDOR_DBX_FILE)
153 # define vendor_deauthorized vendor_dbx
154 # define vendor_deauthorized_size vendor_dbx_size
156 # define vendor_deauthorized vendor_deauthorized_null
157 # define vendor_deauthorized_size vendor_deauthorized_null_size
160 #include "include/asm.h"
161 #include "include/compiler.h"
162 #include "include/list.h"
163 #include "include/configtable.h"
164 #include "include/console.h"
165 #include "include/crypt_blowfish.h"
166 #include "include/efiauthenticated.h"
167 #include "include/errors.h"
168 #include "include/execute.h"
169 #include "include/guid.h"
170 #include "include/http.h"
171 #include "include/httpboot.h"
172 #include "include/ip4config2.h"
173 #include "include/ip6config.h"
174 #include "include/load-options.h"
175 #include "include/mok.h"
176 #include "include/netboot.h"
177 #include "include/passwordcrypt.h"
178 #include "include/peimage.h"
179 #include "include/pe.h"
180 #include "include/replacements.h"
181 #include "include/sbat.h"
182 #include "include/sbat_var_defs.h"
183 #include "include/ssp.h"
184 #if defined(OVERRIDE_SECURITY_POLICY)
185 #include "include/security_policy.h"
187 #include "include/simple_file.h"
188 #include "include/str.h"
189 #include "include/tpm.h"
190 #include "include/cc.h"
191 #include "include/ucs2.h"
192 #include "include/variables.h"
193 #include "include/hexdump.h"
197 #ifndef SHIM_UNIT_TEST
198 #include "Cryptlib/Include/OpenSslSupport.h"
/*
 * _SHIM_LOCK interface: three function-pointer types
 * (EFI_SHIM_LOCK_VERIFY, EFI_SHIM_LOCK_HASH, EFI_SHIM_LOCK_CONTEXT) and the
 * struct that exposes them as the members Verify, Hash and Context.
 *
 * This listing is incomplete here: the typedef/return-type lines, most
 * parameter lines and the closing lines are missing (the embedded line
 * numbers skip them), so the full signatures cannot be read from this page.
 * The visible parameters are a PE_COFF_LOADER_IMAGE_CONTEXT pointer for
 * Hash and Context, and an "unsigned int datasize" for Context.
 */
205 INTERFACE_DECL(_SHIM_LOCK
);
209 (*EFI_SHIM_LOCK_VERIFY
) (
216 (*EFI_SHIM_LOCK_HASH
) (
219 PE_COFF_LOADER_IMAGE_CONTEXT
*context
,
226 (*EFI_SHIM_LOCK_CONTEXT
) (
228 IN
unsigned int datasize
,
229 PE_COFF_LOADER_IMAGE_CONTEXT
*context
/* Table of the three entry points declared above. */
232 typedef struct _SHIM_LOCK
{
233 EFI_SHIM_LOCK_VERIFY Verify
;
234 EFI_SHIM_LOCK_HASH Hash
;
235 EFI_SHIM_LOCK_CONTEXT Context
;
/*
 * Entry points and logging helpers declared for the rest of the project.
 * LogError_ and VLogError take a wide-character format string plus the
 * caller's file/line/function; LogError_ is variadic, VLogError takes an
 * ms_va_list. LogHexdump_ takes a data pointer and an explicit size.
 */
238 extern EFI_STATUS
shim_init(void);
239 extern void shim_fini(void);
240 extern EFI_STATUS EFIAPI
LogError_(const char *file
, int line
, const char *func
,
241 const CHAR16
*fmt
, ...);
242 extern EFI_STATUS EFIAPI
VLogError(const char *file
, int line
, const char *func
,
243 const CHAR16
*fmt
, ms_va_list args
);
244 extern VOID
LogHexdump_(const char *file
, int line
, const char *func
,
245 const void *data
, size_t sz
);
246 extern VOID
PrintErrors(VOID
);
247 extern VOID
ClearErrors(VOID
);
248 extern VOID
restore_loaded_image(VOID
);
249 extern EFI_STATUS
start_image(EFI_HANDLE image_handle
, CHAR16
*ImagePath
);
250 extern EFI_STATUS
import_mok_state(EFI_HANDLE image_handle
);
/*
 * Pointer/size pairs for certificate data. Each buffer is a UINT8 pointer
 * with a separate UINT32 length, so consumers must bound every read by the
 * matching *_size value. vendor_authorized and vendor_deauthorized are
 * macros in this header and expand to the build-selected symbol names.
 */
252 extern UINT32 vendor_authorized_size
;
253 extern UINT8
*vendor_authorized
;
255 extern UINT32 vendor_deauthorized_size
;
256 extern UINT8
*vendor_deauthorized
;
258 extern UINT32 user_cert_size
;
259 extern UINT8
*user_cert
;
/* Only declared when the build defines ENABLE_SHIM_CERT. */
261 #if defined(ENABLE_SHIM_CERT)
262 extern UINT32 build_cert_size
;
263 extern UINT8
*build_cert
;
264 #endif /* defined(ENABLE_SHIM_CERT) */
/*
 * NOTE(review): the names of the four flags below suggest that they relax
 * or alter signature-verification policy. This header only declares them;
 * where they are set, and whether the value comes from an authenticated
 * source, has to be confirmed in the definitions. They are writable globals,
 * so any code in the image can change them.
 */
266 extern UINT8 user_insecure_mode
;
267 extern UINT8 ignore_db
;
268 extern UINT8 trust_mok_list
;
269 extern UINT8 mok_policy
;
271 extern UINT8 in_protocol
;
/* Untyped load-options buffer with its length kept separately. */
272 extern void *load_options
;
273 extern UINT32 load_options_size
;
275 BOOLEAN
secure_mode (void);
/*
 * verify_buffer takes an image buffer with its length, a PE/COFF loader
 * context and two hash buffers. The return-type line is not part of this
 * listing.
 *
 * NOTE(review): datasize is a signed int here, while EFI_SHIM_LOCK_CONTEXT
 * in this same header takes "unsigned int datasize". A length that comes
 * from an untrusted image and is converted between the two can become
 * negative, so callers should range-check it before the call. The sizes
 * required for sha256hash and sha1hash are not expressed in the prototype.
 */
278 verify_buffer (char *data
, int datasize
,
279 PE_COFF_LOADER_IMAGE_CONTEXT
*context
,
280 UINT8
*sha256hash
, UINT8
*sha1hash
);
/*
 * Error-reporting macros (GNU statement expressions).
 *
 * perror_(file, line, func, fmt, ...) prints the message with
 * console_print() and records it with LogError_(). perror() and LogError()
 * supply __FILE__, __LINE__ - 1 and __func__ for the caller.
 * Each macro carries a _Static_assert that fmt is not NULL.
 *
 * NOTE(review): perror_ expands fmt and the variadic arguments twice, once
 * into console_print() and once into LogError_(), so an argument with side
 * effects is evaluated twice.
 * NOTE(review): because fmt appears inside _Static_assert, a format that is
 * not a compile-time constant should be rejected by the compiler, which
 * keeps runtime-controlled format strings out of these macros. Confirm this
 * with the toolchain in use.
 *
 * The second perror/LogError pair is presumably the SHIM_UNIT_TEST (#else)
 * variant. Its body lines, and the closing lines of every macro here, are
 * not part of this listing (the embedded line numbers skip them).
 */
282 #ifndef SHIM_UNIT_TEST
283 #define perror_(file, line, func, fmt, ...) ({ \
284 UINTN __perror_ret = 0; \
285 _Static_assert((fmt) != NULL, \
286 "format specifier cannot be NULL"); \
288 __perror_ret = console_print((fmt), ##__VA_ARGS__); \
289 LogError_(file, line, func, fmt, ##__VA_ARGS__); \
292 #define perror(fmt, ...) ({ \
293 _Static_assert((fmt) != NULL, \
294 "format specifier cannot be NULL"); \
295 perror_(__FILE__, __LINE__ - 1, __func__, fmt, ##__VA_ARGS__); \
297 #define LogError(fmt, ...) ({ \
298 _Static_assert((fmt) != NULL, \
299 "format specifier cannot be NULL"); \
300 LogError_(__FILE__, __LINE__ - 1, __func__, fmt, ##__VA_ARGS__);\
303 #define perror(fmt, ...) ({ \
304 _Static_assert((fmt) != NULL, \
305 "format specifier cannot be NULL"); \
307 #define LogError(fmt, ...) ({ \
308 _Static_assert((fmt) != NULL, \
309 "format specifier cannot be NULL"); \
/*
 * Names of the verbosity/debug switches. A build with ENABLE_SHIM_DEVEL
 * uses the *_DEVEL_* names; the second group is presumably the #else branch
 * (the #else/#endif lines are not part of this listing).
 * SHIM_RETAIN_PROTOCOL_VAR_NAME is defined unconditionally.
 *
 * NOTE(review): presumably these are EFI variable names. The variable GUID,
 * the required attributes and who may set them are not visible here, so
 * confirm at the point where they are read, since they change runtime
 * behaviour.
 */
313 #ifdef ENABLE_SHIM_DEVEL
314 #define FALLBACK_VERBOSE_VAR_NAME L"FALLBACK_DEVEL_VERBOSE"
315 #define VERBOSE_VAR_NAME L"SHIM_DEVEL_VERBOSE"
316 #define DEBUG_VAR_NAME L"SHIM_DEVEL_DEBUG"
318 #define FALLBACK_VERBOSE_VAR_NAME L"FALLBACK_VERBOSE"
319 #define VERBOSE_VAR_NAME L"SHIM_VERBOSE"
320 #define DEBUG_VAR_NAME L"SHIM_DEBUG"
323 #define SHIM_RETAIN_PROTOCOL_VAR_NAME L"ShimRetainProtocol"
/*
 * translate_slashes takes a caller-supplied output buffer and a read-only
 * input string, and returns a char pointer.
 *
 * NOTE(review): the prototype has no length parameter for out, so the
 * buffer size is a convention between caller and implementation. Confirm
 * against the definition how large out must be relative to str.
 */
325 char *translate_slashes(char *out
, const char *str
);