else
TARGETS += $(MMNAME) $(FBNAME)
endif
-OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o pe.o
+OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c pe.c shim.h version.h $(wildcard include/*.h)
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat.o
+ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c shim.h version.h $(wildcard include/*.h)
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat.o
+FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
ORIG_FALLBACK_SRCS = fallback.c
SBATPATH = data/sbat.csv
VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
-sbat.o : | $(SBATPATH) $(VENDOR_SBATS)
-sbat.o : $(TOPDIR)/sbat.c
- $(CC) $(CFLAGS) -c -o $@ $<
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+ $(CC) $(CFLAGS) -x c -c -o $@ $<
$(OBJCOPY) --add-section .sbat=$(SBATPATH) $@
$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
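Review bot: `$(SBATPATH)` and `$(VENDOR_SBATS)` are only order-only prerequisites of `sbat_data.o`, and its sole normal prerequisite is `/dev/null`, so editing `data/sbat.csv` (for example to bump a generation number) does not by itself regenerate the `.sbat` section. Unless a rule outside this hunk forces the rebuild, an incremental build can ship stale SBAT metadata. Consider listing the CSV as a normal prerequisite, `sbat_data.o : $(SBATPATH)`, and naming `/dev/null` explicitly in the compile line instead of relying on `$<`. A comment such as `# empty object whose only purpose is to carry the .sbat section` would also explain the `/dev/null` source.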
}
#endif
- if (secure_mode ()) {
- efi_status = verify_buffer(data, datasize, &context,
- sha256hash, sha1hash);
-
- if (EFI_ERROR(efi_status)) {
- if (verbose)
- console_print(L"Verification failed: %r\n", efi_status);
- else
- console_error(L"Verification failed", efi_status);
- return efi_status;
- } else {
- if (verbose)
- console_print(L"Verification succeeded\n");
- }
- }
-
/* The spec says, uselessly, of SectionAlignment:
* =====
* The alignment (in bytes) of sections when they are loaded into
EFI_IMAGE_SECTION_HEADER *RelocSection = NULL;
+ char *SBATBase = NULL;
+ size_t SBATSize = 0;
+
/*
* Copy the executable's sections to their desired offsets
*/
RelocBaseEnd == end) {
RelocSection = Section;
}
+ } else if (CompareMem(Section->Name, ".sbat\0\0\0", 8) == 0) {
+ if (SBATBase || SBATSize) {
+ perror(L"Image has multiple resource sections\n");
+ return EFI_UNSUPPORTED;
+ }
+
+ if (Section->NumberOfRelocations != 0 ||
+ Section->PointerToRelocations != 0) {
+ perror(L"SBAT section has relocations\n");
+ return EFI_UNSUPPORTED;
+ }
+
+ /* If it has nonzero size, and our bounds check made
+ * sense, sizes match, then we believe it's okay. */
+ if (Section->SizeOfRawData &&
+ Section->SizeOfRawData == Section->Misc.VirtualSize &&
+ base && end) {
+ SBATBase = base;
+ /* +1 because of size vs last byte location */
+ SBATSize = end - base + 1;
+ }
}
if (Section->Characteristics & EFI_IMAGE_SCN_MEM_DISCARDABLE) {
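Review bot: The duplicate-section check in the new `.sbat` branch reports `Image has multiple resource sections`, which looks copied from another branch and will misdirect anyone diagnosing a rejected image; it should read `perror(L"Image has multiple SBAT sections\n");`. Separately, a `.sbat` section whose `SizeOfRawData` is zero or differs from `Misc.VirtualSize` leaves `SBATBase` NULL with no message. Whether such a malformed section is rejected or silently treated as absent depends on code outside this hunk, so a comment stating the intended policy would help. The enclosing loop and function start and end outside the hunk.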
}
}
+ if (secure_mode ()) {
+ efi_status = verify_buffer(data, datasize,
+ &context, sha256hash, sha1hash);
+
+ if (EFI_ERROR(efi_status)) {
+ if (verbose)
+ console_print(L"Verification failed: %r\n", efi_status);
+ else
+ console_error(L"Verification failed", efi_status);
+ return efi_status;
+ } else {
+ if (verbose)
+ console_print(L"Verification succeeded\n");
+ }
+ }
+
if (context.NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) {
perror(L"Image has no relocation entry\n");
FreePool(buffer);
return EFI_SUCCESS;
}
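Review bot: The relocated verification block returns on failure without releasing `buffer`, while the very next error path calls `FreePool(buffer)` before returning. If `buffer` is already allocated at this point (the allocation is outside the hunk), the failure branch should do the same: `FreePool(buffer);` before `return efi_status;`. Moving the check after the section loop also means that loop now parses image data that has not yet been verified, so its bounds checks are the only protection. A comment above `if (secure_mode ()) {` explaining why verification happens after section loading would show the ordering is deliberate. The enclosing function starts and ends outside the hunk.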
-
// vim:fenc=utf-8:tw=75:noet