]> git.proxmox.com Git - efi-boot-shim.git/commitdiff
Make cert.S not impossible to read.
authorPeter Jones <pjones@redhat.com>
Thu, 23 Jul 2020 04:08:30 +0000 (00:08 -0400)
committerPeter Jones <pjones@redhat.com>
Fri, 24 Jul 2020 00:53:24 +0000 (20:53 -0400)
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream: pr#206

cert.S
shim.c
shim.h

diff --git a/cert.S b/cert.S
index cfc4525b44c151bd7a544508ed879cabd8881897..520caaef3afa2647f3ae0c7835f1e5416b64826b 100644 (file)
--- a/cert.S
+++ b/cert.S
@@ -1,65 +1,44 @@
-       .globl cert_table
-       .type   cert_table, %object
-       .size   cert_table, 4
-       .section .vendor_cert, "a", %progbits
-cert_table:
+
 #if defined(VENDOR_CERT_FILE)
-       .long   vendor_cert_priv_end - vendor_cert_priv
-#else
-       .long   0
+# define vendor_authorized vendor_cert
+# define vendor_authorized_end vendor_cert_end
+# define vendor_authorized_size vendor_cert_size
+# define vendor_authorized_size_end vendor_cert_size_end
 #endif
+
 #if defined(VENDOR_DBX_FILE)
-       .long   vendor_dbx_priv_end - vendor_dbx_priv
-#else
-       .long   0
+# define vendor_deauthorized vendor_dbx
+# define vendor_deauthorized_end vendor_dbx_end
+# define vendor_deauthorized_size vendor_dbx_size
+# define vendor_deauthorized_size_end vendor_dbx_size_end
 #endif
-       .long   vendor_cert_priv - cert_table
-       .long   vendor_dbx_priv - cert_table
-#if defined(VENDOR_CERT_FILE)
-       .data
-       .align  1
-       .type   vendor_cert_priv, %object
-       .size   vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv
-       .section .vendor_cert, "a", %progbits
-vendor_cert_priv:
-.incbin VENDOR_CERT_FILE
-vendor_cert_priv_end:
-#else
-       .bss
-       .type   vendor_cert_priv, %object
-       .size   vendor_cert_priv, 1
-       .section .vendor_cert, "a", %progbits
-vendor_cert_priv:
-       .zero   1
 
-       .data
-       .align 4
-       .type   vendor_cert_size_priv, %object
-       .size   vendor_cert_size_priv, 4
+       .globl cert_table
+       .type   cert_table, %object
+       .size   cert_table, .Lcert_table_end - cert_table
+       .section .vendor_cert, "a", %progbits
+       .balignl 4, 0
+cert_table:
+       .4byte  .Lvendor_authorized_end - vendor_authorized
+       .4byte  .Lvendor_deauthorized_end - vendor_deauthorized
+       .4byte  vendor_authorized - cert_table
+       .4byte  vendor_deauthorized - cert_table
+       .balign 1, 0
+       .type   vendor_authorized, %object
+       .size   vendor_authorized, .Lvendor_authorized_end - vendor_authorized
        .section .vendor_cert, "a", %progbits
-vendor_cert_priv_end:
+vendor_authorized:
+#if defined(VENDOR_CERT_FILE)
+.incbin VENDOR_CERT_FILE
 #endif
-#if defined(VENDOR_DBX_FILE)
-       .data
-       .align  1
-       .type   vendor_dbx_priv, %object
-       .size   vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv
+.Lvendor_authorized_end:
+       .balign 1, 0
+       .type   vendor_deauthorized, %object
+       .size   vendor_deauthorized, .Lvendor_deauthorized_end - vendor_deauthorized
        .section .vendor_cert, "a", %progbits
-vendor_dbx_priv:
+vendor_deauthorized:
+#if defined(VENDOR_DBX_FILE)
 .incbin VENDOR_DBX_FILE
-vendor_dbx_priv_end:
-#else
-       .bss
-       .type   vendor_dbx_priv, %object
-       .size   vendor_dbx_priv, 1
-       .section .vendor_cert, "a", %progbits
-vendor_dbx_priv:
-       .zero   1
-
-       .data
-       .align 4
-       .type   vendor_dbx_size_priv, %object
-       .size   vendor_dbx_size_priv, 4
-       .section .vendor_cert, "a", %progbits
-vendor_dbx_priv_end:
 #endif
+.Lvendor_deauthorized_end:
+.Lcert_table_end:
diff --git a/shim.c b/shim.c
index 0e7e784b4c89190d4a05b25562a4d62a53448a8a..888ee6e8d7bbc42212c7136fe3feec40189d9a3c 100644 (file)
--- a/shim.c
+++ b/shim.c
@@ -68,16 +68,18 @@ static UINT32 load_options_size;
  * The vendor certificate used for validating the second stage loader
  */
 extern struct {
-       UINT32 vendor_cert_size;
-       UINT32 vendor_dbx_size;
-       UINT32 vendor_cert_offset;
-       UINT32 vendor_dbx_offset;
+       UINT32 vendor_authorized_size;
+       UINT32 vendor_deauthorized_size;
+       UINT32 vendor_authorized_offset;
+       UINT32 vendor_deauthorized_offset;
 } cert_table;
 
-UINT32 vendor_cert_size;
-UINT32 vendor_dbx_size;
-UINT8 *vendor_cert;
-UINT8 *vendor_dbx;
+UINT32 vendor_authorized_size = 0;
+UINT8 *vendor_authorized = NULL;
+
+UINT32 vendor_deauthorized_size = 0;
+UINT8 *vendor_deauthorized = NULL;
+
 #if defined(ENABLE_SHIM_CERT)
 UINT32 build_cert_size;
 UINT8 *build_cert;
@@ -554,22 +556,22 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
 static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
                                   UINT8 *sha256hash, UINT8 *sha1hash)
 {
-       EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
+       EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized;
 
-       if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
+       if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha256hash,
                        SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx",
                        EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
                LogError(L"binary sha256hash found in vendor dbx\n");
                return EFI_SECURITY_VIOLATION;
        }
-       if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
+       if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha1hash,
                                 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx",
                                 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
                LogError(L"binary sha1hash found in vendor dbx\n");
                return EFI_SECURITY_VIOLATION;
        }
        if (cert &&
-           check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx",
+           check_db_cert_in_ram(dbx, vendor_deauthorized_size, cert, sha256hash, L"dbx",
                                 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
                LogError(L"cert sha256hash found in vendor dbx\n");
                return EFI_SECURITY_VIOLATION;
@@ -1077,19 +1079,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
                /*
                 * And finally, check against shim's built-in key
                 */
-               if (vendor_cert_size &&
+               if (vendor_authorized_size &&
                    AuthenticodeVerify(cert->CertData,
                                       cert->Hdr.dwLength - sizeof(cert->Hdr),
-                                      vendor_cert, vendor_cert_size,
+                                      vendor_authorized, vendor_authorized_size,
                                       sha256hash, SHA256_DIGEST_SIZE)) {
                        update_verification_method(VERIFIED_BY_CERT);
                        tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
-                                            vendor_cert_size, vendor_cert);
+                                            vendor_authorized_size, vendor_authorized);
                        efi_status = EFI_SUCCESS;
                        drain_openssl_errors();
                        return efi_status;
                } else {
-                       LogError(L"AuthenticodeVerify(vendor_cert) failed\n");
+                       LogError(L"AuthenticodeVerify(vendor_authorized) failed\n");
                }
        }
 
@@ -2501,7 +2503,7 @@ shim_init(void)
        }
 
        if (secure_mode()) {
-               if (vendor_cert_size || vendor_dbx_size) {
+               if (vendor_authorized_size || vendor_deauthorized_size) {
                        /*
                         * If shim includes its own certificates then ensure
                         * that anything it boots has performed some
@@ -2606,14 +2608,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 
        verification_method = VERIFIED_BY_NOTHING;
 
-       vendor_cert_size = cert_table.vendor_cert_size;
-       vendor_dbx_size = cert_table.vendor_dbx_size;
-       vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-       vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
+       vendor_authorized_size = cert_table.vendor_authorized_size;
+       vendor_authorized = (UINT8 *)&cert_table + cert_table.vendor_authorized_offset;
+
+       vendor_deauthorized_size = cert_table.vendor_deauthorized_size;
+       vendor_deauthorized = (UINT8 *)&cert_table + cert_table.vendor_deauthorized_offset;
+
 #if defined(ENABLE_SHIM_CERT)
        build_cert_size = sizeof(shim_cert);
        build_cert = shim_cert;
 #endif /* defined(ENABLE_SHIM_CERT) */
+
        CHAR16 *msgs[] = {
                L"import_mok_state() failed",
                L"shim_init() failed",
diff --git a/shim.h b/shim.h
index a0fa5a75e7e1e7dc654968646d4841f629407cca..555498c667308a4e2aa92b30798000bbcc715490 100644 (file)
--- a/shim.h
+++ b/shim.h
 #define FALLBACK L"\\fb" EFI_ARCH L".efi"
 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
 
+#if defined(VENDOR_CERT_FILE)
+# define vendor_authorized vendor_cert
+# define vendor_authorized_size vendor_cert_size
+# define vendor_authorized_category VENDOR_ADDEND_X509
+#else
+# define vendor_authorized vendor_null
+# define vendor_authorized_size vendor_null_size
+# define vendor_authorized_category VENDOR_ADDEND_NONE
+#endif
+
+#if defined(VENDOR_DBX_FILE)
+# define vendor_deauthorized vendor_dbx
+# define vendor_deauthorized_size vendor_dbx_size
+#else
+# define vendor_deauthorized vendor_deauthorized_null
+# define vendor_deauthorized_size vendor_deauthorized_null_size
+#endif
+
 #include "include/asm.h"
 #include "include/configtable.h"
 #include "include/console.h"
@@ -166,10 +184,12 @@ extern VOID ClearErrors(VOID);
 extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
 extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
 
-extern UINT32 vendor_cert_size;
-extern UINT32 vendor_dbx_size;
-extern UINT8 *vendor_cert;
-extern UINT8 *vendor_dbx;
+extern UINT32 vendor_authorized_size;
+extern UINT8 *vendor_authorized;
+
+extern UINT32 vendor_deauthorized_size;
+extern UINT8 *vendor_deauthorized;
+
 #if defined(ENABLE_SHIM_CERT)
 extern UINT32 build_cert_size;
 extern UINT8 *build_cert;