Request variables:
-MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
-UCS-2 representation of the password. The user will be asked to
-re-enter the password to confirm. If the hash of the entered password
-matches the contents of MokPW, the user will be prompted to copy MokPW
+MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
+UCS-2 representation of the password. The user will be asked to
+re-enter the password to confirm. If the hash of the entered password
+matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV
-MokSB: Set by MokUtil when requesting a change in state of signature
+MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:
typedef struct {
CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;
-If MokSBState is 0, the user will be prompted to disable signature
-validation. Otherwise, the user will be prompted to enable it. PWLen
-is the length of the password, in characters. Password is a UCS-2
-representation of the password. The user will be prompted to enter
-three randomly chosen characters from the password. If successful,
-they will then be prompted to change the signature validation
+If MokSBState is 0, the user will be prompted to disable signature
+validation. Otherwise, the user will be prompted to enable it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV
-MokDB: Set by MokUtil when requesting a change in state of validation
+MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:
typedef struct {
CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokDBvar;
-If MokDBState is 0, the user will be prompted to disable usage of db for
-validation. Otherwise, the user will be prompted to allow it. PWLen
-is the length of the password, in characters. Password is a UCS-2
-representation of the password. The user will be prompted to enter
-three randomly chosen characters from the password. If successful,
-they will then be prompted to change the signature validation
+If MokDBState is 0, the user will be prompted to disable usage of db for
+validation. Otherwise, the user will be prompted to allow it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
according to MokDBState. BS,RT,NV
-MokNew: Set by MokUtil when requesting the addition or removal of keys
-from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
+MokNew: Set by MokUtil when requesting the addition or removal of keys
+from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV
-MokAuth: A hash dependent upon the contents of MokNew and the sealing
-password. The user's password in UCS-2 form should be appended to the
-contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
-The hash will be regenerated by MokManager after the user is requested
-to enter their password to confirm enrolment of the keys. If the hash
+MokAuth: A hash dependent upon the contents of MokNew and the sealing
+password. The user's password in UCS-2 form should be appended to the
+contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
+The hash will be regenerated by MokManager after the user is requested
+to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
State variables:
-MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
+MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListRT: A copy of MokList made available to the kernel at runtime. RT
MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
-MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
+MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV
-MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
+MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV
MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
or not to import DB certs for its own verification purposes.
-MokPWStore: A SHA-256 representation of the password set by the user
-via MokPW. The user will be prompted to enter this password in order
+MokPWStore: A SHA-256 representation of the password set by the user
+via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.
- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
line and all grub commands (including all of grub.cfg that gets run) are
measured into PCR8.
-
+
PCR9:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
initramfs, and any multiboot modules loaded are measured into PCR9.
ImageBase = .;
.hash : { *(.hash) } /* this MUST come first! */
. = ALIGN(4096);
- .eh_frame :
- {
+ .eh_frame :
+ {
*(.eh_frame)
}
. = ALIGN(4096);
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;
-#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007
+#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
///
UINT32 InfoSize;
///
- /// If this image was a UEFI device driver (for option ROM, for example) this is the
- /// null-terminated, user-friendly name for the device. If the image was for an application,
- /// then this is the name of the application. If this cannot be determined, then a simple
+ /// If this image was a UEFI device driver (for option ROM, for example) this is the
+ /// null-terminated, user-friendly name for the device. If the image was for an application,
+ /// then this is the name of the application. If this cannot be determined, then a simple
/// NULL character should be put in this position.
/// CHAR16 Name[];
///
///
- /// For device drivers, this is the device path of the device for which this device driver
- /// was intended. In some cases, the driver itself may be stored as part of the system
- /// firmware, but this field should record the device's path, not the firmware path. For
- /// applications, this is the device path of the application. If this cannot be determined,
+ /// For device drivers, this is the device path of the device for which this device driver
+ /// was intended. In some cases, the driver itself may be stored as part of the system
+ /// firmware, but this field should record the device's path, not the firmware path. For
+ /// applications, this is the device path of the application. If this cannot be determined,
/// a simple end-of-path device node should be put in this position.
/// EFI_DEVICE_PATH_PROTOCOL DevicePath;
///
///
- /// Zero or more image signatures. If the image contained no signatures,
+ /// Zero or more image signatures. If the image contained no signatures,
/// then this field is empty.
///
///EFI_SIGNATURE_LIST Signature;
///
/// Number of EFI_IMAGE_EXECUTION_INFO structures.
///
- UINTN NumberOfImages;
+ UINTN NumberOfImages;
///
/// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.
///
EFI_IMAGE_EXECUTION_INFO InformationInfo[];
} EFI_IMAGE_EXECUTION_INFO_TABLE;
-
void *
configtable_get_table(EFI_GUID *guid);
EFI_IMAGE_EXECUTION_INFO_TABLE *
IN UINT8 *X509Data,
IN UINTN X509DataSize,
IN EFI_GUID owner,
- OUT EFI_SIGNATURE_LIST **PkCert
+ OUT EFI_SIGNATURE_LIST **PkCert
);
EFI_STATUS
CreateTimeBasedPayload (
///
typedef struct {
///
- /// The length of the entire certificate,
- /// including the length of the header, in bytes.
+ /// The length of the entire certificate,
+ /// including the length of the header, in bytes.
///
UINT32 dwLength;
///
- /// The revision level of the WIN_CERTIFICATE
- /// structure. The current revision level is 0x0200.
+ /// The revision level of the WIN_CERTIFICATE
+ /// structure. The current revision level is 0x0200.
///
UINT16 wRevision;
///
- /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
- /// certificate types. The UEFI specification reserves the range of
- /// certificate type values from 0x0EF0 to 0x0EFF.
+ /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
+ /// certificate types. The UEFI specification reserves the range of
+ /// certificate type values from 0x0EF0 to 0x0EFF.
///
UINT16 wCertificateType;
///
- /// The following is the actual certificate. The format of
+ /// The following is the actual certificate. The format of
/// the certificate depends on wCertificateType.
///
/// UINT8 bCertificate[ANYSIZE_ARRAY];
///
} WIN_CERTIFICATE;
-
#endif /* SHIM_WINCERT_H */
/* print what we have for debugging */
UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
#endif
CHAR16 *name = (CHAR16 *)(e->Data);
int skip = 0;
console_print(L"Device Path Size %d\n", Size);
#endif
if (Size > e->InfoSize) {
- /* parse error; the platform obviously has a
+ /* parse error; the platform obviously has a
* corrupted image table; bail */
console_print(L"Image Execution Information table corrupt\n");
break;
}
-
+
if (CompareMem(dp, (void *)DevicePath, Size) == 0) {
#ifdef DEBUG_CONFIG
console_print(L"***FOUND\n");
if (name[0] != '\\')
StrCat(*PathName, L"\\");
StrCat(*PathName, name);
-
+
*path = FileDevicePath(li->DeviceHandle, *PathName);
error:
const EFI_SECURITY_PROTOCOL *This,
UINT32 AuthenticationStatus,
const EFI_DEVICE_PATH_PROTOCOL *DevicePath
- )
+ )
__attribute__((unused));
extern EFI_STATUS thunk_security2_policy_authentication(
VOID *FileBuffer,
UINTN FileSize,
BOOLEAN BootPolicy
- )
+ )
__attribute__((unused));
static __attribute__((used)) EFI_STATUS
)
{
EFI_STATUS efi_status, fail_status;
- EFI_DEVICE_PATH *DevPath
+ EFI_DEVICE_PATH *DevPath
= DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst),
*OrigDevPath = DevPath;
EFI_HANDLE h;
-c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
-10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
+10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
rm -rf /boot/efi/EFI/BOOT/
mkdir /boot/efi/EFI/BOOT/
mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
- [root@uefi efivars]#
+ [root@uefi efivars]#
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
have an old machine. In that case, go to the EFI shell and run: