#define SHIM_VENDOR L"Shim"
#endif
-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
-EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
-EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
-EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
-
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
static BOOLEAN is_sha2_hash (EFI_GUID Type)
{
- EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
- EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
- EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
- EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
-
- if (CompareGuid(&Type, &Sha224) == 0)
+ if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0)
return TRUE;
- else if (CompareGuid(&Type, &Sha256) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0)
return TRUE;
- else if (CompareGuid(&Type, &Sha384) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0)
return TRUE;
- else if (CompareGuid(&Type, &Sha512) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0)
return TRUE;
return FALSE;
static UINT32 sha_size (EFI_GUID Type)
{
- EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
- EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
- EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
- EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
- EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
-
- if (CompareGuid(&Type, &Sha1) == 0)
+ if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0)
return SHA1_DIGEST_SIZE;
- else if (CompareGuid(&Type, &Sha224) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0)
return SHA224_DIGEST_LENGTH;
- else if (CompareGuid(&Type, &Sha256) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0)
return SHA256_DIGEST_SIZE;
- else if (CompareGuid(&Type, &Sha384) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0)
return SHA384_DIGEST_LENGTH;
- else if (CompareGuid(&Type, &Sha512) == 0)
+ else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0)
return SHA512_DIGEST_LENGTH;
return 0;
static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
{
- EFI_GUID CertType = X509_GUID;
UINT32 hash_sig_size;
- if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ if (CompareGuid (&Type, &X509_GUID) == 0 && SigSize != 0)
return TRUE;
if (!is_sha2_hash (Type))
MokListNode *list;
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
- EFI_GUID CertType = X509_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
void *end = Data + DataSize;
}
list[count].Type = CertList->SignatureType;
- if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
+ if (CompareGuid (&CertList->SignatureType, &X509_GUID) == 0) {
list[count].MokSize = CertList->SignatureSize -
sizeof(EFI_GUID);
list[count].Mok = (void *)Cert->SignatureData;
static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
- EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
- EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
- EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
- EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
- EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
int length;
- if (CompareGuid(&Type, &Sha1) == 0) {
+ if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0) {
length = SHA1_DIGEST_SIZE;
text[0] = L"SHA1 hash";
- } else if (CompareGuid(&Type, &Sha224) == 0) {
+ } else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0) {
length = SHA224_DIGEST_LENGTH;
text[0] = L"SHA224 hash";
- } else if (CompareGuid(&Type, &Sha256) == 0) {
+ } else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0) {
length = SHA256_DIGEST_SIZE;
text[0] = L"SHA256 hash";
- } else if (CompareGuid(&Type, &Sha384) == 0) {
+ } else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0) {
length = SHA384_DIGEST_LENGTH;
text[0] = L"SHA384 hash";
- } else if (CompareGuid(&Type, &Sha512) == 0) {
+ } else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0) {
length = SHA512_DIGEST_LENGTH;
text[0] = L"SHA512 hash";
} else {
static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
{
EFI_STATUS efi_status;
- EFI_GUID CertType = X509_GUID;
if (!Mok || MokSize == 0)
return;
- if (CompareGuid (&Type, &CertType) == 0) {
+ if (CompareGuid (&Type, &X509_GUID) == 0) {
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
efi_status = get_sha1sum(Mok, MokSize, hash);
static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS status;
UINT32 attributes;
void *old_data = NULL;
UINTN new_size;
status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_APPEND_WRITE,
}
status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
- shim_lock_guid, &attributes);
+ SHIM_LOCK_GUID, &attributes);
if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
return status;
}
CopyMem(new_data + old_size, MokNew, MokNewSize);
status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS,
new_size, new_data);
static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
if (authenticate) {
efi_status = uefi_call_wrapper(RT->GetVariable, 5, auth_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if (efi_status != EFI_SUCCESS ||
if (!MokNewSize) {
/* Delete MOK */
efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
static EFI_STATUS mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
CHAR16 *title;
if (auth) {
if (MokX) {
- LibDeleteVariable(L"MokXNew", &shim_lock_guid);
- LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
} else {
- LibDeleteVariable(L"MokNew", &shim_lock_guid);
- LibDeleteVariable(L"MokAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
}
}
static EFI_STATUS mok_reset_prompt (BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
CHAR16 *prompt;
}
if (MokX) {
- LibDeleteVariable(L"MokXNew", &shim_lock_guid);
- LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
} else {
- LibDeleteVariable(L"MokNew", &shim_lock_guid);
- LibDeleteVariable(L"MokAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
}
return EFI_SUCCESS;
static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num,
BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- EFI_GUID CertType = X509_GUID;
EFI_STATUS efi_status;
EFI_SIGNATURE_LIST *CertList;
EFI_SIGNATURE_DATA *CertData;
continue;
DataSize += sizeof(EFI_SIGNATURE_LIST);
- if (CompareGuid(&(list[i].Type), &CertType) == 0)
+ if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
DataSize += sizeof(EFI_GUID);
DataSize += list[i].MokSize;
}
CertList->SignatureType = list[i].Type;
CertList->SignatureHeaderSize = 0;
- if (CompareGuid(&(list[i].Type), &CertType) == 0) {
+ if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_GUID);
CertList->SignatureSize = list[i].MokSize + sizeof(EFI_GUID);
- CertData->SignatureOwner = shim_lock_guid;
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
CopyMem(CertData->SignatureData, list[i].Mok, list[i].MokSize);
} else {
CertList->SignatureListSize = list[i].MokSize +
}
efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS,
DataSize, Data);
static void delete_cert (void *key, UINT32 key_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID CertType = X509_GUID;
int i;
for (i = 0; i < mok_num; i++) {
- if (CompareGuid(&(mok[i].Type), &CertType) != 0)
+ if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
continue;
if (mok[i].MokSize == key_size &&
static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- EFI_GUID CertType = X509_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
}
efi_status = uefi_call_wrapper(RT->GetVariable, 5, auth_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if (efi_status != EFI_SUCCESS ||
return EFI_ACCESS_DENIED;
efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
- shim_lock_guid, &attributes);
+ SHIM_LOCK_GUID, &attributes);
if (efi_status != EFI_SUCCESS) {
if (MokX)
console_errorbox(L"Failed to retrieve MokListX");
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
uefi_call_wrapper(RT->SetVariable, 5, db_name,
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
/* Search and destroy */
for (i = 0; i < del_num; i++) {
- if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
+ if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
} else if (is_sha2_hash(del_key[i].Type)) {
static EFI_STATUS mok_deletion_prompt (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
CHAR16 *title;
}
if (MokX) {
- LibDeleteVariable(L"MokXDel", &shim_lock_guid);
- LibDeleteVariable(L"MokXDelAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokXDel", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokXDelAuth", &SHIM_LOCK_GUID);
} else {
- LibDeleteVariable(L"MokDel", &shim_lock_guid);
- LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokDel", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
}
if (MokDel)
}
static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
SIMPLE_TEXT_OUTPUT_MODE SavedMode;
MokSBvar *var = MokSB;
ret = console_yes_no((CHAR16 *[]){L"Enable Secure Boot", NULL});
if (ret == 0) {
- LibDeleteVariable(L"MokSB", &shim_lock_guid);
+ LibDeleteVariable(L"MokSB", &SHIM_LOCK_GUID);
return EFI_ABORTED;
}
if (var->MokSBState == 0) {
efi_status = uefi_call_wrapper(RT->SetVariable,
5, L"MokSBState",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
1, &sbval);
} else {
efi_status = uefi_call_wrapper(RT->SetVariable,
5, L"MokSBState",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
}
static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) {
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
SIMPLE_TEXT_OUTPUT_MODE SavedMode;
MokDBvar *var = MokDB;
ret = console_yes_no((CHAR16 *[]){L"Use DB certs/hashes", NULL});
if (ret == 0) {
- LibDeleteVariable(L"MokDB", &shim_lock_guid);
+ LibDeleteVariable(L"MokDB", &SHIM_LOCK_GUID);
return EFI_ABORTED;
}
if (var->MokDBState == 0) {
efi_status = uefi_call_wrapper(RT->SetVariable,
5, L"MokDBState",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
1, &dbval);
} else {
efi_status = uefi_call_wrapper(RT->SetVariable, 5,
L"MokDBState",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
}
static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
UINT8 hash[PASSWORD_CRYPT_SIZE];
UINT8 clear = 0;
return EFI_ABORTED;
uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS,
0, NULL);
efi_status = uefi_call_wrapper(RT->SetVariable, 5,
L"MokPWStore",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS,
MokPWSize, MokPW);
}
mokpw_done:
- LibDeleteVariable(L"MokPW", &shim_lock_guid);
+ LibDeleteVariable(L"MokPW", &SHIM_LOCK_GUID);
if (MokPW)
FreePool(MokPW);
static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash)
{
EFI_STATUS status = EFI_SUCCESS;
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_SIGNATURE_LIST *CertList;
EFI_SIGNATURE_DATA *CertData;
UINTN mokbuffersize;
UINT8 sha256[SHA256_DIGEST_SIZE];
UINT8 sha1[SHA1_DIGEST_SIZE];
SHIM_LOCK *shim_lock;
- EFI_GUID shim_guid = SHIM_LOCK_GUID;
PE_COFF_LOADER_IMAGE_CONTEXT context;
-
- status = LibLocateProtocol(&shim_guid, (VOID **)&shim_lock);
+ status = LibLocateProtocol(&SHIM_LOCK_GUID,
+ (VOID **) &shim_lock);
if (status != EFI_SUCCESS)
goto out;
CertList->SignatureListSize = mokbuffersize;
CertList->SignatureHeaderSize = 0;
- CertData->SignatureOwner = shim_lock_guid;
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
if (!hash) {
if (!verify_certificate(CertData->SignatureData, datasize))
static BOOLEAN verify_pw(BOOLEAN *protected)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
SIMPLE_TEXT_OUTPUT_MODE SavedMode;
UINT8 pwhash[PASSWORD_CRYPT_SIZE];
*protected = FALSE;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore",
- &shim_lock_guid, &attributes, &size,
+ &SHIM_LOCK_GUID, &attributes, &size,
pwhash);
/*
int choice = 0;
int mok_changed = 0;
EFI_STATUS efi_status;
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINT8 auth[PASSWORD_CRYPT_SIZE];
UINTN auth_size = PASSWORD_CRYPT_SIZE;
UINT32 attributes;
UINT32 MokXDelAuth = 0;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if ((efi_status == EFI_SUCCESS) &&
MokAuth = 1;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if ((efi_status == EFI_SUCCESS) &&
MokDelAuth = 1;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokXAuth",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if ((efi_status == EFI_SUCCESS) &&
MokXAuth = 1;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokXDelAuth",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
&attributes, &auth_size, auth);
if ((efi_status == EFI_SUCCESS) &&
static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
void *MokNew = NULL;
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokNew", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokNew");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokDel", (UINT8 **)&MokDel, &MokDelSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokDel", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokDel", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokDel");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokSB", (UINT8 **)&MokSB, &MokSBSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokSB", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokSB", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokSB");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokPW", (UINT8 **)&MokPW, &MokPWSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokPW", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokPW", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokPW");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokDB", (UINT8 **)&MokDB, &MokDBSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokDB", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokDB", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokDB");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokXNew", (UINT8 **)&MokXNew, &MokXNewSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokXNew", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokXNew");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
}
status = get_variable(L"MokXDel", (UINT8 **)&MokXDel, &MokXDelSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (status == EFI_SUCCESS) {
- if (LibDeleteVariable(L"MokXDel", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokXDel", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
console_notify(L"Failed to delete MokXDel");
}
} else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
if (MokXDel)
FreePool (MokXDel);
- LibDeleteVariable(L"MokAuth", &shim_lock_guid);
- LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
- LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
- LibDeleteVariable(L"MokXDelAuth", &shim_lock_guid);
+ LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
+ LibDeleteVariable(L"MokXDelAuth", &SHIM_LOCK_GUID);
return EFI_SUCCESS;
}
#include <efi.h>
#include <efilib.h>
-#include "ucs2.h"
-#include "variables.h"
-#include "tpm.h"
+#include "shim.h"
EFI_LOADED_IMAGE *this_image = NULL;
-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
-
int
get_fallback_verbose(void)
{
- EFI_GUID guid = SHIM_LOCK_GUID;
UINT8 *data = NULL;
UINTN dataSize = 0;
EFI_STATUS efi_status;
return state;
efi_status = get_variable(L"FALLBACK_VERBOSE",
- &data, &dataSize, guid);
+ &data, &dataSize, SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
state = 0;
return state;
EFI_STATUS rc;
void *buffer = NULL;
UINTN bs = 0;
- EFI_GUID finfo = EFI_FILE_INFO_ID;
/* The API here is "Call it once with bs=0, it fills in bs,
* then allocate a buffer and ask again to get it filled. */
- rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, &bs, NULL);
+ rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, NULL);
if (rc == EFI_BUFFER_TOO_SMALL) {
buffer = AllocateZeroPool(bs);
if (!buffer) {
Print(L"Could not allocate memory\n");
return EFI_OUT_OF_RESOURCES;
}
- rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo,
+ rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID,
&bs, buffer);
}
/* This checks *either* the error from the first GetInfo, if it isn't
static int i = 0;
CHAR16 varname[] = L"Boot0000";
CHAR16 hexmap[] = L"0123456789ABCDEF";
- EFI_GUID global = EFI_GLOBAL_VARIABLE;
EFI_STATUS rc;
for(; i <= 0xffff; i++) {
varname[6] = hexmap[(i & 0x00f0) >> 4];
varname[7] = hexmap[(i & 0x000f) >> 0];
- void *var = LibGetVariable(varname, &global);
+ void *var = LibGetVariable(varname, &GV_GUID);
if (!var) {
int size = sizeof(UINT32) + sizeof (UINT16) +
StrLen(label)*2 + 2 + DevicePathSize(hddp) +
}
rc = uefi_call_wrapper(RT->SetVariable, 5, varname,
- &global, EFI_VARIABLE_NON_VOLATILE |
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_RUNTIME_ACCESS,
+ &GV_GUID, EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
size, data);
FreePool(data);
int i = 0;
CHAR16 varname[] = L"Boot0000";
CHAR16 hexmap[] = L"0123456789ABCDEF";
- EFI_GUID global = EFI_GLOBAL_VARIABLE;
EFI_STATUS rc;
UINTN max_candidate_size = calc_masked_boot_option_size(size);
varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
UINTN candidate_size = max_candidate_size;
- rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global,
+ rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &GV_GUID,
NULL, &candidate_size, candidate);
if (EFI_ERROR(rc))
continue;
{
CHAR16 *oldbootorder;
UINTN size;
- EFI_GUID global = EFI_GLOBAL_VARIABLE;
- oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size);
+ oldbootorder = LibGetVariableAndSize(L"BootOrder", &GV_GUID, &size);
if (oldbootorder) {
nbootorder = size / sizeof (CHAR16);
bootorder = oldbootorder;
{
UINTN size;
UINTN len = 0;
- EFI_GUID global = EFI_GLOBAL_VARIABLE;
CHAR16 *newbootorder = NULL;
EFI_STATUS rc;
for (j = 0 ; j < size / sizeof (CHAR16); j++)
VerbosePrintUnprefixed(L"%04x ", newbootorder[j]);
Print(L"\n");
- rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global,
+ rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &GV_GUID,
NULL, &len, NULL);
if (rc == EFI_BUFFER_TOO_SMALL)
- LibDeleteVariable(L"BootOrder", &global);
+ LibDeleteVariable(L"BootOrder", &GV_GUID);
- rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global,
+ rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &GV_GUID,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS,
EFI_STATUS rc;
void *buffer = NULL;
UINTN bs = 0;
- EFI_GUID finfo = EFI_FILE_INFO_ID;
/* The API here is "Call it once with bs=0, it fills in bs,
* then allocate a buffer and ask again to get it filled. */
- rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, &bs, NULL);
+ rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, NULL);
if (rc == EFI_BUFFER_TOO_SMALL) {
buffer = AllocateZeroPool(bs);
if (!buffer) {
Print(L"Could not allocate memory\n");
return EFI_OUT_OF_RESOURCES;
}
- rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo,
+ rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID,
&bs, buffer);
}
/* This checks *either* the error from the first GetInfo, if it isn't
__attribute__((__optimize__("0")))
debug_hook(void)
{
- EFI_GUID guid = SHIM_LOCK_GUID;
UINT8 *data = NULL;
UINTN dataSize = 0;
EFI_STATUS efi_status;
volatile register int x = 0;
extern char _etext, _edata;
- efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, guid);
+ efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize,
+ SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
return;
}
static EFI_HANDLE
get_nic_handle (EFI_MAC_ADDRESS *mac)
{
- EFI_GUID http_binding_guid = EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID;
EFI_DEVICE_PATH *unpacked = NULL;
EFI_DEVICE_PATH *Node;
EFI_DEVICE_PATH *temp_path = NULL;
protocol */
status = uefi_call_wrapper(BS->LocateHandleBuffer, 5,
ByProtocol,
- &http_binding_guid,
+ &EFI_HTTP_BINDING_GUID,
NULL,
&NoHandles,
&buffer);
static EFI_STATUS
set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node)
{
- EFI_GUID ip6_config_guid = EFI_IP6_CONFIG_PROTOCOL_GUID;
EFI_IP6_CONFIG_PROTOCOL *ip6cfg;
EFI_IP6_CONFIG_MANUAL_ADDRESS ip6;
EFI_IPv6_ADDRESS gateway;
EFI_STATUS status;
- status = uefi_call_wrapper(BS->HandleProtocol, 3,
- nic,
- &ip6_config_guid,
- (VOID **)&ip6cfg);
+ status = uefi_call_wrapper(BS->HandleProtocol, 3, nic,
+ &EFI_IP6_CONFIG_GUID, (VOID **)&ip6cfg);
if (EFI_ERROR (status))
return status;
static EFI_STATUS
set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node)
{
- EFI_GUID ip4_config2_guid = EFI_IP4_CONFIG2_PROTOCOL_GUID;
EFI_IP4_CONFIG2_PROTOCOL *ip4cfg2;
EFI_IP4_CONFIG2_MANUAL_ADDRESS ip4;
EFI_IPv4_ADDRESS gateway;
EFI_STATUS status;
- status = uefi_call_wrapper(BS->HandleProtocol, 3,
- nic,
- &ip4_config2_guid,
- (VOID **)&ip4cfg2);
+ status = uefi_call_wrapper(BS->HandleProtocol, 3, nic,
+ &EFI_IP4_CONFIG2_GUID, (VOID **)&ip4cfg2);
if (EFI_ERROR (status))
return status;
CHAR8 *hostname, CHAR8 *uri, BOOLEAN is_ip6,
VOID **buffer, UINT64 *buf_size)
{
- EFI_GUID http_binding_guid = EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID;
- EFI_GUID http_protocol_guid = EFI_HTTP_PROTOCOL_GUID;
EFI_SERVICE_BINDING *service;
EFI_HANDLE http_handle;
EFI_HTTP_PROTOCOL *http;
/* Open HTTP Service Binding Protocol */
status = uefi_call_wrapper(BS->OpenProtocol, 6, device,
- &http_binding_guid, (VOID **)&service,
+ &EFI_HTTP_BINDING_GUID, (VOID **)&service,
image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
if (EFI_ERROR (status))
return status;
/* Get the http protocol */
status = uefi_call_wrapper(BS->HandleProtocol, 3, http_handle,
- &http_protocol_guid, (VOID **)&http);
+ &EFI_HTTP_PROTOCOL_GUID, (VOID **)&http);
if (EFI_ERROR (status)) {
perror(L"Failed to get http\n");
goto error;
#ifndef SHIM_HTTP_H
#define SHIM_HTTP_H
-#define EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID \
- { \
- 0xbdc8e6af, 0xd9bc, 0x4379, {0xa7, 0x2a, 0xe0, 0xc4, 0xe7, 0x5d, 0xae, 0x1c } \
- }
-
-#define EFI_HTTP_PROTOCOL_GUID \
- { \
- 0x7a59b29b, 0x910b, 0x4171, {0x82, 0x42, 0xa8, 0x5a, 0x0d, 0xf2, 0x5b, 0x5b } \
- }
-
typedef struct _EFI_HTTP_PROTOCOL EFI_HTTP_PROTOCOL;
///
#include <efiip.h>
-#define EFI_IP4_CONFIG2_PROTOCOL_GUID \
- { \
- 0x5b446ed1, 0xe30b, 0x4faa, {0x87, 0x1a, 0x36, 0x54, 0xec, 0xa3, 0x60, 0x80 } \
- }
-
typedef struct _EFI_IP4_CONFIG2_PROTOCOL EFI_IP4_CONFIG2_PROTOCOL;
#include <efiip.h>
-#define EFI_IP6_CONFIG_PROTOCOL_GUID \
- { \
- 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
- }
-
typedef struct _EFI_IP6_CONFIG_PROTOCOL EFI_IP6_CONFIG_PROTOCOL;
///
console_reset(void);
#define NOSEL 0x7fffffff
-#define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \
- { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} }
-
typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL;
typedef enum {
#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
-#define EFI_CERT_X509_GUID \
- (EFI_GUID) { \
- 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
- }
-
-#define EFI_CERT_RSA2048_GUID \
- (EFI_GUID) { \
- 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
- }
-
-
-#define EFI_CERT_TYPE_PKCS7_GUID \
- (EFI_GUID) { \
- 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
- }
-
-/*
- * WIN_CERTIFICATE_UEFI_GUID.CertType
- */
-#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
- {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
-
/*
* WIN_CERTIFICATE_UEFI_GUID.CertData
*/
#include <efi.h>
+extern EFI_GUID BDS_GUID;
extern EFI_GUID GV_GUID;
extern EFI_GUID SIG_DB;
extern EFI_GUID X509_GUID;
extern EFI_GUID RSA2048_GUID;
extern EFI_GUID PKCS7_GUID;
extern EFI_GUID IMAGE_PROTOCOL;
-extern EFI_GUID SIMPLE_FS_PROTOCOL;
+extern EFI_GUID EFI_FILE_INFO_GUID;
+extern EFI_GUID EFI_FILE_SYSTEM_INFO_GUID;
+extern EFI_GUID EFI_CERT_RSA2048_GUID;
extern EFI_GUID EFI_CERT_SHA1_GUID;
extern EFI_GUID EFI_CERT_SHA256_GUID;
-extern EFI_GUID MOK_OWNER;
+extern EFI_GUID EFI_CERT_SHA224_GUID;
+extern EFI_GUID EFI_CERT_SHA384_GUID;
+extern EFI_GUID EFI_CERT_SHA512_GUID;
+extern EFI_GUID EFI_CERT_TYPE_PKCS7_GUID;
+extern EFI_GUID EFI_CERT_TYPE_RSA2048_SHA256_GUID;
+extern EFI_GUID EFI_CERT_TYPE_X509_GUID;
+extern EFI_GUID EFI_CONSOLE_CONTROL_GUID;
+extern EFI_GUID EFI_HTTP_BINDING_GUID;
+extern EFI_GUID EFI_HTTP_PROTOCOL_GUID;
+extern EFI_GUID EFI_IP4_CONFIG2_GUID;
+extern EFI_GUID EFI_IP6_CONFIG_GUID;
+extern EFI_GUID EFI_LOADED_IMAGE_GUID;
+extern EFI_GUID EFI_TPM_GUID;
+extern EFI_GUID EFI_TPM2_GUID;
+extern EFI_GUID EFI_SECURE_BOOT_DB_GUID;
+extern EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID;
extern EFI_GUID SECURITY_PROTOCOL_GUID;
extern EFI_GUID SECURITY2_PROTOCOL_GUID;
+extern EFI_GUID SHIM_LOCK_GUID;
#endif /* SHIM_GUID_H */
#include <efilib.h>
-#define EFI_TPM_GUID {0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd }};
-#define EFI_TPM2_GUID {0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }};
-
#define TPM_ALG_SHA 0x00000004
#define EV_IPL 0x0000000d
#include <efilib.h>
#include <stdarg.h>
#include <stdbool.h>
-#include <console.h>
-#include <variables.h>
-#include <errors.h>
+
+#include "shim.h"
+
#include <Library/BaseCryptLib.h>
#include <openssl/err.h>
#include <openssl/crypto.h>
-#include "shim.h"
-
static int
count_lines(CHAR16 *str_arr[])
{
setup_verbosity(VOID)
{
EFI_STATUS status;
- EFI_GUID guid = SHIM_LOCK_GUID;
UINT8 verbose_check;
UINTN verbose_check_size;
verbose_check_size = 1;
status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check,
- &verbose_check_size, guid);
+ &verbose_check_size, SHIM_LOCK_GUID);
verbose = 0;
if (!EFI_ERROR(status))
verbose = verbose_check;
VOID setup_console (int text)
{
EFI_STATUS status;
- EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID;
EFI_CONSOLE_CONTROL_PROTOCOL *concon;
static EFI_CONSOLE_CONTROL_SCREEN_MODE mode =
EfiConsoleControlScreenGraphics;
EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode;
- status = LibLocateProtocol(&console_control_guid, (VOID **)&concon);
+ status = LibLocateProtocol(&EFI_CONSOLE_CONTROL_GUID,
+ (VOID **)&concon);
if (status != EFI_SUCCESS)
return;
* see COPYING file
*/
-#include <guid.h>
+#include "shim.h"
-/* all the necessary guids */
+EFI_GUID BDS_GUID = { 0x8108ac4e, 0x9f11, 0x4d59, { 0x85, 0x0e, 0xe2, 0x1a, 0x52, 0x2c, 0x59, 0xb2 } };
EFI_GUID GV_GUID = EFI_GLOBAL_VARIABLE;
EFI_GUID SIG_DB = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }};
-
EFI_GUID X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} };
EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} };
EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} };
EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL;
-EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL;
+EFI_GUID EFI_FILE_INFO_GUID = EFI_FILE_INFO_ID;
+EFI_GUID EFI_FILE_SYSTEM_INFO_GUID = EFI_FILE_SYSTEM_INFO_ID;
+EFI_GUID EFI_CERT_RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} };
EFI_GUID EFI_CERT_SHA1_GUID = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }};
EFI_GUID EFI_CERT_SHA256_GUID = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } };
-EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
+EFI_GUID EFI_CERT_TYPE_PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} };
+EFI_GUID EFI_CERT_TYPE_RSA2048_SHA256_GUID = { 0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } };
+EFI_GUID EFI_CERT_TYPE_X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} };
+EFI_GUID EFI_CONSOLE_CONTROL_GUID = { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} };
+EFI_GUID EFI_HTTP_BINDING_GUID = { 0xbdc8e6af, 0xd9bc, 0x4379, {0xa7, 0x2a, 0xe0, 0xc4, 0xe7, 0x5d, 0xae, 0x1c } };
+EFI_GUID EFI_HTTP_PROTOCOL_GUID = { 0x7a59b29b, 0x910b, 0x4171, {0x82, 0x42, 0xa8, 0x5a, 0x0d, 0xf2, 0x5b, 0x5b } };
+EFI_GUID EFI_IP4_CONFIG2_GUID = { 0x5b446ed1, 0xe30b, 0x4faa, {0x87, 0x1a, 0x36, 0x54, 0xec, 0xa3, 0x60, 0x80 } };
+EFI_GUID EFI_IP6_CONFIG_GUID = { 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } };
+EFI_GUID EFI_LOADED_IMAGE_GUID = EFI_LOADED_IMAGE_PROTOCOL_GUID;
+EFI_GUID EFI_TPM_GUID = { 0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd } };
+EFI_GUID EFI_TPM2_GUID = { 0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f } };
+EFI_GUID EFI_SECURE_BOOT_DB_GUID = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } };
+EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL;
EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } };
EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
+EFI_GUID SHIM_LOCK_GUID = {0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } };
#include "shim.h"
-static EFI_GUID FILE_INFO = EFI_FILE_INFO_ID;
-static EFI_GUID FS_INFO = EFI_FILE_SYSTEM_INFO_ID;
-
EFI_STATUS
simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UINT64 mode)
{
EFI_FILE *root;
efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device,
- &SIMPLE_FS_PROTOCOL, (void **)&drive);
+ &EFI_SIMPLE_FILE_SYSTEM_GUID, (void **)&drive);
if (efi_status != EFI_SUCCESS) {
Print(L"Unable to find simple file protocol (%d)\n", efi_status);
char buf[4096];
UINTN size = sizeof(buf);
EFI_FILE_INFO *fi = (void *)buf;
-
- status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO,
+
+ status = uefi_call_wrapper(file->GetInfo, 4, file, &EFI_FILE_INFO_GUID,
&size, fi);
if (status != EFI_SUCCESS) {
Print(L"Failed to get file info\n");
*size = sizeof(buf);
fi = (void *)buf;
-
- efi_status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO,
- size, fi);
+ efi_status = uefi_call_wrapper(file->GetInfo, 4, file,
+ &EFI_FILE_INFO_GUID, size, fi);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to get file info\n");
return efi_status;
int val;
uefi_call_wrapper(BS->LocateHandleBuffer, 5, ByProtocol,
- &SIMPLE_FS_PROTOCOL, NULL, &count, &vol_handles);
+ &EFI_SIMPLE_FILE_SYSTEM_GUID, NULL, &count, &vol_handles);
if (!count || !vol_handles)
return EFI_NOT_FOUND;
status = uefi_call_wrapper(BS->HandleProtocol, 3,
vol_handles[i],
- &SIMPLE_FS_PROTOCOL,
+ &EFI_SIMPLE_FILE_SYSTEM_GUID,
(void **)&drive);
if (status != EFI_SUCCESS || !drive)
continue;
if (status != EFI_SUCCESS)
continue;
- status = uefi_call_wrapper(root->GetInfo, 4, root, &FS_INFO,
- &size, fi);
+ status = uefi_call_wrapper(root->GetInfo, 4, root,
+ &EFI_FILE_SYSTEM_INFO_GUID, &size, fi);
if (status != EFI_SUCCESS)
continue;
name = fi->VolumeLabel;
-
- if (!name || StrLen(name) == 0 || StrCmp(name, L" ") == 0)
+ if (!name || StrLen(name) == 0 || StrCmp(name, L" ") == 0)
name = DevicePathToStr(DevicePathFromHandle(vol_handles[i]));
entries[i] = AllocatePool((StrLen(name) + 2) * sizeof(CHAR16));
FreePool(entries);
FreePool(vol_handles);
-
return EFI_SUCCESS;
}
*count = 0;
status = simple_dir_read_all(image, name, entries, &tot);
-
if (status != EFI_SUCCESS)
goto out;
ptr = next = *entries;
l->SignatureListSize = sizeof(sig);
l->SignatureSize = 16 +32; /* UEFI defined */
CopyMem(&d->SignatureData, hash, SHA256_DIGEST_SIZE);
- d->SignatureOwner = MOK_OWNER;
+ d->SignatureOwner = SHIM_LOCK_GUID;
if (CompareGuid(&owner, &SIG_DB) == 0)
status = SetSecureVariable(var, sig, sizeof(sig), owner,
__perror_ret; \
})
-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
-
/*
* The vendor certificate used for validating the second stage loader
*/
EFI_SIGNATURE_DATA *Cert;
UINTN CertSize;
BOOLEAN IsFound = FALSE;
- EFI_GUID CertType = X509_GUID;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
+ if (CompareGuid (&CertList->SignatureType, &EFI_CERT_TYPE_X509_GUID) == 0) {
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
if (verify_x509(Cert->SignatureData, CertSize)) {
static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
- EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
- EFI_GUID shim_var = SHIM_LOCK_GUID;
EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
- SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID,
- L"dbx", secure_var) ==
- DATA_FOUND) {
+ SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx",
+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
LogError(L"binary sha256hash found in vendor dbx\n");
return EFI_SECURITY_VIOLATION;
}
if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
- SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID,
- L"dbx", secure_var) ==
- DATA_FOUND) {
+ SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx",
+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
LogError(L"binary sha1hash found in vendor dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
- sha256hash, L"dbx",
- secure_var) == DATA_FOUND) {
+ if (cert &&
+ check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx",
+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
LogError(L"cert sha256hash found in vendor dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
- EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+ if (check_db_hash(L"dbx", EFI_SECURE_BOOT_DB_GUID, sha256hash,
+ SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) {
LogError(L"binary sha256hash found in system dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
- EFI_CERT_SHA1_GUID) == DATA_FOUND) {
+ if (check_db_hash(L"dbx", EFI_SECURE_BOOT_DB_GUID, sha1hash,
+ SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) {
LogError(L"binary sha1hash found in system dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
- DATA_FOUND) {
+ if (cert &&
+ check_db_cert(L"dbx", EFI_SECURE_BOOT_DB_GUID,
+ cert, sha256hash) == DATA_FOUND) {
LogError(L"cert sha256hash found in system dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (check_db_hash(L"MokListX", shim_var, sha256hash, SHA256_DIGEST_SIZE,
- EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+ if (check_db_hash(L"MokListX", SHIM_LOCK_GUID, sha256hash,
+ SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) {
LogError(L"binary sha256hash found in Mok dbx\n");
return EFI_SECURITY_VIOLATION;
}
- if (cert && check_db_cert(L"MokListX", shim_var, cert, sha256hash) ==
- DATA_FOUND) {
+ if (cert &&
+ check_db_cert(L"MokListX", SHIM_LOCK_GUID,
+ cert, sha256hash) == DATA_FOUND) {
LogError(L"cert sha256hash found in Mok dbx\n");
return EFI_SECURITY_VIOLATION;
}
static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
- EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
- EFI_GUID shim_var = SHIM_LOCK_GUID;
-
if (!ignore_db) {
- if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE,
+ if (check_db_hash(L"db", EFI_SECURE_BOOT_DB_GUID, sha256hash, SHA256_DIGEST_SIZE,
EFI_CERT_SHA256_GUID) == DATA_FOUND) {
update_verification_method(VERIFIED_BY_HASH);
return EFI_SUCCESS;
} else {
LogError(L"check_db_hash(db, sha256hash) != DATA_FOUND\n");
}
- if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE,
+ if (check_db_hash(L"db", EFI_SECURE_BOOT_DB_GUID, sha1hash, SHA1_DIGEST_SIZE,
EFI_CERT_SHA1_GUID) == DATA_FOUND) {
verification_method = VERIFIED_BY_HASH;
update_verification_method(VERIFIED_BY_HASH);
} else {
LogError(L"check_db_hash(db, sha1hash) != DATA_FOUND\n");
}
- if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
+ if (cert && check_db_cert(L"db", EFI_SECURE_BOOT_DB_GUID, cert, sha256hash)
== DATA_FOUND) {
verification_method = VERIFIED_BY_CERT;
update_verification_method(VERIFIED_BY_CERT);
}
}
- if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE,
- EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+ if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash,
+ SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID)
+ == DATA_FOUND) {
verification_method = VERIFIED_BY_HASH;
update_verification_method(VERIFIED_BY_HASH);
return EFI_SUCCESS;
} else {
LogError(L"check_db_hash(MokList, sha256hash) != DATA_FOUND\n");
}
- if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
- DATA_FOUND) {
+ if (cert && check_db_cert(L"MokList", SHIM_LOCK_GUID, cert, sha256hash)
+ == DATA_FOUND) {
verification_method = VERIFIED_BY_CERT;
update_verification_method(VERIFIED_BY_CERT);
return EFI_SUCCESS;
* Ensure that the MOK database hasn't been set or modified from an OS
*/
static EFI_STATUS verify_mok (void) {
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS status = EFI_SUCCESS;
UINT8 *MokListData = NULL;
UINTN MokListDataSize = 0;
UINT32 attributes;
status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize,
- shim_lock_guid, &attributes);
+ SHIM_LOCK_GUID, &attributes);
if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
perror(L"MokList is compromised!\nErase all keys in MokList!\n");
- if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokList", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
perror(L"Failed to erase MokList\n");
return EFI_SECURITY_VIOLATION;
}
EFI_STATUS status = EFI_SECURITY_VIOLATION;
WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
unsigned int size = datasize;
- EFI_GUID shim_var = SHIM_LOCK_GUID;
if (context->SecDir->Size != 0) {
if (context->SecDir->Size >= size) {
shim_cert, sizeof(shim_cert), sha256hash,
SHA256_DIGEST_SIZE)) {
update_verification_method(VERIFIED_BY_CERT);
- tpm_measure_variable(L"Shim", shim_var, sizeof(shim_cert), shim_cert);
+ tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
+ sizeof(shim_cert), shim_cert);
status = EFI_SUCCESS;
drain_openssl_errors();
return status;
vendor_cert, vendor_cert_size,
sha256hash, SHA256_DIGEST_SIZE)) {
update_verification_method(VERIFIED_BY_CERT);
- tpm_measure_variable(L"Shim", shim_var, vendor_cert_size, vendor_cert);
+ tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
+ vendor_cert_size, vendor_cert);
status = EFI_SUCCESS;
drain_openssl_errors();
return status;
static int
should_use_fallback(EFI_HANDLE image_handle)
{
- EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL;
EFI_LOADED_IMAGE *li;
unsigned int pathlen = 0;
CHAR16 *bootpath = NULL;
int ret = 0;
rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
- &loaded_image_protocol, (void **)&li);
+ &EFI_LOADED_IMAGE_GUID, (void **)&li);
if (EFI_ERROR(rc)) {
perror(L"Could not get image for bootx64.efi: %r\n", rc);
return 0;
static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
int *datasize, CHAR16 *PathName)
{
- EFI_GUID simple_file_system_protocol = SIMPLE_FILE_SYSTEM_PROTOCOL;
- EFI_GUID file_info_id = EFI_FILE_INFO_ID;
EFI_STATUS efi_status;
EFI_HANDLE device;
EFI_FILE_INFO *fileinfo = NULL;
* Open the device
*/
efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device,
- &simple_file_system_protocol,
+ &EFI_SIMPLE_FILE_SYSTEM_GUID,
(void **)&drive);
-
if (efi_status != EFI_SUCCESS) {
perror(L"Failed to find fs: %r\n", efi_status);
goto error;
* Find out how big the file is in order to allocate the storage
* buffer
*/
- efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub, &file_info_id,
+ efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub, &EFI_FILE_INFO_GUID,
&buffersize, fileinfo);
if (efi_status == EFI_BUFFER_TOO_SMALL) {
goto error;
}
efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub,
- &file_info_id, &buffersize,
+ &EFI_FILE_INFO_GUID, &buffersize,
fileinfo);
}
*/
EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
{
- EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL;
EFI_STATUS efi_status;
EFI_LOADED_IMAGE *li, li_bak;
CHAR16 *PathName = NULL;
* binary in order to find our path
*/
efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
- &loaded_image_protocol, (void **)&li);
-
+ &EFI_LOADED_IMAGE_GUID, (void **)&li);
if (efi_status != EFI_SUCCESS) {
perror(L"Unable to init protocol\n");
return efi_status;
*/
EFI_STATUS measure_mok()
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status, ret = EFI_SUCCESS;
UINT8 *Data = NULL;
UINTN DataSize = 0;
- efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid);
+ efi_status = get_variable(L"MokList", &Data, &DataSize, SHIM_LOCK_GUID);
if (!EFI_ERROR(efi_status)) {
efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
DataSize, 14, (CHAR8 *)"MokList");
ret = efi_status;
}
- efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid);
+ efi_status = get_variable(L"MokListX", &Data, &DataSize, SHIM_LOCK_GUID);
if (!EFI_ERROR(efi_status)) {
efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
DataSize, 14, (CHAR8 *)"MokListX");
}
efi_status = get_variable(L"MokSBState", &Data, &DataSize,
- shim_lock_guid);
+ SHIM_LOCK_GUID);
if (!EFI_ERROR(efi_status)) {
efi_status = tpm_measure_variable(L"MokSBState",
- shim_lock_guid,
+ SHIM_LOCK_GUID,
DataSize, Data);
if (!EFI_ERROR(efi_status)) {
efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)
*/
EFI_STATUS mirror_mok_list()
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
UINT8 *Data = NULL;
UINTN DataSize = 0;
EFI_SIGNATURE_DATA *CertData = NULL;
uint8_t *p = NULL;
- efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid);
+ efi_status = get_variable(L"MokList", &Data, &DataSize, SHIM_LOCK_GUID);
if (efi_status != EFI_SUCCESS)
DataSize = 0;
CertData = (EFI_SIGNATURE_DATA *)p;
p += sizeof (EFI_GUID);
- CertList->SignatureType = EFI_CERT_X509_GUID;
+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
CertList->SignatureListSize = vendor_cert_size
+ sizeof (*CertList)
+ sizeof (*CertData)
if (FullDataSize) {
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS,
FullDataSize, FullData);
*/
EFI_STATUS mirror_mok_list_x()
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
UINT8 *Data = NULL;
UINTN DataSize = 0;
- efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid);
+ efi_status = get_variable(L"MokListX", &Data, &DataSize,
+ SHIM_LOCK_GUID);
if (efi_status != EFI_SUCCESS)
return efi_status;
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListXRT",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, Data);
*/
EFI_STATUS mirror_mok_sb_state()
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
UINT8 *Data = NULL;
UINTN DataSize = 0;
- efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
+ efi_status = get_variable(L"MokSBState", &Data, &DataSize, SHIM_LOCK_GUID);
if (efi_status == EFI_SUCCESS) {
UINT8 *Data_RT = NULL;
UINTN DataSize_RT = 0;
efi_status = get_variable(L"MokSBStateRT", &Data_RT,
- &DataSize_RT, shim_lock_guid);
+ &DataSize_RT, SHIM_LOCK_GUID);
if (efi_status == EFI_SUCCESS) {
efi_status = uefi_call_wrapper(RT->SetVariable, 5,
L"MokSBStateRT",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS
| EFI_VARIABLE_NON_VOLATILE,
efi_status = uefi_call_wrapper(RT->SetVariable, 5,
L"MokSBStateRT",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, Data);
static BOOLEAN check_var(CHAR16 *varname)
{
EFI_STATUS efi_status;
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN size = sizeof(UINT32);
UINT32 MokVar;
UINT32 attributes;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, varname,
- &shim_lock_guid, &attributes,
+ &SHIM_LOCK_GUID, &attributes,
&size, (void *)&MokVar);
if (efi_status == EFI_SUCCESS || efi_status == EFI_BUFFER_TOO_SMALL)
*/
static EFI_STATUS check_mok_sb (void)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS status = EFI_SUCCESS;
UINT8 MokSBState;
UINTN MokSBStateSize = sizeof(MokSBState);
user_insecure_mode = 0;
ignore_db = 0;
- status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState", &shim_lock_guid,
- &attributes, &MokSBStateSize, &MokSBState);
+ status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState",
+ &SHIM_LOCK_GUID, &attributes,
+ &MokSBStateSize, &MokSBState);
if (status != EFI_SUCCESS)
return EFI_SECURITY_VIOLATION;
*/
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
perror(L"MokSBState is compromised! Clearing it\n");
- if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokSBState", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
perror(L"Failed to erase MokSBState\n");
}
status = EFI_SECURITY_VIOLATION;
static EFI_STATUS check_mok_db (void)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS status = EFI_SUCCESS;
UINT8 MokDBState;
UINTN MokDBStateSize = sizeof(MokDBState);
UINT32 attributes;
- status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState", &shim_lock_guid,
- &attributes, &MokDBStateSize, &MokDBState);
+ status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState",
+ &SHIM_LOCK_GUID, &attributes,
+ &MokDBStateSize, &MokDBState);
if (status != EFI_SUCCESS)
return EFI_SECURITY_VIOLATION;
*/
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
perror(L"MokDBState is compromised! Clearing it\n");
- if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) {
+ if (LibDeleteVariable(L"MokDBState", &SHIM_LOCK_GUID) != EFI_SUCCESS) {
perror(L"Failed to erase MokDBState\n");
}
status = EFI_SECURITY_VIOLATION;
static EFI_STATUS mok_ignore_db()
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status = EFI_SUCCESS;
UINT8 Data = 1;
UINTN DataSize = sizeof(UINT8);
if (ignore_db) {
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokIgnoreDB",
- &shim_lock_guid,
+ &SHIM_LOCK_GUID,
EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, (void *)&Data);
}
-EFI_GUID bds_guid = { 0x8108ac4e, 0x9f11, 0x4d59, { 0x85, 0x0e, 0xe2, 0x1a, 0x52, 0x2c, 0x59, 0xb2 } };
-
static inline EFI_STATUS
get_load_option_optional_data(UINT8 *data, UINTN data_size,
UINT8 **od, UINTN *ods)
if (li->LoadOptionsSize > 16) {
if (CompareGuid((EFI_GUID *)(li->LoadOptions
+ (li->LoadOptionsSize - 16)),
- &bds_guid) == 0)
+ &BDS_GUID) == 0)
li->LoadOptionsSize -= 16;
}
EFI_STATUS
install_shim_protocols(void)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
SHIM_LOCK *shim_lock;
EFI_STATUS efi_status;
* replacements. So even though it will participate and verify
* the kernel, the systab never finds out.
*/
- efi_status = LibLocateProtocol(&shim_lock_guid, (VOID **)&shim_lock);
+ efi_status = LibLocateProtocol(&SHIM_LOCK_GUID, (VOID **)&shim_lock);
if (!EFI_ERROR(efi_status))
uninstall_shim_protocols();
* Install the protocol
*/
efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4,
- &shim_lock_handle, &shim_lock_guid,
+ &shim_lock_handle, &SHIM_LOCK_GUID,
EFI_NATIVE_INTERFACE, &shim_lock_interface);
if (EFI_ERROR(efi_status)) {
console_error(L"Could not install security protocol",
void
uninstall_shim_protocols(void)
{
- EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
-
/*
* If we're back here then clean everything up before exiting
*/
uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
- &shim_lock_guid, &shim_lock_interface);
+ &SHIM_LOCK_GUID, &shim_lock_interface);
if (!secure_mode())
return;
__attribute__((__optimize__("0")))
debug_hook(void)
{
- EFI_GUID guid = SHIM_LOCK_GUID;
UINT8 *data = NULL;
UINTN dataSize = 0;
EFI_STATUS efi_status;
if (x)
return;
- efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, guid);
+ efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize,
+ SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
return;
}
Print(L"Pausing for debugger attachment.\n");
Print(L"To disable this, remove the EFI variable SHIM_DEBUG-%g .\n",
- &guid);
+ &SHIM_LOCK_GUID);
x = 1;
while (x++) {
/* Make this so it can't /totally/ DoS us. */
#include "shim_cert.h"
#endif
-extern EFI_GUID SHIM_LOCK_GUID;
-
INTERFACE_DECL(_SHIM_LOCK);
typedef
UINTN measuredcount = 0;
VARIABLE_RECORD *measureddata = NULL;
-EFI_GUID tpm_guid = EFI_TPM_GUID;
-EFI_GUID tpm2_guid = EFI_TPM2_GUID;
-
static BOOLEAN tpm_present(efi_tpm_protocol_t *tpm)
{
EFI_STATUS status;
*tpm = NULL;
*tpm2 = NULL;
- status = LibLocateProtocol(&tpm2_guid, (VOID **)tpm2);
+ status = LibLocateProtocol(&EFI_TPM2_GUID, (VOID **)tpm2);
/* TPM 2.0 */
if (status == EFI_SUCCESS) {
BOOLEAN old_caps;
return EFI_SUCCESS;
}
} else {
- status = LibLocateProtocol(&tpm_guid, (VOID **)tpm);
+ status = LibLocateProtocol(&EFI_TPM_GUID, (VOID **)tpm);
if (EFI_ERROR(status))
return status;
UINT32 eventnum = 0;
EFI_PHYSICAL_ADDRESS lastevent;
- status = LibLocateProtocol(&tpm_guid, (VOID **)&tpm);
+ status = LibLocateProtocol(&EFI_TPM_GUID, (VOID **)&tpm);
if (status != EFI_SUCCESS)
return EFI_SUCCESS;