From: Peter Jones Date: Wed, 20 Mar 2013 17:18:34 +0000 (-0400) Subject: Move embedded certificates to their own section. X-Git-Tag: proxmox/15.7-1+pmx1~66^2~621 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=4541fce44f88d335b9a72e1cc07687e4198e4847;p=efi-boot-shim.git Move embedded certificates to their own section. With this change, the embedded certificate and dbx lists (vendor_cert, vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a section named .vendor_cert, and so will look something like: ------ fenchurch:~/devel/github.com/shim$ objdump -h shim.efi shim.efi: file format pei-x86-64 Sections: Idx Name Size VMA LMA File off Algn 0 .eh_frame 000174a8 0000000000005000 0000000000005000 00000400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 000aa7e1 000000000001d000 000000000001d000 00017a00 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 .reloc 0000000a 00000000000c8000 00000000000c8000 000c2200 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .data 00031228 00000000000c9000 00000000000c9000 000c2400 2**5 CONTENTS, ALLOC, LOAD, DATA 4 .vendor_cert 00000375 00000000000fb000 00000000000fb000 000f3800 2**0 CONTENTS, READONLY 5 .dynamic 000000f0 00000000000fc000 00000000000fc000 000f3c00 2**3 CONTENTS, ALLOC, LOAD, DATA 6 .rela 0002afa8 00000000000fd000 00000000000fd000 000f3e00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 7 .dynsym 0000f1f8 0000000000128000 0000000000128000 0011ee00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA ------ This simplifies a security audit, because it means that different versions of shim with substantially the same code with different keys will be more easily comperable, and therefore logic differences may be more easily identified. This also means that if there's a trusted build you want to use, you can remove the certificates, implant new ones, and have it signed, and the code sections won't change. Signed-off-by: Peter Jones
---
diff --git a/Makefile b/Makefile
index e7f6e49..0c26392 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
 EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
 EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
-EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
+EFI_LDS = elf_$(ARCH)_efi.lds
 CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \
@@ -88,6 +88,7 @@ Cryptlib/OpenSSL/libopenssl.a:
 objcopy -j .text -j .sdata -j .data \
 -j .dynamic -j .dynsym -j .rel \
 -j .rela -j .reloc -j .eh_frame \
+ -j .vendor_cert \
 --target=efi-app-$(ARCH) $^ $@
 objcopy -j .text -j .sdata -j .data \
 -j .dynamic -j .dynsym -j .rel \
diff --git a/cert.S b/cert.S
index 70b9c3f..4be0a24 100644
--- a/cert.S
+++ b/cert.S
@@ -4,6 +4,7 @@
 .align 1
 .type vendor_cert_size, @object
 .size vendor_cert_size, 4
+ .section .vendor_cert, "", @progbits
 vendor_cert_size:
 .long .L0 - vendor_cert
 .globl vendor_cert
@@ -11,6 +12,7 @@ vendor_cert_size:
 .align 1
 .type vendor_cert, @object
 .size vendor_cert, .L0-vendor_cert
+ .section .vendor_cert, "", @progbits
 vendor_cert:
 .incbin VENDOR_CERT_FILE
 .L0:
@@ -19,6 +21,7 @@ vendor_cert:
 .bss
 .type vendor_cert, @object
 .size vendor_cert, 1
+ .section .vendor_cert, "", @progbits
 vendor_cert:
 .zero 1
@@ -27,6 +30,7 @@ vendor_cert:
 .align 4
 .type vendor_cert_size, @object
 .size vendor_cert_size, 4
+ .section .vendor_cert, "", @progbits
 vendor_cert_size:
 .long 1
 #endif
diff --git a/dbx.S b/dbx.S
index 03db1ae..9ccdb67 100644
--- a/dbx.S
+++ b/dbx.S
@@ -4,6 +4,7 @@
 .align 1
 .type vendor_dbx_size, @object
 .size vendor_dbx_size, 4
+ .section .vendor_cert, "", @progbits
 vendor_dbx_size:
 .long .L0 - vendor_dbx
 .globl vendor_dbx
@@ -11,6 +12,7 @@ vendor_dbx_size:
 .align 1
 .type vendor_dbx, @object
 .size vendor_dbx, .L0-vendor_dbx
+ .section .vendor_cert, "", @progbits
 vendor_dbx:
 .incbin VENDOR_DBX_FILE
 .L0:
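Review bot: In the Makefile's second hunk the objcopy `-j` list acts as an allow-list, so the embedded certificate and dbx data reach shim.efi only because of the new `-j .vendor_cert` line, and nothing in the recipe fails the build if that section is later dropped or renamed. A check after the objcopy in the same recipe, for example `objdump -h $@ | grep -q '\.vendor_cert'`, would turn an image built without its embedded certificate data into a build error instead of a boot-time surprise. The hunk ends inside the second objcopy invocation, so whether that copy also needs the section cannot be judged from here.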
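Review bot: The added `.section .vendor_cert, "", @progbits` in the first cert.S hunk passes an empty flags string, so the section is not marked allocatable; the objdump listing in the commit message accordingly shows .vendor_cert as `CONTENTS, READONLY` without `ALLOC, LOAD`. If shim reads vendor_cert and vendor_dbx at run time (the consumer is not part of this diff), those bytes must be in the loaded image, and depending on the ELF-to-PE conversion to map an unallocated section is fragile. `.section .vendor_cert, "a", @progbits` states the intent and keeps the data read-only. The same line recurs in the other three cert.S hunks and in all four dbx.S hunks.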
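Review bot: In the `#else` branch of cert.S (the hunks at -19 and -27) the new `.section` directive comes after the directives meant to set up the object, so the `.bss` two lines above it is overridden at once and `.align 4` is issued before the switch, where it presumably aligns whichever section was current rather than .vendor_cert. With `vendor_cert: .zero 1` already placed in .vendor_cert, `vendor_cert_size: .long 1` can then land at offset 1; the listing in the commit message shows the section with 2**0 alignment. Replace the `.bss` line with the `.section` directive and move `.align` below it in each block. dbx.S has the same ordering in all four of its hunks, and there vendor_dbx_size may follow a certificate blob of arbitrary length.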
@@ -19,6 +21,7 @@ vendor_dbx:
 .bss
 .type vendor_dbx, @object
 .size vendor_dbx, 1
+ .section .vendor_cert, "", @progbits
 vendor_dbx:
 .zero 1
@@ -27,6 +30,7 @@ vendor_dbx:
 .align 4
 .type vendor_dbx_size, @object
 .size vendor_dbx_size, 4
+ .section .vendor_cert, "", @progbits
 vendor_dbx_size:
 .long 0
 #endif
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
new file mode 100644
index 0000000..12d4085
--- /dev/null
+++ b/elf_ia32_efi.lds
@@ -0,0 +1,69 @@
+OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+OUTPUT_ARCH(i386)
+ENTRY(_start)
+SECTIONS
+{
+ . = 0;
+ ImageBase = .;
+ .hash : { *(.hash) } /* this MUST come first! */
+ . = ALIGN(4096);
+ .text :
+ {
+ *(.text)
+ *(.text.*)
+ *(.gnu.linkonce.t.*)
+ }
+ .reloc :
+ {
+ *(.reloc)
+ }
+ . = ALIGN(4096);
+ .data :
+ {
+ *(.rodata*)
+ *(.data)
+ *(.data1)
+ *(.data.*)
+ *(.sdata)
+ *(.got.plt)
+ *(.got)
+ /* the EFI loader doesn't seem to like a .bss section, so we stick
+ it all into .data: */
+ *(.sbss)
+ *(.scommon)
+ *(.dynbss)
+ *(.bss)
+ *(COMMON)
+ }
+ . = ALIGN(4096);
+ .vendor_cert :
+ {
+ *(.vendor_cert)
+ }
+ . = ALIGN(4096);
+ .dynamic : { *(.dynamic) }
+ . = ALIGN(4096);
+ .rel :
+ {
+ *(.rel.data)
+ *(.rel.data.*)
+ *(.rel.got)
+ *(.rel.stab)
+ *(.data.rel.ro.local)
+ *(.data.rel.local)
+ *(.data.rel.ro)
+ *(.data.rel*)
+ }
+ . = ALIGN(4096);
+ .dynsym : { *(.dynsym) }
+ . = ALIGN(4096);
+ .dynstr : { *(.dynstr) }
+ . = ALIGN(4096);
+ /DISCARD/ :
+ {
+ *(.rel.reloc)
+ *(.eh_frame)
+ *(.note.GNU-stack)
+ }
+ .comment 0 : { *(.comment) }
+}
diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
new file mode 100644
index 0000000..d8dea4b
--- /dev/null
+++ b/elf_ia64_efi.lds
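Review bot: The new elf_ia32_efi.lds has no header saying where it came from, and the same is true of elf_ia64_efi.lds and elf_x86_64_efi.lds added further down. The Makefile line this commit removes pointed at `$(EFI_PATH)/elf_$(ARCH)_efi.lds`, so these look like copies of the gnu-efi scripts with a `.vendor_cert` output section added. Since the stated goal is easier auditing, record the provenance and the local delta at the top of each file, e.g. `/* Based on gnu-efi <VERSION PLACEHOLDER> elf_ia32_efi.lds; local change: .vendor_cert output section */`. Without that, later gnu-efi linker-script fixes have no obvious route into these forks.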
@@ -0,0 +1,75 @@
+OUTPUT_FORMAT("elf64-ia64-little")
+OUTPUT_ARCH(ia64)
+ENTRY(_start_plabel)
+SECTIONS
+{
+ . = 0;
+ ImageBase = .;
+ .hash : { *(.hash) } /* this MUST come first! */
+ . = ALIGN(4096);
+ .text :
+ {
+ *(.text)
+ *(.text.*)
+ *(.gnu.linkonce.t.*)
+ }
+ . = ALIGN(4096);
+ __gp = ALIGN (8) + 0x200000;
+ .sdata :
+ {
+ *(.got.plt)
+ *(.got)
+ *(.srodata)
+ *(.sdata)
+ *(.sbss)
+ *(.scommon)
+ }
+ . = ALIGN(4096);
+ .data :
+ {
+ *(.rodata*)
+ *(.ctors)
+ *(.data*)
+ *(.gnu.linkonce.d*)
+ *(.plabel) /* data whose relocs we want to ignore */
+ /* the EFI loader doesn't seem to like a .bss section, so we stick
+ it all into .data: */
+ *(.dynbss)
+ *(.bss)
+ *(COMMON)
+ }
+ . = ALIGN(4096);
+ .vendor_cert :
+ {
+ *(.vendor_cert)
+ }
+ . = ALIGN(4096);
+ .dynamic : { *(.dynamic) }
+ . = ALIGN(4096);
+ .rela :
+ {
+ *(.rela.text)
+ *(.rela.data*)
+ *(.rela.sdata)
+ *(.rela.got)
+ *(.rela.gnu.linkonce.d*)
+ *(.rela.stab)
+ *(.rela.ctors)
+ }
+ . = ALIGN(4096);
+ .reloc : /* This is the PECOFF .reloc section! */
+ {
+ *(.reloc)
+ }
+ . = ALIGN(4096);
+ .dynsym : { *(.dynsym) }
+ . = ALIGN(4096);
+ .dynstr : { *(.dynstr) }
+ /DISCARD/ :
+ {
+ *(.rela.plabel)
+ *(.rela.reloc)
+ *(.IA_64.unwind*)
+ *(.IA64.unwind*)
+ }
+}
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
new file mode 100644
index 0000000..f981102
--- /dev/null
+++ b/elf_x86_64_efi.lds
@@ -0,0 +1,68 @@
+/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
+OUTPUT_ARCH(i386:x86-64)
+ENTRY(_start)
+SECTIONS
+{
+ . = 0;
+ ImageBase = .;
+ .hash : { *(.hash) } /* this MUST come first! */
+ . = ALIGN(4096);
+ .eh_frame :
+ {
+ *(.eh_frame)
+ }
+ . = ALIGN(4096);
+ .text :
+ {
+ *(.text)
+ }
+ . = ALIGN(4096);
+ .reloc :
+ {
+ *(.reloc)
+ }
+ . = ALIGN(4096);
+ .data :
+ {
+ *(.rodata*)
+ *(.got.plt)
+ *(.got)
+ *(.data*)
+ *(.sdata)
+ /* the EFI loader doesn't seem to like a .bss section, so we stick
+ it all into .data: */
+ *(.sbss)
+ *(.scommon)
+ *(.dynbss)
+ *(.bss)
+ *(COMMON)
+ *(.rel.local)
+ }
+ . = ALIGN(4096);
+ .vendor_cert :
+ {
+ *(.vendor_cert)
+ }
+ . = ALIGN(4096);
+ .dynamic : { *(.dynamic) }
+ . = ALIGN(4096);
+ .rela :
+ {
+ *(.rela.data*)
+ *(.rela.got)
+ *(.rela.stab)
+ }
+ . = ALIGN(4096);
+ .dynsym : { *(.dynsym) }
+ . = ALIGN(4096);
+ .dynstr : { *(.dynstr) }
+ . = ALIGN(4096);
+ .ignored.reloc :
+ {
+ *(.rela.reloc)
+ *(.eh_frame)
+ *(.note.GNU-stack)
+ }
+ .comment 0 : { *(.comment) }
+}
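Review bot: `*(.eh_frame)` is listed twice in elf_x86_64_efi.lds, once in the `.eh_frame` output section near the top and again inside `.ignored.reloc`; ld assigns an input section to the first statement that matches it, so the second entry never matches anything and should be removed or commented as deliberate. The first-line comment still asks to keep the file in sync with elf_x86_64_fbsd_efi.lds, which this diff does not add to the tree, so it should name the real upstream instead. `.text` here also collects only `*(.text)`, while the ia32 and ia64 scripts take `*(.text.*)` too; if any object is ever built with per-function sections they would fall outside `.text`, and the Makefile's objcopy `-j` list would not carry them into the image.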