Steve McIntyre [Wed, 1 Nov 2023 23:37:50 +0000 (23:37 +0000)]
Tweak building with pesign changes
We used to use efisiglist to generate the DBX list. Newer versions of
the pesign package don't include it any more, and the recommended
replacement tool is now efisecdb from efivar. Tweak the
generate_dbx_list script to work with both old and new. Let's make
backports easy...
Steve McIntyre [Sun, 14 Mar 2021 16:04:15 +0000 (16:04 +0000)]
Improve how the dbx hashes are handled
Only include the hashes for the architecture we're building for - no
point in adding bloat and delay here.
Add a script "block_signed_deb" to scan a set of .deb files, extract
the hashes for .efi binaries and list them in the format wanted for
the dbx hashes file.
Split out the code to use that file from the rules file into a
separate helper.
Chris Coulson [Wed, 15 Jul 2020 11:33:27 +0000 (12:33 +0100)]
Include missing .text sections in PE/COFF binary
At the default -Os optimization level, gcc emits ".text.startup"
and ".text.unlikely" sections for static initializers and noreturn
functions which end up in the intermediate ELF binary:
$ objdump -h build-x64/shimx64.efi.so
build-x64/shimx64.efi.so: file format elf64-x86-64
These additional .text.* sections are omitted from the final PE/COFF
binary, resulting in a crash when processing the ctors. Taking a look at
_init_array in gdb:
Peter Jones [Fri, 19 Feb 2021 19:23:57 +0000 (14:23 -0500)]
sbat: Fix two NULL derefs found with "gcc -fanalyzer"
"gcc -fanalyzer" found two NULL pointer checks we're missing in sbat.c:
include/str.h: In function ‘get_sbat_field.part.0’:
sbat.c:20:14: error: dereference of NULL ‘offset’ [CWE-476] [-Werror=analyzer-null-dereference]
20 | if (!*offset)
and
include/str.h: In function ‘parse_sbat’:
sbat.c:140:27: error: dereference of NULL ‘current’ [CWE-476] [-Werror=analyzer-null-dereference]
140 | } while (entry && *current != '\0');
A following patch will make shim to verify its .sbat section and it
should be done before doing the OpenSSL initialization. But having
the debugger attached may be useful at this point.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Alex Burmashev [Tue, 16 Feb 2021 12:08:35 +0000 (07:08 -0500)]
pe.c: parse SBAT variable and perform basic verification
Per Peter Jones suggestion, we will be flexible in what data we expect
while parsing the variable. Three fields are mandatory:
component_generation, component_name_size, component_name
However we also support adding comments and additional information to be
added after component name, with ',' as a separator. Those information
will be ignored and not used for verification purposes.
So:
grub,1
and
grub,1,wow,this,is,my,comment
will provide exactly same set of data for verification.
Hai Huang [Tue, 10 Nov 2020 15:23:57 +0000 (10:23 -0500)]
Fix EV_EFI_VARIABLE_AUTHORITY event in eventlog
Currently, for an EV_EFI_VARIABLE_AUTHORITY event, the shim puts only
EFI_SIGNATURE_DATA.SignatureData in the VariableData field, but omits
EFI_SIGNATURE_DATA.SignatureOwner. According to reference implementation
in EDK2, the entire EFI_SIGNATURE_DATA is put into the VariableData
field, shown here:
https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c#L1032
Paul Moore [Tue, 20 Oct 2020 17:08:02 +0000 (13:08 -0400)]
build: add some basic $EFI_PATH checking
Not all distributions put the crt0-efi-$(ARCH).o file under
$LIB_DIR/gnuefi, some stash it directly in $LIB_DIR. In an effort
to make the build a bit more user friendly, check if $LIB_DIR/gnuefi
exits before setting $EFI_PATH to that value; if $LIB_DIR/gnuefi does
not exist, fallback to $LIB_DIR for $EFI_PATH.
Peter Jones [Tue, 16 Feb 2021 20:15:47 +0000 (15:15 -0500)]
SBAT: make the variable be CSV in our spec.
We noticed that we'd originally specified the SBAT variable as binary
records, but talked as if they're CSV. Woops. Anyway, this makes them
CSV, which also means they don't need the size field.
Chris Co [Tue, 16 Feb 2021 06:21:12 +0000 (06:21 +0000)]
sbat: add minor fixes to parse_sbat
Add parameter checking to parse_sbat().
Set end pointer to be sbat_base + sbat_size - 1. We directly
dereference the end pointer but this is technically outside of
our sbat_base buffer range.
Remove current and end while loops that account for extra CRLF
or LF characters before and after the .sbat section. We will
rely on automated tooling to verify the .sbat section is sane.
Remove the overwriting of *(end - 1) with '\0'. This behavior
causes a segfault in the unit test. parse_sbat_entry() expects
a very specific pattern "_,_,_,_,_,_\n" for every entry and uses
strchrnul() to process each individual field. When *(end - 1)='\0'
is present, it short-circuits the final \n and causes the final
get_sbat_field() to return NULL, thereby setting current = NULL.
Eventually parse_sbat attempts to access current in the do-while
condition and the segfault happens.
Peter Jones [Wed, 27 Jan 2021 17:14:01 +0000 (12:14 -0500)]
Add ENABLE_SHIM_DEVEL config to change what our debug variable name is
Currently, if you have two boot entries, say one for
\EFI\fedora\shimx64.efi and one for \EFI\devel\shimx64.efi, and you set
the efi variable SHIM_DEBUG=1, both of these will trigger, and you need
to write your debugging scripts to allow each of the builds to continue.
This is a pain.
This patch makes it so on your development build, it will instead check
SHIM_DEVEL_DEBUG, thus meaning you can have it pause for a debugger only
on the development branch and not the OS you need to boot to scp in a
new development build.