bio_printf() was replaced with a dummy function and this made
several openssl functions useless. This commit adds the print
functions back, so that we don't have to implement our own
ASN1 time print function.
- The file path from DevicePathToStr may use slash as the file
seperator. Change all slashes to backslashes to avoid the strange
bootpath.
- Remove the redundant backslashes.
- ImagePath no longer requires the leading backslash.
- Fix a memory leak
Based on the patch from Michal Marek <mmarek@suse.com>
The password format is introduced for the password hash generated by crypt(),
so that the user can import the password hash from /etc/shadow. The packager,
especially those who packages 3rd party drivers, can utilize this feature to
import a 3rd party certificate without interfering the package installation.
This commit implements the sha256-based crypt() hash function.
Peter Jones [Thu, 26 Sep 2013 13:44:50 +0000 (09:44 -0400)]
MokManager needs to disable the graphics console.
Without this patch, on some machines we never see MokManager's UI. This
protocol has never (I think?) been officially published, and yet I still
have new hardware that needs it.
Steve Langasek [Mon, 23 Sep 2013 05:45:26 +0000 (22:45 -0700)]
Correct limits on the length of ipv6 addresses
The maximum length of a string representation of an ipv6 address is 39
characters (8 groups of 4 hex chars, with 7 colons in between). So don't
allocate more room than this - and more importantly, don't blindly accept
strings from the server that are longer than our buffer...
Steve Langasek [Fri, 20 Sep 2013 16:29:23 +0000 (11:29 -0500)]
Pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE
A wrong pointer was being passed to EFI_PXE_BASE_CODE_TFTP_READ_FILE,
preventing us from getting the file size back from the tftp call, ensuring
that we don't have enough information to properly secureboot-validate the
retrieved image.
Peter Jones [Mon, 23 Sep 2013 14:22:48 +0000 (10:22 -0400)]
Make SHIM_LOCK_GUID a first-class object with a symbol.
Right now the CA is checking if shim builds expose a particular version
of the shim protocol. To do this, they're looking for SHIM_LOCK_GUID's
value in the resulting binary.
Currently, with SHIM_LOCK_GUID as a macro that gets assigned to local
variables, that means they have to compensate for mov instructions mixed
in with the actual value. This is completely absurd, so promote it to a
first-class object with a symbol to make it both easy to find and
continuous.
Peter Jones [Wed, 20 Mar 2013 17:18:34 +0000 (13:18 -0400)]
Move embedded certificates to their own section.
With this change, the embedded certificate and dbx lists (vendor_cert,
vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
section named .vendor_cert, and so will look something like:
------
fenchurch:~/devel/github.com/shim$ objdump -h shim.efi
This simplifies a security audit, because it means that different
versions of shim with substantially the same code with different keys
will be more easily comperable, and therefore logic differences may be
more easily identified.
This also means that if there's a trusted build you want to use, you can
remove the certificates, implant new ones, and have it signed, and the
code sections won't change.
Peter Jones [Tue, 30 Apr 2013 14:30:04 +0000 (10:30 -0400)]
[fallback] Try to execute the first new boot option.
I'm told rebooting is sometimes unreliable when called here, and we'll
get bootx64.efi loaded anyway. I'll just assume that's true and try to
load the first option, since it's clearly what we'd prefer happens next.
Peter Jones [Fri, 15 Mar 2013 16:40:47 +0000 (12:40 -0400)]
Add a fallback loader for when shim is invoked as BOOTX64.EFI
If shim is invoked as \EFI\BOOT\BOOT*.EFI and a file exists named
\EFI\BOOT\FALLBACK.EFI, try it instead of our second stage. So don't
put fallback.efi on your install media in \EFI\BOOT, because that won't
do whatever it is you're hoping for, unless you're hoping not to start
the installer.
So here's the process for using this:
in /EFI/fedora/ (or whichever directory you happen to own), you put:
shim.efi
grub.efi
boot.csv - format is: shim.efi,Nice Label,cmdline arguments,comments
- filenames refer only to files in this directory, with no
leading characters such as L"./" or L"/EFI/fedora/"
- note that while this is CSV, the character encoding is
UCS-2
and if /EFI/BOOT/BOOTX64.EFI doesn't already exist, then in /EFI/BOOT:
shim.efi as BOOTX64.EFI
fallback.efi
The previous commit, 14d4b8e, caused shim failed to parse the name
of the 2nd stage loader in UEFI shell. Amend parsing of the name the
2nd stage loader to be compatible with UEFI shell.
Since Pause() doesn't clear the key from the input queue, the next
ReadKeyStroke reads the queued key instead of the new one. If the
user presses "Enter", MokManager exits directly without showing
the menu again.
This commit replaces the 2nd stage loader path with the first
argument in the Load Options and moves the rest arguments (if any)
to the Load Options for the 2nd stage loader.
For example, to make shim to load elilo.efi, just create a new
boot entry with efibootmgr:
Matthew Garrett [Sat, 24 Nov 2012 05:07:11 +0000 (00:07 -0500)]
Sign MokManager with a locally-generated key
shim needs to verify that MokManager hasn't been modified, but we want to
be able to support configurations where shim is shipped without a vendor
certificate. This patch adds support for generating a certificate at build
time, incorporating the public half into shim and signing MokManager with
the private half. It uses pesign and nss, but still requires openssl for
key generation. Anyone using sbsign will need to figure this out for
themselves.
Matthew Garrett [Thu, 1 Nov 2012 14:39:31 +0000 (10:39 -0400)]
Fix AuthenticodeVerify loop
Cert needs to be modified inside the Index loop, not outside it. This is unlikely to
ever trigger since there will typically only be one X509 certificate per
EFI_SIGNATURE_LIST, but fix it anyway.