Merge branch 'master' into mok-prototype3

Conflicts:
	shim.c

Makefile

@@ -14,24 +14,32 @@ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
 EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
 EFI_LDS		= $(EFI_PATH)/elf_$(ARCH)_efi.lds
 
-
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
 		  -Wall -mno-red-zone \
 		  $(EFI_INCLUDES)
 ifeq ($(ARCH),x86_64)
 	CFLAGS	+= -DEFI_FUNCTION_WRAPPER
 endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
 LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
 
-TARGET		= shim.efi
-OBJS		= shim.o shim.so
-SOURCES		= shim.c shim.h signature.h PeImage.h cert.h
+VERSION		= 0.1
+
+TARGET	= shim.efi
+OBJS	= shim.o cert.o
+SOURCES	= shim.c shim.h signature.h PeImage.h
 
 all: $(TARGET)
 
 shim.o: $(SOURCES)
 
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+cert.o : cert.S
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
 
 Cryptlib/libcryptlib.a:
@@ -56,3 +64,25 @@ clean:
 	$(MAKE) -C Cryptlib clean
 	$(MAKE) -C Cryptlib/OpenSSL clean
 	rm -f $(TARGET) $(OBJS)
+
+GITTAG = $(VERSION)
+
+test-archive:
+	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+	@mkdir -p /tmp/shim-$(VERSION)-tmp
+	@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+	@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
+	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+	@rm -rf /tmp/shim-$(VERSION)
+	@echo "The archive is in shim-$(VERSION).tar.bz2"
+
+archive:
+	git tag $(GITTAG) refs/heads/master
+	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+	@mkdir -p /tmp/shim-$(VERSION)-tmp
+	@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+	@rm -rf /tmp/shim-$(VERSION)
+	@echo "The archive is in shim-$(VERSION).tar.bz2"

cert.S

@@ -0,0 +1,32 @@
+#if defined(VENDOR_CERT_FILE)
+	.globl	vendor_cert_size
+	.data
+	.align	1
+	.type	vendor_cert_size, @object
+	.size	vendor_cert_size, 4
+vendor_cert_size:
+	.long	.L0 - vendor_cert
+	.globl	vendor_cert
+	.data
+	.align	1
+	.type	vendor_cert, @object
+	.size	vendor_cert_size, vendor_cert_size-vendor_cert
+vendor_cert:
+.incbin VENDOR_CERT_FILE
+.L0:
+#else
+	.globl	vendor_cert
+	.bss
+	.type	vendor_cert, @object
+	.size	vendor_cert, 1
+vendor_cert:
+	.zero	1
+
+	.globl	vendor_cert_size
+	.data
+	.align 4
+	.type	vendor_cert_size, @object
+	.size	vendor_cert_size, 4
+vendor_cert_size:
+	.long	1
+#endif

cert.h

@@ -1 +0,0 @@
-static UINT8 vendor_cert[] = {0x00};

shim.c

@@ -49,8 +49,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
 /*
  * The vendor certificate used for validating the second stage loader
  */
-
-#include "cert.h"
+extern UINT8 vendor_cert[];
+extern UINT32 vendor_cert_size;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
@@ -232,9 +232,8 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, WIN_CERTIFICATE_EFI_PKCS *data
 							      Cert->SignatureData,
 							      CertList->SignatureSize,
 							      hash, SHA256_DIGEST_SIZE);
-					}
-			if (IsFound) {
-				break;
+				if (IsFound)
+					break;
 			}
 
 			Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
@@ -536,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 
 	if (!AuthenticodeVerify(cert->CertData,
 				context->SecDir->Size - sizeof(cert->Hdr),
-				vendor_cert, sizeof(vendor_cert), hash,
+				vendor_cert, vendor_cert_size, hash,
 				SHA256_DIGEST_SIZE)) {
 		Print(L"Invalid signature\n");
 		status = EFI_ACCESS_DENIED;
@@ -556,7 +555,7 @@ done:
 /*
  * Read the binary header and grab appropriate information from it
  */
-static EFI_STATUS read_header(void *data,
+static EFI_STATUS read_header(void *data, unsigned int datasize,
 			      PE_COFF_LOADER_IMAGE_CONTEXT *context)
 {
 	EFI_IMAGE_DOS_HEADER *DosHdr = data;
@@ -591,7 +590,7 @@ static EFI_STATUS read_header(void *data,
 	context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
 	context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
 
-	if (context->SecDir->VirtualAddress >= context->ImageSize) {
+	if (context->SecDir->VirtualAddress >= datasize) {
 		Print(L"Malformed security header\n");
 		return EFI_INVALID_PARAMETER;
 	}
@@ -607,7 +606,8 @@ static EFI_STATUS read_header(void *data,
 /*
  * Once the image has been loaded it needs to be validated and relocated
  */
-static EFI_STATUS handle_image (void *data, int datasize, EFI_LOADED_IMAGE *li)
+static EFI_STATUS handle_image (void *data, unsigned int datasize,
+				EFI_LOADED_IMAGE *li)
 {
 	EFI_STATUS efi_status;
 	char *buffer;
@@ -616,7 +616,7 @@ static EFI_STATUS handle_image (void *data, int datasize, EFI_LOADED_IMAGE *li)
 	char *base, *end;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
 
-	efi_status = read_header(data, &context);
+	efi_status = read_header(data, datasize, &context);
 	if (efi_status != EFI_SUCCESS) {
 		Print(L"Failed to read header\n");
 		return efi_status;
@@ -845,7 +845,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	if (!secure_mode())
 		return EFI_SUCCESS;
 
-	status = read_header(buffer, &context);
+	status = read_header(buffer, size, &context);
 
 	if (status != EFI_SUCCESS)
 		return status;