proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-11-04 13:10:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into mok-prototype3

Browse Source 
Conflicts:
	shim.c
This commit is contained in:
Gary Ching-Pang Lin 2012-09-07 18:22:34 +08:00
commit 000c565c06
5 changed files with 870 additions and 809 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Makefile
View File

@ -14,24 +14,32 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall -mno-red-zone \ -Wall -mno-red-zone \
$(EFI_INCLUDES) $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64) ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER CFLAGS += -DEFI_FUNCTION_WRAPPER
endif endif
ifneq ($(origin VENDOR_CERT_FILE), undefined)
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
TARGET = shim.efi VERSION = 0.1
OBJS = shim.o shim.so
SOURCES = shim.c shim.h signature.h PeImage.h cert.h TARGET = shim.efi
OBJS = shim.o cert.o
SOURCES = shim.c shim.h signature.h PeImage.h
all: $(TARGET) all: $(TARGET)
shim.o: $(SOURCES) shim.o: $(SOURCES)
shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o : cert.S
$(CC) $(CFLAGS) -c -o $@ $<
shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
Cryptlib/libcryptlib.a: Cryptlib/libcryptlib.a:
@ -56,3 +64,25 @@ clean:
$(MAKE) -C Cryptlib clean $(MAKE) -C Cryptlib clean
$(MAKE) -C Cryptlib/OpenSSL clean $(MAKE) -C Cryptlib/OpenSSL clean
rm -f $(TARGET) $(OBJS) rm -f $(TARGET) $(OBJS)
GITTAG = $(VERSION)
test-archive:
@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
@mkdir -p /tmp/shim-$(VERSION)-tmp
@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
@rm -rf /tmp/shim-$(VERSION)
@echo "The archive is in shim-$(VERSION).tar.bz2"
archive:
git tag $(GITTAG) refs/heads/master
@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
@mkdir -p /tmp/shim-$(VERSION)-tmp
@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
@rm -rf /tmp/shim-$(VERSION)
@echo "The archive is in shim-$(VERSION).tar.bz2"

1584
PeImage.h
View File

File diff suppressed because it is too large Load Diff

32
cert.S Normal file
View File

@ -0,0 +1,32 @@
#if defined(VENDOR_CERT_FILE)
.globl vendor_cert_size
.data
.align 1
.type vendor_cert_size, @object
.size vendor_cert_size, 4
vendor_cert_size:
.long .L0 - vendor_cert
.globl vendor_cert
.data
.align 1
.type vendor_cert, @object
.size vendor_cert_size, vendor_cert_size-vendor_cert
vendor_cert:
.incbin VENDOR_CERT_FILE
.L0:
#else
.globl vendor_cert
.bss
.type vendor_cert, @object
.size vendor_cert, 1
vendor_cert:
.zero 1
.globl vendor_cert_size
.data
.align 4
.type vendor_cert_size, @object
.size vendor_cert_size, 4
vendor_cert_size:
.long 1
#endif

1
cert.h
View File

@ -1 +0,0 @@
static UINT8 vendor_cert[] = {0x00};

22
shim.c
View File

@ -49,8 +49,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
/* /*
* The vendor certificate used for validating the second stage loader * The vendor certificate used for validating the second stage loader
*/ */
extern UINT8 vendor_cert[];
#include "cert.h" extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@ -232,9 +232,8 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, WIN_CERTIFICATE_EFI_PKCS *data
Cert->SignatureData, Cert->SignatureData,
CertList->SignatureSize, CertList->SignatureSize,
hash, SHA256_DIGEST_SIZE); hash, SHA256_DIGEST_SIZE);
} if (IsFound)
if (IsFound) { break;
break;
} }
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
@ -536,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (!AuthenticodeVerify(cert->CertData, if (!AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr), context->SecDir->Size - sizeof(cert->Hdr),
vendor_cert, sizeof(vendor_cert), hash, vendor_cert, vendor_cert_size, hash,
SHA256_DIGEST_SIZE)) { SHA256_DIGEST_SIZE)) {
Print(L"Invalid signature\n"); Print(L"Invalid signature\n");
status = EFI_ACCESS_DENIED; status = EFI_ACCESS_DENIED;
@ -556,7 +555,7 @@ done:
/* /*
* Read the binary header and grab appropriate information from it * Read the binary header and grab appropriate information from it
*/ */
static EFI_STATUS read_header(void *data, static EFI_STATUS read_header(void *data, unsigned int datasize,
PE_COFF_LOADER_IMAGE_CONTEXT *context) PE_COFF_LOADER_IMAGE_CONTEXT *context)
{ {
EFI_IMAGE_DOS_HEADER *DosHdr = data; EFI_IMAGE_DOS_HEADER *DosHdr = data;
@ -591,7 +590,7 @@ static EFI_STATUS read_header(void *data,
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
if (context->SecDir->VirtualAddress >= context->ImageSize) { if (context->SecDir->VirtualAddress >= datasize) {
Print(L"Malformed security header\n"); Print(L"Malformed security header\n");
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
@ -607,7 +606,8 @@ static EFI_STATUS read_header(void *data,
/* /*
* Once the image has been loaded it needs to be validated and relocated * Once the image has been loaded it needs to be validated and relocated
*/ */
static EFI_STATUS handle_image (void *data, int datasize, EFI_LOADED_IMAGE *li) static EFI_STATUS handle_image (void *data, unsigned int datasize,
EFI_LOADED_IMAGE *li)
{ {
EFI_STATUS efi_status; EFI_STATUS efi_status;
char *buffer; char *buffer;
@ -616,7 +616,7 @@ static EFI_STATUS handle_image (void *data, int datasize, EFI_LOADED_IMAGE *li)
char *base, *end; char *base, *end;
PE_COFF_LOADER_IMAGE_CONTEXT context; PE_COFF_LOADER_IMAGE_CONTEXT context;
efi_status = read_header(data, &context); efi_status = read_header(data, datasize, &context);
if (efi_status != EFI_SUCCESS) { if (efi_status != EFI_SUCCESS) {
Print(L"Failed to read header\n"); Print(L"Failed to read header\n");
return efi_status; return efi_status;
@ -845,7 +845,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (!secure_mode()) if (!secure_mode())
return EFI_SUCCESS; return EFI_SUCCESS;
status = read_header(buffer, &context); status = read_header(buffer, size, &context);
if (status != EFI_SUCCESS) if (status != EFI_SUCCESS)
return status; return status;