proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-06 20:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make vendor_cert/vendor_dbx actually replaceable by an external tool.

Browse Source 
This moves them both to be computed at runtime from a pointer+offset
rather than just a pointer, so that their real address can be entirely
derived from the section they're in.

This means you can replace the whole .vendor_cert section with a new one
with certs that don't have the same size.
This commit is contained in:
Peter Jones 2013-09-09 14:43:04 -04:00
parent 73de2ec2d8
commit 02388bcd58
4 changed files with 79 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile
View File

@ -68,9 +68,6 @@ shim.o: $(SOURCES) shim_cert.h
cert.o : cert.S cert.o : cert.S
$(CC) $(CFLAGS) -c -o $@ $< $(CC) $(CFLAGS) -c -o $@ $<
dbx.o : dbx.S
$(CC) $(CFLAGS) -c -o $@ $<
shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

95
cert.S
View File

@ -1,36 +1,67 @@
.globl cert_table
.data
.align 16
.type cert_table, @object
.size cert_table, 4
.section .vendor_cert, "a", @progbits
cert_table:
#if defined(VENDOR_CERT_FILE) #if defined(VENDOR_CERT_FILE)
.globl vendor_cert_size .long vendor_cert_priv_end - vendor_cert_priv
.data
.align 1
.type vendor_cert_size, @object
.size vendor_cert_size, 4
.section .vendor_cert, "a", @progbits
vendor_cert_size:
.long .L0 - vendor_cert
.globl vendor_cert
.data
.align 1
.type vendor_cert, @object
.size vendor_cert, .L0-vendor_cert
.section .vendor_cert, "a", @progbits
vendor_cert:
.incbin VENDOR_CERT_FILE
.L0:
#else #else
.globl vendor_cert
.bss
.type vendor_cert, @object
.size vendor_cert, 1
.section .vendor_cert, "a", @progbits
vendor_cert:
.zero 1
.globl vendor_cert_size
.data
.align 4
.type vendor_cert_size, @object
.size vendor_cert_size, 4
.section .vendor_cert, "a", @progbits
vendor_cert_size:
.long 0 .long 0
#endif #endif
#if defined(VENDOR_DBX_FILE)
.long vendor_dbx_priv_end - vendor_dbx_priv
#else
.long 0
#endif
.long vendor_cert_priv - cert_table
.long vendor_dbx_priv - cert_table
#if defined(VENDOR_CERT_FILE)
.data
.align 1
.type vendor_cert_priv, @object
.size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv
.section .vendor_cert, "a", @progbits
vendor_cert_priv:
.incbin VENDOR_CERT_FILE
vendor_cert_priv_end:
#else
.bss
.type vendor_cert_priv, @object
.size vendor_cert_priv, 1
.section .vendor_cert, "a", @progbits
vendor_cert_priv:
.zero 1
.data
.align 4
.type vendor_cert_size_priv, @object
.size vendor_cert_size_priv, 4
.section .vendor_cert, "a", @progbits
vendor_cert_priv_end:
#endif
#if defined(VENDOR_DBX_FILE)
.data
.align 1
.type vendor_dbx_priv, @object
.size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv
.section .vendor_cert, "a", @progbits
vendor_dbx_priv:
.incbin VENDOR_DBX_FILE
vendor_dbx_priv_end:
#else
.bss
.type vendor_dbx_priv, @object
.size vendor_dbx_priv, 1
.section .vendor_cert, "a", @progbits
vendor_dbx_priv:
.zero 1
.data
.align 4
.type vendor_dbx_size_priv, @object
.size vendor_dbx_size_priv, 4
.section .vendor_cert, "a", @progbits
vendor_dbx_priv_end:
#endif

36
dbx.S
View File

@ -1,36 +0,0 @@
#if defined(VENDOR_DBX_FILE)
.globl vendor_dbx_size
.data
.align 1
.type vendor_dbx_size, @object
.size vendor_dbx_size, 4
.section .vendor_cert, "a", @progbits
vendor_dbx_size:
.long .L0 - vendor_dbx
.globl vendor_dbx
.data
.align 1
.type vendor_dbx, @object
.size vendor_dbx, .L0-vendor_dbx
.section .vendor_cert, "a", @progbits
vendor_dbx:
.incbin VENDOR_DBX_FILE
.L0:
#else
.globl vendor_dbx
.bss
.type vendor_dbx, @object
.size vendor_dbx, 1
.section .vendor_cert, "a", @progbits
vendor_dbx:
.zero 1
.globl vendor_dbx_size
.data
.align 4
.type vendor_dbx_size, @object
.size vendor_dbx_size, 4
.section .vendor_cert, "a", @progbits
vendor_dbx_size:
.long 0
#endif

20
shim.c
View File

@ -63,10 +63,17 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
/* /*
* The vendor certificate used for validating the second stage loader * The vendor certificate used for validating the second stage loader
*/ */
extern UINT8 vendor_cert[]; extern struct {
extern UINT32 vendor_cert_size; UINT32 vendor_cert_size;
extern UINT8 vendor_dbx[]; UINT32 vendor_dbx_size;
extern UINT32 vendor_dbx_size; UINT32 vendor_cert_offset;
UINT32 vendor_dbx_offset;
} cert_table;
UINT32 vendor_cert_size;
UINT32 vendor_dbx_size;
UINT8 *vendor_cert;
UINT8 *vendor_dbx;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@ -1493,6 +1500,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
UINTN verbose_check_size; UINTN verbose_check_size;
EFI_GUID global_var = EFI_GLOBAL_VARIABLE; EFI_GUID global_var = EFI_GLOBAL_VARIABLE;
vendor_cert_size = cert_table.vendor_cert_size;
vendor_dbx_size = cert_table.vendor_dbx_size;
vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
/* /*
* Set up the shim lock protocol so that grub and MokManager can * Set up the shim lock protocol so that grub and MokManager can
* call back in and use shim functions * call back in and use shim functions