proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-07-26 03:57:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Allow specification of vendor_cert through a build command line option.

Browse Source 
This allows you to specify the vendor_cert as a file on the command line
during build.
This commit is contained in:
Peter Jones 2012-08-13 17:06:46 -04:00
parent 2295594a47
commit 178b5681b8
4 changed files with 46 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Makefile
View File

@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall -mno-red-zone \ -Wall -mno-red-zone \
$(EFI_INCLUDES) $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64) ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER CFLAGS += -DEFI_FUNCTION_WRAPPER
endif endif
ifneq ($(origin VENDOR_CERT_FILE), undefined)
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
endif
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
TARGET = shim.efi TARGET = shim.efi
OBJS = shim.o shim.so OBJS = shim.o cert.o
SOURCES = shim.c shim.h signature.h PeImage.h cert.h SOURCES = shim.c shim.h signature.h PeImage.h
all: $(TARGET) all: $(TARGET)
shim.o: $(SOURCES) shim.o: $(SOURCES)
shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o : cert.S
$(CC) $(CFLAGS) -c -o $@ $<
shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
Cryptlib/libcryptlib.a: Cryptlib/libcryptlib.a:

32
cert.S Normal file
View File

@ -0,0 +1,32 @@
#if defined(VENDOR_CERT_FILE)
.globl vendor_cert
.data
.align 16
.type vendor_cert, @object
.size vendor_cert_size, vendor_cert_size-vendor_cert
vendor_cert:
.incbin VENDOR_CERT_FILE
.globl vendor_cert_size
.data
.align 16
.type vendor_cert_size, @object
.size vendor_cert_size, 4
vendor_cert_size:
.long vendor_cert_size - vendor_cert
#else
.globl vendor_cert
.bss
.type vendor_cert, @object
.size vendor_cert, 1
vendor_cert:
.zero 1
.globl vendor_cert_size
.data
.align 4
.type vendor_cert_size, @object
.size vendor_cert_size, 4
vendor_cert_size:
.long 1
#endif

1
cert.h
View File

@ -1 +0,0 @@
static UINT8 vendor_cert[] = {0x00};

6
shim.c
View File

@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
/* /*
* The vendor certificate used for validating the second stage loader * The vendor certificate used for validating the second stage loader
*/ */
extern UINT8 vendor_cert[];
#include "cert.h" extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (!AuthenticodeVerify(cert->CertData, if (!AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr), context->SecDir->Size - sizeof(cert->Hdr),
vendor_cert, sizeof(vendor_cert), hash, vendor_cert, vendor_cert_size, hash,
SHA256_DIGEST_SIZE)) { SHA256_DIGEST_SIZE)) {
Print(L"Invalid signature\n"); Print(L"Invalid signature\n");
status = EFI_ACCESS_DENIED; status = EFI_ACCESS_DENIED;