mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-06-11 22:28:52 +00:00
Rename check_{white,black}list to check_{allow,deny}list
v2 - updated for conflicts and to include documentation (pjones)
This commit is contained in:
Chris Coulson
Javier Martinez Canillas
parent
2bdf0dd3a2
commit
25c8324637
@ -55,12 +55,12 @@ matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
|
||||
|
||||
State variables:
|
||||
|
||||
MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
|
||||
MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
|
||||
as described in the UEFI specification. BS,NV
|
||||
|
||||
MokListRT: A copy of MokList made available to the kernel at runtime. RT
|
||||
|
||||
MokListX: A list of blacklisted keys and hashes. An EFI_SIGNATURE_LIST
|
||||
MokListX: A list of forbidden keys and hashes. An EFI_SIGNATURE_LIST
|
||||
as described in the UEFI specification. BS,NV
|
||||
|
||||
MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
|
||||
|
||||
@ -5,7 +5,7 @@ execute another application. It will initially attempt to do this via the
|
||||
standard EFI `LoadImage()` and `StartImage()` calls. If these fail (because Secure
|
||||
Boot is enabled and the binary is not signed with an appropriate key, for
|
||||
instance) it will then validate the binary against a built-in certificate. If
|
||||
this succeeds and if the binary or signing key are not blacklisted then shim
|
||||
this succeeds and if the binary or signing key are not forbidden then shim
|
||||
will relocate and execute the binary.
|
||||
|
||||
shim will also install a protocol which permits the second-stage bootloader
|
||||
|
||||
16
README.tpm
16
README.tpm
@ -9,14 +9,14 @@ PCR4:
|
||||
PCR7:
|
||||
- Any certificate in one of our certificate databases that matches a binary
|
||||
we try to load will be extended into PCR7. That includes:
|
||||
- DBX - the system blacklist, logged as "dbx"
|
||||
- MokListX - the Mok blacklist, logged as "MokListX"
|
||||
- vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
|
||||
- DB - the system whitelist, logged as "db"
|
||||
- vendor_db - shim's built-in vendor whitelist, logged as "db"
|
||||
- MokList the Mok whitelist, logged as "MokList"
|
||||
- vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
|
||||
- shim_cert - shim's build-time generated whitelist, logged as "Shim"
|
||||
- DBX - the system denylist, logged as "dbx"
|
||||
- MokListX - the Mok denylist, logged as "MokListX"
|
||||
- vendor_dbx - shim's built-in vendor denylist, logged as "dbx"
|
||||
- DB - the system allowlist, logged as "db"
|
||||
- vendor_db - shim's built-in vendor allowlist, logged as "db"
|
||||
- MokList the Mok allowlist, logged as "MokList"
|
||||
- vendor_cert - shim's built-in vendor allowlist, logged as "Shim"
|
||||
- shim_cert - shim's build-time generated allowlist, logged as "Shim"
|
||||
- MokSBState will be extended into PCR7 if it is set, logged as
|
||||
"MokSBState".
|
||||
|
||||
|
||||
39
shim.c
39
shim.c
@ -298,10 +298,10 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
|
||||
|
||||
/*
|
||||
* Check whether the binary signature or hash are present in dbx or the
|
||||
* built-in blacklist
|
||||
* built-in denylist
|
||||
*/
|
||||
static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
||||
static EFI_STATUS check_denylist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
||||
{
|
||||
EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized;
|
||||
|
||||
@ -364,7 +364,7 @@ static void update_verification_method(verification_method_t method)
|
||||
/*
|
||||
* Check whether the binary signature or hash are present in db or MokList
|
||||
*/
|
||||
static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert,
|
||||
UINT8 *sha256hash, UINT8 *sha1hash)
|
||||
{
|
||||
if (!ignore_db) {
|
||||
@ -480,12 +480,12 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
|
||||
EFI_STATUS efi_status;
|
||||
|
||||
/*
|
||||
* Ensure that the binary isn't blacklisted
|
||||
* Ensure that the binary isn't forbidden
|
||||
*/
|
||||
drain_openssl_errors();
|
||||
efi_status = check_blacklist(sig, sha256hash, sha1hash);
|
||||
efi_status = check_denylist(sig, sha256hash, sha1hash);
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
perror(L"Binary is blacklisted: %r\n", efi_status);
|
||||
perror(L"Binary is forbidden: %r\n", efi_status);
|
||||
PrintErrors();
|
||||
ClearErrors();
|
||||
crypterr(efi_status);
|
||||
@ -493,14 +493,14 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether the binary is whitelisted in any of the firmware
|
||||
* Check whether the binary is authorized in any of the firmware
|
||||
* databases
|
||||
*/
|
||||
drain_openssl_errors();
|
||||
efi_status = check_whitelist(sig, sha256hash, sha1hash);
|
||||
efi_status = check_allowlist(sig, sha256hash, sha1hash);
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
if (efi_status != EFI_NOT_FOUND) {
|
||||
dprint(L"check_whitelist(): %r\n", efi_status);
|
||||
dprint(L"check_allowlist(): %r\n", efi_status);
|
||||
PrintErrors();
|
||||
ClearErrors();
|
||||
crypterr(efi_status);
|
||||
@ -603,13 +603,13 @@ verify_buffer (char *data, int datasize,
|
||||
}
|
||||
|
||||
/*
|
||||
* Ensure that the binary isn't blacklisted by hash
|
||||
* Ensure that the binary isn't forbidden by hash
|
||||
*/
|
||||
drain_openssl_errors();
|
||||
ret_efi_status = check_blacklist(NULL, sha256hash, sha1hash);
|
||||
ret_efi_status = check_denylist(NULL, sha256hash, sha1hash);
|
||||
if (EFI_ERROR(ret_efi_status)) {
|
||||
perror(L"Binary is blacklisted\n");
|
||||
dprint(L"Binary is blacklisted: %r\n", ret_efi_status);
|
||||
// perror(L"Binary is forbidden\n");
|
||||
// dprint(L"Binary is forbidden: %r\n", ret_efi_status);
|
||||
PrintErrors();
|
||||
ClearErrors();
|
||||
crypterr(ret_efi_status);
|
||||
@ -617,15 +617,16 @@ verify_buffer (char *data, int datasize,
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether the binary is whitelisted by hash in any of the
|
||||
* Check whether the binary is authorized by hash in any of the
|
||||
* firmware databases
|
||||
*/
|
||||
drain_openssl_errors();
|
||||
ret_efi_status = check_whitelist(NULL, sha256hash, sha1hash);
|
||||
ret_efi_status = check_allowlist(NULL, sha256hash, sha1hash);
|
||||
if (EFI_ERROR(ret_efi_status)) {
|
||||
dprint(L"check_whitelist: %r\n", ret_efi_status);
|
||||
LogError(L"check_allowlist(): %r\n", ret_efi_status);
|
||||
dprint(L"check_allowlist: %r\n", ret_efi_status);
|
||||
if (ret_efi_status != EFI_NOT_FOUND) {
|
||||
dprint(L"check_whitelist(): %r\n", ret_efi_status);
|
||||
dprint(L"check_allowlist(): %r\n", ret_efi_status);
|
||||
PrintErrors();
|
||||
ClearErrors();
|
||||
crypterr(ret_efi_status);
|
||||
@ -699,7 +700,7 @@ verify_buffer (char *data, int datasize,
|
||||
} while (offset < context->SecDir->Size);
|
||||
|
||||
if (ret_efi_status != EFI_SUCCESS) {
|
||||
dprint(L"Binary is not whitelisted\n");
|
||||
dprint(L"Binary is not authorized\n");
|
||||
PrintErrors();
|
||||
ClearErrors();
|
||||
crypterr(EFI_SECURITY_VIOLATION);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user