diff --git a/MokVars.txt b/MokVars.txt
index 64fe846..4b80a41 100644
--- a/MokVars.txt
+++ b/MokVars.txt
@@ -55,12 +55,12 @@ matches MokAuth, the user will be prompted to enrol the keys.
 BS,RT,NV State variables:
-MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
+MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
 as described in the UEFI specification. BS,NV MokListRT: A copy of MokList made available to the kernel at runtime. RT
-MokListX: A list of blacklisted keys and hashes. An EFI_SIGNATURE_LIST
+MokListX: A list of forbidden keys and hashes. An EFI_SIGNATURE_LIST
 as described in the UEFI specification. BS,NV MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
diff --git a/README.md b/README.md
index c4663a7..ce6bad7 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ execute another application. It will initially attempt to do this via the
 standard EFI `LoadImage()` and `StartImage()` calls. If these fail (because Secure Boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If
-this succeeds and if the binary or signing key are not blacklisted then shim
+this succeeds and if the binary or signing key are not forbidden then shim
 will relocate and execute the binary. shim will also install a protocol which permits the second-stage bootloader
diff --git a/README.tpm b/README.tpm
index fd2252d..73dc468 100644
--- a/README.tpm
+++ b/README.tpm
@@ -9,14 +9,14 @@ PCR4:
 PCR7: - Any certificate in one of our certificate databases that matches a binary we try to load will be extended into PCR7. That includes:
- - DBX - the system blacklist, logged as "dbx"
- - MokListX - the Mok blacklist, logged as "MokListX"
- - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
- - DB - the system whitelist, logged as "db"
- - vendor_db - shim's built-in vendor whitelist, logged as "db"
- - MokList the Mok whitelist, logged as "MokList"
- - vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
- - shim_cert - shim's build-time generated whitelist, logged as "Shim"
+ - DBX - the system denylist, logged as "dbx"
+ - MokListX - the Mok denylist, logged as "MokListX"
+ - vendor_dbx - shim's built-in vendor denylist, logged as "dbx"
+ - DB - the system allowlist, logged as "db"
+ - vendor_db - shim's built-in vendor allowlist, logged as "db"
+ - MokList the Mok allowlist, logged as "MokList"
+ - vendor_cert - shim's built-in vendor allowlist, logged as "Shim"
+ - shim_cert - shim's build-time generated allowlist, logged as "Shim"
 - MokSBState will be extended into PCR7 if it is set, logged as "MokSBState".
diff --git a/shim.c b/shim.c
index b25c63b..fc8f151 100644
--- a/shim.c
+++ b/shim.c
@@ -298,10 +298,10 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
 /*
  * Check whether the binary signature or hash are present in dbx or the
- * built-in blacklist
+ * built-in denylist
  */
-static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
- UINT8 *sha256hash, UINT8 *sha1hash)
+static EFI_STATUS check_denylist (WIN_CERTIFICATE_EFI_PKCS *cert,
+ UINT8 *sha256hash, UINT8 *sha1hash)
 {
 EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized;
@@ -364,7 +364,7 @@ static void update_verification_method(verification_method_t method)
 /*
  * Check whether the binary signature or hash are present in db or MokList
  */
-static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
+static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert,
  UINT8 *sha256hash, UINT8 *sha1hash)
 {
 if (!ignore_db) {
@@ -480,12 +480,12 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
 EFI_STATUS efi_status;
 /*
- * Ensure that the binary isn't blacklisted
+ * Ensure that the binary isn't forbidden
  */
 drain_openssl_errors();
- efi_status = check_blacklist(sig, sha256hash, sha1hash);
+ efi_status = check_denylist(sig, sha256hash, sha1hash);
 if (EFI_ERROR(efi_status)) {
- perror(L"Binary is blacklisted: %r\n", efi_status);
+ perror(L"Binary is forbidden: %r\n", efi_status);
 PrintErrors();
 ClearErrors();
 crypterr(efi_status);
@@ -493,14 +493,14 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
 }
 /*
- * Check whether the binary is whitelisted in any of the firmware
+ * Check whether the binary is authorized in any of the firmware
  * databases
  */
 drain_openssl_errors();
- efi_status = check_whitelist(sig, sha256hash, sha1hash);
+ efi_status = check_allowlist(sig, sha256hash, sha1hash);
 if (EFI_ERROR(efi_status)) {
 if (efi_status != EFI_NOT_FOUND) {
- dprint(L"check_whitelist(): %r\n", efi_status);
+ dprint(L"check_allowlist(): %r\n", efi_status);
 PrintErrors();
 ClearErrors();
 crypterr(efi_status);
@@ -603,13 +603,13 @@ verify_buffer (char *data, int datasize,
 }
 /*
- * Ensure that the binary isn't blacklisted by hash
+ * Ensure that the binary isn't forbidden by hash
  */
 drain_openssl_errors();
- ret_efi_status = check_blacklist(NULL, sha256hash, sha1hash);
+ ret_efi_status = check_denylist(NULL, sha256hash, sha1hash);
 if (EFI_ERROR(ret_efi_status)) {
- perror(L"Binary is blacklisted\n");
- dprint(L"Binary is blacklisted: %r\n", ret_efi_status);
+// perror(L"Binary is forbidden\n");
+// dprint(L"Binary is forbidden: %r\n", ret_efi_status);
 PrintErrors();
 ClearErrors();
 crypterr(ret_efi_status);
@@ -617,15 +617,16 @@ verify_buffer (char *data, int datasize,
 }
 /*
- * Check whether the binary is whitelisted by hash in any of the
+ * Check whether the binary is authorized by hash in any of the
  * firmware databases
  */
 drain_openssl_errors();
- ret_efi_status = check_whitelist(NULL, sha256hash, sha1hash);
+ ret_efi_status = check_allowlist(NULL, sha256hash, sha1hash);
 if (EFI_ERROR(ret_efi_status)) {
- dprint(L"check_whitelist: %r\n", ret_efi_status);
+ LogError(L"check_allowlist(): %r\n", ret_efi_status);
+ dprint(L"check_allowlist: %r\n", ret_efi_status);
 if (ret_efi_status != EFI_NOT_FOUND) {
- dprint(L"check_whitelist(): %r\n", ret_efi_status);
+ dprint(L"check_allowlist(): %r\n", ret_efi_status);
 PrintErrors();
 ClearErrors();
 crypterr(ret_efi_status);
@@ -699,7 +700,7 @@ verify_buffer (char *data, int datasize,
 } while (offset < context->SecDir->Size);
 if (ret_efi_status != EFI_SUCCESS) {
- dprint(L"Binary is not whitelisted\n");
+ dprint(L"Binary is not authorized\n");
 PrintErrors();
 ClearErrors();
 crypterr(EFI_SECURITY_VIOLATION);
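Review bot: The denylist-by-hash branch of verify_buffer (first hunk of this file section) does not just reword the messages, it comments both of them out (`//	perror(L"Binary is forbidden\n");` and `//	dprint(L"Binary is forbidden: %r\n", ret_efi_status);`), so a binary rejected by hash now returns through crypterr() with no message naming the cause, which is a behaviour change hidden inside a terminology rename. If the reports are meant to go, delete the two lines rather than leaving `//`-prefixed code at column 0 and note the reason in the commit message; otherwise keep them as `perror(L"Binary is forbidden\n");` and `dprint(L"Binary is forbidden: %r\n", ret_efi_status);`. verify_buffer starts and ends outside the hunk.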
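Review bot: The new `LogError(L"check_allowlist(): %r\n", ret_efi_status);` in the second hunk runs before the `if (ret_efi_status != EFI_NOT_FOUND)` test, so the EFI_NOT_FOUND result, which this branch deliberately treats as non-fatal and which appears to be the normal outcome whenever the hash is not enrolled and the binary goes on to be checked by signature, is recorded as an error on every such load. Either move the LogError call inside the `!= EFI_NOT_FOUND` branch or leave only the unconditional dprint. With the change as written the non-NOT_FOUND path also emits both `dprint(L"check_allowlist: %r\n", ...)` and `dprint(L"check_allowlist(): %r\n", ...)`, one of which is redundant. verify_buffer starts and ends outside the hunk.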