diff --git a/Makefile b/Makefile index 83b3df9..031e27f 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c signature.h include/PeImage.h include/wincert.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o @@ -71,7 +71,7 @@ cert.o : cert.S dbx.o : dbx.S $(CC) $(CFLAGS) -c -o $@ $< -shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) diff --git a/MokManager.c b/MokManager.c index f6bc6c2..b01c65e 100644 --- a/MokManager.c +++ b/MokManager.c @@ -4,12 +4,13 @@ #include #include "console_control.h" #include "shim.h" -#include "signature.h" #include "PeImage.h" #include "PasswordCrypt.h" -#include "include/console.h" -#include "include/simple_file.h" +#include "guid.h" +#include "console.h" +#include "simple_file.h" +#include "efiauthenticated.h" #define PASSWORD_MAX 256 #define PASSWORD_MIN 1 @@ -115,8 +116,8 @@ done: static UINT32 count_keys(void *Data, UINTN DataSize) { EFI_SIGNATURE_LIST *CertList = Data; - EFI_GUID CertType = EfiCertX509Guid; - EFI_GUID HashType = EfiHashSha256Guid; + EFI_GUID CertType = X509_GUID; + EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINT32 MokNum = 0; @@ -152,8 +153,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { MokListNode *list; EFI_SIGNATURE_LIST *CertList = Data; EFI_SIGNATURE_DATA *Cert; - EFI_GUID CertType = EfiCertX509Guid; - EFI_GUID HashType = EfiHashSha256Guid; + EFI_GUID CertType = X509_GUID; + EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINTN count = 0; @@ -1271,7 +1272,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) goto out; CertList = mokbuffer; - CertList->SignatureType = EfiHashSha256Guid; + CertList->SignatureType = EFI_CERT_SHA256_GUID; CertList->SignatureSize = 16 + SHA256_DIGEST_SIZE; CertData = (EFI_SIGNATURE_DATA *)(((UINT8 *)mokbuffer) + sizeof(EFI_SIGNATURE_LIST)); @@ -1285,7 +1286,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) goto out; CertList = mokbuffer; - CertList->SignatureType = EfiCertX509Guid; + CertList->SignatureType = X509_GUID; CertList->SignatureSize = 16 + datasize; memcpy(mokbuffer + sizeof(EFI_SIGNATURE_LIST) + 16, data, diff --git a/include/guid.h b/include/guid.h index 10f865a..3c58be0 100644 --- a/include/guid.h +++ b/include/guid.h @@ -12,6 +12,7 @@ extern EFI_GUID RSA2048_GUID; extern EFI_GUID PKCS7_GUID; extern EFI_GUID IMAGE_PROTOCOL; extern EFI_GUID SIMPLE_FS_PROTOCOL; +extern EFI_GUID EFI_CERT_SHA1_GUID; extern EFI_GUID EFI_CERT_SHA256_GUID; extern EFI_GUID MOK_OWNER; extern EFI_GUID SECURITY_PROTOCOL_GUID; diff --git a/lib/guid.c b/lib/guid.c index 25db91a..56ec952 100644 --- a/lib/guid.c +++ b/lib/guid.c @@ -41,6 +41,7 @@ EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0 EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} }; EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL; EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL; +EFI_GUID EFI_CERT_SHA1_GUID = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}; EFI_GUID EFI_CERT_SHA256_GUID = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } }; EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; diff --git a/shim.c b/shim.c index e9e6771..9ffc94a 100644 --- a/shim.c +++ b/shim.c @@ -38,11 +38,13 @@ #include #include "PeImage.h" #include "shim.h" -#include "signature.h" #include "netboot.h" #include "shim_cert.h" #include "ucs2.h" +#include "guid.h" +#include "efiauthenticated.h" + #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -228,7 +230,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, EFI_SIGNATURE_DATA *Cert; UINTN CertCount, Index; BOOLEAN IsFound = FALSE; - EFI_GUID CertType = EfiCertX509Guid; + EFI_GUID CertType = X509_GUID; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { @@ -364,11 +366,11 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, - SHA256_DIGEST_SIZE, EfiHashSha256Guid) == + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, - SHA1_DIGEST_SIZE, EfiHashSha1Guid) == + SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert, @@ -376,10 +378,10 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, return EFI_ACCESS_DENIED; if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EfiHashSha1Guid) == DATA_FOUND) + EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND) return EFI_ACCESS_DENIED; @@ -397,13 +399,13 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_GUID shim_var = SHIM_LOCK_GUID; if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EfiHashSha1Guid) == DATA_FOUND) + EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) return EFI_SUCCESS; diff --git a/signature.h b/signature.h deleted file mode 100644 index 722dbe6..0000000 --- a/signature.h +++ /dev/null @@ -1,43 +0,0 @@ -#define SHA256_DIGEST_SIZE 32 - -EFI_GUID EfiHashSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}; -EFI_GUID EfiHashSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}; -EFI_GUID EfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }}; - -typedef struct { - /// - /// An identifier which identifies the agent which added the signature to the list. - /// - EFI_GUID SignatureOwner; - /// - /// The format of the signature is defined by the SignatureType. - /// - UINT8 SignatureData[1]; -} __attribute__ ((packed)) EFI_SIGNATURE_DATA; - -typedef struct { - /// - /// Type of the signature. GUID signature types are defined in below. - /// - EFI_GUID SignatureType; - /// - /// Total size of the signature list, including this header. - /// - UINT32 SignatureListSize; - /// - /// Size of the signature header which precedes the array of signatures. - /// - UINT32 SignatureHeaderSize; - /// - /// Size of each signature. - /// - UINT32 SignatureSize; - /// - /// Header before the array of signatures. The format of this header is specified - /// by the SignatureType. - /// UINT8 SignatureHeader[SignatureHeaderSize]; - /// - /// An array of signatures. Each signature is SignatureSize bytes in length. - /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; - /// -} __attribute__ ((packed)) EFI_SIGNATURE_LIST;