Merge signature.h into efiauthenticated.h and guid.h

Conflicts:
	shim.c

Makefile

@@ -38,7 +38,7 @@ VERSION		= 0.4
 TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
 OBJS	= shim.o netboot.o cert.o dbx.o
 KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
-SOURCES	= shim.c shim.h netboot.c signature.h include/PeImage.h include/wincert.h
+SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h
 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
 MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
 FALLBACK_OBJS = fallback.o
@@ -71,7 +71,7 @@ cert.o : cert.S
 dbx.o : dbx.S
 	$(CC) $(CFLAGS) -c -o $@ $<
 
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
 
 fallback.o: $(FALLBACK_SRCS)

MokManager.c

@@ -4,12 +4,13 @@
 #include <openssl/x509.h>
 #include "console_control.h"
 #include "shim.h"
-#include "signature.h"
 #include "PeImage.h"
 #include "PasswordCrypt.h"
 
-#include "include/console.h"
+#include "guid.h"
-#include "include/simple_file.h"
+#include "console.h"
+#include "simple_file.h"
+#include "efiauthenticated.h"
 
 #define PASSWORD_MAX 256
 #define PASSWORD_MIN 1
@@ -115,8 +116,8 @@ done:
 static UINT32 count_keys(void *Data, UINTN DataSize)
 {
 	EFI_SIGNATURE_LIST *CertList = Data;
-	EFI_GUID CertType = EfiCertX509Guid;
+	EFI_GUID CertType = X509_GUID;
-	EFI_GUID HashType = EfiHashSha256Guid;
+	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINTN dbsize = DataSize;
 	UINT32 MokNum = 0;
 
@@ -152,8 +153,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
 	MokListNode *list;
 	EFI_SIGNATURE_LIST *CertList = Data;
 	EFI_SIGNATURE_DATA *Cert;
-	EFI_GUID CertType = EfiCertX509Guid;
+	EFI_GUID CertType = X509_GUID;
-	EFI_GUID HashType = EfiHashSha256Guid;
+	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINTN dbsize = DataSize;
 	UINTN count = 0;
 
@@ -1271,7 +1272,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash)
 			goto out;
 
 		CertList = mokbuffer;
-		CertList->SignatureType = EfiHashSha256Guid;
+		CertList->SignatureType = EFI_CERT_SHA256_GUID;
 		CertList->SignatureSize = 16 + SHA256_DIGEST_SIZE;
 		CertData = (EFI_SIGNATURE_DATA *)(((UINT8 *)mokbuffer) +
 						  sizeof(EFI_SIGNATURE_LIST));
@@ -1285,7 +1286,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash)
 			goto out;
 
 		CertList = mokbuffer;
-		CertList->SignatureType = EfiCertX509Guid;
+		CertList->SignatureType = X509_GUID;
 		CertList->SignatureSize = 16 + datasize;
 
 		memcpy(mokbuffer + sizeof(EFI_SIGNATURE_LIST) + 16, data,

include/guid.h

@@ -12,6 +12,7 @@ extern EFI_GUID RSA2048_GUID;
 extern EFI_GUID PKCS7_GUID;
 extern EFI_GUID IMAGE_PROTOCOL;
 extern EFI_GUID SIMPLE_FS_PROTOCOL;
+extern EFI_GUID EFI_CERT_SHA1_GUID;
 extern EFI_GUID EFI_CERT_SHA256_GUID;
 extern EFI_GUID MOK_OWNER;
 extern EFI_GUID SECURITY_PROTOCOL_GUID;

lib/guid.c

@@ -41,6 +41,7 @@ EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0
 EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} };
 EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL;
 EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL;
+EFI_GUID EFI_CERT_SHA1_GUID = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }};
 EFI_GUID EFI_CERT_SHA256_GUID  = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } };
 EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
 EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } };

shim.c

@@ -38,11 +38,13 @@
 #include <Library/BaseCryptLib.h>
 #include "PeImage.h"
 #include "shim.h"
-#include "signature.h"
 #include "netboot.h"
 #include "shim_cert.h"
 #include "ucs2.h"
 
+#include "guid.h"
+#include "efiauthenticated.h"
+
 #define FALLBACK L"\\fallback.efi"
 #define MOK_MANAGER L"\\MokManager.efi"
 
@@ -228,7 +230,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
 	EFI_SIGNATURE_DATA *Cert;
 	UINTN CertCount, Index;
 	BOOLEAN IsFound = FALSE;
-	EFI_GUID CertType = EfiCertX509Guid;
+	EFI_GUID CertType = X509_GUID;
 
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 		if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
@@ -364,11 +366,11 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
 
 	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
-				 SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
+				 SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) ==
 				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
-				 SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
+				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
 				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 	if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
@@ -376,10 +378,10 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		return EFI_ACCESS_DENIED;
 
 	if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
-			  EfiHashSha256Guid) == DATA_FOUND)
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 	if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
-			  EfiHashSha1Guid) == DATA_FOUND)
+			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 	if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
@@ -397,13 +399,13 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	EFI_GUID shim_var = SHIM_LOCK_GUID;
 
 	if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE,
-			  EfiHashSha256Guid) == DATA_FOUND)
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND)
 		return EFI_SUCCESS;
 	if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE,
-			  EfiHashSha1Guid) == DATA_FOUND)
+			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
 		return EFI_SUCCESS;
 	if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE,
-			  EfiHashSha256Guid) == DATA_FOUND)
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND)
 		return EFI_SUCCESS;
 	if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND)
 		return EFI_SUCCESS;

signature.h

@@ -1,43 +0,0 @@
-#define SHA256_DIGEST_SIZE  32
-
-EFI_GUID EfiHashSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }};
-EFI_GUID EfiHashSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }};
-EFI_GUID EfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }};
-
-typedef struct {
-	///
-	/// An identifier which identifies the agent which added the signature to the list.
-	///
-	EFI_GUID          SignatureOwner;
-	///
-	/// The format of the signature is defined by the SignatureType.
-	///
-	UINT8             SignatureData[1];
-} __attribute__ ((packed)) EFI_SIGNATURE_DATA;
-
-typedef struct {
-	///
-	/// Type of the signature. GUID signature types are defined in below.
-	///
-	EFI_GUID            SignatureType;
-	///
-	/// Total size of the signature list, including this header.
-	///
-	UINT32              SignatureListSize;
-	///
-	/// Size of the signature header which precedes the array of signatures.
-	///
-	UINT32              SignatureHeaderSize;
-	///
-	/// Size of each signature.
-	///
-	UINT32              SignatureSize; 
-	///
-	/// Header before the array of signatures. The format of this header is specified 
-	/// by the SignatureType.
-	/// UINT8           SignatureHeader[SignatureHeaderSize];
-	///
-	/// An array of signatures. Each signature is SignatureSize bytes in length. 
-	/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
-	///
-} __attribute__ ((packed)) EFI_SIGNATURE_LIST;