proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-05 11:26:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Skip signature checking if insecure

Browse Source 
If we're configured to run untrusted code, print a message and skip the
validation checks.
This commit is contained in:
Matthew Garrett 2012-10-17 18:36:07 -04:00
parent c1faa462e0
commit 7127b1abc9
1 changed files with 42 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
shim.c
View File

@ -54,6 +54,8 @@ extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
static UINT8 insecure_mode;
typedef enum { typedef enum {
DATA_FOUND, DATA_FOUND,
DATA_NOT_FOUND, DATA_NOT_FOUND,
@ -360,6 +362,9 @@ static BOOLEAN secure_mode (void)
UINT8 sb, setupmode; UINT8 sb, setupmode;
UINT32 attributes; UINT32 attributes;
if (insecure_mode)
return FALSE;
status = get_variable(L"SecureBoot", global_var, &attributes, &charsize, status = get_variable(L"SecureBoot", global_var, &attributes, &charsize,
(void *)&sb); (void *)&sb);
@ -1038,9 +1043,6 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
UINT32 MokNew; UINT32 MokNew;
UINT32 attributes; UINT32 attributes;
if (!secure_mode())
return EFI_SUCCESS;
moknew_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokNew", moknew_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokNew",
&shim_lock_guid, &attributes, &shim_lock_guid, &attributes,
&size, (void *)&MokNew); &size, (void *)&MokNew);
@ -1064,6 +1066,36 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
return EFI_SUCCESS; return EFI_SUCCESS;
} }
static EFI_STATUS check_mok_sb (void)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS status = EFI_SUCCESS;
void *MokSBState = NULL;
UINTN MokSBStateSize = 0;
UINT32 attributes;
status = get_variable(L"MokSBState", shim_lock_guid, &attributes,
&MokSBStateSize, &MokSBState);
if (status != EFI_SUCCESS)
return EFI_ACCESS_DENIED;
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
Print(L"MokSBState is compromised! Clearing it\n");
if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) {
Print(L"Failed to erase MokSBState\n");
}
status = EFI_ACCESS_DENIED;
} else {
if (*(UINT8 *)MokSBState == 1) {
insecure_mode = 1;
}
}
return status;
}
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{ {
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@ -1079,6 +1111,13 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
InitializeLib(image_handle, systab); InitializeLib(image_handle, systab);
check_mok_sb();
if (insecure_mode) {
Print(L"Booting in insecure mode\n");
uefi_call_wrapper(BS->Stall, 1, 2000000);
}
efi_status = check_mok_request(image_handle); efi_status = check_mok_request(image_handle);
efi_status = mirror_mok_list(); efi_status = mirror_mok_list();