proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-22 15:13:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Allow shim to handle multiple trusted certificates

Browse Source 
Allow shim to perform verification against a list of trusted
certificates by simply concatenating the DER files.

Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
This commit is contained in:
Michael Brown 2018-03-13 23:50:01 +00:00 committed by Peter Jones
parent d7daa70e0d
commit 8721bbe6fb
1 changed files with 33 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
shim.c
View File

@ -962,6 +962,35 @@ done:
return efi_status; return efi_status;
} }
/*
* Check that a trusted certificate signed the binary
*/
static BOOLEAN verify_trusted_cert(const WIN_CERTIFICATE_EFI_PKCS *cert,
const UINT8 *sha256hash,
const UINT8 *trusted_cert,
size_t trusted_cert_len)
{
const UINT8 *tmp;
ASN1_TYPE *asn1;
while (trusted_cert_len) {
if (AuthenticodeVerify(cert->CertData,
cert->Hdr.dwLength - sizeof(cert->Hdr),
trusted_cert, trusted_cert_len,
sha256hash, SHA256_DIGEST_SIZE))
return TRUE;
tmp = trusted_cert;
asn1 = d2i_ASN1_TYPE(NULL, &tmp, trusted_cert_len);
if (!asn1)
break;
ASN1_TYPE_free(asn1);
trusted_cert_len -= (tmp - trusted_cert);
trusted_cert = tmp;
}
return FALSE;
}
/* /*
* Check that the signature is valid and matches the binary * Check that the signature is valid and matches the binary
*/ */
@ -1044,10 +1073,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
* Check against the shim build key * Check against the shim build key
*/ */
if (sizeof(shim_cert) && if (sizeof(shim_cert) &&
AuthenticodeVerify(cert->CertData, verify_trusted_cert(cert, sha256hash,
cert->Hdr.dwLength - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert))) {
shim_cert, sizeof(shim_cert), sha256hash,
SHA256_DIGEST_SIZE)) {
update_verification_method(VERIFIED_BY_CERT); update_verification_method(VERIFIED_BY_CERT);
tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
sizeof(shim_cert), shim_cert); sizeof(shim_cert), shim_cert);
@ -1063,10 +1090,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
* And finally, check against shim's built-in key * And finally, check against shim's built-in key
*/ */
if (vendor_cert_size && if (vendor_cert_size &&
AuthenticodeVerify(cert->CertData, verify_trusted_cert(cert, sha256hash,
cert->Hdr.dwLength - sizeof(cert->Hdr), vendor_cert, vendor_cert_size)) {
vendor_cert, vendor_cert_size,
sha256hash, SHA256_DIGEST_SIZE)) {
update_verification_method(VERIFIED_BY_CERT); update_verification_method(VERIFIED_BY_CERT);
tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
vendor_cert_size, vendor_cert); vendor_cert_size, vendor_cert);