Fix a bunch of trivial trailing whitespace issues.

Signed-off-by: Peter Jones <pjones@redhat.com>
Peter Jones 2021-02-14 11:21:27 -05:00 committed by Javier Martinez Canillas
parent d230d02f99
commit a6c726fc81
10 changed files with 66 additions and 68 deletions

@ -2,13 +2,13 @@ Variables used by Shim and Mokmanager
Request variables:
MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV
MokSB: Set by MokUtil when requesting a change in state of signature
MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:
typedef struct {
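
Review bot: The MokPW entry ends with "copy MokPW into MokPWState", but the state variable documented further down in this file is MokPWStore; one of the two names is wrong and the text should use the same name in both places. The entries also never expand the "BS,RT,NV" suffix, so a one-line legend for the attribute abbreviations at the top of the file would help.
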
@ -17,15 +17,15 @@ typedef struct {
CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;
If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV
MokDB: Set by MokUtil when requesting a change in state of validation
MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:
typedef struct {
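
Review bot: MokSBvar carries the password itself as `CHAR16 Password[PASSWORD_MAX]`, and the entry is marked BS,RT,NV, so, reading the suffix as the usual UEFI attribute abbreviations, the cleartext password sits in a non-volatile, runtime-accessible variable until MokManager acts on it. The text should say when the variable is deleted, and should state that PWLen must not exceed PASSWORD_MAX, since nothing in the description bounds it.
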
@ -34,28 +34,28 @@ typedef struct {
CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokDBvar;
If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokDBState. BS,RT,NV
MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV
MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
State variables:
MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListRT: A copy of MokList made available to the kernel at runtime. RT
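
Review bot: The MokDB paragraph closes with "they will then be prompted to change the signature validation according to MokDBState", which reads as copied from the MokSB entry. The same paragraph says MokDBState governs "usage of db for validation", so the closing sentence should say that instead of "signature validation".
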
@ -65,15 +65,15 @@ as described in the UEFI specification. BS,NV
MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV
MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV
MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
or not to import DB certs for its own verification purposes.
MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.
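
Review bot: MokIgnoreDB and MokPWStore are the only entries shown without an attribute suffix; the other variables end in BS,NV, RT or BS,RT,NV. Add the attributes so a reader can tell whether these two are visible at runtime, which matters most for MokPWStore because it holds a password hash.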

@ -24,7 +24,7 @@ PCR8:
- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
line and all grub commands (including all of grub.cfg that gets run) are
measured into PCR8.
PCR9:
- If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
initramfs, and any multiboot modules loaded are measured into PCR9.
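
Review bot: The PCR8 context line still reads "we cary in Fedora" while the PCR9 line spells it "carry". Since this commit is already touching the file for cosmetic fixes, correct the typo in the same pass.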

@ -8,8 +8,8 @@ SECTIONS
ImageBase = .;
.hash : { *(.hash) } /* this MUST come first! */
. = ALIGN(4096);
.eh_frame :
{
.eh_frame :
{
*(.eh_frame)
}
. = ALIGN(4096);

@ -7,7 +7,7 @@
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;
#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007
#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
@ -26,24 +26,24 @@ typedef struct {
///
UINT32 InfoSize;
///
/// If this image was a UEFI device driver (for option ROM, for example) this is the
/// null-terminated, user-friendly name for the device. If the image was for an application,
/// then this is the name of the application. If this cannot be determined, then a simple
/// If this image was a UEFI device driver (for option ROM, for example) this is the
/// null-terminated, user-friendly name for the device. If the image was for an application,
/// then this is the name of the application. If this cannot be determined, then a simple
/// NULL character should be put in this position.
/// CHAR16 Name[];
///
///
/// For device drivers, this is the device path of the device for which this device driver
/// was intended. In some cases, the driver itself may be stored as part of the system
/// firmware, but this field should record the device's path, not the firmware path. For
/// applications, this is the device path of the application. If this cannot be determined,
/// For device drivers, this is the device path of the device for which this device driver
/// was intended. In some cases, the driver itself may be stored as part of the system
/// firmware, but this field should record the device's path, not the firmware path. For
/// applications, this is the device path of the application. If this cannot be determined,
/// a simple end-of-path device node should be put in this position.
/// EFI_DEVICE_PATH_PROTOCOL DevicePath;
///
///
/// Zero or more image signatures. If the image contained no signatures,
/// Zero or more image signatures. If the image contained no signatures,
/// then this field is empty.
///
///EFI_SIGNATURE_LIST Signature;
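
Review bot: The commented-out members are formatted inconsistently: `/// CHAR16 Name[];` and `/// EFI_DEVICE_PATH_PROTOCOL DevicePath;` have a space after the slashes, `///EFI_SIGNATURE_LIST Signature;` does not. Because Name, DevicePath and Signature exist only as comments, the struct comment should also say how they are laid out after the fixed header, so a reader does not assume sizeof() covers them.
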
@ -54,14 +54,13 @@ typedef struct {
///
/// Number of EFI_IMAGE_EXECUTION_INFO structures.
///
UINTN NumberOfImages;
UINTN NumberOfImages;
///
/// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.
///
EFI_IMAGE_EXECUTION_INFO InformationInfo[];
} EFI_IMAGE_EXECUTION_INFO_TABLE;
void *
configtable_get_table(EFI_GUID *guid);
EFI_IMAGE_EXECUTION_INFO_TABLE *
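
Review bot: The comment above `InformationInfo[]` ("Number of image instances of EFI_IMAGE_EXECUTION_INFO structures") repeats the NumberOfImages comment and does not describe the member. Each entry carries its own InfoSize and variable-length trailing data, so the comment should say that entries have to be walked by InfoSize and cannot be indexed as a plain array.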

@ -26,7 +26,7 @@ CreatePkX509SignatureList (
IN UINT8 *X509Data,
IN UINTN X509DataSize,
IN EFI_GUID owner,
OUT EFI_SIGNATURE_LIST **PkCert
OUT EFI_SIGNATURE_LIST **PkCert
);
EFI_STATUS
CreateTimeBasedPayload (
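
Review bot: `owner` is the only lower-case parameter in this prototype, while the other arguments follow the `X509Data` / `PkCert` style; match the capitalization. The prototype also has no comment stating who frees `*PkCert`, which is worth adding for an OUT pointer-to-pointer.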

@ -8,28 +8,27 @@
///
typedef struct {
///
/// The length of the entire certificate,
/// including the length of the header, in bytes.
/// The length of the entire certificate,
/// including the length of the header, in bytes.
///
UINT32 dwLength;
///
/// The revision level of the WIN_CERTIFICATE
/// structure. The current revision level is 0x0200.
/// The revision level of the WIN_CERTIFICATE
/// structure. The current revision level is 0x0200.
///
UINT16 wRevision;
///
/// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
/// certificate types. The UEFI specification reserves the range of
/// certificate type values from 0x0EF0 to 0x0EFF.
/// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
/// certificate types. The UEFI specification reserves the range of
/// certificate type values from 0x0EF0 to 0x0EFF.
///
UINT16 wCertificateType;
///
/// The following is the actual certificate. The format of
/// The following is the actual certificate. The format of
/// the certificate depends on wCertificateType.
///
/// UINT8 bCertificate[ANYSIZE_ARRAY];
///
} WIN_CERTIFICATE;
#endif /* SHIM_WINCERT_H */
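
Review bot: With `bCertificate` commented out, sizeof(WIN_CERTIFICATE) is only the fixed header, yet the dwLength comment says the value includes the header. State in that comment that a dwLength smaller than the header size is invalid, so callers know to reject it before using the value to size the certificate body.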

@ -49,22 +49,22 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
/* print what we have for debugging */
UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
#endif
CHAR16 *name = (CHAR16 *)(e->Data);
int skip = 0;
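
Review bot: The debug block dumps 96 bytes starting at `e` through six copy-pasted console_print calls without consulting e->InfoSize, so an entry shorter than that is read past its end whenever this block is compiled in. Replace the six calls with a loop bounded by InfoSize; that also removes the over-long lines this hunk is re-indenting.
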
@ -93,12 +93,12 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
console_print(L"Device Path Size %d\n", Size);
#endif
if (Size > e->InfoSize) {
/* parse error; the platform obviously has a
/* parse error; the platform obviously has a
* corrupted image table; bail */
console_print(L"Image Execution Information table corrupt\n");
break;
}
if (CompareMem(dp, (void *)DevicePath, Size) == 0) {
#ifdef DEBUG_CONFIG
console_print(L"***FOUND\n");
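
Review bot: `if (Size > e->InfoSize)` compares the device path size against the whole entry, but if dp starts after the name at e->Data, as the `name` and `skip` declarations above suggest, a Size that passes this check can still extend past the end of the entry. Compare against the bytes remaining after dp instead. The visible lines also show nothing that checks the length of the caller's DevicePath before `CompareMem(dp, (void *)DevicePath, Size)` reads Size bytes from it.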

@ -49,7 +49,7 @@ generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, EFI_DEVICE_PATH **path, CHAR16
if (name[0] != '\\')
StrCat(*PathName, L"\\");
StrCat(*PathName, name);
*path = FileDevicePath(li->DeviceHandle, *PathName);
error:
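
Review bot: Both StrCat calls append into *PathName with no length check in the visible lines; confirm that the allocation above accounts for StrLen(name) plus the added backslash and the terminator. The result of FileDevicePath() is stored in *path immediately before the `error:` label, so the function's contract should say whether callers must handle a NULL *path.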

@ -54,7 +54,7 @@ extern EFI_STATUS thunk_security_policy_authentication(
const EFI_SECURITY_PROTOCOL *This,
UINT32 AuthenticationStatus,
const EFI_DEVICE_PATH_PROTOCOL *DevicePath
)
)
__attribute__((unused));
extern EFI_STATUS thunk_security2_policy_authentication(
@ -63,7 +63,7 @@ extern EFI_STATUS thunk_security2_policy_authentication(
VOID *FileBuffer,
UINTN FileSize,
BOOLEAN BootPolicy
)
)
__attribute__((unused));
static __attribute__((used)) EFI_STATUS
@ -106,7 +106,7 @@ security_policy_authentication (
)
{
EFI_STATUS efi_status, fail_status;
EFI_DEVICE_PATH *DevPath
EFI_DEVICE_PATH *DevPath
= DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst),
*OrigDevPath = DevPath;
EFI_HANDLE h;
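
Review bot: DevPath is initialized from DuplicateDevicePath() inside the declaration, which hides an allocation that can fail, and the visible lines show no NULL check before OrigDevPath takes a copy of the pointer. Move the call out of the declaration and return an error when it yields NULL.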

@ -27,7 +27,7 @@ How to test a new shim build for RHEL/fedora:
-c "Red Hat Test Certificate"
9) copy grub.cfg to our test directory:
cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
rm -rf /boot/efi/EFI/BOOT/
mkdir /boot/efi/EFI/BOOT/
mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
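
Review bot: Step 10 is titled "*move* \EFI\redhat\BOOT.CSV to \EFI\test", but its first command is `rm -rf /boot/efi/EFI/BOOT/`, which deletes the \EFI\BOOT directory and is not mentioned in the step text. Split the removal into its own numbered step, or say in the title why the directory is recreated empty.
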
@ -73,7 +73,7 @@ How to test a new shim build for RHEL/fedora:
removed Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c
removed BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c
[root@uefi efivars]#
[root@uefi efivars]#
25) reboot
26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just
have an old machine. In that case, go to the EFI shell and run: