diff --git a/MokManager.c b/MokManager.c index 603c2ee..a83162d 100644 --- a/MokManager.c +++ b/MokManager.c @@ -19,11 +19,6 @@ #define SHIM_VENDOR L"Shim" #endif -EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; -EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; -EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; -EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} }; - #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" @@ -93,18 +88,13 @@ done: static BOOLEAN is_sha2_hash (EFI_GUID Type) { - EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; - EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; - EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; - - if (CompareGuid(&Type, &Sha224) == 0) + if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0) return TRUE; - else if (CompareGuid(&Type, &Sha256) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0) return TRUE; - else if (CompareGuid(&Type, &Sha384) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0) return TRUE; - else if (CompareGuid(&Type, &Sha512) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0) return TRUE; return FALSE; @@ -112,21 +102,15 @@ static BOOLEAN is_sha2_hash (EFI_GUID Type) static UINT32 sha_size (EFI_GUID Type) { - EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; - EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; - EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; - EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; - - if (CompareGuid(&Type, &Sha1) == 0) + if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0) return SHA1_DIGEST_SIZE; - else if (CompareGuid(&Type, &Sha224) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0) return SHA224_DIGEST_LENGTH; - else if (CompareGuid(&Type, &Sha256) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0) return SHA256_DIGEST_SIZE; - else if (CompareGuid(&Type, &Sha384) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0) return SHA384_DIGEST_LENGTH; - else if (CompareGuid(&Type, &Sha512) == 0) + else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0) return SHA512_DIGEST_LENGTH; return 0; @@ -134,10 +118,9 @@ static UINT32 sha_size (EFI_GUID Type) static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize) { - EFI_GUID CertType = X509_GUID; UINT32 hash_sig_size; - if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0) + if (CompareGuid (&Type, &X509_GUID) == 0 && SigSize != 0) return TRUE; if (!is_sha2_hash (Type)) @@ -191,7 +174,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { MokListNode *list; EFI_SIGNATURE_LIST *CertList = Data; EFI_SIGNATURE_DATA *Cert; - EFI_GUID CertType = X509_GUID; UINTN dbsize = DataSize; UINTN count = 0; void *end = Data + DataSize; @@ -223,7 +205,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { } list[count].Type = CertList->SignatureType; - if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { + if (CompareGuid (&CertList->SignatureType, &X509_GUID) == 0) { list[count].MokSize = CertList->SignatureSize - sizeof(EFI_GUID); list[count].Mok = (void *)Cert->SignatureData; @@ -472,30 +454,25 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) static void show_sha_digest (EFI_GUID Type, UINT8 *hash) { - EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; - EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; - EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; - EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; CHAR16 *text[5]; POOL_PRINT hash_string1; POOL_PRINT hash_string2; int i; int length; - if (CompareGuid(&Type, &Sha1) == 0) { + if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0) { length = SHA1_DIGEST_SIZE; text[0] = L"SHA1 hash"; - } else if (CompareGuid(&Type, &Sha224) == 0) { + } else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0) { length = SHA224_DIGEST_LENGTH; text[0] = L"SHA224 hash"; - } else if (CompareGuid(&Type, &Sha256) == 0) { + } else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0) { length = SHA256_DIGEST_SIZE; text[0] = L"SHA256 hash"; - } else if (CompareGuid(&Type, &Sha384) == 0) { + } else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0) { length = SHA384_DIGEST_LENGTH; text[0] = L"SHA384 hash"; - } else if (CompareGuid(&Type, &Sha512) == 0) { + } else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0) { length = SHA512_DIGEST_LENGTH; text[0] = L"SHA512 hash"; } else { @@ -578,12 +555,11 @@ static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize) static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize) { EFI_STATUS efi_status; - EFI_GUID CertType = X509_GUID; if (!Mok || MokSize == 0) return; - if (CompareGuid (&Type, &CertType) == 0) { + if (CompareGuid (&Type, &X509_GUID) == 0) { UINT8 hash[SHA1_DIGEST_SIZE]; X509 *X509Cert; efi_status = get_sha1sum(Mok, MokSize, hash); @@ -893,7 +869,6 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status; UINT32 attributes; void *old_data = NULL; @@ -902,7 +877,7 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) UINTN new_size; status = uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_APPEND_WRITE, @@ -912,7 +887,7 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) } status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size, - shim_lock_guid, &attributes); + SHIM_LOCK_GUID, &attributes); if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { return status; } @@ -935,7 +910,7 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) CopyMem(new_data + old_size, MokNew, MokNewSize); status = uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, new_size, new_data); @@ -955,7 +930,6 @@ out: static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; CHAR16 *db_name; CHAR16 *auth_name; @@ -973,7 +947,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, if (authenticate) { efi_status = uefi_call_wrapper(RT->GetVariable, 5, auth_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || @@ -1000,7 +974,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, if (!MokNewSize) { /* Delete MOK */ efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1020,7 +994,6 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, static EFI_STATUS mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; CHAR16 *title; @@ -1045,11 +1018,11 @@ static EFI_STATUS mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int aut if (auth) { if (MokX) { - LibDeleteVariable(L"MokXNew", &shim_lock_guid); - LibDeleteVariable(L"MokXAuth", &shim_lock_guid); + LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); } else { - LibDeleteVariable(L"MokNew", &shim_lock_guid); - LibDeleteVariable(L"MokAuth", &shim_lock_guid); + LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); } } @@ -1061,7 +1034,6 @@ static EFI_STATUS mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int aut static EFI_STATUS mok_reset_prompt (BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; CHAR16 *prompt; @@ -1082,11 +1054,11 @@ static EFI_STATUS mok_reset_prompt (BOOLEAN MokX) } if (MokX) { - LibDeleteVariable(L"MokXNew", &shim_lock_guid); - LibDeleteVariable(L"MokXAuth", &shim_lock_guid); + LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); } else { - LibDeleteVariable(L"MokNew", &shim_lock_guid); - LibDeleteVariable(L"MokAuth", &shim_lock_guid); + LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); } return EFI_SUCCESS; @@ -1095,8 +1067,6 @@ static EFI_STATUS mok_reset_prompt (BOOLEAN MokX) static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - EFI_GUID CertType = X509_GUID; EFI_STATUS efi_status; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *CertData; @@ -1115,7 +1085,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, continue; DataSize += sizeof(EFI_SIGNATURE_LIST); - if (CompareGuid(&(list[i].Type), &CertType) == 0) + if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) DataSize += sizeof(EFI_GUID); DataSize += list[i].MokSize; } @@ -1137,13 +1107,13 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, CertList->SignatureType = list[i].Type; CertList->SignatureHeaderSize = 0; - if (CompareGuid(&(list[i].Type), &CertType) == 0) { + if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) { CertList->SignatureListSize = list[i].MokSize + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); CertList->SignatureSize = list[i].MokSize + sizeof(EFI_GUID); - CertData->SignatureOwner = shim_lock_guid; + CertData->SignatureOwner = SHIM_LOCK_GUID; CopyMem(CertData->SignatureData, list[i].Mok, list[i].MokSize); } else { CertList->SignatureListSize = list[i].MokSize + @@ -1156,7 +1126,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, } efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, DataSize, Data); @@ -1174,11 +1144,10 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, static void delete_cert (void *key, UINT32 key_size, MokListNode *mok, INTN mok_num) { - EFI_GUID CertType = X509_GUID; int i; for (i = 0; i < mok_num; i++) { - if (CompareGuid(&(mok[i].Type), &CertType) != 0) + if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) continue; if (mok[i].MokSize == key_size && @@ -1285,8 +1254,6 @@ static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - EFI_GUID CertType = X509_GUID; EFI_STATUS efi_status; CHAR16 *db_name; CHAR16 *auth_name; @@ -1310,7 +1277,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) } efi_status = uefi_call_wrapper(RT->GetVariable, 5, auth_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || @@ -1332,7 +1299,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) return EFI_ACCESS_DENIED; efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize, - shim_lock_guid, &attributes); + SHIM_LOCK_GUID, &attributes); if (efi_status != EFI_SUCCESS) { if (MokX) console_errorbox(L"Failed to retrieve MokListX"); @@ -1349,7 +1316,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) } console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1372,7 +1339,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) } console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1400,7 +1367,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) /* Search and destroy */ for (i = 0; i < del_num; i++) { - if (CompareGuid(&(del_key[i].Type), &CertType) == 0) { + if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { delete_cert(del_key[i].Mok, del_key[i].MokSize, mok, mok_num); } else if (is_sha2_hash(del_key[i].Type)) { @@ -1424,7 +1391,6 @@ error: static EFI_STATUS mok_deletion_prompt (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; CHAR16 *title; @@ -1448,11 +1414,11 @@ static EFI_STATUS mok_deletion_prompt (void *MokDel, UINTN MokDelSize, BOOLEAN M } if (MokX) { - LibDeleteVariable(L"MokXDel", &shim_lock_guid); - LibDeleteVariable(L"MokXDelAuth", &shim_lock_guid); + LibDeleteVariable(L"MokXDel", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXDelAuth", &SHIM_LOCK_GUID); } else { - LibDeleteVariable(L"MokDel", &shim_lock_guid); - LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); + LibDeleteVariable(L"MokDel", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); } if (MokDel) @@ -1489,7 +1455,6 @@ static CHAR16 get_password_charater (CHAR16 *prompt) } static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; SIMPLE_TEXT_OUTPUT_MODE SavedMode; MokSBvar *var = MokSB; @@ -1574,14 +1539,14 @@ static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) { ret = console_yes_no((CHAR16 *[]){L"Enable Secure Boot", NULL}); if (ret == 0) { - LibDeleteVariable(L"MokSB", &shim_lock_guid); + LibDeleteVariable(L"MokSB", &SHIM_LOCK_GUID); return EFI_ABORTED; } if (var->MokSBState == 0) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBState", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 1, &sbval); @@ -1592,7 +1557,7 @@ static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) { } else { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBState", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1609,7 +1574,6 @@ static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) { } static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; SIMPLE_TEXT_OUTPUT_MODE SavedMode; MokDBvar *var = MokDB; @@ -1694,14 +1658,14 @@ static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) { ret = console_yes_no((CHAR16 *[]){L"Use DB certs/hashes", NULL}); if (ret == 0) { - LibDeleteVariable(L"MokDB", &shim_lock_guid); + LibDeleteVariable(L"MokDB", &SHIM_LOCK_GUID); return EFI_ABORTED; } if (var->MokDBState == 0) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokDBState", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 1, &dbval); @@ -1712,7 +1676,7 @@ static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) { } else { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokDBState", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1729,7 +1693,6 @@ static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) { } static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINT8 hash[PASSWORD_CRYPT_SIZE]; UINT8 clear = 0; @@ -1756,7 +1719,7 @@ static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return EFI_ABORTED; uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); @@ -1781,7 +1744,7 @@ static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, MokPWSize, MokPW); @@ -1791,7 +1754,7 @@ static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) { } mokpw_done: - LibDeleteVariable(L"MokPW", &shim_lock_guid); + LibDeleteVariable(L"MokPW", &SHIM_LOCK_GUID); if (MokPW) FreePool(MokPW); @@ -1837,7 +1800,6 @@ static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) { EFI_STATUS status = EFI_SUCCESS; - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *CertData; UINTN mokbuffersize; @@ -1847,11 +1809,10 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) UINT8 sha256[SHA256_DIGEST_SIZE]; UINT8 sha1[SHA1_DIGEST_SIZE]; SHIM_LOCK *shim_lock; - EFI_GUID shim_guid = SHIM_LOCK_GUID; PE_COFF_LOADER_IMAGE_CONTEXT context; - - status = LibLocateProtocol(&shim_guid, (VOID **)&shim_lock); + status = LibLocateProtocol(&SHIM_LOCK_GUID, + (VOID **) &shim_lock); if (status != EFI_SUCCESS) goto out; @@ -1901,7 +1862,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) CertList->SignatureListSize = mokbuffersize; CertList->SignatureHeaderSize = 0; - CertData->SignatureOwner = shim_lock_guid; + CertData->SignatureOwner = SHIM_LOCK_GUID; if (!hash) { if (!verify_certificate(CertData->SignatureData, datasize)) @@ -2043,7 +2004,6 @@ static EFI_STATUS mok_key_enroll(void) static BOOLEAN verify_pw(BOOLEAN *protected) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; SIMPLE_TEXT_OUTPUT_MODE SavedMode; UINT8 pwhash[PASSWORD_CRYPT_SIZE]; @@ -2054,7 +2014,7 @@ static BOOLEAN verify_pw(BOOLEAN *protected) *protected = FALSE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", - &shim_lock_guid, &attributes, &size, + &SHIM_LOCK_GUID, &attributes, &size, pwhash); /* @@ -2182,7 +2142,6 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, int choice = 0; int mok_changed = 0; EFI_STATUS efi_status; - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINT8 auth[PASSWORD_CRYPT_SIZE]; UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; @@ -2203,7 +2162,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINT32 MokXDelAuth = 0; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && @@ -2211,7 +2170,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && @@ -2219,7 +2178,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, MokDelAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokXAuth", - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && @@ -2227,7 +2186,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, MokXAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokXDelAuth", - &shim_lock_guid, + &SHIM_LOCK_GUID, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && @@ -2414,7 +2373,6 @@ out: static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; void *MokNew = NULL; @@ -2427,9 +2385,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokNew", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokNew"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2437,9 +2395,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokDel", (UINT8 **)&MokDel, &MokDelSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokDel", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokDel", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokDel"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2447,9 +2405,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokSB", (UINT8 **)&MokSB, &MokSBSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokSB", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokSB", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokSB"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2457,9 +2415,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokPW", (UINT8 **)&MokPW, &MokPWSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokPW", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokPW", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokPW"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2467,9 +2425,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokDB", (UINT8 **)&MokDB, &MokDBSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokDB", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokDB", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokDB"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2477,9 +2435,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokXNew", (UINT8 **)&MokXNew, &MokXNewSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokXNew", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokXNew"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2487,9 +2445,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) } status = get_variable(L"MokXDel", (UINT8 **)&MokXDel, &MokXDelSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (status == EFI_SUCCESS) { - if (LibDeleteVariable(L"MokXDel", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokXDel", &SHIM_LOCK_GUID) != EFI_SUCCESS) { console_notify(L"Failed to delete MokXDel"); } } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { @@ -2521,10 +2479,10 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) FreePool (MokXDel); - LibDeleteVariable(L"MokAuth", &shim_lock_guid); - LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); - LibDeleteVariable(L"MokXAuth", &shim_lock_guid); - LibDeleteVariable(L"MokXDelAuth", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXDelAuth", &SHIM_LOCK_GUID); return EFI_SUCCESS; } diff --git a/fallback.c b/fallback.c index 46894af..a58c7d1 100644 --- a/fallback.c +++ b/fallback.c @@ -10,18 +10,13 @@ #include #include -#include "ucs2.h" -#include "variables.h" -#include "tpm.h" +#include "shim.h" EFI_LOADED_IMAGE *this_image = NULL; -EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; - int get_fallback_verbose(void) { - EFI_GUID guid = SHIM_LOCK_GUID; UINT8 *data = NULL; UINTN dataSize = 0; EFI_STATUS efi_status; @@ -32,7 +27,7 @@ get_fallback_verbose(void) return state; efi_status = get_variable(L"FALLBACK_VERBOSE", - &data, &dataSize, guid); + &data, &dataSize, SHIM_LOCK_GUID); if (EFI_ERROR(efi_status)) { state = 0; return state; @@ -103,18 +98,17 @@ get_file_size(EFI_FILE_HANDLE fh, UINTN *retsize) EFI_STATUS rc; void *buffer = NULL; UINTN bs = 0; - EFI_GUID finfo = EFI_FILE_INFO_ID; /* The API here is "Call it once with bs=0, it fills in bs, * then allocate a buffer and ask again to get it filled. */ - rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, &bs, NULL); + rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, NULL); if (rc == EFI_BUFFER_TOO_SMALL) { buffer = AllocateZeroPool(bs); if (!buffer) { Print(L"Could not allocate memory\n"); return EFI_OUT_OF_RESOURCES; } - rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, + rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, buffer); } /* This checks *either* the error from the first GetInfo, if it isn't @@ -210,7 +204,6 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, static int i = 0; CHAR16 varname[] = L"Boot0000"; CHAR16 hexmap[] = L"0123456789ABCDEF"; - EFI_GUID global = EFI_GLOBAL_VARIABLE; EFI_STATUS rc; for(; i <= 0xffff; i++) { @@ -219,7 +212,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, varname[6] = hexmap[(i & 0x00f0) >> 4]; varname[7] = hexmap[(i & 0x000f) >> 0]; - void *var = LibGetVariable(varname, &global); + void *var = LibGetVariable(varname, &GV_GUID); if (!var) { int size = sizeof(UINT32) + sizeof (UINT16) + StrLen(label)*2 + 2 + DevicePathSize(hddp) + @@ -248,9 +241,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, } rc = uefi_call_wrapper(RT->SetVariable, 5, varname, - &global, EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS, + &GV_GUID, EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, size, data); FreePool(data); @@ -412,7 +405,6 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, int i = 0; CHAR16 varname[] = L"Boot0000"; CHAR16 hexmap[] = L"0123456789ABCDEF"; - EFI_GUID global = EFI_GLOBAL_VARIABLE; EFI_STATUS rc; UINTN max_candidate_size = calc_masked_boot_option_size(size); @@ -429,7 +421,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; UINTN candidate_size = max_candidate_size; - rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, + rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &GV_GUID, NULL, &candidate_size, candidate); if (EFI_ERROR(rc)) continue; @@ -466,9 +458,8 @@ set_boot_order(void) { CHAR16 *oldbootorder; UINTN size; - EFI_GUID global = EFI_GLOBAL_VARIABLE; - oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); + oldbootorder = LibGetVariableAndSize(L"BootOrder", &GV_GUID, &size); if (oldbootorder) { nbootorder = size / sizeof (CHAR16); bootorder = oldbootorder; @@ -482,7 +473,6 @@ update_boot_order(void) { UINTN size; UINTN len = 0; - EFI_GUID global = EFI_GLOBAL_VARIABLE; CHAR16 *newbootorder = NULL; EFI_STATUS rc; @@ -497,12 +487,12 @@ update_boot_order(void) for (j = 0 ; j < size / sizeof (CHAR16); j++) VerbosePrintUnprefixed(L"%04x ", newbootorder[j]); Print(L"\n"); - rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, + rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &GV_GUID, NULL, &len, NULL); if (rc == EFI_BUFFER_TOO_SMALL) - LibDeleteVariable(L"BootOrder", &global); + LibDeleteVariable(L"BootOrder", &GV_GUID); - rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global, + rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &GV_GUID, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, @@ -688,18 +678,17 @@ find_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname) EFI_STATUS rc; void *buffer = NULL; UINTN bs = 0; - EFI_GUID finfo = EFI_FILE_INFO_ID; /* The API here is "Call it once with bs=0, it fills in bs, * then allocate a buffer and ask again to get it filled. */ - rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, &bs, NULL); + rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, NULL); if (rc == EFI_BUFFER_TOO_SMALL) { buffer = AllocateZeroPool(bs); if (!buffer) { Print(L"Could not allocate memory\n"); return EFI_OUT_OF_RESOURCES; } - rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &finfo, + rc = uefi_call_wrapper(fh->GetInfo, 4, fh, &EFI_FILE_INFO_GUID, &bs, buffer); } /* This checks *either* the error from the first GetInfo, if it isn't @@ -960,14 +949,14 @@ static void __attribute__((__optimize__("0"))) debug_hook(void) { - EFI_GUID guid = SHIM_LOCK_GUID; UINT8 *data = NULL; UINTN dataSize = 0; EFI_STATUS efi_status; volatile register int x = 0; extern char _etext, _edata; - efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, guid); + efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, + SHIM_LOCK_GUID); if (EFI_ERROR(efi_status)) { return; } diff --git a/httpboot.c b/httpboot.c index 3493183..4a37889 100644 --- a/httpboot.c +++ b/httpboot.c @@ -254,7 +254,6 @@ extract_hostname (CONST CHAR8 *url, CHAR8 **hostname) static EFI_HANDLE get_nic_handle (EFI_MAC_ADDRESS *mac) { - EFI_GUID http_binding_guid = EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID; EFI_DEVICE_PATH *unpacked = NULL; EFI_DEVICE_PATH *Node; EFI_DEVICE_PATH *temp_path = NULL; @@ -269,7 +268,7 @@ get_nic_handle (EFI_MAC_ADDRESS *mac) protocol */ status = uefi_call_wrapper(BS->LocateHandleBuffer, 5, ByProtocol, - &http_binding_guid, + &EFI_HTTP_BINDING_GUID, NULL, &NoHandles, &buffer); @@ -325,16 +324,13 @@ is_unspecified_addr (EFI_IPv6_ADDRESS ip6) static EFI_STATUS set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) { - EFI_GUID ip6_config_guid = EFI_IP6_CONFIG_PROTOCOL_GUID; EFI_IP6_CONFIG_PROTOCOL *ip6cfg; EFI_IP6_CONFIG_MANUAL_ADDRESS ip6; EFI_IPv6_ADDRESS gateway; EFI_STATUS status; - status = uefi_call_wrapper(BS->HandleProtocol, 3, - nic, - &ip6_config_guid, - (VOID **)&ip6cfg); + status = uefi_call_wrapper(BS->HandleProtocol, 3, nic, + &EFI_IP6_CONFIG_GUID, (VOID **)&ip6cfg); if (EFI_ERROR (status)) return status; @@ -367,16 +363,13 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) static EFI_STATUS set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node) { - EFI_GUID ip4_config2_guid = EFI_IP4_CONFIG2_PROTOCOL_GUID; EFI_IP4_CONFIG2_PROTOCOL *ip4cfg2; EFI_IP4_CONFIG2_MANUAL_ADDRESS ip4; EFI_IPv4_ADDRESS gateway; EFI_STATUS status; - status = uefi_call_wrapper(BS->HandleProtocol, 3, - nic, - &ip4_config2_guid, - (VOID **)&ip4cfg2); + status = uefi_call_wrapper(BS->HandleProtocol, 3, nic, + &EFI_IP4_CONFIG2_GUID, (VOID **)&ip4cfg2); if (EFI_ERROR (status)) return status; @@ -656,8 +649,6 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device, CHAR8 *hostname, CHAR8 *uri, BOOLEAN is_ip6, VOID **buffer, UINT64 *buf_size) { - EFI_GUID http_binding_guid = EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID; - EFI_GUID http_protocol_guid = EFI_HTTP_PROTOCOL_GUID; EFI_SERVICE_BINDING *service; EFI_HANDLE http_handle; EFI_HTTP_PROTOCOL *http; @@ -669,7 +660,7 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device, /* Open HTTP Service Binding Protocol */ status = uefi_call_wrapper(BS->OpenProtocol, 6, device, - &http_binding_guid, (VOID **)&service, + &EFI_HTTP_BINDING_GUID, (VOID **)&service, image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); if (EFI_ERROR (status)) return status; @@ -684,7 +675,7 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device, /* Get the http protocol */ status = uefi_call_wrapper(BS->HandleProtocol, 3, http_handle, - &http_protocol_guid, (VOID **)&http); + &EFI_HTTP_PROTOCOL_GUID, (VOID **)&http); if (EFI_ERROR (status)) { perror(L"Failed to get http\n"); goto error; diff --git a/include/Http.h b/include/Http.h index d8c397d..4b3746a 100644 --- a/include/Http.h +++ b/include/Http.h @@ -22,16 +22,6 @@ #ifndef SHIM_HTTP_H #define SHIM_HTTP_H -#define EFI_HTTP_SERVICE_BINDING_PROTOCOL_GUID \ - { \ - 0xbdc8e6af, 0xd9bc, 0x4379, {0xa7, 0x2a, 0xe0, 0xc4, 0xe7, 0x5d, 0xae, 0x1c } \ - } - -#define EFI_HTTP_PROTOCOL_GUID \ - { \ - 0x7a59b29b, 0x910b, 0x4171, {0x82, 0x42, 0xa8, 0x5a, 0x0d, 0xf2, 0x5b, 0x5b } \ - } - typedef struct _EFI_HTTP_PROTOCOL EFI_HTTP_PROTOCOL; /// diff --git a/include/Ip4Config2.h b/include/Ip4Config2.h index 8c0bced..efacaf8 100644 --- a/include/Ip4Config2.h +++ b/include/Ip4Config2.h @@ -20,11 +20,6 @@ This Protocol is introduced in UEFI Specification 2.5 #include -#define EFI_IP4_CONFIG2_PROTOCOL_GUID \ - { \ - 0x5b446ed1, 0xe30b, 0x4faa, {0x87, 0x1a, 0x36, 0x54, 0xec, 0xa3, 0x60, 0x80 } \ - } - typedef struct _EFI_IP4_CONFIG2_PROTOCOL EFI_IP4_CONFIG2_PROTOCOL; diff --git a/include/Ip6Config.h b/include/Ip6Config.h index e9d3def..f99ce01 100644 --- a/include/Ip6Config.h +++ b/include/Ip6Config.h @@ -17,11 +17,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include -#define EFI_IP6_CONFIG_PROTOCOL_GUID \ - { \ - 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \ - } - typedef struct _EFI_IP6_CONFIG_PROTOCOL EFI_IP6_CONFIG_PROTOCOL; /// diff --git a/include/console.h b/include/console.h index c11d9bc..5d9cd64 100644 --- a/include/console.h +++ b/include/console.h @@ -26,9 +26,6 @@ void console_reset(void); #define NOSEL 0x7fffffff -#define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \ - { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} } - typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; typedef enum { diff --git a/include/efiauthenticated.h b/include/efiauthenticated.h index 671966e..a9c395f 100644 --- a/include/efiauthenticated.h +++ b/include/efiauthenticated.h @@ -60,28 +60,6 @@ typedef struct { #define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 #define WIN_CERT_TYPE_EFI_GUID 0x0EF1 -#define EFI_CERT_X509_GUID \ - (EFI_GUID) { \ - 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \ - } - -#define EFI_CERT_RSA2048_GUID \ - (EFI_GUID) { \ - 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ - } - - -#define EFI_CERT_TYPE_PKCS7_GUID \ - (EFI_GUID) { \ - 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \ - } - -/* - * WIN_CERTIFICATE_UEFI_GUID.CertType - */ -#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ - {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } - /* * WIN_CERTIFICATE_UEFI_GUID.CertData */ diff --git a/include/guid.h b/include/guid.h index b2c1f8f..81689d6 100644 --- a/include/guid.h +++ b/include/guid.h @@ -3,17 +3,36 @@ #include +extern EFI_GUID BDS_GUID; extern EFI_GUID GV_GUID; extern EFI_GUID SIG_DB; extern EFI_GUID X509_GUID; extern EFI_GUID RSA2048_GUID; extern EFI_GUID PKCS7_GUID; extern EFI_GUID IMAGE_PROTOCOL; -extern EFI_GUID SIMPLE_FS_PROTOCOL; +extern EFI_GUID EFI_FILE_INFO_GUID; +extern EFI_GUID EFI_FILE_SYSTEM_INFO_GUID; +extern EFI_GUID EFI_CERT_RSA2048_GUID; extern EFI_GUID EFI_CERT_SHA1_GUID; extern EFI_GUID EFI_CERT_SHA256_GUID; -extern EFI_GUID MOK_OWNER; +extern EFI_GUID EFI_CERT_SHA224_GUID; +extern EFI_GUID EFI_CERT_SHA384_GUID; +extern EFI_GUID EFI_CERT_SHA512_GUID; +extern EFI_GUID EFI_CERT_TYPE_PKCS7_GUID; +extern EFI_GUID EFI_CERT_TYPE_RSA2048_SHA256_GUID; +extern EFI_GUID EFI_CERT_TYPE_X509_GUID; +extern EFI_GUID EFI_CONSOLE_CONTROL_GUID; +extern EFI_GUID EFI_HTTP_BINDING_GUID; +extern EFI_GUID EFI_HTTP_PROTOCOL_GUID; +extern EFI_GUID EFI_IP4_CONFIG2_GUID; +extern EFI_GUID EFI_IP6_CONFIG_GUID; +extern EFI_GUID EFI_LOADED_IMAGE_GUID; +extern EFI_GUID EFI_TPM_GUID; +extern EFI_GUID EFI_TPM2_GUID; +extern EFI_GUID EFI_SECURE_BOOT_DB_GUID; +extern EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID; extern EFI_GUID SECURITY_PROTOCOL_GUID; extern EFI_GUID SECURITY2_PROTOCOL_GUID; +extern EFI_GUID SHIM_LOCK_GUID; #endif /* SHIM_GUID_H */ diff --git a/include/tpm.h b/include/tpm.h index 0b0cd66..3864239 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -3,9 +3,6 @@ #include -#define EFI_TPM_GUID {0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd }}; -#define EFI_TPM2_GUID {0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }}; - #define TPM_ALG_SHA 0x00000004 #define EV_IPL 0x0000000d diff --git a/lib/console.c b/lib/console.c index b647dd1..358c78b 100644 --- a/lib/console.c +++ b/lib/console.c @@ -8,15 +8,13 @@ #include #include #include -#include -#include -#include + +#include "shim.h" + #include #include #include -#include "shim.h" - static int count_lines(CHAR16 *str_arr[]) { @@ -417,13 +415,12 @@ VOID setup_verbosity(VOID) { EFI_STATUS status; - EFI_GUID guid = SHIM_LOCK_GUID; UINT8 verbose_check; UINTN verbose_check_size; verbose_check_size = 1; status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, - &verbose_check_size, guid); + &verbose_check_size, SHIM_LOCK_GUID); verbose = 0; if (!EFI_ERROR(status)) verbose = verbose_check; @@ -432,13 +429,13 @@ setup_verbosity(VOID) VOID setup_console (int text) { EFI_STATUS status; - EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; EFI_CONSOLE_CONTROL_PROTOCOL *concon; static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = EfiConsoleControlScreenGraphics; EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; - status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); + status = LibLocateProtocol(&EFI_CONSOLE_CONTROL_GUID, + (VOID **)&concon); if (status != EFI_SUCCESS) return; diff --git a/lib/guid.c b/lib/guid.c index 5f5a03f..57c02fb 100644 --- a/lib/guid.c +++ b/lib/guid.c @@ -4,19 +4,36 @@ * see COPYING file */ -#include +#include "shim.h" -/* all the necessary guids */ +EFI_GUID BDS_GUID = { 0x8108ac4e, 0x9f11, 0x4d59, { 0x85, 0x0e, 0xe2, 0x1a, 0x52, 0x2c, 0x59, 0xb2 } }; EFI_GUID GV_GUID = EFI_GLOBAL_VARIABLE; EFI_GUID SIG_DB = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }}; - EFI_GUID X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} }; EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} }; EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} }; EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL; -EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL; +EFI_GUID EFI_FILE_INFO_GUID = EFI_FILE_INFO_ID; +EFI_GUID EFI_FILE_SYSTEM_INFO_GUID = EFI_FILE_SYSTEM_INFO_ID; +EFI_GUID EFI_CERT_RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} }; EFI_GUID EFI_CERT_SHA1_GUID = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}; EFI_GUID EFI_CERT_SHA256_GUID = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } }; -EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; +EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; +EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; +EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} }; +EFI_GUID EFI_CERT_TYPE_PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} }; +EFI_GUID EFI_CERT_TYPE_RSA2048_SHA256_GUID = { 0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }; +EFI_GUID EFI_CERT_TYPE_X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} }; +EFI_GUID EFI_CONSOLE_CONTROL_GUID = { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} }; +EFI_GUID EFI_HTTP_BINDING_GUID = { 0xbdc8e6af, 0xd9bc, 0x4379, {0xa7, 0x2a, 0xe0, 0xc4, 0xe7, 0x5d, 0xae, 0x1c } }; +EFI_GUID EFI_HTTP_PROTOCOL_GUID = { 0x7a59b29b, 0x910b, 0x4171, {0x82, 0x42, 0xa8, 0x5a, 0x0d, 0xf2, 0x5b, 0x5b } }; +EFI_GUID EFI_IP4_CONFIG2_GUID = { 0x5b446ed1, 0xe30b, 0x4faa, {0x87, 0x1a, 0x36, 0x54, 0xec, 0xa3, 0x60, 0x80 } }; +EFI_GUID EFI_IP6_CONFIG_GUID = { 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } }; +EFI_GUID EFI_LOADED_IMAGE_GUID = EFI_LOADED_IMAGE_PROTOCOL_GUID; +EFI_GUID EFI_TPM_GUID = { 0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd } }; +EFI_GUID EFI_TPM2_GUID = { 0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f } }; +EFI_GUID EFI_SECURE_BOOT_DB_GUID = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } }; +EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL; EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; +EFI_GUID SHIM_LOCK_GUID = {0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } }; diff --git a/lib/simple_file.c b/lib/simple_file.c index f7762cc..2b82313 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -9,9 +9,6 @@ #include "shim.h" -static EFI_GUID FILE_INFO = EFI_FILE_INFO_ID; -static EFI_GUID FS_INFO = EFI_FILE_SYSTEM_INFO_ID; - EFI_STATUS simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UINT64 mode) { @@ -20,7 +17,7 @@ simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UIN EFI_FILE *root; efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device, - &SIMPLE_FS_PROTOCOL, (void **)&drive); + &EFI_SIMPLE_FILE_SYSTEM_GUID, (void **)&drive); if (efi_status != EFI_SUCCESS) { Print(L"Unable to find simple file protocol (%d)\n", efi_status); @@ -81,8 +78,8 @@ simple_dir_read_all_by_handle(EFI_HANDLE image, EFI_FILE *file, CHAR16* name, EF char buf[4096]; UINTN size = sizeof(buf); EFI_FILE_INFO *fi = (void *)buf; - - status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO, + + status = uefi_call_wrapper(file->GetInfo, 4, file, &EFI_FILE_INFO_GUID, &size, fi); if (status != EFI_SUCCESS) { Print(L"Failed to get file info\n"); @@ -151,10 +148,9 @@ simple_file_read_all(EFI_FILE *file, UINTN *size, void **buffer) *size = sizeof(buf); fi = (void *)buf; - - efi_status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO, - size, fi); + efi_status = uefi_call_wrapper(file->GetInfo, 4, file, + &EFI_FILE_INFO_GUID, size, fi); if (efi_status != EFI_SUCCESS) { Print(L"Failed to get file info\n"); return efi_status; @@ -199,7 +195,7 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) int val; uefi_call_wrapper(BS->LocateHandleBuffer, 5, ByProtocol, - &SIMPLE_FS_PROTOCOL, NULL, &count, &vol_handles); + &EFI_SIMPLE_FILE_SYSTEM_GUID, NULL, &count, &vol_handles); if (!count || !vol_handles) return EFI_NOT_FOUND; @@ -218,7 +214,7 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) status = uefi_call_wrapper(BS->HandleProtocol, 3, vol_handles[i], - &SIMPLE_FS_PROTOCOL, + &EFI_SIMPLE_FILE_SYSTEM_GUID, (void **)&drive); if (status != EFI_SUCCESS || !drive) continue; @@ -227,14 +223,13 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) if (status != EFI_SUCCESS) continue; - status = uefi_call_wrapper(root->GetInfo, 4, root, &FS_INFO, - &size, fi); + status = uefi_call_wrapper(root->GetInfo, 4, root, + &EFI_FILE_SYSTEM_INFO_GUID, &size, fi); if (status != EFI_SUCCESS) continue; name = fi->VolumeLabel; - - if (!name || StrLen(name) == 0 || StrCmp(name, L" ") == 0) + if (!name || StrLen(name) == 0 || StrCmp(name, L" ") == 0) name = DevicePathToStr(DevicePathFromHandle(vol_handles[i])); entries[i] = AllocatePool((StrLen(name) + 2) * sizeof(CHAR16)); @@ -264,7 +259,6 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) FreePool(entries); FreePool(vol_handles); - return EFI_SUCCESS; } @@ -304,7 +298,6 @@ simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, *count = 0; status = simple_dir_read_all(image, name, entries, &tot); - if (status != EFI_SUCCESS) goto out; ptr = next = *entries; diff --git a/lib/variables.c b/lib/variables.c index 1fd95a7..0abd6a0 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -323,7 +323,7 @@ variable_enroll_hash(CHAR16 *var, EFI_GUID owner, l->SignatureListSize = sizeof(sig); l->SignatureSize = 16 +32; /* UEFI defined */ CopyMem(&d->SignatureData, hash, SHA256_DIGEST_SIZE); - d->SignatureOwner = MOK_OWNER; + d->SignatureOwner = SHIM_LOCK_GUID; if (CompareGuid(&owner, &SIG_DB) == 0) status = SetSecureVariable(var, sig, sizeof(sig), owner, diff --git a/shim.c b/shim.c index d4d4747..925b2ea 100644 --- a/shim.c +++ b/shim.c @@ -71,8 +71,6 @@ static UINT32 load_options_size; __perror_ret; \ }) -EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; - /* * The vendor certificate used for validating the second stage loader */ @@ -438,10 +436,9 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, EFI_SIGNATURE_DATA *Cert; UINTN CertSize; BOOLEAN IsFound = FALSE; - EFI_GUID CertType = X509_GUID; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { + if (CompareGuid (&CertList->SignatureType, &EFI_CERT_TYPE_X509_GUID) == 0) { Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); CertSize = CertList->SignatureSize - sizeof(EFI_GUID); if (verify_x509(Cert->SignatureData, CertSize)) { @@ -570,52 +567,50 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data, static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, UINT8 *sha256hash, UINT8 *sha1hash) { - EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - EFI_GUID shim_var = SHIM_LOCK_GUID; EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, - SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, - L"dbx", secure_var) == - DATA_FOUND) { + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx", + EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { LogError(L"binary sha256hash found in vendor dbx\n"); return EFI_SECURITY_VIOLATION; } if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, - SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, - L"dbx", secure_var) == - DATA_FOUND) { + SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx", + EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { LogError(L"binary sha1hash found in vendor dbx\n"); return EFI_SECURITY_VIOLATION; } - if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert, - sha256hash, L"dbx", - secure_var) == DATA_FOUND) { + if (cert && + check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx", + EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { LogError(L"cert sha256hash found in vendor dbx\n"); return EFI_SECURITY_VIOLATION; } - if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) { + if (check_db_hash(L"dbx", EFI_SECURE_BOOT_DB_GUID, sha256hash, + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { LogError(L"binary sha256hash found in system dbx\n"); return EFI_SECURITY_VIOLATION; } - if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EFI_CERT_SHA1_GUID) == DATA_FOUND) { + if (check_db_hash(L"dbx", EFI_SECURE_BOOT_DB_GUID, sha1hash, + SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) { LogError(L"binary sha1hash found in system dbx\n"); return EFI_SECURITY_VIOLATION; } - if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) == - DATA_FOUND) { + if (cert && + check_db_cert(L"dbx", EFI_SECURE_BOOT_DB_GUID, + cert, sha256hash) == DATA_FOUND) { LogError(L"cert sha256hash found in system dbx\n"); return EFI_SECURITY_VIOLATION; } - if (check_db_hash(L"MokListX", shim_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) { + if (check_db_hash(L"MokListX", SHIM_LOCK_GUID, sha256hash, + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { LogError(L"binary sha256hash found in Mok dbx\n"); return EFI_SECURITY_VIOLATION; } - if (cert && check_db_cert(L"MokListX", shim_var, cert, sha256hash) == - DATA_FOUND) { + if (cert && + check_db_cert(L"MokListX", SHIM_LOCK_GUID, + cert, sha256hash) == DATA_FOUND) { LogError(L"cert sha256hash found in Mok dbx\n"); return EFI_SECURITY_VIOLATION; } @@ -636,18 +631,15 @@ static void update_verification_method(verification_method_t method) static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, UINT8 *sha256hash, UINT8 *sha1hash) { - EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - EFI_GUID shim_var = SHIM_LOCK_GUID; - if (!ignore_db) { - if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, + if (check_db_hash(L"db", EFI_SECURE_BOOT_DB_GUID, sha256hash, SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } else { LogError(L"check_db_hash(db, sha256hash) != DATA_FOUND\n"); } - if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, + if (check_db_hash(L"db", EFI_SECURE_BOOT_DB_GUID, sha1hash, SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) { verification_method = VERIFIED_BY_HASH; update_verification_method(VERIFIED_BY_HASH); @@ -655,7 +647,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, } else { LogError(L"check_db_hash(db, sha1hash) != DATA_FOUND\n"); } - if (cert && check_db_cert(L"db", secure_var, cert, sha256hash) + if (cert && check_db_cert(L"db", EFI_SECURE_BOOT_DB_GUID, cert, sha256hash) == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); @@ -665,16 +657,17 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, } } - if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) { + if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash, + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) + == DATA_FOUND) { verification_method = VERIFIED_BY_HASH; update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } else { LogError(L"check_db_hash(MokList, sha256hash) != DATA_FOUND\n"); } - if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) == - DATA_FOUND) { + if (cert && check_db_cert(L"MokList", SHIM_LOCK_GUID, cert, sha256hash) + == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; @@ -990,18 +983,17 @@ done: * Ensure that the MOK database hasn't been set or modified from an OS */ static EFI_STATUS verify_mok (void) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; UINT8 *MokListData = NULL; UINTN MokListDataSize = 0; UINT32 attributes; status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize, - shim_lock_guid, &attributes); + SHIM_LOCK_GUID, &attributes); if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) { perror(L"MokList is compromised!\nErase all keys in MokList!\n"); - if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokList", &SHIM_LOCK_GUID) != EFI_SUCCESS) { perror(L"Failed to erase MokList\n"); return EFI_SECURITY_VIOLATION; } @@ -1023,7 +1015,6 @@ static EFI_STATUS verify_buffer (char *data, int datasize, EFI_STATUS status = EFI_SECURITY_VIOLATION; WIN_CERTIFICATE_EFI_PKCS *cert = NULL; unsigned int size = datasize; - EFI_GUID shim_var = SHIM_LOCK_GUID; if (context->SecDir->Size != 0) { if (context->SecDir->Size >= size) { @@ -1107,7 +1098,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { update_verification_method(VERIFIED_BY_CERT); - tpm_measure_variable(L"Shim", shim_var, sizeof(shim_cert), shim_cert); + tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, + sizeof(shim_cert), shim_cert); status = EFI_SUCCESS; drain_openssl_errors(); return status; @@ -1125,7 +1117,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { update_verification_method(VERIFIED_BY_CERT); - tpm_measure_variable(L"Shim", shim_var, vendor_cert_size, vendor_cert); + tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, + vendor_cert_size, vendor_cert); status = EFI_SUCCESS; drain_openssl_errors(); return status; @@ -1515,7 +1508,6 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, static int should_use_fallback(EFI_HANDLE image_handle) { - EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_LOADED_IMAGE *li; unsigned int pathlen = 0; CHAR16 *bootpath = NULL; @@ -1526,7 +1518,7 @@ should_use_fallback(EFI_HANDLE image_handle) int ret = 0; rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, - &loaded_image_protocol, (void **)&li); + &EFI_LOADED_IMAGE_GUID, (void **)&li); if (EFI_ERROR(rc)) { perror(L"Could not get image for bootx64.efi: %r\n", rc); return 0; @@ -1683,8 +1675,6 @@ error: static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, int *datasize, CHAR16 *PathName) { - EFI_GUID simple_file_system_protocol = SIMPLE_FILE_SYSTEM_PROTOCOL; - EFI_GUID file_info_id = EFI_FILE_INFO_ID; EFI_STATUS efi_status; EFI_HANDLE device; EFI_FILE_INFO *fileinfo = NULL; @@ -1698,9 +1688,8 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, * Open the device */ efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device, - &simple_file_system_protocol, + &EFI_SIMPLE_FILE_SYSTEM_GUID, (void **)&drive); - if (efi_status != EFI_SUCCESS) { perror(L"Failed to find fs: %r\n", efi_status); goto error; @@ -1736,7 +1725,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, * Find out how big the file is in order to allocate the storage * buffer */ - efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub, &file_info_id, + efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub, &EFI_FILE_INFO_GUID, &buffersize, fileinfo); if (efi_status == EFI_BUFFER_TOO_SMALL) { @@ -1748,7 +1737,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, goto error; } efi_status = uefi_call_wrapper(grub->GetInfo, 4, grub, - &file_info_id, &buffersize, + &EFI_FILE_INFO_GUID, &buffersize, fileinfo); } @@ -1872,7 +1861,6 @@ static EFI_STATUS shim_read_header(void *data, unsigned int datasize, */ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) { - EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_STATUS efi_status; EFI_LOADED_IMAGE *li, li_bak; CHAR16 *PathName = NULL; @@ -1886,8 +1874,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) * binary in order to find our path */ efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, - &loaded_image_protocol, (void **)&li); - + &EFI_LOADED_IMAGE_GUID, (void **)&li); if (efi_status != EFI_SUCCESS) { perror(L"Unable to init protocol\n"); return efi_status; @@ -2022,12 +2009,11 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) */ EFI_STATUS measure_mok() { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status, ret = EFI_SUCCESS; UINT8 *Data = NULL; UINTN DataSize = 0; - efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); + efi_status = get_variable(L"MokList", &Data, &DataSize, SHIM_LOCK_GUID); if (!EFI_ERROR(efi_status)) { efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, DataSize, 14, (CHAR8 *)"MokList"); @@ -2040,7 +2026,7 @@ EFI_STATUS measure_mok() ret = efi_status; } - efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid); + efi_status = get_variable(L"MokListX", &Data, &DataSize, SHIM_LOCK_GUID); if (!EFI_ERROR(efi_status)) { efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, DataSize, 14, (CHAR8 *)"MokListX"); @@ -2054,10 +2040,10 @@ EFI_STATUS measure_mok() } efi_status = get_variable(L"MokSBState", &Data, &DataSize, - shim_lock_guid); + SHIM_LOCK_GUID); if (!EFI_ERROR(efi_status)) { efi_status = tpm_measure_variable(L"MokSBState", - shim_lock_guid, + SHIM_LOCK_GUID, DataSize, Data); if (!EFI_ERROR(efi_status)) { efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS) @@ -2082,7 +2068,6 @@ EFI_STATUS measure_mok() */ EFI_STATUS mirror_mok_list() { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINT8 *Data = NULL; UINTN DataSize = 0; @@ -2092,7 +2077,7 @@ EFI_STATUS mirror_mok_list() EFI_SIGNATURE_DATA *CertData = NULL; uint8_t *p = NULL; - efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); + efi_status = get_variable(L"MokList", &Data, &DataSize, SHIM_LOCK_GUID); if (efi_status != EFI_SUCCESS) DataSize = 0; @@ -2118,7 +2103,7 @@ EFI_STATUS mirror_mok_list() CertData = (EFI_SIGNATURE_DATA *)p; p += sizeof (EFI_GUID); - CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; CertList->SignatureListSize = vendor_cert_size + sizeof (*CertList) + sizeof (*CertData) @@ -2135,7 +2120,7 @@ EFI_STATUS mirror_mok_list() if (FullDataSize) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, FullDataSize, FullData); @@ -2153,17 +2138,17 @@ EFI_STATUS mirror_mok_list() */ EFI_STATUS mirror_mok_list_x() { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINT8 *Data = NULL; UINTN DataSize = 0; - efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid); + efi_status = get_variable(L"MokListX", &Data, &DataSize, + SHIM_LOCK_GUID); if (efi_status != EFI_SUCCESS) return efi_status; efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListXRT", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, Data); @@ -2180,22 +2165,21 @@ EFI_STATUS mirror_mok_list_x() */ EFI_STATUS mirror_mok_sb_state() { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINT8 *Data = NULL; UINTN DataSize = 0; - efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid); + efi_status = get_variable(L"MokSBState", &Data, &DataSize, SHIM_LOCK_GUID); if (efi_status == EFI_SUCCESS) { UINT8 *Data_RT = NULL; UINTN DataSize_RT = 0; efi_status = get_variable(L"MokSBStateRT", &Data_RT, - &DataSize_RT, shim_lock_guid); + &DataSize_RT, SHIM_LOCK_GUID); if (efi_status == EFI_SUCCESS) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE, @@ -2204,7 +2188,7 @@ EFI_STATUS mirror_mok_sb_state() efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, Data); @@ -2221,13 +2205,12 @@ EFI_STATUS mirror_mok_sb_state() static BOOLEAN check_var(CHAR16 *varname) { EFI_STATUS efi_status; - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN size = sizeof(UINT32); UINT32 MokVar; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, varname, - &shim_lock_guid, &attributes, + &SHIM_LOCK_GUID, &attributes, &size, (void *)&MokVar); if (efi_status == EFI_SUCCESS || efi_status == EFI_BUFFER_TOO_SMALL) @@ -2265,7 +2248,6 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) */ static EFI_STATUS check_mok_sb (void) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; UINT8 MokSBState; UINTN MokSBStateSize = sizeof(MokSBState); @@ -2274,8 +2256,9 @@ static EFI_STATUS check_mok_sb (void) user_insecure_mode = 0; ignore_db = 0; - status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState", &shim_lock_guid, - &attributes, &MokSBStateSize, &MokSBState); + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState", + &SHIM_LOCK_GUID, &attributes, + &MokSBStateSize, &MokSBState); if (status != EFI_SUCCESS) return EFI_SECURITY_VIOLATION; @@ -2285,7 +2268,7 @@ static EFI_STATUS check_mok_sb (void) */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { perror(L"MokSBState is compromised! Clearing it\n"); - if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokSBState", &SHIM_LOCK_GUID) != EFI_SUCCESS) { perror(L"Failed to erase MokSBState\n"); } status = EFI_SECURITY_VIOLATION; @@ -2304,14 +2287,14 @@ static EFI_STATUS check_mok_sb (void) static EFI_STATUS check_mok_db (void) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; UINT8 MokDBState; UINTN MokDBStateSize = sizeof(MokDBState); UINT32 attributes; - status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState", &shim_lock_guid, - &attributes, &MokDBStateSize, &MokDBState); + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState", + &SHIM_LOCK_GUID, &attributes, + &MokDBStateSize, &MokDBState); if (status != EFI_SUCCESS) return EFI_SECURITY_VIOLATION; @@ -2323,7 +2306,7 @@ static EFI_STATUS check_mok_db (void) */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { perror(L"MokDBState is compromised! Clearing it\n"); - if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) { + if (LibDeleteVariable(L"MokDBState", &SHIM_LOCK_GUID) != EFI_SUCCESS) { perror(L"Failed to erase MokDBState\n"); } status = EFI_SECURITY_VIOLATION; @@ -2338,7 +2321,6 @@ static EFI_STATUS check_mok_db (void) static EFI_STATUS mok_ignore_db() { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status = EFI_SUCCESS; UINT8 Data = 1; UINTN DataSize = sizeof(UINT8); @@ -2347,7 +2329,7 @@ static EFI_STATUS mok_ignore_db() if (ignore_db) { efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokIgnoreDB", - &shim_lock_guid, + &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, (void *)&Data); @@ -2360,8 +2342,6 @@ static EFI_STATUS mok_ignore_db() } -EFI_GUID bds_guid = { 0x8108ac4e, 0x9f11, 0x4d59, { 0x85, 0x0e, 0xe2, 0x1a, 0x52, 0x2c, 0x59, 0xb2 } }; - static inline EFI_STATUS get_load_option_optional_data(UINT8 *data, UINTN data_size, UINT8 **od, UINTN *ods) @@ -2581,7 +2561,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) if (li->LoadOptionsSize > 16) { if (CompareGuid((EFI_GUID *)(li->LoadOptions + (li->LoadOptionsSize - 16)), - &bds_guid) == 0) + &BDS_GUID) == 0) li->LoadOptionsSize -= 16; } @@ -2747,7 +2727,6 @@ static EFI_HANDLE shim_lock_handle; EFI_STATUS install_shim_protocols(void) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; SHIM_LOCK *shim_lock; EFI_STATUS efi_status; @@ -2768,7 +2747,7 @@ install_shim_protocols(void) * replacements. So even though it will participate and verify * the kernel, the systab never finds out. */ - efi_status = LibLocateProtocol(&shim_lock_guid, (VOID **)&shim_lock); + efi_status = LibLocateProtocol(&SHIM_LOCK_GUID, (VOID **)&shim_lock); if (!EFI_ERROR(efi_status)) uninstall_shim_protocols(); @@ -2776,7 +2755,7 @@ install_shim_protocols(void) * Install the protocol */ efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, - &shim_lock_handle, &shim_lock_guid, + &shim_lock_handle, &SHIM_LOCK_GUID, EFI_NATIVE_INTERFACE, &shim_lock_interface); if (EFI_ERROR(efi_status)) { console_error(L"Could not install security protocol", @@ -2800,13 +2779,11 @@ install_shim_protocols(void) void uninstall_shim_protocols(void) { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - /* * If we're back here then clean everything up before exiting */ uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle, - &shim_lock_guid, &shim_lock_interface); + &SHIM_LOCK_GUID, &shim_lock_interface); if (!secure_mode()) return; @@ -2880,7 +2857,6 @@ static void __attribute__((__optimize__("0"))) debug_hook(void) { - EFI_GUID guid = SHIM_LOCK_GUID; UINT8 *data = NULL; UINTN dataSize = 0; EFI_STATUS efi_status; @@ -2890,7 +2866,8 @@ debug_hook(void) if (x) return; - efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, guid); + efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, + SHIM_LOCK_GUID); if (EFI_ERROR(efi_status)) { return; } @@ -2901,7 +2878,7 @@ debug_hook(void) Print(L"Pausing for debugger attachment.\n"); Print(L"To disable this, remove the EFI variable SHIM_DEBUG-%g .\n", - &guid); + &SHIM_LOCK_GUID); x = 1; while (x++) { /* Make this so it can't /totally/ DoS us. */ diff --git a/shim.h b/shim.h index 51e9c20..89d2432 100644 --- a/shim.h +++ b/shim.h @@ -95,8 +95,6 @@ #include "shim_cert.h" #endif -extern EFI_GUID SHIM_LOCK_GUID; - INTERFACE_DECL(_SHIM_LOCK); typedef diff --git a/tpm.c b/tpm.c index 340f0ce..a1c28a9 100644 --- a/tpm.c +++ b/tpm.c @@ -23,9 +23,6 @@ typedef struct { UINTN measuredcount = 0; VARIABLE_RECORD *measureddata = NULL; -EFI_GUID tpm_guid = EFI_TPM_GUID; -EFI_GUID tpm2_guid = EFI_TPM2_GUID; - static BOOLEAN tpm_present(efi_tpm_protocol_t *tpm) { EFI_STATUS status; @@ -126,7 +123,7 @@ static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm, *tpm = NULL; *tpm2 = NULL; - status = LibLocateProtocol(&tpm2_guid, (VOID **)tpm2); + status = LibLocateProtocol(&EFI_TPM2_GUID, (VOID **)tpm2); /* TPM 2.0 */ if (status == EFI_SUCCESS) { BOOLEAN old_caps; @@ -144,7 +141,7 @@ static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm, return EFI_SUCCESS; } } else { - status = LibLocateProtocol(&tpm_guid, (VOID **)tpm); + status = LibLocateProtocol(&EFI_TPM_GUID, (VOID **)tpm); if (EFI_ERROR(status)) return status; @@ -214,7 +211,7 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT32 eventnum = 0; EFI_PHYSICAL_ADDRESS lastevent; - status = LibLocateProtocol(&tpm_guid, (VOID **)&tpm); + status = LibLocateProtocol(&EFI_TPM_GUID, (VOID **)&tpm); if (status != EFI_SUCCESS) return EFI_SUCCESS;