Harden shim against non-participating bootloaders.

It works like this: during startup of shim, we hook into the system's
ExitBootServices() and StartImage().  If the system's StartImage() is
called, we automatically unhook, because we're chainloading to something
the system can verify.

When shim's verify is called, we record what kind of certificate the
image was verified against.  If the call /succeeds/, we remove our
hooks.

If ExitBootServices() is called, we check how the bootloader verified
whatever it is loading.  If it was verified by its hash, we unhook
everything and call the system's EBS().  If it was verified by
certificate, we check if it has called shim_verify().  If it has, we
unhook everything and call the system's EBS()

If the bootloader has not verified anything, and is itself verified by
a certificate, we display a security violation warning and halt the
machine.

Makefile

@@ -17,7 +17,7 @@ EFI_LDS		= elf_$(ARCH)_efi.lds
 DEFAULT_LOADER	:= \\\\grub.efi
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
-		  -mno-mmx -mno-sse \
+		  -mno-mmx -mno-sse -fno-builtin \
 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
 		  $(EFI_INCLUDES)
@@ -36,9 +36,9 @@ LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
 VERSION		= 0.4
 
 TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
-OBJS	= shim.o netboot.o cert.o dbx.o
+OBJS	= shim.o netboot.o cert.o replacements.o
 KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
-SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h
+SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h replacements.c replacements.h
 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
 MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
 FALLBACK_OBJS = fallback.o

TODO

@@ -1,7 +1,3 @@
-Hardening startimage:
-- Don't allow non-participating bootloaders/kernels to call
-  ExitBootServices(), but trap in StartImage() so we can let them do
-  that.
 Versioned protocol:
 - Make shim and the bootloaders using it express how enlightened they
   are to one another, so we can stop earlier without tricks like

replacements.c

@@ -0,0 +1,147 @@
+/*
+ * shim - trivial UEFI first-stage bootloader
+ *
+ * Copyright 2012 Red Hat, Inc <mjg@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Significant portions of this code are derived from Tianocore
+ * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel
+ * Corporation.
+ */
+
+/*   Chemical agents lend themselves to covert use in sabotage against
+ * which it is exceedingly difficult to visualize any really effective
+ * defense... I will not dwell upon this use of CBW because, as one
+ * pursues the possibilities of such covert uses, one discovers that the
+ * scenarios resemble that in which the components of a nuclear weapon
+ * are smuggled into New York City and assembled in the basement of the
+ * Empire State Building.
+ *   In other words, once the possibility is recognized to exist, about
+ * all that one can do is worry about it.
+ *   -- Dr. Ivan L Bennett, Jr., testifying before the Subcommittee on
+ *      National Security Policy and Scientific Developments, November 20,
+ *      1969.
+ */
+
+#include <efi.h>
+#include <efiapi.h>
+#include <efilib.h>
+#include "shim.h"
+#include "replacements.h"
+
+/* oh for fuck's sakes.*/
+#ifndef EFI_SECURITY_VIOLATION
+#define EFI_SECURITY_VIOLATION 26
+#endif
+
+static EFI_SYSTEM_TABLE *systab;
+
+static typeof(systab->BootServices->StartImage) system_start_image;
+static typeof(systab->BootServices->Exit) system_exit;
+static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
+
+extern UINT8 insecure_mode;
+
+static void
+unhook_system_services(void)
+{
+	if (insecure_mode)
+		return;
+	systab->BootServices->Exit = system_exit;
+	systab->BootServices->StartImage = system_start_image;
+	systab->BootServices->ExitBootServices = system_exit_boot_services;
+}
+
+static EFI_STATUS EFIAPI
+start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data)
+{
+	EFI_STATUS status;
+	unhook_system_services();
+	status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data);
+	if (EFI_ERROR(status))
+		hook_system_services(systab);
+	return status;
+}
+
+static EFI_STATUS EFIAPI
+exit_boot_services(EFI_HANDLE image_key, UINTN map_key)
+{
+	if (loader_is_participating || verification_method == VERIFIED_BY_HASH) {
+		unhook_system_services();
+		EFI_STATUS status;
+		status = systab->BootServices->ExitBootServices(image_key, map_key);
+		if (status != EFI_SUCCESS)
+			hook_system_services(systab);
+		return status;
+	}
+
+	Print(L"Bootloader has not verified loaded image.\n");
+	Print(L"System is compromised.  halting.\n");
+	systab->BootServices->Stall(5000000);
+	systab->RuntimeServices->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL);
+	return EFI_SECURITY_VIOLATION;
+}
+
+static EFI_STATUS EFIAPI
+exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
+     UINTN ExitDataSize, CHAR16 *ExitData)
+{
+	EFI_STATUS status;
+	unhook_system_services();
+
+	status = systab->BootServices->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData);
+	if (EFI_ERROR(status))
+		hook_system_services(systab);
+	return status;
+}
+
+
+void
+hook_system_services(EFI_SYSTEM_TABLE *local_systab)
+{
+	if (insecure_mode)
+		return;
+	systab = local_systab;
+
+	/* We need to hook various calls to make this work... */
+
+	/* we need StartImage() so that we can allow chain booting to an
+	 * image trusted by the firmware */
+	system_start_image = systab->BootServices->StartImage;
+	systab->BootServices->StartImage = start_image;
+
+	/* we need to hook ExitBootServices() so a) we can enforce the policy
+	 * and b) we can unwrap when we're done. */
+	system_exit_boot_services = systab->BootServices->ExitBootServices;
+	systab->BootServices->ExitBootServices = exit_boot_services;
+
+	/* we need to hook Exit() so that we can allow users to quit the
+	 * bootloader and still e.g. start a new one or run an internal
+	 * shell. */
+	system_exit = systab->BootServices->Exit;
+	systab->BootServices->Exit = exit;
+}

replacements.h

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2013 Red Hat, Inc <pjones@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SHIM_REPLACEMENTS_H
+#define SHIM_REPLACEMENTS_H 1
+
+typedef enum {
+	VERIFIED_BY_NOTHING,
+	VERIFIED_BY_CERT,
+	VERIFIED_BY_HASH
+} verification_method_t;
+
+extern verification_method_t verification_method;
+extern int loader_is_participating;
+
+extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
+
+#endif /* SHIM_REPLACEMENTS_H */

shim.c

@@ -40,6 +40,7 @@
 #include "shim.h"
 #include "netboot.h"
 #include "shim_cert.h"
+#include "replacements.h"
 #include "ucs2.h"
 
 #include "guid.h"
@@ -75,9 +76,15 @@ UINT32 vendor_dbx_size;
 UINT8 *vendor_cert;
 UINT8 *vendor_dbx;
 
+/*
+ * indicator of how an image has been verified
+ */
+verification_method_t verification_method;
+int loader_is_participating;
+
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
-static UINT8 insecure_mode;
+UINT8 insecure_mode;
 
 typedef enum {
 	DATA_FOUND,
@@ -370,6 +377,12 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	return EFI_SUCCESS;
 }
 
+static void update_verification_method(verification_method_t method)
+{
+	if (verification_method == VERIFIED_BY_NOTHING)
+		verification_method = method;
+}
+
 /*
  * Check whether the binary signature or hash are present in db or MokList
  */
@@ -380,19 +393,34 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	EFI_GUID shim_var = SHIM_LOCK_GUID;
 
 	if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE,
-			  EFI_CERT_SHA256_GUID) == DATA_FOUND)
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+		update_verification_method(VERIFIED_BY_HASH);
 		return EFI_SUCCESS;
+	}
 	if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE,
-			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
+			  EFI_CERT_SHA1_GUID) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_HASH;
+		update_verification_method(VERIFIED_BY_HASH);
 		return EFI_SUCCESS;
+	}
 	if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE,
-			  EFI_CERT_SHA256_GUID) == DATA_FOUND)
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_HASH;
+		update_verification_method(VERIFIED_BY_HASH);
 		return EFI_SUCCESS;
-	if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND)
+	}
+	if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_CERT;
+		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
-	if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND)
+	}
+	if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
+		verification_method = VERIFIED_BY_CERT;
+		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
+	}
 
+	update_verification_method(VERIFIED_BY_NOTHING);
 	return EFI_ACCESS_DENIED;
 }
 
@@ -1169,6 +1197,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	EFI_STATUS status;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
 
+	loader_is_participating = 1;
+
 	if (!secure_mode())
 		return EFI_SUCCESS;
 
@@ -1262,6 +1292,8 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 		goto done;
 	}
 
+	loader_is_participating = 0;
+
 	/*
 	 * The binary is trusted and relocated. Run it
 	 */
@@ -1391,6 +1423,8 @@ static EFI_STATUS check_mok_sb (void)
 	if (status != EFI_SUCCESS)
 		return EFI_ACCESS_DENIED;
 
+	insecure_mode = 0;
+
 	/*
 	 * Delete and ignore the variable if it's been set from or could be
 	 * modified by the OS
@@ -1500,6 +1534,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	UINTN verbose_check_size;
 	EFI_GUID global_var = EFI_GLOBAL_VARIABLE;
 
+	verification_method = VERIFIED_BY_NOTHING;
+
 	vendor_cert_size = cert_table.vendor_cert_size;
 	vendor_dbx_size = cert_table.vendor_dbx_size;
 	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
@@ -1541,6 +1577,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	if (insecure_mode) {
 		Print(L"Booting in insecure mode\n");
 		uefi_call_wrapper(BS->Stall, 1, 2000000);
+	} else {
+		/*
+		 * Install our hooks for ExitBootServices() and StartImage()
+		 */
+		hook_system_services(systab);
+		loader_is_participating = 0;
 	}
 
 	/*