proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-11 07:39:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
105 Commits 1 Branch 3 Tags 11 MiB
0848fab98d
Commit Graph

43 Commits

Author SHA1 Message Date
Matthew Garrett
0848fab98d Switch to using db format for MokList and MokNew 
Using the same format as the UEFI key databases makes it easier for the
kernel to parse and extract keys from MOK, and also permits MOK to contain
multiple key or hash types. Additionally, add support for enrolling hashes.
 2012-10-12 19:55:20 -04:00
Matthew Garrett
7f99a97c6b Split out hashing 
We want to be able to generate hashes, so split out the hash generation
function from the verification function
 2012-10-11 12:24:36 -04:00
Matthew Garrett
0e054ee1ce Add SHA1 support 
In theory vendors could blacklist binaries with SHA1, so make sure we
calculate and check that hash as well.
 2012-10-11 11:30:41 -04:00
Matthew Garrett
32b08c73d8 Fall back to MokManager if grub failed to validate 
If we can't verify grub, fall back to MokManager. This permits shipping a
copy of shim and MokManager without distributing a key, letting
distributions provide their own for user installation.
 2012-10-06 17:20:30 -04:00
Gary Ching-Pang Lin
000e235101 Use LibDeleteVariable in gnu-efi 2012-10-02 11:55:44 +08:00
Gary Ching-Pang Lin
ce2384495c Make sure the variables are not broken 2012-09-21 16:44:56 +08:00
Gary Ching-Pang Lin
03953e08bc Reject the binary when there is no key in MokList 2012-09-21 15:10:31 +08:00
Gary Ching-Pang Lin
b3ff35663b Check the MOK list correctly 2012-09-20 10:28:00 +08:00
Gary Ching-Pang Lin
5d4b6ba037 Abandon the variable, MokMgmt 2012-09-19 14:54:35 +08:00
Gary Ching-Pang Lin
ed2ecf8655 Copy the MOK list to a RT variable 
The RT variable, MokListRT, is a copy of MokList so that the
runtime applications can synchronize the key list without touching
the BS variable.
 2012-09-11 17:43:44 +08:00
Gary Ching-Pang Lin
28c581335e Use the machine owner keys to verify images 2012-09-11 16:39:12 +08:00
Gary Ching-Pang Lin
1395a9916b Always try StartImage first 2012-09-11 16:37:02 +08:00
Gary Ching-Pang Lin
5f00e44f9a Only launch MokManager when necessary 2012-09-11 16:34:25 +08:00
Gary Ching-Pang Lin
19e957f489 Retrieve attributes of variables 
We have to make sure the machine owner key is stored in a BS
variable.
 2012-09-11 16:31:05 +08:00
Gary Ching-Pang Lin
1fe0d49c9b Merge branch 'master' into mok-prototype3 
Conflicts:
	shim.c
 2012-09-07 18:22:34 +08:00
Gary Ching-Pang Lin
0d7c3dbde5 Load MokManager for MOK management 2012-09-07 18:11:45 +08:00
Gary Ching-Pang Lin
e235c85af1 Make the image loading process more generic 2012-09-07 17:43:21 +08:00
Peter Jones
3c2f1d6c3d Break out of our db checking loop at the appropriate time. 
The break in check_db_cert is at the wrong level due to a typo in
indentation, and as a result only the last cert in the list can
correctly match.  Rectify that.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2012-09-06 12:13:44 -04:00
Matthew Garrett
3682a89543 Use the file size, not the image size field, for verification. 2012-09-06 12:13:44 -04:00
Peter Jones
178b5681b8 Allow specification of vendor_cert through a build command line option. 
This allows you to specify the vendor_cert as a file on the command line
during build.
 2012-09-06 12:13:44 -04:00
Matthew Garrett
590b34492d Handle slightly stranger device paths 2012-07-13 00:30:22 -04:00
Matthew Garrett
d3ee0bed5e Make path generation more sensible 2012-07-11 10:58:15 -04:00
Matthew Garrett
8c173876d1 Make sure ImageBase is set appropriately in the loaded_image protocol 2012-07-11 10:57:46 -04:00
Matthew Garrett
85bbd2c4cc Re-add whitelisting - needed for protocol validation 2012-07-05 16:39:25 -04:00
Matthew Garrett
cc1116ced6 Check whether secure boot is enabled before performing verify call 2012-07-05 12:51:12 -04:00
Matthew Garrett
96b0c2f981 Fix up blacklist checking 
This was not quite as bugfree as would be hoped for.
 2012-07-02 14:43:18 -04:00
Matthew Garrett
f9435d9664 Remove whitelisting - the firmware will handle it via LoadImage/StartImage 2012-07-02 13:49:32 -04:00
Matthew Garrett
6d3e62ef2f Fix type of buffersize 2012-07-02 11:54:21 -04:00
Matthew Garrett
c08d0ceb05 Fix get_variable 2012-06-25 17:46:11 -04:00
Matthew Garrett
1a109376ab Add black/white listing 2012-06-25 10:59:08 -04:00
Matthew Garrett
301f41f053 Fix cert size 2012-06-19 15:25:02 -04:00
Matthew Garrett
49ebaa4b91 Uninstall protocol on exit 2012-06-18 17:31:42 -04:00
Matthew Garrett
019b0c5c13 Check binary against blacklist 2012-06-18 17:31:42 -04:00
Matthew Garrett
03685963c5 Attempt to start image using LoadImage/StartImage first 2012-06-18 17:31:42 -04:00
Matthew Garrett
b6db0dd4db Check that platform is in user mode before doing any validation 2012-06-18 17:31:42 -04:00
Matthew Garrett
0db1af8aeb Minor cleanups 2012-06-07 14:00:48 -04:00
Matthew Garrett
7db60bd8c2 Rename variables 2012-06-05 10:56:45 -04:00
Matthew Garrett
f4b2473401 Install a protocol for sharing code with grub 2012-06-05 10:52:30 -04:00
Matthew Garrett
f898777d22 Some cleanups 2012-05-30 22:08:09 -04:00
Matthew Garrett
7f0553356c Add image verification 2012-05-30 18:36:46 -04:00
Matthew Garrett
9d56c38fd1 Fix path generation 2012-05-08 03:00:51 -04:00
Matthew Garrett
0e6b01958a Some additional paranoia 2012-04-11 17:13:07 -04:00
Matthew Garrett
b2fe178094 Initial commit 2012-04-11 13:59:55 -04:00