- Update update.sh to copy the openssl 1.1.0 source files
- Refresh the supplemental patch to reflect the change
Signed-off-by: Gary Lin <glin@suse.com>
- Update to edk2 commit 7c410b3d4180087020c7734bf67cdc4ad9fdb136
CryptoPkg/BaseCryptLib: Adding NULL checking in time() wrapper.
- Update headers in Cryptlib/Include/openssl/ to 1.1.0e
+ Also copy the openssl internal headers
Signed-off-by: Gary Lin <glin@suse.com>
- Remove the openssl version from update.sh since edk2 doesn't use the
version number in the directory name anymore.
- Refresh Cryptlib.diff to reflect the change
Signed-off-by: Gary Lin <glin@suse.com>
Edk2 renamed OpenSslSupport.h, so we have to follow the change.
Also merge some changes from edk2 CrtLibSupport.h
Signed-off-by: Gary Lin <glin@suse.com>
The commit 03b9f800 introduces an issue in case the gap between
SumOfBytesHashed and context->SecDir->VirtualAddress exists.
This would be a typo because a formal PE image always meet
SumOfBytesHashed + hashsize == context->SecDir->VirtualAddress either
the gap exists or not.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Update to edk2 commit 6e4489d8129d233ef0fe85eeb6eebfecafe9ea6e
(CryptoPkg: Refine type cast for pointer subtraction)
Also replaced CryptAes.c, CryptArc4.c, CryptTdes.c, CryptMd4.c,
CryptHmacMd5.c, and CryptHmacSha1.c with the Null version since
we don't really need those functions.
Signed-off-by: Gary Lin <glin@suse.com>
Under a strict memory protection policy, UEFI may give out EfiLoaderData
memory with the XN attribute set. So use EfiLoaderCode explicitly.
At the same time, use a page based allocation rather than a pool
allocation, which is more appropriate when loading PE/COFF images.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
This makes it so two builds of the same .deb on different hosts won't
have wildly different file offsets.
Signed-off-by: Peter Jones <pjones@redhat.com>
Previously we were returning EFI_ACCESS_DENIED at some places and
EFI_SECURITY_VIOLATION at others. When we're checking whether to run
MokManager, we're checking EFI_SECURITY_VIOLATION, which is more or less
analogous with what the spec says StartImage() returns. So we should
always have that as the return code.
I believe this will fix github issue #44.
Signed-off-by: Peter Jones <pjones@redhat.com>
EFI TrEE Protocol uses the same protocol GUID as EFI TCG2 protocol, and
defines the capability structure version 1.0. Hence, the structure and
name are all align the EFI TrEE Protocol.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Some machines have already embedded MokSBStateRT varaible with
EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim
vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState
fail because the variable cannot be set with different attribute again, and gets
error massage every time when booting.
Fix it with checking the MokSBStateRT existence and deleting it before
mirroring it.
Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
Currently generate_hash() attempts to include any trailing data at the
end of the binary in the resulting digest, but it won't include such
data if the size computed is wrong because context->SecDir->Size is
invalid. In this case the return code is EFI_SUCCESS, and the hash will
match any a binary as if the Attribute Certificate Table and anything
after it are missing. This is wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
Although the prototype of memset() is already defined in OpenSslSupport.h,
the function was never implemented. It was fine since a macro was
designed to replace all memset() with SetMem() after including
OpenSslSupport.h. However, since openssl 1.0.2j, a new function pointer
in crypto/mem_clr.c requires the "real" memset() or the program would
crash due to the NULL function pointer access. This commit implements
memset() (just a wrapper of SetMem()) to avoid the potential crash.
Signed-off-by: Gary Lin <glin@suse.com>
Certain AMI BIOS (Intel NUC5i3MYBE BIOS version 0037) may make the strict
check on the last 3 arguments passed to get_event_log() and don't expect
NULL pointers are passed. In order to work around this failure
(EFI_INVALID_PARAMETER), pass them even though we really don't use it.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
According to TCG EFI Protocol Specification for TPM 2.0 family,
all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG
shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka
EFI TCG 2.0 final events table. Hence, it is necessary to trigger the
internal switch through calling get_event_log() in order to allow
to retrieve the logs from OS runtime.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
For starters; don't allow the "module signing" OID; which ought to
only ever be used for signing kernel modules, not signing EFI binaries.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Try to append the MOK/MOKX list first and then fallback to the normal
SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE.
Signed-off-by: Gary Lin <glin@suse.com>
We got the bug report about the usage of APPEND_WRITE that may cause the
failure when writing a variable in Lenovo machines. Although
EFI_VARIABLE_APPEND_WRITE already exists in the UEFI spec for years,
unfortunately, some vendors just ignore it and never implement the
attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to
make MokManager work on those machines.
https://github.com/rhinstaller/shim/issues/55
Signed-off-by: Gary Lin <glin@suse.com>
Authenticode Certificate length is available in Certificate Table
(inside PE header) and also in signature header(WIN_CERTIFICATE) itself.
Code in 'check_backlist()' method uses length from signature header,
whereas, AuthenticodeVerify() call inside 'verify_buffer()' method uses
the length in signature header. This causes a security vulnerability issue :
Good Scenario : Assume shim1.crt is used for signing grub.efi and
shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got
compromised and therefore it was added in 'dbx' database. Now, when
shim.efi will attempt to load grub.efi, it will fail loading with
log message "Binary is blacklisted" because 'check_blacklist' call
will detect the presence of 'shim1.crt' in 'dbx'.
Vulnerable Scenario : Similar as above. Add 'shim1.crt' in dbx database.
Also, tamper the earlier signed grub.efi file by placing 0x0000 in the
WIN_CERTIFICATE.dwLength.
(Open grub.efi/vmlinuz signed binary with hex editor.
Go to 0x128 address and read out the address from 0x128 until
0x12B in little Indian order from right to left.
Jump to the address from 0x128 address area.
First 8bytes are the signature header area which consist of
signature size(4bytes), revision(2bytes) and type(2bytes).
So tamper the first 4 bytes for signature size and save the binary.
)
With this tampered grub.efi, shim.efi loads it successfully because
'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx'
database.
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Also update Cryptlib to edk2 r19218
- Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use
the gcc builtins and remove all EFIAPI from the functions
- Move the most of defines into the headers instead of Makefile
- Remove the global variable 'timeval'
- Remove the unused code: crypto/pqueue/* and crypto/ts/*
- Include bn.h in MokManager.c due to the changes in openssl
Signed-off-by: Gary Lin <glin@suse.com>
When fallback.efi is not present, the should_use_fallback error path
attempts to close a file that has already been closed, resulting in a
hang. This issue only affects certain systems.
This is a regression from version 0.8 and was introduced by commit
4794822.
Signed-off-by: Benjamin Antin <ben.antin@endlessm.com>
Fix the compilation error from gcc:
shim.c: In function ‘handle_image’:
shim.c:1121:15: error: unused variable ‘size’ [-Werror=unused-variable]
unsigned int size;
^~~~
Signed-off-by: Gary Lin <glin@suse.com>
