Currently the only measurement the shim logs in the TPM is that of the EFI
application it directly loads. However, there are no measurements being taken
of application that are being verified through the shim_lock protocol. In this
patch we extend PCR4 for any binary for which Verify is being called through
the shim_lock protocol.
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
Originally, we check if the last 2 nodes in the device path are
IPv4()/Uri() or IPv6()/Uri() to determine whether httpboot is used or
not. However, since UEFI 2.7, the DNS node will be inserted between the
IP node and the URI node if the server provides the DNS server address.
This commit changes the matching rule to search IP node and URI node
and ignore any node between those two nodes.
Signed-off-by: Gary Lin <glin@suse.com>
Make sure if we chainload things, a chainloaded bootloader will be able to use
the latest systab replacements and protocols. They need to match for things
to validate correctly.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
shim 13:
- OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working
- Better PCR usage for TPM
- TPM documentation in README.tpm
- More configurable build via make variables:
ENABLE_SHIM_CERT
ENABLE_SHIM_HASH
ENABLE_SBSIGN
LIBDIR
EFIDIR
VENDOR_CERT_FILE
VENDOR_DB_FILE
- Better MoK documentation in MokVars.txt
- Better debuginfo generation
- Lots of minor bug fixes.
Signed-off-by: Peter Jones <pjones@redhat.com>
If you build with ENABLE_SHIM_CERT=1, the include chain right now winds
up meaning shim_cert is defined in a header that gets included in
netboot.c as well, which never uses it:
In file included from shim.h:125:0,
from netboot.c:36:
shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable]
static UINT8 shim_cert[] = {
^~~~~~~~~
cc1: all warnings being treated as errors
So make that okay by adding __attribute__((__unused__)) to the variable
decl.
Signed-off-by: Peter Jones <pjones@redhat.com>
Cyphermox discovered that when you run this:
( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g'
on some debian machines, printf(1) doesn't interpret the \x.. characters,
and that results in this being the encoded text:
00000000 5c 78 66 66 5c 78 66 65 73 00 68 00 69 00 6d 00 |\xff\xfes.h.i.m.|
00000010 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 2c 00 |x.6.4...e.f.i.,.|
00000020 66 00 6f 00 6f 00 2c 00 2c 00 54 00 68 00 69 00 |f.o.o.,.,.T.h.i.|
which... yeah, that's wrong. So instead, use iconv instead of
printf+sed to encode it in UCS-2. Unfortunately, that means we don't
get endian markers, because for some reason iconv(1) doesn't have any way
to say it should include them. But that's okay; fallback already
handles not having them and just assumes the second byte being \x00
means UCS-2LE.
Signed-off-by: Peter Jones <pjones@redhat.com>
Commit 1e71734992 inadvertantly switched ARM's
LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set,
and so it got clobbered away.
Signed-off-by: Peter Jones <pjones@redhat.com>
shim_cert.h is required by other pieces (such as netboot.o, cert.o) and
might not be built by the time these targets are reached. In that case the
build would fail as it can't find a required header.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
