proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-05-19 09:30:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
107 Commits 1 Branch 3 Tags 11 MiB
e65370d770
Commit Graph

44 Commits

Author SHA1 Message Date
Matthew Garrett
683959d7ad Remove LoadImage/StartImage support 
Some systems will show an error dialog if LoadImage() returned
EFI_ACCESS_DENIED, which then requires physical user interaction to skip.
Let's just remove the LoadImage/StartImage code, since the built-in code
is theoretically equivalent.
 2012-10-12 19:55:20 -04:00
Matthew Garrett
0a6565c5ed Switch to using db format for MokList and MokNew 
Using the same format as the UEFI key databases makes it easier for the
kernel to parse and extract keys from MOK, and also permits MOK to contain
multiple key or hash types. Additionally, add support for enrolling hashes.
 2012-10-12 19:55:20 -04:00
Matthew Garrett
f394b22e86 Split out hashing 
We want to be able to generate hashes, so split out the hash generation
function from the verification function
 2012-10-11 12:24:36 -04:00
Matthew Garrett
ce6a5748b0 Add SHA1 support 
In theory vendors could blacklist binaries with SHA1, so make sure we
calculate and check that hash as well.
 2012-10-11 11:30:41 -04:00
Matthew Garrett
8cf182af8b Fall back to MokManager if grub failed to validate 
If we can't verify grub, fall back to MokManager. This permits shipping a
copy of shim and MokManager without distributing a key, letting
distributions provide their own for user installation.
 2012-10-06 17:20:30 -04:00
Gary Ching-Pang Lin
f3104a7314 Use LibDeleteVariable in gnu-efi 2012-10-02 11:55:44 +08:00
Gary Ching-Pang Lin
6919a3f7c7 Make sure the variables are not broken 2012-09-21 16:44:56 +08:00
Gary Ching-Pang Lin
6577945fba Reject the binary when there is no key in MokList 2012-09-21 15:10:31 +08:00
Gary Ching-Pang Lin
a1239f096b Check the MOK list correctly 2012-09-20 10:28:00 +08:00
Gary Ching-Pang Lin
1041805a18 Abandon the variable, MokMgmt 2012-09-19 14:54:35 +08:00
Gary Ching-Pang Lin
a903fb1088 Copy the MOK list to a RT variable 
The RT variable, MokListRT, is a copy of MokList so that the
runtime applications can synchronize the key list without touching
the BS variable.
 2012-09-11 17:43:44 +08:00
Gary Ching-Pang Lin
1342297309 Use the machine owner keys to verify images 2012-09-11 16:39:12 +08:00
Gary Ching-Pang Lin
cec6a0a964 Always try StartImage first 2012-09-11 16:37:02 +08:00
Gary Ching-Pang Lin
e470969e4e Only launch MokManager when necessary 2012-09-11 16:34:25 +08:00
Gary Ching-Pang Lin
31d3bd054a Retrieve attributes of variables 
We have to make sure the machine owner key is stored in a BS
variable.
 2012-09-11 16:31:05 +08:00
Gary Ching-Pang Lin
000c565c06 Merge branch 'master' into mok-prototype3 
Conflicts:
	shim.c
 2012-09-07 18:22:34 +08:00
Gary Ching-Pang Lin
4b34567dd5 Load MokManager for MOK management 2012-09-07 18:11:45 +08:00
Gary Ching-Pang Lin
822d089e3d Make the image loading process more generic 2012-09-07 17:43:21 +08:00
Peter Jones
7430b90148 Break out of our db checking loop at the appropriate time. 
The break in check_db_cert is at the wrong level due to a typo in
indentation, and as a result only the last cert in the list can
correctly match.  Rectify that.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2012-09-06 12:13:44 -04:00
Matthew Garrett
ce78d2d250 Use the file size, not the image size field, for verification. 2012-09-06 12:13:44 -04:00
Peter Jones
8518b8cc1f Allow specification of vendor_cert through a build command line option. 
This allows you to specify the vendor_cert as a file on the command line
during build.
 2012-09-06 12:13:44 -04:00
Matthew Garrett
00ced0c125 Handle slightly stranger device paths 2012-07-13 00:30:22 -04:00
Matthew Garrett
bc6aaefa2d Make path generation more sensible 2012-07-11 10:58:15 -04:00
Matthew Garrett
5fe882ba74 Make sure ImageBase is set appropriately in the loaded_image protocol 2012-07-11 10:57:46 -04:00
Matthew Garrett
b2058cf897 Re-add whitelisting - needed for protocol validation 2012-07-05 16:39:25 -04:00
Matthew Garrett
6279b58e83 Check whether secure boot is enabled before performing verify call 2012-07-05 12:51:12 -04:00
Matthew Garrett
c13fc2f71f Fix up blacklist checking 
This was not quite as bugfree as would be hoped for.
 2012-07-02 14:43:18 -04:00
Matthew Garrett
1348448255 Remove whitelisting - the firmware will handle it via LoadImage/StartImage 2012-07-02 13:49:32 -04:00
Matthew Garrett
6eb1eca4f3 Fix type of buffersize 2012-07-02 11:54:21 -04:00
Matthew Garrett
f23d769727 Fix get_variable 2012-06-25 17:46:11 -04:00
Matthew Garrett
c16548d08b Add black/white listing 2012-06-25 10:59:08 -04:00
Matthew Garrett
3e890667fe Fix cert size 2012-06-19 15:25:02 -04:00
Matthew Garrett
0a232ca95c Uninstall protocol on exit 2012-06-18 17:31:42 -04:00
Matthew Garrett
3df68c187c Check binary against blacklist 2012-06-18 17:31:42 -04:00
Matthew Garrett
db54b0a4c6 Attempt to start image using LoadImage/StartImage first 2012-06-18 17:31:42 -04:00
Matthew Garrett
5bc80cec92 Check that platform is in user mode before doing any validation 2012-06-18 17:31:42 -04:00
Matthew Garrett
0db1af8aeb Minor cleanups 2012-06-07 14:00:48 -04:00
Matthew Garrett
7db60bd8c2 Rename variables 2012-06-05 10:56:45 -04:00
Matthew Garrett
f4b2473401 Install a protocol for sharing code with grub 2012-06-05 10:52:30 -04:00
Matthew Garrett
f898777d22 Some cleanups 2012-05-30 22:08:09 -04:00
Matthew Garrett
7f0553356c Add image verification 2012-05-30 18:36:46 -04:00
Matthew Garrett
9d56c38fd1 Fix path generation 2012-05-08 03:00:51 -04:00
Matthew Garrett
0e6b01958a Some additional paranoia 2012-04-11 17:13:07 -04:00
Matthew Garrett
b2fe178094 Initial commit 2012-04-11 13:59:55 -04:00