When we call hook_system_services(), we're currently only checking mok's
setting. We should use secure_mode() instead so it'll check both.
Signed-off-by: Peter Jones <pjones@redhat.com>
When we call hook_system_services(), we're currently only checking mok's
setting. We should use secure_mode() instead so it'll check both.
Signed-off-by: Peter Jones <pjones@redhat.com>
This reverts commit 21e40f0174.
In principle I like the idea of what's going on here, but
generate_hash() really does need to have the expected result.
This reverts commit 21e40f0174.
In principle I like the idea of what's going on here, but
generate_hash() really does need to have the expected result.
If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database. So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.
Signed-off-by: Peter Jones <pjones@redhat.com>
If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database. So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.
Signed-off-by: Peter Jones <pjones@redhat.com>
This adds additional bounds-checking on the section sizes. Also adds
-Wsign-compare to the Makefile and replaces some signed variables with
unsigned counteparts for robustness.
Signed-off-by: Kees Cook <kees@ubuntu.com>
This adds additional bounds-checking on the section sizes. Also adds
-Wsign-compare to the Makefile and replaces some signed variables with
unsigned counteparts for robustness.
Signed-off-by: Kees Cook <kees@ubuntu.com>
This is:
Fix a bug in OpensslLib that PKCS7_verify will use over 8k stack space.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
from upstream.
This is:
Fix a bug in OpensslLib that PKCS7_verify will use over 8k stack space.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
from upstream.
Provide a mechanism for a physically present end user to disable the use
of db when doing signature verification. This is handled by the OS passing
down a variable that contains a UINT32 and a SHA256 hash. If this variable
is present, MokManager prompts the user to choose whether to enable or
disable the use of db for verification purposes (depending on the value of
the UINT32). They are then asked to type the passphrase that matches the
hash. This then saves a boot services variable which is checked by shim,
and if set will cause shim to not use db for verification purposes. If
db is to be ignored, shim will export a runtime variable called
'MokIgnoreDB' for the OS to query at runtime.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Provide a mechanism for a physically present end user to disable the use
of db when doing signature verification. This is handled by the OS passing
down a variable that contains a UINT32 and a SHA256 hash. If this variable
is present, MokManager prompts the user to choose whether to enable or
disable the use of db for verification purposes (depending on the value of
the UINT32). They are then asked to type the passphrase that matches the
hash. This then saves a boot services variable which is checked by shim,
and if set will cause shim to not use db for verification purposes. If
db is to be ignored, shim will export a runtime variable called
'MokIgnoreDB' for the OS to query at runtime.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
If we don't do this, an old key winds up being reused and
MokManager.efi.signed is signed with a different key than shim_cert
reflects.
Signed-off-by: Peter Jones <pjones@redhat.com>
If we don't do this, an old key winds up being reused and
MokManager.efi.signed is signed with a different key than shim_cert
reflects.
Signed-off-by: Peter Jones <pjones@redhat.com>
This gets rid of a lot of type casting that we don't need, and helps
reduce warnings when I switch a bunch of gnu-efi stuff to taking const
arguments.
Signed-off-by: Peter Jones <pjones@redhat.com>
This gets rid of a lot of type casting that we don't need, and helps
reduce warnings when I switch a bunch of gnu-efi stuff to taking const
arguments.
Signed-off-by: Peter Jones <pjones@redhat.com>
This shouldn't be exploitable unless you've got a way to make
InstallProtocol fail and still, for example, have memory free to
actually load and run something.
Signed-off-by: Peter Jones <pjones@redhat.com>
This shouldn't be exploitable unless you've got a way to make
InstallProtocol fail and still, for example, have memory free to
actually load and run something.
Signed-off-by: Peter Jones <pjones@redhat.com>
