Peter Jones 5c3bf32908 Don't allow anything with a small alignment in our PE files.
When I added 4990d3f I inadvertently made .data.ident and .rela.got
sections appear in the top-level section headers at file offsets not
aligned with PE->OptionalHeader.FileAlignment.  This results in a
section table that looks like:

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     00018648  0000000000005000  0000000000005000  00000400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         00093f45  000000000001e000  000000000001e000  00018c00  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  00000000000b2000  00000000000b2000  000acc00  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data.ident   000000e4  00000000000b3040  00000000000b3040  000ace40  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  4 .data         000291e8  00000000000b4000  00000000000b4000  000ad200  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  5 .vendor_cert  000003e2  00000000000de000  00000000000de000  000d6400  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynamic      000000f0  00000000000df000  00000000000df000  000d6800  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  7 .rela         0001aef8  00000000000e0000  00000000000e0000  000d6a00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .rela.got     00000060  00000000000faef8  00000000000faef8  000f1af8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .dynsym       0000ecd0  00000000000fb000  00000000000fb000  000f1e00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

rather than:

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     00018118  0000000000005000  0000000000005000  00000400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         00091898  000000000001e000  000000000001e000  00018600  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  00000000000b0000  00000000000b0000  000aa000  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data         00028848  00000000000b1000  00000000000b1000  000aa200  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  4 .vendor_cert  00000449  00000000000da000  00000000000da000  000d2c00  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynamic      00000100  00000000000db000  00000000000db000  000d3200  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  6 .rela         0001ae50  00000000000dc000  00000000000dc000  000d3400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym       0000ea78  00000000000f7000  00000000000f7000  000ee400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

(Note "File off" on sections #3 and #8 on the top one.)

This seems to work fine with edk2's loader and shim's loader, as well as
their Authenticode implementation, and pesign's as well.

While PE loaders seem to be fine with sections with alignments smaller
than PE->OptionalHeader.FileAlignment, MS's signtool.exe does ...
something else with them.  I'm not sure what.  What it definitely does
*not* do is extend the digest based on their file offset and size.

So just don't allow anything that small, and don't allow anything
smaller than SectionAlignment either, just to be on the safe side.
Since most of our stuff gets stripped into the debuginfo anyway, and
shim has relatively few sections, this should not be a very large
burden.

So just to be clear:

If you have a binary with a section that's not aligned on
PE->OptionalHeader.FileAlignment:

- pesign hashes it to A
- tiano hashes it to A
- shim hashes it to A
- signtool.exe hashes it to B

Because that makes sense.

This patch works around the bug in signtool.exe.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-04-26 21:52:23 -04:00
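Added example, not shim's, pesign's or signtool's own code: a small Python checker that applies the rule this commit describes to a PE section table, flagging any section whose file offset is not a multiple of PE->OptionalHeader.FileAlignment or whose VMA is not a multiple of SectionAlignment, so a build can fail before a binary that the different hashers will disagree on is signed. The image it runs on by default is constructed from the first objdump listing above (same offsets and sizes, no section contents, names truncated to the 8-byte header field); give it a real .efi path as an argument to check that instead.

```python
"""Check a PE section table against FileAlignment / SectionAlignment.

Added example (not shim's code). It implements the rule from the commit
message: any file-backed section must start at a multiple of
FileAlignment in the file and at a multiple of SectionAlignment in memory.
"""
import struct
import sys

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_section_table(image: bytes):
    """Return (FileAlignment, SectionAlignment, [(name, vma, raw_size, file_off), ...])."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SectionAlignment and FileAlignment sit at offsets 32/36 in both PE32 and PE32+.
    section_alignment, file_alignment = struct.unpack_from("<II", image, opt + 32)
    sections = []
    base = opt + size_of_opt
    for i in range(num_sections):
        name, _vsize, vma, raw_size, file_off, *_rest = SECTION_HEADER.unpack_from(
            image, base + i * SECTION_HEADER.size)
        sections.append((name.rstrip(b"\0").decode("ascii"), vma, raw_size, file_off))
    return file_alignment, section_alignment, sections


def find_misaligned_sections(image: bytes):
    """List (name, reason) for every section the commit's rule would reject."""
    file_alignment, section_alignment, sections = parse_section_table(image)
    problems = []
    for name, vma, raw_size, file_off in sections:
        if raw_size == 0:
            continue                                      # nothing in the file to hash
        if file_off % file_alignment:
            problems.append((name, "file offset 0x%x is not a multiple of FileAlignment 0x%x"
                             % (file_off, file_alignment)))
        if vma % section_alignment:
            problems.append((name, "VMA 0x%x is not a multiple of SectionAlignment 0x%x"
                             % (vma, section_alignment)))
    return problems


def build_header_only_image(sections, file_alignment=0x200, section_alignment=0x1000):
    """Construct a header-only PE32+ image for testing (constructed data, no code).

    `sections` is a list of (name, vma, raw_size, file_off). Names longer than
    8 bytes are truncated; a real linker would put them in the string table.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_opt = 240                                     # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_opt, 0x0022)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", opt, 32, section_alignment, file_alignment)
    table = b"".join(
        SECTION_HEADER.pack(name.encode("ascii")[:8].ljust(8, b"\0"),
                            raw_size, vma, raw_size, file_off, 0, 0, 0, 0, 0x40000040)
        for name, vma, raw_size, file_off in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed from the section table in the commit message (the "top one"):
# only the sections needed to show the two offending entries are included.
SAMPLE_SECTIONS = [
    (".reloc",      0xb2000, 0x0a,    0xacc00),
    (".data.ident", 0xb3040, 0xe4,    0xace40),           # off by 0x40 from 0x200
    (".data",       0xb4000, 0x291e8, 0xad200),
    (".rela",       0xe0000, 0x1aef8, 0xd6a00),
    (".rela.got",   0xfaef8, 0x60,    0xf1af8),           # off by 0xf8 from 0x200
    (".dynsym",     0xfb000, 0xecd0,  0xf1e00),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_header_only_image(SAMPLE_SECTIONS)
    for name, reason in find_misaligned_sections(image):
        print("%-8s %s" % (name, reason))
```

Run against the constructed image it reports the two sections the commit calls out (under their truncated names); every other section passes both checks, which matches the "rather than" listing once those sections are gone.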
Cryptlib Cryptlib: replace CryptPem with the Null version 2017-04-11 10:42:19 -04:00
include Add HTTP and IpConfig headers 2016-09-06 14:49:52 -04:00
lib More incorrect unsigned vs signed fixups from yours truly. 2015-06-29 14:41:21 -04:00
.gitignore Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
fallback.c Improve BOOT${ARCH}.CSV support. 2016-09-06 14:39:15 -04:00
hexdump.h Add a utility hexdump() call we can use when we need it. 2015-11-17 11:39:28 -05:00
httpboot.c Fix some i386 type casting errors 2017-03-27 14:16:42 -04:00
httpboot.h Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile make tag: always tag latest-release as well 2017-04-10 12:27:52 -04:00
MokManager.c MokManager: Update to new openssl API 2017-04-11 10:42:19 -04:00
MokVars.txt Add support for disabling db for verification 2013-10-02 11:29:34 -04:00
netboot.c Make translate_slashes() public 2016-09-06 14:49:52 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c Cryptlib: remove DES 2017-04-11 10:42:19 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Replace build instructions in README with something not completely wrong. 2014-07-21 16:15:07 -04:00
README.fallback Improve BOOT${ARCH}.CSV support. 2016-09-06 14:39:15 -04:00
replacements.c Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c shim: Remove the obsolete OBJ_cleanup 2017-04-11 10:42:19 -04:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update for Josh's changes. 2013-10-02 13:33:52 -04:00
tpm.c shim/tpm: correct the definition of the capability structure version 1.0 2017-02-06 11:18:07 -05:00
tpm.h shim/tpm: the EFI_TCG2_BOOT_SERVICE_CAPABILITY structure shouldn't be packed 2017-02-06 11:18:07 -05:00
ucs2.h Don't test for the 0 character on the wrong half of the UCS2-LE char. 2015-11-17 11:41:12 -05:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds, and neither the binary nor the signing key is blacklisted, shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".