mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-08-14 15:45:30 +00:00
89d72301aa
When shim loads the second stage loader (e.g: GRUB) the FilePath field of the EFI_LOADED_IMAGE structure isn't updated with the path of the loaded binary. So it still contains the file path of the shim binary. This isn't a problem since the file path is currently not used. But should be used to set the DevicePath field of the EFI_IMAGE_LOAD_EVENT structure that is logged when measuring the PE/COFF binaries. In that case the TPM Event Log will have an incorrect file path for the measured binary, i.e: $ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements ... 00000a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |........4.\.E.F.| 00000a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| 00000a70 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 |\.s.h.i.m.x.6.4.| 00000a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.........| 00000a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 |................| 00000aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.....1....Xu....| 00000ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |.......grub_cmd | 00000ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.....| ... So update the EFI_LOADED_IMAGE structure with the second stage loader file path to have the correct value in the log, i.e: $ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements ... 00000a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |........4.\.E.F.| 00000a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| 00000a70 5c 00 67 00 72 00 75 00 62 00 78 00 36 00 34 00 |\.g.r.u.b.x.6.4.| 00000a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.........| 00000a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 |................| 00000aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.....1....Xu....| 00000ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |.......grub_cmd | 00000ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.....| ... Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Upstream-commit-id: cd7d42d493d |
||
|---|---|---|
| Cryptlib | ||
| include | ||
| lib | ||
| .gitignore | ||
| .syntastic_c_config | ||
| .travis.yml | ||
| buildid.c | ||
| BUILDING | ||
| cert.S | ||
| COPYRIGHT | ||
| crypt_blowfish.c | ||
| elf_aarch64_efi.lds | ||
| elf_arm_efi.lds | ||
| elf_ia32_efi.lds | ||
| elf_ia64_efi.lds | ||
| elf_x86_64_efi.lds | ||
| errlog.c | ||
| fallback.c | ||
| httpboot.c | ||
| make-certs | ||
| Make.coverity | ||
| Make.defaults | ||
| Make.rules | ||
| Make.scan-build | ||
| Makefile | ||
| model.c | ||
| mok.c | ||
| MokManager.c | ||
| MokVars.txt | ||
| netboot.c | ||
| PasswordCrypt.c | ||
| README | ||
| README.fallback | ||
| README.tpm | ||
| replacements.c | ||
| shim.c | ||
| shim.h | ||
| testplan.txt | ||
| TODO | ||
| tpm.c | ||
| travis-build.sh | ||
| version.c.in | ||
| version.h | ||
shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because secure boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not blacklisted then shim will relocate and execute the binary. shim will also install a protocol which permits the second-stage bootloader to perform similar binary validation. This protocol has a GUID as described in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, and so calls to it should not be wrapped. On systems with a TPM chip enabled and supported by the system firmware, shim will extend various PCRs with the digests of the targets it is loading. A full list is in the file README.tpm . To use shim, simply place a DER-encoded public certificate in a file such as pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". There are a couple of build options, and a couple of ways to customize the build, described in BUILDING.