From 2cbe25e8c36f2a4b97166232431ab9e23814e897 Mon Sep 17 00:00:00 2001
From: Mario Limonciello
Date: Thu, 9 Feb 2023 10:43:21 -0600
Subject: [PATCH] uefi-capsule: Copy in an updated shim if provided

If a shim is in the fwupd libexec/efi directory, it's intended to be paired with the fwupd binary.
---
 plugins/uefi-capsule/fu-uefi-bootmgr.c | 18 ++++++++----------
 plugins/uefi-capsule/fu-uefi-capsule-plugin.c | 2 +-
 plugins/uefi-capsule/fu-uefi-common.c | 17 +++++++++++++++--
 plugins/uefi-capsule/fu-uefi-common.h | 2 +-
 plugins/uefi-capsule/fu-uefi-device.c | 2 +-
 plugins/uefi-capsule/fu-uefi-grub-device.c | 2 +-
 6 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/plugins/uefi-capsule/fu-uefi-bootmgr.c b/plugins/uefi-capsule/fu-uefi-bootmgr.c
index 1fd6f456d..33bb94a9a 100644
--- a/plugins/uefi-capsule/fu-uefi-bootmgr.c
+++ b/plugins/uefi-capsule/fu-uefi-bootmgr.c
@@ -278,13 +278,14 @@ fu_uefi_bootmgr_bootnext(FuDevice *device,
 	g_autofree guint8 *opt = NULL;
 	g_autofree gchar *source_app = NULL;
 	g_autofree gchar *target_app = NULL;
+	g_autofree gchar *source_shim = NULL;
 
 	/* skip for self tests */
 	if (g_getenv("FWUPD_UEFI_TEST") != NULL)
 		return TRUE;
 
 	/* if secure boot was turned on this might need to be installed separately */
-	source_app = fu_uefi_get_built_app_path(error);
+	source_app = fu_uefi_get_built_app_path("fwupd", error);
 	if (source_app == NULL)
 		return FALSE;
 
@@ -292,19 +293,16 @@ fu_uefi_bootmgr_bootnext(FuDevice *device,
 	secure_boot = fu_efivar_secure_boot_enabled(NULL);
 	if (secure_boot) {
 		/* test to make sure shim is there if we need it */
+		source_shim = fu_uefi_get_built_app_path("shim", error);
+
 		shim_app = fu_uefi_get_esp_app_path(device, esp_path, "shim", error);
 		if (shim_app == NULL)
 			return FALSE;
 
-		/* try to fallback to use UEFI removable path if the shim path doesn't exist */
-		if (!g_file_test(shim_app, G_FILE_TEST_EXISTS)) {
-			if (fu_device_has_private_flag(
-				device,
-				FU_UEFI_DEVICE_FLAG_FALLBACK_TO_REMOVABLE_PATH)) {
-				g_free(shim_app);
-				shim_app =
-				    fu_uefi_get_fallback_app_path(device, esp_path, "boot", error);
-				if (shim_app == NULL)
+		/* copy in an updated shim if we have one */
+		if (g_file_test(source_shim, G_FILE_TEST_EXISTS)) {
+			if (!fu_uefi_cmp_asset(source_shim, shim_app)) {
+				if (!fu_uefi_copy_asset(source_shim, shim_app, error))
 					return FALSE;
 			}
 		}
diff --git a/plugins/uefi-capsule/fu-uefi-capsule-plugin.c b/plugins/uefi-capsule/fu-uefi-capsule-plugin.c
index c240cb9ca..c56b7e566 100644
--- a/plugins/uefi-capsule/fu-uefi-capsule-plugin.c
+++ b/plugins/uefi-capsule/fu-uefi-capsule-plugin.c
@@ -111,7 +111,7 @@ fu_uefi_capsule_plugin_fwupd_efi_probe(FuUefiCapsulePlugin *self, GError **error
 	g_autofree gchar *fn = NULL;
 
 	/* find the app binary */
-	fn = fu_uefi_get_built_app_path(error);
+	fn = fu_uefi_get_built_app_path("fwupd", error);
 	if (fn == NULL)
 		return FALSE;
 	self->fwupd_efi_file = g_file_new_for_path(fn);
diff --git a/plugins/uefi-capsule/fu-uefi-common.c b/plugins/uefi-capsule/fu-uefi-common.c
index e501c54ef..cbb38c4df 100644
--- a/plugins/uefi-capsule/fu-uefi-common.c
+++ b/plugins/uefi-capsule/fu-uefi-common.c
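Review bot: In the second fu-uefi-bootmgr.c hunk, `source_shim = fu_uefi_get_built_app_path("shim", error);` hands the caller's `error` to a lookup that is expected to fail whenever no shim ships in the EFI app directory (the commit message says "if provided"), so on that common path `*error` is left set while execution continues, and the following `g_file_test(source_shim, G_FILE_TEST_EXISTS)` is then called with a NULL filename; GLib also warns if a later call sets an error on top of the one already stored. Pass NULL for the error and guard the test: `source_shim = fu_uefi_get_built_app_path("shim", NULL);` and `if (source_shim != NULL && g_file_test(source_shim, G_FILE_TEST_EXISTS)) {`. The removed fallback to the removable-media path has no replacement in this hunk, so when neither a built shim nor an ESP shim exists the code appears to proceed with a non-existent shim_app; if FU_UEFI_DEVICE_FLAG_FALLBACK_TO_REMOVABLE_PATH is still set anywhere, confirm nothing relies on it here. fu_uefi_bootmgr_bootnext continues outside the hunk.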
@@ -85,8 +85,21 @@ fu_uefi_get_esp_app_path(FuDevice *device, const gchar *esp_path, const gchar *c
 	return g_strdup_printf("%s/%s%s.efi", base, cmd, suffix);
 }
 
+/**
+ * fu_uefi_get_built_app_path:
+ * @basename: the prefix for the binary
+ * @error: (nullable): optional return location for an error
+ *
+ * Gets the path intended to be used for an EFI binary on the local system.
+ * The binary is matched against the correct architecture and if secure
+ * boot is enabled.
+ *
+ * Returns: The full path to the binary, or %NULL if not found
+ *
+ * Since: 1.8.1
+ **/
 gchar *
-fu_uefi_get_built_app_path(GError **error)
+fu_uefi_get_built_app_path(const gchar *binary, GError **error)
 {
 	const gchar *suffix;
 	g_autofree gchar *prefix = NULL;
@@ -100,7 +113,7 @@ fu_uefi_get_built_app_path(GError **error)
 		return NULL;
 	prefix = fu_path_from_kind(FU_PATH_KIND_EFIAPPDIR);
 
-	source_path = g_strdup_printf("%s/fwupd%s.efi", prefix, suffix);
+	source_path = g_strdup_printf("%s/%s%s.efi", prefix, binary, suffix);
 	source_path_signed = g_strdup_printf("%s.signed", source_path);
 
 	source_path_exists = g_file_test(source_path, G_FILE_TEST_EXISTS);
diff --git a/plugins/uefi-capsule/fu-uefi-common.h b/plugins/uefi-capsule/fu-uefi-common.h
index 456bd3cc3..f480b05fe 100644
--- a/plugins/uefi-capsule/fu-uefi-common.h
+++ b/plugins/uefi-capsule/fu-uefi-common.h
@@ -69,7 +69,7 @@ fu_uefi_get_fallback_app_path(FuDevice *device,
 gchar *
 fu_uefi_get_esp_app_path(FuDevice *device, const gchar *esp_path, const gchar *cmd, GError **error);
 gchar *
-fu_uefi_get_built_app_path(GError **error);
+fu_uefi_get_built_app_path(const gchar *binary, GError **error);
 gboolean
 fu_uefi_get_bitmap_size(const guint8 *buf,
 			gsize bufsz,
diff --git a/plugins/uefi-capsule/fu-uefi-device.c b/plugins/uefi-capsule/fu-uefi-device.c
index 9bac0b819..ef6a20715 100644
--- a/plugins/uefi-capsule/fu-uefi-device.c
+++ b/plugins/uefi-capsule/fu-uefi-device.c
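Review bot: In the first fu-uefi-common.c hunk the new gtk-doc block documents `@basename`, but the parameter added to the prototype is named `binary`, so the annotation does not match the signature; rename it to `* @binary: the prefix for the binary, e.g. "fwupd" or "shim"`. The `Since: 1.8.1` tag looks copied from the old single-argument form, and since the signature changes in this commit it should be checked against the release this lands in. `binary` is also interpolated unchecked into the path in the second hunk of this file (`"%s/%s%s.efi"`), so a `g_return_val_if_fail(binary != NULL, NULL);` after the declarations would give callers a clear failure rather than a NULL being passed to the format. The body of fu_uefi_get_built_app_path continues outside the hunk.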
@@ -504,7 +504,7 @@ fu_uefi_device_write_update_info(FuUefiDevice *self,
 static gboolean
 fu_uefi_check_asset(FuDevice *device, GError **error)
 {
-	g_autofree gchar *source_app = fu_uefi_get_built_app_path(error);
+	g_autofree gchar *source_app = fu_uefi_get_built_app_path("fwupd", error);
 	if (source_app == NULL) {
 		if (fu_efivar_secure_boot_enabled(NULL))
 			g_prefix_error(error, "missing signed bootloader for secure boot: ");
diff --git a/plugins/uefi-capsule/fu-uefi-grub-device.c b/plugins/uefi-capsule/fu-uefi-grub-device.c
index bb57cb7b4..2920cff6f 100644
--- a/plugins/uefi-capsule/fu-uefi-grub-device.c
+++ b/plugins/uefi-capsule/fu-uefi-grub-device.c
@@ -170,7 +170,7 @@ fu_uefi_grub_device_write_firmware(FuDevice *device,
 		return FALSE;
 
 	/* if secure boot was turned on this might need to be installed separately */
-	source_app = fu_uefi_get_built_app_path(error);
+	source_app = fu_uefi_get_built_app_path("fwupd", error);
 	if (source_app == NULL)
 		return FALSE;
 