From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 13 Aug 2012 17:06:46 -0400
Subject: [PATCH] Allow specification of vendor_cert through a build command
line option.
This allows you to specify the vendor_cert as a file on the command line
during build.
---
Makefile | 16 +++++++++++-----
cert.S | 32 ++++++++++++++++++++++++++++++++
cert.h | 1 -
shim.c | 6 +++---
4 files changed, 46 insertions(+), 9 deletions(-)
create mode 100644 cert.S
delete mode 100644 cert.h
diff --git a/Makefile b/Makefile
index 1e3a020..66b105f 100644
--- a/Makefile
+++ b/Makefile
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
-
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall -mno-red-zone \
$(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
-TARGET = shim.efi
-OBJS = shim.o shim.so
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
+TARGET = shim.efi
+OBJS = shim.o cert.o
+SOURCES = shim.c shim.h signature.h PeImage.h
all: $(TARGET)
shim.o: $(SOURCES)
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
Cryptlib/libcryptlib.a:
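Review bot: The new `cert.o : cert.S` rule does not list the certificate file as a prerequisite, so when the file named by VENDOR_CERT_FILE is replaced make can keep the old cert.o and link a shim that still embeds the previous trust anchor. Adding it to the rule, `cert.o : cert.S $(VENDOR_CERT_FILE)`, covers a content change (the variable expands to nothing when unset); switching or dropping the variable between builds still needs a clean rebuild. Separately, `$(origin VENDOR_CERT_FILE)` is not `undefined` for an empty value, which would pass `-DVENDOR_CERT_FILE=\"\"` through to the `.incbin` in cert.S; testing `ifneq ($(strip $(VENDOR_CERT_FILE)),)` avoids that.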
diff --git a/cert.S b/cert.S
new file mode 100644
index 0000000..129bab5
--- /dev/null
+++ b/cert.S
@@ -0,0 +1,32 @@
+#if defined(VENDOR_CERT_FILE)
+ .globl vendor_cert
+ .data
+ .align 16
+ .type vendor_cert, @object
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
+vendor_cert:
+.incbin VENDOR_CERT_FILE
+
+ .globl vendor_cert_size
+ .data
+ .align 16
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long vendor_cert_size - vendor_cert
+#else
+ .globl vendor_cert
+ .bss
+ .type vendor_cert, @object
+ .size vendor_cert, 1
+vendor_cert:
+ .zero 1
+
+ .globl vendor_cert_size
+ .data
+ .align 4
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long 1
+#endif
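Review bot: `vendor_cert_size` is computed as `vendor_cert_size - vendor_cert`, but the second `.align 16` sits between the `.incbin` and the `vendor_cert_size:` label, so the stored length is the file length rounded up to the next 16-byte boundary and the padding bytes are handed to the verifier as part of the certificate. An end label directly after the include fixes this: add `vendor_cert_end:` after `.incbin VENDOR_CERT_FILE` and emit `.long vendor_cert_end - vendor_cert`. The first `.size` directive also names the wrong symbol and should read `.size vendor_cert, vendor_cert_end - vendor_cert`. Because the certificate is only read, a read-only section instead of `.data` would be the more defensive placement, if the EFI linker script in use keeps such a section.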
diff --git a/cert.h b/cert.h
deleted file mode 100644
index 380bc04..0000000
--- a/cert.h
+++ /dev/null
@@ -1 +0,0 @@
-static UINT8 vendor_cert[] = {0x00};
diff --git a/shim.c b/shim.c
index fc3dafc..2d9044d 100644
--- a/shim.c
+++ b/shim.c
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
/*
* The vendor certificate used for validating the second stage loader
*/
-
-#include "cert.h"
+extern UINT8 vendor_cert[];
+extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
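Review bot: The comment above the two `extern` declarations still describes only the certificate and does not say that both symbols now come from cert.S, where `vendor_cert_size` is emitted with `.long`; nothing ties that 4-byte definition to the `UINT32` declared here. I would extend the comment, e.g. `/* vendor_cert and vendor_cert_size are defined in cert.S; the size is a 32-bit value and is 1 (a single zero byte) when no VENDOR_CERT_FILE was given at build time. */`. Declaring the array as `extern const UINT8 vendor_cert[];` would also document that shim never writes to its trust anchor, provided AuthenticodeVerify accepts a const pointer for the trusted certificate (its prototype is not visible here).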
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (!AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr),
- vendor_cert, sizeof(vendor_cert), hash,
+ vendor_cert, vendor_cert_size, hash,
SHA256_DIGEST_SIZE)) {
Print(L"Invalid signature\n");
status = EFI_ACCESS_DENIED;
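Review bot: In a build without VENDOR_CERT_FILE, cert.S supplies a one-byte zero placeholder with `vendor_cert_size` set to 1, and this call still passes it to AuthenticodeVerify as the trusted certificate, so rejection depends on how the library handles a malformed certificate rather than on an explicit check. A guard ahead of the call, for example `if (vendor_cert_size <= 1) { status = EFI_ACCESS_DENIED; }` followed by the function's normal exit path, would make the no-certificate case fail closed by construction. verify_buffer starts and ends outside this hunk, so the exact placement and cleanup path have to be checked against the full function.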
--
1.7.11.2