From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Mon, 13 Aug 2012 17:06:46 -0400

Subject: [PATCH] Allow specification of vendor_cert through a build command

 line option.

This allows you to specify the vendor_cert as a file on the command line

during build.

---

 Makefile | 16 +++++++++++-----

 cert.S   | 32 ++++++++++++++++++++++++++++++++

 cert.h   |  1 -

 shim.c   |  6 +++---

 4 files changed, 46 insertions(+), 9 deletions(-)

 create mode 100644 cert.S

 delete mode 100644 cert.h

diff --git a/Makefile b/Makefile

index 1e3a020..66b105f 100644

--- a/Makefile

+++ b/Makefile

@@ -14,24 +14,30 @@ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/

 EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o

 EFI_LDS		= $(EFI_PATH)/elf_$(ARCH)_efi.lds

-

 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \

 		  -Wall -mno-red-zone \

 		  $(EFI_INCLUDES)

 ifeq ($(ARCH),x86_64)

 	CFLAGS	+= -DEFI_FUNCTION_WRAPPER

 endif

+ifneq ($(origin VENDOR_CERT_FILE), undefined)

+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"

+endif

+

 LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)

-TARGET		= shim.efi

-OBJS		= shim.o shim.so

-SOURCES		= shim.c shim.h signature.h PeImage.h cert.h

+TARGET	= shim.efi

+OBJS	= shim.o cert.o

+SOURCES	= shim.c shim.h signature.h PeImage.h

 all: $(TARGET)

 shim.o: $(SOURCES)

-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a

+cert.o : cert.S

+	$(CC) $(CFLAGS) -c -o $@ $<

+

+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o

 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

 Cryptlib/libcryptlib.a:

diff --git a/cert.S b/cert.S

new file mode 100644

index 0000000..129bab5

--- /dev/null

+++ b/cert.S

@@ -0,0 +1,32 @@

+#if defined(VENDOR_CERT_FILE)

+	.globl	vendor_cert

+	.data

+	.align	16

+	.type	vendor_cert, @object

+	.size	vendor_cert_size, vendor_cert_size-vendor_cert

+vendor_cert:

+.incbin VENDOR_CERT_FILE

+

+	.globl	vendor_cert_size

+	.data

+	.align	16

+	.type	vendor_cert_size, @object

+	.size	vendor_cert_size, 4

+vendor_cert_size:

+	.long	vendor_cert_size - vendor_cert

+#else

+	.globl	vendor_cert

+	.bss

+	.type	vendor_cert, @object

+	.size	vendor_cert, 1

+vendor_cert:

+	.zero	1

+

+	.globl	vendor_cert_size

+	.data

+	.align 4

+	.type	vendor_cert_size, @object

+	.size	vendor_cert_size, 4

+vendor_cert_size:

+	.long	1

+#endif

diff --git a/cert.h b/cert.h

deleted file mode 100644

index 380bc04..0000000

--- a/cert.h

+++ /dev/null

@@ -1 +0,0 @@

-static UINT8 vendor_cert[] = {0x00};

diff --git a/shim.c b/shim.c

index fc3dafc..2d9044d 100644

--- a/shim.c

+++ b/shim.c

@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB

 /*

  * The vendor certificate used for validating the second stage loader

  */

-

-#include "cert.h"

+extern UINT8 vendor_cert[];

+extern UINT32 vendor_cert_size;

 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}

@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,

 	if (!AuthenticodeVerify(cert->CertData,

 				context->SecDir->Size - sizeof(cert->Hdr),

-				vendor_cert, sizeof(vendor_cert), hash,

+				vendor_cert, vendor_cert_size, hash,

 				SHA256_DIGEST_SIZE)) {

 		Print(L"Invalid signature\n");

 		status = EFI_ACCESS_DENIED;

-- 

1.7.11.2