rpms / shim

Clone
Source Code
GIT

Files

  1.   f12ea5ef3a6abe2764932effe8c43cb7dda65200
  2.   0002-Don-t-reject-all-binaries-without-a-certificate-data.patch
Blob Blame History Raw 
From be73f6bd4f064015c9f12323e2fb2f51b8cdb631 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 22 Oct 2013 13:36:54 -0400
Subject: [PATCH 2/5] Don't reject all binaries without a certificate database.

If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database.  So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 shim.c | 70 +++++++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 37 insertions(+), 33 deletions(-)

diff --git a/shim.c b/shim.c
index 58136db..3d1febb 100644
--- a/shim.c
+++ b/shim.c
@@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
 				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
-	if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
-				 sha256hash) == DATA_FOUND)
+	if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
+					 sha256hash) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 
 	if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
 			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
-	if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
+	if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
+				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 
 	return EFI_SUCCESS;
@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 			update_verification_method(VERIFIED_BY_HASH);
 			return EFI_SUCCESS;
 		}
-		if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
+		if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
+					== DATA_FOUND) {
 			verification_method = VERIFIED_BY_CERT;
 			update_verification_method(VERIFIED_BY_CERT);
 			return EFI_SUCCESS;
@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		update_verification_method(VERIFIED_BY_HASH);
 		return EFI_SUCCESS;
 	}
-	if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
+	if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
+				DATA_FOUND) {
 		verification_method = VERIFIED_BY_CERT;
 		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
@@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
 	EFI_STATUS status = EFI_ACCESS_DENIED;
-	WIN_CERTIFICATE_EFI_PKCS *cert;
+	WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
 	unsigned int size = datasize;
 
-	if (context->SecDir->Size == 0) {
-		Print(L"Empty security header\n");
-		return EFI_INVALID_PARAMETER;
-	}
-
-	cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
+	if (context->SecDir->Size != 0) {
+		cert = ImageAddress (data, size,
+				     context->SecDir->VirtualAddress);
 
-	if (!cert) {
-		Print(L"Certificate located outside the image\n");
-		return EFI_INVALID_PARAMETER;
-	}
+		if (!cert) {
+			Print(L"Certificate located outside the image\n");
+			return EFI_INVALID_PARAMETER;
+		}
 
-	if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-		Print(L"Unsupported certificate type %x\n",
-		      cert->Hdr.wCertificateType);
-		return EFI_UNSUPPORTED;
+		if (cert->Hdr.wCertificateType !=
+		    WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+			Print(L"Unsupported certificate type %x\n",
+				cert->Hdr.wCertificateType);
+			return EFI_UNSUPPORTED;
+		}
 	}
 
 	status = generate_hash(data, datasize, context, sha256hash, sha1hash);
@@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	if (status == EFI_SUCCESS)
 		return status;
 
-	/*
-	 * Check against the shim build key
-	 */
-	if (AuthenticodeVerify(cert->CertData,
+	if (cert) {
+		/*
+		 * Check against the shim build key
+		 */
+		if (AuthenticodeVerify(cert->CertData,
 			       context->SecDir->Size - sizeof(cert->Hdr),
 			       shim_cert, sizeof(shim_cert), sha256hash,
 			       SHA256_DIGEST_SIZE)) {
-		status = EFI_SUCCESS;
-		return status;
-	}
+			status = EFI_SUCCESS;
+			return status;
+		}
 
 
-	/*
-	 * And finally, check against shim's built-in key
-	 */
-	if (AuthenticodeVerify(cert->CertData,
+		/*
+		 * And finally, check against shim's built-in key
+		 */
+		if (AuthenticodeVerify(cert->CertData,
 			       context->SecDir->Size - sizeof(cert->Hdr),
 			       vendor_cert, vendor_cert_size, sha256hash,
 			       SHA256_DIGEST_SIZE)) {
-		status = EFI_SUCCESS;
-		return status;
+			status = EFI_SUCCESS;
+			return status;
+		}
 	}
 
 	status = EFI_ACCESS_DENIED;
-- 
1.8.3.1
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.