Blob Blame Raw
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 13 Aug 2012 17:06:46 -0400
Subject: [PATCH] Allow specification of vendor_cert through a build command
 line option.

This allows you to specify the vendor_cert as a file on the command line
during build.
---
 Makefile | 16 +++++++++++-----
 cert.S   | 32 ++++++++++++++++++++++++++++++++
 cert.h   |  1 -
 shim.c   |  6 +++---
 4 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100644 cert.S
 delete mode 100644 cert.h

diff --git a/Makefile b/Makefile
index 1e3a020..66b105f 100644
--- a/Makefile
+++ b/Makefile
@@ -14,24 +14,30 @@ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
 EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
 EFI_LDS		= $(EFI_PATH)/elf_$(ARCH)_efi.lds
 
-
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
 		  -Wall -mno-red-zone \
 		  $(EFI_INCLUDES)
 ifeq ($(ARCH),x86_64)
 	CFLAGS	+= -DEFI_FUNCTION_WRAPPER
 endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
 LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
 
-TARGET		= shim.efi
-OBJS		= shim.o shim.so
-SOURCES		= shim.c shim.h signature.h PeImage.h cert.h
+TARGET	= shim.efi
+OBJS	= shim.o cert.o
+SOURCES	= shim.c shim.h signature.h PeImage.h
 
 all: $(TARGET)
 
 shim.o: $(SOURCES)
 
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+cert.o : cert.S
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
 
 Cryptlib/libcryptlib.a:
diff --git a/cert.S b/cert.S
new file mode 100644
index 0000000..129bab5
--- /dev/null
+++ b/cert.S
@@ -0,0 +1,32 @@
+#if defined(VENDOR_CERT_FILE)
+	.globl	vendor_cert
+	.data
+	.align	16
+	.type	vendor_cert, @object
+	.size	vendor_cert_size, vendor_cert_size-vendor_cert
+vendor_cert:
+.incbin VENDOR_CERT_FILE
+
+	.globl	vendor_cert_size
+	.data
+	.align	16
+	.type	vendor_cert_size, @object
+	.size	vendor_cert_size, 4
+vendor_cert_size:
+	.long	vendor_cert_size - vendor_cert
+#else
+	.globl	vendor_cert
+	.bss
+	.type	vendor_cert, @object
+	.size	vendor_cert, 1
+vendor_cert:
+	.zero	1
+
+	.globl	vendor_cert_size
+	.data
+	.align 4
+	.type	vendor_cert_size, @object
+	.size	vendor_cert_size, 4
+vendor_cert_size:
+	.long	1
+#endif
diff --git a/cert.h b/cert.h
deleted file mode 100644
index 380bc04..0000000
--- a/cert.h
+++ /dev/null
@@ -1 +0,0 @@
-static UINT8 vendor_cert[] = {0x00};
diff --git a/shim.c b/shim.c
index fc3dafc..2d9044d 100644
--- a/shim.c
+++ b/shim.c
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
 /*
  * The vendor certificate used for validating the second stage loader
  */
-
-#include "cert.h"
+extern UINT8 vendor_cert[];
+extern UINT32 vendor_cert_size;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 
 	if (!AuthenticodeVerify(cert->CertData,
 				context->SecDir->Size - sizeof(cert->Hdr),
-				vendor_cert, sizeof(vendor_cert), hash,
+				vendor_cert, vendor_cert_size, hash,
 				SHA256_DIGEST_SIZE)) {
 		Print(L"Invalid signature\n");
 		status = EFI_ACCESS_DENIED;
-- 
1.7.11.2