diff --git a/0002-Don-t-reject-all-binaries-without-a-certificate-data.patch b/0002-Don-t-reject-all-binaries-without-a-certificate-data.patch
deleted file mode 100644
index 220de58..0000000
--- a/0002-Don-t-reject-all-binaries-without-a-certificate-data.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From be73f6bd4f064015c9f12323e2fb2f51b8cdb631 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Tue, 22 Oct 2013 13:36:54 -0400
-Subject: [PATCH 2/5] Don't reject all binaries without a certificate database.
-
-If a binary isn't signed, but its hash is enrolled in db, it won't have
-a certificate database. So in those cases, don't check it against
-certificate databases in db/dbx/etc, but we don't need to reject it
-outright.
-
-Signed-off-by: Peter Jones
----
- shim.c | 70 +++++++++++++++++++++++++++++++++++-------------------------------
- 1 file changed, 37 insertions(+), 33 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 58136db..3d1febb 100644
---- a/shim.c
-+++ b/shim.c
-@@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
- SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
- DATA_FOUND)
- return EFI_ACCESS_DENIED;
-- if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
-- sha256hash) == DATA_FOUND)
-+ if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
-+ sha256hash) == DATA_FOUND)
- return EFI_ACCESS_DENIED;
-
- if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
-@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
- if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
- EFI_CERT_SHA1_GUID) == DATA_FOUND)
- return EFI_ACCESS_DENIED;
-- if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
-+ if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
-+ DATA_FOUND)
- return EFI_ACCESS_DENIED;
-
- return EFI_SUCCESS;
-@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
- update_verification_method(VERIFIED_BY_HASH);
- return EFI_SUCCESS;
- }
-- if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
-+ if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
-+ == DATA_FOUND) {
- verification_method = VERIFIED_BY_CERT;
-
update_verification_method(VERIFIED_BY_CERT);
- return EFI_SUCCESS;
-@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
- update_verification_method(VERIFIED_BY_HASH);
- return EFI_SUCCESS;
- }
-- if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
-+ if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
-+ DATA_FOUND) {
- verification_method = VERIFIED_BY_CERT;
- update_verification_method(VERIFIED_BY_CERT);
- return EFI_SUCCESS;
-@@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- UINT8 sha256hash[SHA256_DIGEST_SIZE];
- UINT8 sha1hash[SHA1_DIGEST_SIZE];
- EFI_STATUS status = EFI_ACCESS_DENIED;
-- WIN_CERTIFICATE_EFI_PKCS *cert;
-+ WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
- unsigned int size = datasize;
-
-- if (context->SecDir->Size == 0) {
-- Print(L"Empty security header\n");
-- return EFI_INVALID_PARAMETER;
-- }
--
-- cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
-+ if (context->SecDir->Size != 0) {
-+ cert = ImageAddress (data, size,
-+ context->SecDir->VirtualAddress);
-
-- if (!cert) {
-- Print(L"Certificate located outside the image\n");
-- return EFI_INVALID_PARAMETER;
-- }
-+ if (!cert) {
-+ Print(L"Certificate located outside the image\n");
-+ return EFI_INVALID_PARAMETER;
-+ }
-
-- if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-- Print(L"Unsupported certificate type %x\n",
-- cert->Hdr.wCertificateType);
-- return EFI_UNSUPPORTED;
-+ if (cert->Hdr.wCertificateType !=
-+ WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-+ Print(L"Unsupported certificate type %x\n",
-+ cert->Hdr.wCertificateType);
-+ return EFI_UNSUPPORTED;
-+ }
- }
-
- status = generate_hash(data, datasize, context, sha256hash, sha1hash);
-@@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- if (status == EFI_SUCCESS)
- return status;
-
-- /*
-- * Check against the shim build key
-- */
-- if (AuthenticodeVerify(cert->CertData,
-+ if (cert) {
-+ /*
-+ * Check against the shim build key
-+ */
-+ if (AuthenticodeVerify(cert->CertData,
- context->SecDir->Size - sizeof(cert->Hdr),
- shim_cert, sizeof(shim_cert), sha256hash,
- SHA256_DIGEST_SIZE)) {
-- status = EFI_SUCCESS;
-- return status;
-- }
-+ status = EFI_SUCCESS;
-+ return status;
-+ }
-
-
-- /*
-- * And finally, check against shim's built-in key
-- */
-- if (AuthenticodeVerify(cert->CertData,
-+ /*
-+ * And finally, check against shim's built-in key
-+ */
-+ if (AuthenticodeVerify(cert->CertData,
- context->SecDir->Size - sizeof(cert->Hdr),
- vendor_cert, vendor_cert_size, sha256hash,
- SHA256_DIGEST_SIZE)) {
-- status = EFI_SUCCESS;
-- return status;
-+ status = EFI_SUCCESS;
-+ return status;
-+ }
- }
-
- status = EFI_ACCESS_DENIED;
---
-1.8.3.1
-
diff --git a/0004-We-should-be-checking-both-mok-and-the-system-s-SB-s.patch b/0004-We-should-be-checking-both-mok-and-the-system-s-SB-s.patch
deleted file mode 100644
index 617c34d..0000000
--- a/0004-We-should-be-checking-both-mok-and-the-system-s-SB-s.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 83b3a7cf6d4d4e91579864cfc75dadf2b7304da9 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Mon, 28 Oct 2013 10:41:03 -0400
-Subject: [PATCH 4/5] We should be checking both mok and the system's SB
- settings
-
-When we call hook_system_services(), we're currently only checking mok's
-setting. We should use secure_mode() instead so it'll check both.
-
-Signed-off-by: Peter Jones
----
- shim.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shim.c b/shim.c
-index 537177d..9d0d884 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1718,7 +1718,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- /*
- * Tell the user that we're in insecure mode if necessary
- */
-- if (insecure_mode) {
-+ if (!secure_mode()) {
- Print(L"Booting in insecure mode\n");
- uefi_call_wrapper(BS->Stall, 1, 2000000);
- } else {
---
-1.8.3.1
-
diff --git a/0005-Don-t-free-GetVariable-return-data-without-checking-.patch b/0005-Don-t-free-GetVariable-return-data-without-checking-.patch
deleted file mode 100644
index e342960..0000000
--- a/0005-Don-t-free-GetVariable-return-data-without-checking-.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 556c445ea19fc257fe35ac1a67477e7352ba3fcd Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 30 Oct 2013 16:36:01 -0400
-Subject: [PATCH 5/5] Don't free GetVariable() return data without checking the
- status code.
-
-This breaks every machine from before Secure Boot was a thing.
-
-Signed-off-by: Peter Jones
----
- shim.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 9d0d884..0081342 100644
---- a/shim.c
-+++ b/shim.c
-@@ -456,21 +456,30 @@ static BOOLEAN secure_mode (void)
- return FALSE;
-
- status = get_variable(L"SecureBoot", &Data, &len, global_var);
-+ if (status != EFI_SUCCESS) {
-+ if (verbose)
-+ console_notify(L"Secure boot not enabled\n");
-+ return FALSE;
-+ }
- sb = *Data;
- FreePool(Data);
-
-- /* FIXME - more paranoia here? */
-- if (status != EFI_SUCCESS || sb != 1) {
-+ if (sb != 1) {
- if (verbose)
- console_notify(L"Secure boot not enabled\n");
- return FALSE;
- }
-
- status = get_variable(L"SetupMode", &Data, &len, global_var);
-+ if (status == EFI_SUCCESS) {
-+ if (verbose)
-+ console_notify(L"Platform is in setup mode\n");
-+ return FALSE;
-+ }
- setupmode = *Data;
- FreePool(Data);
-
-- if (status == EFI_SUCCESS && setupmode == 1) {
-+ if (setupmode == 1) {
- if (verbose)
- console_notify(L"Platform is in setup mode\n");
- return FALSE;
---
-1.8.3.1
-
diff --git a/shim-fedora.diff b/shim-fedora.diff
deleted file mode 100644
index 4e672ea..0000000
--- a/shim-fedora.diff
+++ /dev/null
@@ -1,7 +0,0 @@ -diff --git a/cert.h b/cert.h -index 380bc04..7b91a59 100644 ---- a/cert.h -+++ b/cert.h -@@ -1 +1 @@ --static UINT8 vendor_cert[] = {0x00}; -+static UINT8 vendor_cert[] = { 0x30, 0x82, 0x04, 0x2F, 0x30, 0x82, 0x03, 0x17, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xF7, 0xD9, 0x05, 0xDC, 0xFD, 0x96, 0x96, 0x21, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x76, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0D, 0x4D, 0x61, 0x73, 0x73, 0x61, 0x63, 0x68, 0x75, 0x73, 0x65, 0x74, 0x74, 0x73, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x61, 0x6D, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x23, 0x30, 0x21, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1A, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x79, 0x69, 0x6E, 0x67, 0x20, 0x43, 0x41, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x32, 0x30, 0x37, 0x30, 0x39, 0x31, 0x39, 0x31, 0x32, 0x34, 0x34, 0x5A, 0x17, 0x0D, 0x31, 0x33, 0x30, 0x37, 0x30, 0x39, 0x31, 0x39, 0x31, 0x32, 0x34, 0x34, 0x5A, 0x30, 0x74, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0D, 0x4D, 0x61, 0x73, 0x73, 0x61, 0x63, 0x68, 0x75, 0x73, 0x65, 0x74, 0x74, 0x73, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x61, 0x6D, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 
0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBF, 0x87, 0xF1, 0x75, 0x2C, 0x54, 0xC0, 0x51, 0xD3, 0x6C, 0x8C, 0x16, 0x9D, 0xD3, 0x90, 0x50, 0x19, 0x01, 0x81, 0x1C, 0xBA, 0xAF, 0xDD, 0x7D, 0x32, 0x5B, 0xA2, 0x50, 0xB6, 0x2C, 0x1C, 0x13, 0x13, 0x70, 0x1E, 0x83, 0x55, 0x93, 0xDF, 0x78, 0xBA, 0xDE, 0xE2, 0xF2, 0x32, 0xDB, 0x06, 0xB1, 0x72, 0x93, 0xE2, 0x5C, 0x13, 0x67, 0xD3, 0x2E, 0xA0, 0x0E, 0x54, 0xDB, 0xE7, 0xAC, 0x96, 0xBC, 0xF4, 0x7F, 0x31, 0x87, 0x60, 0x9D, 0x17, 0x57, 0xD1, 0xF0, 0x5F, 0x04, 0x64, 0x0A, 0x16, 0x52, 0x02, 0x86, 0x46, 0x56, 0x46, 0x20, 0x3E, 0x31, 0x90, 0x96, 0x3D, 0xB4, 0x38, 0x6D, 0x9C, 0xE7, 0xDF, 0xD0, 0xA9, 0xBC, 0x19, 0xC1, 0x22, 0xE7, 0xE1, 0x95, 0x04, 0xB1, 0x67, 0x49, 0x5E, 0x3F, 0x7D, 0xA2, 0x06, 0xF2, 0x65, 0x0A, 0xCF, 0x2A, 0xE4, 0x8B, 0x83, 0x27, 0x55, 0xBB, 0xF7, 0x2E, 0xB3, 0x80, 0x3A, 0x98, 0x97, 0xEF, 0x3D, 0x0E, 0x6B, 0x37, 0xA2, 0x3B, 0xB4, 0x62, 0xCD, 0xA3, 0xB9, 0x1F, 0x28, 0x50, 0xAF, 0xED, 0x1C, 0x02, 0xB0, 0xFA, 0x0D, 0x18, 0x3D, 0x81, 0x82, 0xD2, 0xED, 0xB8, 0x77, 0x00, 0x66, 0xA0, 0x1B, 0xB6, 0xB1, 0x5F, 0x2B, 0x59, 0x33, 0x32, 0xD6, 0x1C, 0xA6, 0xC7, 0x02, 0x06, 0x60, 0xA2, 0x2E, 0xC5, 0x1E, 0x93, 0x84, 0xFC, 0x82, 0xF6, 0x15, 0x82, 0x99, 0x71, 0x64, 0x83, 0xD9, 0x80, 0x4E, 0x09, 0xEC, 0xF6, 0x23, 0x48, 0xB1, 0x96, 0x2A, 0x13, 0xA1, 0xE1, 0x91, 0xF8, 0x35, 0xF2, 0x61, 0x42, 0xB4, 0x7D, 0x8D, 0x70, 0x38, 0x3C, 0xDC, 0xEB, 0x1E, 0x0B, 0x97, 0x2F, 0x27, 0x60, 0xE0, 0x28, 0x18, 0x77, 0x55, 0xE8, 0x30, 0x35, 0x58, 0xBF, 0x85, 0x99, 0xA4, 0x2B, 0xA2, 0x6E, 0x70, 0xAE, 0xDD, 0x36, 0x2F, 0xCF, 0x49, 0xC3, 0x6A, 0xCF, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x35, 0x80, 0xCF, 0x35, 0xD7, 0x6B, 0x3B, 0x66, 0x7A, 0x40, 0xDF, 0x66, 0x69, 0x1C, 
0xBC, 0xF8, 0x73, 0x53, 0xB2, 0x3C, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x08, 0xA0, 0xEF, 0x58, 0x00, 0xCB, 0x02, 0xFB, 0x58, 0x7C, 0x12, 0xB4, 0x03, 0x25, 0x9C, 0x7D, 0x4E, 0xF1, 0x5D, 0x1C, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x03, 0x07, 0xFF, 0x80, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x18, 0x30, 0x16, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x01, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x3F, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x01, 0x0D, 0x04, 0x32, 0x16, 0x30, 0x54, 0x65, 0x73, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x7C, 0xC1, 0x9E, 0xF4, 0xD4, 0xDD, 0x85, 0x4E, 0xF2, 0xA9, 0x34, 0xDE, 0xB6, 0x76, 0x8C, 0x4D, 0x27, 0x53, 0x53, 0x81, 0x61, 0xF3, 0x64, 0xC0, 0x3E, 0xF4, 0x45, 0x05, 0x34, 0x74, 0x58, 0x0E, 0xA8, 0xD8, 0xF8, 0x78, 0x65, 0xD7, 0x7D, 0xE5, 0xB7, 0x15, 0xC0, 0xD6, 0x4E, 0x3A, 0xFC, 0x44, 0x9D, 0xF8, 0x37, 0x29, 0x7E, 0xE6, 0x09, 0x2F, 0x66, 0x82, 0xA1, 0xC8, 0xD8, 0x15, 0xA0, 0xE8, 0xB9, 0x2F, 0x6F, 0x77, 0x06, 0x36, 0xBE, 0x01, 0x81, 0x7C, 0x70, 0x4F, 0xF0, 0xF3, 0xD9, 0x01, 0x7E, 0x97, 0x98, 0x93, 0x59, 0xE2, 0x4F, 0x26, 0xBC, 0xFA, 0x07, 0x59, 0x11, 0xD9, 0x2B, 0xEF, 0x84, 0x30, 0xA4, 0xF0, 0x53, 0xBD, 0x22, 0x28, 0xDC, 0x18, 0xDD, 0x71, 0x9A, 0x35, 0x28, 0x3E, 0x72, 0x9E, 0xD0, 0x36, 0x53, 0x9C, 0xF8, 0x66, 0x7E, 0x76, 0x29, 0xF7, 0xEA, 0x03, 0x9A, 0x6B, 0x6E, 0x90, 0x70, 0x3B, 0x2A, 0xDD, 0xD1, 0xCA, 0x9C, 0x1F, 0x8A, 0x84, 0x31, 0xF8, 0x86, 0xA1, 0x08, 0x8A, 0x7D, 0x01, 
0xE2, 0xBE, 0x74, 0x93, 0xF6, 0xF4, 0x5F, 0x2F, 0xC6, 0x4C, 0xDB, 0xE5, 0x6E, 0xE9, 0xB9, 0xF4, 0x7A, 0x95, 0xFB, 0x64, 0x05, 0x78, 0xDE, 0x0D, 0xEF, 0xCC, 0x7A, 0x47, 0x81, 0xBF, 0xCA, 0xC1, 0x85, 0x6D, 0x40, 0xDF, 0x17, 0x19, 0x80, 0xC5, 0x54, 0xBF, 0x12, 0x7F, 0x34, 0xB1, 0x1D, 0x60, 0x0C, 0x53, 0x5E, 0xA8, 0xE8, 0xB6, 0x93, 0x84, 0x49, 0x2C, 0x5D, 0x01, 0x9A, 0xD9, 0x1A, 0xE0, 0x19, 0xDC, 0xE9, 0xCA, 0x30, 0x68, 0xFE, 0xAB, 0xAB, 0x65, 0xBD, 0x14, 0x2C, 0x67, 0x4A, 0x84, 0x4F, 0xB3, 0x9E, 0xC1, 0xD4, 0x2D, 0x6E, 0xF3, 0x5B, 0xE4, 0x82, 0x6D, 0xCB, 0x9F, 0xED, 0xEC, 0xCB, 0xB8, 0x03, 0x74, 0xFD, 0x0C, 0x3C, 0x32, 0x82, 0xFD, 0xF9, 0xE2}; diff --git a/shim-image-size.patch b/shim-image-size.patch deleted file mode 100644 index 9edd419..0000000 --- a/shim-image-size.patch +++ /dev/null 
@@ -1,63 +0,0 @@
-From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett
-Date: Tue, 14 Aug 2012 06:50:00 -0400
-Subject: [PATCH] Use the file size, not the image size field, for
- verification.
-
----
- shim.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 2d9044d..6a3c054 100644
---- a/shim.c
-+++ b/shim.c
-@@ -555,7 +555,7 @@ done:
- /*
- * Read the binary header and grab appropriate information from it
- */
--static EFI_STATUS read_header(void *data,
-+static EFI_STATUS read_header(void *data, unsigned int datasize,
- PE_COFF_LOADER_IMAGE_CONTEXT *context)
- {
- EFI_IMAGE_DOS_HEADER *DosHdr = data;
-@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
- context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
- context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
-
-- if (context->SecDir->VirtualAddress >= context->ImageSize) {
-+ if (context->SecDir->VirtualAddress >= datasize) {
- Print(L"Malformed security header\n");
- return EFI_INVALID_PARAMETER;
- }
-@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
- /*
- * Once the image has been loaded it needs to be validated and relocated
- */
--static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
-+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
-+ EFI_LOADED_IMAGE *li)
- {
- EFI_STATUS efi_status;
- char *buffer;
-@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
- char *base, *end;
- PE_COFF_LOADER_IMAGE_CONTEXT context;
-
-- efi_status = read_header(data, &context);
-+ efi_status = read_header(data, datasize, &context);
- if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to read header\n");
- return efi_status;
-@@ -843,7
+844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
- if (!secure_mode())
- return EFI_SUCCESS;
-
-- status = read_header(buffer, &context);
-+ status = read_header(buffer, size, &context);
-
- if (status != EFI_SUCCESS)
- return status;
---
-1.7.11.2
-
diff --git a/shim-vendor-cert-file.patch b/shim-vendor-cert-file.patch
deleted file mode 100644
index 09e8ab1..0000000
--- a/shim-vendor-cert-file.patch
+++ /dev/null
@@ -1,129 +0,0 @@ -From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 13 Aug 2012 17:06:46 -0400 -Subject: [PATCH] Allow specification of vendor_cert through a build command - line option. - -This allows you to specify the vendor_cert as a file on the command line -during build. ---- - Makefile | 16 +++++++++++----- - cert.S | 32 ++++++++++++++++++++++++++++++++ - cert.h | 1 - - shim.c | 6 +++--- - 4 files changed, 46 insertions(+), 9 deletions(-) - create mode 100644 cert.S - delete mode 100644 cert.h - -diff --git a/Makefile b/Makefile -index 1e3a020..66b105f 100644 ---- a/Makefile -+++ b/Makefile -@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds - -- - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall -mno-red-zone \ - $(EFI_INCLUDES) - ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER - endif -+ifneq ($(origin VENDOR_CERT_FILE), undefined) -+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" -+endif -+ - LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) - --TARGET = shim.efi --OBJS = shim.o shim.so --SOURCES = shim.c shim.h signature.h PeImage.h cert.h -+TARGET = shim.efi -+OBJS = shim.o cert.o -+SOURCES = shim.c shim.h signature.h PeImage.h - - all: $(TARGET) - - shim.o: $(SOURCES) - --shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a -+cert.o : cert.S -+ $(CC) $(CFLAGS) -c -o $@ $< -+ -+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o - $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) - - Cryptlib/libcryptlib.a: -diff --git a/cert.S b/cert.S -new file mode 100644 -index 0000000..129bab5 ---- /dev/null -+++ b/cert.S -@@ -0,0 +1,32 @@ -+#if defined(VENDOR_CERT_FILE) -+ .globl vendor_cert -+ 
.data -+ .align 16 -+ .type vendor_cert, @object -+ .size vendor_cert_size, vendor_cert_size-vendor_cert -+vendor_cert: -+.incbin VENDOR_CERT_FILE -+ -+ .globl vendor_cert_size -+ .data -+ .align 16 -+ .type vendor_cert_size, @object -+ .size vendor_cert_size, 4 -+vendor_cert_size: -+ .long vendor_cert_size - vendor_cert -+#else -+ .globl vendor_cert -+ .bss -+ .type vendor_cert, @object -+ .size vendor_cert, 1 -+vendor_cert: -+ .zero 1 -+ -+ .globl vendor_cert_size -+ .data -+ .align 4 -+ .type vendor_cert_size, @object -+ .size vendor_cert_size, 4 -+vendor_cert_size: -+ .long 1 -+#endif -diff --git a/cert.h b/cert.h -deleted file mode 100644 -index 380bc04..0000000 ---- a/cert.h -+++ /dev/null -@@ -1 +0,0 @@ --static UINT8 vendor_cert[] = {0x00}; -diff --git a/shim.c b/shim.c -index fc3dafc..2d9044d 100644 ---- a/shim.c -+++ b/shim.c -@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB - /* - * The vendor certificate used for validating the second stage loader - */ -- --#include "cert.h" -+extern UINT8 vendor_cert[]; -+extern UINT32 vendor_cert_size; - - #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} - -@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - - if (!AuthenticodeVerify(cert->CertData, - context->SecDir->Size - sizeof(cert->Hdr), -- vendor_cert, sizeof(vendor_cert), hash, -+ vendor_cert, vendor_cert_size, hash, - SHA256_DIGEST_SIZE)) { - Print(L"Invalid signature\n"); - status = EFI_ACCESS_DENIED; --- -1.7.11.2 -