From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 13 Aug 2012 17:06:46 -0400 Subject: [PATCH] Allow specification of vendor_cert through a build command line option. This allows you to specify the vendor_cert as a file on the command line during build. --- Makefile | 16 +++++++++++----- cert.S | 32 ++++++++++++++++++++++++++++++++ cert.h | 1 - shim.c | 6 +++--- 4 files changed, 46 insertions(+), 9 deletions(-) create mode 100644 cert.S delete mode 100644 cert.h diff --git a/Makefile b/Makefile index 1e3a020..66b105f 100644 --- a/Makefile +++ b/Makefile @@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -Wall -mno-red-zone \ $(EFI_INCLUDES) ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER endif +ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" +endif + LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -TARGET = shim.efi -OBJS = shim.o shim.so -SOURCES = shim.c shim.h signature.h PeImage.h cert.h +TARGET = shim.efi +OBJS = shim.o cert.o +SOURCES = shim.c shim.h signature.h PeImage.h all: $(TARGET) shim.o: $(SOURCES) -shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a +cert.o : cert.S + $(CC) $(CFLAGS) -c -o $@ $< + +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) Cryptlib/libcryptlib.a: diff --git a/cert.S b/cert.S new file mode 100644 index 0000000..129bab5 --- /dev/null +++ b/cert.S @@ -0,0 +1,32 @@ +#if defined(VENDOR_CERT_FILE) + .globl vendor_cert + .data + .align 16 + .type vendor_cert, @object + .size vendor_cert_size, vendor_cert_size-vendor_cert +vendor_cert: +.incbin VENDOR_CERT_FILE + + .globl vendor_cert_size + .data + .align 16 + .type vendor_cert_size, @object + .size vendor_cert_size, 4 +vendor_cert_size: + .long vendor_cert_size - vendor_cert +#else + .globl vendor_cert + .bss + .type vendor_cert, @object + .size vendor_cert, 1 +vendor_cert: + .zero 1 + + .globl vendor_cert_size + .data + .align 4 + .type vendor_cert_size, @object + .size vendor_cert_size, 4 +vendor_cert_size: + .long 1 +#endif diff --git a/cert.h b/cert.h deleted file mode 100644 index 380bc04..0000000 --- a/cert.h +++ /dev/null @@ -1 +0,0 @@ -static UINT8 vendor_cert[] = {0x00}; diff --git a/shim.c b/shim.c index fc3dafc..2d9044d 100644 --- a/shim.c +++ b/shim.c @@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB /* * The vendor certificate used for validating the second stage loader */ - -#include "cert.h" +extern UINT8 vendor_cert[]; +extern UINT32 vendor_cert_size; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} @@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (!AuthenticodeVerify(cert->CertData, context->SecDir->Size - sizeof(cert->Hdr), - vendor_cert, sizeof(vendor_cert), hash, + vendor_cert, vendor_cert_size, hash, SHA256_DIGEST_SIZE)) { Print(L"Invalid signature\n"); status = EFI_ACCESS_DENIED; -- 1.7.11.2