replacements.c 7.43 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
/*
 * shim - trivial UEFI first-stage bootloader
 *
 * Copyright 2012 Red Hat, Inc <mjg@redhat.com>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the
 * distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Significant portions of this code are derived from Tianocore
 * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel
 * Corporation.
 */

/*   Chemical agents lend themselves to covert use in sabotage against
 * which it is exceedingly difficult to visualize any really effective
 * defense... I will not dwell upon this use of CBW because, as one
 * pursues the possibilities of such covert uses, one discovers that the
 * scenarios resemble that in which the components of a nuclear weapon
 * are smuggled into New York City and assembled in the basement of the
 * Empire State Building.
 *   In other words, once the possibility is recognized to exist, about
 * all that one can do is worry about it.
 *   -- Dr. Ivan L Bennett, Jr., testifying before the Subcommittee on
 *      National Security Policy and Scientific Developments, November 20,
 *      1969.
 */

#include <efi.h>
#include <efiapi.h>
#include <efilib.h>
#include "shim.h"
#include "replacements.h"
55 56
#include "console.h"
#include "errors.h"
57 58 59

static EFI_SYSTEM_TABLE *systab;

60
static typeof(systab->BootServices->LoadImage) system_load_image;
61 62 63 64
static typeof(systab->BootServices->StartImage) system_start_image;
static typeof(systab->BootServices->Exit) system_exit;
static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;

65 66
static EFI_HANDLE last_loaded_image;

67
void
68 69
unhook_system_services(void)
{
70 71 72
	if (!systab)
		return;

73
	systab->BootServices->LoadImage = system_load_image;
74 75 76 77
	systab->BootServices->StartImage = system_start_image;
	systab->BootServices->ExitBootServices = system_exit_boot_services;
}

78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
static EFI_STATUS EFIAPI
load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle,
	EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer,
	UINTN SourceSize, EFI_HANDLE *ImageHandle)
{
	EFI_STATUS status;
	unhook_system_services();

	status = systab->BootServices->LoadImage(BootPolicy,
			ParentImageHandle, DevicePath,
			SourceBuffer, SourceSize, ImageHandle);
	hook_system_services(systab);
	if (EFI_ERROR(status))
		last_loaded_image = NULL;
	else
		last_loaded_image = *ImageHandle;
	return status;
}

97 98 99 100 101
static EFI_STATUS EFIAPI
start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data)
{
	EFI_STATUS status;
	unhook_system_services();
102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

	/* We have to uninstall shim's protocol here, because if we're
	 * On the fallback.efi path, then our call pathway is:
	 *
	 * shim->fallback->shim->grub
	 * ^               ^      ^
	 * |               |      \- gets protocol #0
	 * |               \- installs its protocol (#1)
	 * \- installs its protocol (#0)
	 * and if we haven't removed this, then grub will get the *first*
	 * shim's protocol, but it'll get the second shim's systab
	 * replacements.  So even though it will participate and verify
	 * the kernel, the systab never finds out.
	 */
	if (image_handle == last_loaded_image) {
		loader_is_participating = 1;
		uninstall_shim_protocols();
	}
120
	status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data);
121 122 123 124 125 126 127 128
	if (EFI_ERROR(status)) {
		if (image_handle == last_loaded_image) {
			EFI_STATUS status2 = install_shim_protocols();

			if (EFI_ERROR(status2)) {
				Print(L"Something has gone seriously wrong: %d\n",
					status2);
				Print(L"shim cannot continue, sorry.\n");
129
				msleep(5000000);
130 131 132 133 134
				systab->RuntimeServices->ResetSystem(
					EfiResetShutdown,
					EFI_SECURITY_VIOLATION, 0, NULL);
			}
		}
135
		hook_system_services(systab);
136 137
		loader_is_participating = 0;
	}
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
	return status;
}

static EFI_STATUS EFIAPI
exit_boot_services(EFI_HANDLE image_key, UINTN map_key)
{
	if (loader_is_participating || verification_method == VERIFIED_BY_HASH) {
		unhook_system_services();
		EFI_STATUS status;
		status = systab->BootServices->ExitBootServices(image_key, map_key);
		if (status != EFI_SUCCESS)
			hook_system_services(systab);
		return status;
	}

	Print(L"Bootloader has not verified loaded image.\n");
	Print(L"System is compromised.  halting.\n");
155
	msleep(5000000);
156 157 158 159 160
	systab->RuntimeServices->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL);
	return EFI_SECURITY_VIOLATION;
}

static EFI_STATUS EFIAPI
161
do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
162
	UINTN ExitDataSize, CHAR16 *ExitData)
163 164 165
{
	EFI_STATUS status;

166 167 168 169 170 171 172 173 174 175 176
	shim_fini();

	status = systab->BootServices->Exit(ImageHandle, ExitStatus,
					    ExitDataSize, ExitData);
	if (EFI_ERROR(status)) {
		EFI_STATUS status2 = shim_init();

		if (EFI_ERROR(status2)) {
			Print(L"Something has gone seriously wrong: %r\n",
				status2);
			Print(L"shim cannot continue, sorry.\n");
177
			msleep(5000000);
178 179 180 181 182
			systab->RuntimeServices->ResetSystem(
				EfiResetShutdown,
				EFI_SECURITY_VIOLATION, 0, NULL);
		}
	}
183 184 185 186 187 188 189 190 191 192
	return status;
}

void
hook_system_services(EFI_SYSTEM_TABLE *local_systab)
{
	systab = local_systab;

	/* We need to hook various calls to make this work... */

193 194 195 196 197 198 199 200 201 202
	/* We need LoadImage() hooked so that fallback.c can load shim
	 * without having to fake LoadImage as well.  This allows it
	 * to call the system LoadImage(), and have us track the output
	 * and mark loader_is_participating in start_image.  This means
	 * anything added by fallback has to be verified by the system db,
	 * which we want to preserve anyway, since that's all launching
	 * through BDS gives us. */
	system_load_image = systab->BootServices->LoadImage;
	systab->BootServices->LoadImage = load_image;

203 204 205 206 207 208 209 210 211
	/* we need StartImage() so that we can allow chain booting to an
	 * image trusted by the firmware */
	system_start_image = systab->BootServices->StartImage;
	systab->BootServices->StartImage = start_image;

	/* we need to hook ExitBootServices() so a) we can enforce the policy
	 * and b) we can unwrap when we're done. */
	system_exit_boot_services = systab->BootServices->ExitBootServices;
	systab->BootServices->ExitBootServices = exit_boot_services;
212 213 214 215 216 217 218 219 220 221 222 223
}

void
unhook_exit(void)
{
	systab->BootServices->Exit = system_exit;
}

void
hook_exit(EFI_SYSTEM_TABLE *local_systab)
{
	systab = local_systab;
224 225 226 227 228

	/* we need to hook Exit() so that we can allow users to quit the
	 * bootloader and still e.g. start a new one or run an internal
	 * shell. */
	system_exit = systab->BootServices->Exit;
229
	systab->BootServices->Exit = do_exit;
230
}