Commit ef8c9962 authored by Matthew Garrett's avatar Matthew Garrett

Sign MokManager with a locally-generated key

shim needs to verify that MokManager hasn't been modified, but we want to
be able to support configurations where shim is shipped without a vendor
certificate. This patch adds support for generating a certificate at build
time, incorporating the public half into shim and signing MokManager with
the private half. It uses pesign and nss, but still requires openssl for
key generation. Anyone using sbsign will need to figure this out for
parent e4d55afe
......@@ -28,15 +28,33 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
TARGET = shim.efi MokManager.efi
TARGET = shim.efi MokManager.efi.signed
OBJS = shim.o netboot.o cert.o dbx.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
SOURCES = shim.c shim.h netboot.c signature.h PeImage.h
MOK_OBJS = MokManager.o
MOK_SOURCES = MokManager.c shim.h
all: $(TARGET)
shim.o: $(SOURCES)
./make-certs shim all codesign </dev/null
shim.cer: shim.crt
openssl x509 -outform der -in $< -out $@
shim_cert.h: shim.cer
echo "static UINT8 shim_cert[] = {" > $@
hexdump -v -e '1/1 "0x%02x, "' $< >> $@
echo "};" >> $@
certdb/secmod.db: shim.crt
-mkdir certdb
certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
pk12util -d certdb/ -i shim.p12 -W "" -K ""
certutil -d certdb/ -A -i shim.crt -n shim -t u
shim.o: $(SOURCES) shim_cert.h
cert.o : cert.S
$(CC) $(CFLAGS) -c -o $@ $<
......@@ -70,10 +88,14 @@ Cryptlib/OpenSSL/libopenssl.a:
-j .debug_line -j .debug_str -j .debug_ranges \
--target=efi-app-$(ARCH) $^ $@.debug
%.efi.signed: %.efi certdb/secmod.db
pesign -n certdb -i $< -c "shim" -s -o $@ -f
$(MAKE) -C Cryptlib clean
$(MAKE) -C Cryptlib/OpenSSL clean
rm -f $(TARGET) $(OBJS)
rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(KEYS) certdb
rm -f *.debug *.so
This diff is collapsed.
......@@ -40,6 +40,7 @@
#include "shim.h"
#include "signature.h"
#include "netboot.h"
#include "shim_cert.h"
#define SECOND_STAGE L"\\grub.efi"
#define MOK_MANAGER L"\\MokManager.efi"
......@@ -415,6 +416,8 @@ static BOOLEAN secure_mode (void)
UINT8 sb, setupmode;
UINT32 attributes;
return TRUE;
if (insecure_mode)
return FALSE;
......@@ -695,6 +698,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
return status;
* Check against the shim build key
if (AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr),
shim_cert, sizeof(shim_cert), sha256hash,
status = EFI_SUCCESS;
Print(L"Binary is verified by the vendor certificate\n");
return status;
* And finally, check against shim's built-in key
......@@ -1180,12 +1196,8 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
efi_status = start_image(image_handle, SECOND_STAGE);
if (efi_status != EFI_SUCCESS) {
if (efi_status == EFI_ACCESS_DENIED)
efi_status = start_image(image_handle, MOK_MANAGER);
Print(L"Failed to start grub\n");
if (efi_status != EFI_SUCCESS)
efi_status = start_image(image_handle, MOK_MANAGER);
return efi_status;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment