1. 21 Sep, 2014 2 commits
    • Peter Jones's avatar
      Do the same for ia32... · f9d825b2
      Peter Jones authored
      Once again, on ia32 this time, we see:
      
      00000120  47 84 00 00 0a 00 00 00  00 00 00 00 00 00 00 00 |G...............|
      
      Which is where the pointer on ia32 for the Base Relocation Table should
      be.  It points to 0x8447, which isn't a particularly reasonable address as
      numbers go, and happens to have this data there:
      
      00008440  6f 00 6e 00 66 00 69 00  67 00 75 00 72 00 65 00 |o.n.f.i.g.u.r.e.|
      00008450  00 00 49 00 50 00 76 00  36 00 28 00 00 00 2c 00 |..I.P.v.6.(...,.|
      00008460  25 00 73 00 2c 00 00 00  29 00 00 00 25 00 64 00 |%.s.,...)...%.d.|
      00008470  2e 00 25 00 64 00 2e 00  25 00 64 00 2e 00 25 00 |..%.d...%.d...%.|
      00008480  64 00 00 00 44 00 48 00  43 00 50 00 00 00 49 00 |d...D.H.C.P...I.|
      00008490  50 00 76 00 34 00 28 00  00 00 2c 00 25 00 73 00 |P.v.4.(...,.%.s.|
      
      And so that table is, in theory, this part:
      
      00008447                       00  67 00 75 00 72 00 65 00 |       .g.u.r.e.|
      00008450  00                                               |.               |
      
      Which is pretty clearly not a pointer table of any kind.
      
      So give ia32 the same treatment as x86_64, and now all arches work basically
      the same.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      f9d825b2
    • Peter Jones's avatar
      Generate a sane PE header on shim, fallback, and MokManager. · 2c59a1a0
      Peter Jones authored
      It turns out a7249a65 was masking a second problem - on some binaries,
      when we actually don't have any base relocations at all, binutils'
      "objcopy --target efi-app-x86_64" is generating a PE header with a base
      relocations pointer that happily points into the middle of our text
      section.  So with shim processing base relocations correctly, it refuses
      to load those binaries.
      
      For example, on one binary I just built:
      
      00000130  00 a0 00 00 0a 00 00 00  00 00 00 00 00 00 00 00 |................|
      
      which says there's a Base Relocation Table at 0xa000 that's 0xa bytes long.
      That's here:
      
      0000a000  58 00 29 00 00 00 00 00  48 00 44 00 28 00 50 00 |X.).....H.D.(.P.|
      0000a010  61 00 72 00 74 00 25 00  64 00 2c 00 53 00 69 00 |a.r.t.%.d.,.S.i.|
      0000a020  67 00 25 00 67 00 29 00  00 00 00 00 00 00 00 00 |g.%.g.).........|
      0000a030  48 00 44 00 28 00 50 00  61 00 72 00 74 00 25 00 |H.D.(.P.a.r.t.%.|
      
      So the table is:
      
      0000a000  58 00 29 00 00 00 00 00  48 00                   |X.).....H.      |
      
      That wouldn't be so bad, except those binaries are MokManager.efi,
      fallback.efi, and shim.efi, and sometimes they're .reloc, which we're
      actually trying to handle correctly now because grub builds with a real
      and valid .reloc table.  So though I didn't think there was any hair
      left on this yak, more shaving ensues.
      
      With this change, instead of letting objcopy do whatever it likes, we
      switch to "-O binary" and merely link in a header that's appropriate for
      our binaries.  This is the same method Ard wrote for aarch64, and it
      seems to work fine in either place (modulo some minor changes.)
      
      At some point this should be merged into gnu-efi instead of carrying our
      own crt0-efi-x86_64.S, but that's a less immediate problem.
      
      I did not need this problem.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      2c59a1a0
  2. 12 Aug, 2014 3 commits
  3. 25 Jun, 2014 1 commit
  4. 11 Apr, 2014 1 commit
  5. 12 Nov, 2013 3 commits
  6. 06 Nov, 2013 1 commit
  7. 31 Oct, 2013 2 commits
  8. 23 Oct, 2013 1 commit
  9. 22 Oct, 2013 1 commit
  10. 04 Oct, 2013 1 commit
  11. 03 Oct, 2013 1 commit
  12. 02 Oct, 2013 1 commit
  13. 01 Oct, 2013 5 commits
    • Peter Jones's avatar
      Conditionalize overriding the security policy. · bb2fe4cf
      Peter Jones authored
      Make OVERRIDE_SECURITY_POLICY a build option.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      bb2fe4cf
    • Peter Jones's avatar
      Merge console_control.h and console.h · 417077f8
      Peter Jones authored
      Since these are topically the same thing, they can live together.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      417077f8
    • Peter Jones's avatar
      Make verbose stuff use console_notify · bc71a15e
      Peter Jones authored
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      bc71a15e
    • Peter Jones's avatar
      Harden shim against non-participating bootloaders. · cbef697a
      Peter Jones authored
      It works like this: during startup of shim, we hook into the system's
      ExitBootServices() and StartImage().  If the system's StartImage() is
      called, we automatically unhook, because we're chainloading to something
      the system can verify.
      
      When shim's verify is called, we record what kind of certificate the
      image was verified against.  If the call /succeeds/, we remove our
      hooks.
      
      If ExitBootServices() is called, we check how the bootloader verified
      whatever it is loading.  If it was verified by its hash, we unhook
      everything and call the system's EBS().  If it was verified by
      certificate, we check if it has called shim_verify().  If it has, we
      unhook everything and call the system's EBS()
      
      If the bootloader has not verified anything, and is itself verified by
      a certificate, we display a security violation warning and halt the
      machine.
      cbef697a
    • Peter Jones's avatar
      Make vendor_cert/vendor_dbx actually replaceable by an external tool. · a1f28635
      Peter Jones authored
      This moves them both to be computed at runtime from a pointer+offset
      rather than just a pointer, so that their real address can be entirely
      derived from the section they're in.
      
      This means you can replace the whole .vendor_cert section with a new one
      with certs that don't have the same size.
      a1f28635
  14. 26 Sep, 2013 10 commits
  15. 24 Sep, 2013 1 commit
  16. 10 Jun, 2013 5 commits
    • Peter Jones's avatar
      Bump version to 0.4 · d141608b
      Peter Jones authored
      Since I've finally merged in the "sections" branch, best to increment
      the version number.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      d141608b
    • Peter Jones's avatar
    • Peter Jones's avatar
      Move embedded certificates to their own section. · c682b514
      Peter Jones authored
      With this change, the embedded certificate and dbx lists (vendor_cert,
      vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
      section named .vendor_cert, and so will look something like:
      ------
      fenchurch:~/devel/github.com/shim$ objdump -h shim.efi
      
      shim.efi:     file format pei-x86-64
      
      Sections:
      Idx Name          Size      VMA               LMA               File off  Algn
        0 .eh_frame     000174a8  0000000000005000  0000000000005000  00000400  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        1 .text         000aa7e1  000000000001d000  000000000001d000  00017a00  2**4
                        CONTENTS, ALLOC, LOAD, READONLY, CODE
        2 .reloc        0000000a  00000000000c8000  00000000000c8000  000c2200  2**0
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        3 .data         00031228  00000000000c9000  00000000000c9000  000c2400  2**5
                        CONTENTS, ALLOC, LOAD, DATA
        4 .vendor_cert  00000375  00000000000fb000  00000000000fb000  000f3800  2**0
                        CONTENTS, READONLY
        5 .dynamic      000000f0  00000000000fc000  00000000000fc000  000f3c00  2**3
                        CONTENTS, ALLOC, LOAD, DATA
        6 .rela         0002afa8  00000000000fd000  00000000000fd000  000f3e00  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        7 .dynsym       0000f1f8  0000000000128000  0000000000128000  0011ee00  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
      ------
      
      This simplifies a security audit, because it means that different
      versions of shim with substantially the same code with different keys
      will be more easily comperable, and therefore logic differences may be
      more easily identified.
      
      This also means that if there's a trusted build you want to use, you can
      remove the certificates, implant new ones, and have it signed, and the
      code sections won't change.
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      c682b514
    • Peter Jones's avatar
      Remove FALLBACK_OBJS during clean as well. · 1de10962
      Peter Jones authored
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      1de10962
    • Peter Jones's avatar
  17. 31 May, 2013 1 commit