Commit 17857eb8 authored by Matthew Garrett's avatar Matthew Garrett Committed by Peter Jones

Port MokManager to Linux Foundation loader UI code

This is the first stage of porting the MokManager UI to the UI code used
by the Linux Foundation UEFI loader.
parent 2aa2ddd8
ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,)
SUBDIRS = Cryptlib
SUBDIRS = Cryptlib lib
LIB_PATH = /usr/lib64
......@@ -78,8 +78,8 @@ fallback.so: $(FALLBACK_OBJS)
MokManager.o: $(SOURCES)
MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
Cryptlib/libcryptlib.a:
$(MAKE) -C Cryptlib
......@@ -87,6 +87,9 @@ Cryptlib/libcryptlib.a:
Cryptlib/OpenSSL/libopenssl.a:
$(MAKE) -C Cryptlib/OpenSSL
lib/lib.a:
$(MAKE) -C lib
%.efi: %.so
objcopy -j .text -j .sdata -j .data \
-j .dynamic -j .dynsym -j .rel \
......
This diff is collapsed.
/* definitions straight from TianoCore */
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;
#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004
#define EFI_IMAGE_EXECUTION_POLICY_FAILED 0x00000005
#define EFI_IMAGE_EXECUTION_INITIALIZED 0x00000008
typedef struct {
///
/// Describes the action taken by the firmware regarding this image.
///
EFI_IMAGE_EXECUTION_ACTION Action;
///
/// Size of all of the entire structure.
///
UINT32 InfoSize;
///
/// If this image was a UEFI device driver (for option ROM, for example) this is the
/// null-terminated, user-friendly name for the device. If the image was for an application,
/// then this is the name of the application. If this cannot be determined, then a simple
/// NULL character should be put in this position.
/// CHAR16 Name[];
///
///
/// For device drivers, this is the device path of the device for which this device driver
/// was intended. In some cases, the driver itself may be stored as part of the system
/// firmware, but this field should record the device's path, not the firmware path. For
/// applications, this is the device path of the application. If this cannot be determined,
/// a simple end-of-path device node should be put in this position.
/// EFI_DEVICE_PATH_PROTOCOL DevicePath;
///
///
/// Zero or more image signatures. If the image contained no signatures,
/// then this field is empty.
///
///EFI_SIGNATURE_LIST Signature;
UINT8 Data[];
} EFI_IMAGE_EXECUTION_INFO;
typedef struct {
///
/// Number of EFI_IMAGE_EXECUTION_INFO structures.
///
UINTN NumberOfImages;
///
/// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.
///
EFI_IMAGE_EXECUTION_INFO InformationInfo[];
} EFI_IMAGE_EXECUTION_INFO_TABLE;
void *
configtable_get_table(EFI_GUID *guid);
EFI_IMAGE_EXECUTION_INFO_TABLE *
configtable_get_image_table(void);
EFI_IMAGE_EXECUTION_INFO *
configtable_find_image(const EFI_DEVICE_PATH *DevicePath);
int
configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath);
EFI_INPUT_KEY
console_get_keystroke(void);
void
console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines);
void
console_print_box(CHAR16 *str_arr[], int highlight);
int
console_yes_no(CHAR16 *str_arr[]);
int
console_select(CHAR16 *title[], CHAR16* selectors[], int start);
void
console_errorbox(CHAR16 *err);
void
console_error(CHAR16 *err, EFI_STATUS);
void
console_alertbox(CHAR16 **title);
void
console_notify(CHAR16 *string);
void
console_reset(void);
#define NOSEL 0x7fffffff
#ifndef _INC_EFIAUTHENTICATED_H
#define _INC_EFIAUTHENTICATED_H
#include <wincert.h>
//***********************************************************************
// Signature Database
//***********************************************************************
///
/// The format of a signature database.
///
#pragma pack(1)
typedef struct {
///
/// An identifier which identifies the agent which added the signature to the list.
///
EFI_GUID SignatureOwner;
///
/// The format of the signature is defined by the SignatureType.
///
UINT8 SignatureData[1];
} EFI_SIGNATURE_DATA;
typedef struct {
///
/// Type of the signature. GUID signature types are defined in below.
///
EFI_GUID SignatureType;
///
/// Total size of the signature list, including this header.
///
UINT32 SignatureListSize;
///
/// Size of the signature header which precedes the array of signatures.
///
UINT32 SignatureHeaderSize;
///
/// Size of each signature.
///
UINT32 SignatureSize;
///
/// Header before the array of signatures. The format of this header is specified
/// by the SignatureType.
/// UINT8 SignatureHeader[SignatureHeaderSize];
///
/// An array of signatures. Each signature is SignatureSize bytes in length.
/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
///
} EFI_SIGNATURE_LIST;
#pragma pack()
//
// _WIN_CERTIFICATE.wCertificateType
//
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
#define EFI_CERT_X509_GUID \
(EFI_GUID){ \
0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
}
#define EFI_CERT_RSA2048_GUID \
(EFI_GUID){ \
0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
}
#define EFI_CERT_TYPE_PKCS7_GUID \
(EFI_GUID){ \
0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
}
///
/// WIN_CERTIFICATE_UEFI_GUID.CertType
///
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
{0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
///
/// WIN_CERTIFICATE_UEFI_GUID.CertData
///
typedef struct {
EFI_GUID HashType;
UINT8 PublicKey[256];
UINT8 Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;
///
/// Certificate which encapsulates a GUID-specific digital signature
///
typedef struct {
///
/// This is the standard WIN_CERTIFICATE header, where
/// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID.
///
WIN_CERTIFICATE Hdr;
///
/// This is the unique id which determines the
/// format of the CertData. .
///
EFI_GUID CertType;
///
/// The following is the certificate data. The format of
/// the data is determined by the CertType.
/// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID,
/// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
///
UINT8 CertData[1];
} WIN_CERTIFICATE_UEFI_GUID;
///
/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
///
/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
/// WIN_CERTIFICATE and encapsulate the information needed to
/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as
/// specified in RFC2437.
///
typedef struct {
///
/// This is the standard WIN_CERTIFICATE header, where
/// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
///
WIN_CERTIFICATE Hdr;
///
/// This is the hashing algorithm which was performed on the
/// UEFI executable when creating the digital signature.
///
EFI_GUID HashAlgorithm;
///
/// The following is the actual digital signature. The
/// size of the signature is the same size as the key
/// (1024-bit key is 128 bytes) and can be determined by
/// subtracting the length of the other parts of this header
/// from the total length of the certificate as found in
/// Hdr.dwLength.
///
/// UINT8 Signature[];
///
} WIN_CERTIFICATE_EFI_PKCS1_15;
#define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field))
///
/// Attributes of Authenticated Variable
///
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
///
/// AuthInfo is a WIN_CERTIFICATE using the wCertificateType
/// WIN_CERTIFICATE_UEFI_GUID and the CertType
/// EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
/// authenticated access, then the Data buffer should begin with an
/// authentication descriptor prior to the data payload and DataSize
/// should reflect the the data.and descriptor size. The caller
/// shall digest the Monotonic Count value and the associated data
/// for the variable update using the SHA-256 1-way hash algorithm.
/// The ensuing the 32-byte digest will be signed using the private
/// key associated w/ the public/private 2048-bit RSA key-pair. The
/// WIN_CERTIFICATE shall be used to describe the signature of the
/// Variable data *Data. In addition, the signature will also
/// include the MonotonicCount value to guard against replay attacks.
///
typedef struct {
///
/// Included in the signature of
/// AuthInfo.Used to ensure freshness/no
/// replay. Incremented during each
/// "Write" access.
///
UINT64 MonotonicCount;
///
/// Provides the authorization for the variable
/// access. It is a signature across the
/// variable data and the Monotonic Count
/// value. Caller uses Private key that is
/// associated with a public key that has been
/// provisioned via the key exchange.
///
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION;
///
/// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
/// set, then the Data buffer shall begin with an instance of a complete (and serialized)
/// EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new
/// variable value and DataSize shall reflect the combined size of the descriptor and the new
/// variable value. The authentication descriptor is not part of the variable data and is not
/// returned by subsequent calls to GetVariable().
///
typedef struct {
///
/// For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and
/// Pad2 shall be set to 0. This means that the time shall always be expressed in GMT.
///
EFI_TIME TimeStamp;
///
/// Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
///
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION_2;
///
/// Size of AuthInfo prior to the data payload.
///
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
#endif
#include <efierr.h>
#ifndef EFI_INCOMPATIBLE_VERSION
#define EFI_INCOMPATIBLE_VERSION EFIERR(25)
#endif
#ifndef EFI_SECURITY_VIOLATION
#define EFI_SECURITY_VIOLATION EFIERR(26)
#endif
EFI_STATUS
generate_path(CHAR16* name, EFI_LOADED_IMAGE *li,
EFI_DEVICE_PATH **path, CHAR16 **PathName);
EFI_STATUS
execute(EFI_HANDLE image, CHAR16 *name);
#include <efi.h>
#ifndef BUILD_EFI
const char *guid_to_str(EFI_GUID *guid);
void str_to_guid(const char *str, EFI_GUID *guid);
#endif
extern EFI_GUID GV_GUID;
extern EFI_GUID SIG_DB;
extern EFI_GUID X509_GUID;
extern EFI_GUID RSA2048_GUID;
extern EFI_GUID PKCS7_GUID;
extern EFI_GUID IMAGE_PROTOCOL;
extern EFI_GUID SIMPLE_FS_PROTOCOL;
extern EFI_GUID EFI_CERT_SHA256_GUID;
extern EFI_GUID MOK_OWNER;
extern EFI_GUID SECURITY_PROTOCOL_GUID;
extern EFI_GUID SECURITY2_PROTOCOL_GUID;
EFI_STATUS
security_policy_install(void);
EFI_STATUS
security_policy_uninstall(void);
void
security_protocol_set_hashes(unsigned char *esl, int len);
EFI_STATUS
argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV);
EFI_STATUS
simple_file_open (EFI_HANDLE image, CHAR16 *name, EFI_FILE **file, UINT64 mode);
EFI_STATUS
simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UINT64 mode);
EFI_STATUS
simple_file_read_all(EFI_FILE *file, UINTN *size, void **buffer);
EFI_STATUS
simple_file_write_all(EFI_FILE *file, UINTN size, void *buffer);
void
simple_file_close(EFI_FILE *file);
EFI_STATUS
simple_dir_read_all(EFI_HANDLE image, CHAR16 *name, EFI_FILE_INFO **Entries,
int *count);
EFI_STATUS
simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter,
CHAR16 ***result, int *count, EFI_FILE_INFO **entries);
void
simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name,
CHAR16 *filter, CHAR16 **result);
EFI_STATUS
simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h);
#include <efiauthenticated.h>
#include <sha256.h> /* for SHA256_DIGEST_SIZE */
#define certlist_for_each_certentry(cl, cl_init, s, s_init) \
for (cl = (EFI_SIGNATURE_LIST *)(cl_init), s = (s_init); \
s > 0 && s >= cl->SignatureListSize; \
s -= cl->SignatureListSize, \
cl = (EFI_SIGNATURE_LIST *) ((UINT8 *)cl + cl->SignatureListSize))
/*
* Warning: this assumes (cl)->SignatureHeaderSize is zero. It is for all
* the signatures we process (X509, RSA2048, SHA256)
*/
#define certentry_for_each_cert(c, cl) \
for (c = (EFI_SIGNATURE_DATA *)((UINT8 *) (cl) + sizeof(EFI_SIGNATURE_LIST) + (cl)->SignatureHeaderSize); \
(UINT8 *)c < ((UINT8 *)(cl)) + (cl)->SignatureListSize; \
c = (EFI_SIGNATURE_DATA *)((UINT8 *)c + (cl)->SignatureSize))
EFI_STATUS
CreatePkX509SignatureList (
IN UINT8 *X509Data,
IN UINTN X509DataSize,
IN EFI_GUID owner,
OUT EFI_SIGNATURE_LIST **PkCert
);
EFI_STATUS
CreateTimeBasedPayload (
IN OUT UINTN *DataSize,
IN OUT UINT8 **Data
);
EFI_STATUS
SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, UINT32 options, int createtimebased);
EFI_STATUS
get_variable(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner);
EFI_STATUS
get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner,
UINT32 *attributes);
EFI_STATUS
find_in_esl(UINT8 *Data, UINTN DataSize, UINT8 *key, UINTN keylen);
EFI_STATUS
find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen);
#define EFI_OS_INDICATIONS_BOOT_TO_FW_UI 0x0000000000000001
UINT64
GetOSIndications(void);
EFI_STATUS
SETOSIndicationsAndReboot(UINT64 indications);
int
variable_is_secureboot(void);
int
variable_is_setupmode(void);
EFI_STATUS
variable_enroll_hash(CHAR16 *var, EFI_GUID owner,
UINT8 hash[SHA256_DIGEST_SIZE]);
EFI_STATUS
variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner,
void **out, int *outlen);
#define VERSION "1.3.4"
static void
version(const char *progname)
{
printf("%s " VERSION "\n", progname);
}
#ifndef _INC_WINCERT_H
#define _INC_WINCERT_H
///
/// The WIN_CERTIFICATE structure is part of the PE/COFF specification.
///
typedef struct {
///
/// The length of the entire certificate,
/// including the length of the header, in bytes.
///
UINT32 dwLength;
///
/// The revision level of the WIN_CERTIFICATE
/// structure. The current revision level is 0x0200.
///
UINT16 wRevision;
///
/// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
/// certificate types. The UEFI specification reserves the range of
/// certificate type values from 0x0EF0 to 0x0EFF.
///
UINT16 wCertificateType;
///
/// The following is the actual certificate. The format of
/// the certificate depends on wCertificateType.
///
/// UINT8 bCertificate[ANYSIZE_ARRAY];
///
} WIN_CERTIFICATE;
#endif
TARGET = lib.a
LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o
ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,)
EFI_INCLUDE = /usr/include/efi
EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
EFI_PATH = /usr/lib64/gnuefi
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -mno-red-zone -DBUILD_EFI $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
lib.a: $(LIBFILES)
ar rcs lib.a $(LIBFILES)
all: $(TARGET)
clean:
rm -f lib.a
rm -f $(LIBFILES)
/*
* Copyright 2013 <James.Bottomley@HansenPartnership.com>
*
* see COPYING file
*
* read some platform configuration tables
*/
#include <efi.h>
#include <efilib.h>
#include <guid.h>
#include <configtable.h>
void *
configtable_get_table(EFI_GUID *guid)
{
int i;
for (i = 0; i < ST->NumberOfTableEntries; i++) {
EFI_CONFIGURATION_TABLE *CT = &ST->ConfigurationTable[i];
if (CompareGuid(guid, &CT->VendorGuid) == 0) {
return CT->VendorTable;
}
}
return NULL;
}
EFI_IMAGE_EXECUTION_INFO_TABLE *
configtable_get_image_table(void)
{
return configtable_get_table(&SIG_DB);
}
EFI_IMAGE_EXECUTION_INFO *
configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
{
EFI_IMAGE_EXECUTION_INFO_TABLE *t = configtable_get_image_table();
if (!t)
return NULL;
int entries = t->NumberOfImages;
EFI_IMAGE_EXECUTION_INFO *e = t->InformationInfo;
int i;
for (i = 0; i < entries; i++) {
#ifdef DEBUG_CONFIG
Print(L"InfoSize = %d Action = %d\n", e->InfoSize, e->Action);
/* print what we have for debugging */
UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
d += 16;
Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
#endif
CHAR16 *name = (CHAR16 *)(e->Data);
int skip = 0;
/* There's a bug in a lot of EFI platforms and they forget to
* put the name here. The only real way of detecting it is to
* look for either a UC16 NULL or ASCII as UC16 */
if (name[0] == '\0' || (e->Data[1] == 0 && e->Data[3] == 0)) {
skip = StrSize(name);
#ifdef DEBUG_CONFIG
Print(L"FOUND NAME %s (%d)\n", name, skip);
#endif
}
EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)(e->Data + skip), *dpn = dp;
if (dp->Type == 0 || dp->Type > 6 || dp->SubType == 0
|| (((dp->Length[1] << 8) + dp->Length[0]) > e->InfoSize)) {
/* Parse error, table corrupt, bail */
Print(L"Image Execution Information table corrupt\n");
break;
}
UINTN Size;
DevicePathInstance(&dpn, &Size);
#ifdef DEBUG_CONFIG
Print(L"Path: %s\n", DevicePathToStr(dp));
Print(L"Device Path Size %d\n", Size);
#endif
if (Size > e->InfoSize) {
/* parse error; the platform obviously has a
* corrupted image table; bail */
Print(L"Image Execution Information table corrupt\n");
break;
}
if (CompareMem(dp, DevicePath, Size) == 0) {
#ifdef DEBUG_CONFIG
Print(L"***FOUND\n");
console_get_keystroke();
#endif
return e;
}
e = (EFI_IMAGE_EXECUTION_INFO *)((UINT8 *)e + e->InfoSize);
}
#ifdef DEBUG_CONFIG
Print(L"***NOT FOUND\n");
console_get_keystroke();
#endif
return NULL;
}
int
configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath)
{
EFI_IMAGE_EXECUTION_INFO *e = configtable_find_image(DevicePath);
/* Image may not be in DB if it gets executed successfully If it is,
* and EFI_IMAGE_EXECUTION_INITIALIZED is not set, then the image
* isn't authenticated. If there's no signature, usually
* EFI_IMAGE_EXECUTION_AUTH_UNTESTED is set, if the hash is in dbx,
* EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND is returned, and if the key is
* in dbx, EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED is returned*/
if (e && (e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND
|| e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED)) {
/* this means the images signing key is in dbx */
#ifdef DEBUG_CONFIG
Print(L"SIGNATURE IS IN DBX, FORBIDDING EXECUTION\n");
#endif
return 1;
}
return 0;
}
This diff is collapsed.
/*
* Copyright 2012 <James.Bottomley@HansenPartnership.com>
*
* see COPYING file
*
* --
*
* generate_path is a cut and paste from
*
* git://github.com/mjg59/shim.git
*
* Code Copyright 2012 Red Hat, Inc <mjg@redhat.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include <efi.h>
#include <efilib.h>
#include <guid.h>
#include <execute.h>
EFI_STATUS
generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, EFI_DEVICE_PATH **path, CHAR16 **PathName)
{
unsigned int pathlen;
EFI_STATUS efi_status = EFI_SUCCESS;
CHAR16 *devpathstr = DevicePathToStr(li->FilePath),
*found = NULL;
int i;
for (i = 0; i < StrLen(devpathstr); i++) {
if (devpathstr[i] == '/')