shim: sync up with upstream

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
This commit is contained in:
Jia Zhang
2017-08-22 17:53:49 +08:00
parent 6ad9a338e6
commit bfd800fe02
7 changed files with 22 additions and 335 deletions
@@ -1,6 +1,6 @@
From 8cfbeee2979f0049bf018f207afc01b55d1a7bcd Mon Sep 17 00:00:00 2001 From 4019b6bad6e4e63fdf2079a1637c5f7afa9defbe Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com> From: Jia Zhang <lans.zhang2008@gmail.com>
Date: Fri, 30 Jun 2017 16:59:34 +0800 Date: Tue, 22 Aug 2017 17:31:04 +0800
Subject: [PATCH] Prevent from removing intermediate .efi Subject: [PATCH] Prevent from removing intermediate .efi
Upstream-Status: Pending Upstream-Status: Pending
@@ -10,24 +10,24 @@ sysroots/x86_64-linux/usr/bin/pesign -n certdb -i MokManager.efi -c "shim" -s -o
rm fallback.efi MokManager.efi rm fallback.efi MokManager.efi
DEBUG: Shell function do_compile finished DEBUG: Shell function do_compile finished
Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
--- ---
Makefile | 2 ++ Makefile | 2 ++
1 file changed, 2 insertions(+) 1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 0497e4d..19e1b4f 100644 index afd6504..0ec2b0b 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -108,6 +108,8 @@ ifneq ($(origin ENABLE_HTTPBOOT), undefined) @@ -159,6 +159,8 @@ SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
SOURCES += httpboot.c httpboot.h MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
endif FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
+.PRECIOUS: $(MMNAME).efi $(FBNAME).efi +.PRECIOUS: $(MMNAME).efi $(FBNAME).efi
+ +
all: $(TARGET) all: $(TARGETS)
shim.crt shim.key: shim.crt:
-- --
2.7.5 2.14.1
@@ -1,44 +0,0 @@
From 04da6c928d5f15b7adb6c51e55b9aa0a8126063d Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 21 Sep 2016 11:31:02 +0800
Subject: [PATCH 07/11] Use sbsign to sign MokManager and fallback
Upstream-Status: Pending
pesign is written with -std=gnu11 and thus the host gcc version lower
than 4.7 cannot build out pesign.
sbsign is another alternate used to sign efi binary and it works well.
Therefore, drop to use sbsign to sign efi binary.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Makefile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 7c71993..58b4b4c 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ HEXDUMP ?= hexdump
PK12UTIL ?= pk12util
CERTUTIL ?= certutil
PESIGN ?= pesign
+SBSIGN ?= sbsign
ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24)
@@ -190,8 +191,8 @@ endif
-j .note.gnu.build-id \
$(FORMAT) $^ $@.debug
-%.efi.signed: %.efi certdb/secmod.db
- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
+%.efi.signed: %.efi shim.key shim.crt
+ $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
clean:
$(MAKE) -C Cryptlib clean
--
2.11.0
@@ -1,6 +1,6 @@
From 3b4fe6b2eda92c78c80a2c0c1ab5625fd0920811 Mon Sep 17 00:00:00 2001 From 22b58e64a0cd10456f79f146216c899a898ce037 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com> From: Jia Zhang <lans.zhang2008@gmail.com>
Date: Thu, 3 Aug 2017 09:53:37 +0800 Date: Tue, 22 Aug 2017 17:32:47 +0800
Subject: [PATCH] Fix the world build failure due to the missing rule of Subject: [PATCH] Fix the world build failure due to the missing rule of
generating shim.key generating shim.key
@@ -12,18 +12,18 @@ for signing. However, the commit 79c0d3ab3964ff03483277a515aaf50016bbe786
forgets to add the rule of generating shim.key, causing the world build forgets to add the rule of generating shim.key, causing the world build
failure. failure.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
--- ---
Makefile | 2 +- Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 063578a..96bdf14 100644 index 0ec2b0b..2fc6c90 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -125,7 +125,7 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) @@ -163,7 +163,7 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
all: $(TARGET) all: $(TARGETS)
-shim.crt: -shim.crt:
+shim.crt shim.key: +shim.crt shim.key:
@@ -31,5 +31,5 @@ index 063578a..96bdf14 100644
shim.cer: shim.crt shim.cer: shim.crt
-- --
2.7.5 2.14.1
@@ -1,35 +0,0 @@
From b3d57a092d837fe8134e0b3ff408040fa33d4efc Mon Sep 17 00:00:00 2001
From: Yunguo Wei <yunguo.wei@windriver.com>
Date: Wed, 28 Dec 2016 11:08:37 +0800
Subject: [PATCH 10/11] Makefile: do not sign the efi file
Shim tries to sign all the efi binaries at build time, but is not
suitable for us. Because the private key has to be supplied, and this
doesn't make sense to EDSS key.
We will use a seperated function in bitbake file to
sign these efi binaries, so that we can freely use EDSS key, Wind
River sample key or user key.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 24e21a8..0912cd0 100644
--- a/Makefile
+++ b/Makefile
@@ -92,7 +92,7 @@ endif
LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
-TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
+TARGET = $(SHIMNAME).efi $(MMNAME).efi $(FBNAME).efi
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
--
2.11.0
@@ -1,35 +0,0 @@
From 2003b828be0e0fe774e119922e81ee0bb0d2ecdd Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 9 Aug 2017 16:10:14 +0800
Subject: [PATCH 1/2] fallback: fix double free of dp
If the boot option recorded in csv is not in a media device path, the
corresponding full device path will be referred for creating the boot
variable.
However, the current code logic always frees the full device path
(full_device_path) and the media device path (dp) separately. In order
to resolve this issue, always check whether dp equals to full_device_path
before freeing dp.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
fallback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fallback.c b/fallback.c
index 9b64077..2ef1b86 100644
--- a/fallback.c
+++ b/fallback.c
@@ -482,7 +482,7 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum
err:
if (full_device_path)
FreePool(full_device_path);
- if (dp)
+ if (dp && dp != full_device_path)
FreePool(dp);
if (fullpath)
FreePool(fullpath);
--
2.13.2
@@ -1,197 +0,0 @@
From 0fbd5a6375bbfe463979cc1958bc721353e49625 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Fri, 11 Aug 2017 13:42:20 +0800
Subject: [PATCH 2/2] fallback: work around the issue of boot option creation
with AMI BIOS
AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX
variables with ami_masked_device_path_guid.
Initially, the normal boot option created by fallback looks like this:
00000000 01 00 00 00 5e 00 42 00 6f 00 6f 00 74 00 6c 00 |....^.B.o.o.t.l.|
00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.|
00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.|
00000030 69 00 74 00 29 00 00 00 04 01 2a 00 01 00 00 00 |i.t.).....*.....|
00000040 00 08 00 00 00 00 00 00 00 00 08 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 01 01 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 |....0.\.E.F.I.\.|
00000070 42 00 4f 00 4f 00 54 00 5c 00 74 00 65 00 73 00 |B.O.O.T.\.t.e.s.|
00000080 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 |t.x.6.4...e.f.i.|
00000090 00 00 7f ff 04 00 |......|
00000096
after reboot, fallback has to create a new one due to the previous boot
option is hidden and masked by AMI BIOS:
00000000 09 00 00 00 76 00 42 00 6f 00 6f 00 74 00 6c 00 |....v.B.o.o.t.l.|
00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.|
00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.|
00000030 69 00 74 00 29 00 00 00 01 04 14 00 e7 75 e2 99 |i.t.)........u..|
00000040 a0 75 37 4b a2 e6 c5 38 5e 6c 00 cb 7f ff 04 00 |.u7K...8^l......|
00000050 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 |..*.............|
00000060 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 01 01 04 04 30 00 5c 00 |............0.\.|
00000080 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 |E.F.I.\.B.O.O.T.|
00000090 5c 00 74 00 65 00 73 00 74 00 78 00 36 00 34 00 |\.t.e.s.t.x.6.4.|
000000a0 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 |..e.f.i.......|
000000ae
And after several reboot, fallback will have to create more boot options
because AMI BIOS corrupts the previous ones.
We can get the valid device path if just skipping the masked device path and
its next end path.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 109 insertions(+), 5 deletions(-)
diff --git a/fallback.c b/fallback.c
index 2ef1b86..46894af 100644
--- a/fallback.c
+++ b/fallback.c
@@ -287,6 +287,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
return EFI_OUT_OF_RESOURCES;
}
+/*
+ * AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX
+ * variables with ami_masked_device_path_guid. We can get the valid device path
+ * if just skipping it and its next end path.
+ */
+
+static EFI_GUID ami_masked_device_path_guid = {
+ 0x99e275e7, 0x75a0, 0x4b37,
+ { 0xa2, 0xe6, 0xc5, 0x38, 0x5e, 0x6c, 0x0, 0xcb }
+};
+
+static unsigned int
+calc_masked_boot_option_size(unsigned int size)
+{
+ return size + sizeof(EFI_DEVICE_PATH) +
+ sizeof(ami_masked_device_path_guid) + sizeof(EFI_DEVICE_PATH);
+}
+
+static int
+check_masked_boot_option(CHAR8 *candidate, unsigned int candidate_size,
+ CHAR8 *data, unsigned int data_size)
+{
+ /*
+ * The patched BootXXXX variables contain a hardware device path and
+ * an end path, preceding the real device path.
+ */
+ if (calc_masked_boot_option_size(data_size) != candidate_size)
+ return 1;
+
+ CHAR8 *cursor = candidate;
+
+ /* Check whether the BootXXXX is patched */
+ cursor += sizeof(UINT32) + sizeof(UINT16);
+ cursor += StrSize((CHAR16 *)cursor);
+
+ unsigned int min_valid_size = cursor - candidate + sizeof(EFI_DEVICE_PATH);
+
+ if (candidate_size <= min_valid_size)
+ return 1;
+
+ EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)cursor;
+ unsigned int node_size = DevicePathNodeLength(dp) - sizeof(EFI_DEVICE_PATH);
+
+ min_valid_size += node_size;
+ if (candidate_size <= min_valid_size ||
+ DevicePathType(dp) != HARDWARE_DEVICE_PATH ||
+ DevicePathSubType(dp) != HW_VENDOR_DP ||
+ node_size != sizeof(ami_masked_device_path_guid) ||
+ CompareGuid((EFI_GUID *)(cursor + sizeof(EFI_DEVICE_PATH)),
+ &ami_masked_device_path_guid))
+ return 1;
+
+ /* Check whether the patched guid is followed by an end path */
+ min_valid_size += sizeof(EFI_DEVICE_PATH);
+ if (candidate_size <= min_valid_size)
+ return 1;
+
+ dp = NextDevicePathNode(dp);
+ if (!IsDevicePathEnd(dp))
+ return 1;
+
+ /*
+ * OK. We may really get a masked BootXXXX variable. The next
+ * step is to test whether it is hidden.
+ */
+ UINT32 attrs = *(UINT32 *)candidate;
+#ifndef LOAD_OPTION_HIDDEN
+# define LOAD_OPTION_HIDDEN 0x00000008
+#endif
+ if (!(attrs & LOAD_OPTION_HIDDEN))
+ return 1;
+
+ attrs &= ~LOAD_OPTION_HIDDEN;
+
+ /* Compare the field Attributes */
+ if (attrs != *(UINT32 *)data)
+ return 1;
+
+ /* Compare the field FilePathListLength */
+ data += sizeof(UINT32);
+ candidate += sizeof(UINT32);
+ if (calc_masked_boot_option_size(*(UINT16 *)data) !=
+ *(UINT16 *)candidate)
+ return 1;
+
+ /* Compare the field Description */
+ data += sizeof(UINT16);
+ candidate += sizeof(UINT16);
+ if (CompareMem(candidate, data, cursor - candidate))
+ return 1;
+
+ /* Compare the filed FilePathList */
+ cursor = (CHAR8 *)NextDevicePathNode(dp);
+ data += sizeof(UINT16);
+ data += StrSize((CHAR16 *)data);
+
+ return CompareMem(cursor, data, candidate_size - min_valid_size);
+}
+
EFI_STATUS
find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
CHAR16 *filename, CHAR16 *label, CHAR16 *arguments,
@@ -316,7 +415,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
EFI_GUID global = EFI_GLOBAL_VARIABLE;
EFI_STATUS rc;
- CHAR8 *candidate = AllocateZeroPool(size);
+ UINTN max_candidate_size = calc_masked_boot_option_size(size);
+ CHAR8 *candidate = AllocateZeroPool(max_candidate_size);
if (!candidate) {
FreePool(data);
return EFI_OUT_OF_RESOURCES;
@@ -328,17 +428,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4];
varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
- UINTN candidate_size = size;
+ UINTN candidate_size = max_candidate_size;
rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global,
NULL, &candidate_size, candidate);
if (EFI_ERROR(rc))
continue;
- if (candidate_size != size)
+ if (candidate_size != size) {
+ if (check_masked_boot_option(candidate, candidate_size,
+ data, size))
+ continue;
+ } else if (CompareMem(candidate, data, size))
continue;
- if (CompareMem(candidate, data, size))
- continue;
+ VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" "
+ L"for file \"%s\"\n", varname, label, filename);
/* at this point, we have duplicate data. */
if (!first_new_option) {
--
2.13.2
@@ -26,13 +26,9 @@ SRC_URI = "\
file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \ file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \
file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \ file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
file://0006-Prevent-from-removing-intermediate-.efi.patch \ file://0006-Prevent-from-removing-intermediate-.efi.patch \
file://0007-Use-sbsign-to-sign-MokManager-and-fallback.patch \
file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \ file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \
file://0010-Makefile-do-not-sign-the-efi-file.patch \
file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \ file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \ file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
file://0013-fallback-fix-double-free-of-dp.patch \
file://0014-fallback-work-around-the-issue-of-boot-option-creati.patch \
file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \ file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \
file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \ file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \
file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \ file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \
@@ -42,7 +38,7 @@ SRC_URI_append_x86-64 = "\
'file://shim' + d.expand('EFI_ARCH') + '.efi.signed file://LICENSE' \ 'file://shim' + d.expand('EFI_ARCH') + '.efi.signed file://LICENSE' \
if uks_signing_model(d) == 'sample' else '', '', d)} \ if uks_signing_model(d) == 'sample' else '', '', d)} \
" "
SRCREV = "631265b7e9c447412d423ffed1b39dfd706054cd" SRCREV = "5202f80c32bdcab0469785e953bf9fa8dd4eaaa1"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
@@ -50,6 +46,7 @@ inherit deploy user-key-store
EXTRA_OEMAKE = "\ EXTRA_OEMAKE = "\
CROSS_COMPILE="${TARGET_PREFIX}" \ CROSS_COMPILE="${TARGET_PREFIX}" \
prefix="${STAGING_DIR_HOST}/${prefix}" \
LIB_GCC="`${CC} -print-libgcc-file-name`" \ LIB_GCC="`${CC} -print-libgcc-file-name`" \
LIB_PATH="${STAGING_LIBDIR}" \ LIB_PATH="${STAGING_LIBDIR}" \
EFI_PATH="${STAGING_LIBDIR}" \ EFI_PATH="${STAGING_LIBDIR}" \
@@ -68,6 +65,7 @@ EXTRA_OEMAKE = "\
if uks_signing_model(d) == 'user' else ''} \ if uks_signing_model(d) == 'user' else ''} \
ENABLE_HTTPBOOT=1 \ ENABLE_HTTPBOOT=1 \
OVERRIDE_SECURITY_POLICY=1 \ OVERRIDE_SECURITY_POLICY=1 \
ENABLE_SBSIGN=1 \
" "
PARALLEL_MAKE = "" PARALLEL_MAKE = ""