|
 |
e97c83 |
From fa2a35ce78b3dc4e9b29f47a9ebc675a97a9a7c7 Mon Sep 17 00:00:00 2001
|
|
|
e97c83 |
From: Peter Jones <pjones@redhat.com>
|
|
|
e97c83 |
Date: Wed, 27 Aug 2014 16:39:51 -0400
|
|
|
e97c83 |
Subject: [PATCH 54/74] Make sure we don't try to load a binary from a
|
|
|
e97c83 |
different arch.
|
|
|
e97c83 |
|
|
|
e97c83 |
Since in theory you could, for example, get an x86_64 binary signed that
|
|
|
e97c83 |
also behaves as an ARM executable, we should be checking this before
|
|
|
e97c83 |
people build on other architectures.
|
|
|
e97c83 |
|
|
|
e97c83 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
e97c83 |
---
|
|
|
e97c83 |
include/PeImage.h | 1 +
|
|
|
e97c83 |
shim.c | 19 +++++++++++++++++++
|
|
|
e97c83 |
2 files changed, 20 insertions(+)
|
|
|
e97c83 |
|
|
|
e97c83 |
diff --git a/include/PeImage.h b/include/PeImage.h
|
|
|
e97c83 |
index ec13404..133e11e 100644
|
|
|
e97c83 |
--- a/include/PeImage.h
|
|
|
e97c83 |
+++ b/include/PeImage.h
|
|
|
e97c83 |
@@ -49,6 +49,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|
|
e97c83 |
#define IMAGE_FILE_MACHINE_EBC 0x0EBC
|
|
|
e97c83 |
#define IMAGE_FILE_MACHINE_X64 0x8664
|
|
|
e97c83 |
#define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2
|
|
|
e97c83 |
+#define IMAGE_FILE_MACHINE_ARM64 0xaa64
|
|
|
e97c83 |
|
|
|
e97c83 |
//
|
|
|
e97c83 |
// EXE file formats
|
|
|
e97c83 |
diff --git a/shim.c b/shim.c
|
|
|
e97c83 |
index 1329212..1ec1e11 100644
|
|
|
e97c83 |
--- a/shim.c
|
|
|
e97c83 |
+++ b/shim.c
|
|
|
e97c83 |
@@ -947,6 +947,20 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
|
|
|
e97c83 |
return EFI_SUCCESS;
|
|
|
e97c83 |
}
|
|
|
e97c83 |
|
|
|
e97c83 |
+static const UINT16 machine_type =
|
|
|
e97c83 |
+#if defined(__x86_64__)
|
|
|
e97c83 |
+ IMAGE_FILE_MACHINE_X64;
|
|
|
e97c83 |
+#elif defined(__aarch64__)
|
|
|
e97c83 |
+ IMAGE_FILE_MACHINE_ARM64;
|
|
|
e97c83 |
+#elif defined(__arm__)
|
|
|
e97c83 |
+ IMAGE_FILE_MACHINE_ARMTHUMB_MIXED;
|
|
|
e97c83 |
+#elif defined(__i386__) || defined(__i486__) || defined(__i686__)
|
|
|
e97c83 |
+ IMAGE_FILE_MACHINE_I386;
|
|
|
e97c83 |
+#elif defined(__ia64__)
|
|
|
e97c83 |
+ IMAGE_FILE_MACHINE_IA64;
|
|
|
e97c83 |
+#else
|
|
|
e97c83 |
+#error this architecture is not supported by shim
|
|
|
e97c83 |
+#endif
|
|
|
e97c83 |
|
|
|
e97c83 |
/*
|
|
|
e97c83 |
* Once the image has been loaded it needs to be validated and relocated
|
|
|
e97c83 |
@@ -971,6 +985,11 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
|
|
|
e97c83 |
return efi_status;
|
|
|
e97c83 |
}
|
|
|
e97c83 |
|
|
|
e97c83 |
+ if (context.PEHdr->Pe32.FileHeader.Machine != machine_type) {
|
|
|
e97c83 |
+ perror(L"Image is for a different architecture\n");
|
|
|
e97c83 |
+ return EFI_UNSUPPORTED;
|
|
|
e97c83 |
+ }
|
|
|
e97c83 |
+
|
|
|
e97c83 |
/*
|
|
|
e97c83 |
* We only need to verify the binary if we're in secure mode
|
|
|
e97c83 |
*/
|
|
|
e97c83 |
--
|
|
|
e97c83 |
1.9.3
|
|
|
e97c83 |
|