|
 |
6a35ff |
From 3d62232feb296b238ca5d7963ba40a2c346767e7 Mon Sep 17 00:00:00 2001
|
|
|
6a35ff |
From: Gary Lin <glin@suse.com>
|
|
|
6a35ff |
Date: Wed, 19 Dec 2018 12:40:02 +0800
|
|
|
6a35ff |
Subject: [PATCH 24/62] mok: also mirror the build cert to MokListRT
|
|
|
6a35ff |
|
|
|
6a35ff |
If the build cert is enabled, we should also mirror it to MokListRT.
|
|
|
6a35ff |
|
|
|
6a35ff |
Signed-off-by: Gary Lin <glin@suse.com>
|
|
|
6a35ff |
Upstream-commit-id: aecbe1f99b6
|
|
|
6a35ff |
---
|
|
|
6a35ff |
mok.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
|
|
|
6a35ff |
1 file changed, 72 insertions(+), 6 deletions(-)
|
|
|
6a35ff |
|
|
|
6a35ff |
diff --git a/mok.c b/mok.c
|
|
|
6a35ff |
index 2b9d796a0e8..6150d8c8868 100644
|
|
|
6a35ff |
--- a/mok.c
|
|
|
6a35ff |
+++ b/mok.c
|
|
|
6a35ff |
@@ -68,6 +68,10 @@ struct mok_state_variable {
|
|
|
6a35ff |
*/
|
|
|
6a35ff |
UINT8 **addend_source;
|
|
|
6a35ff |
UINT32 *addend_size;
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+ UINT8 **build_cert;
|
|
|
6a35ff |
+ UINT32 *build_cert_size;
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
UINT32 yes_attr;
|
|
|
6a35ff |
UINT32 no_attr;
|
|
|
6a35ff |
UINT32 flags;
|
|
|
6a35ff |
@@ -90,6 +94,10 @@ struct mok_state_variable mok_state_variables[] = {
|
|
|
6a35ff |
.no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
|
|
|
6a35ff |
.addend_source = &vendor_cert,
|
|
|
6a35ff |
.addend_size = &vendor_cert_size,
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+ .build_cert = &build_cert,
|
|
|
6a35ff |
+ .build_cert_size = &build_cert_size,
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
.flags = MOK_MIRROR_KEYDB |
|
|
|
6a35ff |
MOK_VARIABLE_LOG,
|
|
|
6a35ff |
.pcr = 14,
|
|
|
6a35ff |
@@ -130,6 +138,22 @@ struct mok_state_variable mok_state_variables[] = {
|
|
|
6a35ff |
{ NULL, }
|
|
|
6a35ff |
};
|
|
|
6a35ff |
|
|
|
6a35ff |
+inline BOOLEAN check_vendor_cert(struct mok_state_variable *v)
|
|
|
6a35ff |
+{
|
|
|
6a35ff |
+ return (v->addend_source && v->addend_size &&
|
|
|
6a35ff |
+ *v->addend_source && *v->addend_size) ? TRUE : FALSE;
|
|
|
6a35ff |
+}
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+inline BOOLEAN check_build_cert(struct mok_state_variable *v)
|
|
|
6a35ff |
+{
|
|
|
6a35ff |
+ return (v->build_cert && v->build_cert_size &&
|
|
|
6a35ff |
+ *v->build_cert && *v->build_cert_size) ? TRUE : FALSE;
|
|
|
6a35ff |
+}
|
|
|
6a35ff |
+#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v))
|
|
|
6a35ff |
+#else
|
|
|
6a35ff |
+#define check_addend(v) check_vendor_cert(v)
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
+
|
|
|
6a35ff |
static EFI_STATUS nonnull(1)
|
|
|
6a35ff |
mirror_one_mok_variable(struct mok_state_variable *v)
|
|
|
6a35ff |
{
|
|
|
6a35ff |
@@ -138,15 +162,27 @@ mirror_one_mok_variable(struct mok_state_variable *v)
|
|
|
6a35ff |
UINTN FullDataSize = 0;
|
|
|
6a35ff |
uint8_t *p = NULL;
|
|
|
6a35ff |
|
|
|
6a35ff |
- if ((v->flags & MOK_MIRROR_KEYDB) &&
|
|
|
6a35ff |
- v->addend_source && *v->addend_source &&
|
|
|
6a35ff |
- v->addend_size && *v->addend_size) {
|
|
|
6a35ff |
+ if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) {
|
|
|
6a35ff |
EFI_SIGNATURE_LIST *CertList = NULL;
|
|
|
6a35ff |
EFI_SIGNATURE_DATA *CertData = NULL;
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+ FullDataSize = v->data_size;
|
|
|
6a35ff |
+ if (check_build_cert(v)) {
|
|
|
6a35ff |
+ FullDataSize += sizeof (*CertList)
|
|
|
6a35ff |
+ + sizeof (EFI_GUID)
|
|
|
6a35ff |
+ + *v->build_cert_size;
|
|
|
6a35ff |
+ }
|
|
|
6a35ff |
+ if (check_vendor_cert(v)) {
|
|
|
6a35ff |
+ FullDataSize += sizeof (*CertList)
|
|
|
6a35ff |
+ + sizeof (EFI_GUID)
|
|
|
6a35ff |
+ + *v->addend_size;
|
|
|
6a35ff |
+ }
|
|
|
6a35ff |
+#else
|
|
|
6a35ff |
FullDataSize = v->data_size
|
|
|
6a35ff |
+ sizeof (*CertList)
|
|
|
6a35ff |
+ sizeof (EFI_GUID)
|
|
|
6a35ff |
+ *v->addend_size;
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
FullData = AllocatePool(FullDataSize);
|
|
|
6a35ff |
if (!FullData) {
|
|
|
6a35ff |
perror(L"Failed to allocate space for MokListRT\n");
|
|
|
6a35ff |
@@ -158,6 +194,35 @@ mirror_one_mok_variable(struct mok_state_variable *v)
|
|
|
6a35ff |
CopyMem(p, v->data, v->data_size);
|
|
|
6a35ff |
p += v->data_size;
|
|
|
6a35ff |
}
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+ if (check_build_cert(v) == FALSE)
|
|
|
6a35ff |
+ goto skip_build_cert;
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+ CertList = (EFI_SIGNATURE_LIST *)p;
|
|
|
6a35ff |
+ p += sizeof (*CertList);
|
|
|
6a35ff |
+ CertData = (EFI_SIGNATURE_DATA *)p;
|
|
|
6a35ff |
+ p += sizeof (EFI_GUID);
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
|
|
|
6a35ff |
+ CertList->SignatureListSize = *v->build_cert_size
|
|
|
6a35ff |
+ + sizeof (*CertList)
|
|
|
6a35ff |
+ + sizeof (*CertData)
|
|
|
6a35ff |
+ -1;
|
|
|
6a35ff |
+ CertList->SignatureHeaderSize = 0;
|
|
|
6a35ff |
+ CertList->SignatureSize = *v->build_cert_size +
|
|
|
6a35ff |
+ sizeof (EFI_GUID);
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
|
6a35ff |
+ CopyMem(p, *v->build_cert, *v->build_cert_size);
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+ p += *v->build_cert_size;
|
|
|
6a35ff |
+
|
|
|
6a35ff |
+ if (check_vendor_cert(v) == FALSE)
|
|
|
6a35ff |
+ goto skip_vendor_cert;
|
|
|
6a35ff |
+skip_build_cert:
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
+
|
|
|
6a35ff |
CertList = (EFI_SIGNATURE_LIST *)p;
|
|
|
6a35ff |
p += sizeof (*CertList);
|
|
|
6a35ff |
CertData = (EFI_SIGNATURE_DATA *)p;
|
|
|
6a35ff |
@@ -174,6 +239,9 @@ mirror_one_mok_variable(struct mok_state_variable *v)
|
|
|
6a35ff |
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
|
6a35ff |
CopyMem(p, *v->addend_source, *v->addend_size);
|
|
|
6a35ff |
|
|
|
6a35ff |
+#if defined(ENABLE_SHIM_CERT)
|
|
|
6a35ff |
+skip_vendor_cert:
|
|
|
6a35ff |
+#endif /* defined(ENABLE_SHIM_CERT) */
|
|
|
6a35ff |
if (v->data && v->data_size)
|
|
|
6a35ff |
FreePool(v->data);
|
|
|
6a35ff |
v->data = FullData;
|
|
|
6a35ff |
@@ -247,9 +315,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
|
|
6a35ff |
UINT32 attrs = 0;
|
|
|
6a35ff |
BOOLEAN delete = FALSE, present, addend;
|
|
|
6a35ff |
|
|
|
6a35ff |
- addend = (v->addend_source && v->addend_size &&
|
|
|
6a35ff |
- *v->addend_source && *v->addend_size)
|
|
|
6a35ff |
- ? TRUE : FALSE;
|
|
|
6a35ff |
+ addend = check_addend(v);
|
|
|
6a35ff |
|
|
|
6a35ff |
efi_status = get_variable_attr(v->name,
|
|
|
6a35ff |
&v->data, &v->data_size,
|
|
|
6a35ff |
--
|
|
|
6a35ff |
2.26.2
|
|
|
6a35ff |
|