From 3d62232feb296b238ca5d7963ba40a2c346767e7 Mon Sep 17 00:00:00 2001

From: Gary Lin <glin@suse.com>

Date: Wed, 19 Dec 2018 12:40:02 +0800

Subject: [PATCH 24/62] mok: also mirror the build cert to MokListRT

If the build cert is enabled, we should also mirror it to MokListRT.

Signed-off-by: Gary Lin <glin@suse.com>

Upstream-commit-id: aecbe1f99b6

---

 mok.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----

 1 file changed, 72 insertions(+), 6 deletions(-)

diff --git a/mok.c b/mok.c

index 2b9d796a0e8..6150d8c8868 100644

--- a/mok.c

+++ b/mok.c

@@ -68,6 +68,10 @@ struct mok_state_variable {

 	 */

 	UINT8 **addend_source;

 	UINT32 *addend_size;

+#if defined(ENABLE_SHIM_CERT)

+	UINT8 **build_cert;

+	UINT32 *build_cert_size;

+#endif /* defined(ENABLE_SHIM_CERT) */

 	UINT32 yes_attr;

 	UINT32 no_attr;

 	UINT32 flags;

@@ -90,6 +94,10 @@ struct mok_state_variable mok_state_variables[] = {

 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,

 	 .addend_source = &vendor_cert,

 	 .addend_size = &vendor_cert_size,

+#if defined(ENABLE_SHIM_CERT)

+	 .build_cert = &build_cert,

+	 .build_cert_size = &build_cert_size,

+#endif /* defined(ENABLE_SHIM_CERT) */

 	 .flags = MOK_MIRROR_KEYDB |

 		  MOK_VARIABLE_LOG,

 	 .pcr = 14,

@@ -130,6 +138,22 @@ struct mok_state_variable mok_state_variables[] = {

 	{ NULL, }

 };

+inline BOOLEAN check_vendor_cert(struct mok_state_variable *v)

+{

+	return (v->addend_source && v->addend_size &&

+		*v->addend_source && *v->addend_size) ? TRUE : FALSE;

+}

+#if defined(ENABLE_SHIM_CERT)

+inline BOOLEAN check_build_cert(struct mok_state_variable *v)

+{

+	return (v->build_cert && v->build_cert_size &&

+		*v->build_cert && *v->build_cert_size) ? TRUE : FALSE;

+}

+#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v))

+#else

+#define check_addend(v) check_vendor_cert(v)

+#endif /* defined(ENABLE_SHIM_CERT) */

+

 static EFI_STATUS nonnull(1)

 mirror_one_mok_variable(struct mok_state_variable *v)

 {

@@ -138,15 +162,27 @@ mirror_one_mok_variable(struct mok_state_variable *v)

 	UINTN FullDataSize = 0;

 	uint8_t *p = NULL;

-	if ((v->flags & MOK_MIRROR_KEYDB) &&

-	    v->addend_source && *v->addend_source &&

-	    v->addend_size && *v->addend_size) {

+	if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) {

 		EFI_SIGNATURE_LIST *CertList = NULL;

 		EFI_SIGNATURE_DATA *CertData = NULL;

+#if defined(ENABLE_SHIM_CERT)

+		FullDataSize = v->data_size;

+		if (check_build_cert(v)) {

+			FullDataSize += sizeof (*CertList)

+					+ sizeof (EFI_GUID)

+					+ *v->build_cert_size;

+		}

+		if (check_vendor_cert(v)) {

+			FullDataSize += sizeof (*CertList)

+					+ sizeof (EFI_GUID)

+					+ *v->addend_size;

+		}

+#else

 		FullDataSize = v->data_size

 			     + sizeof (*CertList)

 			     + sizeof (EFI_GUID)

 			     + *v->addend_size;

+#endif /* defined(ENABLE_SHIM_CERT) */

 		FullData = AllocatePool(FullDataSize);

 		if (!FullData) {

 			perror(L"Failed to allocate space for MokListRT\n");

@@ -158,6 +194,35 @@ mirror_one_mok_variable(struct mok_state_variable *v)

 			CopyMem(p, v->data, v->data_size);

 			p += v->data_size;

 		}

+

+#if defined(ENABLE_SHIM_CERT)

+		if (check_build_cert(v) == FALSE)

+			goto skip_build_cert;

+

+		CertList = (EFI_SIGNATURE_LIST *)p;

+		p += sizeof (*CertList);

+		CertData = (EFI_SIGNATURE_DATA *)p;

+		p += sizeof (EFI_GUID);

+

+		CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;

+		CertList->SignatureListSize = *v->build_cert_size

+					      + sizeof (*CertList)

+					      + sizeof (*CertData)

+					      -1;

+		CertList->SignatureHeaderSize = 0;

+		CertList->SignatureSize = *v->build_cert_size +

+					  sizeof (EFI_GUID);

+

+		CertData->SignatureOwner = SHIM_LOCK_GUID;

+		CopyMem(p, *v->build_cert, *v->build_cert_size);

+

+		p += *v->build_cert_size;

+

+		if (check_vendor_cert(v) == FALSE)

+			goto skip_vendor_cert;

+skip_build_cert:

+#endif /* defined(ENABLE_SHIM_CERT) */

+

 		CertList = (EFI_SIGNATURE_LIST *)p;

 		p += sizeof (*CertList);

 		CertData = (EFI_SIGNATURE_DATA *)p;

@@ -174,6 +239,9 @@ mirror_one_mok_variable(struct mok_state_variable *v)

 		CertData->SignatureOwner = SHIM_LOCK_GUID;

 		CopyMem(p, *v->addend_source, *v->addend_size);

+#if defined(ENABLE_SHIM_CERT)

+skip_vendor_cert:

+#endif /* defined(ENABLE_SHIM_CERT) */

 		if (v->data && v->data_size)

 			FreePool(v->data);

 		v->data = FullData;

@@ -247,9 +315,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)

 		UINT32 attrs = 0;

 		BOOLEAN delete = FALSE, present, addend;

-		addend = (v->addend_source && v->addend_size &&

-			  *v->addend_source && *v->addend_size)

-			? TRUE : FALSE;

+		addend = check_addend(v);

 		efi_status = get_variable_attr(v->name,

 					       &v->data, &v->data_size,

-- 

2.26.2