From 7d542805ba5c48185128a2351bb315a5648fe3d7 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Thu, 23 Jul 2020 00:08:30 -0400

Subject: [PATCH 56/62] Make cert.S not impossible to read.

Signed-off-by: Peter Jones <pjones@redhat.com>

Upstream: pr#206

---

 shim.c | 47 +++++++++++++++++--------------

 shim.h | 28 +++++++++++++++---

 cert.S | 89 ++++++++++++++++++++++------------------------------------

 3 files changed, 84 insertions(+), 80 deletions(-)

diff --git a/shim.c b/shim.c

index 0e7e784b4c8..888ee6e8d7b 100644

--- a/shim.c

+++ b/shim.c

@@ -68,16 +68,18 @@ static UINT32 load_options_size;

  * The vendor certificate used for validating the second stage loader

  */

 extern struct {

-	UINT32 vendor_cert_size;

-	UINT32 vendor_dbx_size;

-	UINT32 vendor_cert_offset;

-	UINT32 vendor_dbx_offset;

+	UINT32 vendor_authorized_size;

+	UINT32 vendor_deauthorized_size;

+	UINT32 vendor_authorized_offset;

+	UINT32 vendor_deauthorized_offset;

 } cert_table;

-UINT32 vendor_cert_size;

-UINT32 vendor_dbx_size;

-UINT8 *vendor_cert;

-UINT8 *vendor_dbx;

+UINT32 vendor_authorized_size = 0;

+UINT8 *vendor_authorized = NULL;

+

+UINT32 vendor_deauthorized_size = 0;

+UINT8 *vendor_deauthorized = NULL;

+

 #if defined(ENABLE_SHIM_CERT)

 UINT32 build_cert_size;

 UINT8 *build_cert;

@@ -554,22 +556,22 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,

 static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,

 				   UINT8 *sha256hash, UINT8 *sha1hash)

 {

-	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;

+	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized;

-	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,

+	if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha256hash,

 			SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx",

 			EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {

 		LogError(L"binary sha256hash found in vendor dbx\n");

 		return EFI_SECURITY_VIOLATION;

 	}

-	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,

+	if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha1hash,

 				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx",

 				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {

 		LogError(L"binary sha1hash found in vendor dbx\n");

 		return EFI_SECURITY_VIOLATION;

 	}

 	if (cert &&

-	    check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx",

+	    check_db_cert_in_ram(dbx, vendor_deauthorized_size, cert, sha256hash, L"dbx",

 				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {

 		LogError(L"cert sha256hash found in vendor dbx\n");

 		return EFI_SECURITY_VIOLATION;

@@ -1077,19 +1079,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,

 		/*

 		 * And finally, check against shim's built-in key

 		 */

-		if (vendor_cert_size &&

+		if (vendor_authorized_size &&

 		    AuthenticodeVerify(cert->CertData,

 				       cert->Hdr.dwLength - sizeof(cert->Hdr),

-				       vendor_cert, vendor_cert_size,

+				       vendor_authorized, vendor_authorized_size,

 				       sha256hash, SHA256_DIGEST_SIZE)) {

 			update_verification_method(VERIFIED_BY_CERT);

 			tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,

-					     vendor_cert_size, vendor_cert);

+					     vendor_authorized_size, vendor_authorized);

 			efi_status = EFI_SUCCESS;

 			drain_openssl_errors();

 			return efi_status;

 		} else {

-			LogError(L"AuthenticodeVerify(vendor_cert) failed\n");

+			LogError(L"AuthenticodeVerify(vendor_authorized) failed\n");

 		}

 	}

@@ -2501,7 +2503,7 @@ shim_init(void)

 	}

 	if (secure_mode()) {

-		if (vendor_cert_size || vendor_dbx_size) {

+		if (vendor_authorized_size || vendor_deauthorized_size) {

 			/*

 			 * If shim includes its own certificates then ensure

 			 * that anything it boots has performed some

@@ -2606,14 +2608,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)

 	verification_method = VERIFIED_BY_NOTHING;

-	vendor_cert_size = cert_table.vendor_cert_size;

-	vendor_dbx_size = cert_table.vendor_dbx_size;

-	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;

-	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;

+	vendor_authorized_size = cert_table.vendor_authorized_size;

+	vendor_authorized = (UINT8 *)&cert_table + cert_table.vendor_authorized_offset;

+

+	vendor_deauthorized_size = cert_table.vendor_deauthorized_size;

+	vendor_deauthorized = (UINT8 *)&cert_table + cert_table.vendor_deauthorized_offset;

+

 #if defined(ENABLE_SHIM_CERT)

 	build_cert_size = sizeof(shim_cert);

 	build_cert = shim_cert;

 #endif /* defined(ENABLE_SHIM_CERT) */

+

 	CHAR16 *msgs[] = {

 		L"import_mok_state() failed",

 		L"shim_init() failed",

diff --git a/shim.h b/shim.h

index a0fa5a75e7e..555498c6673 100644

--- a/shim.h

+++ b/shim.h

@@ -97,6 +97,24 @@

 #define FALLBACK L"\\fb" EFI_ARCH L".efi"

 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"

+#if defined(VENDOR_CERT_FILE)

+# define vendor_authorized vendor_cert

+# define vendor_authorized_size vendor_cert_size

+# define vendor_authorized_category VENDOR_ADDEND_X509

+#else

+# define vendor_authorized vendor_null

+# define vendor_authorized_size vendor_null_size

+# define vendor_authorized_category VENDOR_ADDEND_NONE

+#endif

+

+#if defined(VENDOR_DBX_FILE)

+# define vendor_deauthorized vendor_dbx

+# define vendor_deauthorized_size vendor_dbx_size

+#else

+# define vendor_deauthorized vendor_deauthorized_null

+# define vendor_deauthorized_size vendor_deauthorized_null_size

+#endif

+

 #include "include/asm.h"

 #include "include/configtable.h"

 #include "include/console.h"

@@ -166,10 +184,12 @@ extern VOID ClearErrors(VOID);

 extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);

 extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);

-extern UINT32 vendor_cert_size;

-extern UINT32 vendor_dbx_size;

-extern UINT8 *vendor_cert;

-extern UINT8 *vendor_dbx;

+extern UINT32 vendor_authorized_size;

+extern UINT8 *vendor_authorized;

+

+extern UINT32 vendor_deauthorized_size;

+extern UINT8 *vendor_deauthorized;

+

 #if defined(ENABLE_SHIM_CERT)

 extern UINT32 build_cert_size;

 extern UINT8 *build_cert;

diff --git a/cert.S b/cert.S

index cfc4525b44c..520caaef3af 100644

--- a/cert.S

+++ b/cert.S

@@ -1,65 +1,44 @@

+

+#if defined(VENDOR_CERT_FILE)

+# define vendor_authorized vendor_cert

+# define vendor_authorized_end vendor_cert_end

+# define vendor_authorized_size vendor_cert_size

+# define vendor_authorized_size_end vendor_cert_size_end

+#endif

+

+#if defined(VENDOR_DBX_FILE)

+# define vendor_deauthorized vendor_dbx

+# define vendor_deauthorized_end vendor_dbx_end

+# define vendor_deauthorized_size vendor_dbx_size

+# define vendor_deauthorized_size_end vendor_dbx_size_end

+#endif

+

 	.globl cert_table

 	.type	cert_table, %object

-	.size	cert_table, 4

+	.size	cert_table, .Lcert_table_end - cert_table

 	.section .vendor_cert, "a", %progbits

+	.balignl 4, 0

 cert_table:

-#if defined(VENDOR_CERT_FILE)

-	.long	vendor_cert_priv_end - vendor_cert_priv

-#else

-	.long	0

-#endif

-#if defined(VENDOR_DBX_FILE)

-	.long	vendor_dbx_priv_end - vendor_dbx_priv

-#else

-	.long	0

-#endif

-	.long	vendor_cert_priv - cert_table

-	.long	vendor_dbx_priv - cert_table

-#if defined(VENDOR_CERT_FILE)

-	.data

-	.align	1

-	.type	vendor_cert_priv, %object

-	.size	vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv

+	.4byte	.Lvendor_authorized_end - vendor_authorized

+	.4byte	.Lvendor_deauthorized_end - vendor_deauthorized

+	.4byte	vendor_authorized - cert_table

+	.4byte	vendor_deauthorized - cert_table

+	.balign	1, 0

+	.type	vendor_authorized, %object

+	.size	vendor_authorized, .Lvendor_authorized_end - vendor_authorized

 	.section .vendor_cert, "a", %progbits

-vendor_cert_priv:

+vendor_authorized:

+#if defined(VENDOR_CERT_FILE)

 .incbin VENDOR_CERT_FILE

-vendor_cert_priv_end:

-#else

-	.bss

-	.type	vendor_cert_priv, %object

-	.size	vendor_cert_priv, 1

-	.section .vendor_cert, "a", %progbits

-vendor_cert_priv:

-	.zero	1

-

-	.data

-	.align 4

-	.type	vendor_cert_size_priv, %object

-	.size	vendor_cert_size_priv, 4

-	.section .vendor_cert, "a", %progbits

-vendor_cert_priv_end:

 #endif

+.Lvendor_authorized_end:

+	.balign	1, 0

+	.type	vendor_deauthorized, %object

+	.size	vendor_deauthorized, .Lvendor_deauthorized_end - vendor_deauthorized

+	.section .vendor_cert, "a", %progbits

+vendor_deauthorized:

 #if defined(VENDOR_DBX_FILE)

-	.data

-	.align	1

-	.type	vendor_dbx_priv, %object

-	.size	vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv

-	.section .vendor_cert, "a", %progbits

-vendor_dbx_priv:

 .incbin VENDOR_DBX_FILE

-vendor_dbx_priv_end:

-#else

-	.bss

-	.type	vendor_dbx_priv, %object

-	.size	vendor_dbx_priv, 1

-	.section .vendor_cert, "a", %progbits

-vendor_dbx_priv:

-	.zero	1

-

-	.data

-	.align 4

-	.type	vendor_dbx_size_priv, %object

-	.size	vendor_dbx_size_priv, 4

-	.section .vendor_cert, "a", %progbits

-vendor_dbx_priv_end:

 #endif

+.Lvendor_deauthorized_end:

+.Lcert_table_end:

-- 

2.26.2