From 032365921b81469dffc5bc5ac3302e9e43a4fe70 Mon Sep 17 00:00:00 2001 From: Johnny Hughes Date: Nov 16 2018 19:44:04 +0000 Subject: Added new centos ESL file , using new x509 TLS cert --- diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch new file mode 100644 index 0000000..c7de89d --- /dev/null +++ b/SOURCES/0001-Add-vendor-esl.patch 
@@ -0,0 +1,318 @@ +From ad8b20e8e2cd71418a536a8068f8e37222bd3855 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Sat, 21 Jul 2018 04:12:57 +0200 +Subject: [PATCH] Implement vendor EFI Signature List (ESL) + +Signed-off-by: Patrick Uiterwijk +--- + Make.defaults | 3 ++ + cert.S | 30 +++++++++++++++ + mok.c | 100 +++++++++++++++++++++++++++++--------------------- + shim.c | 25 +++++++++++++ + shim.h | 2 + + 5 files changed, 119 insertions(+), 41 deletions(-) + +diff --git a/Make.defaults b/Make.defaults +index bbfc1d7f..d8b4ba25 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -124,6 +124,9 @@ CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/sha + ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" + endif ++ifneq ($(origin VENDOR_ESL_FILE), undefined) ++ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\" ++endif + ifneq ($(origin VENDOR_DBX_FILE), undefined) + CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" + endif +diff --git a/cert.S b/cert.S +index cfc4525b..7ad782ab 100644 +--- a/cert.S ++++ b/cert.S +@@ -8,12 +8,18 @@ cert_table: + #else + .long 0 + #endif ++#if defined(VENDOR_ESL_FILE) ++ .long vendor_esl_priv_end - vendor_esl_priv ++#else ++ .long 0 ++#endif + #if defined(VENDOR_DBX_FILE) + .long vendor_dbx_priv_end - vendor_dbx_priv + #else + .long 0 + #endif + .long vendor_cert_priv - cert_table ++ .long vendor_esl_priv - cert_table + .long vendor_dbx_priv - cert_table + #if defined(VENDOR_CERT_FILE) + .data +@@ -39,6 +45,30 @@ vendor_cert_priv: + .section .vendor_cert, "a", %progbits + vendor_cert_priv_end: + #endif ++#if defined(VENDOR_ESL_FILE) ++ .data ++ .align 1 ++ .type vendor_esl_priv, %object ++ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv ++ .section .vendor_cert, "a", %progbits ++vendor_esl_priv: ++.incbin VENDOR_ESL_FILE ++vendor_esl_priv_end: ++#else ++ .bss ++ .type vendor_esl_priv, %object ++ .size vendor_esl_priv, 1 ++ .section 
.vendor_cert, "a", %progbits ++vendor_esl_priv: ++ .zero 1 ++ ++ .data ++ .align 4 ++ .type vendor_esl_size_priv, %object ++ .size vendor_esl_size_priv, 4 ++ .section .vendor_cert, "a", %progbits ++vendor_esl_priv_end: ++#endif + #if defined(VENDOR_DBX_FILE) + .data + .align 1 +diff --git a/mok.c b/mok.c +index 38675211..7734806b 100644 +--- a/mok.c ++++ b/mok.c +@@ -62,12 +62,6 @@ struct mok_state_variable { + EFI_GUID *guid; + UINT8 *data; + UINTN data_size; +- /* +- * These two are indirect pointers just to make initialization +- * saner... +- */ +- UINT8 **addend_source; +- UINT32 *addend_size; + UINT32 yes_attr; + UINT32 no_attr; + UINT32 flags; +@@ -75,10 +69,11 @@ struct mok_state_variable { + UINT8 *state; + }; + +-#define MOK_MIRROR_KEYDB 0x01 +-#define MOK_MIRROR_DELETE_FIRST 0x02 +-#define MOK_VARIABLE_MEASURE 0x04 +-#define MOK_VARIABLE_LOG 0x08 ++#define MOK_MIRROR_KEYDB 0x01 ++#define MOK_MIRROR_DELETE_FIRST 0x02 ++#define MOK_VARIABLE_MEASURE 0x04 ++#define MOK_VARIABLE_LOG 0x08 ++#define MOK_VARIABLE_APPEND_CERT 0x10 + + struct mok_state_variable mok_state_variables[] = { + {.name = L"MokList", +@@ -88,10 +83,9 @@ struct mok_state_variable mok_state_variables[] = { + .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_NON_VOLATILE, + .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, +- .addend_source = &vendor_cert, +- .addend_size = &vendor_cert_size, + .flags = MOK_MIRROR_KEYDB | +- MOK_VARIABLE_LOG, ++ MOK_VARIABLE_LOG | ++ MOK_VARIABLE_APPEND_CERT, + .pcr = 14, + }, + {.name = L"MokListX", +@@ -138,40 +132,54 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) + uint8_t *p = NULL; + + if ((v->flags & MOK_MIRROR_KEYDB) && +- v->addend_source && *v->addend_source && +- v->addend_size && *v->addend_size) { +- EFI_SIGNATURE_LIST *CertList = NULL; +- EFI_SIGNATURE_DATA *CertData = NULL; +- FullDataSize = v->data_size +- + sizeof (*CertList) +- + sizeof (EFI_GUID) +- + *v->addend_size; ++ (v->flags & MOK_VARIABLE_APPEND_CERT)) { 
++ FullDataSize = v->data_size; ++ ++ if (vendor_esl_size) { ++ FullDataSize += vendor_esl_size; ++ } ++ if (vendor_cert_size) { ++ FullDataSize += sizeof (EFI_SIGNATURE_LIST) ++ + sizeof (EFI_GUID) ++ + vendor_cert_size; ++ } ++ + FullData = AllocatePool(FullDataSize); + if (!FullData) { + perror(L"Failed to allocate space for MokListRT\n"); + return EFI_OUT_OF_RESOURCES; + } + p = FullData; +- + if (!EFI_ERROR(efi_status) && v->data_size > 0) { + CopyMem(p, v->data, v->data_size); + p += v->data_size; + } +- CertList = (EFI_SIGNATURE_LIST *)p; +- p += sizeof (*CertList); +- CertData = (EFI_SIGNATURE_DATA *)p; +- p += sizeof (EFI_GUID); +- +- CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; +- CertList->SignatureListSize = *v->addend_size +- + sizeof (*CertList) +- + sizeof (*CertData) +- -1; +- CertList->SignatureHeaderSize = 0; +- CertList->SignatureSize = *v->addend_size + sizeof (EFI_GUID); +- +- CertData->SignatureOwner = SHIM_LOCK_GUID; +- CopyMem(p, *v->addend_source, *v->addend_size); ++ ++ if (vendor_esl_size) { ++ CopyMem(p, vendor_esl, vendor_esl_size); ++ p += vendor_esl_size; ++ } ++ ++ if (vendor_cert_size) { ++ EFI_SIGNATURE_LIST *CertList = NULL; ++ EFI_SIGNATURE_DATA *CertData = NULL; ++ ++ CertList = (EFI_SIGNATURE_LIST *)p; ++ p += sizeof (*CertList); ++ CertData = (EFI_SIGNATURE_DATA *)p; ++ p += sizeof (EFI_GUID); ++ ++ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; ++ CertList->SignatureListSize = vendor_cert_size ++ + sizeof (*CertList) ++ + sizeof (*CertData) ++ -1; ++ CertList->SignatureHeaderSize = 0; ++ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); ++ ++ CertData->SignatureOwner = SHIM_LOCK_GUID; ++ CopyMem(p, vendor_cert, vendor_cert_size); ++ } + + if (v->data && v->data_size) + FreePool(v->data); +@@ -223,11 +231,24 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + UINT32 attrs = 0; + BOOLEAN delete = FALSE, present, addend; + ++ addend = (v->flags & MOK_VARIABLE_APPEND_CERT) != 0; ++ + efi_status = 
get_variable_attr(v->name, + &v->data, &v->data_size, + *v->guid, &attrs); +- if (efi_status == EFI_NOT_FOUND) ++ if (efi_status == EFI_NOT_FOUND) { ++ if (v->rtname && addend) { ++ efi_status = mirror_one_mok_variable(v); ++ if (EFI_ERROR(efi_status) && ++ ret != EFI_SECURITY_VIOLATION) ++ ret = efi_status; ++ } ++ /* ++ * after possibly adding, we can continue, no ++ * further checks to be done. ++ */ + continue; ++ } + if (EFI_ERROR(efi_status)) { + perror(L"Could not verify %s: %r\n", v->name, + efi_status); +@@ -272,9 +293,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + } + + present = (v->data && v->data_size) ? TRUE : FALSE; +- addend = (v->addend_source && v->addend_size && +- *v->addend_source && *v->addend_size) +- ? TRUE : FALSE; + + if (v->flags & MOK_VARIABLE_MEASURE && present) { + /* +diff --git a/shim.c b/shim.c +index 05fc6500..64b79da5 100644 +--- a/shim.c ++++ b/shim.c +@@ -66,14 +66,18 @@ static UINT32 load_options_size; + */ + extern struct { + UINT32 vendor_cert_size; ++ UINT32 vendor_esl_size; + UINT32 vendor_dbx_size; + UINT32 vendor_cert_offset; ++ UINT32 vendor_esl_offset; + UINT32 vendor_dbx_offset; + } cert_table; + + UINT32 vendor_cert_size; ++UINT32 vendor_esl_size; + UINT32 vendor_dbx_size; + UINT8 *vendor_cert; ++UINT8 *vendor_esl; + UINT8 *vendor_dbx; + + /* +@@ -1065,6 +1069,25 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + } + #endif /* defined(ENABLE_SHIM_CERT) */ + ++ /* ++ * Check against a built-in EFI Signature List (ESL) ++ */ ++ if (vendor_esl_size && ++ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl, ++ vendor_esl_size, ++ cert, ++ sha256hash, ++ L"Shim", ++ SHIM_LOCK_GUID) == DATA_FOUND) { ++ update_verification_method(VERIFIED_BY_CERT); ++ // tpm_measurement is done by check_db_cert_in_ram ++ efi_status = EFI_SUCCESS; ++ drain_openssl_errors(); ++ return efi_status; ++ } else { ++ LogError(L"check_db_cert_in_ram(vendor_esl) failed\n"); ++ } ++ + /* + * And finally, check against shim's 
built-in key + */ +@@ -2541,8 +2564,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) + verification_method = VERIFIED_BY_NOTHING; + + vendor_cert_size = cert_table.vendor_cert_size; ++ vendor_esl_size = cert_table.vendor_esl_size; + vendor_dbx_size = cert_table.vendor_dbx_size; + vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; ++ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset; + vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; + CHAR16 *msgs[] = { + L"import_mok_state() failed\n", +diff --git a/shim.h b/shim.h +index 2b359d82..2e411040 100644 +--- a/shim.h ++++ b/shim.h +@@ -167,8 +167,10 @@ extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath); + extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle); + + extern UINT32 vendor_cert_size; ++extern UINT32 vendor_esl_size; + extern UINT32 vendor_dbx_size; + extern UINT8 *vendor_cert; ++extern UINT8 *vendor_esl; + extern UINT8 *vendor_dbx; + + extern UINT8 user_insecure_mode; diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl new file mode 100644 index 0000000..c0815a7 Binary files /dev/null and b/SOURCES/centos.esl differ diff --git a/SPECS/shim.spec b/SPECS/shim.spec index 97117dd..cc652ac 100644 --- a/SPECS/shim.spec +++ b/SPECS/shim.spec @@ -6,11 +6,14 @@ Summary: First-stage UEFI bootloader License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: securebootca.cer +#Source1: centos.crt # currently here's what's in our dbx: # nothing. #Source2: dbx-x64.esl #Source3: dbx-aa64.esl Source4: shim-find-debuginfo.sh +Source5: centos.esl + +Patch0: 0001-Add-vendor-esl.patch BuildRequires: git openssl-devel openssl BuildRequires: pesign >= 0.106-1 
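Review bot: In import_mok_state, `addend` is now derived solely from MOK_VARIABLE_APPEND_CERT, and the matching condition in mirror_one_mok_variable no longer checks that any vendor data is present, so a build with neither VENDOR_CERT_FILE nor VENDOR_ESL_FILE still takes the append path on EFI_NOT_FOUND and reaches `AllocatePool(v->data_size)` with a size that may be 0, where the removed `*v->addend_size` test used to skip it. I would gate both sites on the sizes, e.g. `addend = (v->flags & MOK_VARIABLE_APPEND_CERT) && (vendor_cert_size || vendor_esl_size);` in import_mok_state and the same `(vendor_esl_size || vendor_cert_size)` term added to the `if` in mirror_one_mok_variable. Separately, the new verify_buffer block is commented as a check against the ESL but only calls check_db_cert_in_ram, so any non-X509 (hash) entries in centos.esl would presumably be ignored rather than honoured — fail-closed, but worth stating with `/* only X509 entries of the vendor ESL are consulted here */` — and the `else` LogError fires even when vendor_esl_size is 0, which reads as a spurious failure on builds without an ESL. Both import_mok_state and mirror_one_mok_variable extend beyond the inner hunks shown here.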
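Review bot: The hunk replaces `Source1: securebootca.cer` with a commented-out `#Source1: centos.crt`, yet the `%else` branch further down (visible in the next hunk) still tests `[ -f "%{SOURCE1}" ]` and passes `VENDOR_CERT_FILE=%{SOURCE1}`; with no Source1 declared that macro is not defined, so the branch is now dead or, depending on rpmbuild's undefined-macro handling, a build-time error — either drop those lines or keep Source1 declared. Since centos.esl is an opaque binary that replaces a reviewable certificate and is the trust root shim will use for the second-stage loader, the spec should record what it contains; I would add next to `Source5:` a comment such as `# centos.esl: EFI_SIGNATURE_LIST holding the previous and the new CentOS signing CA certs (see changelog); list their SHA-256 fingerprints here and note how the blob was generated (e.g. efitools cert-to-efi-sig-list) so it can be re-verified`. The %changelog line is the only place the "combined" content is described today.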
@@ -127,6 +130,10 @@ fi if [ -f "%{SOURCE3}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}" fi +if [ -f "%{SOURCE5}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" +fi + %else if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" @@ -134,6 +141,10 @@ fi if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +if [ -f "%{SOURCE5}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" +fi + %endif cd %{name}-%{version}-%{efiarch} make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi @@ -217,6 +228,10 @@ cd ../%{name}-%{version}-%{efiarch} %endif %changelog +* Tue Oct 30 2018 Fabian Arrotin - 15-1.el7.centos +- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk) +- Rebuilt with combined centos.esl (so new and previous crt) + * Mon Jun 18 2018 Peter Jones - 15-1 - Update to shim 15 Resolves: rhbz#1589961
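Review bot: The `if [ -f "%{SOURCE5}" ]` guard is copied verbatim into both the `%if` and `%else` branches, and because Source5 is declared the test is effectively always true, so the conditional only suggests the ESL is optional; if the file ever went missing the build would silently produce a shim with no vendor trust rather than fail. I would hoist a single unconditional block after `%endif`, e.g. `MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"`, or, if a guard is wanted, make it abort: `[ -f "%{SOURCE5}" ] || { echo "centos.esl missing" >&2; exit 1; }`. The dbx `-f` tests around it are a different case, since an absent dbx is an acceptable (empty) revocation list.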