
Sign MokManager with a locally-generated key

shim needs to verify that MokManager hasn't been modified, but we want to
be able to support configurations where shim is shipped without a vendor
certificate. This patch adds support for generating a certificate at build
time, incorporating the public half into shim and signing MokManager with
the private half. It uses pesign and nss, but still requires openssl for
key generation. Anyone using sbsign will need to figure this out for
themselves.
Matthew Garrett
Matthew Garrett committed Nov 24, 2012
1 parent 2fd180a commit 6d50f87a06ff70d2075863f4c145235c081263d6
Showing with 597 additions and 9 deletions.
  1. +25 −3 Makefile
  2. +554 −0 make-certs
  3. +18 −6 shim.c
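--- a/Makefile
+++ b/Makefile
@@ -28,15 +28,33 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
 VERSION = 0.2
-TARGET = shim.efi MokManager.efi
+TARGET = shim.efi MokManager.efi.signed
 OBJS = shim.o netboot.o cert.o dbx.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
 SOURCES = shim.c shim.h netboot.c signature.h PeImage.h
 MOK_OBJS = MokManager.o
 MOK_SOURCES = MokManager.c shim.h
 all: $(TARGET)
-shim.o: $(SOURCES)
+shim.crt:
+ ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+ openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+ echo "static UINT8 shim_cert[] = {" > $@
+ hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ echo "};" >> $@
+
+certdb/secmod.db: shim.crt
+ -mkdir certdb
+ certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
+ pk12util -d certdb/ -i shim.p12 -W "" -K ""
+ certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
 cert.o : cert.S
 $(CC) $(CFLAGS) -c -o $@ $<
@@ -70,10 +88,14 @@ Cryptlib/OpenSSL/libopenssl.a:
 -j .debug_line -j .debug_str -j .debug_ranges \
 --target=efi-app-$(ARCH) $^ $@.debug
+%.efi.signed: %.efi certdb/secmod.db
+ pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
 clean:
 $(MAKE) -C Cryptlib clean
 $(MAKE) -C Cryptlib/OpenSSL clean
- rm -f $(TARGET) $(OBJS)
+ rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(KEYS) certdb
+ rm -f *.debug *.so
 GITTAG = $(VERSION)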
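Review bot: The `certdb/secmod.db` rule in the first hunk creates the NSS database with `-mkdir certdb`, so an existing, possibly stale `certdb` left over from an earlier key generation is silently reused and a second certificate with the nickname `shim` is added to it, and the `%.efi.signed` rule in the second hunk then selects its signer by that nickname alone, so which key signs MokManager becomes unclear. The same recipe also reads `ca.crt` and `shim.p12` without declaring them as prerequisites, and it imports the private key with `-W "" -K ""` into a directory created with the default umask, so the signing key sits in the build tree with no access restriction beyond the checkout itself. I would change the rule header and its first recipe line to `certdb/secmod.db: shim.crt ca.crt shim.p12` and `mkdir -p -m 700 certdb` (ca.crt and shim.p12 appear to be produced by the same make-certs run as shim.crt, to be confirmed against make-certs). Separately, `shim_cert.h` is assembled with `>` followed by `>>` and no `.DELETE_ON_ERROR` is visible in the file, so a failed hexdump leaves a partial header that is newer than `shim.cer` and is not rebuilt on the next run; writing to `$@.tmp` and renaming at the end would avoid that.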
