Permalink
Browse files

Support a vendor-specific DBX list.

In some rare corner cases, it's useful to add a blacklist of things that
were allowed by a copy of shim that was never signed by the UEFI signing
service.  In these cases it's okay for them to go into a local dbx,
rather than taking up precious flash.

Signed-off-by: Peter Jones <pjones@redhat.com>
  • Loading branch information...
1 parent cdde659 commit e0b78774d98a4f766c47254b959d295887963f21 @vathpela vathpela committed Oct 23, 2012
Showing with 98 additions and 27 deletions.
  1. +5 −2 Makefile
  2. +32 −0 dbx.S
  3. +61 −25 shim.c
View
@@ -29,7 +29,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
VERSION = 0.1
TARGET = shim.efi MokManager.efi
-OBJS = shim.o cert.o
+OBJS = shim.o cert.o dbx.o
SOURCES = shim.c shim.h signature.h PeImage.h
MOK_OBJS = MokManager.o
MOK_SOURCES = MokManager.c shim.h
@@ -41,7 +41,10 @@ shim.o: $(SOURCES)
cert.o : cert.S
$(CC) $(CFLAGS) -c -o $@ $<
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
+dbx.o : dbx.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
MokManager.o: $(SOURCES)
View
32 dbx.S
@@ -0,0 +1,32 @@
+#if defined(VENDOR_DBX_FILE)
+ .globl vendor_dbx_size
+ .data
+ .align 1
+ .type vendor_dbx_size, @object
+ .size vendor_dbx_size, 4
+vendor_dbx_size:
+ .long .L0 - vendor_dbx
+ .globl vendor_dbx
+ .data
+ .align 1
+ .type vendor_dbx, @object
+ .size vendor_dbx_size, vendor_dbx_size-vendor_dbx
+vendor_dbx:
+.incbin VENDOR_DBX_FILE
+.L0:
+#else
+ .globl vendor_dbx
+ .bss
+ .type vendor_dbx, @object
+ .size vendor_dbx, 1
+vendor_dbx:
+ .zero 1
+
+ .globl vendor_dbx_size
+ .data
+ .align 4
+ .type vendor_dbx_size, @object
+ .size vendor_dbx_size, 4
+vendor_dbx_size:
+ .long 1
+#endif
View
86 shim.c
@@ -51,6 +51,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
*/
extern UINT8 vendor_cert[];
extern UINT32 vendor_cert_size;
+extern EFI_SIGNATURE_LIST *vendor_dbx;
+extern UINT32 vendor_dbx_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -209,26 +211,16 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
return EFI_SUCCESS;
}
-static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid,
- WIN_CERTIFICATE_EFI_PKCS *data, UINT8 *hash)
+static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
+ UINTN dbsize,
+ WIN_CERTIFICATE_EFI_PKCS *data,
+ UINT8 *hash)
{
- EFI_STATUS efi_status;
- EFI_SIGNATURE_LIST *CertList;
EFI_SIGNATURE_DATA *Cert;
- UINTN dbsize = 0;
UINTN CertCount, Index;
- UINT32 attributes;
BOOLEAN IsFound = FALSE;
- void *db;
EFI_GUID CertType = EfiCertX509Guid;
- efi_status = get_variable(dbname, guid, &attributes, &dbsize, &db);
-
- if (efi_status != EFI_SUCCESS)
- return VAR_NOT_FOUND;
-
- CertList = db;
-
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
CertCount = (CertList->SignatureListSize - CertList->SignatureHeaderSize) / CertList->SignatureSize;
@@ -250,34 +242,44 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid,
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
- FreePool(db);
-
if (IsFound)
return DATA_FOUND;
return DATA_NOT_FOUND;
}
-static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
- int SignatureSize, EFI_GUID CertType)
+static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid,
+ WIN_CERTIFICATE_EFI_PKCS *data, UINT8 *hash)
{
+ CHECK_STATUS rc;
EFI_STATUS efi_status;
EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
UINTN dbsize = 0;
- UINTN CertCount, Index;
UINT32 attributes;
- BOOLEAN IsFound = FALSE;
void *db;
efi_status = get_variable(dbname, guid, &attributes, &dbsize, &db);
- if (efi_status != EFI_SUCCESS) {
+ if (efi_status != EFI_SUCCESS)
return VAR_NOT_FOUND;
- }
CertList = db;
+ rc = check_db_cert_in_ram(CertList, dbsize, data, hash);
+
+ FreePool(db);
+
+ return rc;
+}
+
+static CHECK_STATUS check_db_hash_in_ram(EFI_SIGNATURE_LIST *CertList,
+ UINTN dbsize, UINT8 *data,
+ int SignatureSize, EFI_GUID CertType)
+{
+ EFI_SIGNATURE_DATA *Cert;
+ UINTN CertCount, Index;
+ BOOLEAN IsFound = FALSE;
+
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
CertCount = (CertList->SignatureListSize - CertList->SignatureHeaderSize) / CertList->SignatureSize;
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
@@ -302,19 +304,53 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
- FreePool(db);
-
if (IsFound)
return DATA_FOUND;
return DATA_NOT_FOUND;
}
+static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
+ int SignatureSize, EFI_GUID CertType)
+{
+ EFI_STATUS efi_status;
+ EFI_SIGNATURE_LIST *CertList;
+ UINT32 attributes;
+ UINTN dbsize = 0;
+ void *db;
+
+ efi_status = get_variable(dbname, guid, &attributes, &dbsize, &db);
+
+ if (efi_status != EFI_SUCCESS) {
+ return VAR_NOT_FOUND;
+ }
+
+ CertList = db;
+
+ CHECK_STATUS rc = check_db_hash_in_ram(CertList, dbsize, data,
+ SignatureSize, CertType);
+ FreePool(db);
+ return rc;
+
+}
+
static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
+ SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
+ DATA_NOT_FOUND)
+ return EFI_ACCESS_DENIED;
+ if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
+ SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
+ DATA_NOT_FOUND)
+ return EFI_ACCESS_DENIED;
+ if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
+ sha256hash) == DATA_NOT_FOUND)
+ return EFI_ACCESS_DENIED;
+
if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
EfiHashSha256Guid) == DATA_FOUND)
return EFI_ACCESS_DENIED;

0 comments on commit e0b7877

Please sign in to comment.