Commits on Dec 19, 2017
  1. Bump the version to 14

    vathpela committed Dec 19, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. Don't allow undefined symbols at all.

    vathpela committed Nov 3, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  3. "in_protocol" is used in more than shim.o; make it not static.

    vathpela committed Nov 2, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  4. Don't let openssl() try to call an external abort()

    vathpela committed Nov 2, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Sep 29, 2017
  1. Bump the version to 13

    vathpela committed Aug 31, 2017
    shim 13:
    - OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working
    - Better PCR usage for TPM
    - TPM documentation in README.tpm
    - More configurable build via make variables:
      ENABLE_SHIM_CERT
      ENABLE_SHIM_HASH
      ENABLE_SBSIGN
      LIBDIR
      EFIDIR
      VENDOR_CERT_FILE
      VENDOR_DB_FILE
    - Better MoK documentation in MokVars.txt
    - Better debuginfo generation
    - Lots of minor bug fixes.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. buildid: Check the return values of write() calls

    cyphermox committed with vathpela Sep 29, 2017
    Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
  3. Make shim_cert.h able to be included more safely.

    vathpela committed Sep 29, 2017
    If you build with ENABLE_SHIM_CERT=1, the include chain right now winds
    up meaning shim_cert is defined in a header that gets included in
    netboot.c as well, which never uses it:
    
      In file included from shim.h:125:0,
                       from netboot.c:36:
      shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable]
       static UINT8 shim_cert[] = {
                    ^~~~~~~~~
      cc1: all warnings being treated as errors
    
    So make that okay by adding __attribute__((__unused__)) to the variable
    decl.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Sep 26, 2017
  1. Use iconv for UCS-2 encoding.

    vathpela committed Sep 26, 2017
    Cyphermox discovered that when you run this:
    
      ( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g'
    
    on some debian machines, printf(1) doesn't interpret the \x.. characters,
    and that results in this being the encoded text:
    
    00000000  5c 78 66 66 5c 78 66 65  73 00 68 00 69 00 6d 00  |\xff\xfes.h.i.m.|
    00000010  78 00 36 00 34 00 2e 00  65 00 66 00 69 00 2c 00  |x.6.4...e.f.i.,.|
    00000020  66 00 6f 00 6f 00 2c 00  2c 00 54 00 68 00 69 00  |f.o.o.,.,.T.h.i.|
    
    which... yeah, that's wrong.  So instead, use iconv instead of
    printf+sed to encode it in UCS-2.  Unfortunately, that means we don't
    get endian markers, because for some reason iconv(1) doesn't have any way
    to say it should include them.  But that's okay; fallback already
    handles not having them and just assumes the second byte being \x00
    means UCS-2LE.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Sep 19, 2017
  1. Fix an LDFLAGS issue on arm and aarch64

    vathpela committed Sep 19, 2017
    Commit 1e71734 inadvertently switched ARM's
    LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set,
    and so it got clobbered away.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. Try to do a slightly better job at 'make clean'

    vathpela committed Sep 19, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Sep 14, 2017
  1. Don't build shim_cert.h in parallel with other targets.

    cyphermox committed with vathpela Sep 14, 2017
    shim_cert.h is required by other pieces (such as netboot.o, cert.o) and
    might not be built by the time these targets are reached. In that case the
    build would fail as it can't find a required header.
    
    Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
  2. Clean up after BOOT$(ARCH).CSV.

    cyphermox committed with vathpela Sep 14, 2017
    It should not be left around after clean since it's a generated file.
    
    Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Commits on Sep 13, 2017
  1. try to show errors more usefully.

    vathpela committed Sep 8, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. Add some debugging data to the last malformed binary check...

    vathpela committed Sep 8, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  3. Add some defaults and a syntastic file so vim helps more.

    vathpela committed Sep 8, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Sep 8, 2017
  1. Work around some annoying compiler grievances

    vathpela committed Sep 8, 2017
    I'm still having some trouble with the offsetof() definition, so just
    nerf it to what stddef.h would say anyway.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. Some things went weird with the openssl revert...

    vathpela committed Sep 8, 2017
    I think this works around most of them.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
  3. Cryptlib: remove DES

    lcp committed with vathpela Apr 10, 2017
    Disable DES completely since it's already old and insecure.
    This makes MokManager not support the DES based password hash but
    probably no one is using it.
    
    Signed-off-by: Gary Lin <glin@suse.com>
  4. Cryptlib: Remove MD4

    lcp committed with vathpela Apr 10, 2017
    MD4 is known to be insecure and shim never uses it.
    
    Signed-off-by: Gary Lin <glin@suse.com>
  5. Cryptlib: amend the headers and fix signedness

    lcp committed with vathpela Apr 7, 2017
    - Declare some functions in the proper headers
      + We missed them for a long time...
    
    - Cast offsetof to UINTN
      + The original casting triggers the gcc warning since int can not
        present the offset for the 64bit machines.
    
    - Cast the "char" array to "CHAR8 *" to avoid the gcc warnings
    
    - Implement atoi correctly
    
    Signed-off-by: Gary Lin <glin@suse.com>
Commits on Aug 31, 2017
  1. Fix build with ENABLE_SHIM_CERT and ENABLE_SBSIGN: shim.key is created by the shim.crt target

    cyphermox committed with vathpela Aug 30, 2017
    
    Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
  2. Cryptlib: implement strcmp() and strcasecmp()

    lcp committed with vathpela Apr 7, 2017
    strcmp() and strcasecmp() are widely used in openssl. Implement those
    two functions to eliminate the gcc warnings and the potential crash.
    
    Signed-off-by: Gary Lin <glin@suse.com>
  3. Cryptlib: Include stddef.h in CrtLibSupport.h

    lcp committed with vathpela Apr 7, 2017
    The changes in the openssl headers cause the inclusion of
    CrtLibSupport.h earlier than the inclusion of stddef.h, so "offsetof"
    was defined twice and this caused the following build error:
    
    In file included from Cryptlib/Include/openssl/buffer.h:23:0,
                     from Cryptlib/Include/openssl/x509.h:22,
                     from shim.c:56:
    /usr/lib64/gcc/x86_64-suse-linux/6/include/stddef.h:417:0: error: "offsetof" redefined [-Werror]
     #define offsetof(TYPE, MEMBER) __builtin_offsetof (TYPE, MEMBER)
    
    In file included from Cryptlib/Include/limits.h:15:0,
                     from Cryptlib/Include/openssl/ossl_typ.h:13,
                     from Cryptlib/Include/openssl/x509.h:20,
                     from shim.c:56:
    Cryptlib/Include/CrtLibSupport.h:192:0: note: this is the location of the previous definition
     #define offsetof(type, member) ( (int) & ((type*)0) -> member )
    
    We can lower the priority of the gcc include path or just remove the
    path, but this might cause problems since the path was introduced on
    purpose(*). Instead, including stddef.h first is more feasible.
    
    (*) d51739a
    
    Signed-off-by: Gary Lin <glin@suse.com>
  4. Revert lots of Cryptlib updates.

    vathpela committed Aug 31, 2017
    OpenSSL changes quite a bit of the key validation, and most of the keys
    I can find in the wild aren't marked as trusted by the new checker.
    
    Intel noticed this too: vathpela/edk2@f536d7c
    but instead of fixing the compatibility error, they switched their test
    data to match the bug.
    
    So that's pretty broken.
    
    For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in
    the wild to work.
    
    This reverts commit 513cbe2.
    This reverts commit e9cc33d.
    This reverts commit 80d49f7.
    This reverts commit 9bc647e.
    This reverts commit ae75df6.
    This reverts commit e883479.
    This reverts commit 9746944.
    This reverts commit e396926.
    This reverts commit 0f3dfc0.
    This reverts commit 4da6ac8.
    This reverts commit d064bd7.
    This reverts commit 9bc86cf.
    This reverts commit ab9a05a.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
  5. Drain the OpenSSL error stack and report crypto verification errors

    vathpela committed Aug 31, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  6. Init openssl so we can use its debug facilities.

    vathpela committed Aug 31, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  7. Add a mechanism to print openssl errors

    vathpela committed Aug 31, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  8. Fix a missing OpenSSL error message point

    vathpela committed Aug 31, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  9. Make msleep() be a thing

    vathpela committed Aug 31, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
Commits on Aug 18, 2017
  1. Rework looping in enter_mok_menu(), to allow multiple MOK changes

    cyphermox committed with vathpela Aug 3, 2017
    Rather than looping once through the possible actions (MokNew, MokDel, etc.),
    revise the logic so that instead of rebooting immediately we get back to the
    main menu setting a flag to replace "Continue booting" with a proper reboot.
    
    Getting back to the menu means we can go make other changes before rebooting.
    For instance, you might want to enable validation, but beforehand you also
    need to enroll a MOK. You can already do so from userland; except the requests
    were cleared as soon as one of them was processed.
    
    This involves some extra cleanup of the states to avoid running the same
    request more than once, removing the option from the menu once it's done, and
    changing prompting functions to return an EFI_STATUS so we can better track
    whether the process has succeeded.
    
    Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Commits on Aug 11, 2017
  1. Add ENABLE_SHIM_HASH and make install-as-data know how to install it.

    vathpela committed Aug 11, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  2. Update TODO with some stuff

    vathpela committed Apr 20, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  3. Make better debuginfo and install it reasonably.

    vathpela committed Aug 2, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>
  4. Allow use of sbsign to sign things.

    vathpela committed Aug 2, 2017
    Signed-off-by: Peter Jones <pjones@redhat.com>