author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2016-02-23 16:56:07 -0800 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2016-02-23 16:56:07 -0800 |
commit | 491059569251cb86c3ea8d62ada0331b8c274725 (patch) | |
tree | de3a36d51641a8c3e423d8e997814a611566f4d1 | |
parent | 58e7a21b04e53faf0499fb826b1f14b22894e722 (diff) | |
download | efitools-491059569251cb86c3ea8d62ada0331b8c274725.tar.gz |
ShimReplace: add new shim loader simply to install protocol
The way grub currently works on Linux is that it relies on the shim
protocol to verify images. Without this, the secure boot chain is
broken. Fix this by adding a shim replacement whose sole job is to
install the protocol and call the boot loader via the normal fashion
(meaning the bootloader must be signed with a key in the secure boot
database). The second stage loader can then use the protocol to
verify any images against the secure boot database as well.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | ShimReplace.c | 63 |
2 files changed, 65 insertions, 1 deletions
@@ -1,5 +1,5 @@
 EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
- KeyTool.efi HashTool.efi SetNull.efi
+ KeyTool.efi HashTool.efi SetNull.efi ShimReplace.efi
 BINARIES = cert-to-efi-sig-list sig-list-to-certs sign-efi-sig-list \
 hash-to-efi-sig-list efi-readvar efi-updatevar cert-to-efi-hash-list \
 flash-var
@@ -85,6 +85,7 @@ KeyTool.so: lib/lib-efi.a
 HashTool.so: lib/lib-efi.a
 PreLoader.so: lib/lib-efi.a
 HelloWorld.so: lib/lib-efi.a
+ShimReplace.so: lib/lib-efi.a
 cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
 $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
diff --git a/ShimReplace.c b/ShimReplace.c
new file mode 100644
index 0000000..598f7fd
--- /dev/null
+++ b/ShimReplace.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2016 <James.Bottomley@HansenPartnership.com>
+ *
+ * see COPYING file
+ *
+ * Replacement for shim.efi which is signed by your own key
+ * and installs the shim protocol verifier for grub to use
+ * so the secure boot chain is unbroken
+ */
+
+#include <efi.h>
+#include <efilib.h>
+
+#include <console.h>
+#include <guid.h>
+#include <efiauthenticated.h>
+#include <execute.h>
+#include <shim_protocol.h>
+#include <pkcs7verify.h>
+
+static const CHAR16 *loader = L"\\grub.efi";
+static const CHAR16 *fallback = L"\\fallback.efi";
+
+EFI_STATUS
+efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+{
+	EFI_STATUS efi_status;
+	EFI_PKCS7_VERIFY_PROTOCOL *p7vp;
+	CHAR16 *error;
+	void *ptr;
+
+	InitializeLib(image, systab);
+
+	efi_status = pkcs7verify_get_protocol(image, &p7vp, &error);
+
+	if (efi_status != EFI_SUCCESS) {
+		console_error(error, efi_status);
+		return efi_status;
+	}
+
+	efi_status = shim_protocol_install(p7vp);
+	if (efi_status != EFI_SUCCESS)
+		console_error(L"Failed to install shim protocol", efi_status);
+
+
+	efi_status = BS->LocateProtocol(&MOK_OWNER,
+				       NULL, &ptr);
+	if (efi_status != EFI_SUCCESS)
+		console_error(L"Failed to locate shim protocol", efi_status);
+
+	efi_status = execute(image, loader);
+	if (efi_status == EFI_SUCCESS)
+		return efi_status;
+
+	console_error(L"Failed to start primary loader", efi_status);
+
+	efi_status = execute(image, fallback);
+
+	if (efi_status != EFI_SUCCESS)
+		console_error(L"Failed to start fallback loader", efi_status);
+
+	return efi_status;
+}
|
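Review bot: A failure of `shim_protocol_install(p7vp)` is only reported and control then falls through to `execute(image, loader)`, so the second-stage loader is started without the verifier this image exists to provide; the `BS->LocateProtocol(&MOK_OWNER, NULL, &ptr)` self-check that follows is handled the same way. Since the commit message describes installing the protocol as the sole job of this image, both failures look like they should abort rather than continue, mirroring the earlier `pkcs7verify_get_protocol` path: `if (efi_status != EFI_SUCCESS) { console_error(L"Failed to install shim protocol", efi_status); return efi_status; }`, and likewise for the locate check. It would also help a reader to say why `ptr` is requested and then never used, e.g. `/* sanity check only: the protocol we just installed must be locatable */`. The double blank line before the LocateProtocol call and the space in `efi_main (` are minor style nits against the rest of the file.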