PreLoader: Add built in whitelist hash table

This allows us to pre-authorise some of the other pre-build binaries
(currently only HashTool.efi, Loader.efi and KeyTool.efi)

Signed-off-by: James Bottomley <JBottomley@Parallels.com>

5 files changed, 36 insertions, 6 deletions

diff --git a/.gitignore b/.gitignore
index fe58085..d5699c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@
 PK.h
 KEK.h
 DB.h
+hashlist.h
 *~
 cert-to-efi-sig-list
 sig-list-to-certs
diff --git a/Make.rules b/Make.rules
index e63e25d..478ff20 100644
--- a/Make.rules
+++ b/Make.rules
@@ -37,6 +37,9 @@ endif
 %.h: %.auth
 	xxd -i $< > $@
 
+%.hash: %.efi hash-to-efi-sig-list
+	./hash-to-efi-sig-list $< $@
+
 %.esl: %.crt cert-to-efi-sig-list
 	./cert-to-efi-sig-list -g $(MYGUID) $< $@
 
diff --git a/Makefile b/Makefile
index 9f08f44..532465e 100644
--- a/Makefile
+++ b/Makefile
@@ -34,6 +34,7 @@ PK.crt KEK.crt DB.crt:
 	$(EFIFILES)
 
 LockDown.o: PK.h KEK.h DB.h
+PreLoader.o: hashlist.h
 
 PK.h: PK.auth
 
@@ -47,6 +48,12 @@ noPK.esl:
 noPK.auth: noPK.esl PK.crt sign-efi-sig-list
 	./sign-efi-sig-list -c PK.crt -k PK.key PK $< $@
 
+hashlist.h: KeyTool.hash HashTool.hash Loader.hash
+	cat $^ > /tmp/tmp.hash
+	xxd -i /tmp/tmp.hash > $@
+	rm -f /tmp/tmp.hash
+
+
 Loader.so: lib/lib-efi.a
 ReadVars.so: lib/lib-efi.a
 UpdateVars.so: lib/lib-efi.a
diff --git a/PreLoader.c b/PreLoader.c
index cf23030..a884588 100644
--- a/PreLoader.c
+++ b/PreLoader.c
@@ -9,10 +9,13 @@
 #include <efi.h>
 #include <efilib.h>
 
+#include <guid.h>
 #include <pecoff.h>
 #include <console.h>
 #include <errors.h>
 
+#include "hashlist.h"
+
 CHAR16 *loader = L"\\loader.efi";
 CHAR16 *hashtool = L"\\HashTool.efi";
 
@@ -23,6 +26,14 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
 
 	InitializeLib(image, systab);
 
+	/* Transfer from built in hash list to tmpHashList variable */
+	uefi_call_wrapper(RT->SetVariable, 5, L"tmpHashList", &MOK_OWNER,
+			  EFI_VARIABLE_BOOTSERVICE_ACCESS,
+			  (UINTN)_tmp_tmp_hash_len, _tmp_tmp_hash);
+
+	Print(L"ABOUT TO EXECUTE %s\n", loader);
+	console_get_keystroke();
+
 	status = pecoff_execute_checked(image, systab, loader);
 
 	if (status == EFI_SUCCESS)
diff --git a/lib/pecoff.c b/lib/pecoff.c
index c3db3a7..9cd091c 100644
--- a/lib/pecoff.c
+++ b/lib/pecoff.c
@@ -285,20 +285,28 @@ pecoff_check_mok(EFI_HANDLE image, CHAR16 *name)
 	if (find_in_variable_esl(L"dbx", SIG_DB, hash, SHA256_DIGEST_SIZE)
 	    == EFI_SUCCESS)
 		/* MOK list cannot override dbx */
-		return EFI_SECURITY_VIOLATION;
+		goto check_tmplist;
 
 	status = get_variable_attr(L"MokList", &data, &len, MOK_OWNER, &attr);
 	if (status != EFI_SUCCESS)
-		return EFI_SECURITY_VIOLATION;
+		goto check_tmplist;
 	FreePool(data);
 
 	if (attr & EFI_VARIABLE_RUNTIME_ACCESS)
-		return EFI_SECURITY_VIOLATION;
+		goto check_tmplist;
 
-	if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) != EFI_SUCCESS)
-		return EFI_SECURITY_VIOLATION;
+	if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS)
+		return EFI_SUCCESS;
 
-	return EFI_SUCCESS;
+ check_tmplist:
+	status = get_variable_attr(L"tmpHashList", &data, &len, MOK_OWNER,
+				   &attr);
+	if (status == EFI_SUCCESS && attr == EFI_VARIABLE_BOOTSERVICE_ACCESS
+	    && find_in_variable_esl(L"tmpHashList", MOK_OWNER, hash,
+				    SHA256_DIGEST_SIZE) == EFI_SUCCESS)
+		return EFI_SUCCESS;
+
+	return EFI_SECURITY_VIOLATION;
 }
 
 EFI_STATUS