From bf3ad16cb08ad54a3b7d0284aedb960cd99867ff Mon Sep 17 00:00:00 2001 From: James Bottomley Date: Tue, 4 Dec 2012 22:54:49 +0000 Subject: PreLoader: Add built in whitelist hash table This allows us to pre-authorise some of the other pre-build binaries (currently only HashTool.efi, Loader.efi and KeyTool.efi) Signed-off-by: James Bottomley --- .gitignore | 1 + Make.rules | 3 +++ Makefile | 7 +++++++ PreLoader.c | 11 +++++++++++ lib/pecoff.c | 20 ++++++++++++++------ 5 files changed, 36 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index fe58085..d5699c1 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,7 @@ PK.h KEK.h DB.h +hashlist.h *~ cert-to-efi-sig-list sig-list-to-certs diff --git a/Make.rules b/Make.rules index e63e25d..478ff20 100644 --- a/Make.rules +++ b/Make.rules @@ -37,6 +37,9 @@ endif %.h: %.auth xxd -i $< > $@ +%.hash: %.efi hash-to-efi-sig-list + ./hash-to-efi-sig-list $< $@ + %.esl: %.crt cert-to-efi-sig-list ./cert-to-efi-sig-list -g $(MYGUID) $< $@ diff --git a/Makefile b/Makefile index 9f08f44..532465e 100644 --- a/Makefile +++ b/Makefile @@ -34,6 +34,7 @@ PK.crt KEK.crt DB.crt: $(EFIFILES) LockDown.o: PK.h KEK.h DB.h +PreLoader.o: hashlist.h PK.h: PK.auth @@ -47,6 +48,12 @@ noPK.esl: noPK.auth: noPK.esl PK.crt sign-efi-sig-list ./sign-efi-sig-list -c PK.crt -k PK.key PK $< $@ +hashlist.h: KeyTool.hash HashTool.hash Loader.hash + cat $^ > /tmp/tmp.hash + xxd -i /tmp/tmp.hash > $@ + rm -f /tmp/tmp.hash + + Loader.so: lib/lib-efi.a ReadVars.so: lib/lib-efi.a UpdateVars.so: lib/lib-efi.a diff --git a/PreLoader.c b/PreLoader.c index cf23030..a884588 100644 --- a/PreLoader.c +++ b/PreLoader.c @@ -9,10 +9,13 @@ #include #include +#include #include #include #include +#include "hashlist.h" + CHAR16 *loader = L"\\loader.efi"; CHAR16 *hashtool = L"\\HashTool.efi"; 
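Review bot: The `hashlist.h` rule in the second Makefile hunk stages the concatenated hashes in the fixed, shared path `/tmp/tmp.hash`. On a multi-user build host another account can pre-create or symlink that name, and two concurrent builds overwrite each other's file, so the whitelist that `xxd -i` compiles into PreLoader is not guaranteed to be the hashes this build just generated. Staging inside the build tree removes that exposure: `cat $^ > tmp.hash`, `xxd -i tmp.hash > $@`, `rm -f tmp.hash`. Because xxd derives the C identifiers from the input path, the array would then be named `tmp_hash`/`tmp_hash_len`, so the `_tmp_tmp_hash` references in PreLoader.c have to change in the same commit.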
@@ -23,6 +26,14 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) InitializeLib(image, systab); + /* Transfer from built in hash list to tmpHashList variable */ + uefi_call_wrapper(RT->SetVariable, 5, L"tmpHashList", &MOK_OWNER, + EFI_VARIABLE_BOOTSERVICE_ACCESS, + (UINTN)_tmp_tmp_hash_len, _tmp_tmp_hash); + + Print(L"ABOUT TO EXECUTE %s\n", loader); + console_get_keystroke(); + status = pecoff_execute_checked(image, systab, loader); if (status == EFI_SUCCESS) diff --git a/lib/pecoff.c b/lib/pecoff.c index c3db3a7..9cd091c 100644 --- a/lib/pecoff.c +++ b/lib/pecoff.c @@ -285,20 +285,28 @@ pecoff_check_mok(EFI_HANDLE image, CHAR16 *name) if (find_in_variable_esl(L"dbx", SIG_DB, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS) /* MOK list cannot override dbx */ - return EFI_SECURITY_VIOLATION; + goto check_tmplist; status = get_variable_attr(L"MokList", &data, &len, MOK_OWNER, &attr); if (status != EFI_SUCCESS) - return EFI_SECURITY_VIOLATION; + goto check_tmplist; FreePool(data); if (attr & EFI_VARIABLE_RUNTIME_ACCESS) - return EFI_SECURITY_VIOLATION; + goto check_tmplist; - if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) != EFI_SUCCESS) - return EFI_SECURITY_VIOLATION; + if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS) + return EFI_SUCCESS; - return EFI_SUCCESS; + check_tmplist: + status = get_variable_attr(L"tmpHashList", &data, &len, MOK_OWNER, + &attr); + if (status == EFI_SUCCESS && attr == EFI_VARIABLE_BOOTSERVICE_ACCESS + && find_in_variable_esl(L"tmpHashList", MOK_OWNER, hash, + SHA256_DIGEST_SIZE) == EFI_SUCCESS) + return EFI_SUCCESS; + + return EFI_SECURITY_VIOLATION; } EFI_STATUS -- cgit 1.2.3-korg
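Review bot: The return value of the `RT->SetVariable` call for `tmpHashList` in `efi_main` is discarded, so a failed write is silent. If the write fails, any `tmpHashList` already present under `MOK_OWNER` with boot-services-only attributes would be what `pecoff_check_mok` consults, not the built-in list. I would capture it with `status = uefi_call_wrapper(RT->SetVariable, 5, ...);` and report it with `if (status != EFI_SUCCESS) Print(L"Failed to set tmpHashList: %r\n", status);` before continuing. The added `Print(L"ABOUT TO EXECUTE %s\n", loader);` and `console_get_keystroke();` look like debugging aids and make every boot wait for a key press, so they are worth dropping or guarding. The body of `efi_main` continues outside the hunk.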
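Review bot: In `pecoff_check_mok` the dbx branch now does `goto check_tmplist` where it used to return `EFI_SECURITY_VIOLATION`. A hash that is revoked in `dbx` is therefore still accepted when it also appears in `tmpHashList`, even though the retained comment says the MOK list cannot override dbx. Unless the built-in list is meant to outrank revocation, that branch should keep `return EFI_SECURITY_VIOLATION;` and only the three MokList failure paths should fall through to `check_tmplist`. Separately, the buffer returned in `data` by the `tmpHashList` `get_variable_attr` call is never released, whereas the MokList path calls `FreePool(data)`; a matching `FreePool(data);` after a successful lookup would close what looks like a leak. The function begins outside the hunk.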