pool/shim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
shim/shim-bnc841426-silence-shim-protocols.patch

790 lines
25 KiB
Diff
Raw Normal View History

Accepting request 201531 from home:gary_lin:branches:devel:openSUSE:Factory - Add shim-netboot-fixes.patch to include upstream netboot fixes - Add shim-mokmanager-disable-gfx-console.patch to disable the graphics console to avoid system hang on some machines - Add shim-bnc841426-silence-shim-protocols.patch to silence the shim protocols (bnc#841426) OBS-URL: https://build.opensuse.org/request/show/201531 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=48
2013-10-01 07:06:21 +00:00
From f60d64b0e119ad7df60d9111fc94fe7ded65750f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 20 Jun 2013 12:41:14 -0400
Subject: [PATCH 1/3] Don't print that fallback isn't found in
should_use_fallback()
The call can simply fail if it isn't found - which will be the case on
removeable install media.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
shim.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index 47e3812..895b594 100644
--- a/shim.c
+++ b/shim.c
@@ -951,7 +951,12 @@ should_use_fallback(EFI_HANDLE image_handle)
rc = uefi_call_wrapper(vh->Open, 5, vh, &fh, L"\\EFI\\BOOT" FALLBACK,
EFI_FILE_MODE_READ, 0);
if (EFI_ERROR(rc)) {
- Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK, rc);
+ /* Do not print the error here - this is an acceptable case
+ * for removable media, where we genuinely don't want
+ * fallback.efi to exist.
+ * Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK,
+ * rc);
+ */
uefi_call_wrapper(vh->Close, 1, vh);
return 0;
}
--
1.8.1.4
From abe44733163c3ef8da96c09dadd8e54e65f9bdab Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 25 Jul 2013 10:51:05 -0400
Subject: [PATCH 2/3] Don't print things on the screen by default when
everything works.
There's no point to this text, and it generally confuses people.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
shim.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/shim.c b/shim.c
index 895b594..137290d 100644
--- a/shim.c
+++ b/shim.c
@@ -53,6 +53,7 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
static CHAR16 *second_stage;
static void *load_options;
static UINT32 load_options_size;
+static UINT8 verbose;
/*
* The vendor certificate used for validating the second stage loader
@@ -431,7 +432,8 @@ static BOOLEAN secure_mode (void)
/* FIXME - more paranoia here? */
if (status != EFI_SUCCESS || sb != 1) {
- Print(L"Secure boot not enabled\n");
+ if (verbose)
+ Print(L"Secure boot not enabled\n");
return FALSE;
}
@@ -439,7 +441,8 @@ static BOOLEAN secure_mode (void)
(void *)&setupmode);
if (status == EFI_SUCCESS && setupmode == 1) {
- Print(L"Platform is in setup mode\n");
+ if (verbose)
+ Print(L"Platform is in setup mode\n");
return FALSE;
}
@@ -699,7 +702,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
status = check_whitelist(cert, sha256hash, sha1hash);
if (status == EFI_SUCCESS) {
- Print(L"Binary is whitelisted\n");
+ if (verbose)
+ Print(L"Binary is whitelisted\n");
return status;
}
@@ -711,7 +715,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
shim_cert, sizeof(shim_cert), sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
- Print(L"Binary is verified by the vendor certificate\n");
+ if (verbose)
+ Print(L"Binary is verified by the vendor certificate\n");
return status;
}
@@ -724,7 +729,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
vendor_cert, vendor_cert_size, sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
- Print(L"Binary is verified by the vendor certificate\n");
+ if (verbose)
+ Print(L"Binary is verified by the vendor certificate\n");
return status;
}
@@ -1501,6 +1507,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
static SHIM_LOCK shim_lock_interface;
EFI_HANDLE handle = NULL;
EFI_STATUS efi_status;
+ UINT8 verbose_check;
+ UINTN verbose_check_size;
+ UINT32 attributes;
+ EFI_GUID global_var = EFI_GLOBAL_VARIABLE;
/*
* Set up the shim lock protocol so that grub and MokManager can
@@ -1517,6 +1527,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
InitializeLib(image_handle, systab);
+ verbose_check_size = 1;
+ efi_status = get_variable(L"SHIM_VERBOSE", global_var, &attributes,
+ &verbose_check_size, (void *)&verbose_check);
+ if (!EFI_ERROR(efi_status))
+ verbose = verbose_check;
+
/* Set the second stage loader */
set_second_stage (image_handle);
--
1.8.1.4
From 3a131108f7b86af4fe5ed0021374467feb98bd54 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 1 Oct 2013 11:58:52 +0800
Subject: [PATCH 3/3] Keep silent in shim protocol
On some machines, grub2 hung on shim_verify() which tried to output
messages. This commit silences the functions used in the shim
protocols to avoid system hang.
---
shim.c | 178 +++++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 106 insertions(+), 72 deletions(-)
diff --git a/shim.c b/shim.c
index 137290d..a0de14e 100644
--- a/shim.c
+++ b/shim.c
@@ -54,6 +54,9 @@ static CHAR16 *second_stage;
static void *load_options;
static UINT32 load_options_size;
static UINT8 verbose;
+static UINT8 in_protocol;
+
+#define ERROR(...) if(!in_protocol) {Print(__VA_ARGS__);}
/*
* The vendor certificate used for validating the second stage loader
@@ -94,7 +97,7 @@ static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes,
*buffer = AllocatePool(*size);
if (!*buffer) {
- Print(L"Unable to allocate variable buffer\n");
+ ERROR(L"Unable to allocate variable buffer\n");
return EFI_OUT_OF_RESOURCES;
}
@@ -134,7 +137,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data;
if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) {
- Print(L"Image has no relocation entry\n");
+ ERROR(L"Image has no relocation entry\n");
return EFI_UNSUPPORTED;
}
@@ -142,7 +145,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1);
if (!RelocBase || !RelocBaseEnd) {
- Print(L"Reloc table overflows binary\n");
+ ERROR(L"Reloc table overflows binary\n");
return EFI_UNSUPPORTED;
}
@@ -153,13 +156,13 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock);
if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) {
- Print(L"Reloc entry overflows binary\n");
+ ERROR(L"Reloc entry overflows binary\n");
return EFI_UNSUPPORTED;
}
FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress);
if (!FixupBase) {
- Print(L"Invalid fixupbase\n");
+ ERROR(L"Invalid fixupbase\n");
return EFI_UNSUPPORTED;
}
@@ -208,7 +211,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
break;
default:
- Print(L"Unknown relocation\n");
+ ERROR(L"Unknown relocation\n");
return EFI_UNSUPPORTED;
}
Reloc += 1;
@@ -432,7 +435,7 @@ static BOOLEAN secure_mode (void)
/* FIXME - more paranoia here? */
if (status != EFI_SUCCESS || sb != 1) {
- if (verbose)
+ if (verbose && !in_protocol)
Print(L"Secure boot not enabled\n");
return FALSE;
}
@@ -441,7 +444,7 @@ static BOOLEAN secure_mode (void)
(void *)&setupmode);
if (status == EFI_SUCCESS && setupmode == 1) {
- if (verbose)
+ if (verbose && !in_protocol)
Print(L"Platform is in setup mode\n");
return FALSE;
}
@@ -477,12 +480,12 @@ static EFI_STATUS generate_hash (char *data, int datasize,
sha1ctx = AllocatePool(sha1ctxsize);
if (!sha256ctx || !sha1ctx) {
- Print(L"Unable to allocate memory for hash context\n");
+ ERROR(L"Unable to allocate memory for hash context\n");
return EFI_OUT_OF_RESOURCES;
}
if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
- Print(L"Unable to initialise hash\n");
+ ERROR(L"Unable to initialise hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -494,7 +497,7 @@ static EFI_STATUS generate_hash (char *data, int datasize,
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) {
- Print(L"Unable to generate hash\n");
+ ERROR(L"Unable to generate hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -506,7 +509,7 @@ static EFI_STATUS generate_hash (char *data, int datasize,
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) {
- Print(L"Unable to generate hash\n");
+ ERROR(L"Unable to generate hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -518,7 +521,7 @@ static EFI_STATUS generate_hash (char *data, int datasize,
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) {
- Print(L"Unable to generate hash\n");
+ ERROR(L"Unable to generate hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -539,14 +542,14 @@ static EFI_STATUS generate_hash (char *data, int datasize,
}
if (SumOfSectionBytes >= datasize) {
- Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size);
+ ERROR(L"Malformed binary: %x %x\n", SumOfSectionBytes, size);
status = EFI_INVALID_PARAMETER;
goto done;
}
SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections);
if (SectionHeader == NULL) {
- Print(L"Unable to allocate section header\n");
+ ERROR(L"Unable to allocate section header\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -572,14 +575,14 @@ static EFI_STATUS generate_hash (char *data, int datasize,
hashsize = (unsigned int) Section->SizeOfRawData;
if (!hashbase) {
- Print(L"Malformed section header\n");
+ ERROR(L"Malformed section header\n");
status = EFI_INVALID_PARAMETER;
goto done;
}
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) {
- Print(L"Unable to generate hash\n");
+ ERROR(L"Unable to generate hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -596,7 +599,7 @@ static EFI_STATUS generate_hash (char *data, int datasize,
if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
!(Sha1Update(sha1ctx, hashbase, hashsize))) {
- Print(L"Unable to generate hash\n");
+ ERROR(L"Unable to generate hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -604,7 +607,7 @@ static EFI_STATUS generate_hash (char *data, int datasize,
if (!(Sha256Final(sha256ctx, sha256hash)) ||
!(Sha1Final(sha1ctx, sha1hash))) {
- Print(L"Unable to finalise hash\n");
+ ERROR(L"Unable to finalise hash\n");
status = EFI_OUT_OF_RESOURCES;
goto done;
}
@@ -634,9 +637,9 @@ static EFI_STATUS verify_mok (void) {
&MokListDataSize, &MokListData);
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
- Print(L"MokList is compromised!\nErase all keys in MokList!\n");
+ ERROR(L"MokList is compromised!\nErase all keys in MokList!\n");
if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
- Print(L"Failed to erase MokList\n");
+ ERROR(L"Failed to erase MokList\n");
}
status = EFI_ACCESS_DENIED;
return status;
@@ -658,19 +661,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
unsigned int size = datasize;
if (context->SecDir->Size == 0) {
- Print(L"Empty security header\n");
+ ERROR(L"Empty security header\n");
return EFI_INVALID_PARAMETER;
}
cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
if (!cert) {
- Print(L"Certificate located outside the image\n");
+ ERROR(L"Certificate located outside the image\n");
return EFI_INVALID_PARAMETER;
}
if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
- Print(L"Unsupported certificate type %x\n",
+ ERROR(L"Unsupported certificate type %x\n",
cert->Hdr.wCertificateType);
return EFI_UNSUPPORTED;
}
@@ -691,7 +694,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
status = check_blacklist(cert, sha256hash, sha1hash);
if (status != EFI_SUCCESS) {
- Print(L"Binary is blacklisted\n");
+ ERROR(L"Binary is blacklisted\n");
return status;
}
@@ -702,7 +705,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
status = check_whitelist(cert, sha256hash, sha1hash);
if (status == EFI_SUCCESS) {
- if (verbose)
+ if (verbose && !in_protocol)
Print(L"Binary is whitelisted\n");
return status;
}
@@ -715,7 +718,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
shim_cert, sizeof(shim_cert), sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
- if (verbose)
+ if (verbose && !in_protocol)
Print(L"Binary is verified by the vendor certificate\n");
return status;
}
@@ -729,12 +732,12 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
vendor_cert, vendor_cert_size, sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
- if (verbose)
+ if (verbose && !in_protocol)
Print(L"Binary is verified by the vendor certificate\n");
return status;
}
- Print(L"Invalid signature\n");
+ ERROR(L"Invalid signature\n");
status = EFI_ACCESS_DENIED;
return status;
@@ -750,7 +753,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data;
if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) {
- Print(L"Invalid image\n");
+ ERROR(L"Invalid image\n");
return EFI_UNSUPPORTED;
}
@@ -758,22 +761,22 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew);
if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) {
- Print(L"Invalid image\n");
+ ERROR(L"Invalid image\n");
return EFI_UNSUPPORTED;
}
if (PEHdr->Te.Signature != EFI_IMAGE_NT_SIGNATURE) {
- Print(L"Unsupported image type\n");
+ ERROR(L"Unsupported image type\n");
return EFI_UNSUPPORTED;
}
if (PEHdr->Pe32.FileHeader.Characteristics & EFI_IMAGE_FILE_RELOCS_STRIPPED) {
- Print(L"Unsupported image - Relocations have been stripped\n");
+ ERROR(L"Unsupported image - Relocations have been stripped\n");
return EFI_UNSUPPORTED;
}
if (PEHdr->Pe32.OptionalHeader.Magic != EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
- Print(L"Only 64-bit images supported\n");
+ ERROR(L"Only 64-bit images supported\n");
return EFI_UNSUPPORTED;
}
@@ -789,22 +792,23 @@ static EFI_STATUS read_header(void *data, unsigned int datasize,
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
if (context->ImageSize < context->SizeOfHeaders) {
- Print(L"Invalid image\n");
+ ERROR(L"Invalid image\n");
return EFI_UNSUPPORTED;
}
if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) {
- Print(L"Invalid image\n");
+ ERROR(L"Invalid image\n");
return EFI_UNSUPPORTED;
}
if (context->SecDir->VirtualAddress >= datasize) {
- Print(L"Malformed security header\n");
+ ERROR(L"Malformed security header\n");
return EFI_INVALID_PARAMETER;
}
return EFI_SUCCESS;
}
+
/*
* Once the image has been loaded it needs to be validated and relocated
*/
@@ -823,7 +827,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
*/
efi_status = read_header(data, datasize, &context);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to read header\n");
+ ERROR(L"Failed to read header\n");
return efi_status;
}
@@ -834,7 +838,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
efi_status = verify_buffer(data, datasize, &context);
if (efi_status != EFI_SUCCESS) {
- Print(L"Verification failed\n");
+ ERROR(L"Verification failed\n");
return efi_status;
}
}
@@ -842,7 +846,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
buffer = AllocatePool(context.ImageSize);
if (!buffer) {
- Print(L"Failed to allocate image buffer\n");
+ ERROR(L"Failed to allocate image buffer\n");
return EFI_OUT_OF_RESOURCES;
}
@@ -862,7 +866,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1);
if (!base || !end) {
- Print(L"Invalid section size\n");
+ ERROR(L"Invalid section size\n");
return EFI_UNSUPPORTED;
}
@@ -881,7 +885,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
efi_status = relocate_coff(&context, buffer);
if (efi_status != EFI_SUCCESS) {
- Print(L"Relocation failed\n");
+ ERROR(L"Relocation failed\n");
FreePool(buffer);
return efi_status;
}
@@ -899,7 +903,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
li->LoadOptionsSize = load_options_size;
if (!entry_point) {
- Print(L"Invalid entry point\n");
+ ERROR(L"Invalid entry point\n");
FreePool(buffer);
return EFI_UNSUPPORTED;
}
@@ -922,7 +926,7 @@ should_use_fallback(EFI_HANDLE image_handle)
rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
&loaded_image_protocol, (void **)&li);
if (EFI_ERROR(rc)) {
- Print(L"Could not get image for bootx64.efi: %d\n", rc);
+ ERROR(L"Could not get image for bootx64.efi: %d\n", rc);
return 0;
}
@@ -944,13 +948,13 @@ should_use_fallback(EFI_HANDLE image_handle)
rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle,
&FileSystemProtocol, (void **)&fio);
if (EFI_ERROR(rc)) {
- Print(L"Could not get fio for li->DeviceHandle: %d\n", rc);
+ ERROR(L"Could not get fio for li->DeviceHandle: %d\n", rc);
return 0;
}
rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh);
if (EFI_ERROR(rc)) {
- Print(L"Could not open fio volume: %d\n", rc);
+ ERROR(L"Could not open fio volume: %d\n", rc);
return 0;
}
@@ -1029,7 +1033,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
*PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath));
if (!*PathName) {
- Print(L"Failed to allocate path buffer\n");
+ ERROR(L"Failed to allocate path buffer\n");
efi_status = EFI_OUT_OF_RESOURCES;
goto error;
}
@@ -1072,14 +1076,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
(void **)&drive);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to find fs\n");
+ ERROR(L"Failed to find fs\n");
goto error;
}
efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to open fs\n");
+ ERROR(L"Failed to open fs\n");
goto error;
}
@@ -1090,14 +1094,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
EFI_FILE_MODE_READ, 0);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to open %s - %lx\n", PathName, efi_status);
+ ERROR(L"Failed to open %s - %lx\n", PathName, efi_status);
goto error;
}
fileinfo = AllocatePool(buffersize);
if (!fileinfo) {
- Print(L"Unable to allocate file info buffer\n");
+ ERROR(L"Unable to allocate file info buffer\n");
efi_status = EFI_OUT_OF_RESOURCES;
goto error;
}
@@ -1113,7 +1117,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
FreePool(fileinfo);
fileinfo = AllocatePool(buffersize);
if (!fileinfo) {
- Print(L"Unable to allocate file info buffer\n");
+ ERROR(L"Unable to allocate file info buffer\n");
efi_status = EFI_OUT_OF_RESOURCES;
goto error;
}
@@ -1123,7 +1127,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
}
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to get file info\n");
+ ERROR(L"Unable to get file info\n");
goto error;
}
@@ -1132,7 +1136,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
*data = AllocatePool(buffersize);
if (!*data) {
- Print(L"Unable to allocate file buffer\n");
+ ERROR(L"Unable to allocate file buffer\n");
efi_status = EFI_OUT_OF_RESOURCES;
goto error;
}
@@ -1151,7 +1155,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
}
if (efi_status != EFI_SUCCESS) {
- Print(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize);
+ ERROR(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize);
goto error;
}
@@ -1180,15 +1184,45 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
EFI_STATUS status;
PE_COFF_LOADER_IMAGE_CONTEXT context;
- if (!secure_mode())
- return EFI_SUCCESS;
+ in_protocol = 1;
+
+ if (!secure_mode()) {
+ status = EFI_SUCCESS;
+ goto done;
+ }
status = read_header(buffer, size, &context);
if (status != EFI_SUCCESS)
- return status;
+ goto done;
status = verify_buffer(buffer, size, &context);
+done:
+ in_protocol = 0;
+ return status;
+}
+
+static EFI_STATUS shim_hash (char *data, int datasize,
+ PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ UINT8 *sha256hash, UINT8 *sha1hash)
+{
+ EFI_STATUS status;
+
+ in_protocol = 1;
+ status = generate_hash(data, datasize, context, sha256hash, sha1hash);
+ in_protocol = 0;
+
+ return status;
+}
+
+static EFI_STATUS shim_read_header(void *data, unsigned int datasize,
+ PE_COFF_LOADER_IMAGE_CONTEXT *context)
+{
+ EFI_STATUS status;
+
+ in_protocol = 1;
+ status = read_header(data, datasize, context);
+ in_protocol = 0;
return status;
}
@@ -1216,7 +1250,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
&loaded_image_protocol, (void **)&li);
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to init protocol\n");
+ ERROR(L"Unable to init protocol\n");
return efi_status;
}
@@ -1226,20 +1260,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = generate_path(li, ImagePath, &path, &PathName);
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to generate path: %s\n", ImagePath);
+ ERROR(L"Unable to generate path: %s\n", ImagePath);
goto done;
}
if (findNetboot(image_handle)) {
efi_status = parseNetbootinfo(image_handle);
if (efi_status != EFI_SUCCESS) {
- Print(L"Netboot parsing failed: %d\n", efi_status);
+ ERROR(L"Netboot parsing failed: %d\n", efi_status);
return EFI_PROTOCOL_ERROR;
}
efi_status = FetchNetbootimage(image_handle, &sourcebuffer,
&sourcesize);
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to fetch TFTP image\n");
+ ERROR(L"Unable to fetch TFTP image\n");
return efi_status;
}
data = sourcebuffer;
@@ -1251,7 +1285,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = load_image(li, &data, &datasize, PathName);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to load image\n");
+ ERROR(L"Failed to load image\n");
goto done;
}
}
@@ -1268,7 +1302,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = handle_image(data, datasize, li);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to load image\n");
+ ERROR(L"Failed to load image\n");
CopyMem(li, &li_bak, sizeof(li_bak));
goto done;
}
@@ -1336,7 +1370,7 @@ EFI_STATUS mirror_mok_list()
| EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, Data);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to set MokListRT %d\n", efi_status);
+ ERROR(L"Failed to set MokListRT %d\n", efi_status);
}
done:
@@ -1378,7 +1412,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to start MokManager\n");
+ ERROR(L"Failed to start MokManager\n");
return efi_status;
}
}
@@ -1409,9 +1443,9 @@ static EFI_STATUS check_mok_sb (void)
* modified by the OS
*/
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
- Print(L"MokSBState is compromised! Clearing it\n");
+ ERROR(L"MokSBState is compromised! Clearing it\n");
if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) {
- Print(L"Failed to erase MokSBState\n");
+ ERROR(L"Failed to erase MokSBState\n");
}
status = EFI_ACCESS_DENIED;
} else {
@@ -1442,7 +1476,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
&LoadedImageProtocol, (void **) &li);
if (status != EFI_SUCCESS) {
- Print (L"Failed to get load options\n");
+ ERROR (L"Failed to get load options\n");
return status;
}
@@ -1486,7 +1520,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
if (loader_len > 0) {
loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16));
if (!loader_str) {
- Print(L"Failed to allocate loader string\n");
+ ERROR(L"Failed to allocate loader string\n");
return EFI_OUT_OF_RESOURCES;
}
for (i = 0; i < loader_len; i++)
@@ -1517,8 +1551,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
* call back in and use shim functions
*/
shim_lock_interface.Verify = shim_verify;
- shim_lock_interface.Hash = generate_hash;
- shim_lock_interface.Context = read_header;
+ shim_lock_interface.Hash = shim_hash;
+ shim_lock_interface.Context = shim_read_header;
systab = passed_systab;
--
1.8.1.4
Reference in New Issue Copy Permalink