pool/shim
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

Accepting request 244537 from devel:openSUSE:Factory

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/244537
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=32
This commit is contained in:
Ludwig Nussel
2014-08-18 09:23:47 +00:00
committed by Git OBS Bridge
parent 73e81b4748 b8cbae7e99
commit d153b635dc
24 changed files with 1998 additions and 1676 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
SLES-UEFI-CA-Certificate.crt
View File

@@ -1,39 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG
A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p
ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE
WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv
abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7
e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+
whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/
MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs
qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51
eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE
BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx
EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu
ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU
Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw
pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL
jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M
rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3
SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0
rvc1p6G0YWtO
-----END CERTIFICATE-----

11
attach_signature.sh
View File

@@ -11,13 +11,4 @@ fi
outfile="${infile%.efi}-signed.efi"
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile"
pesign -m "$sig" -i "$infile" -o "$outfile"

13
extract_signature.sh
View File

@@ -9,16 +9,7 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
# wtf?
(pesign -n "$nssdir" -h -P -i "$infile";
(pesign -h -P -i "$infile";
perl $(dirname $0)/timestamp.pl "$infile";
pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat
pesign -a -f -e /dev/stdout -i "$infile")|cat

3
shim-0.7.318.81ee561d.tar.bz2 Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:161cdfa33c1221b9d86241d7b9803240c91d939251a5d6b5c8d8626b8d93cf7f
size 1012687

3
shim-0.7.tar.bz2
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b85cabcdedfcf256e357dc2a8a0131a32f3b4619155a174465db47326c8102b7
size 988071

60
shim-bnc863205-mokmanager-fix-hash-delete.patch Normal file
View File

@@ -0,0 +1,60 @@
From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Feb 2014 15:05:45 +0800
Subject: [PATCH 1/2] MokManager: calculate the variable size correctly
MokSize of the hash signature list includes the owner GUID,
so we should not add the 16bytes compensation.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -940,7 +940,9 @@ static EFI_STATUS write_back_mok_list (M
if (list[i].Mok == NULL)
continue;
- DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+ DataSize += sizeof(EFI_SIGNATURE_LIST);
+ if (CompareGuid(&(list[i].Type), &CertType) == 0)
+ DataSize += sizeof(EFI_GUID);
DataSize += list[i].MokSize;
}
@@ -1046,6 +1048,7 @@ static void delete_hash_in_list (UINT8 *
{
EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
+ UINT32 list_num;
int i, del_ind;
void *start, *end;
UINT32 remain;
@@ -1057,8 +1060,10 @@ static void delete_hash_in_list (UINT8 *
(mok[i].MokSize < sig_size))
continue;
+ list_num = mok[i].MokSize / sig_size;
+
del_ind = match_hash(hash, hash_size, 0, mok[i].Mok,
- mok[i].MokSize);
+ list_num);
while (del_ind >= 0) {
/* Remove the hash */
if (sig_size == mok[i].MokSize) {
@@ -1073,9 +1078,10 @@ static void delete_hash_in_list (UINT8 *
mem_move(start, end, remain);
mok[i].MokSize -= sig_size;
+ list_num--;
del_ind = match_hash(hash, hash_size, del_ind,
- mok[i].Mok, mok[i].MokSize);
+ mok[i].Mok, list_num);
}
}
}

93
shim-correct-user_insecure-usage.patch
View File

@@ -1,93 +0,0 @@
commit d95b24bd02cf41cca9adebd95f10609d6424d2b3
Author: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue Nov 19 10:09:13 2013 -0500
Clarify meaning of insecure_mode
insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
diff --git a/replacements.c b/replacements.c
index bac5e5d..5ea5c32 100644
--- a/replacements.c
+++ b/replacements.c
@@ -64,13 +64,9 @@ static typeof(systab->BootServices->StartImage) system_start_image;
static typeof(systab->BootServices->Exit) system_exit;
static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
-extern UINT8 insecure_mode;
-
void
unhook_system_services(void)
{
- if (insecure_mode)
- return;
systab->BootServices->Exit = system_exit;
systab->BootServices->StartImage = system_start_image;
systab->BootServices->ExitBootServices = system_exit_boot_services;
@@ -123,8 +119,6 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
void
hook_system_services(EFI_SYSTEM_TABLE *local_systab)
{
- if (insecure_mode)
- return;
systab = local_systab;
/* We need to hook various calls to make this work... */
diff --git a/shim.c b/shim.c
index 9ae1936..524f5fc 100644
--- a/shim.c
+++ b/shim.c
@@ -85,7 +85,7 @@ int loader_is_participating;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-UINT8 insecure_mode;
+UINT8 user_insecure_mode;
UINT8 ignore_db;
typedef enum {
@@ -456,7 +456,7 @@ static BOOLEAN secure_mode (void)
UINT8 *Data;
UINT8 sb, setupmode;
- if (insecure_mode)
+ if (user_insecure_mode)
return FALSE;
status = get_variable(L"SecureBoot", &Data, &len, global_var);
@@ -1534,7 +1534,7 @@ static EFI_STATUS check_mok_sb (void)
UINTN MokSBStateSize = 0;
UINT32 attributes;
- insecure_mode = 0;
+ user_insecure_mode = 0;
ignore_db = 0;
status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize,
@@ -1555,7 +1555,7 @@ static EFI_STATUS check_mok_sb (void)
status = EFI_ACCESS_DENIED;
} else {
if (*(UINT8 *)MokSBState == 1) {
- insecure_mode = 1;
+ user_insecure_mode = 1;
}
}
@@ -1753,10 +1753,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
/*
* Tell the user that we're in insecure mode if necessary
*/
- if (!secure_mode()) {
+ if (user_insecure_mode) {
Print(L"Booting in insecure mode\n");
uefi_call_wrapper(BS->Stall, 1, 2000000);
- } else {
+ } else if (secure_mode()) {
/*
* Install our hooks for ExitBootServices() and StartImage()
*/

165
shim-fix-dhcpv4-path-generation.patch
View File

@@ -1,165 +0,0 @@
From e62b69a5b0b87c6df7a4fc23906134945309e927 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 20 Nov 2013 12:20:23 -0500
Subject: [PATCH 1/2] Fix path generation for Dhcpv4 bootloader.
Right now we always look for e.g. "\grubx64.efi", which is completely
wrong. This makes it look for the path shim was loaded from and modify
that to end in a sanitized version of our default loader name.
Resolves: rhbz#1032583
Signed-off-by: Peter Jones <pjones@redhat.com>
---
include/str.h | 45 +++++++++++++++++++++++++++++++++++++++++++++
netboot.c | 28 +++++++++++++++++++++-------
2 files changed, 66 insertions(+), 7 deletions(-)
create mode 100644 include/str.h
diff --git a/include/str.h b/include/str.h
new file mode 100644
index 0000000..0f3e003
--- /dev/null
+++ b/include/str.h
@@ -0,0 +1,45 @@
+#ifndef SHIM_STR_H
+#define SHIM_STR_H
+
+static inline
+__attribute__((unused))
+unsigned long strnlena(const CHAR8 *s, unsigned long n)
+{
+ unsigned long i;
+ for (i = 0; i <= n; i++)
+ if (s[i] == '\0')
+ break;
+ return i;
+}
+
+static inline
+__attribute__((unused))
+CHAR8 *
+strncpya(CHAR8 *dest, const CHAR8 *src, unsigned long n)
+{
+ unsigned long i;
+
+ for (i = 0; i < n && src[i] != '\0'; i++)
+ dest[i] = src[i];
+ for (; i < n; i++)
+ dest[i] = '\0';
+
+ return dest;
+}
+
+static inline
+__attribute__((unused))
+CHAR8 *
+strcata(CHAR8 *dest, const CHAR8 *src)
+{
+ unsigned long dest_len = strlena(dest);
+ unsigned long i;
+
+ for (i = 0; src[i] != '\0'; i++)
+ dest[dest_len + i] = src[i];
+ dest[dest_len + i] = '\0';
+
+ return dest;
+}
+
+#endif /* SHIM_STR_H */
diff --git a/netboot.c b/netboot.c
index a83c82a..1732dc7 100644
--- a/netboot.c
+++ b/netboot.c
@@ -38,6 +38,7 @@
#include <string.h>
#include "shim.h"
#include "netboot.h"
+#include "str.h"
static inline unsigned short int __swap16(unsigned short int x)
{
@@ -305,19 +306,32 @@ static EFI_STATUS parseDhcp6()
static EFI_STATUS parseDhcp4()
{
- CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR;
- full_path = AllocateZeroPool(strlen(template)+1);
+ CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+ UINTN template_len = strlen(template) + 1;
+
+ UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
+ UINTN i;
+ UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile;
+
+ for (i = dir_len; i >= 0; i--) {
+ if (dir[i] == '/')
+ break;
+ }
+ dir_len = (i >= 0) ? i + 1 : 0;
+
+ full_path = AllocateZeroPool(dir_len + template_len);
if (!full_path)
return EFI_OUT_OF_RESOURCES;
+ if (dir_len > 0) {
+ strncpya(full_path, dir, dir_len);
+ if (full_path[dir_len-1] == '/' && template[0] == '/')
+ full_path[dir_len-1] = '\0';
+ }
+ strcata(full_path, template);
memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4);
- memcpy(full_path, template, strlen(template));
-
- /* Note we don't capture the filename option here because we know its shim.efi
- * We instead assume the filename at the end of the path is going to be grubx64.efi
- */
return EFI_SUCCESS;
}
--
1.8.1.4
From 27129a5a05d1947e6f7479766e8281d50d6031f6 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Nov 2013 11:26:08 -0500
Subject: [PATCH 2/2] Lengths that might be -1 can't be unsigned, Peter.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
netboot.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/netboot.c b/netboot.c
index 1732dc7..07e2773 100644
--- a/netboot.c
+++ b/netboot.c
@@ -307,10 +307,10 @@ static EFI_STATUS parseDhcp6()
static EFI_STATUS parseDhcp4()
{
CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
- UINTN template_len = strlen(template) + 1;
+ INTN template_len = strlen(template) + 1;
- UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
- UINTN i;
+ INTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
+ INTN i;
UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile;
for (i = dir_len; i >= 0; i--) {
@@ -329,6 +329,8 @@ static EFI_STATUS parseDhcp4()
if (full_path[dir_len-1] == '/' && template[0] == '/')
full_path[dir_len-1] = '\0';
}
+ if (dir_len == 0 && dir[0] != '/' && template[0] == '/')
+ template++;
strcata(full_path, template);
memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4);
--
1.8.1.4

49
shim-fix-verify-mok.patch
View File

@@ -1,49 +0,0 @@
commit 11495d4019d44dce1487939f91f7d751ffbb9730
Author: Andrew Boie <andrew.p.boie@intel.com>
Date: Mon Apr 15 14:11:17 2013 -0700
fix verify_mok()
() Fix the return value semantics. If the MokList doesn't
exist, we are OK. If the MokList was compromised but we
were able to erase it, that is OK too. Only if the list
can't be nuked do we return an error.
() Fix use of potentially uninitialized attribute variable
() Actually use the return value when called from verify_buffer.
Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
diff --git a/shim.c b/shim.c
index 23dd0ee..dcb36d0 100644
--- a/shim.c
+++ b/shim.c
@@ -670,13 +670,12 @@ static EFI_STATUS verify_mok (void) {
status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize,
shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
Print(L"MokList is compromised!\nErase all keys in MokList!\n");
if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
Print(L"Failed to erase MokList\n");
+ return EFI_ACCESS_DENIED;
}
- status = EFI_ACCESS_DENIED;
- return status;
}
if (MokListData)
@@ -722,7 +721,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
/*
* Check that the MOK database hasn't been modified
*/
- verify_mok();
+ status = verify_mok();
+ if (status != EFI_SUCCESS)
+ return status;
/*
* Ensure that the binary isn't blacklisted

181
shim-improve-error-messages.patch
View File

@@ -1,181 +0,0 @@
commit 2f09d0ab290d9b0d8aa14c3243f1d85a20bc34e6
Author: Andrew Boie <andrew.p.boie@intel.com>
Date: Mon Nov 11 17:29:06 2013 -0800
shim: improve error messages
%r when used in Print() will show a string representation of
an EFI_STATUS code.
Change-Id: I6db47f5213454603bd66177aca378ad01e9f0bd4
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
diff --git a/shim.c b/shim.c
index a043779..9ae1936 100644
--- a/shim.c
+++ b/shim.c
@@ -914,7 +914,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
*/
efi_status = read_header(data, datasize, &context);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to read header\n");
+ Print(L"Failed to read header: %r\n", efi_status);
return efi_status;
}
@@ -981,7 +981,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
efi_status = relocate_coff(&context, buffer);
if (efi_status != EFI_SUCCESS) {
- Print(L"Relocation failed\n");
+ Print(L"Relocation failed: %r\n", efi_status);
FreePool(buffer);
return efi_status;
}
@@ -1022,7 +1022,7 @@ should_use_fallback(EFI_HANDLE image_handle)
rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
&loaded_image_protocol, (void **)&li);
if (EFI_ERROR(rc)) {
- Print(L"Could not get image for bootx64.efi: %d\n", rc);
+ Print(L"Could not get image for bootx64.efi: %r\n", rc);
return 0;
}
@@ -1044,13 +1044,13 @@ should_use_fallback(EFI_HANDLE image_handle)
rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle,
&FileSystemProtocol, (void **)&fio);
if (EFI_ERROR(rc)) {
- Print(L"Could not get fio for li->DeviceHandle: %d\n", rc);
+ Print(L"Could not get fio for li->DeviceHandle: %r\n", rc);
return 0;
}
rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh);
if (EFI_ERROR(rc)) {
- Print(L"Could not open fio volume: %d\n", rc);
+ Print(L"Could not open fio volume: %r\n", rc);
return 0;
}
@@ -1172,14 +1172,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
(void **)&drive);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to find fs\n");
+ Print(L"Failed to find fs: %r\n", efi_status);
goto error;
}
efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to open fs\n");
+ Print(L"Failed to open fs: %r\n", efi_status);
goto error;
}
@@ -1190,7 +1190,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
EFI_FILE_MODE_READ, 0);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to open %s - %lx\n", PathName, efi_status);
+ Print(L"Failed to open %s - %r\n", PathName, efi_status);
goto error;
}
@@ -1223,7 +1223,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
}
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to get file info\n");
+ Print(L"Unable to get file info: %r\n", efi_status);
goto error;
}
@@ -1251,7 +1251,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data,
}
if (efi_status != EFI_SUCCESS) {
- Print(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize);
+ Print(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize);
goto error;
}
@@ -1328,20 +1328,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = generate_path(li, ImagePath, &path, &PathName);
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to generate path: %s\n", ImagePath);
+ Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status);
goto done;
}
if (findNetboot(image_handle)) {
efi_status = parseNetbootinfo(image_handle);
if (efi_status != EFI_SUCCESS) {
- Print(L"Netboot parsing failed: %d\n", efi_status);
+ Print(L"Netboot parsing failed: %r\n", efi_status);
return EFI_PROTOCOL_ERROR;
}
efi_status = FetchNetbootimage(image_handle, &sourcebuffer,
&sourcesize);
if (efi_status != EFI_SUCCESS) {
- Print(L"Unable to fetch TFTP image\n");
+ Print(L"Unable to fetch TFTP image: %r\n", efi_status);
return efi_status;
}
data = sourcebuffer;
@@ -1353,7 +1353,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = load_image(li, &data, &datasize, PathName);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to load image\n");
+ Print(L"Failed to load image %s: %r\n", PathName, efi_status);
goto done;
}
}
@@ -1370,7 +1370,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
efi_status = handle_image(data, datasize, li);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to load image\n");
+ Print(L"Failed to load image: %r\n", efi_status);
CopyMem(li, &li_bak, sizeof(li_bak));
goto done;
}
@@ -1473,7 +1473,7 @@ EFI_STATUS mirror_mok_list()
| EFI_VARIABLE_RUNTIME_ACCESS,
FullDataSize, FullData);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to set MokListRT %d\n", efi_status);
+ Print(L"Failed to set MokListRT: %r\n", efi_status);
}
return efi_status;
@@ -1514,7 +1514,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to start MokManager\n");
+ Print(L"Failed to start MokManager: %r\n", efi_status);
return efi_status;
}
}
@@ -1621,7 +1621,7 @@ static EFI_STATUS mok_ignore_db()
| EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, (void *)&Data);
if (efi_status != EFI_SUCCESS) {
- Print(L"Failed to set MokIgnoreDB %d\n", efi_status);
+ Print(L"Failed to set MokIgnoreDB: %r\n", efi_status);
}
}
@@ -1648,7 +1648,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle,
&LoadedImageProtocol, (void **) &li);
if (status != EFI_SUCCESS) {
- Print (L"Failed to get load options\n");
+ Print (L"Failed to get load options: %r\n", status);
return status;
}

58
shim-install
View File

@@ -4,14 +4,19 @@ rootdir=
bootdir=
efidir=
install_device=
efibootdir=
ca_string=
removable=no
clean=no
sysconfdir="/etc"
libdir="/usr/lib64"
source_dir="$libdir/efi"
grub_probe="`which grub2-probe`"
grub_mkrelpath="`which grub2-mkrelpath`"
grub_install="`which grub2-install`"
self="`basename $0`"
grub_cfg="/boot/grub2/grub.cfg"
update_boot=no
# Get GRUB_DISTRIBUTOR.
if test -f "${sysconfdir}/default/grub" ; then
@@ -26,6 +31,14 @@ fi
efi_distributor="$bootloader_id"
bootloader_id="${bootloader_id}-secureboot"
case "$bootloader_id" in
"sle"*)
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
"opensuse"*)
ca_string='openSUSE Secure Boot CA1';;
*) ca_string="";;
esac
usage () {
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
echo
@@ -169,18 +182,32 @@ fi
if test -n "$efidir"; then
efi_file=shim.efi
efibootdir="$efidir/EFI/boot"
mkdir -p "$efibootdir" || exit 1
efidir="$efidir/EFI/$efi_distributor"
mkdir -p "$efidir" || exit 1
else
exit 1;
fi
if test -f "$efibootdir/bootx64.efi"; then
if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then
update_boot=yes
fi
else
update_boot=yes
fi
if test "$clean" = "yes"; then
rm -f "${efidir}/shim.efi"
rm -f "${efidir}/MokManager.efi"
rm -f "${efidir}/grub.efi"
rm -f "${efidir}/grub.cfg"
rm -f "${efidir}/boot.csv"
if test "$update_boot" = "yes"; then
rm -f "${efibootdir}/bootx64.efi"
rm -f "${efibootdir}/fallback.efi"
fi
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
# Delete old entries from the same distributor.
@@ -196,17 +223,38 @@ cp "${source_dir}/shim.efi" "${efidir}"
cp "${source_dir}/MokManager.efi" "${efidir}"
cp "${source_dir}/grub.efi" "${efidir}"
echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
if test "$update_boot" = "yes"; then
cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi"
cp "${source_dir}/fallback.efi" "${efibootdir}"
fi
make_grubcfg () {
grub_cfg_dirname=`dirname $grub_cfg`
grub_cfg_basename=`basename $grub_cfg`
cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
(cat << EOF
search --fs-uuid --set=root ${cfg_fs_uuid}
set prefix=(\${root})${grub_cfg_dirname}
if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"; then
cat <<EOF
set btrfs_relative_path="yes"
EOF
echo "configfile \$prefix/${grub_cfg_basename}") \
> "${efidir}/grub.cfg"
if ${grub_mkrelpath} --usage | grep -q -e '--relative'; then
grub_mkrelpath="${grub_mkrelpath} -r"
fi
fi
cat <<EOF
search --fs-uuid --set=root ${cfg_fs_uuid}
set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
configfile \$prefix/${grub_cfg_basename}
EOF
}
make_grubcfg > "${efidir}/grub.cfg"
# bnc#889765 GRUB shows broken letters at boot
# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
${grub_install} --no-nvram
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then

157
shim-mokmanager-handle-keystroke-error.patch
View File

@@ -1,157 +0,0 @@
From 7edfcaa6e03c8aa1ce39e8eb193d2064f4119342 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 3 Dec 2013 15:52:02 +0800
Subject: [PATCH] MokManager: handle the error status from ReadKeyStroke
On some machines, even though the key event was signaled, ReadKeyStroke
still got EFI_NOT_READY. This commit handles the error status to avoid
console_get_keystroke from returning unexpected keys.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 17 +++++++++++++----
include/console.h | 4 ++--
lib/console.c | 26 ++++++++++++++++++--------
3 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index f5ed379..d700fa8 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -488,13 +488,19 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
return EFI_SUCCESS;
}
-static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show)
+static EFI_STATUS get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show)
{
EFI_INPUT_KEY key;
+ EFI_STATUS status;
int count = 0;
do {
- key = console_get_keystroke();
+ status = console_get_keystroke(&key);
+ if (EFI_ERROR (status)) {
+ console_error(L"Failed to read the keystroke", status);
+ *length = 0;
+ return status;
+ }
if ((count >= line_max &&
key.UnicodeChar != CHAR_BACKSPACE) ||
@@ -525,7 +531,7 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show
*length = count;
- return 1;
+ return EFI_SUCCESS;
}
static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password,
@@ -989,6 +995,7 @@ static INTN mok_deletion_prompt (void *MokDel, UINTN MokDelSize)
static CHAR16 get_password_charater (CHAR16 *prompt)
{
SIMPLE_TEXT_OUTPUT_MODE SavedMode;
+ EFI_STATUS status;
CHAR16 *message[2];
CHAR16 character;
UINTN length;
@@ -1003,7 +1010,9 @@ static CHAR16 get_password_charater (CHAR16 *prompt)
message[1] = NULL;
length = StrLen(message[0]);
console_print_box_at(message, -1, -length-4, -5, length+4, 3, 0, 1);
- get_line(&pw_length, &character, 1, 0);
+ status = get_line(&pw_length, &character, 1, 0);
+ if (EFI_ERROR(status))
+ character = 0;
console_restore_mode(&SavedMode);
diff --git a/include/console.h b/include/console.h
index e6c2818..9c793ea 100644
--- a/include/console.h
+++ b/include/console.h
@@ -1,8 +1,8 @@
#ifndef _SHIM_LIB_CONSOLE_H
#define _SHIM_LIB_CONSOLE_H 1
-EFI_INPUT_KEY
-console_get_keystroke(void);
+EFI_STATUS
+console_get_keystroke(EFI_INPUT_KEY *key);
void
console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines);
void
diff --git a/lib/console.c b/lib/console.c
index 2fc8db3..41ed83a 100644
--- a/lib/console.c
+++ b/lib/console.c
@@ -40,16 +40,18 @@ SetMem16(CHAR16 *dst, UINT32 n, CHAR16 c)
}
}
-EFI_INPUT_KEY
-console_get_keystroke(void)
+EFI_STATUS
+console_get_keystroke(EFI_INPUT_KEY *key)
{
- EFI_INPUT_KEY key;
UINTN EventIndex;
+ EFI_STATUS status;
- uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex);
- uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &key);
+ do {
+ uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex);
+ status = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, key);
+ } while (status == EFI_NOT_READY);
- return key;
+ return status;
}
void
@@ -162,6 +164,8 @@ console_print_box(CHAR16 *str_arr[], int highlight)
{
SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode;
SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
+ EFI_INPUT_KEY key;
+
CopyMem(&SavedConsoleMode, co->Mode, sizeof(SavedConsoleMode));
uefi_call_wrapper(co->EnableCursor, 2, co, FALSE);
uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE);
@@ -169,7 +173,7 @@ console_print_box(CHAR16 *str_arr[], int highlight)
console_print_box_at(str_arr, highlight, 0, 0, -1, -1, 0,
count_lines(str_arr));
- console_get_keystroke();
+ console_get_keystroke(&key);
uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible);
@@ -184,6 +188,7 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start)
SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode;
SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
EFI_INPUT_KEY k;
+ EFI_STATUS status;
int selector;
int selector_lines = count_lines(selectors);
int selector_max_cols = 0;
@@ -237,7 +242,12 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start)
size_cols, size_rows, 0, lines);
do {
- k = console_get_keystroke();
+ status = console_get_keystroke(&k);
+ if (EFI_ERROR (status)) {
+ Print(L"Failed to read the keystroke: %r", status);
+ selector = -1;
+ break;
+ }
if (k.ScanCode == SCAN_ESC) {
selector = -1;
--
1.8.4

449
shim-mokmanager-support-sha-family.patch Normal file
View File

@@ -0,0 +1,449 @@
From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 3 Apr 2014 18:26:37 +0800
Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK
Add SHA1 hash support and amend the code to make it easier to support
other SHA digests.
---
MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 46 deletions(-)
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -25,6 +25,9 @@
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
@@ -93,31 +96,84 @@ done:
return status;
}
+static BOOLEAN is_sha_hash (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
+static UINT32 sha_size (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return SHA224_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return SHA256_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return SHA384_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return SHA512_DIGEST_LENGTH;
+
+ return 0;
+}
+
+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
+{
+ EFI_GUID CertType = X509_GUID;
+ UINT32 hash_sig_size;
+
+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ return TRUE;
+
+ if (!is_sha_hash (Type))
+ return FALSE;
+
+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
+ if (SigSize != hash_sig_size)
+ return FALSE;
+
+ return TRUE;
+}
+
static UINT32 count_keys(void *Data, UINTN DataSize)
{
EFI_SIGNATURE_LIST *CertList = Data;
- EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- console_notify(L"Doesn't look like a key or hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ if (CertList->SignatureListSize == 0 ||
+ CertList->SignatureListSize <= CertList->SignatureSize) {
+ console_errorbox(L"Corrupted signature list");
+ return 0;
}
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CertList->SignatureSize != 48)) {
- console_notify(L"Doesn't look like a valid hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
+ console_errorbox(L"Invalid signature list found");
+ return 0;
}
MokNum++;
@@ -134,7 +190,6 @@ static MokListNode *build_mok_list(UINT3
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
@@ -146,21 +201,8 @@ static MokListNode *build_mok_list(UINT3
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
+ /* Omit the signature check here since we already did it
+ in count_keys() */
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
@@ -380,22 +422,46 @@ static void show_x509_info (X509 *X509Ce
FreePool(text);
}
-static void show_sha256_digest (UINT8 *hash)
+static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
+ int length;
+
+ if (CompareGuid(&Type, &Sha1) == 0) {
+ length = SHA1_DIGEST_SIZE;
+ text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha224) == 0) {
+ length = SHA224_DIGEST_LENGTH;
+ text[0] = L"SHA224 hash";
+ } else if (CompareGuid(&Type, &Sha256) == 0) {
+ length = SHA256_DIGEST_SIZE;
+ text[0] = L"SHA256 hash";
+ } else if (CompareGuid(&Type, &Sha384) == 0) {
+ length = SHA384_DIGEST_LENGTH;
+ text[0] = L"SHA384 hash";
+ } else if (CompareGuid(&Type, &Sha512) == 0) {
+ length = SHA512_DIGEST_LENGTH;
+ text[0] = L"SHA512 hash";
+ } else {
+ return;
+ }
ZeroMem(&hash_string1, sizeof(hash_string1));
ZeroMem(&hash_string2, sizeof(hash_string2));
- text[0] = L"SHA256 hash";
text[1] = L"";
- for (i=0; i<16; i++)
+ for (i=0; i<length/2; i++)
CatPrint(&hash_string1, L"%02x ", hash[i]);
- for (i=16; i<32; i++)
+ for (i=length/2; i<length; i++)
CatPrint(&hash_string2, L"%02x ", hash[i]);
text[2] = hash_string1.str;
@@ -411,7 +477,7 @@ static void show_sha256_digest (UINT8 *h
FreePool(hash_string2.str);
}
-static void show_efi_hash (void *Mok, UINTN MokSize)
+static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
{
UINTN sig_size;
UINTN hash_num;
@@ -420,7 +486,7 @@ static void show_efi_hash (void *Mok, UI
int key_num = 0;
int i;
- sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
console_errorbox(L"Corrupted Hash List");
return;
@@ -429,7 +495,7 @@ static void show_efi_hash (void *Mok, UI
if (hash_num == 1) {
hash = (UINT8 *)Mok + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
return;
}
@@ -452,7 +518,7 @@ static void show_efi_hash (void *Mok, UI
break;
hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
}
for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +533,6 @@ static void show_mok_info (EFI_GUID Type
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
if (!Mok || MokSize == 0)
return;
@@ -488,8 +553,8 @@ static void show_mok_info (EFI_GUID Type
console_notify(L"Not a valid X509 certificate");
return;
}
- } else if (CompareGuid (&Type, &HashType) == 0) {
- show_efi_hash(Mok, MokSize);
+ } else if (is_sha_hash(Type)) {
+ show_efi_hash(Type, Mok, MokSize);
}
}
@@ -504,15 +569,18 @@ static EFI_STATUS list_keys (void *KeyLi
if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_SIGNATURE_DATA))) {
console_notify(L"No MOK keys found");
- return 0;
+ return EFI_NOT_FOUND;
}
MokNum = count_keys(KeyList, KeyListSize);
+ if (MokNum == 0) {
+ console_errorbox(L"Invalid key list");
+ return EFI_ABORTED;
+ }
keys = build_mok_list(MokNum, KeyList, KeyListSize);
-
if (!keys) {
- console_notify(L"Failed to construct key list");
- return 0;
+ console_errorbox(L"Failed to construct key list");
+ return EFI_ABORTED;
}
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2));
@@ -837,7 +905,7 @@ static EFI_STATUS store_keys (void *MokN
return EFI_SUCCESS;
}
-static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
+static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@@ -974,7 +1042,7 @@ static EFI_STATUS write_back_mok_list (M
} else {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST);
- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
CopyMem(CertData, list[i].Mok, list[i].MokSize);
}
@@ -1043,10 +1111,9 @@ static void mem_move (void *dest, void *
d[i] = s[i];
}
-static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
+static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
UINT32 list_num;
int i, del_ind;
@@ -1056,7 +1123,7 @@ static void delete_hash_in_list (UINT8 *
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
+ if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
(mok[i].MokSize < sig_size))
continue;
@@ -1086,7 +1153,7 @@ static void delete_hash_in_list (UINT8 *
}
}
-static void delete_hash_list (void *hash_list, UINT32 list_size,
+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
MokListNode *mok, INTN mok_num)
{
UINT32 hash_size;
@@ -1095,7 +1162,7 @@ static void delete_hash_list (void *hash
UINT8 *hash;
int i;
- hash_size = SHA256_DIGEST_SIZE;
+ hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);
if (list_size < sig_size)
return;
@@ -1105,7 +1172,7 @@ static void delete_hash_list (void *hash
hash = hash_list + sizeof(EFI_GUID);
for (i = 0; i < hash_num; i++) {
- delete_hash_in_list (hash, hash_size, mok, mok_num);
+ delete_hash_in_list (Type, hash, hash_size, mok, mok_num);
hash += sig_size;
}
}
@@ -1114,7 +1181,6 @@ static EFI_STATUS delete_keys (void *Mok
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
@@ -1161,7 +1227,13 @@ static EFI_STATUS delete_keys (void *Mok
efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (efi_status != EFI_SUCCESS) {
+ if (MokX)
+ console_errorbox(L"Failed to retrieve MokListX");
+ else
+ console_errorbox(L"Failed to retrieve MokList");
+ return EFI_ABORTED;
+ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
if (MokX) {
err_str1 = L"MokListX is compromised!";
err_str2 = L"Erase all keys in MokListX!";
@@ -1170,7 +1242,11 @@ static EFI_STATUS delete_keys (void *Mok
err_str2 = L"Erase all keys in MokList!";
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
- LibDeleteVariable(db_name, &shim_lock_guid);
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
return EFI_ACCESS_DENIED;
}
@@ -1180,23 +1256,56 @@ static EFI_STATUS delete_keys (void *Mok
/* Construct lists */
mok_num = count_keys(MokListData, MokListDataSize);
+ if (mok_num == 0) {
+ if (MokX) {
+ err_str1 = L"Failed to construct the key list of MokListX";
+ err_str2 = L"Reset MokListX!";
+ } else {
+ err_str1 = L"Failed to construct the key list of MokList";
+ err_str2 = L"Reset MokList!";
+ }
+ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
mok = build_mok_list(mok_num, MokListData, MokListDataSize);
+ if (!mok) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_num = count_keys(MokDel, MokDelSize);
+ if (del_num == 0) {
+ console_errorbox(L"Invalid key delete list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_key = build_mok_list(del_num, MokDel, MokDelSize);
+ if (!del_key) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
/* Search and destroy */
for (i = 0; i < del_num; i++) {
if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
- delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
+ } else if (is_sha_hash(del_key[i].Type)) {
+ delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ del_key[i].MokSize, mok, mok_num);
}
}
efi_status = write_back_mok_list(mok, mok_num, MokX);
+error:
if (MokListData)
FreePool(MokListData);
if (mok)

1398
shim-mokx-support.patch
View File

File diff suppressed because it is too large Load Diff

13
shim-only-os-name.patch Normal file
View File

@@ -0,0 +1,13 @@
Index: shim-0.7/Makefile
===================================================================
--- shim-0.7.orig/Makefile
+++ shim-0.7/Makefile
@@ -67,7 +67,7 @@ shim_cert.h: shim.cer
version.c : version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@UNAME@@,$(shell uname -o)," \
-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
< version.c.in > version.c

336
shim-opensuse-cert-prompt.patch Normal file
View File

@@ -0,0 +1,336 @@
From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
This is an openSUSE-only patch.
Pop up a window to ask if the user is willing to trust the built-in
openSUSE certificate.
If yes, set openSUSE_Verify, a BootService variable, to 1, and shim
won't bother the user afterward.
If no, continue the booting process without using the built-in
certificate to verify the EFI images, and the window will show up
again after reboot.
The state will store in use_openSUSE_cert, a volatile RT variable.
---
shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 97 insertions(+), 19 deletions(-)
Index: shim-0.7/shim.c
===================================================================
--- shim-0.7.orig/shim.c
+++ shim-0.7/shim.c
@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
int loader_is_participating;
+BOOLEAN use_builtin_cert;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d
if (status == EFI_SUCCESS)
return status;
- if (cert) {
+ if (cert && use_builtin_cert) {
/*
* Check against the shim build key
*/
@@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
- FullDataSize = DataSize
- + sizeof (*CertList)
- + sizeof (EFI_GUID)
- + vendor_cert_size
- ;
+ FullDataSize = DataSize;
+ if (use_builtin_cert) {
+ FullDataSize += sizeof (*CertList) +
+ sizeof (EFI_GUID) +
+ vendor_cert_size;
+ } else if (DataSize == 0) {
+ return EFI_SUCCESS;
+ }
FullData = AllocatePool(FullDataSize);
if (!FullData) {
perror(L"Failed to allocate space for MokListRT\n");
@@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list()
CopyMem(p, Data, DataSize);
p += DataSize;
}
- CertList = (EFI_SIGNATURE_LIST *)p;
- p += sizeof (*CertList);
- CertData = (EFI_SIGNATURE_DATA *)p;
- p += sizeof (EFI_GUID);
-
- CertList->SignatureType = EFI_CERT_X509_GUID;
- CertList->SignatureListSize = vendor_cert_size
- + sizeof (*CertList)
- + sizeof (*CertData)
- -1;
- CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
- CertData->SignatureOwner = SHIM_LOCK_GUID;
- CopyMem(p, vendor_cert, vendor_cert_size);
+ if (use_builtin_cert) {
+ CertList = (EFI_SIGNATURE_LIST *)p;
+ p += sizeof (*CertList);
+ CertData = (EFI_SIGNATURE_DATA *)p;
+ p += sizeof (EFI_GUID);
+
+ CertList->SignatureType = EFI_CERT_X509_GUID;
+ CertList->SignatureListSize = vendor_cert_size
+ + sizeof (*CertList)
+ + sizeof (*CertData)
+ -1;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
+
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ CopyMem(p, vendor_cert, vendor_cert_size);
+ }
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid,
@@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
- check_var(L"MokXAuth")) {
+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
@@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void)
&shim_lock_guid, &shim_lock_interface);
}
+#define VENDOR_VERIFY L"openSUSE_Verify"
+
+/* Show the built-in certificate prompt if necessary */
+static int builtin_cert_prompt(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+ UINT32 attributes;
+ UINTN len = sizeof(UINT8);
+ UINT8 data;
+
+ use_builtin_cert = FALSE;
+
+ if (vendor_cert_size == 0)
+ return 0;
+
+ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY,
+ &shim_lock_guid, &attributes,
+ &len, &data);
+ if (status != EFI_SUCCESS ||
+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
+ int choice;
+
+ if (status != EFI_NOT_FOUND)
+ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid);
+
+ CHAR16 *str[] = {L"Trust openSUSE Certificate",
+ L"",
+ L"Do you agree to use the built-in openSUSE certificate",
+ L"to verify boot loaders and kernels?",
+ NULL};
+ choice = console_yes_no(str);
+ if (choice != 1) {
+ data = 0;
+ goto done;
+ }
+
+ data = 1;
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ VENDOR_VERIFY,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set openSUSE_Verify", status);
+ return -1;
+ }
+ }
+
+ use_builtin_cert = TRUE;
+ data = 1;
+
+done:
+ /* Setup a runtime variable to show the current state */
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"use_openSUSE_cert",
+ &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set use_openSUSE_cert", status);
+ return -1;
+ }
+
+ return 0;
+}
+
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
EFI_STATUS efi_status;
@@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
*/
hook_system_services(systab);
loader_is_participating = 0;
+ if (builtin_cert_prompt() != 0)
+ return EFI_ABORTED;
}
}
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW,
return -1;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+
+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
+ return 0;
+
+ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) {
+ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0,
+ NULL, NULL);
+ }
+ if (status != EFI_SUCCESS)
+ return -1;
+
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"openSUSE_Verify", &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+ }
+
+ console_notify(L"The system must now be rebooted");
+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm,
+ EFI_SUCCESS, 0, NULL);
+ console_notify(L"Failed to reboot");
+ return -1;
+}
+
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
@@ -2053,6 +2083,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
+ MOK_CLEAR_VERIFY,
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
@@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
- void *MokXDel, UINTN MokXDelSize)
+ void *MokXDel, UINTN MokXDelSize,
+ void *ClearVerify, UINTN ClearVerifySize)
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
@@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
if (MokDB)
menucount++;
+ if (ClearVerify)
+ menucount++;
+
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
@@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
i++;
}
+ if (ClearVerify) {
+ menu_strings[i] = L"Revoke openSUSE certificate";
+ menu_item[i] = MOK_CLEAR_VERIFY;
+ i++;
+ }
+
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
break;
+ case MOK_CLEAR_VERIFY:
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
+ break;
case MOK_KEY_ENROLL:
mok_key_enroll();
break;
@@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
+ UINTN ClearVerifySize = 0;
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
+ void *ClearVerify = NULL;
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_
console_error(L"Could not retrieve MokXDel", status);
}
+ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize,
+ shim_lock_guid);
+ if (status == EFI_SUCCESS) {
+ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) {
+ console_notify(L"Failed to delete ClearVerify");
+ }
+ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
+ console_error(L"Could not retrieve ClearVerify", status);
+ }
+
enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize,
- MokXNew, MokXNewSize, MokXDel, MokXDelSize);
+ MokXNew, MokXNewSize, MokXDel, MokXDelSize,
+ ClearVerify, ClearVerifySize);
if (MokNew)
FreePool (MokNew);
@@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_
if (MokXDel)
FreePool (MokXDel);
+ if (ClearVerify)
+ FreePool (ClearVerify);
+
LibDeleteVariable(L"MokAuth", &shim_lock_guid);
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);

51
shim-signed-unsigned-compares.patch Normal file
View File

@@ -0,0 +1,51 @@
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -483,8 +483,8 @@ static void show_efi_hash (EFI_GUID Type
UINTN hash_num;
UINT8 *hash;
CHAR16 **menu_strings;
- int key_num = 0;
- int i;
+ UINTN key_num = 0;
+ UINTN i;
sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
@@ -562,7 +562,7 @@ static EFI_STATUS list_keys (void *KeyLi
{
UINT32 MokNum = 0;
MokListNode *keys = NULL;
- int key_num = 0;
+ UINT32 key_num = 0;
CHAR16 **menu_strings;
unsigned int i;
@@ -1088,7 +1088,7 @@ static int match_hash (UINT8 *hash, UINT
void *hash_list, UINT32 list_num)
{
UINT8 *ptr;
- int i;
+ UINTN i;
ptr = hash_list + sizeof(EFI_GUID);
for (i = start; i < list_num; i++) {
@@ -1103,7 +1103,7 @@ static int match_hash (UINT8 *hash, UINT
static void mem_move (void *dest, void *src, UINTN size)
{
UINT8 *d, *s;
- int i;
+ UINTN i;
d = (UINT8 *)dest;
s = (UINT8 *)src;
@@ -1160,7 +1160,7 @@ static void delete_hash_list (EFI_GUID T
UINT32 hash_num;
UINT32 sig_size;
UINT8 *hash;
- int i;
+ UINT32 i;
hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);

176
shim.changes
View File

@@ -1,3 +1,179 @@
-------------------------------------------------------------------
Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com
- updated shim to new version (OpenSSL 0.9.8za) and requested a new
certificate from Microsoft. Removed
* shim-allow-fallback-use-system-loadimage.patch
* shim-bnc872503-check-key-encoding.patch
* shim-bnc877003-fetch-from-the-same-device.patch
* shim-correct-user_insecure-usage.patch
* shim-fallback-avoid-duplicate-bootorder.patch
* shim-fallback-improve-entries-creation.patch
* shim-fix-dhcpv4-path-generation.patch
* shim-fix-uninitialized-variable.patch
* shim-fix-verify-mok.patch
* shim-get-variable-check.patch
* shim-improve-error-messages.patch
* shim-mokmanager-delete-bs-var-right.patch
* shim-mokmanager-handle-keystroke-error.patch
* shim-remove-unused-variables.patch
since they're included in upstream and rebased the remaining onces.
Added shim-signed-unsigned-compares.patch to fix some compiler
warnings
-------------------------------------------------------------------
Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com
- Keep shim-devel.efi for the devel project
-------------------------------------------------------------------
Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de
- don't fail the build if the UEFI signing service signature can't
be attached anymore. This way shim can still pass through staging
projects. We will verify the correct signature for release builds
using openQA instead.
-------------------------------------------------------------------
Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com
- shim-install: fix GRUB shows broken letters at boot by calling
grub2-install to initialize /boot/grub2 directory with files
needed by grub.cfg (bnc#889765)
-------------------------------------------------------------------
Wed May 28 04:13:33 UTC 2014 - glin@suse.com
- Add shim-remove-unused-variables.patch to remove the unused
variables
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
of the keys (bnc#872503)
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Wed May 14 09:39:02 UTC 2014 - glin@suse.com
- Use --reinit instead of --refresh in %post to update the files
in /boot
-------------------------------------------------------------------
Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com
- shim-install: fix boot partition and rollback support kluge
(bnc#875385)
-------------------------------------------------------------------
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com
- Replace shim-mokmanager-support-sha1.patch with
shim-mokmanager-support-sha-family.patch to support the SHA
family
-------------------------------------------------------------------
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com
- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
MOK
-------------------------------------------------------------------
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com
- snapper rollback support (fate#317062)
- refresh shim-install
-------------------------------------------------------------------
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com
- Insert the right signature (bnc#867974)
-------------------------------------------------------------------
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com
- Add shim-fix-uninitialized-variable.patch to fix the use of
uninitialzed variables in lib
-------------------------------------------------------------------
Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com
- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
correctly
-------------------------------------------------------------------
Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com
- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
duplicate entries in BootOrder
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
shim protocol properly to keep only one protocol entity
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com
- shim-install: fix the $prefix to use grub2-mkrelpath for paths
on btrfs subvolume (bnc#866690).
-------------------------------------------------------------------
Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com
- FATE#315002: Update shim-install to install shim.efi as the EFI
default bootloader when none exists in \EFI\boot.
-------------------------------------------------------------------
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com
- Update signature-sles.asc: shim signed by UEFI signing service,
based on code from "Thu Feb 20 11:57:01 UTC 2014"
-------------------------------------------------------------------
Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com
- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
whether the user trusts the openSUSE certificate or not
-------------------------------------------------------------------
Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de
- allow package to carry multiple signatures
- check correct certificate is embedded
-------------------------------------------------------------------
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
- always clean up generated files that embed certificates
(shim_cert.h shim.cer shim.crt) to make sure next build loop
rebuilds them properly
-------------------------------------------------------------------
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
hash deletion operation to avoid ruining the whole list
(bnc#863205)
-------------------------------------------------------------------
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
- Update shim-mokx-support.patch to support the resetting of MOK
blacklist
- Add shim-get-variable-check.patch to fix the variable checking
in get_variable_attr
- Add shim-fallback-improve-entries-creation.patch to improve the
boot entry pathes and avoid generating the boot entries that
are already there
- Update SUSE certificate
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
extract_signature.sh and show_signatures.sh to remove the
creation of the temporary nss database
- Add shim-only-os-name.patch: remove the kernel version of the
build server
- Match the the prefix of the project name properly by escaping the
percent sign.
-------------------------------------------------------------------
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de

90
shim.spec
View File

@@ -17,9 +17,13 @@
# needssslcertforbuild
%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31
%define shortcommit 81ee561d
Name: shim
Version: 0.7
# to ensure newer versions of the git export are always higher numbers the output of
# git rev-list master|wc -l is added before the git commit hash
Version: 0.7.318.%{shortcommit}
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@@ -28,7 +32,7 @@ Url: https://github.com/mjg59/shim
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
Source1: microsoft.asc
Source1: signature-opensuse.asc
Source2: openSUSE-UEFI-CA-Certificate.crt
Source3: shim-install
Source4: SLES-UEFI-CA-Certificate.crt
@@ -38,18 +42,20 @@ Source7: show_hash.sh
Source8: show_signatures.sh
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
Patch1: shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
Patch2: shim-improve-error-messages.patch
# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch glin@suse.com -- Correct the usage of the user insecure mode variable
Patch3: shim-correct-user_insecure-usage.patch
# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch glin@suse.com -- Fix path generation for DHCPv4 bootloader
Patch4: shim-fix-dhcpv4-path-generation.patch
Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
Patch5: shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
Patch6: shim-mokmanager-handle-keystroke-error.patch
Patch1: shim-mokx-support.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch2: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch4: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jsegitz@suse.com -- Fixed some signed - unsigned comparisons
Patch5: shim-signed-unsigned-compares.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
@@ -57,7 +63,8 @@ BuildRequires: pesign
BuildRequires: pesign-obs-integration
Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Recommends: grub2-efi
# For shim-install script
Requires: grub2-efi
ExclusiveArch: x86_64
%description
@@ -77,7 +84,7 @@ Authors:
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch100 -p1
%build
# first, build MokManager and fallback as they don't depend on a
@@ -108,12 +115,18 @@ for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
cert2=%{SOURCE9}
verify='openSUSE Secure Boot CA1'
signature=%{SOURCE1}
elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
cert2=''
verify='SUSE Linux Enterprise Secure Boot CA1'
signature=%{SOURCE12}
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
cert2=''
verify=`openssl x509 -in "$cert" -noout -email`
signature=''
test -e "$cert" || continue
else
echo "invalid suffix"
@@ -121,6 +134,7 @@ for suffix in "${suffixes[@]}"; do
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
rm -f shim_cert.h shim.cer shim.crt
if [ -z "$cert2" ]; then
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
@@ -128,35 +142,35 @@ for suffix in "${suffixes[@]}"; do
touch shim.cer
else
cp $cert2 shim.crt
rm -f shim.cer
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10}
chmod 755 %{SOURCE10}
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
head -1 %{SOURCE1} > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file %{SOURCE1} shim.efi
%{SOURCE7} shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
echo "ERROR: binary changed, need to request new signature!"
# don't fail in devel projects
prj="%{_project}"
if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then
false
fi
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
if test -n "$signature"; then
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file "$signature" shim.efi
pesign -h -P -i shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
echo "ERROR: $suffix binary changed, need to request new signature!"
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
else
# attach signature
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
rm -f shim.efi
fi
else
# attach signature
%{SOURCE6} %{SOURCE1} shim.efi
mv shim-signed.efi shim-$suffix.efi
rm -f shim.efi
mv shim.efi shim-$suffix.efi
fi
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
@@ -185,7 +199,7 @@ done
%{?buildroot:%__rm -rf "%{buildroot}"}
%post
/sbin/update-bootloader --refresh || true
/sbin/update-bootloader --reinit || true
%files
%defattr(-,root,root)

11
show_hash.sh
View File

@@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -h -P -i "$infile"
pesign -h -P -i "$infile"

11
show_signatures.sh
View File

@@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -S -i "$infile"
pesign -S -i "$infile"

187
signature-opensuse.asc Normal file
View File

@@ -0,0 +1,187 @@
hash: bdd01126e9d85710d3fe75af1cc1702a29f081b4f6fdf6a2b2135c0297a9cec5
# 2069-04-10 06:07:54
timestamp: babababa
checksum: ff45
-----BEGIN AUTHENTICODE SIGNATURE-----
MIIh3AYJKoZIhvcNAQcCoIIhzTCCIckCAQExDzANBglghkgBZQMEAgEFADBcBgor
BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
ZQMEAgEFAAQgvdARJunYVxDT/nWvHMFwKinwgbT2/faishNcApepzsWgggs8MIIF
JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB
gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0
MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu
ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s
ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG
CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23
BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc
cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH
SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE
GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP
ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT
KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV
HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw
MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB
MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA
A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3
We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC
5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g
78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj
PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+
Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN
BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5
IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1
WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE
AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft
kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy
u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6
K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5
5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh
Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw
ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK
8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr
BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT
MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0
cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE
VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl
cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B
AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY
NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ
2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8
uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR
B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67
3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0
HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q
I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy
lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc
Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An
oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYTMIIW
DwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr
MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA
AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD
MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ
KoZIhvcNAQkEMSIEIKOfDrPjsHj5IpbLDH/emIN2ujjTNjWxi+JiBMeM1lejMIGk
BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp
AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm
AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93
aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAThlP7UGIWeaL
wSgeXtn8Whnj2NuB/+fBohdlEmuU4oOJsKt07jxVrzXWHO0/znARfCMhsqGnwQq6
IU45DSbqHiBsPS2bucCmygVJZjS+lYUY0o1OSiAOgkcOb3byqbOhFx+yU4jyi1I6
vZsetJf0VIB/50CUDWw/jgC29MS5uLKPbljn6Gav6BmWkbzR7g7e44QInagtQsEm
kxI4FaHRkaKnkTtrJZ2htMCGJUEm83iyEaFB1jfwE+eSVilltwZeUiM8cm5jSIeZ
CWyF2+bOgaOyIk47XVZWI0683wwf43yftlRMsuySQuD7Vk4sKsRM87Nl1SszQSqI
murrQX0OHqGCEzUwghMxBgorBgEEAYI3AwMBMYITITCCEx0GCSqGSIb3DQEHAqCC
Ew4wghMKAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE1BgsqhkiG9w0BCRABBKCCASQE
ggEgMIIBHAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBhVxDrnAE1
Odf8YYCrsCpxqlspu1YwtY7Xj0HNqt+MlgIGU8faFW37GBMyMDE0MDgwMjAwMjcx
My4yMzVaMAcCAQGAAgH0oIGxpIGuMIGrMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
V0ExEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
dGlvbjENMAsGA1UECxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNOOjMx
QzUtMzBCQS03QzkxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2
aWNloIIOwDCCBnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAw
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMT
KU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEw
MDcwMTIxMzY1NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg
UENBIDIwMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGK
OiDs/BOX9fp/aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0Eb
GpUdzgkTjnxhMFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/
JGAyWGBG8lhHhjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0k
ZxJyGiGKr0tkiVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7l
msqxqPJ6Kgox8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlE
XV4WnAEFTyJNAgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4E
FgQU1WM6XIoxkPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBD
AEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZW
y4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5t
aWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAt
MDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3
dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0y
My5jcnQwgaAGA1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUF
BwIBFjFodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1
bHQuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5
AF8AUwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohR
DeLG4Jg/gXEDPZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l
4/m87WtUVwgrUYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/
f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WW
j1kpvLb9BOFwnzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI5
7BlKcWOdeyFtw5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1
gJsiOCC1JeVk7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9Dv
fYPw4TtxCd9ddJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFrb3ep
gcunCaw5u+zGy9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMu
Ein1wC9UJyH3yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmK
LxvHIa9Zta7cRDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu
7w2gUDXa7wknHNWzfjUeCLraNtvTX4/edIhJEjCCBNIwggO6oAMCAQICEzMAAABP
rehUlVAolGcAAAAAAE8wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh
bXAgUENBIDIwMTAwHhcNMTQwNTIzMTcyMDA4WhcNMTUwODIzMTcyMDA4WjCBqzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIxJzAlBgNV
BAsTHm5DaXBoZXIgRFNFIEVTTjozMUM1LTMwQkEtN0M5MTElMCMGA1UEAxMcTWlj
cm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKFVkneQwi1RLhVhgJoMVZY6JIU3jigasjbuZClciQzP0d0z9Ev8
mxS2T2+fdfVkWZWKQXeYmD5mejixNPhFpoQR0zWhpfNQe4XA7x4l8a48+P483uz3
7sMyBlYtYaQEnfBPmCqG/Wbr9cdH9QVx94F4NKVZFnSa/eEq3hDRLfqqiDmkRTN4
t+w8d3Yx41CVzx6TBgh6bE2km58m5YS/+54xLirgm44nHlmQCut58IGTZ6CArg/1
g1cqGrFbMUZC/mhSgCA4uFNSRctPc56zSTBbsM5vP6PqOW6J8VWJICxREyBqg2gV
Qp7JhZmczo+DtG+W3QyjPO8Thwx+mo3iFnkCAwEAAaOCARswggEXMB0GA1UdDgQW
BBQrpekQU9AS8xkbQCwKTRfMxEXJLjAfBgNVHSMEGDAWgBTVYzpcijGQ80N7fEYb
xTNoWoVtVTBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5j
b20vcGtpL2NybC9wcm9kdWN0cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmww
WgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29m
dC5jb20vcGtpL2NlcnRzL01pY1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNV
HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IB
AQBhbgv5FjD4pzjfVhGhfk23Gom8Ip4kfRTobqi7up1JHBTWidiUVKwoszU9TPi+
PTuCNBDJgWuMIXNGcpXRTLTENDW9Maln6yp7zFUEtYGulWSFT9EGMLfjBTLoBl4M
GxU8IDviiM6GuCy7vV0QbsNfeBZpo761j42sHJccu7LPTk8VD24W1diIEaCjePJW
FRBKidTcAQRHki0xDK4xYbN9GFncfhXaMlQn4TN/mRx6YBTELjiP1RH3rdW9I/NX
0kXfCGth/BbVctp6rGRkK8NQaHkq9rXqt+C75sVwASx/JxMkXS1q+Rnwbilso9Rq
LsiE9SszQjNKzc+rebhHpUELoYIDcTCCAlkCAQEwgduhgbGkga4wgasxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
TWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5u
Q2lwaGVyIERTRSBFU046MzFDNS0zMEJBLTdDOTExJTAjBgNVBAMTHE1pY3Jvc29m
dCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoBATAJBgUrDgMCGgUAAxUAKLyR2kF+5obQ
k1yVhHi3u5xWWaqggcIwgb+kgbwwgbkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg
Q29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRT
IEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkGA1UEAxMiTWljcm9zb2Z0IFRpbWUgU291
cmNlIE1hc3RlciBDbG9jazANBgkqhkiG9w0BAQUFAAIFANeGrl0wIhgPMjAxNDA4
MDIwMDI1MDFaGA8yMDE0MDgwMzAwMjUwMVowdzA9BgorBgEEAYRZCgQBMS8wLTAK
AgUA14auXQIBADAKAgEAAgIJAAIB/zAHAgEAAgIYWjAKAgUA14f/3QIBADA2Bgor
BgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMBoAowCAIBAAIDFuNgoQowCAIBAAID
B6EgMA0GCSqGSIb3DQEBBQUAA4IBAQCFCxo0b2hLnmf+xoh21SzjNvFsZm6WfCFc
PlGAEgOqq1Dlp9KNsYik0tjif3xLKmMjM1sBE8JJ85c2iYDMm/y5PUyyM16zlojk
q4zwcJEiPzEzBPzKqtgGRvJElVY37BuowRCgbRv5gi6eKGiHObCFf0ElAwGNJydf
DDxy7BmNS5/kPk926NxynXs1kdqPdUmyZmh/3wtm0w9S6+NIzfCXLp0kxCP3kPVv
kEHTiPUj/ogu4DVvkbECmJyZwtjhlsEcr+VxT2PYNdQX+89UdreCR0deUXY7Y6WS
M1Zr7cVhFJAWjLPB8ciqG8WDmijJviFDp8e+7lrBCxZdRwXilBKiMYIC9TCCAvEC
AQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG
A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAABPrehUlVAo
lGcAAAAAAE8wDQYJYIZIAWUDBAIBBQCgggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG
9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg2Fdy/47bukVF9tAPO8fA4meI/cXYbmn7
z135MrP1QSowgeIGCyqGSIb3DQEJEAIMMYHSMIHPMIHMMIGxBBQovJHaQX7mhtCT
XJWEeLe7nFZZqjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
AhMzAAAAT63oVJVQKJRnAAAAAABPMBYEFCYplGRrdF2iEXIxRDr2Yo/nmNd0MA0G
CSqGSIb3DQEBCwUABIIBAIUNbJ8A82Vn/zft6B33oO5uQqRZcSD6zqqM3z7a/Tb2
VLnhWYmDjxsLesS8kXcSZKv5MBVBA01FQQaL6jEwkjRx/qYM8ly6qthXGsgN0WoE
vXKnOPjJ40Iz03g/AlMHzs2lI9hYWw/iaArpzdiCgD0qeOt12K+HANTEm3azsDWr
d7F/rUlHOQJxbCkxuMhpN8kFcV8qtgiVJ5jYna6AlOEDOL0E7Z15Tesid2ZjJn/5
/hrND9ZCeYcgROjy154VnT0a0zEWaiN6Rp8xqYYGSnLiXZAZPMtHNkXAIRUy34ut
XgbI8J3rkmRK1vZYNa4dHD7X/7cohNa9/XZZi4Usn8k=
-----END AUTHENTICODE SIGNATURE-----

96
microsoft.asc → signature-sles.asc
View File

@@ -1,11 +1,11 @@
hash: 97a8c5ba11d61fefbb5d6a05da4e15ba472dc4c6cd4972fc1a035de321342fe4
# 2013-10-01 08:29:53
timestamp: 524a8801
checksum: d364
hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94
# 2069-04-10 06:07:54
timestamp: babababa
checksum: 61c9
-----BEGIN AUTHENTICODE SIGNATURE-----
MIIh8QYJKoZIhvcNAQcCoIIh4jCCId4CAQExDzANBglghkgBZQMEAgEFADBcBgor
MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor
BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
ZQMEAgEFAAQgl6jFuhHWH++7XWoF2k4VukctxMbNSXL8GgNd4yE0L+Sgggs8MIIF
ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF
JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB
gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
@@ -65,31 +65,31 @@ HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q
I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy
lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc
Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An
oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYoMIIW
JAIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYrMIIW
JwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr
MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA
AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD
MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ
KoZIhvcNAQkEMSIEIOBR1lXJ0yMtGJm8ETD6MEFIJCyjBPLlLe2aF6PcGN1xMIGk
KoZIhvcNAQkEMSIEIJrzMZcr8o7z/mk2WCbI8fEz7nZbYeVPQtJjL0exXBCxMIGk
BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp
AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm
AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93
aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAVajbL42oQSy1
NUS6HAoCq0L01hhN9fHn8acFrSpXK+GjijNspEcxVWSmJCWUWj4oVgBU7hgB2cFr
YBm7M6VLl0h45tCI0jyHURNs4bYeKhBlywIAKQ1B3sxBi84vrNmVv7tZqtV8eAte
tmX/8X6mOObVtD1YfYRVc2/EAEqv/Dee3BKb2/3MJ8TlUDuPZ1yAjAq4MViGs0J3
m4T63cugiWPuoaZEGJ6eaPiVXPcEKiDDOboCMm6MY1CLADE0moMrQ86dtbmycXIu
N44ImKRkPSSCnRbmNDl/OkITHAicitORyvpet6uciDQtXQEq8xuRHJ7tOrwTmuLs
r+BEVn7BR6GCE0owghNGBgorBgEEAYI3AwMBMYITNjCCEzIGCSqGSIb3DQEHAqCC
EyMwghMfAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE
ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBfmL3wsdu9
3kovdSnRVAah9huZNZbgGFJ05HSVLqfy9gIGUmk4IyjpGBMyMDEzMTAzMDE5MTY0
My42ODZaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAjHDQORfm8d8T
eyJMiPDMRPFiO/aBL7UtF4rtDUeYi+c9UU6KDVXHi19Z9DNt3pkRRm4DxFVdDPXU
P1TFD8HWbQPQ7YGGRjDOv1BwxZ+5F6xmNgoxUh0khKisi3l0LPq6Zauee7ebgly3
6A6GQSKlaXH7MXxMsgbvGFdXAQs/KVMb3xzuttby/jcQ9lxoMr4SVcM6Vu6fFZ24
DWhHFtONzHFSvJ3Sf10d8teTvikrIaXg7pzNU+T7+sMXsiyhVhWiFFFtetaaxtT4
vcKDuGHNP797WM1YYxZz+2sMbWyi81h+We6ReHn0V+UUW4b7i4yh0p2Vy3xPrzb6
TgGQIyi536GCE00wghNJBgorBgEEAYI3AwMBMYITOTCCEzUGCSqGSIb3DQEHAqCC
EyYwghMiAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE
ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAqAR+tIZOx
IQiET4LQ+OsCmH0VlrTUkAPePwl/JtC8pAIGUt6TDOrUGBMyMDE0MDIyNzAxMDcz
My43NzNaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT
RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0
YW1wIFNlcnZpY2Wggg7NMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG
YW1wIFNlcnZpY2Wggg7QMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG
9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy
MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
@@ -149,7 +149,7 @@ QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK
yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl
Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0
nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v
UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3YwggJeAgEBMIHj
UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3kwggJhAgEBMIHj
oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w
CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2
@@ -159,30 +159,30 @@ CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P
UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG
A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG
9w0BAQUFAAIFANYbbXkwIhgPMjAxMzEwMzAxMTM1MjFaGA8yMDEzMTAzMTExMzUy
MVowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA1htteQIBADAHAgEAAgIQxzAHAgEA
AgIYcDAKAgUA1hy++QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMB
oAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQAxxOL5
p8WZx+WQXwsf9YpPA4dWCU2xk7l1MY2R653keklyM7ks9Md5/7JbBzMPQXMPJ0Ts
SllTUWF+wCUwW84ZAJCG4IUS5MrfbC5yXPkCjYEW6pll2A77OgwC+UG7X5VN67nm
XfRbw+3lyAAcCjpreeEOiMRTNP1UW3Th2x5Lmbgc4AW/6p+6VEj/7QJEuj7oMXVe
KQNp/I+lJn1rBGU42wqteobjNmUI55+i5PN+Wa5uGh7IhkqpDRPIkBM9wqVDQoHb
d727DRVQMwzTAGYdSaOPJjLYti078h71WDJYyM1waA435nrkukJ6ObWdMTNjJqsy
/Tz7rYZPgMPKLjtfMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg
UENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCgggEy
MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgqtHU
/PG7RLWN/Y5UsjD6+lFX/RpWbpbjNV/x7SF3lQwwgeIGCyqGSIb3DQEJEAIMMYHS
MIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
dCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYEFLWf
+tQPMIlyzZih4uVtvwa31BWHMA0GCSqGSIb3DQEBCwUABIIBAEJSSeyhVFmVBArn
o02R+f9PxUVjdMsHRqTWdnfA6F4uFU2GGGB2NoGTPHVeHrTTejo2bzXf5Di0jO5r
nIM1KVSUIDmM6xgvcIgxMuo2oM8MxHnYSh9QdWTCnJsqcR+PzIhsdrxaQOLRXNiS
uEyj0MgaJuYATAmhM2oM4BFNmbFavr0Sar3fj54zoZ9/p7ZhROSVm40OKt8tzSDu
7KrU8rr6VikJV2svuvLsmBKP7H6A+ZBWgrSlraQhdOxgjdPci6rhoZ9GG3WzNIcg
c+4KZEXs0hxinuZA2+Z9QhyXcTeLXm1UbKtN+P6hEv6ABEaghtj238dcrBtwijpX
BkfJeJoAAAA=
9w0BAQUFAAIFANa4+LowIhgPMjAxNDAyMjYyMzM1MjJaGA8yMDE0MDIyNzIzMzUy
MlowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA1rj4ugIBADAKAgEAAgIM/AIB/zAH
AgEAAgIV3zAKAgUA1rpKOgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ
CgMBoAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQBm
lwBgKM7WFYZn7KoOxHuc0HCwn9KJ7P2+V1ixjuYcd9TJPbpom+P6TqrtdVyqC1qN
P1ika8uTrueq+WIyDkpbBeRjgRPxywB8p6swJXn3a8FQJlYM8wZlX6k4DXOQ5a1I
8Df1MoZedlnFIJFCuailsPek9CZSuawhHvQu6tutrNrCtOJpHGwP/g7QhqDby6MU
9W08fcBbMQ+Q+NN9R+O5914iiyXTxNYply2O6zmRRXVV8Os49n6MAdLMQwlW/Hjf
Qx9xsPgmOpnwA3IVmPCEtJnHbNPnmX23cB3zQ5HQ8Rgzh4a2iGFTUKVLQzP2XbJI
GAt0fd2U/pFkRHTpexsrMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh
bXAgUENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCg
ggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg
igCH0fhbYKLF4fSmxZObvVlmifs8MaWR0dGzScGuExwwgeIGCyqGSIb3DQEJEAIM
MYHSMIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k
MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv
c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYE
FP/tXYkB9TLyFTNFAIYorcmDMtYiMA0GCSqGSIb3DQEBCwUABIIBABg8AdKpFO37
Mdc4SKY28D2Sff2uoRuCoLxMZPhC7rR14gC1sXKSBHIoNyMBR32mYJnJsTAgJRwT
YTEmsHYl6l37/tkLAsRS21lt+YuynR9/fdGlwvqxc41HkUHdcTRjvsetVZ7v2HSz
vpCBje4TsAaxblVCsyXiH94CyMR3Aq6brcoG+QJKh14NFLLLIxN2melZYivfcAJR
ES78bXBRGa6hPqsvOIZ6USSC1rAwHodonNcp4Xb1QMPoXKcMPyUAYdzz0q673Mec
hsP7HKqhezXDmpGe6Hg4RrO/In7qyRok6LZ4DH5hsp6dp0Omcgqm3kmcqTTNmtF6
0JelOr7e+os=
-----END AUTHENTICODE SIGNATURE-----

11
strip_signature.sh
View File

@@ -10,13 +10,4 @@ fi
outfile="${infile%.efi}-unsigned.efi"
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -r -i "$infile" -o "$outfile"
pesign -r -i "$infile" -o "$outfile"