osc copypac from project:devel:openSUSE:Factory package:shim revision:71

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=73
This commit is contained in:
Stephan Kulow 2014-04-29 07:15:01 +00:00 committed by Git OBS Bridge
parent b518987796
commit fa8f2b475d
22 changed files with 2597 additions and 142 deletions


@ -1,39 +1,29 @@
-----BEGIN CERTIFICATE-----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CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB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-----END CERTIFICATE-----
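Review bot: The embedded signing certificate is replaced here (the section header shows the PEM block shrinking from 39 to 29 lines), but neither the commit message nor anything else on this page says which CA or key the new certificate carries or why it changed. Because shim accepts whatever this certificate's key has signed, the switch deserves a changelog entry that records the new certificate's subject and SHA-256 fingerprint alongside the reason for the replacement, so the trust change can be audited later.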


@ -11,13 +11,4 @@ fi
outfile="${infile%.efi}-signed.efi"
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile"
pesign -m "$sig" -i "$infile" -o "$outfile"
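Review bot: The rewritten `pesign -m "$sig" -i "$infile" -o "$outfile"` drops `-n "$nssdir"`, which previously pointed pesign at the throwaway, empty NSS database that the removed `certutil -f "$nssdir/pw" -d "$nssdir" -N` created; without `-n`, pesign presumably falls back to its default NSS directory, so the script now depends on that location being present and usable on the build host, and nothing in the hunk or the commit message records that. A comment above the call such as `# no -n: pesign uses its default NSS directory; an empty temporary db is no longer needed` would capture the new dependency. The second signing helper on this page makes the same change to its two pesign calls and the same comment applies there. The start of this script, including any `set -e`, is outside the hunk.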


@ -9,16 +9,7 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
# wtf?
(pesign -n "$nssdir" -h -P -i "$infile";
(pesign -h -P -i "$infile";
perl $(dirname $0)/timestamp.pl "$infile";
pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat
pesign -a -f -e /dev/stdout -i "$infile")|cat
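Review bot: Both rewritten `pesign` invocations run inside `( … )|cat`, so the pipeline's status is `cat`'s and a failure of `pesign -h -P -i "$infile"` or `pesign -a -f -e /dev/stdout -i "$infile"` yields truncated output with a zero exit code. If the interpreter is bash, `set -o pipefail` near the top would surface that; otherwise the pipe through `cat` could be dropped unless it exists to work around pesign's output handling, which is presumably what the surviving `# wtf?` comment refers to. Replacing `# wtf?` with a comment that states the actual reason for the pipe (or removing the pipe) would settle the question for the next maintainer. The subshell is complete within the hunk, but the script's start, including its shebang and any `set` options, is outside it.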


@ -0,0 +1,240 @@
From 06495f692fa748a553ffbde8bfae2974d8c791c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 14 Feb 2014 15:38:25 -0500
Subject: [PATCH] Allow fallback to use the system's LoadImage/StartImage .
Track use of the system's LoadImage(), and when the next StartImage()
call is for an image the system verified, allow that to count as
participating, since it has been verified by the system's db.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
replacements.c | 68 ++++++++++++++++++++++++++++++++++++++++++++-
replacements.h | 3 ++
shim.c | 85 ++++++++++++++++++++++++++++++++++-----------------------
3 files changed, 121 insertions(+), 35 deletions(-)
--- a/replacements.c
+++ b/replacements.c
@@ -60,26 +60,82 @@
static EFI_SYSTEM_TABLE *systab;
+static typeof(systab->BootServices->LoadImage) system_load_image;
static typeof(systab->BootServices->StartImage) system_start_image;
static typeof(systab->BootServices->Exit) system_exit;
static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
+static EFI_HANDLE last_loaded_image;
+
void
unhook_system_services(void)
{
systab->BootServices->Exit = system_exit;
+ systab->BootServices->LoadImage = system_load_image;
systab->BootServices->StartImage = system_start_image;
systab->BootServices->ExitBootServices = system_exit_boot_services;
}
static EFI_STATUS EFIAPI
+load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle,
+ EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer,
+ UINTN SourceSize, EFI_HANDLE *ImageHandle)
+{
+ EFI_STATUS status;
+ unhook_system_services();
+
+ status = systab->BootServices->LoadImage(BootPolicy,
+ ParentImageHandle, DevicePath,
+ SourceBuffer, SourceSize, ImageHandle);
+ hook_system_services(systab);
+ if (EFI_ERROR(status))
+ last_loaded_image = NULL;
+ else
+ last_loaded_image = *ImageHandle;
+ return status;
+}
+
+static EFI_STATUS EFIAPI
start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data)
{
EFI_STATUS status;
unhook_system_services();
+
+ /* We have to uninstall shim's protocol here, because if we're
+ * On the fallback.efi path, then our call pathway is:
+ *
+ * shim->fallback->shim->grub
+ * ^ ^ ^
+ * | | \- gets protocol #0
+ * | \- installs its protocol (#1)
+ * \- installs its protocol (#0)
+ * and if we haven't removed this, then grub will get the *first*
+ * shim's protocol, but it'll get the second shim's systab
+ * replacements. So even though it will participate and verify
+ * the kernel, the systab never finds out.
+ */
+ if (image_handle == last_loaded_image) {
+ loader_is_participating = 1;
+ uninstall_shim_protocols();
+ }
status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data);
- if (EFI_ERROR(status))
+ if (EFI_ERROR(status)) {
+ if (image_handle == last_loaded_image) {
+ EFI_STATUS status2 = install_shim_protocols();
+
+ if (EFI_ERROR(status2)) {
+ Print(L"Something has gone seriously wrong: %d\n",
+ status2);
+ Print(L"shim cannot continue, sorry.\n");
+ systab->BootServices->Stall(5000000);
+ systab->RuntimeServices->ResetSystem(
+ EfiResetShutdown,
+ EFI_SECURITY_VIOLATION, 0, NULL);
+ }
+ }
hook_system_services(systab);
+ loader_is_participating = 0;
+ }
return status;
}
@@ -123,6 +179,16 @@ hook_system_services(EFI_SYSTEM_TABLE *l
/* We need to hook various calls to make this work... */
+ /* We need LoadImage() hooked so that fallback.c can load shim
+ * without having to fake LoadImage as well. This allows it
+ * to call the system LoadImage(), and have us track the output
+ * and mark loader_is_participating in start_image. This means
+ * anything added by fallback has to be verified by the system db,
+ * which we want to preserve anyway, since that's all launching
+ * through BDS gives us. */
+ system_load_image = systab->BootServices->LoadImage;
+ systab->BootServices->LoadImage = load_image;
+
/* we need StartImage() so that we can allow chain booting to an
* image trusted by the firmware */
system_start_image = systab->BootServices->StartImage;
--- a/replacements.h
+++ b/replacements.h
@@ -41,4 +41,7 @@ extern int loader_is_participating;
extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
extern void unhook_system_services(void);
+extern EFI_STATUS install_shim_protocols(void);
+extern void uninstall_shim_protocols(void);
+
#endif /* SHIM_REPLACEMENTS_H */
--- a/shim.c
+++ b/shim.c
@@ -1719,11 +1719,56 @@ EFI_STATUS set_second_stage (EFI_HANDLE
return EFI_SUCCESS;
}
-EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
+static SHIM_LOCK shim_lock_interface;
+static EFI_HANDLE shim_lock_handle;
+
+EFI_STATUS
+install_shim_protocols(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS efi_status;
+ /*
+ * Install the protocol
+ */
+ efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4,
+ &shim_lock_handle, &shim_lock_guid,
+ EFI_NATIVE_INTERFACE, &shim_lock_interface);
+ if (EFI_ERROR(efi_status)) {
+ console_error(L"Could not install security protocol",
+ efi_status);
+ return efi_status;
+ }
+
+#if defined(OVERRIDE_SECURITY_POLICY)
+ /*
+ * Install the security protocol hook
+ */
+ security_policy_install(shim_verify);
+#endif
+
+ return EFI_SUCCESS;
+}
+
+void
+uninstall_shim_protocols(void)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- static SHIM_LOCK shim_lock_interface;
- EFI_HANDLE handle = NULL;
+#if defined(OVERRIDE_SECURITY_POLICY)
+ /*
+ * Clean up the security protocol hook
+ */
+ security_policy_uninstall();
+#endif
+
+ /*
+ * If we're back here then clean everything up before exiting
+ */
+ uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
+ &shim_lock_guid, &shim_lock_interface);
+}
+
+EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
+{
EFI_STATUS efi_status;
verification_method = VERIFIED_BY_NOTHING;
@@ -1776,24 +1821,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
loader_is_participating = 0;
}
- /*
- * Install the protocol
- */
- efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4,
- &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE,
- &shim_lock_interface);
- if (EFI_ERROR(efi_status)) {
- console_error(L"Could not install security protocol",
- efi_status);
+ efi_status = install_shim_protocols();
+ if (EFI_ERROR(efi_status))
return efi_status;
- }
-
-#if defined(OVERRIDE_SECURITY_POLICY)
- /*
- * Install the security protocol hook
- */
- security_policy_install(shim_verify);
-#endif
/*
* Enter MokManager if necessary
@@ -1820,20 +1850,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
efi_status = init_grub(image_handle);
-#if defined(OVERRIDE_SECURITY_POLICY)
- /*
- * Clean up the security protocol hook
- */
- security_policy_uninstall();
-#endif
-
- /*
- * If we're back here then clean everything up before exiting
- */
- uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle,
- &shim_lock_guid, &shim_lock_interface);
-
-
+ uninstall_shim_protocols();
/*
* Remove our hooks from system services.
*/
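Review bot: In `start_image`, the state set up before `StartImage()` is only undone inside `if (EFI_ERROR(status))`: on the success path `loader_is_participating` stays 1, the shim protocols stay uninstalled and `hook_system_services(systab)` is not re-run. If that is deliberate because shim itself exits once a started image returns, a comment above the error branch saying so would save the next reader the same analysis; otherwise the re-hook and reset belong outside the `if`. Separately, `last_loaded_image` is never cleared after it has been matched, so a later `StartImage()` on the same handle value is again granted participation even though the load it was tied to has been consumed; setting `last_loaded_image = NULL;` once the match fires would keep the grant to one start per system `LoadImage()` and avoid acting on a stale handle value if the firmware reuses it. Both `load_image` and `start_image` are fully inside the hunk.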


@ -0,0 +1,86 @@
From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Feb 2014 15:05:45 +0800
Subject: [PATCH 1/2] MokManager: calculate the variable size correctly
MokSize of the hash signature list includes the owner GUID,
so we should not add the 16bytes compensation.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
index e79a8e0..e0cc143 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -934,7 +934,9 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num,
if (list[i].Mok == NULL)
continue;
- DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+ DataSize += sizeof(EFI_SIGNATURE_LIST);
+ if (CompareGuid(&(list[i].Type), &CertType) == 0)
+ DataSize += sizeof(EFI_GUID);
DataSize += list[i].MokSize;
}
--
1.8.4.5
From 6b70c15cd8a83e0e62088bc4f2f8e84e818d2b73 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Feb 2014 17:49:55 +0800
Subject: [PATCH 2/2] MokManager: fix the hash list counting in delete
match_hash() requests the number of keys in a list and it was
mistakenly replaced with the size of the Mok node. This would
made MokManager to remove the whole Mok node instead of one
hash.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index e0cc143..5af5ce6 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1042,6 +1042,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
{
EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
+ UINT32 list_num;
int i, del_ind;
void *start, *end;
UINT32 remain;
@@ -1053,8 +1054,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
(mok[i].MokSize < sig_size))
continue;
+ list_num = mok[i].MokSize / sig_size;
+
del_ind = match_hash(hash, hash_size, 0, mok[i].Mok,
- mok[i].MokSize);
+ list_num);
while (del_ind >= 0) {
/* Remove the hash */
if (sig_size == mok[i].MokSize) {
@@ -1069,9 +1072,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
mem_move(start, end, remain);
mok[i].MokSize -= sig_size;
+ list_num--;
del_ind = match_hash(hash, hash_size, del_ind,
- mok[i].Mok, mok[i].MokSize);
+ mok[i].Mok, list_num);
}
}
}
--
1.8.4.5
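Review bot: `list_num = mok[i].MokSize / sig_size;` in `delete_hash_in_list` silently truncates when `MokSize` is not a multiple of `sig_size`; the guard visible above the hunk only rejects `MokSize < sig_size`, so a trailing partial entry is ignored rather than reported. Assuming `mok[]` was parsed from the MokList variable rather than built in code, making the malformed case explicit with `if (mok[i].MokSize % sig_size) continue;` (or treating it as an error) next to the existing size check would be the defensive choice. `sig_size` is computed above the hunk, so its meaning is inferred from the later `sig_size == mok[i].MokSize` test, and delete_hash_in_list continues outside the hunk.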


@ -0,0 +1,177 @@
From 99858938a08dbdd892cc5438ec49b4262077017d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 6 Mar 2014 11:58:36 +0800
Subject: [PATCH 1/3] [fallback] Avoid duplicate old BootOrder
set_boot_order() already copies the old BootOrder to the variable,
bootorder. Besides, we can adjust BootOrder when adding the newly
generated boot option. So, we don't have to copy the old one again
in update_boot_order(). This avoid the duplicate entries in BootOrder.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
fallback.c | 39 +++++++++++++--------------------------
1 file changed, 13 insertions(+), 26 deletions(-)
diff --git a/fallback.c b/fallback.c
index 44638ec..8aee618 100644
--- a/fallback.c
+++ b/fallback.c
@@ -204,12 +204,12 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
return EFI_OUT_OF_RESOURCES;
int j = 0;
+ newbootorder[0] = i & 0xffff;
if (nbootorder) {
- for (j = 0; j < nbootorder; j++)
- newbootorder[j] = bootorder[j];
+ for (j = 1; j < nbootorder + 1; j++)
+ newbootorder[j] = bootorder[j-1];
FreePool(bootorder);
}
- newbootorder[j] = i & 0xffff;
bootorder = newbootorder;
nbootorder += 1;
#ifdef DEBUG_FALLBACK
@@ -307,28 +307,17 @@ set_boot_order(void)
EFI_STATUS
update_boot_order(void)
{
- CHAR16 *oldbootorder;
UINTN size;
+ UINTN len = 0;
EFI_GUID global = EFI_GLOBAL_VARIABLE;
CHAR16 *newbootorder = NULL;
+ EFI_STATUS rc;
- oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size);
- if (oldbootorder) {
- int n = size / sizeof (CHAR16) + nbootorder;
-
- newbootorder = AllocateZeroPool(n * sizeof (CHAR16));
- if (!newbootorder)
- return EFI_OUT_OF_RESOURCES;
- CopyMem(newbootorder, bootorder, nbootorder * sizeof (CHAR16));
- CopyMem(newbootorder + nbootorder, oldbootorder, size);
- size = n * sizeof (CHAR16);
- } else {
- size = nbootorder * sizeof(CHAR16);
- newbootorder = AllocateZeroPool(size);
- if (!newbootorder)
- return EFI_OUT_OF_RESOURCES;
- CopyMem(newbootorder, bootorder, size);
- }
+ size = nbootorder * sizeof(CHAR16);
+ newbootorder = AllocateZeroPool(size);
+ if (!newbootorder)
+ return EFI_OUT_OF_RESOURCES;
+ CopyMem(newbootorder, bootorder, size);
#ifdef DEBUG_FALLBACK
Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16));
@@ -337,13 +326,11 @@ update_boot_order(void)
Print(L"%04x ", newbootorder[j]);
Print(L"\n");
#endif
-
- if (oldbootorder) {
+ rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global,
+ NULL, &len, NULL);
+ if (rc == EFI_BUFFER_TOO_SMALL)
LibDeleteVariable(L"BootOrder", &global);
- FreePool(oldbootorder);
- }
- EFI_STATUS rc;
rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global,
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
--
1.8.4.5
From 80c15a7e90d8f51b09211994895a64ec5e4f5c1e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 6 Mar 2014 10:57:02 +0800
Subject: [PATCH 2/3] [fallback] Fix the data size for boot option comparison
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
fallback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fallback.c b/fallback.c
index 8aee618..156115f 100644
--- a/fallback.c
+++ b/fallback.c
@@ -231,7 +231,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label,
{
int size = sizeof(UINT32) + sizeof (UINT16) +
StrLen(label)*2 + 2 + DevicePathSize(dp) +
- StrLen(arguments) * 2 + 2;
+ StrLen(arguments) * 2;
CHAR8 *data = AllocateZeroPool(size);
if (!data)
--
1.8.4.5
From 70ffe93b85380a9866ebf3a99b35dde0b332cd65 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 5 Mar 2014 18:14:09 +0800
Subject: [PATCH 3/3] [fallback] Try to boot the first boot option anyway
Some UEFI implementations never care the boot options, so the
restored boot options could be just ignored and this results in
endless reboot.
To avoid this situation, this commit makes fallback.efi to
load the first matched boot option even if there is not boot
option to be restored.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
fallback.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/fallback.c b/fallback.c
index 156115f..777e708 100644
--- a/fallback.c
+++ b/fallback.c
@@ -226,8 +226,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
}
EFI_STATUS
-find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label,
- CHAR16 *arguments, UINT16 *optnum)
+find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
+ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments,
+ UINT16 *optnum)
{
int size = sizeof(UINT32) + sizeof (UINT16) +
StrLen(label)*2 + 2 + DevicePathSize(dp) +
@@ -278,6 +279,12 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label,
continue;
/* at this point, we have duplicate data. */
+ if (!first_new_option) {
+ first_new_option = DuplicateDevicePath(fulldp);
+ first_new_option_args = arguments;
+ first_new_option_size = StrLen(arguments) * sizeof (CHAR16);
+ }
+
*optnum = i;
FreePool(candidate);
FreePool(data);
@@ -403,7 +410,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
#endif
UINT16 option;
- rc = find_boot_option(dp, fullpath, label, arguments, &option);
+ rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
if (EFI_ERROR(rc)) {
add_boot_option(dp, full_device_path, fullpath, label, arguments);
} else if (option != 0) {
--
1.8.4.5
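Review bot: Dropping the `+ 2` so that `find_boot_option` sizes its buffer with `StrLen(arguments) * 2` makes the allocation two bytes too small for the `StrCpy((CHAR16 *)cursor, arguments)` that fills it, because StrCpy also writes the UCS-2 terminator; the same size-versus-StrCpy mismatch exists in `add_boot_option` in the HD() device-path patch elsewhere in this commit, where both lines are visible in one hunk. The stored size is what the variable comparison needs to match, so keep `size` as it is now and copy the arguments without the terminator: `CopyMem(cursor, arguments, StrLen(arguments) * 2);`. The StrCpy itself is outside this hunk (it appears in the `find_boot_option` body added by the "re-use existing entries" patch on this page), and pool-allocation granularity will usually hide the overrun, which is why it goes unnoticed.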


@ -0,0 +1,365 @@
From 9ba08c4e8e7cf9b001497a0752652e0ece0b2b84 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 31 Jan 2014 10:30:24 -0500
Subject: [PATCH 1/2] For HD() device paths, use just the media node and later.
UEFI 2.x section 3.1.2 provides for "short-form device path", where the
first element specified is a "hard drive media device path", so that you
can move a disk around on different buses without invalidating your
device path. Fallback has not been using this option, though in most
cases efibootmgr has.
Note that we still keep the full device path, because LoadImage()
isn't necessarily the layer where HD() works - one some systems BDS is
responsible for resolving the full path and passes that to LoadImage()
instead. So we have to do LoadImage() with the full path.
---
fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 78 insertions(+), 25 deletions(-)
diff --git a/fallback.c b/fallback.c
index 82ddbf2..7f4201e 100644
--- a/fallback.c
+++ b/fallback.c
@@ -15,6 +15,27 @@
EFI_LOADED_IMAGE *this_image = NULL;
static EFI_STATUS
+FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
+ EFI_DEVICE_PATH **Out)
+{
+ EFI_DEVICE_PATH *dp = In;
+ if (!In || !Out)
+ return EFI_INVALID_PARAMETER;
+
+ for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) {
+ if (DevicePathType(dp) == Type &&
+ DevicePathSubType(dp) == SubType) {
+ *Out = DuplicateDevicePath(dp);
+ if (!*Out)
+ return EFI_OUT_OF_RESOURCES;
+ return EFI_SUCCESS;
+ }
+ }
+ *Out = NULL;
+ return EFI_NOT_FOUND;
+}
+
+static EFI_STATUS
get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize)
{
EFI_STATUS rc;
@@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
{
UINT64 len;
- len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2;
+ len = StrLen(L"\\EFI\\") + StrLen(dirname)
+ + StrLen(L"\\") + StrLen(filename)
+ + 2;
CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16));
if (!fullpath) {
@@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL;
UINTN first_new_option_size = 0;
EFI_STATUS
-add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments)
+add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
+ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments)
{
static int i = 0;
CHAR16 varname[] = L"Boot0000";
@@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar
void *var = LibGetVariable(varname, &global);
if (!var) {
int size = sizeof(UINT32) + sizeof (UINT16) +
- StrLen(label)*2 + 2 + DevicePathSize(dp) +
- StrLen(arguments) * 2 + 2;
+ StrLen(label)*2 + 2 + DevicePathSize(hddp) +
+ StrLen(arguments) * 2;
CHAR8 *data = AllocateZeroPool(size);
CHAR8 *cursor = data;
*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
cursor += sizeof (UINT32);
- *(UINT16 *)cursor = DevicePathSize(dp);
+ *(UINT16 *)cursor = DevicePathSize(hddp);
cursor += sizeof (UINT16);
StrCpy((CHAR16 *)cursor, label);
cursor += StrLen(label)*2 + 2;
- CopyMem(cursor, dp, DevicePathSize(dp));
- cursor += DevicePathSize(dp);
+ CopyMem(cursor, hddp, DevicePathSize(hddp));
+ cursor += DevicePathSize(hddp);
StrCpy((CHAR16 *)cursor, arguments);
Print(L"Creating boot entry \"%s\" with label \"%s\" "
L"for file \"%s\"\n",
varname, label, filename);
+
+ if (!first_new_option) {
+ first_new_option = DuplicateDevicePath(fulldp);
+ first_new_option_args = arguments;
+ first_new_option_size = StrLen(arguments) * sizeof (CHAR16);
+ }
+
rc = uefi_call_wrapper(RT->SetVariable, 5, varname,
&global, EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
@@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
if (EFI_ERROR(rc))
return rc;
- EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL;
+ EFI_DEVICE_PATH *dph = NULL;
+ EFI_DEVICE_PATH *file = NULL;
+ EFI_DEVICE_PATH *full_device_path = NULL;
+ EFI_DEVICE_PATH *dp = NULL;
dph = DevicePathFromHandle(this_image->DeviceHandle);
if (!dph) {
@@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
goto err;
}
- dpf = FileDevicePath(fh, fullpath);
- if (!dpf) {
+ file = FileDevicePath(fh, fullpath);
+ if (!file) {
rc = EFI_OUT_OF_RESOURCES;
goto err;
}
- dp = AppendDevicePath(dph, dpf);
- if (!dp) {
+ full_device_path = AppendDevicePath(dph, file);
+ if (!full_device_path) {
rc = EFI_OUT_OF_RESOURCES;
goto err;
}
+ rc = FindSubDevicePath(full_device_path,
+ MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp);
+ if (EFI_ERROR(rc)) {
+ if (rc == EFI_NOT_FOUND) {
+ dp = full_device_path;
+ } else {
+ rc = EFI_OUT_OF_RESOURCES;
+ goto err;
+ }
+ }
+
#ifdef DEBUG_FALLBACK
+ {
UINTN s = DevicePathSize(dp);
int i;
UINT8 *dpv = (void *)dp;
@@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
CHAR16 *dps = DevicePathToStr(dp);
Print(L"device path: \"%s\"\n", dps);
-#endif
- if (!first_new_option) {
- CHAR16 *dps = DevicePathToStr(dp);
- Print(L"device path: \"%s\"\n", dps);
- first_new_option = DuplicateDevicePath(dp);
- first_new_option_args = arguments;
- first_new_option_size = StrLen(arguments) * sizeof (CHAR16);
}
+#endif
- add_boot_option(dp, fullpath, label, arguments);
+ add_boot_option(dp, full_device_path, fullpath, label, arguments);
err:
- if (dpf)
- FreePool(dpf);
+ if (file)
+ FreePool(file);
+ if (full_device_path)
+ FreePool(full_device_path);
if (dp)
FreePool(dp);
if (fullpath)
@@ -622,8 +664,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
first_new_option, NULL, 0,
&image_handle);
if (EFI_ERROR(rc)) {
- Print(L"LoadImage failed: %d\n", rc);
- uefi_call_wrapper(BS->Stall, 1, 2000000);
+ CHAR16 *dps = DevicePathToStr(first_new_option);
+ UINTN s = DevicePathSize(first_new_option);
+ int i;
+ UINT8 *dpv = (void *)first_new_option;
+ Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps);
+ for (i = 0; i < s; i++) {
+ if (i > 0 && i % 16 == 0)
+ Print(L"\n");
+ Print(L"%02x ", dpv[i]);
+ }
+ Print(L"\n");
+
+ uefi_call_wrapper(BS->Stall, 1, 500000000);
return rc;
}
@@ -637,7 +690,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL);
if (EFI_ERROR(rc)) {
Print(L"StartImage failed: %d\n", rc);
- uefi_call_wrapper(BS->Stall, 1, 2000000);
+ uefi_call_wrapper(BS->Stall, 1, 500000000);
}
return rc;
}
--
1.8.4.5
From 23ed6291df5dd34789829607a97b3605b739a629 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 31 Jan 2014 10:31:10 -0500
Subject: [PATCH 2/2] Attempt to re-use existing entries when possible.
Some firmwares seem to ignore our boot entries and put their fallback
entries back on top. Right now that results in a lot of boot entries
for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 .
Instead of that happening, if we simply find existing entries that match
the entry we would create and move them to the top of the boot order,
the machine will continue to operate in failure mode (which we can't
avoid), but at least we won't create thousands of extra entries.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 98 insertions(+), 1 deletion(-)
diff --git a/fallback.c b/fallback.c
index 7f4201e..044e4ba 100644
--- a/fallback.c
+++ b/fallback.c
@@ -226,6 +226,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
}
EFI_STATUS
+find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label,
+ CHAR16 *arguments, UINT16 *optnum)
+{
+ int size = sizeof(UINT32) + sizeof (UINT16) +
+ StrLen(label)*2 + 2 + DevicePathSize(dp) +
+ StrLen(arguments) * 2 + 2;
+
+ CHAR8 *data = AllocateZeroPool(size);
+ if (!data)
+ return EFI_OUT_OF_RESOURCES;
+ CHAR8 *cursor = data;
+ *(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
+ cursor += sizeof (UINT32);
+ *(UINT16 *)cursor = DevicePathSize(dp);
+ cursor += sizeof (UINT16);
+ StrCpy((CHAR16 *)cursor, label);
+ cursor += StrLen(label)*2 + 2;
+ CopyMem(cursor, dp, DevicePathSize(dp));
+ cursor += DevicePathSize(dp);
+ StrCpy((CHAR16 *)cursor, arguments);
+
+ int i = 0;
+ CHAR16 varname[] = L"Boot0000";
+ CHAR16 hexmap[] = L"0123456789ABCDEF";
+ EFI_GUID global = EFI_GLOBAL_VARIABLE;
+ EFI_STATUS rc;
+
+ CHAR8 *candidate = AllocateZeroPool(size);
+ if (!candidate) {
+ FreePool(data);
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ for(i = 0; i < nbootorder && i < 0x10000; i++) {
+ varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12];
+ varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8];
+ varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4];
+ varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
+
+ UINTN candidate_size = size;
+ rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global,
+ NULL, &candidate_size, candidate);
+ if (EFI_ERROR(rc))
+ continue;
+
+ if (candidate_size != size)
+ continue;
+
+ if (CompareMem(candidate, data, size))
+ continue;
+
+ /* at this point, we have duplicate data. */
+ *optnum = i;
+ FreePool(candidate);
+ FreePool(data);
+ return EFI_SUCCESS;
+ }
+ FreePool(candidate);
+ FreePool(data);
+ return EFI_NOT_FOUND;
+}
+
+EFI_STATUS
+set_boot_order(void)
+{
+ CHAR16 *oldbootorder;
+ UINTN size;
+ EFI_GUID global = EFI_GLOBAL_VARIABLE;
+
+ oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size);
+ if (oldbootorder) {
+ nbootorder = size / sizeof (CHAR16);
+ bootorder = oldbootorder;
+ }
+ return EFI_SUCCESS;
+
+}
+
+EFI_STATUS
update_boot_order(void)
{
CHAR16 *oldbootorder;
@@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
}
#endif
- add_boot_option(dp, full_device_path, fullpath, label, arguments);
+ UINT16 option;
+ rc = find_boot_option(dp, fullpath, label, arguments, &option);
+ if (EFI_ERROR(rc)) {
+ add_boot_option(dp, full_device_path, fullpath, label, arguments);
+ } else if (option != 0) {
+ CHAR16 *newbootorder;
+ newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder);
+ if (!newbootorder)
+ return EFI_OUT_OF_RESOURCES;
+
+ newbootorder[0] = bootorder[option];
+ CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option);
+ CopyMem(newbootorder + option + 1, bootorder + option + 1,
+ sizeof (CHAR16) * (nbootorder - option - 1));
+ FreePool(bootorder);
+ bootorder = newbootorder;
+ }
err:
if (file)
@@ -710,6 +805,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
Print(L"System BootOrder not found. Initializing defaults.\n");
+ set_boot_order();
+
rc = find_boot_options(this_image->DeviceHandle);
if (EFI_ERROR(rc)) {
Print(L"Error: could not find boot options: %d\n", rc);
--
1.8.4.5
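Review bot: `add_to_boot_list` frees the same device path twice: when `FindSubDevicePath()` returns EFI_NOT_FOUND the code sets `dp = full_device_path;`, and the `err:` block then runs `FreePool(full_device_path)` followed by `FreePool(dp)`. Guarding the second free with `if (dp && dp != full_device_path) FreePool(dp);` fixes it. In the second patch's hunk to the same function, `return EFI_OUT_OF_RESOURCES;` after the failed `AllocateZeroPool(sizeof (CHAR16) * nbootorder)` bypasses `err:` entirely and leaks `file`, `full_device_path`, `dp` and `fullpath`; it should be `rc = EFI_OUT_OF_RESOURCES; goto err;`. Also, `try_start_first_option` now stalls for `500000000` microseconds — over eight minutes — on both failure paths where it previously waited 2 s, which looks like a debugging value left in. add_to_boot_list and try_start_first_option both start and end outside these hunks.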


@ -0,0 +1,60 @@
From ccf21ef9a8868aacf9084400a15d73fcc24a6d39 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 09:21:53 -0500
Subject: [PATCH 1/2] Fix wrong sizeof().
CHAR16* vs CHAR16**, so the result is the same on all platforms.
Detected by coverity.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
lib/shell.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/shell.c b/lib/shell.c
index 51de4e0..7337834 100644
--- a/lib/shell.c
+++ b/lib/shell.c
@@ -35,7 +35,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV)
(*argc)++; /* we counted spaces, so add one for initial */
- *ARGV = AllocatePool(*argc * sizeof(*ARGV));
+ *ARGV = AllocatePool(*argc * sizeof(**ARGV));
if (!*ARGV) {
return EFI_OUT_OF_RESOURCES;
}
--
1.8.4.5
From c4277cf343555646dbf0c17679108983af1e8887 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 09:24:01 -0500
Subject: [PATCH 2/2] Initialize entries before we pass it to another function.
Coverity scan noticed that entries is uninitialized when we pass its
location to another function.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
lib/simple_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/simple_file.c b/lib/simple_file.c
index 3af0ec8..d345d87 100644
--- a/lib/simple_file.c
+++ b/lib/simple_file.c
@@ -415,7 +415,7 @@ simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name,
CHAR16 *filter, CHAR16 **result)
{
EFI_STATUS status;
- CHAR16 **entries;
+ CHAR16 **entries = NULL;
EFI_FILE_INFO *dmp;
int count, select, len;
CHAR16 *newname, *selected;
--
1.8.4.5


@ -0,0 +1,27 @@
From 293f28d1fe3921c5348c60948b4dedcef5042d5b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 10:55:37 -0500
Subject: [PATCH] Error check the right thing in get_variable_attr() when
allocating.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
lib/variables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/variables.c b/lib/variables.c
index 81bd34d..3a9735e 100644
--- a/lib/variables.c
+++ b/lib/variables.c
@@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner,
return efi_status;
*data = AllocateZeroPool(*len);
- if (!data)
+ if (!*data)
return EFI_OUT_OF_RESOURCES;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner,
--
1.8.4.5


@ -4,14 +4,18 @@ rootdir=
bootdir=
efidir=
install_device=
efibootdir=
ca_string=
removable=no
clean=no
sysconfdir="/etc"
libdir="/usr/lib64"
source_dir="$libdir/efi"
grub_probe="`which grub2-probe`"
grub_mkrelpath="`which grub2-mkrelpath`"
self="`basename $0`"
grub_cfg="/boot/grub2/grub.cfg"
update_boot=no
# Get GRUB_DISTRIBUTOR.
if test -f "${sysconfdir}/default/grub" ; then
@ -26,6 +30,14 @@ fi
efi_distributor="$bootloader_id"
bootloader_id="${bootloader_id}-secureboot"
case "$bootloader_id" in
"sle"*)
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
"opensuse"*)
ca_string='openSUSE Secure Boot CA1';;
*) ca_string="";;
esac
usage () {
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
echo
@ -169,18 +181,32 @@ fi
if test -n "$efidir"; then
efi_file=shim.efi
efibootdir="$efidir/EFI/boot"
mkdir -p "$efibootdir" || exit 1
efidir="$efidir/EFI/$efi_distributor"
mkdir -p "$efidir" || exit 1
else
exit 1;
fi
if test -f "$efibootdir/bootx64.efi"; then
if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then
update_boot=yes
fi
else
update_boot=yes
fi
if test "$clean" = "yes"; then
rm -f "${efidir}/shim.efi"
rm -f "${efidir}/MokManager.efi"
rm -f "${efidir}/grub.efi"
rm -f "${efidir}/grub.cfg"
rm -f "${efidir}/boot.csv"
if test "$update_boot" = "yes"; then
rm -f "${efibootdir}/bootx64.efi"
rm -f "${efibootdir}/fallback.efi"
fi
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
# Delete old entries from the same distributor.
@ -196,17 +222,70 @@ cp "${source_dir}/shim.efi" "${efidir}"
cp "${source_dir}/MokManager.efi" "${efidir}"
cp "${source_dir}/grub.efi" "${efidir}"
echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
if test "$update_boot" = "yes"; then
cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi"
cp "${source_dir}/fallback.efi" "${efibootdir}"
fi
make_grubcfg () {
grub_cfg_dirname=`dirname $grub_cfg`
grub_cfg_basename=`basename $grub_cfg`
cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
descriptive_config="snapshot_submenu.cfg"
root_fstype=`$grub_probe -t fs /`
boot_fstype=`$grub_probe -t fs /boot`
if [ "x${root_fstype}" != "xbtrfs" ] ||
[ "x${boot_fstype}" != "xbtrfs" ]; then
echo "/ is not on btrfs" >&2
exit 1;
fi
if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" &&
test "x$root_fstype" = "xbtrfs" &&
test "x$boot_fstype" = "xbtrfs"; then
cat <<EOF
set btrfs_relative_path="yes"
set extra_cmdline=""
btrfs_subvolid=""
btrfs_subvol="/"
export btrfs_relative_path
export extra_cmdline
(cat << EOF
search --fs-uuid --set=root ${cfg_fs_uuid}
set prefix=(\${root})${grub_cfg_dirname}
set timeout=0
terminal_input console
terminal_output console
menuentry 'default' {
btrfs_subvol=""
configfile /boot/grub2/grub.cfg
btrfs_subvol="/"
}
if [ -f "/.snapshots/${descriptive_config}" ]; then
source "/.snapshots/${descriptive_config}"
fi
EOF
echo "configfile \$prefix/${grub_cfg_basename}") \
> "${efidir}/grub.cfg"
else
cat <<EOF
search --fs-uuid --set=root ${cfg_fs_uuid}
set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
configfile \$prefix/${grub_cfg_basename}
EOF
fi
}
make_grubcfg > "${efidir}/grub.cfg"
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then


@ -0,0 +1,69 @@
From 3c545d630917d76d91a8491f8759927f512e56f2 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:56:14 +0800
Subject: [PATCH] MokManager: delete the BS+NV variables the right way
LibDeleteVariable assumes that the variable is RT+NV and it
won't work on a BS+NV variable.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index f5ed379..4ea28ef 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
return -1;
}
} else {
- LibDeleteVariable(L"MokSBState", &shim_lock_guid);
+ efi_status = uefi_call_wrapper(RT->SetVariable,
+ 5, L"MokSBState",
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ if (efi_status != EFI_SUCCESS) {
+ console_notify(L"Failed to delete Secure Boot state");
+ return -1;
+ }
}
console_notify(L"The system must now be rebooted");
@@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) {
return -1;
}
} else {
- LibDeleteVariable(L"MokDBState", &shim_lock_guid);
+ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"MokDBState",
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ if (efi_status != EFI_SUCCESS) {
+ console_notify(L"Failed to delete DB state");
+ return -1;
+ }
}
console_notify(L"The system must now be rebooted");
@@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0)
return 0;
- LibDeleteVariable(L"MokPWStore", &shim_lock_guid);
+ uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore",
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
LibDeleteVariable(L"MokPW", &shim_lock_guid);
console_notify(L"The system must now be rebooted");
uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0,
--
1.8.4.5
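Review bot: The mok_pw_prompt hunk discards the EFI_STATUS of the new `uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", ...)` call, whereas the MokSBState and MokDBState hunks in the same patch check it and return -1, so a failed delete here still tells the user the password was cleared and reboots with MokPWStore intact. I would mirror the other two sites: `efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", &shim_lock_guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL);` followed by `if (efi_status != EFI_SUCCESS) { console_notify(L"Failed to clear MOK password"); return -1; }` (declaring efi_status if mok_pw_prompt has none — its head is outside the hunk). The retained `LibDeleteVariable(L"MokPW", ...)` is only correct if MokPW is RT+NV, which the commit message implies but the hunk does not show; a short comment there, e.g. `/* MokPW is RT+NV (written by mokutil), so LibDeleteVariable works for it */`, would stop the next reader from "fixing" it the same way. All three enclosing functions start and end outside the hunks.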


@ -0,0 +1,627 @@
From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 3 Apr 2014 18:26:37 +0800
Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK
Add SHA1 hash support and amend the code to make it easier to support
other SHA digests.
---
MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 46 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 5af5ce6..7cf31c1 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -93,27 +93,58 @@ done:
return status;
}
+static BOOLEAN is_sha_hash (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
+static UINT32 sha_size (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return SHA256_DIGEST_SIZE;
+
+ return 0;
+}
+
+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
+{
+ EFI_GUID CertType = X509_GUID;
+ UINT32 hash_sig_size;
+
+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ return TRUE;
+
+ if (!is_sha_hash (Type))
+ return FALSE;
+
+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
+ if (SigSize != hash_sig_size)
+ return FALSE;
+
+ return TRUE;
+}
+
static UINT32 count_keys(void *Data, UINTN DataSize)
{
EFI_SIGNATURE_LIST *CertList = Data;
- EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- console_notify(L"Doesn't look like a key or hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CertList->SignatureSize != 48)) {
- console_notify(L"Doesn't look like a valid hash");
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -134,7 +165,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
@@ -146,16 +176,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -380,22 +401,34 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
FreePool(text);
}
-static void show_sha256_digest (UINT8 *hash)
+static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
+ int length;
+
+ if (CompareGuid(&Type, &Sha1) == 0) {
+ length = SHA1_DIGEST_SIZE;
+ text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha256) == 0) {
+ length = SHA256_DIGEST_SIZE;
+ text[0] = L"SHA256 hash";
+ } else {
+ return;
+ }
ZeroMem(&hash_string1, sizeof(hash_string1));
ZeroMem(&hash_string2, sizeof(hash_string2));
- text[0] = L"SHA256 hash";
text[1] = L"";
- for (i=0; i<16; i++)
+ for (i=0; i<length/2; i++)
CatPrint(&hash_string1, L"%02x ", hash[i]);
- for (i=16; i<32; i++)
+ for (i=length/2; i<length; i++)
CatPrint(&hash_string2, L"%02x ", hash[i]);
text[2] = hash_string1.str;
@@ -411,7 +444,7 @@ static void show_sha256_digest (UINT8 *hash)
FreePool(hash_string2.str);
}
-static void show_efi_hash (void *Mok, UINTN MokSize)
+static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
{
UINTN sig_size;
UINTN hash_num;
@@ -420,7 +453,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
int key_num = 0;
int i;
- sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
console_errorbox(L"Corrupted Hash List");
return;
@@ -429,7 +462,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
if (hash_num == 1) {
hash = (UINT8 *)Mok + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
return;
}
@@ -452,7 +485,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
break;
hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
}
for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +500,6 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
if (!Mok || MokSize == 0)
return;
@@ -488,8 +520,8 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
console_notify(L"Not a valid X509 certificate");
return;
}
- } else if (CompareGuid (&Type, &HashType) == 0) {
- show_efi_hash(Mok, MokSize);
+ } else if (is_sha_hash(Type)) {
+ show_efi_hash(Type, Mok, MokSize);
}
}
@@ -968,7 +1000,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num,
} else {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST);
- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
CopyMem(CertData, list[i].Mok, list[i].MokSize);
}
@@ -1040,7 +1072,6 @@ static void mem_move (void *dest, void *src, UINTN size)
static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
UINT32 list_num;
int i, del_ind;
@@ -1050,8 +1081,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
- (mok[i].MokSize < sig_size))
+ if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size))
continue;
list_num = mok[i].MokSize / sig_size;
@@ -1080,7 +1110,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
}
}
-static void delete_hash_list (void *hash_list, UINT32 list_size,
+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
MokListNode *mok, INTN mok_num)
{
UINT32 hash_size;
@@ -1089,7 +1119,7 @@ static void delete_hash_list (void *hash_list, UINT32 list_size,
UINT8 *hash;
int i;
- hash_size = SHA256_DIGEST_SIZE;
+ hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);
if (list_size < sig_size)
return;
@@ -1108,7 +1138,6 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
@@ -1183,9 +1212,9 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
- delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
+ } else if (is_sha_hash(del_key[i].Type)) {
+ delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ del_key[i].MokSize, mok, mok_num);
}
}
--
1.8.4.5
From 9a0aaf045859be5ba3abdaaf06683cb9ab0b6c57 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 9 Apr 2014 16:49:25 +0800
Subject: [PATCH 2/5] MokManager: fix the return value and type
There are some functions that the return value and the type
didn't match.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 7cf31c1..b09f5b8 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -536,7 +536,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_SIGNATURE_DATA))) {
console_notify(L"No MOK keys found");
- return 0;
+ return EFI_NOT_FOUND;
}
MokNum = count_keys(KeyList, KeyListSize);
@@ -544,7 +544,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
if (!keys) {
console_notify(L"Failed to construct key list");
- return 0;
+ return EFI_ABORTED;
}
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2));
@@ -863,7 +863,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
return EFI_SUCCESS;
}
-static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
+static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
--
1.8.4.5
From 790eb376dbe692d4702d807f24c1be7a492a5717 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 14:39:43 +0800
Subject: [PATCH 3/5] MokManager: Add more key list safe checks
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 56 insertions(+), 4 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index b09f5b8..c5501f3 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -144,6 +144,12 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+ if (CertList->SignatureListSize == 0 ||
+ CertList->SignatureListSize <= CertList->SignatureSize) {
+ console_errorbox(L"Corrupted signature list");
+ return 0;
+ }
+
if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
@@ -540,10 +546,13 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
}
MokNum = count_keys(KeyList, KeyListSize);
+ if (MokNum == 0) {
+ console_errorbox(L"Invalid key list");
+ return EFI_ABORTED;
+ }
keys = build_mok_list(MokNum, KeyList, KeyListSize);
-
if (!keys) {
- console_notify(L"Failed to construct key list");
+ console_errorbox(L"Failed to construct key list");
return EFI_ABORTED;
}
@@ -1184,7 +1193,13 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (efi_status != EFI_SUCCESS) {
+ if (MokX)
+ console_errorbox(L"Failed to retrieve MokListX");
+ else
+ console_errorbox(L"Failed to retrieve MokList");
+ return EFI_ABORTED;
+ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
if (MokX) {
err_str1 = L"MokListX is compromised!";
err_str2 = L"Erase all keys in MokListX!";
@@ -1193,7 +1208,11 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
err_str2 = L"Erase all keys in MokList!";
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
- LibDeleteVariable(db_name, &shim_lock_guid);
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
return EFI_ACCESS_DENIED;
}
@@ -1203,9 +1222,41 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
/* Construct lists */
mok_num = count_keys(MokListData, MokListDataSize);
+ if (mok_num == 0) {
+ if (MokX) {
+ err_str1 = L"Failed to construct the key list of MokListX";
+ err_str2 = L"Reset MokListX!";
+ } else {
+ err_str1 = L"Failed to construct the key list of MokList";
+ err_str2 = L"Reset MokList!";
+ }
+ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
mok = build_mok_list(mok_num, MokListData, MokListDataSize);
+ if (!mok) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_num = count_keys(MokDel, MokDelSize);
+ if (del_num == 0) {
+ console_errorbox(L"Invalid key delete list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_key = build_mok_list(del_num, MokDel, MokDelSize);
+ if (!del_key) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
/* Search and destroy */
for (i = 0; i < del_num; i++) {
@@ -1220,6 +1271,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
efi_status = write_back_mok_list(mok, mok_num, MokX);
+error:
if (MokListData)
FreePool(MokListData);
if (mok)
--
1.8.4.5
From a2879e575439b019d1eff5b32ca8b59d1e2e1503 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 15:29:14 +0800
Subject: [PATCH 4/5] MokManager: Support SHA224, SHA384, and SHA512
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index c5501f3..117cf9b 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -25,6 +25,9 @@
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
@@ -96,12 +99,21 @@ done:
static BOOLEAN is_sha_hash (EFI_GUID Type)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
if (CompareGuid(&Type, &Sha1) == 0)
return TRUE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return TRUE;
else if (CompareGuid(&Type, &Sha256) == 0)
return TRUE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return TRUE;
return FALSE;
}
@@ -109,12 +121,21 @@ static BOOLEAN is_sha_hash (EFI_GUID Type)
static UINT32 sha_size (EFI_GUID Type)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
if (CompareGuid(&Type, &Sha1) == 0)
return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return SHA224_DIGEST_LENGTH;
else if (CompareGuid(&Type, &Sha256) == 0)
return SHA256_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return SHA384_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return SHA512_DIGEST_LENGTH;
return 0;
}
@@ -410,7 +431,10 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
@@ -420,9 +444,18 @@ static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
if (CompareGuid(&Type, &Sha1) == 0) {
length = SHA1_DIGEST_SIZE;
text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha224) == 0) {
+ length = SHA224_DIGEST_LENGTH;
+ text[0] = L"SHA224 hash";
} else if (CompareGuid(&Type, &Sha256) == 0) {
length = SHA256_DIGEST_SIZE;
text[0] = L"SHA256 hash";
+ } else if (CompareGuid(&Type, &Sha384) == 0) {
+ length = SHA384_DIGEST_LENGTH;
+ text[0] = L"SHA384 hash";
+ } else if (CompareGuid(&Type, &Sha512) == 0) {
+ length = SHA512_DIGEST_LENGTH;
+ text[0] = L"SHA512 hash";
} else {
return;
}
@@ -1078,7 +1111,7 @@ static void mem_move (void *dest, void *src, UINTN size)
d[i] = s[i];
}
-static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
+static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
UINT32 sig_size;
@@ -1090,7 +1123,8 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size))
+ if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
+ (mok[i].MokSize < sig_size))
continue;
list_num = mok[i].MokSize / sig_size;
@@ -1138,7 +1172,7 @@ static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
hash = hash_list + sizeof(EFI_GUID);
for (i = 0; i < hash_num; i++) {
- delete_hash_in_list (hash, hash_size, mok, mok_num);
+ delete_hash_in_list (Type, hash, hash_size, mok, mok_num);
hash += sig_size;
}
}
--
1.8.4.5
From 04955238a98734aac8df7ad46a732e130681acfd Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 15:55:35 +0800
Subject: [PATCH 5/5] MokManager: Discard the list contains an invalid
signature
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 117cf9b..b896836 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -172,10 +172,8 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
}
if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ console_errorbox(L"Invalid signature list found");
+ return 0;
}
MokNum++;
@@ -203,12 +201,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
+ /* Omit the signature check here since we already did it
+ in count_keys() */
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
--
1.8.4.5
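Review bot: The guard added to count_keys in PATCH 3, `if (CertList->SignatureListSize == 0 || CertList->SignatureListSize <= CertList->SignatureSize)`, ignores SignatureHeaderSize, yet build_mok_list still computes the signature pointer as `CertList + sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize`, and PATCH 5 removes build_mok_list's own validation on the grounds that count_keys already did it. A list whose SignatureListSize passes this check but carries a large SignatureHeaderSize therefore still yields an out-of-range pointer; count_keys is also run on MokDel (and, by the same pattern, presumably MokNew), which user space writes through runtime variables, so these header fields are attacker-controlled input. I would tighten it to `if (CertList->SignatureListSize < sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize + CertList->SignatureSize)` and additionally require `(SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - SignatureHeaderSize) % SignatureSize == 0`, which is what the UEFI EFI_SIGNATURE_LIST layout guarantees. Separately, PATCH 1 and PATCH 4 make SHA-1 and SHA-224 acceptable hash types; whether shim's verifier honours them for MokList is not visible here, but is_valid_siglist deserves a comment stating whether these weaker digests are accepted only for listing and deletion or also for trust decisions. The bodies of count_keys and build_mok_list extend beyond the hunks.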


@ -1,10 +1,12 @@
From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001
From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 24 Oct 2013 17:02:08 +0800
Subject: [PATCH 1/9] Support MOK blacklist
Subject: [PATCH 01/10] Support MOK blacklist
The new blacklist, MokListX, stores the keys and hashes that are
banned.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++----------
shim.c | 3 +-
@ -510,7 +512,7 @@ index f5ed379..b9b42b6 100644
return EFI_SUCCESS;
}
diff --git a/shim.c b/shim.c
index 9ae1936..c133bb2 100644
index cf93d65..2c23a2f 100644
--- a/shim.c
+++ b/shim.c
@@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@ -524,14 +526,15 @@ index 9ae1936..c133bb2 100644
if (efi_status != EFI_SUCCESS) {
--
1.8.1.4
1.8.4.5
From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001
From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 24 Oct 2013 17:32:31 +0800
Subject: [PATCH 2/9] MokManager: show the hash list properly
Subject: [PATCH 02/10] MokManager: show the hash list properly
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 71 insertions(+), 11 deletions(-)
@ -675,14 +678,15 @@ index b9b42b6..5575a94 100644
for (i=0; menu_strings[i] != NULL; i++)
--
1.8.1.4
1.8.4.5
From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001
From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 25 Oct 2013 16:54:25 +0800
Subject: [PATCH 3/9] MokManager: delete the hash properly
Subject: [PATCH 03/10] MokManager: delete the hash properly
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 114 insertions(+), 10 deletions(-)
@ -840,14 +844,15 @@ index 5575a94..23bdeef 100644
}
--
1.8.1.4
1.8.4.5
From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001
From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 25 Oct 2013 17:05:10 +0800
Subject: [PATCH 4/9] MokManager: Match all hashes in the list
Subject: [PATCH 04/10] MokManager: Match all hashes in the list
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
@ -908,15 +913,17 @@ index 23bdeef..5b40e19 100644
}
}
--
1.8.1.4
1.8.4.5
From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001
From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 25 Oct 2013 18:30:48 +0800
Subject: [PATCH 5/9] MokManager: Write the hash list properly
Subject: [PATCH 05/10] MokManager: Write the hash list properly
also return to the previous entry in the list
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
@ -991,20 +998,21 @@ index 5b40e19..e79a8e0 100644
efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
--
1.8.1.4
1.8.4.5
From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001
From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 28 Oct 2013 15:08:40 +0800
Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable
Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/shim.c b/shim.c
index c133bb2..a0383a8 100644
index 2c23a2f..ccb3071 100644
--- a/shim.c
+++ b/shim.c
@@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list()
@ -1041,7 +1049,7 @@ index c133bb2..a0383a8 100644
* Check if a variable exists
*/
static BOOLEAN check_var(CHAR16 *varname)
@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
efi_status = mirror_mok_list();
@ -1051,20 +1059,21 @@ index c133bb2..a0383a8 100644
* Create the runtime MokIgnoreDB variable so the kernel can make
* use of it
--
1.8.1.4
1.8.4.5
From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001
From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 28 Oct 2013 16:36:34 +0800
Subject: [PATCH 7/9] No newline for console_notify
Subject: [PATCH 07/10] No newline for console_notify
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index a0383a8..a2e0862 100644
index ccb3071..e30a464 100644
--- a/shim.c
+++ b/shim.c
@@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void)
@ -1086,13 +1095,13 @@ index a0383a8..a2e0862 100644
}
--
1.8.1.4
1.8.4.5
From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001
From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 4 Nov 2013 14:45:33 +0800
Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist
Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
@ -1100,7 +1109,7 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
1 file changed, 9 insertions(+)
diff --git a/shim.c b/shim.c
index a2e0862..5f5e9a6 100644
index e30a464..efd3d85 100644
--- a/shim.c
+++ b/shim.c
@@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
@ -1127,13 +1136,13 @@ index a2e0862..5f5e9a6 100644
return EFI_SUCCESS;
}
--
1.8.1.4
1.8.4.5
From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001
From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 4 Nov 2013 17:51:55 +0800
Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images
Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images
If ca.crt was added into the certificate database, ca.crt would be the first
certificate in the signature. Because shim couldn't verify ca.crt with the
@ -1158,5 +1167,33 @@ index e65d28d..5e3fa9e 100644
certutil -d certdb/ -A -i shim.crt -n shim -t u
--
1.8.1.4
1.8.4.5
From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 11 Feb 2014 14:11:15 +0800
Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index efd3d85..7093c45 100644
--- a/shim.c
+++ b/shim.c
@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (check_var(L"MokNew") || check_var(L"MokSB") ||
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
- check_var(L"MokXNew") || check_var(L"MokXDel")) {
+ check_var(L"MokXNew") || check_var(L"MokXDel") ||
+ check_var(L"MokXAuth")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
--
1.8.4.5
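Review bot: The MokXAuth check added to check_mok_request in PATCH 10 has no comment, so the condition reads as if MokXAuth were just another request variable, while the patch subject says it is how a MokListX reset is triggered. If, as the subject implies, a bare MokXAuth (no MokXNew) is what mokutil writes to request a reset, a comment above the condition such as `/* A lone MokAuth/MokXAuth (no MokNew/MokXNew) is a request to reset MokList/MokListX */` would make that explicit; the MokManager side that acts on it is not in this diff, so confirm the wording against it. check_mok_request begins and ends outside the hunk.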

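--- /dev/null
+++ b/shim-only-os-name.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 91e6bcd..6ed5ba7 100644
+--- a/Makefile
++++ b/Makefile
+@@ -63,7 +63,7 @@ shim_cert.h: shim.cer
+version.c : version.c.in
+sed -e "s,@@VERSION@@,$(VERSION)," \
+- -e "s,@@UNAME@@,$(shell uname -a)," \
++ -e "s,@@UNAME@@,$(shell uname -o)," \
+-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
+< version.c.in > version.c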

@ -0,0 +1,390 @@
From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
This is an openSUSE-only patch.
Pop up a window to ask if the user is willing to trust the built-in
openSUSE certificate.
If yes, set openSUSE_Verify, a BootService variable, to 1, and shim
won't bother the user afterward.
If no, continue the booting process without using the built-in
certificate to verify the EFI images, and the window will show up
again after reboot.
The state will store in use_openSUSE_cert, a volatile RT variable.
---
shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 97 insertions(+), 19 deletions(-)
diff --git a/shim.c b/shim.c
index 0b20191..a483ce3 100644
--- a/shim.c
+++ b/shim.c
@@ -82,6 +82,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
int loader_is_participating;
+BOOLEAN use_builtin_cert;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -752,7 +753,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS)
return status;
- if (cert) {
+ if (cert && use_builtin_cert) {
/*
* Check against the shim build key
*/
@@ -1418,11 +1419,14 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
- FullDataSize = DataSize
- + sizeof (*CertList)
- + sizeof (EFI_GUID)
- + vendor_cert_size
- ;
+ FullDataSize = DataSize;
+ if (use_builtin_cert) {
+ FullDataSize += sizeof (*CertList) +
+ sizeof (EFI_GUID) +
+ vendor_cert_size;
+ } else if (DataSize == 0) {
+ return EFI_SUCCESS;
+ }
FullData = AllocatePool(FullDataSize);
if (!FullData) {
Print(L"Failed to allocate space for MokListRT\n");
@@ -1434,21 +1438,24 @@ EFI_STATUS mirror_mok_list()
CopyMem(p, Data, DataSize);
p += DataSize;
}
- CertList = (EFI_SIGNATURE_LIST *)p;
- p += sizeof (*CertList);
- CertData = (EFI_SIGNATURE_DATA *)p;
- p += sizeof (EFI_GUID);
- CertList->SignatureType = EFI_CERT_X509_GUID;
- CertList->SignatureListSize = vendor_cert_size
- + sizeof (*CertList)
- + sizeof (*CertData)
- -1;
- CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
+ if (use_builtin_cert) {
+ CertList = (EFI_SIGNATURE_LIST *)p;
+ p += sizeof (*CertList);
+ CertData = (EFI_SIGNATURE_DATA *)p;
+ p += sizeof (EFI_GUID);
- CertData->SignatureOwner = SHIM_LOCK_GUID;
- CopyMem(p, vendor_cert, vendor_cert_size);
+ CertList->SignatureType = EFI_CERT_X509_GUID;
+ CertList->SignatureListSize = vendor_cert_size
+ + sizeof (*CertList)
+ + sizeof (*CertData)
+ -1;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
+
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ CopyMem(p, vendor_cert, vendor_cert_size);
+ }
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid,
@@ -1767,6 +1774,75 @@ uninstall_shim_protocols(void)
&shim_lock_guid, &shim_lock_interface);
}
+#define VENDOR_VERIFY L"openSUSE_Verify"
+
+/* Show the built-in certificate prompt if necessary */
+static int builtin_cert_prompt(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+ UINT32 attributes;
+ UINTN len = sizeof(UINT8);
+ UINT8 data;
+
+ use_builtin_cert = FALSE;
+
+ if (vendor_cert_size == 0)
+ return 0;
+
+ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY,
+ &shim_lock_guid, &attributes,
+ &len, &data);
+ if (status != EFI_SUCCESS ||
+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
+ int choice;
+
+ if (status != EFI_NOT_FOUND)
+ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid);
+
+ CHAR16 *str[] = {L"Trust openSUSE Certificate",
+ L"",
+ L"Do you agree to use the built-in openSUSE certificate",
+ L"to verify boot loaders and kernels?",
+ NULL};
+ choice = console_yes_no(str);
+ if (choice != 1) {
+ data = 0;
+ goto done;
+ }
+
+ data = 1;
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ VENDOR_VERIFY,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set openSUSE_Verify", status);
+ return -1;
+ }
+ }
+
+ use_builtin_cert = TRUE;
+ data = 1;
+
+done:
+ /* Setup a runtime variable to show the current state */
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"use_openSUSE_cert",
+ &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set use_openSUSE_cert", status);
+ return -1;
+ }
+
+ return 0;
+}
+
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
EFI_STATUS efi_status;
@@ -1819,6 +1895,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
hook_system_services(systab);
loader_is_participating = 0;
+ if (builtin_cert_prompt() != 0)
+ return EFI_ABORTED;
}
efi_status = install_shim_protocols();
--
1.8.4.5
From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert
This is an openSUSE-only patch.
To revoke the openSUSE cert, create ClearVerify, a NV RT variable,
and store the password hash in the variable, and then MokManager
will show up with an additional option to clear openSUSE_Verify
---
MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
shim.c | 2 +-
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 71a3137..a03eea4 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1570,6 +1570,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+
+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
+ return 0;
+
+ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) {
+ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0,
+ NULL, NULL);
+ }
+ if (status != EFI_SUCCESS)
+ return -1;
+
+ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+ }
+
+ console_notify(L"The system must now be rebooted");
+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm,
+ EFI_SUCCESS, 0, NULL);
+ console_notify(L"Failed to reboot");
+ return -1;
+}
+
static BOOLEAN verify_certificate(void *cert, UINTN size)
{
X509 *X509Cert;
@@ -1903,6 +1930,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
+ MOK_CLEAR_VERIFY,
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
@@ -1914,7 +1942,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
- void *MokXDel, UINTN MokXDelSize)
+ void *MokXDel, UINTN MokXDelSize,
+ void *ClearVerify, UINTN ClearVerifySize)
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
@@ -1988,6 +2017,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
+ if (ClearVerify)
+ menucount++;
+
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
@@ -2057,6 +2089,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
+ if (ClearVerify) {
+ menu_strings[i] = L"Revoke openSUSE certificate";
+ menu_item[i] = MOK_CLEAR_VERIFY;
+ i++;
+ }
+
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2107,6 +2145,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
break;
+ case MOK_CLEAR_VERIFY:
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
+ break;
case MOK_KEY_ENROLL:
mok_key_enroll();
break;
@@ -2132,6 +2173,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
+ UINTN ClearVerifySize = 0;
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2139,6 +2181,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
+ void *ClearVerify = NULL;
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2211,9 +2254,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
+ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize,
+ shim_lock_guid);
+ if (status == EFI_SUCCESS) {
+ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) {
+ console_notify(L"Failed to delete ClearVerify");
+ }
+ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
+ console_error(L"Could not retrieve ClearVerify", status);
+ }
+
enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize,
- MokXNew, MokXNewSize, MokXDel, MokXDelSize);
+ MokXNew, MokXNewSize, MokXDel, MokXDelSize,
+ ClearVerify, ClearVerifySize);
if (MokNew)
FreePool (MokNew);
@@ -2236,6 +2290,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
+ if (ClearVerify)
+ FreePool (ClearVerify);
+
LibDeleteVariable(L"MokAuth", &shim_lock_guid);
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
index a483ce3..3b00e6c 100644
--- a/shim.c
+++ b/shim.c
@@ -1529,7 +1529,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
- check_var(L"MokXAuth")) {
+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
--
1.8.4.5
From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
This is an openSUSE-only patch.
LibDeleteVariable only works on the runtime variables.
---
MokManager.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
index a03eea4..d4f107d 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"openSUSE_Verify", &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
if (status != EFI_SUCCESS) {
console_error(L"Failed to delete openSUSE_Verify", status);
return -1;
--
1.8.4.5
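Review bot: In patch 2/3, `mok_clear_verify_prompt` (MokManager.c hunk at `@@ -1570,6 +1570,33 @@`) declares `EFI_STATUS status;` without an initial value and only assigns it inside `if (ClearVerifySize == PASSWORD_CRYPT_SIZE)`, so for any other variable size the `if (status != EFI_SUCCESS) return -1;` test reads an indeterminate value; depending on what the stack holds, the password check is either skipped or fails, and the revocation path becomes non-deterministic. Initialise it to a failure code, `EFI_STATUS status = EFI_INVALID_PARAMETER;`, so a malformed ClearVerify is always rejected. Patch 3/3 edits the same function but leaves this in place. A smaller point in patch 1/3: `builtin_cert_prompt` treats any BS-only openSUSE_Verify variable as consent without looking at the stored byte; if only a value of 1 is meant to count, `if (status == EFI_SUCCESS && data != 1)` could be folded into the re-prompt condition.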


@ -1,3 +1,113 @@
-------------------------------------------------------------------
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com
- Replace shim-mokmanager-support-sha1.patch with
shim-mokmanager-support-sha-family.patch to support the SHA
family
-------------------------------------------------------------------
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com
- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
MOK
-------------------------------------------------------------------
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com
- snapper rollback support (fate#317062)
- refresh shim-install
-------------------------------------------------------------------
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com
- Insert the right signature (bnc#867974)
-------------------------------------------------------------------
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com
- Add shim-fix-uninitialized-variable.patch to fix the use of
uninitialzed variables in lib
-------------------------------------------------------------------
Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com
- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
correctly
-------------------------------------------------------------------
Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com
- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
duplicate entries in BootOrder
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
shim protocol properly to keep only one protocol entity
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com
- shim-install: fix the $prefix to use grub2-mkrelpath for paths
on btrfs subvolume (bnc#866690).
-------------------------------------------------------------------
Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com
- FATE#315002: Update shim-install to install shim.efi as the EFI
default bootloader when none exists in \EFI\boot.
-------------------------------------------------------------------
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com
- Update signature-sles.asc: shim signed by UEFI signing service,
based on code from "Thu Feb 20 11:57:01 UTC 2014"
-------------------------------------------------------------------
Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com
- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
whether the user trusts the openSUSE certificate or not
-------------------------------------------------------------------
Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de
- allow package to carry multiple signatures
- check correct certificate is embedded
-------------------------------------------------------------------
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
- always clean up generated files that embed certificates
(shim_cert.h shim.cer shim.crt) to make sure next build loop
rebuilds them properly
-------------------------------------------------------------------
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
hash deletion operation to avoid ruining the whole list
(bnc#863205)
-------------------------------------------------------------------
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
- Update shim-mokx-support.patch to support the resetting of MOK
blacklist
- Add shim-get-variable-check.patch to fix the variable checking
in get_variable_attr
- Add shim-improve-fallback-entries-creation.patch to improve the
boot entry pathes and avoid generating the boot entries that
are already there
- Update SUSE certificate
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
extract_signature.sh and show_signatures.sh to remove the
creation of the temporary nss database
- Add shim-only-os-name.patch: remove the kernel version of the
build server
- Match the the prefix of the project name properly by escaping the
percent sign.
-------------------------------------------------------------------
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de


@ -28,7 +28,7 @@ Url: https://github.com/mjg59/shim
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
Source1: microsoft.asc
Source1: signature-opensuse.asc
Source2: openSUSE-UEFI-CA-Certificate.crt
Source3: shim-install
Source4: SLES-UEFI-CA-Certificate.crt
@ -38,6 +38,8 @@ Source7: show_hash.sh
Source8: show_signatures.sh
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
Patch1: shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
@ -50,6 +52,26 @@ Patch4: shim-fix-dhcpv4-path-generation.patch
Patch5: shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
Patch6: shim-mokmanager-handle-keystroke-error.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch7: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr
Patch8: shim-get-variable-check.patch
# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there
Patch9: shim-fallback-improve-entries-creation.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi
Patch11: shim-fallback-avoid-duplicate-bootorder.patch
# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity
Patch12: shim-allow-fallback-use-system-loadimage.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way
Patch13: shim-mokmanager-delete-bs-var-right.patch
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly
Patch14: shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch15: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
@ -78,6 +100,16 @@ Authors:
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch100 -p1
%build
# first, build MokManager and fallback as they don't depend on a
@ -108,12 +140,18 @@ for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
cert2=%{SOURCE9}
verify='openSUSE Secure Boot CA1'
signature=%{SOURCE1}
elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
cert2=''
verify='SUSE Linux Enterprise Secure Boot CA1'
signature=%{SOURCE12}
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
cert2=''
verify=`openssl x509 -in "$cert" -noout -email`
signature=''
test -e "$cert" || continue
else
echo "invalid suffix"
@ -121,6 +159,7 @@ for suffix in "${suffixes[@]}"; do
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
rm -f shim_cert.h shim.cer shim.crt
if [ -z "$cert2" ]; then
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
@ -128,35 +167,38 @@ for suffix in "${suffixes[@]}"; do
touch shim.cer
else
cp $cert2 shim.crt
rm -f shim.cer
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10}
chmod 755 %{SOURCE10}
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
head -1 %{SOURCE1} > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file %{SOURCE1} shim.efi
%{SOURCE7} shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
echo "ERROR: binary changed, need to request new signature!"
# don't fail in devel projects
prj="%{_project}"
if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then
false
fi
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
else
# attach signature
%{SOURCE6} %{SOURCE1} shim.efi
mv shim-signed.efi shim-$suffix.efi
rm -f shim.efi
if test -n "$signature"; then
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file "$signature" shim.efi
pesign -h -P -i shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
echo "ERROR: $suffix binary changed, need to request new signature!"
# don't fail in devel projects
prj="%{_project}"
if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then
false
fi
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
else
# attach signature
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
rm -f shim.efi
fi
fi
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
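Review bot: The embedded-certificate assertion `grep -q "$verify" shim.efi` in the `@ -128,35 +167,38 @@` hunk is vacuous in the `devel` branch whenever `openssl x509 -noout -email` prints nothing (a certificate with no e-mail address), because `$verify` is then empty and `grep -q ""` matches any non-empty file; it also interprets the e-mail as a regex, so dots match any byte. Guard the value and match it literally, `test -n "$verify"` followed by `grep -qF -- "$verify" shim.efi`, so a build with the wrong or missing vendor certificate fails instead of passing silently. The `for suffix` loop this sits in starts before the hunk.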


@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -h -P -i "$infile"
pesign -h -P -i "$infile"


@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
exit 1
fi
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -S -i "$infile"
pesign -S -i "$infile"

signature-sles.asc Normal file

@ -0,0 +1,188 @@
hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94
# 2069-04-10 06:07:54
timestamp: babababa
checksum: 61c9
-----BEGIN AUTHENTICODE SIGNATURE-----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-----END AUTHENTICODE SIGNATURE-----


@ -10,13 +10,4 @@ fi
outfile="${infile%.efi}-unsigned.efi"
nssdir=`mktemp -d`
cleanup()
{
rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N
pesign -n "$nssdir" -r -i "$infile" -o "$outfile"
pesign -r -i "$infile" -o "$outfile"