From f60d64b0e119ad7df60d9111fc94fe7ded65750f Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 20 Jun 2013 12:41:14 -0400 Subject: [PATCH 1/3] Don't print that fallback isn't found in should_use_fallback() The call can simply fail if it isn't found - which will be the case on removeable install media. Signed-off-by: Peter Jones --- shim.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 47e3812..895b594 100644 --- a/shim.c +++ b/shim.c @@ -951,7 +951,12 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(vh->Open, 5, vh, &fh, L"\\EFI\\BOOT" FALLBACK, EFI_FILE_MODE_READ, 0); if (EFI_ERROR(rc)) { - Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK, rc); + /* Do not print the error here - this is an acceptable case + * for removable media, where we genuinely don't want + * fallback.efi to exist. + * Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK, + * rc); + */ uefi_call_wrapper(vh->Close, 1, vh); return 0; } -- 1.8.1.4 From abe44733163c3ef8da96c09dadd8e54e65f9bdab Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 25 Jul 2013 10:51:05 -0400 Subject: [PATCH 2/3] Don't print things on the screen by default when everything works. There's no point to this text, and it generally confuses people. Signed-off-by: Peter Jones --- shim.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index 895b594..137290d 100644 --- a/shim.c +++ b/shim.c @@ -53,6 +53,7 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; +static UINT8 verbose; /* * The vendor certificate used for validating the second stage loader @@ -431,7 +432,8 @@ static BOOLEAN secure_mode (void) /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { - Print(L"Secure boot not enabled\n"); + if (verbose) + Print(L"Secure boot not enabled\n"); return FALSE; } @@ -439,7 +441,8 @@ static BOOLEAN secure_mode (void) (void *)&setupmode); if (status == EFI_SUCCESS && setupmode == 1) { - Print(L"Platform is in setup mode\n"); + if (verbose) + Print(L"Platform is in setup mode\n"); return FALSE; } @@ -699,7 +702,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_whitelist(cert, sha256hash, sha1hash); if (status == EFI_SUCCESS) { - Print(L"Binary is whitelisted\n"); + if (verbose) + Print(L"Binary is whitelisted\n"); return status; } @@ -711,7 +715,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); + if (verbose) + Print(L"Binary is verified by the vendor certificate\n"); return status; } @@ -724,7 +729,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); + if (verbose) + Print(L"Binary is verified by the vendor certificate\n"); return status; } @@ -1501,6 +1507,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) static SHIM_LOCK shim_lock_interface; EFI_HANDLE handle = NULL; EFI_STATUS efi_status; + UINT8 verbose_check; + UINTN verbose_check_size; + UINT32 attributes; + EFI_GUID global_var = EFI_GLOBAL_VARIABLE; /* * Set up the shim lock protocol so that grub and MokManager can @@ -1517,6 +1527,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ InitializeLib(image_handle, systab); + verbose_check_size = 1; + efi_status = get_variable(L"SHIM_VERBOSE", global_var, &attributes, + &verbose_check_size, (void *)&verbose_check); + if (!EFI_ERROR(efi_status)) + verbose = verbose_check; + /* Set the second stage loader */ set_second_stage (image_handle); -- 1.8.1.4 From 3a131108f7b86af4fe5ed0021374467feb98bd54 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 1 Oct 2013 11:58:52 +0800 Subject: [PATCH 3/3] Keep silent in shim protocol On some machines, grub2 hung on shim_verify() which tried to output messages. This commit silences the functions used in the shim protocols to avoid system hang. --- shim.c | 178 +++++++++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 106 insertions(+), 72 deletions(-) diff --git a/shim.c b/shim.c index 137290d..a0de14e 100644 --- a/shim.c +++ b/shim.c @@ -54,6 +54,9 @@ static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; static UINT8 verbose; +static UINT8 in_protocol; + +#define ERROR(...) if(!in_protocol) {Print(__VA_ARGS__);} /* * The vendor certificate used for validating the second stage loader @@ -94,7 +97,7 @@ static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, *buffer = AllocatePool(*size); if (!*buffer) { - Print(L"Unable to allocate variable buffer\n"); + ERROR(L"Unable to allocate variable buffer\n"); return EFI_OUT_OF_RESOURCES; } @@ -134,7 +137,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data; if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { - Print(L"Image has no relocation entry\n"); + ERROR(L"Image has no relocation entry\n"); return EFI_UNSUPPORTED; } @@ -142,7 +145,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); if (!RelocBase || !RelocBaseEnd) { - Print(L"Reloc table overflows binary\n"); + ERROR(L"Reloc table overflows binary\n"); return EFI_UNSUPPORTED; } @@ -153,13 +156,13 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) { - Print(L"Reloc entry overflows binary\n"); + ERROR(L"Reloc entry overflows binary\n"); return EFI_UNSUPPORTED; } FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress); if (!FixupBase) { - Print(L"Invalid fixupbase\n"); + ERROR(L"Invalid fixupbase\n"); return EFI_UNSUPPORTED; } @@ -208,7 +211,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, break; default: - Print(L"Unknown relocation\n"); + ERROR(L"Unknown relocation\n"); return EFI_UNSUPPORTED; } Reloc += 1; @@ -432,7 +435,7 @@ static BOOLEAN secure_mode (void) /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { - if (verbose) + if (verbose && !in_protocol) Print(L"Secure boot not enabled\n"); return FALSE; } @@ -441,7 +444,7 @@ static BOOLEAN secure_mode (void) (void *)&setupmode); if (status == EFI_SUCCESS && setupmode == 1) { - if (verbose) + if (verbose && !in_protocol) Print(L"Platform is in setup mode\n"); return FALSE; } @@ -477,12 +480,12 @@ static EFI_STATUS generate_hash (char *data, int datasize, sha1ctx = AllocatePool(sha1ctxsize); if (!sha256ctx || !sha1ctx) { - Print(L"Unable to allocate memory for hash context\n"); + ERROR(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; } if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) { - Print(L"Unable to initialise hash\n"); + ERROR(L"Unable to initialise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -494,7 +497,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + ERROR(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -506,7 +509,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + ERROR(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -518,7 +521,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + ERROR(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -539,14 +542,14 @@ static EFI_STATUS generate_hash (char *data, int datasize, } if (SumOfSectionBytes >= datasize) { - Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); + ERROR(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); status = EFI_INVALID_PARAMETER; goto done; } SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); if (SectionHeader == NULL) { - Print(L"Unable to allocate section header\n"); + ERROR(L"Unable to allocate section header\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -572,14 +575,14 @@ static EFI_STATUS generate_hash (char *data, int datasize, hashsize = (unsigned int) Section->SizeOfRawData; if (!hashbase) { - Print(L"Malformed section header\n"); + ERROR(L"Malformed section header\n"); status = EFI_INVALID_PARAMETER; goto done; } if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + ERROR(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -596,7 +599,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + ERROR(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -604,7 +607,7 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (!(Sha256Final(sha256ctx, sha256hash)) || !(Sha1Final(sha1ctx, sha1hash))) { - Print(L"Unable to finalise hash\n"); + ERROR(L"Unable to finalise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -634,9 +637,9 @@ static EFI_STATUS verify_mok (void) { &MokListDataSize, &MokListData); if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokList is compromised!\nErase all keys in MokList!\n"); + ERROR(L"MokList is compromised!\nErase all keys in MokList!\n"); if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokList\n"); + ERROR(L"Failed to erase MokList\n"); } status = EFI_ACCESS_DENIED; return status; @@ -658,19 +661,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize, unsigned int size = datasize; if (context->SecDir->Size == 0) { - Print(L"Empty security header\n"); + ERROR(L"Empty security header\n"); return EFI_INVALID_PARAMETER; } cert = ImageAddress (data, size, context->SecDir->VirtualAddress); if (!cert) { - Print(L"Certificate located outside the image\n"); + ERROR(L"Certificate located outside the image\n"); return EFI_INVALID_PARAMETER; } if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - Print(L"Unsupported certificate type %x\n", + ERROR(L"Unsupported certificate type %x\n", cert->Hdr.wCertificateType); return EFI_UNSUPPORTED; } @@ -691,7 +694,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_blacklist(cert, sha256hash, sha1hash); if (status != EFI_SUCCESS) { - Print(L"Binary is blacklisted\n"); + ERROR(L"Binary is blacklisted\n"); return status; } @@ -702,7 +705,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_whitelist(cert, sha256hash, sha1hash); if (status == EFI_SUCCESS) { - if (verbose) + if (verbose && !in_protocol) Print(L"Binary is whitelisted\n"); return status; } @@ -715,7 +718,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - if (verbose) + if (verbose && !in_protocol) Print(L"Binary is verified by the vendor certificate\n"); return status; } @@ -729,12 +732,12 @@ static EFI_STATUS verify_buffer (char *data, int datasize, vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - if (verbose) + if (verbose && !in_protocol) Print(L"Binary is verified by the vendor certificate\n"); return status; } - Print(L"Invalid signature\n"); + ERROR(L"Invalid signature\n"); status = EFI_ACCESS_DENIED; return status; @@ -750,7 +753,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data; if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { - Print(L"Invalid image\n"); + ERROR(L"Invalid image\n"); return EFI_UNSUPPORTED; } @@ -758,22 +761,22 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew); if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) { - Print(L"Invalid image\n"); + ERROR(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (PEHdr->Te.Signature != EFI_IMAGE_NT_SIGNATURE) { - Print(L"Unsupported image type\n"); + ERROR(L"Unsupported image type\n"); return EFI_UNSUPPORTED; } if (PEHdr->Pe32.FileHeader.Characteristics & EFI_IMAGE_FILE_RELOCS_STRIPPED) { - Print(L"Unsupported image - Relocations have been stripped\n"); + ERROR(L"Unsupported image - Relocations have been stripped\n"); return EFI_UNSUPPORTED; } if (PEHdr->Pe32.OptionalHeader.Magic != EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) { - Print(L"Only 64-bit images supported\n"); + ERROR(L"Only 64-bit images supported\n"); return EFI_UNSUPPORTED; } @@ -789,22 +792,23 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; if (context->ImageSize < context->SizeOfHeaders) { - Print(L"Invalid image\n"); + ERROR(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { - Print(L"Invalid image\n"); + ERROR(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (context->SecDir->VirtualAddress >= datasize) { - Print(L"Malformed security header\n"); + ERROR(L"Malformed security header\n"); return EFI_INVALID_PARAMETER; } return EFI_SUCCESS; } + /* * Once the image has been loaded it needs to be validated and relocated */ @@ -823,7 +827,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, */ efi_status = read_header(data, datasize, &context); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to read header\n"); + ERROR(L"Failed to read header\n"); return efi_status; } @@ -834,7 +838,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, efi_status = verify_buffer(data, datasize, &context); if (efi_status != EFI_SUCCESS) { - Print(L"Verification failed\n"); + ERROR(L"Verification failed\n"); return efi_status; } } @@ -842,7 +846,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, buffer = AllocatePool(context.ImageSize); if (!buffer) { - Print(L"Failed to allocate image buffer\n"); + ERROR(L"Failed to allocate image buffer\n"); return EFI_OUT_OF_RESOURCES; } @@ -862,7 +866,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1); if (!base || !end) { - Print(L"Invalid section size\n"); + ERROR(L"Invalid section size\n"); return EFI_UNSUPPORTED; } @@ -881,7 +885,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, efi_status = relocate_coff(&context, buffer); if (efi_status != EFI_SUCCESS) { - Print(L"Relocation failed\n"); + ERROR(L"Relocation failed\n"); FreePool(buffer); return efi_status; } @@ -899,7 +903,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, li->LoadOptionsSize = load_options_size; if (!entry_point) { - Print(L"Invalid entry point\n"); + ERROR(L"Invalid entry point\n"); FreePool(buffer); return EFI_UNSUPPORTED; } @@ -922,7 +926,7 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &loaded_image_protocol, (void **)&li); if (EFI_ERROR(rc)) { - Print(L"Could not get image for bootx64.efi: %d\n", rc); + ERROR(L"Could not get image for bootx64.efi: %d\n", rc); return 0; } @@ -944,13 +948,13 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle, &FileSystemProtocol, (void **)&fio); if (EFI_ERROR(rc)) { - Print(L"Could not get fio for li->DeviceHandle: %d\n", rc); + ERROR(L"Could not get fio for li->DeviceHandle: %d\n", rc); return 0; } rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh); if (EFI_ERROR(rc)) { - Print(L"Could not open fio volume: %d\n", rc); + ERROR(L"Could not open fio volume: %d\n", rc); return 0; } @@ -1029,7 +1033,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); if (!*PathName) { - Print(L"Failed to allocate path buffer\n"); + ERROR(L"Failed to allocate path buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1072,14 +1076,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, (void **)&drive); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to find fs\n"); + ERROR(L"Failed to find fs\n"); goto error; } efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open fs\n"); + ERROR(L"Failed to open fs\n"); goto error; } @@ -1090,14 +1094,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, EFI_FILE_MODE_READ, 0); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open %s - %lx\n", PathName, efi_status); + ERROR(L"Failed to open %s - %lx\n", PathName, efi_status); goto error; } fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + ERROR(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1113,7 +1117,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, FreePool(fileinfo); fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + ERROR(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1123,7 +1127,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unable to get file info\n"); + ERROR(L"Unable to get file info\n"); goto error; } @@ -1132,7 +1136,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, *data = AllocatePool(buffersize); if (!*data) { - Print(L"Unable to allocate file buffer\n"); + ERROR(L"Unable to allocate file buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1151,7 +1155,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize); + ERROR(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize); goto error; } @@ -1180,15 +1184,45 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) EFI_STATUS status; PE_COFF_LOADER_IMAGE_CONTEXT context; - if (!secure_mode()) - return EFI_SUCCESS; + in_protocol = 1; + + if (!secure_mode()) { + status = EFI_SUCCESS; + goto done; + } status = read_header(buffer, size, &context); if (status != EFI_SUCCESS) - return status; + goto done; status = verify_buffer(buffer, size, &context); +done: + in_protocol = 0; + return status; +} + +static EFI_STATUS shim_hash (char *data, int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context, + UINT8 *sha256hash, UINT8 *sha1hash) +{ + EFI_STATUS status; + + in_protocol = 1; + status = generate_hash(data, datasize, context, sha256hash, sha1hash); + in_protocol = 0; + + return status; +} + +static EFI_STATUS shim_read_header(void *data, unsigned int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context) +{ + EFI_STATUS status; + + in_protocol = 1; + status = read_header(data, datasize, context); + in_protocol = 0; return status; } @@ -1216,7 +1250,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) &loaded_image_protocol, (void **)&li); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to init protocol\n"); + ERROR(L"Unable to init protocol\n"); return efi_status; } @@ -1226,20 +1260,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = generate_path(li, ImagePath, &path, &PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate path: %s\n", ImagePath); + ERROR(L"Unable to generate path: %s\n", ImagePath); goto done; } if (findNetboot(image_handle)) { efi_status = parseNetbootinfo(image_handle); if (efi_status != EFI_SUCCESS) { - Print(L"Netboot parsing failed: %d\n", efi_status); + ERROR(L"Netboot parsing failed: %d\n", efi_status); return EFI_PROTOCOL_ERROR; } efi_status = FetchNetbootimage(image_handle, &sourcebuffer, &sourcesize); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to fetch TFTP image\n"); + ERROR(L"Unable to fetch TFTP image\n"); return efi_status; } data = sourcebuffer; @@ -1251,7 +1285,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = load_image(li, &data, &datasize, PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + ERROR(L"Failed to load image\n"); goto done; } } @@ -1268,7 +1302,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = handle_image(data, datasize, li); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + ERROR(L"Failed to load image\n"); CopyMem(li, &li_bak, sizeof(li_bak)); goto done; } @@ -1336,7 +1370,7 @@ EFI_STATUS mirror_mok_list() | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, Data); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokListRT %d\n", efi_status); + ERROR(L"Failed to set MokListRT %d\n", efi_status); } done: @@ -1378,7 +1412,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to start MokManager\n"); + ERROR(L"Failed to start MokManager\n"); return efi_status; } } @@ -1409,9 +1443,9 @@ static EFI_STATUS check_mok_sb (void) * modified by the OS */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokSBState is compromised! Clearing it\n"); + ERROR(L"MokSBState is compromised! Clearing it\n"); if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokSBState\n"); + ERROR(L"Failed to erase MokSBState\n"); } status = EFI_ACCESS_DENIED; } else { @@ -1442,7 +1476,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &LoadedImageProtocol, (void **) &li); if (status != EFI_SUCCESS) { - Print (L"Failed to get load options\n"); + ERROR (L"Failed to get load options\n"); return status; } @@ -1486,7 +1520,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) if (loader_len > 0) { loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16)); if (!loader_str) { - Print(L"Failed to allocate loader string\n"); + ERROR(L"Failed to allocate loader string\n"); return EFI_OUT_OF_RESOURCES; } for (i = 0; i < loader_len; i++) @@ -1517,8 +1551,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) * call back in and use shim functions */ shim_lock_interface.Verify = shim_verify; - shim_lock_interface.Hash = generate_hash; - shim_lock_interface.Context = read_header; + shim_lock_interface.Hash = shim_hash; + shim_lock_interface.Context = shim_read_header; systab = passed_systab; -- 1.8.1.4