rpm/shim
SHA256
1
0
Fork 0
forked from pool/shim
Code Pull Requests Activity

Accepting request 229569 from home:gary_lin:branches:devel:openSUSE:Factory

Browse Source 
Replace shim-mokmanager-support-sha1.patch with shim-mokmanager-support-sha-family.patch to support the SHA family

OBS-URL: https://build.opensuse.org/request/show/229569
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=71
This commit is contained in:
Gary Ching-Pang Lin 2014-04-10 08:31:41 +00:00 committed by Git OBS Bridge
parent e0fd4dbc38
commit e876d9efc6
4 changed files with 636 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

627
shim-mokmanager-support-sha-family.patch Normal file
View File

@ -0,0 +1,627 @@
From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 3 Apr 2014 18:26:37 +0800
Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK
Add SHA1 hash support and amend the code to make it easier to support
other SHA digests.
---
MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 46 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 5af5ce6..7cf31c1 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -93,27 +93,58 @@ done:
return status;
}
+static BOOLEAN is_sha_hash (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
+static UINT32 sha_size (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return SHA256_DIGEST_SIZE;
+
+ return 0;
+}
+
+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
+{
+ EFI_GUID CertType = X509_GUID;
+ UINT32 hash_sig_size;
+
+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ return TRUE;
+
+ if (!is_sha_hash (Type))
+ return FALSE;
+
+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
+ if (SigSize != hash_sig_size)
+ return FALSE;
+
+ return TRUE;
+}
+
static UINT32 count_keys(void *Data, UINTN DataSize)
{
EFI_SIGNATURE_LIST *CertList = Data;
- EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- console_notify(L"Doesn't look like a key or hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CertList->SignatureSize != 48)) {
- console_notify(L"Doesn't look like a valid hash");
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -134,7 +165,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
@@ -146,16 +176,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -380,22 +401,34 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
FreePool(text);
}
-static void show_sha256_digest (UINT8 *hash)
+static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
+ int length;
+
+ if (CompareGuid(&Type, &Sha1) == 0) {
+ length = SHA1_DIGEST_SIZE;
+ text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha256) == 0) {
+ length = SHA256_DIGEST_SIZE;
+ text[0] = L"SHA256 hash";
+ } else {
+ return;
+ }
ZeroMem(&hash_string1, sizeof(hash_string1));
ZeroMem(&hash_string2, sizeof(hash_string2));
- text[0] = L"SHA256 hash";
text[1] = L"";
- for (i=0; i<16; i++)
+ for (i=0; i<length/2; i++)
CatPrint(&hash_string1, L"%02x ", hash[i]);
- for (i=16; i<32; i++)
+ for (i=length/2; i<length; i++)
CatPrint(&hash_string2, L"%02x ", hash[i]);
text[2] = hash_string1.str;
@@ -411,7 +444,7 @@ static void show_sha256_digest (UINT8 *hash)
FreePool(hash_string2.str);
}
-static void show_efi_hash (void *Mok, UINTN MokSize)
+static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
{
UINTN sig_size;
UINTN hash_num;
@@ -420,7 +453,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
int key_num = 0;
int i;
- sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
console_errorbox(L"Corrupted Hash List");
return;
@@ -429,7 +462,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
if (hash_num == 1) {
hash = (UINT8 *)Mok + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
return;
}
@@ -452,7 +485,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
break;
hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
}
for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +500,6 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
if (!Mok || MokSize == 0)
return;
@@ -488,8 +520,8 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
console_notify(L"Not a valid X509 certificate");
return;
}
- } else if (CompareGuid (&Type, &HashType) == 0) {
- show_efi_hash(Mok, MokSize);
+ } else if (is_sha_hash(Type)) {
+ show_efi_hash(Type, Mok, MokSize);
}
}
@@ -968,7 +1000,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num,
} else {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST);
- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
CopyMem(CertData, list[i].Mok, list[i].MokSize);
}
@@ -1040,7 +1072,6 @@ static void mem_move (void *dest, void *src, UINTN size)
static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
UINT32 list_num;
int i, del_ind;
@@ -1050,8 +1081,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
- (mok[i].MokSize < sig_size))
+ if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size))
continue;
list_num = mok[i].MokSize / sig_size;
@@ -1080,7 +1110,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
}
}
-static void delete_hash_list (void *hash_list, UINT32 list_size,
+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
MokListNode *mok, INTN mok_num)
{
UINT32 hash_size;
@@ -1089,7 +1119,7 @@ static void delete_hash_list (void *hash_list, UINT32 list_size,
UINT8 *hash;
int i;
- hash_size = SHA256_DIGEST_SIZE;
+ hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);
if (list_size < sig_size)
return;
@@ -1108,7 +1138,6 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
@@ -1183,9 +1212,9 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
- delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
+ } else if (is_sha_hash(del_key[i].Type)) {
+ delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ del_key[i].MokSize, mok, mok_num);
}
}
--
1.8.4.5
From 9a0aaf045859be5ba3abdaaf06683cb9ab0b6c57 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 9 Apr 2014 16:49:25 +0800
Subject: [PATCH 2/5] MokManager: fix the return value and type
There are some functions that the return value and the type
didn't match.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 7cf31c1..b09f5b8 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -536,7 +536,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_SIGNATURE_DATA))) {
console_notify(L"No MOK keys found");
- return 0;
+ return EFI_NOT_FOUND;
}
MokNum = count_keys(KeyList, KeyListSize);
@@ -544,7 +544,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
if (!keys) {
console_notify(L"Failed to construct key list");
- return 0;
+ return EFI_ABORTED;
}
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2));
@@ -863,7 +863,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
return EFI_SUCCESS;
}
-static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
+static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
--
1.8.4.5
From 790eb376dbe692d4702d807f24c1be7a492a5717 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 14:39:43 +0800
Subject: [PATCH 3/5] MokManager: Add more key list safe checks
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 56 insertions(+), 4 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index b09f5b8..c5501f3 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -144,6 +144,12 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+ if (CertList->SignatureListSize == 0 ||
+ CertList->SignatureListSize <= CertList->SignatureSize) {
+ console_errorbox(L"Corrupted signature list");
+ return 0;
+ }
+
if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
@@ -540,10 +546,13 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
}
MokNum = count_keys(KeyList, KeyListSize);
+ if (MokNum == 0) {
+ console_errorbox(L"Invalid key list");
+ return EFI_ABORTED;
+ }
keys = build_mok_list(MokNum, KeyList, KeyListSize);
-
if (!keys) {
- console_notify(L"Failed to construct key list");
+ console_errorbox(L"Failed to construct key list");
return EFI_ABORTED;
}
@@ -1184,7 +1193,13 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (efi_status != EFI_SUCCESS) {
+ if (MokX)
+ console_errorbox(L"Failed to retrieve MokListX");
+ else
+ console_errorbox(L"Failed to retrieve MokList");
+ return EFI_ABORTED;
+ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
if (MokX) {
err_str1 = L"MokListX is compromised!";
err_str2 = L"Erase all keys in MokListX!";
@@ -1193,7 +1208,11 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
err_str2 = L"Erase all keys in MokList!";
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
- LibDeleteVariable(db_name, &shim_lock_guid);
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
return EFI_ACCESS_DENIED;
}
@@ -1203,9 +1222,41 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
/* Construct lists */
mok_num = count_keys(MokListData, MokListDataSize);
+ if (mok_num == 0) {
+ if (MokX) {
+ err_str1 = L"Failed to construct the key list of MokListX";
+ err_str2 = L"Reset MokListX!";
+ } else {
+ err_str1 = L"Failed to construct the key list of MokList";
+ err_str2 = L"Reset MokList!";
+ }
+ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
mok = build_mok_list(mok_num, MokListData, MokListDataSize);
+ if (!mok) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_num = count_keys(MokDel, MokDelSize);
+ if (del_num == 0) {
+ console_errorbox(L"Invalid key delete list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_key = build_mok_list(del_num, MokDel, MokDelSize);
+ if (!del_key) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
/* Search and destroy */
for (i = 0; i < del_num; i++) {
@@ -1220,6 +1271,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
efi_status = write_back_mok_list(mok, mok_num, MokX);
+error:
if (MokListData)
FreePool(MokListData);
if (mok)
--
1.8.4.5
From a2879e575439b019d1eff5b32ca8b59d1e2e1503 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 15:29:14 +0800
Subject: [PATCH 4/5] MokManager: Support SHA224, SHA384, and SHA512
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index c5501f3..117cf9b 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -25,6 +25,9 @@
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
@@ -96,12 +99,21 @@ done:
static BOOLEAN is_sha_hash (EFI_GUID Type)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
if (CompareGuid(&Type, &Sha1) == 0)
return TRUE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return TRUE;
else if (CompareGuid(&Type, &Sha256) == 0)
return TRUE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return TRUE;
return FALSE;
}
@@ -109,12 +121,21 @@ static BOOLEAN is_sha_hash (EFI_GUID Type)
static UINT32 sha_size (EFI_GUID Type)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
if (CompareGuid(&Type, &Sha1) == 0)
return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return SHA224_DIGEST_LENGTH;
else if (CompareGuid(&Type, &Sha256) == 0)
return SHA256_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return SHA384_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return SHA512_DIGEST_LENGTH;
return 0;
}
@@ -410,7 +431,10 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
@@ -420,9 +444,18 @@ static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
if (CompareGuid(&Type, &Sha1) == 0) {
length = SHA1_DIGEST_SIZE;
text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha224) == 0) {
+ length = SHA224_DIGEST_LENGTH;
+ text[0] = L"SHA224 hash";
} else if (CompareGuid(&Type, &Sha256) == 0) {
length = SHA256_DIGEST_SIZE;
text[0] = L"SHA256 hash";
+ } else if (CompareGuid(&Type, &Sha384) == 0) {
+ length = SHA384_DIGEST_LENGTH;
+ text[0] = L"SHA384 hash";
+ } else if (CompareGuid(&Type, &Sha512) == 0) {
+ length = SHA512_DIGEST_LENGTH;
+ text[0] = L"SHA512 hash";
} else {
return;
}
@@ -1078,7 +1111,7 @@ static void mem_move (void *dest, void *src, UINTN size)
d[i] = s[i];
}
-static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
+static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
UINT32 sig_size;
@@ -1090,7 +1123,8 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size))
+ if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
+ (mok[i].MokSize < sig_size))
continue;
list_num = mok[i].MokSize / sig_size;
@@ -1138,7 +1172,7 @@ static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
hash = hash_list + sizeof(EFI_GUID);
for (i = 0; i < hash_num; i++) {
- delete_hash_in_list (hash, hash_size, mok, mok_num);
+ delete_hash_in_list (Type, hash, hash_size, mok, mok_num);
hash += sig_size;
}
}
--
1.8.4.5
From 04955238a98734aac8df7ad46a732e130681acfd Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 15:55:35 +0800
Subject: [PATCH 5/5] MokManager: Discard the list contains an invalid
signature
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 117cf9b..b896836 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -172,10 +172,8 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
}
if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ console_errorbox(L"Invalid signature list found");
+ return 0;
}
MokNum++;
@@ -203,12 +201,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
+ /* Omit the signature check here since we already did it
+ in count_keys() */
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
--
1.8.4.5

277
shim-mokmanager-support-sha1.patch
View File

@ -1,277 +0,0 @@
From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 3 Apr 2014 18:26:37 +0800
Subject: [PATCH] MokManager: Support SHA1 hash in MOK
Add SHA1 hash support and amend the code to make it easier to support
other SHA digests.
---
MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 46 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 5af5ce6..7cf31c1 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -93,27 +93,58 @@ done:
return status;
}
+static BOOLEAN is_sha_hash (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
+static UINT32 sha_size (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return SHA256_DIGEST_SIZE;
+
+ return 0;
+}
+
+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
+{
+ EFI_GUID CertType = X509_GUID;
+ UINT32 hash_sig_size;
+
+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ return TRUE;
+
+ if (!is_sha_hash (Type))
+ return FALSE;
+
+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
+ if (SigSize != hash_sig_size)
+ return FALSE;
+
+ return TRUE;
+}
+
static UINT32 count_keys(void *Data, UINTN DataSize)
{
EFI_SIGNATURE_LIST *CertList = Data;
- EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- console_notify(L"Doesn't look like a key or hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CertList->SignatureSize != 48)) {
- console_notify(L"Doesn't look like a valid hash");
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -134,7 +165,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
@@ -146,16 +176,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
CertList->SignatureListSize);
@@ -380,22 +401,34 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
FreePool(text);
}
-static void show_sha256_digest (UINT8 *hash)
+static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
+ int length;
+
+ if (CompareGuid(&Type, &Sha1) == 0) {
+ length = SHA1_DIGEST_SIZE;
+ text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha256) == 0) {
+ length = SHA256_DIGEST_SIZE;
+ text[0] = L"SHA256 hash";
+ } else {
+ return;
+ }
ZeroMem(&hash_string1, sizeof(hash_string1));
ZeroMem(&hash_string2, sizeof(hash_string2));
- text[0] = L"SHA256 hash";
text[1] = L"";
- for (i=0; i<16; i++)
+ for (i=0; i<length/2; i++)
CatPrint(&hash_string1, L"%02x ", hash[i]);
- for (i=16; i<32; i++)
+ for (i=length/2; i<length; i++)
CatPrint(&hash_string2, L"%02x ", hash[i]);
text[2] = hash_string1.str;
@@ -411,7 +444,7 @@ static void show_sha256_digest (UINT8 *hash)
FreePool(hash_string2.str);
}
-static void show_efi_hash (void *Mok, UINTN MokSize)
+static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
{
UINTN sig_size;
UINTN hash_num;
@@ -420,7 +453,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
int key_num = 0;
int i;
- sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
console_errorbox(L"Corrupted Hash List");
return;
@@ -429,7 +462,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
if (hash_num == 1) {
hash = (UINT8 *)Mok + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
return;
}
@@ -452,7 +485,7 @@ static void show_efi_hash (void *Mok, UINTN MokSize)
break;
hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
}
for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +500,6 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
if (!Mok || MokSize == 0)
return;
@@ -488,8 +520,8 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
console_notify(L"Not a valid X509 certificate");
return;
}
- } else if (CompareGuid (&Type, &HashType) == 0) {
- show_efi_hash(Mok, MokSize);
+ } else if (is_sha_hash(Type)) {
+ show_efi_hash(Type, Mok, MokSize);
}
}
@@ -968,7 +1000,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num,
} else {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST);
- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
CopyMem(CertData, list[i].Mok, list[i].MokSize);
}
@@ -1040,7 +1072,6 @@ static void mem_move (void *dest, void *src, UINTN size)
static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
UINT32 list_num;
int i, del_ind;
@@ -1050,8 +1081,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
- (mok[i].MokSize < sig_size))
+ if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size))
continue;
list_num = mok[i].MokSize / sig_size;
@@ -1080,7 +1110,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
}
}
-static void delete_hash_list (void *hash_list, UINT32 list_size,
+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
MokListNode *mok, INTN mok_num)
{
UINT32 hash_size;
@@ -1089,7 +1119,7 @@ static void delete_hash_list (void *hash_list, UINT32 list_size,
UINT8 *hash;
int i;
- hash_size = SHA256_DIGEST_SIZE;
+ hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);
if (list_size < sig_size)
return;
@@ -1108,7 +1138,6 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
@@ -1183,9 +1212,9 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
- delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
+ } else if (is_sha_hash(del_key[i].Type)) {
+ delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ del_key[i].MokSize, mok, mok_num);
}
}
--
1.8.4.5

7
shim.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com
- Replace shim-mokmanager-support-sha1.patch with
shim-mokmanager-support-sha-family.patch to support the SHA
family
-------------------------------------------------------------------
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com

4
shim.spec
View File

@ -68,8 +68,8 @@ Patch12: shim-allow-fallback-use-system-loadimage.patch
Patch13: shim-mokmanager-delete-bs-var-right.patch
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly
Patch14: shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha1.patch glin@suse.com -- Support SHA1 hashes in MOK
Patch15: shim-mokmanager-support-sha1.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch15: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t