[shim/f18] Add vendor cert-from-file magic
Peter Jones
pjones at fedoraproject.org
Tue Aug 14 18:40:49 UTC 2012
commit 2e3808918a95a6c2c9317fa48574350886f3da16
Author: Peter Jones <pjones at redhat.com>
Date: Tue Aug 14 11:53:51 2012 -0400
Add vendor cert-from-file magic
shim-vendor-cert-file.patch | 129 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 129 insertions(+), 0 deletions(-)
---
diff --git a/shim-vendor-cert-file.patch b/shim-vendor-cert-file.patch
new file mode 100644
index 0000000..09e8ab1
--- /dev/null
+++ b/shim-vendor-cert-file.patch
@@ -0,0 +1,129 @@
+From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Mon, 13 Aug 2012 17:06:46 -0400
+Subject: [PATCH] Allow specification of vendor_cert through a build command
+ line option.
+
+This allows you to specify the vendor_cert as a file on the command line
+during build.
+---
+ Makefile | 16 +++++++++++-----
+ cert.S | 32 ++++++++++++++++++++++++++++++++
+ cert.h | 1 -
+ shim.c | 6 +++---
+ 4 files changed, 46 insertions(+), 9 deletions(-)
+ create mode 100644 cert.S
+ delete mode 100644 cert.h
+
+diff --git a/Makefile b/Makefile
+index 1e3a020..66b105f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
+
+-
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall -mno-red-zone \
+ $(EFI_INCLUDES)
+ ifeq ($(ARCH),x86_64)
+ CFLAGS += -DEFI_FUNCTION_WRAPPER
+ endif
++ifneq ($(origin VENDOR_CERT_FILE), undefined)
++ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
++endif
++
+ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
+
+-TARGET = shim.efi
+-OBJS = shim.o shim.so
+-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
++TARGET = shim.efi
++OBJS = shim.o cert.o
++SOURCES = shim.c shim.h signature.h PeImage.h
+
+ all: $(TARGET)
+
+ shim.o: $(SOURCES)
+
+-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
++cert.o : cert.S
++ $(CC) $(CFLAGS) -c -o $@ $<
++
++shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+ Cryptlib/libcryptlib.a:
+diff --git a/cert.S b/cert.S
+new file mode 100644
+index 0000000..129bab5
+--- /dev/null
++++ b/cert.S
+@@ -0,0 +1,32 @@
++#if defined(VENDOR_CERT_FILE)
++ .globl vendor_cert
++ .data
++ .align 16
++ .type vendor_cert, @object
++ .size vendor_cert_size, vendor_cert_size-vendor_cert
++vendor_cert:
++.incbin VENDOR_CERT_FILE
++
++ .globl vendor_cert_size
++ .data
++ .align 16
++ .type vendor_cert_size, @object
++ .size vendor_cert_size, 4
++vendor_cert_size:
++ .long vendor_cert_size - vendor_cert
++#else
++ .globl vendor_cert
++ .bss
++ .type vendor_cert, @object
++ .size vendor_cert, 1
++vendor_cert:
++ .zero 1
++
++ .globl vendor_cert_size
++ .data
++ .align 4
++ .type vendor_cert_size, @object
++ .size vendor_cert_size, 4
++vendor_cert_size:
++ .long 1
++#endif
+diff --git a/cert.h b/cert.h
+deleted file mode 100644
+index 380bc04..0000000
+--- a/cert.h
++++ /dev/null
+@@ -1 +0,0 @@
+-static UINT8 vendor_cert[] = {0x00};
+diff --git a/shim.c b/shim.c
+index fc3dafc..2d9044d 100644
+--- a/shim.c
++++ b/shim.c
+@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
+ /*
+ * The vendor certificate used for validating the second stage loader
+ */
+-
+-#include "cert.h"
++extern UINT8 vendor_cert[];
++extern UINT32 vendor_cert_size;
+
+ #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
+
+@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+
+ if (!AuthenticodeVerify(cert->CertData,
+ context->SecDir->Size - sizeof(cert->Hdr),
+- vendor_cert, sizeof(vendor_cert), hash,
++ vendor_cert, vendor_cert_size, hash,
+ SHA256_DIGEST_SIZE)) {
+ Print(L"Invalid signature\n");
+ status = EFI_ACCESS_DENIED;
+--
+1.7.11.2
+
More information about the scm-commits
mailing list