From 3d62232feb296b238ca5d7963ba40a2c346767e7 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Wed, 19 Dec 2018 12:40:02 +0800 Subject: [PATCH 24/62] mok: also mirror the build cert to MokListRT If the build cert is enabled, we should also mirror it to MokListRT. Signed-off-by: Gary Lin Upstream-commit-id: aecbe1f99b6 --- mok.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 72 insertions(+), 6 deletions(-) diff --git a/mok.c b/mok.c index 2b9d796a0e8..6150d8c8868 100644 --- a/mok.c +++ b/mok.c @@ -68,6 +68,10 @@ struct mok_state_variable { */ UINT8 **addend_source; UINT32 *addend_size; +#if defined(ENABLE_SHIM_CERT) + UINT8 **build_cert; + UINT32 *build_cert_size; +#endif /* defined(ENABLE_SHIM_CERT) */ UINT32 yes_attr; UINT32 no_attr; UINT32 flags; @@ -90,6 +94,10 @@ struct mok_state_variable mok_state_variables[] = { .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, .addend_source = &vendor_cert, .addend_size = &vendor_cert_size, +#if defined(ENABLE_SHIM_CERT) + .build_cert = &build_cert, + .build_cert_size = &build_cert_size, +#endif /* defined(ENABLE_SHIM_CERT) */ .flags = MOK_MIRROR_KEYDB | MOK_VARIABLE_LOG, .pcr = 14, @@ -130,6 +138,22 @@ struct mok_state_variable mok_state_variables[] = { { NULL, } }; +inline BOOLEAN check_vendor_cert(struct mok_state_variable *v) +{ + return (v->addend_source && v->addend_size && + *v->addend_source && *v->addend_size) ? TRUE : FALSE; +} +#if defined(ENABLE_SHIM_CERT) +inline BOOLEAN check_build_cert(struct mok_state_variable *v) +{ + return (v->build_cert && v->build_cert_size && + *v->build_cert && *v->build_cert_size) ? TRUE : FALSE; +} +#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v)) +#else +#define check_addend(v) check_vendor_cert(v) +#endif /* defined(ENABLE_SHIM_CERT) */ + static EFI_STATUS nonnull(1) mirror_one_mok_variable(struct mok_state_variable *v) { @@ -138,15 +162,27 @@ mirror_one_mok_variable(struct mok_state_variable *v) UINTN FullDataSize = 0; uint8_t *p = NULL; - if ((v->flags & MOK_MIRROR_KEYDB) && - v->addend_source && *v->addend_source && - v->addend_size && *v->addend_size) { + if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) { EFI_SIGNATURE_LIST *CertList = NULL; EFI_SIGNATURE_DATA *CertData = NULL; +#if defined(ENABLE_SHIM_CERT) + FullDataSize = v->data_size; + if (check_build_cert(v)) { + FullDataSize += sizeof (*CertList) + + sizeof (EFI_GUID) + + *v->build_cert_size; + } + if (check_vendor_cert(v)) { + FullDataSize += sizeof (*CertList) + + sizeof (EFI_GUID) + + *v->addend_size; + } +#else FullDataSize = v->data_size + sizeof (*CertList) + sizeof (EFI_GUID) + *v->addend_size; +#endif /* defined(ENABLE_SHIM_CERT) */ FullData = AllocatePool(FullDataSize); if (!FullData) { perror(L"Failed to allocate space for MokListRT\n"); @@ -158,6 +194,35 @@ mirror_one_mok_variable(struct mok_state_variable *v) CopyMem(p, v->data, v->data_size); p += v->data_size; } + +#if defined(ENABLE_SHIM_CERT) + if (check_build_cert(v) == FALSE) + goto skip_build_cert; + + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; + CertList->SignatureListSize = *v->build_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = *v->build_cert_size + + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, *v->build_cert, *v->build_cert_size); + + p += *v->build_cert_size; + + if (check_vendor_cert(v) == FALSE) + goto skip_vendor_cert; +skip_build_cert: +#endif /* defined(ENABLE_SHIM_CERT) */ + CertList = (EFI_SIGNATURE_LIST *)p; p += sizeof (*CertList); CertData = (EFI_SIGNATURE_DATA *)p; @@ -174,6 +239,9 @@ mirror_one_mok_variable(struct mok_state_variable *v) CertData->SignatureOwner = SHIM_LOCK_GUID; CopyMem(p, *v->addend_source, *v->addend_size); +#if defined(ENABLE_SHIM_CERT) +skip_vendor_cert: +#endif /* defined(ENABLE_SHIM_CERT) */ if (v->data && v->data_size) FreePool(v->data); v->data = FullData; @@ -247,9 +315,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) UINT32 attrs = 0; BOOLEAN delete = FALSE, present, addend; - addend = (v->addend_source && v->addend_size && - *v->addend_source && *v->addend_size) - ? TRUE : FALSE; + addend = check_addend(v); efi_status = get_variable_attr(v->name, &v->data, &v->data_size, -- 2.26.2