From 7d542805ba5c48185128a2351bb315a5648fe3d7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 23 Jul 2020 00:08:30 -0400
Subject: [PATCH 56/62] Make cert.S not impossible to read.

Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream: pr#206
---
 shim.c | 47 +++++++++++++++++--------------
 shim.h | 28 +++++++++++++++---
 cert.S | 89 ++++++++++++++++++++++------------------------------------
 3 files changed, 84 insertions(+), 80 deletions(-)

diff --git a/shim.c b/shim.c
index 0e7e784b4c8..888ee6e8d7b 100644
--- a/shim.c
+++ b/shim.c
@@ -68,16 +68,18 @@ static UINT32 load_options_size;
  * The vendor certificate used for validating the second stage loader
  */
 extern struct {
-	UINT32 vendor_cert_size;
-	UINT32 vendor_dbx_size;
-	UINT32 vendor_cert_offset;
-	UINT32 vendor_dbx_offset;
+	UINT32 vendor_authorized_size;
+	UINT32 vendor_deauthorized_size;
+	UINT32 vendor_authorized_offset;
+	UINT32 vendor_deauthorized_offset;
 } cert_table;
 
-UINT32 vendor_cert_size;
-UINT32 vendor_dbx_size;
-UINT8 *vendor_cert;
-UINT8 *vendor_dbx;
+UINT32 vendor_authorized_size = 0;
+UINT8 *vendor_authorized = NULL;
+
+UINT32 vendor_deauthorized_size = 0;
+UINT8 *vendor_deauthorized = NULL;
+
 #if defined(ENABLE_SHIM_CERT)
 UINT32 build_cert_size;
 UINT8 *build_cert;
@@ -554,22 +556,22 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data,
 static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 				   UINT8 *sha256hash, UINT8 *sha1hash)
 {
-	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
+	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized;
 
-	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
+	if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha256hash,
 			SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx",
 			EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
 		LogError(L"binary sha256hash found in vendor dbx\n");
 		return EFI_SECURITY_VIOLATION;
 	}
-	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
+	if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha1hash,
 				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx",
 				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
 		LogError(L"binary sha1hash found in vendor dbx\n");
 		return EFI_SECURITY_VIOLATION;
 	}
 	if (cert &&
-	    check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx",
+	    check_db_cert_in_ram(dbx, vendor_deauthorized_size, cert, sha256hash, L"dbx",
 				 EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) {
 		LogError(L"cert sha256hash found in vendor dbx\n");
 		return EFI_SECURITY_VIOLATION;
@@ -1077,19 +1079,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 		/*
 		 * And finally, check against shim's built-in key
 		 */
-		if (vendor_cert_size &&
+		if (vendor_authorized_size &&
 		    AuthenticodeVerify(cert->CertData,
 				       cert->Hdr.dwLength - sizeof(cert->Hdr),
-				       vendor_cert, vendor_cert_size,
+				       vendor_authorized, vendor_authorized_size,
 				       sha256hash, SHA256_DIGEST_SIZE)) {
 			update_verification_method(VERIFIED_BY_CERT);
 			tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
-					     vendor_cert_size, vendor_cert);
+					     vendor_authorized_size, vendor_authorized);
 			efi_status = EFI_SUCCESS;
 			drain_openssl_errors();
 			return efi_status;
 		} else {
-			LogError(L"AuthenticodeVerify(vendor_cert) failed\n");
+			LogError(L"AuthenticodeVerify(vendor_authorized) failed\n");
 		}
 	}
 
@@ -2501,7 +2503,7 @@ shim_init(void)
 	}
 
 	if (secure_mode()) {
-		if (vendor_cert_size || vendor_dbx_size) {
+		if (vendor_authorized_size || vendor_deauthorized_size) {
 			/*
 			 * If shim includes its own certificates then ensure
 			 * that anything it boots has performed some
@@ -2606,14 +2608,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 
 	verification_method = VERIFIED_BY_NOTHING;
 
-	vendor_cert_size = cert_table.vendor_cert_size;
-	vendor_dbx_size = cert_table.vendor_dbx_size;
-	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
+	vendor_authorized_size = cert_table.vendor_authorized_size;
+	vendor_authorized = (UINT8 *)&cert_table + cert_table.vendor_authorized_offset;
+
+	vendor_deauthorized_size = cert_table.vendor_deauthorized_size;
+	vendor_deauthorized = (UINT8 *)&cert_table + cert_table.vendor_deauthorized_offset;
+
 #if defined(ENABLE_SHIM_CERT)
 	build_cert_size = sizeof(shim_cert);
 	build_cert = shim_cert;
 #endif /* defined(ENABLE_SHIM_CERT) */
+
 	CHAR16 *msgs[] = {
 		L"import_mok_state() failed",
 		L"shim_init() failed",
diff --git a/shim.h b/shim.h
index a0fa5a75e7e..555498c6673 100644
--- a/shim.h
+++ b/shim.h
@@ -97,6 +97,24 @@
 #define FALLBACK L"\\fb" EFI_ARCH L".efi"
 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
 
+#if defined(VENDOR_CERT_FILE)
+# define vendor_authorized vendor_cert
+# define vendor_authorized_size vendor_cert_size
+# define vendor_authorized_category VENDOR_ADDEND_X509
+#else
+# define vendor_authorized vendor_null
+# define vendor_authorized_size vendor_null_size
+# define vendor_authorized_category VENDOR_ADDEND_NONE
+#endif
+
+#if defined(VENDOR_DBX_FILE)
+# define vendor_deauthorized vendor_dbx
+# define vendor_deauthorized_size vendor_dbx_size
+#else
+# define vendor_deauthorized vendor_deauthorized_null
+# define vendor_deauthorized_size vendor_deauthorized_null_size
+#endif
+
 #include "include/asm.h"
 #include "include/configtable.h"
 #include "include/console.h"
@@ -166,10 +184,12 @@ extern VOID ClearErrors(VOID);
 extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
 extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
 
-extern UINT32 vendor_cert_size;
-extern UINT32 vendor_dbx_size;
-extern UINT8 *vendor_cert;
-extern UINT8 *vendor_dbx;
+extern UINT32 vendor_authorized_size;
+extern UINT8 *vendor_authorized;
+
+extern UINT32 vendor_deauthorized_size;
+extern UINT8 *vendor_deauthorized;
+
 #if defined(ENABLE_SHIM_CERT)
 extern UINT32 build_cert_size;
 extern UINT8 *build_cert;
diff --git a/cert.S b/cert.S
index cfc4525b44c..520caaef3af 100644
--- a/cert.S
+++ b/cert.S
@@ -1,65 +1,44 @@
+
+#if defined(VENDOR_CERT_FILE)
+# define vendor_authorized vendor_cert
+# define vendor_authorized_end vendor_cert_end
+# define vendor_authorized_size vendor_cert_size
+# define vendor_authorized_size_end vendor_cert_size_end
+#endif
+
+#if defined(VENDOR_DBX_FILE)
+# define vendor_deauthorized vendor_dbx
+# define vendor_deauthorized_end vendor_dbx_end
+# define vendor_deauthorized_size vendor_dbx_size
+# define vendor_deauthorized_size_end vendor_dbx_size_end
+#endif
+
 	.globl cert_table
 	.type	cert_table, %object
-	.size	cert_table, 4
+	.size	cert_table, .Lcert_table_end - cert_table
 	.section .vendor_cert, "a", %progbits
+	.balignl 4, 0
 cert_table:
-#if defined(VENDOR_CERT_FILE)
-	.long	vendor_cert_priv_end - vendor_cert_priv
-#else
-	.long	0
-#endif
-#if defined(VENDOR_DBX_FILE)
-	.long	vendor_dbx_priv_end - vendor_dbx_priv
-#else
-	.long	0
-#endif
-	.long	vendor_cert_priv - cert_table
-	.long	vendor_dbx_priv - cert_table
-#if defined(VENDOR_CERT_FILE)
-	.data
-	.align	1
-	.type	vendor_cert_priv, %object
-	.size	vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv
+	.4byte	.Lvendor_authorized_end - vendor_authorized
+	.4byte	.Lvendor_deauthorized_end - vendor_deauthorized
+	.4byte	vendor_authorized - cert_table
+	.4byte	vendor_deauthorized - cert_table
+	.balign	1, 0
+	.type	vendor_authorized, %object
+	.size	vendor_authorized, .Lvendor_authorized_end - vendor_authorized
 	.section .vendor_cert, "a", %progbits
-vendor_cert_priv:
+vendor_authorized:
+#if defined(VENDOR_CERT_FILE)
 .incbin VENDOR_CERT_FILE
-vendor_cert_priv_end:
-#else
-	.bss
-	.type	vendor_cert_priv, %object
-	.size	vendor_cert_priv, 1
-	.section .vendor_cert, "a", %progbits
-vendor_cert_priv:
-	.zero	1
-
-	.data
-	.align 4
-	.type	vendor_cert_size_priv, %object
-	.size	vendor_cert_size_priv, 4
-	.section .vendor_cert, "a", %progbits
-vendor_cert_priv_end:
 #endif
+.Lvendor_authorized_end:
+	.balign	1, 0
+	.type	vendor_deauthorized, %object
+	.size	vendor_deauthorized, .Lvendor_deauthorized_end - vendor_deauthorized
+	.section .vendor_cert, "a", %progbits
+vendor_deauthorized:
 #if defined(VENDOR_DBX_FILE)
-	.data
-	.align	1
-	.type	vendor_dbx_priv, %object
-	.size	vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv
-	.section .vendor_cert, "a", %progbits
-vendor_dbx_priv:
 .incbin VENDOR_DBX_FILE
-vendor_dbx_priv_end:
-#else
-	.bss
-	.type	vendor_dbx_priv, %object
-	.size	vendor_dbx_priv, 1
-	.section .vendor_cert, "a", %progbits
-vendor_dbx_priv:
-	.zero	1
-
-	.data
-	.align 4
-	.type	vendor_dbx_size_priv, %object
-	.size	vendor_dbx_size_priv, 4
-	.section .vendor_cert, "a", %progbits
-vendor_dbx_priv_end:
 #endif
+.Lvendor_deauthorized_end:
+.Lcert_table_end:
-- 
2.26.2