Hello community, here is the log from the commit of package shim for openSUSE:13.1 checked in at 2013-10-25 13:50:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1/shim (Old) and /work/SRC/openSUSE:13.1/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Changes: -------- --- /work/SRC/openSUSE:13.1/shim/shim.changes 2013-10-02 13:33:59.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.shim.new/shim.changes 2013-10-25 13:50:02.000000000 +0200 
@@ -2,132 +1,0 @@ -Tue Oct 1 04:29:29 UTC 2013 - [email protected] - -- Add shim-netboot-fixes.patch to include upstream netboot fixes -- Add shim-mokmanager-disable-gfx-console.patch to disable the - graphics console to avoid system hang on some machines -- Add shim-bnc841426-silence-shim-protocols.patch to silence the - shim protocols (bnc#841426) - -------------------------------------------------------------------- -Wed Sep 25 07:17:54 UTC 2013 - [email protected] - -- Create boot.csv in ESP for fallback.efi to restore the boot entry - -------------------------------------------------------------------- -Tue Sep 17 10:53:50 CEST 2013 - [email protected] - -- Update microsoft.asc: shim signed by UEFI signing service, based - on code from "Fri Sep 6 13:57:36 UTC 2013". -- Improve extract_signature.sh to work on current path. - -------------------------------------------------------------------- -Fri Sep 6 13:57:36 UTC 2013 - [email protected] - -- set timestamp of PE file to time of the binary the signature was - made for. -- make sure cert.o get's rebuilt for each target - -------------------------------------------------------------------- -Fri Sep 6 11:48:14 CEST 2013 - [email protected] - -- Update microsoft.asc: shim signed by UEFI signing service, based - on code from "Wed Aug 28 15:54:38 UTC 2013" - -------------------------------------------------------------------- -Wed Aug 28 15:54:38 UTC 2013 - [email protected] - -- always build a shim that embeds the distro's certificate (e.g. - shim-opensuse.efi). If the package is built in the devel project - additionally shim-devel.efi is created. That allows us to either - load grub2/kernel signed by the distro or signed by the devel - project, depending on use case. Also shim-$distro.efi from the - devel project can be used to request additional signatures. 
- -------------------------------------------------------------------- -Wed Aug 28 07:16:51 UTC 2013 - [email protected] - -- also include old openSUSE 4096 bit certificate to be able to still - boot kernels signed with that key. -- add show_signatures script - -------------------------------------------------------------------- -Tue Aug 27 06:41:03 UTC 2013 - [email protected] - -- replace the 4096 bit openSUSE UEFI CA certificate with new a - standard compliant 2048 bit one. - -------------------------------------------------------------------- -Tue Aug 20 11:48:25 UTC 2013 - [email protected] - -- fix shell syntax error - -------------------------------------------------------------------- -Wed Aug 7 15:51:36 UTC 2013 - [email protected] - -- don't include binary in the sources. Instead package the raw - signature and attach it during build (bnc#813448). - -------------------------------------------------------------------- -Tue Jul 30 07:36:28 UTC 2013 - [email protected] - -- Update shim-mokmanager-ui-revamp.patch to include fixes for - MokManager - + reboot the system after clearing MOK password - + fetch more info from X509 name - + check the suffix of the key file - -------------------------------------------------------------------- -Tue Jul 23 03:55:05 UTC 2013 - [email protected] - -- Update to 0.4 -- Rebase patches - + shim-suse-build.patch - + shim-mokmanager-support-crypt-hash-method.patch - + shim-bnc804631-fix-broken-bootpath.patch - + shim-bnc798043-no-doulbe-separators.patch - + shim-bnc807760-change-pxe-2nd-loader-name.patch - + shim-bnc808106-correct-certcount.patch - + shim-mokmanager-ui-revamp.patch -- Add patches - + shim-merge-lf-loader-code.patch: merge the Linux Foundation - loader UI code - + shim-fix-pointer-casting.patch: fix a casting issue and the - size of an empty vendor cert - + shim-fix-simple-file-selector.patch: fix the buffer allocation - in the simple file selector -- Remove upstreamed patches - + shim-support-mok-delete.patch 
- + shim-reboot-after-changes.patch - + shim-clear-queued-key.patch - + shim-local-key-sign-mokmanager.patch - + shim-get-2nd-stage-loader.patch - + shim-fix-loadoptions.patch -- Remove unused patch: shim-mokmanager-new-pw-hash.patch and - shim-keep-unsigned-mokmanager.patch -- Install the vendor certificate to /etc/uefi/certs - -------------------------------------------------------------------- -Wed May 8 06:40:12 UTC 2013 - [email protected] - -- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI - -------------------------------------------------------------------- -Wed Apr 3 03:54:22 UTC 2013 - [email protected] - -- Call update-bootloader in %post to update *.efi in \efi\opensuse - (bnc#813079) - -------------------------------------------------------------------- -Fri Mar 8 06:53:47 UTC 2013 - [email protected] - -- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the - PXE 2nd stage loader name (bnc#807760) -- Add shim-bnc808106-correct-certcount.patch to correct the - certificate count of the signature list (bnc#808106) - -------------------------------------------------------------------- -Fri Mar 1 10:07:55 UTC 2013 - [email protected] - -- Add shim-bnc798043-no-doulbe-separators.patch to remove double - seperators from the bootpath (bnc#798043#c4) - -------------------------------------------------------------------- Old: ---- attach_signature.sh extract_signature.sh microsoft.asc openSUSE-UEFI-CA-Certificate-4096.crt shim-0.4.tar.bz2 shim-bnc798043-no-doulbe-separators.patch shim-bnc807760-change-pxe-2nd-loader-name.patch shim-bnc808106-correct-certcount.patch shim-bnc841426-silence-shim-protocols.patch shim-fix-pointer-casting.patch shim-fix-simple-file-selector.patch shim-merge-lf-loader-code.patch shim-mokmanager-disable-gfx-console.patch shim-mokmanager-ui-revamp.patch shim-netboot-fixes.patch show_hash.sh show_signatures.sh strip_signature.sh timestamp.pl New: ---- shim-0.2.tar.bz2 shim-clear-queued-key.patch 
shim-fix-loadoptions.patch shim-get-2nd-stage-loader.patch shim-keep-unsigned-mokmanager.patch shim-local-key-sign-mokmanager.patch shim-mokmanager-new-pw-hash.patch shim-reboot-after-changes.patch shim-signed.efi shim-support-mok-delete.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:02.000000000 +0200 +++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:02.000000000 +0200 
@@ -19,57 +19,47 @@ # needssslcertforbuild Name: shim -Version: 0.4 +Version: 0.2 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 -# run "extract_signature.sh shim.efi" where shim.efi is the binary -# with the signature from the UEFI signing service. -Source1: microsoft.asc +# this binary has been signed by UEFI signing service +# FIXME: evaluate whether using signature only and attaching that +# to the built binary also works +Source1: shim-signed.efi Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt -Source5: extract_signature.sh -Source6: attach_signature.sh -Source7: show_hash.sh -Source8: show_signatures.sh -Source9: openSUSE-UEFI-CA-Certificate-4096.crt -Source10: timestamp.pl # PATCH-FIX-SUSE shim-suse-build.patch [email protected] -- Adjust Makefile for the build service Patch0: shim-suse-build.patch -# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch [email protected] -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. 
-Patch1: shim-fix-pointer-casting.patch -# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch [email protected] -- Merge the Linux Foundation loader UI code -Patch2: shim-merge-lf-loader-code.patch -# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch [email protected] -- Fix the buffer allocation in the simple file selector -Patch3: shim-fix-simple-file-selector.patch +# PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch [email protected] -- Sign MokManager.efi with the local generated certificate +Patch1: shim-local-key-sign-mokmanager.patch +# PATCH-FEATURE-UPSTREAM shim-get-2nd-stage-loader.patch [email protected] -- Get the second stage loader path from the load options +Patch2: shim-get-2nd-stage-loader.patch +# PATCH-FIX-UPSTREAM shim-reboot-after-changes.patch [email protected] -- Reboot the system after enrolling or erasing keys +Patch3: shim-reboot-after-changes.patch +# PATCH-FIX-UPSTREAM shim-clear-queued-key.patch [email protected] -- Clear the queued key to show the menu properly +Patch5: shim-clear-queued-key.patch +# PATCH-FIX-UPSTREAM shim-fix-loadoptions.patch bnc#798043 [email protected] -- Adopt the UEFI shell style LoadOptions +Patch6: shim-fix-loadoptions.patch +# PATCH-FIX-UPSTREAM shim-support-mok-delete.patch [email protected] -- Support for deleting specific keys +Patch7: shim-support-mok-delete.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch [email protected] -- Support the new password hash +Patch8: shim-mokmanager-new-pw-hash.patch # PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch [email protected] -- Support the password hashes from /etc/shadow -Patch4: shim-mokmanager-support-crypt-hash-method.patch +Patch9: shim-mokmanager-support-crypt-hash-method.patch +# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch [email protected] -- Keep MokManager.efi and sign it with the openSUSE key later +Patch10: shim-keep-unsigned-mokmanager.patch # PATCH-FIX-UPSTREAM 
shim-bnc804631-fix-broken-bootpath.patch bnc#804631 [email protected] -- Fix the broken bootpath generated in generate_path() -Patch5: shim-bnc804631-fix-broken-bootpath.patch -# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 [email protected] -- Remove all double-separators from the bootpath -Patch6: shim-bnc798043-no-doulbe-separators.patch -# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 [email protected] -- Change the PXE 2nd stage loader to match the filename we are using -Patch7: shim-bnc807760-change-pxe-2nd-loader-name.patch -# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 [email protected] -- Correct the certifcate count of the signature list -Patch8: shim-bnc808106-correct-certcount.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch [email protected] -- Revamp the MokManager UI -Patch9: shim-mokmanager-ui-revamp.patch -# PATCH-FIX-UPSTREAM shim-netboot-fixes.patch [email protected] -- Upstream netboot fixes -Patch10: shim-netboot-fixes.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-disable-gfx-console.patch [email protected] -- Disable graphics console to avoid system hang on some machines -Patch11: shim-mokmanager-disable-gfx-console.patch -# PATCH-FIX-UPSTREAM shim-bnc841426-silence-shim-protocols.patch bnc#841426 [email protected] -- Silence the shim protocols to avoid system hang -Patch12: shim-bnc841426-silence-shim-protocols.patch -BuildRequires: gnu-efi >= 3.0t +Patch11: shim-bnc804631-fix-broken-bootpath.patch +BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration -Requires: perl-Bootloader BuildRoot: %{_tmppath}/%{name}-%{version}-build Recommends: grub2-efi ExclusiveArch: x86_64 @@ -90,7 +80,6 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 
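Review bot: Version goes from 0.4 back to 0.2, and the removed side of this hunk lists fixes that the new side no longer applies — shim-bnc808106-correct-certcount.patch (certificate count of the signature list), shim-fix-pointer-casting.patch (size of an empty vendor_cert/dbx_cert) and shim-fix-simple-file-selector.patch (buffer allocation in the file selector) — while the shim.changes hunk above deletes every changelog entry and adds none. If this is a deliberate rollback it should be visible to the next packager: above `Version:` add `# NOTE: rolled back from 0.4 to 0.2 (2013-10-25); the 0.4 fixes for certcount (bnc#808106), vendor_cert size casting and the file-selector allocation are NOT in this build` and add a matching shim.changes entry. The new `# FIXME: evaluate whether using signature only and attaching that to the built binary also works` on Source1 asks for exactly what the removed Source1/Source5/Source6/Source10 lines (microsoft.asc with extract_signature.sh, attach_signature.sh and timestamp.pl) implemented, so the FIXME should either reference that earlier scheme or state why it was abandoned. `BuildRequires: gnu-efi >= 3.0t` also drops to `>= 3.0q`; that is consistent with 0.2 only if none of the still-applied patches need the newer headers, which this page cannot show.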
@@ -98,118 +87,58 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 -%patch12 -p1 %build chmod +x "make-certs" -# first, build MokManager and fallback as they don't depend on a -# specific certificate -make MokManager.efi fallback.efi 2>/dev/null - -# now build variants of shim that embed different certificates -default='' -suffixes=(opensuse sles) -# check whether the project cert is a known one. If it is we build -# just one shim that embeds this specific cert. If it's a devel -# project we build all variants to simplify testing. if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) if test "$prjissuer" = "$opensusesubject" ; then - suffixes=(opensuse) - elif test "$prjissuer" = "$slessubject" ; then - suffixes=(sles) - elif test "$prjsubject" = "$prjissuer" ; then - suffixes=(devel opensuse sles) - fi -fi - -for suffix in "${suffixes[@]}"; do - if test "$suffix" = "opensuse"; then + suffix=opensuse cert=%{SOURCE2} - cert2=%{SOURCE9} - elif test "$suffix" = "sles"; then - cert=%{SOURCE4} - cert2='' - elif test "$suffix" = "devel"; then - cert=%{_sourcedir}/_projectcert.crt - cert2='' - test -e "$cert" || continue - else - echo "invalid suffix" - false - fi - - openssl x509 -in $cert -outform DER -out shim-$suffix.der - if [ -z "$cert2" ]; then - # create empty local cert file, we don't need a local key pair as we - # sign the mokmanager with our vendor key - touch shim.crt - touch shim.cer - else - cp $cert2 shim.crt - rm -f shim.cer fi - # make sure cast warnings don't trigger post build check - make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null - # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} - # alternative: verify 
signature - #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - head -1 %{SOURCE1} > hash1 - cp shim.efi shim.efi.bak - # pe header contains timestamp and checksum. we need to - # restore that - %{SOURCE10} --set-from-file %{SOURCE1} shim.efi - %{SOURCE7} shim.efi > hash2 - cat hash1 hash2 - if ! cmp -s hash1 hash2; then - echo "ERROR: binary changed, need to request new signature!" - # don't fail in devel projects - prj="%{_project}" - if [ "${prj%%:*}" = "openSUSE" ]; then - false + if test "$prjissuer" = "$slessubject" ; then + suffix=sles + cert=%{SOURCE4} fi - mv shim.efi.bak shim-$suffix.efi - rm shim.efi - else - # attach signature - %{SOURCE6} %{SOURCE1} shim.efi - mv shim-signed.efi shim-$suffix.efi - rm -f shim.efi + if test "$prjsubject" = "$prjissuer" ; then + suffix=local + cert=%{_sourcedir}/_projectcert.crt fi - rm -f shim.cer shim.crt - # make sure cert.o gets rebuilt - rm -f cert.o -done +fi +if test -z "$suffix" ; then + echo "cannot identify project, assuming openSUSE signing" + suffix=opensuse + cert=%{SOURCE2} +fi -ln -s shim-${suffixes[0]}.efi shim.efi +openssl x509 -in $cert -outform DER -out shim-$suffix.der +# create empty local cert file, we don't need a local key pair as we +# sign the mokmanager with our vendor key +touch shim.crt +touch shim.cer +# make sure cast warnings don't trigger post build check +make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null +# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx +mv shim.efi shim-$suffix.efi %install -export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi' +export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi -cp -a shim*.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi -install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi 
-install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi +# FIXME: install signed shim here +install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi +install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi install -d %{buildroot}/%{_sbindir} install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ -# install SUSE certificate -install -d %{buildroot}/%{_sysconfdir}/uefi/certs/ -for file in shim-*.der; do - fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') - install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt -done %clean %{?buildroot:%__rm -rf "%{buildroot}"} -%post -/sbin/update-bootloader --refresh || true - %files %defattr(-,root,root) %doc COPYRIGHT @@ -218,10 +147,6 @@ %{_libdir}/efi/shim-*.efi %{_libdir}/efi/shim-*.der %{_libdir}/efi/MokManager.efi -%{_libdir}/efi/fallback.efi %{_sbindir}/shim-install -%dir %{_sysconfdir}/uefi/ -%dir %{_sysconfdir}/uefi/certs/ -%{_sysconfdir}/uefi/certs/*.crt %changelog ++++++ openSUSE-UEFI-CA-Certificate.crt ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:02.000000000 +0200 +++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:02.000000000 +0200 
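Review bot: `install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi` ships a pre-signed binary checked into the package with no check that it corresponds to the shim just built from these sources, whereas the removed side hashed the freshly built shim.efi (after restoring the PE timestamp with `timestamp.pl --set-from-file`), compared it with the hash stored as the first line of microsoft.asc, and failed the build in openSUSE projects on mismatch. Without that tie-in a stale or substituted shim-signed.efi is installed silently; given pesign is already a BuildRequires, a minimal replacement is `pesign -h -i shim-$suffix.efi > hash.built`, `pesign -h -i %{SOURCE1} > hash.signed` and `cmp -s hash.built hash.signed || { echo "signed shim does not match build"; false; }` — with the caveat from the removed comment that the PE header timestamp must match first, so this only holds once that step is restored or the build is otherwise reproducible. `export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi ...'` now also matches the installed `shim.efi`, so unless the pesign brp skips already-signed images the UEFI-signed binary gets an openSUSE signature appended on top; `shim-*.efi`, the pattern already used on the `install` line for the built variants, excludes it. The `%post` that ran `/sbin/update-bootloader --refresh` (bnc#813079 in the removed changelog) and the `/etc/uefi/certs` install are dropped as well, so on upgrade the shim.efi already in the ESP is left as-is until something else refreshes it.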
@@ -1,26 +1,37 @@ -----BEGIN CERTIFICATE----- -MIIEdDCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl +MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW -EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjEyMDdaFw0zNTA3MjIxNjEy -MDdaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE +EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz +MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv -amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3t9hknqk/oPRfTtoDrGn8E6Sk/xHPnAt -Tojcmp76M7Sm2w4jwQ2owdVlBIQE/zpIGE85MuTKTvkEnp8PzSBdYaunANil/yt/ -vuhHwy9bAsi73o4a6UbThu//iJmQ6xCJuIs/PqgHxlV6btNf/IM8PRbtJsUTc5Kx -cB4ilcgAbCV2RvGi2dCwmGgPpy2xDWeJypRK6hLFkVV2f2x6LvkYiZ/49CRD1TVq -ywAOLu1L4l0J2BuXcJmeWm+mgaidqVh2fWlxgtO6OpZDm/DaFcZO6cgVuenLx+Rx -zuoQG2vEKnABqVK0F94AUs995P0PTQMYspAo1G/Erla8NmBJRotrCwIDAQABo4H0 -MIHxMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGhCYA3iLExHfpW+I9/qlRPl -lxdiMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPllxdioYGHpIGEMIGB -MSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUx -EjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEh -MB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEBMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAiqOJwo7Z+YIL8zPO6RkXF6NlgM0zrgZR -Vim2OId79J38KI6q4FMSDjpgxwbYOmF2O3cI9JSkjHxHOpnYhJsXzCBiLuJ25MY2 -DSbpLlM1Cvs6NZNFw5OCwQvzCOlXH1k3qdBsafto6n87r9P3WSeO1MeWc/QMCvc+ -5K9sjMd6bwl59EEf428R+z5ssaB75JK3yvky9d7DsHN947OCXc3sYdz+DD7Gteds -LV2Sc//tqmqpm2aeXjptcLAxwM7fLyEQaAyH83egMzEKDxX27jKIxZpTcc0NGqEo -idC/9lasSzs2BisBxevl3HKDPZSsKIMT+8FdJ5wT9jJf9h9Ktz5Tig== +amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8 
+YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN +z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh +O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/ +w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf +RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM +ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx +ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg +i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i +EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH +CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg +4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ +DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79 +aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg +Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w +ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y +Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu +Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/ +phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD +dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0 +nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD +eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c +sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO +Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3 +BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG +A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI +xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp +4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL -----END CERTIFICATE----- ++++++ shim-0.4.tar.bz2 -> shim-0.2.tar.bz2 ++++++ ++++ 2835 lines of diff (skipped) ++++++ shim-bnc804631-fix-broken-bootpath.patch ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:03.000000000 +0200 +++ 
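Review bot: The new side of this hunk puts back the 4096-bit openSUSE Secure Boot CA (SubjectPublicKeyInfo prefix `MIICIjAN…AOCAg8A`, notBefore 2013-01-28) in place of the 2048-bit one (`MIIBIjAN…AOCAQ8A`, notBefore 2013-08-26) that the removed changelog says replaced it on Aug 27 as "standard compliant", and the spec hunk no longer carries the second CA as Source9. A shim built with this file therefore trusts only images signed under the 4096-bit key; any grub2, kernel or MokManager signed with a key issued by the 2048-bit CA since then fails verification under Secure Boot unless the user enrolls that CA through MokManager — whether such binaries exist for 13.1 is not visible here. Relatedly, %build compares the build project's certificate issuer hash against this file's subject hash; if the 13.1 project certificate is issued by the 2048-bit CA, that comparison falls through to "cannot identify project, assuming openSUSE signing" and the embedded vendor cert will not match the key pesign uses for MokManager.efi, so the build log is worth checking for that message. A PEM file cannot carry a comment, so record the choice next to Source2 in the spec: `# 4096-bit CA of 2013-01-28; images signed under the 2048-bit CA (Aug 2013) are NOT trusted by this shim`.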
/var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:03.000000000 +0200 @@ -1,4 +1,4 @@ -From bfffac234fabdf8110e8e8c53557d57d61320098 Mon Sep 17 00:00:00 2001 +From 6b70850baa958b196ec332cf0224ffa9d5a81f5f Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Thu, 21 Feb 2013 17:49:29 +0800 Subject: [PATCH] Fix the broken bootpath @@ -12,14 +12,14 @@ Based on the patch from Michal Marek <[email protected]> --- - shim.c | 22 +++++++++++++++++----- + shim.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c -index 94b9710..0622c72 100644 +index 37a5898..690d064 100644 --- a/shim.c +++ b/shim.c -@@ -981,15 +981,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, +@@ -919,15 +919,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, pathlen = StrLen(bootpath); @@ -50,7 +50,7 @@ *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); -@@ -1007,6 +1017,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, +@@ -944,6 +954,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *grubpath = FileDevicePath(device, *PathName); error: @@ -60,5 +60,5 @@ } -- -1.8.1.4 +1.7.10.4 ++++++ shim-clear-queued-key.patch ++++++ >From daa6a7519caa23ef69b9a879bc70789a0669b3e3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Wed, 26 Dec 2012 11:44:46 +0800 Subject: [PATCH] Make sure the menu shows when the callback fails Since Pause() doesn't clear the key from the input queue, the next ReadKeyStroke reads the queued key instead of the new one. If the user presses "Enter", MokManager exits directly without showing the menu again. --- MokManager.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MokManager.c b/MokManager.c index bfcbfd6..97588cb 100644 --- a/MokManager.c +++ b/MokManager.c 
@@ -1241,6 +1241,9 @@ static void run_menu (CHAR16 *header, UINTN lines, struct menu_item *items, if (ret < 0) { Print(L"Press a key to continue\n"); Pause(); + /* Clear the key in the queue */ + uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, + ST->ConIn, &key); } draw_menu (header, lines, items, count); pos = 0; -- 1.7.10.4 ++++++ shim-fix-loadoptions.patch ++++++ commit f23f6b726bd12b28befd5a064c47a8a249d80a59 Author: Gary Ching-Pang Lin <[email protected]> Date: Mon Jan 14 16:53:19 2013 +0800 Adopt the UEFI shell style LoadOptions The previous commit, 14d4b8e, caused shim failed to parse the name of the 2nd stage loader in UEFI shell. Amend parsing of the name the 2nd stage loader to be compatible with UEFI shell. To create an boot entry for elilo.efi: # efibootmgr -c -L "shim elilo" -l "efi\\shim.efi" -u "shim.efi elilo.efi" diff --git a/shim.c b/shim.c index dcf1c51..37a5898 100644 --- a/shim.c +++ b/shim.c @@ -1330,6 +1330,8 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; int i, remaining_size = 0; + CHAR16 *loader_str = NULL; + int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; @@ -1351,6 +1353,11 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) return EFI_BAD_BUFFER_SIZE; } + /* + * UEFI shell copies the whole line of the command into LoadOptions. + * We ignore the string before the first L' ', i.e. the name of this + * program. + */ for (i = 0; i < li->LoadOptionsSize; i += 2) { c = (CHAR16 *)(li->LoadOptions + i); if (*c == L' ') { 
@@ -1360,9 +1367,30 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) break; } } + if (!start || remaining_size <= 0) + return EFI_SUCCESS; - second_stage = (CHAR16 *)li->LoadOptions; - if (start && remaining_size > 0) { + for (i = 0; start[i] != '\0'; i++) { + if (start[i] == L' ' || start[i] == L'\0') + break; + loader_len++; + } + + /* + * Setup the name of the alternative loader and the LoadOptions for + * the loader + */ + if (loader_len > 0) { + loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16)); + if (!loader_str) { + Print(L"Failed to allocate loader string\n"); + return EFI_OUT_OF_RESOURCES; + } + for (i = 0; i < loader_len; i++) + loader_str[i] = start[i]; + loader_str[loader_len] = L'\0'; + + second_stage = loader_str; load_options = start; load_options_size = remaining_size; } @@ -1439,5 +1467,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, &shim_lock_guid, &shim_lock_interface); + /* + * Free the space allocated for the alternative 2nd stage loader + */ + if (load_options_size > 0) + FreePool(second_stage); + return efi_status; } ++++++ shim-get-2nd-stage-loader.patch ++++++ commit 940425a8bce6bf1b556dc48189884b4a82d8d420 Author: Gary Ching-Pang Lin <[email protected]> Date: Thu Dec 6 17:47:26 2012 +0800 Get the second stage loader from the Load Options This commit replaces the 2nd stage loader path with the first argument in the Load Options and moves the rest arguments (if any) to the Load Options for the 2nd stage loader. For example, to make shim to load elilo.efi, just create a new boot entry with efibootmgr: # efibootmgr -c -L "shim elilo" -l "efi\\shim.efi" -u "elilo.efi" diff --git a/shim.c b/shim.c index c3aae9e..44301dd 100644 --- a/shim.c +++ b/shim.c 
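Review bot: The name-length scan `for (i = 0; start[i] != '\0'; i++) { if (start[i] == L' ' || start[i] == L'\0') break; loader_len++; }` tests the terminator twice and mixes `'\0'` with `L'\0'` on a CHAR16 string; `for (loader_len = 0; start[loader_len] != L'\0' && start[loader_len] != L' '; loader_len++) ;` expresses it once. Its bound comes from the earlier check in set_second_stage (outside this hunk) that the last CHAR16 of LoadOptions is NUL, which deserves a line here: `/* bounded: set_second_stage already rejected a LoadOptions that does not end in L'\0' */`. In the following hunk `if (load_options_size > 0) FreePool(second_stage);` relies on both variables being set only inside the `loader_len > 0` branch to know that `second_stage` is heap memory rather than the `DEFAULT_LOADER` literal; a dedicated `static BOOLEAN second_stage_allocated;` set to TRUE next to `second_stage = loader_str;` and tested as `if (second_stage_allocated) FreePool(second_stage);` states the real condition and survives a later change to how load_options is set (comparing against the `DEFAULT_LOADER` literal itself is not reliable, since two occurrences of a string literal need not share storage). set_second_stage begins before this hunk.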
@@ -42,12 +42,16 @@ #include "netboot.h" #include "shim_cert.h" -#define SECOND_STAGE L"\\grub.efi" +#define DEFAULT_LOADER L"\\grub.efi" #define MOK_MANAGER L"\\MokManager.efi" static EFI_SYSTEM_TABLE *systab; static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table); +static CHAR16 *second_stage; +static void *load_options; +static UINT32 load_options_size; + /* * The vendor certificate used for validating the second stage loader */ @@ -881,6 +885,10 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, li->ImageBase = buffer; li->ImageSize = context.ImageSize; + /* Pass the load options to the second stage loader */ + li->LoadOptions = load_options; + li->LoadOptionsSize = load_options_size; + if (!entry_point) { Print(L"Invalid entry point\n"); FreePool(buffer); @@ -1192,7 +1200,7 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) { EFI_STATUS efi_status; - efi_status = start_image(image_handle, SECOND_STAGE); + efi_status = start_image(image_handle, second_stage); if (efi_status != EFI_SUCCESS) efi_status = start_image(image_handle, MOK_MANAGER); 
@@ -1312,6 +1320,55 @@ static EFI_STATUS check_mok_sb (void) return status; } +/* + * Check the load options to specify the second stage loader + */ +EFI_STATUS set_second_stage (EFI_HANDLE image_handle) +{ + EFI_STATUS status; + EFI_LOADED_IMAGE *li; + CHAR16 *start = NULL, *c; + int i, remaining_size = 0; + + second_stage = DEFAULT_LOADER; + load_options = NULL; + load_options_size = 0; + + status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, + &LoadedImageProtocol, (void **) &li); + if (status != EFI_SUCCESS) { + Print (L"Failed to get load options\n"); + return status; + } + + /* Expect a CHAR16 string with at least one CHAR16 */ + if (li->LoadOptionsSize < 4 || li->LoadOptionsSize % 2 != 0) { + return EFI_BAD_BUFFER_SIZE; + } + c = (CHAR16 *)(li->LoadOptions + (li->LoadOptionsSize - 2)); + if (*c != L'\0') { + return EFI_BAD_BUFFER_SIZE; + } + + for (i = 0; i < li->LoadOptionsSize; i += 2) { + c = (CHAR16 *)(li->LoadOptions + i); + if (*c == L' ') { + *c = L'\0'; + start = c + 1; + remaining_size = li->LoadOptionsSize - i - 2; + break; + } + } + + second_stage = (CHAR16 *)li->LoadOptions; + if (start && remaining_size > 0) { + load_options = start; + load_options_size = remaining_size; + } + + return EFI_SUCCESS; +} + EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; @@ -1334,6 +1391,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ InitializeLib(image_handle, systab); + /* Set the second stage loader */ + set_second_stage (image_handle); + /* * Check whether the user has configured the system to run in * insecure mode ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:03.000000000 +0200 +++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:03.000000000 +0200 
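Review bot: `*c = L'\0';` overwrites the first separator inside the LoadOptions buffer that the firmware's LoadedImage protocol handed to shim, so the function mutates data it does not own and cannot be run twice; a `/* NOTE: splits the firmware-owned LoadOptions buffer in place; the part after the space is later handed to the second stage */` above the loop would at least make that explicit (shim-fix-loadoptions.patch later copies the loader name out but keeps this write). The loop index `i` is `int` while `li->LoadOptionsSize` is `UINT32`, so `i < li->LoadOptionsSize` is a signed/unsigned comparison and `li->LoadOptions + i` does arithmetic on a `VOID *`; `UINTN i` together with `c = (CHAR16 *)((UINT8 *)li->LoadOptions + i);` clears both. The early `return EFI_BAD_BUFFER_SIZE` paths leave `second_stage` at `DEFAULT_LOADER`, which is the only reason the caller in efi_main (next hunk, `set_second_stage (image_handle);`) can ignore the status — say so at the call site: `/* any failure leaves second_stage = DEFAULT_LOADER, so the status is deliberately ignored */`.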
@@ -180,7 +180,6 @@ rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" - rm -f "${efidir}/boot.csv" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. @@ -195,7 +194,6 @@ cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" -echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` ++++++ shim-keep-unsigned-mokmanager.patch ++++++ diff --git a/Makefile b/Makefile index 9217ba1..cd1c688 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH VERSION = 0.2 -TARGET = shim.efi MokManager.efi.signed +TARGET = shim.efi MokManager.efi.signed MokManager.efi OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES = shim.c shim.h netboot.c signature.h PeImage.h ++++++ shim-local-key-sign-mokmanager.patch ++++++ ++++ 722 lines (skipped) ++++++ shim-mokmanager-new-pw-hash.patch ++++++ >From 6e816e3e0f8b2013c1bccd67ec27db10ccaabc67 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 15 Jan 2013 18:01:41 +0800 Subject: [PATCH 1/2] Support new password hash Old password hash: sha256sum(key_list + password) New password hash: salt + sha256sum(salt + password) --- MokManager.c | 91 ++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 67 insertions(+), 24 deletions(-) diff --git a/MokManager.c b/MokManager.c index 97588cb..be2a764 100644 --- a/MokManager.c +++ b/MokManager.c 
@@ -19,6 +19,9 @@ #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" +#define SALT_LEN 16 +#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) + struct menu_item { CHAR16 *text; INTN (* callback)(void *data, void *data2, void *data3); @@ -648,23 +651,30 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size; + UINT8 data[AUTH_LEN], *auth, *salt; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (authenticate) { - auth_size = SHA256_DIGEST_SIZE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokNew, MokNewSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; } @@ -842,8 +852,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 data[AUTH_LEN], *auth, *salt;; + UINTN auth_size = AUTH_LEN; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; 
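Review bot: `if (auth_size == AUTH_LEN) { salt = data; auth = data + SALT_LEN; … } else { auth = data; … }` picks one of two MokAuth layouts purely by the variable's length, and nothing in the hunk says what either layout is; the two formulas from the commit message belong above the `if`: `/* MokAuth is either AUTH_LEN bytes: salt(16) || sha256(salt || password), or SHA256_DIGEST_SIZE bytes (legacy): sha256(MokNew || password) */`. Both layouts are a single SHA-256 with at most a 16-byte salt, so if MokAuth is readable from the OS a captured value is cheap to brute-force offline; the spec lists a later shim-mokmanager-support-crypt-hash-method.patch that presumably addresses this, but it is not visible here. store_keys begins before and ends after this hunk.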
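Review bot: `UINT8 data[AUTH_LEN], *auth, *salt;;` has a stray second semicolon; it compiles as an empty statement but should read `UINT8 data[AUTH_LEN], *auth, *salt;`. `salt` is left unset here and only assigned in the AUTH_LEN branch further down, which is fine as long as it is never read on the legacy path; a `/* salt is only valid for the AUTH_LEN layout */` beside the declaration records that. delete_keys continues past this hunk.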
@@ -853,14 +863,22 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokDelAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokDel, MokDelSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1052,20 +1070,29 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 hash[AUTH_LEN], *auth, *salt; + UINT8 clear = 0; UINT32 length; CHAR16 line[1]; - if (MokPWSize != SHA256_DIGEST_SIZE) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) { Print(L"Invalid MokPW variable contents\n"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, SHA256_DIGEST_SIZE, 0); + SetMem(hash, AUTH_LEN, 0); + + if (MokPWSize == AUTH_LEN) { + if (CompareMem(MokPW, hash, AUTH_LEN) == 0) + clear = 1; + } else { + if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) + clear = 1; + } - if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) { + if (clear) { Print(L"Clear MOK password? (y/n): "); do { 
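Review bot: The two-branch clear-password test in mok_pw_prompt can be a single comparison, because `hash` is zeroed over AUTH_LEN bytes and MokPWSize has already been restricted to SHA256_DIGEST_SIZE or AUTH_LEN a few lines above: `if (CompareMem(MokPW, hash, MokPWSize) == 0) clear = 1;`. That keeps the `clear` flag and the later `if (clear)` unchanged while removing the duplicated CompareMem calls that will have to be kept in step whenever another size is accepted. mok_pw_prompt continues outside the hunk.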
@@ -1080,7 +1107,14 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + if (MokPWSize == AUTH_LEN) { + salt = MokPW; + auth = MokPW + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: "); + } else { + efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + } + if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return -1; @@ -1691,8 +1725,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[SHA256_DIGEST_SIZE]; - UINTN size = SHA256_DIGEST_SIZE; + UINT8 pwhash[AUTH_LEN], *auth, *salt; + UINTN size = AUTH_LEN; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", @@ -1704,7 +1738,8 @@ static BOOLEAN verify_pw(void) * known value, so there's no safety advantage in failing to validate * purely because of a failure to read the variable */ - if (efi_status != EFI_SUCCESS) + if (efi_status != EFI_SUCCESS || + (size != SHA256_DIGEST_SIZE && size != AUTH_LEN)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1712,7 +1747,13 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + if (size == AUTH_LEN) { + salt = pwhash; + auth = pwhash + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: "); + } else { + efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + } if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return FALSE; 
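Review bot: `(size != SHA256_DIGEST_SIZE && size != AUTH_LEN)` now sends a MokPWStore of unexpected length down the `return TRUE` path, i.e. the password check is skipped for it. The comment above, which starts outside the hunk, justifies that only for a failed read ("no safety advantage in failing to validate purely because of a failure to read the variable"); a variable that reads fine but has an unknown layout is more likely a format mismatch between the tool that wrote it and this MokManager, and treating it silently as "no password set" hides that. If accepting it is intended, extend the comment, e.g. `/* an unrecognised size is treated like an unreadable variable: no password */`; otherwise print a diagnostic before returning. The verify_pw hunk of the second patch carries the same check with PASSWORD_HASH_SIZE.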
@@ -1733,8 +1774,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 auth[AUTH_LEN]; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (verify_pw() == FALSE) @@ -1744,14 +1785,16 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokDelAuth = 1; if (MokNew || MokAuth) -- 1.7.10.4 >From cf448e938a54ee3006f0fca214b83e0a40499ea5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Fri, 18 Jan 2013 15:51:02 +0800 Subject: [PATCH 2/2] Extend the password hash format Several new fields were added to support hash from /etc/shadow. Affected variables: MokAuth, MokDelAuth, MokPW, MokPWStore [Hash Method][Interation Count][Salt Size][Salt][hash] Besides, the password is converted to a 8-bit char array before hashing with salt. --- MokManager.c | 145 +++++++++++++++++++++++++++++++++----------------------- PasswordHash.h | 23 +++++++++ 2 files changed, 110 insertions(+), 58 deletions(-) create mode 100644 PasswordHash.h diff --git a/MokManager.c b/MokManager.c index be2a764..9c8f32f 100644 --- a/MokManager.c +++ b/MokManager.c @@ -5,6 +5,7 @@ #include "shim.h" #include "signature.h" #include "PeImage.h" +#include "PasswordHash.h" #define PASSWORD_MAX 16 #define PASSWORD_MIN 8 
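Review bot: `auth_size` is not reset between the two GetVariable calls: on success GetVariable writes the returned length back into `auth_size`, so after a 32-byte MokAuth the MokDelAuth lookup is issued with a 32-byte buffer size and a 48-byte MokDelAuth fails with a too-small buffer, leaving `MokDelAuth` unset and the deletion request ignored. With one legal size this was harmless; now that two sizes are accepted, add `auth_size = AUTH_LEN;` before the second `uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", ...)`. The enter_mok_menu hunk of the second patch inherits the same pattern with PASSWORD_HASH_SIZE. enter_mok_menu continues outside the hunk.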
@@ -19,9 +20,6 @@ #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" -#define SALT_LEN 16 -#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) - struct menu_item { CHAR16 *text; INTN (* callback)(void *data, void *data2, void *data3); @@ -553,8 +551,8 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show return 1; } -static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *password, - UINT32 pw_length, UINT8 *hash) +static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, + UINT32 pw_length, UINT8 *hash) { EFI_STATUS status; unsigned int ctxsize; @@ -574,15 +572,15 @@ static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *passw goto done; } - if (MokNew && MokNewSize) { - if (!(Sha256Update(ctx, MokNew, MokNewSize))) { + if (Data && DataSize) { + if (!(Sha256Update(ctx, Data, DataSize))) { Print(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } } - if (!(Sha256Update(ctx, password, pw_length * sizeof(CHAR16)))) { + if (!(Sha256Update(ctx, password, pw_length))) { Print(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; 
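Review bot: The meaning of `pw_length` changes in this hunk from a CHAR16 count to a byte count (`Sha256Update(ctx, password, pw_length)` replaces `pw_length * sizeof(CHAR16)`), and the callers in match_password rely on it by passing either the ASCII length or `pw_length * sizeof(CHAR16)`, but nothing at the definition says so. A header comment on compute_pw_hash — its purpose, that `Data`/`DataSize` is an optional prefix (salt or key list) hashed before the password, that `password` is an opaque byte string of exactly `pw_length` bytes, and that it returns EFI_SUCCESS with `hash` filled or an error status otherwise — would stop the next caller from passing a character count. The function body continues outside the hunk.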
@@ -599,15 +597,34 @@ done: return status; } -static EFI_STATUS match_password (void *Data, UINTN DataSize, - UINT8 auth[SHA256_DIGEST_SIZE], - CHAR16 *prompt) +static EFI_STATUS match_password (PASSWORD_HASH *pw_hash, + void *Data, UINTN DataSize, + UINT8 *auth, CHAR16 *prompt) { EFI_STATUS efi_status; UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 *auth_hash; + UINT32 auth_size; CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; + int i; + + if (pw_hash) { + /* + * Only support sha256 now and ignore iter_count + */ + if(pw_hash->method != SHA256_BASED) + return EFI_INVALID_PARAMETER; + auth_hash = pw_hash->hash; + /* FIXME assign auth_size according to pw_hash->method */ + auth_size = SHA256_DIGEST_SIZE; + } else if (auth) { + auth_hash = auth; + auth_size = SHA256_DIGEST_SIZE; + } else { + return EFI_INVALID_PARAMETER; + } while (fail_count < 3) { if (prompt) { @@ -623,16 +640,31 @@ static EFI_STATUS match_password (void *Data, UINTN DataSize, continue; } - efi_status = compute_pw_hash(Data, DataSize, password, - pw_length, hash); - + /* + * Compute password hash + */ + if (pw_hash) { + char pw_ascii[PASSWORD_MAX]; + for (i = 0; i < pw_length; i++) + pw_ascii[i] = (char)password[i]; + + /* FIXME calculate a proper salt_size */ + efi_status = compute_pw_hash(pw_hash->salt, (pw_hash->salt_size)/8, + (UINT8 *)pw_ascii, pw_length, hash); + } else { + /* + * For backward compatibility + */ + efi_status = compute_pw_hash(Data, DataSize, (UINT8 *)password, + pw_length * sizeof(CHAR16), hash); + } if (efi_status != EFI_SUCCESS) { Print(L"Unable to generate password hash\n"); fail_count++; continue; } - if (CompareMem(auth, hash, SHA256_DIGEST_SIZE) != 0) { + if (CompareMem(auth_hash, hash, auth_size) != 0) { Print(L"Password doesn't match\n"); fail_count++; continue; 
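Review bot: `pw_hash` comes from a UEFI variable that, at least for MokAuth, MokDelAuth and MokPW at the call sites, is presumably written from the OS side, yet only `method` is validated; `salt_size` is later used as `(pw_hash->salt_size)/8` for the length handed to compute_pw_hash, while `salt` is a 16-byte array in PASSWORD_HASH, so a value above 128 makes Sha256Update read past the structure. Reject it where the method is checked: `if (pw_hash->salt_size / 8 > sizeof(pw_hash->salt)) return EFI_INVALID_PARAMETER;`, and state in the same comment that salt_size is in bits, which is what the division implies. The FIXME on auth_size could also name the concrete follow-up, e.g. `/* FIXME: when SHA512_BASED is accepted, auth_size must become 64 */`. match_password continues outside the hunk.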
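Review bot: `pw_ascii[i] = (char)password[i]` discards the upper byte of each CHAR16, so a passphrase containing any character above 0x7F is hashed as a different string, distinct passphrases can match the same stored hash, and the user gets no hint that the character was not what was hashed. If the goal is parity with a hash computed from an 8-bit string on the OS side (the commit message suggests so), check for a non-ASCII character before the conversion loop and count the attempt as failed with a message such as `Print(L"Non-ASCII characters are not supported\n");` rather than silently narrowing. Separately, `i` is an `int` compared against the `UINT32 pw_length`; declaring `UINT32 i` inside the branch avoids the signed/unsigned comparison.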
@@ -651,29 +683,28 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 data[AUTH_LEN], *auth, *salt; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; if (authenticate) { efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, - &attributes, &auth_size, data); - + &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || - (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { + (auth_size != SHA256_DIGEST_SIZE && + auth_size != PASSWORD_HASH_SIZE)) { Print(L"Failed to get MokAuth %d\n", efi_status); return efi_status; } - if (auth_size == AUTH_LEN) { - salt = data; - auth = data + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, NULL); + if (auth_size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)auth, + NULL, 0, NULL, NULL); } else { - auth = data; - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + efi_status = match_password(NULL, MokNew, MokNewSize, + auth, NULL); } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -852,8 +883,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 data[AUTH_LEN], *auth, *salt;; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; 
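Review bot: The size test `auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_HASH_SIZE` encodes the two accepted MokAuth formats (32 bytes: the legacy sha256 over the key list and the password, per the first patch; 88 bytes: a PASSWORD_HASH record) but leaves that implicit, and the cast `(PASSWORD_HASH *)auth` depends on the packed structure being exactly PASSWORD_HASH_SIZE bytes. A comment at the check, e.g. `/* 32 bytes: legacy sha256(MokNew || password); PASSWORD_HASH_SIZE: PASSWORD_HASH record */`, documents the first point, and the same applies to the delete_keys hunk that follows. For the second, if the build allows C11, `_Static_assert(sizeof(PASSWORD_HASH) == PASSWORD_HASH_SIZE, "PASSWORD_HASH layout")` next to the struct would keep the cast safe against future field changes. store_keys continues outside the hunk.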
@@ -863,21 +894,19 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, - &attributes, &auth_size, data); + &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || - (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { + (auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_HASH_SIZE)) { Print(L"Failed to get MokDelAuth %d\n", efi_status); return efi_status; } - if (auth_size == AUTH_LEN) { - salt = data; - auth = data + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, NULL); + if (auth_size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)auth, NULL, 0, + NULL, NULL); } else { - auth = data; - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + efi_status = match_password(NULL, MokDel, MokDelSize, auth, NULL); } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1070,22 +1099,22 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 hash[AUTH_LEN], *auth, *salt; + UINT8 hash[PASSWORD_HASH_SIZE]; UINT8 clear = 0; UINT32 length; CHAR16 line[1]; - if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != PASSWORD_HASH_SIZE) { Print(L"Invalid MokPW variable contents\n"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, AUTH_LEN, 0); + SetMem(hash, PASSWORD_HASH_SIZE, 0); - if (MokPWSize == AUTH_LEN) { - if (CompareMem(MokPW, hash, AUTH_LEN) == 0) + if (MokPWSize == PASSWORD_HASH_SIZE) { + if (CompareMem(MokPW, hash, PASSWORD_HASH_SIZE) == 0) clear = 1; } else { if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) 
@@ -1107,12 +1136,12 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - if (MokPWSize == AUTH_LEN) { - salt = MokPW; - auth = MokPW + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: "); + if (MokPWSize == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)MokPW, NULL, 0, + NULL, L"Confirm MOK passphrase: "); } else { - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + efi_status = match_password(NULL, NULL, 0, MokPW, + L"Confirm MOK passphrase: "); } if (efi_status != EFI_SUCCESS) { @@ -1725,8 +1754,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[AUTH_LEN], *auth, *salt; - UINTN size = AUTH_LEN; + UINT8 pwhash[PASSWORD_HASH_SIZE]; + UINTN size = PASSWORD_HASH_SIZE; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", @@ -1739,7 +1768,7 @@ static BOOLEAN verify_pw(void) * purely because of a failure to read the variable */ if (efi_status != EFI_SUCCESS || - (size != SHA256_DIGEST_SIZE && size != AUTH_LEN)) + (size != SHA256_DIGEST_SIZE && size != PASSWORD_HASH_SIZE)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1747,12 +1776,12 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - if (size == AUTH_LEN) { - salt = pwhash; - auth = pwhash + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: "); + if (size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)pwhash, NULL, 0, + NULL, L"Enter MOK password: "); } else { - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + efi_status = match_password(NULL, NULL, 0, pwhash, + L"Enter MOK password: "); } if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); 
@@ -1774,8 +1803,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[AUTH_LEN]; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; if (verify_pw() == FALSE) @@ -1786,7 +1815,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && - (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_HASH_SIZE)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", @@ -1794,7 +1823,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && - (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_HASH_SIZE)) MokDelAuth = 1; if (MokNew || MokAuth) diff --git a/PasswordHash.h b/PasswordHash.h new file mode 100644 index 0000000..70ee441 --- /dev/null +++ b/PasswordHash.h @@ -0,0 +1,23 @@ +#ifndef __PASSWORD_HASH_H__ +#define __PASSWORD_HASH_H__ + +#define PASSWORD_HASH_SIZE 88 + +enum HashMethod { + Tranditional_DES = 0, + Extend_BSDI_DES, + MD5_BASED, + SHA256_BASED, + SHA512_BASED, + BLOWFISH_BASED +}; + +typedef struct { + UINT16 method; + UINT32 iter_count; + UINT16 salt_size; + UINT8 salt[16]; + UINT8 hash[64]; +} __attribute__ ((packed)) PASSWORD_HASH; + +#endif /* __PASSWORD_HASH_H__ */ -- 1.7.10.4 ++++++ shim-mokmanager-support-crypt-hash-method.patch ++++++ ++++ 719 lines (skipped) ++++ between /work/SRC/openSUSE:13.1/shim/shim-mokmanager-support-crypt-hash-method.patch ++++ and /work/SRC/openSUSE:13.1/.shim.new/shim-mokmanager-support-crypt-hash-method.patch ++++++ shim-reboot-after-changes.patch ++++++ >From 10f0f58b03b3bcc56797744f25be15b226b51a50 Mon Sep 17 00:00:00 2001 
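Review bot: `__PASSWORD_HASH_H__` is a double-underscore identifier, which C reserves for the implementation; `PASSWORD_HASH_H` is the conventional guard. The enum constant `Tranditional_DES` is misspelled (`Traditional_DES`), which is cheap to fix while the header is new and unused elsewhere, and the PASSWORD_HASH fields carry no documentation: `salt_size` is consumed as `salt_size/8` in match_password, so its unit (bits) and the 16-byte limit of `salt` should be stated next to the field, and `iter_count` should be marked as currently ignored. A comment tying `PASSWORD_HASH_SIZE 88` to the packed layout (2+4+2+16+64) would also help readers who see the value compared against GetVariable sizes.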
From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Dec 2012 17:54:05 +0800 Subject: [PATCH 1/2] Clear the screen before erasing keys --- MokManager.c | 1 + 1 file changed, 1 insertion(+) diff --git a/MokManager.c b/MokManager.c index 5802d27..c6f84d8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -675,6 +675,7 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { UINT32 length; EFI_STATUS efi_status; + uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); Print(L"Erase all stored keys? (y/N): "); get_line (&length, line, 1, 1); -- 1.7.10.4 >From 510dafda53cd56210d7ff634b1c630d3645150f0 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Dec 2012 18:24:45 +0800 Subject: [PATCH 2/2] Reboot the system after enrolling/erasing keys --- MokManager.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/MokManager.c b/MokManager.c index c6f84d8..7d6650e 100644 --- a/MokManager.c +++ b/MokManager.c @@ -637,6 +637,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) } static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -657,6 +658,19 @@ static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { Print(L"Failed to enroll keys\n"); return -1; } + + if (auth) { + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; + } + return 0; } } while (line[0] != 'N' && line[0] != 'n'); 
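Review bot: The two `LibDeleteVariable` calls in the `if (auth)` branch discard their EFI_STATUS, so if MokNew or MokAuth cannot be removed the code still announces the reboot and the stale request survives into the next boot without any message. Capture the status and report failures, e.g. `efi_status = LibDeleteVariable(L"MokAuth", &shim_lock_guid); if (efi_status != EFI_SUCCESS) Print(L"Failed to delete MokAuth\n");` for each variable. The same unchecked pair appears in mok_deletion_prompt in the next hunk. mok_enrollment_prompt continues outside the hunk.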
@@ -671,6 +685,7 @@ static INTN mok_enrollment_prompt_callback (void *MokNew, void *data2, } static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -687,6 +702,16 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { Print(L"Failed to erase keys\n"); return -1; } + + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; } return 0; -- 1.7.10.4 ++++++ shim-support-mok-delete.patch ++++++ ++++ 763 lines (skipped) ++++++ shim-suse-build.patch ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:03.000000000 +0200 +++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:03.000000000 +0200 @@ -1,13 +1,11 @@ ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/Makefile -+++ b/Makefile +Index: shim-0.2/Makefile +=================================================================== +--- shim-0.2.orig/Makefile ++++ shim-0.2/Makefile @@ -6,7 +6,7 @@ LIB_PATH = /usr/lib64 EFI_INCLUDE = /usr/include/efi - EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi +EFI_PATH = /usr/lib64 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
