author | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-10-22 19:48:39 +0800 |
committer | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-10-27 21:57:43 +0800 |
commit | ffe79fe91ed8d10391de976fe615932eeaffab70 (patch) | |
tree | 70e5164aa920ea31a280e2f082fed36dfe3f71fd | |
parent | 6aa83f98bc1f989f72d4a6e60b433dfc7b2045ba (diff) | |
download | meta-secure-core-ffe79fe91ed8d10391de976fe615932eeaffab70.tar.gz |
shim: drop fallback
shim will uninstall MOK Verify Protocol when launching fallback,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
7 files changed, 7 insertions, 148 deletions
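--- a/meta-efi-secure-boot/README.md
+++ b/meta-efi-secure-boot/README.md
@@ -10,12 +10,8 @@ chainloader the next stage bootloader with the integrity check using the
 shim-managed certificates corresponding to another set of trusted keys, which
 may be different than the trusted keys used by UEFI Secure Boot.
 
-fallback is the second-stage bootloader used to by-pass the Red Hat shim
-signing review. It is designed to read a .csv file and will create a boot
-option in BIOS boot manager for the first boot entry in .csv.
-
-This layer introduces the SELoader as the third-stage bootloader and eventually
-chainliader to the fourth-stage bootloader "grub". With the extension provided
+This layer introduces the SELoader as the second-stage bootloader and eventually
+chainliader to the third-stage bootloader "grub". With the extension provided
 by SELoader, grub configuration files, kernel (even without EFI stub support)
 and initrd can be authenticated. This capability is not available in the shim
 bootloader.
@@ -35,12 +31,11 @@ A complete boot flow looks like as following:
 
 - UEFI firmware boot manager (UEFI Secure Boot enabled) ->
 - shim (verified by a DB certificate) ->
-- fallback (verified by a shim-managed certificate) ->
-- SELoader (ditto) ->
-- grub (ditto) ->
-- grub.cfg (ditto)
-- kernel (ditto)
-- initramfs (ditto)
+- SELoader (ditto) ->
+- grub (ditto) ->
+- grub.cfg (ditto)
+- kernel (ditto)
+- initramfs (ditto)
 
 ### Quick Start For The First Boot
 - Deploy the rootfs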
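--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 8990fdd360bc5db39e33e3a15c447bed0c1ca46e Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Mon, 24 Jul 2017 15:15:33 +0800
-Subject: [PATCH 3/5] fallback: allow to search .csv in \EFI\BOOT
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- fallback.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index 423b3ee..b55755b 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -874,8 +874,7 @@ find_boot_options(EFI_HANDLE device)
- continue;
- }
- if (!StrCmp(fi->FileName, L".") ||
-- !StrCmp(fi->FileName, L"..") ||
-- !StrCaseCmp(fi->FileName, L"BOOT")) {
-+ !StrCmp(fi->FileName, L"..")) {
- FreePool(buffer);
- buffer = NULL;
- continue;
--- 
-2.7.5
-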
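--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b992209b060f7916de20a5926788a751f1c6636f Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Tue, 1 Aug 2017 10:25:45 +0800
-Subject: [PATCH 4/5] fallback: don't set the csv entry as the first boot by
- default
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- fallback.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index b55755b..2794cc1 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -199,6 +199,11 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
- CHAR16 *bootorder = NULL;
- int nbootorder = 0;
- 
-+#ifdef FALLBACK_RUN_AS_FIRST_BOOT
-+UINTN run_as_first_boot = 1;
-+#else
-+UINTN run_as_first_boot = 0;
-+#endif
- EFI_DEVICE_PATH *first_new_option = NULL;
- VOID *first_new_option_args = NULL;
- UINTN first_new_option_size = 0;
-@@ -260,6 +265,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
- return rc;
- }
- 
-+ if (!run_as_first_boot)
-+ return EFI_SUCCESS;
-+
- CHAR16 *newbootorder = AllocateZeroPool(sizeof (CHAR16)
- * (nbootorder + 1));
- if (!newbootorder)
-@@ -569,7 +577,7 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum
- rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
- if (EFI_ERROR(rc)) {
- add_boot_option(dp, full_device_path, fullpath, label, arguments);
-- } else if (option != 0) {
-+ } else if (run_as_first_boot && option != 0) {
- CHAR16 *newbootorder;
- newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder);
- if (!newbootorder)
-@@ -899,7 +907,7 @@ find_boot_options(EFI_HANDLE device)
- 
- } while (1);
- 
-- if (rc == EFI_SUCCESS && nbootorder > 0)
-+ if (run_as_first_boot && rc == EFI_SUCCESS && nbootorder > 0)
- rc = update_boot_order();
- 
- uefi_call_wrapper(fh2->Close, 1, fh2);
--- 
-2.7.5
-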
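--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 92ed1e297632a718d1392c8d163beb713c00ccbf Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Wed, 9 Aug 2017 16:29:08 +0800
-Subject: [PATCH 5/5] fallback: always try to boot the option recorded in csv
-
-We intend to use fallback to work around MSFT for the next bootloader
-of shim. Thus, we don't mind fallback is involved for PCR measurement
-at all.
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- fallback.c | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index 2794cc1..0a645a4 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -1016,13 +1016,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
- return rc;
- }
- 
-- rc = fallback_should_prefer_reset();
-- if (EFI_ERROR(rc)) {
-- VerbosePrint(L"tpm not present, starting the first image\n");
-- try_start_first_option(image);
-- } else {
-- VerbosePrint(L"tpm present, resetting system\n");
-- }
-+ try_start_first_option(image);
- 
- Print(L"Reset System\n");
- 
--- 
-2.7.5
-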
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv deleted file mode 100644 index c2d784e..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv +++ /dev/null | |||
Binary files differ | |||
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv deleted file mode 100644 index c89c303..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv +++ /dev/null | |||
Binary files differ | |||
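--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -21,17 +21,12 @@ PV = "12+git${SRCPV}"
 
 SRC_URI = "\
     git://github.com/rhinstaller/shim.git \
-    file://bootx64.csv \
-    file://bootia32.csv \
     file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \
     file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
     file://0006-Prevent-from-removing-intermediate-.efi.patch \
     file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \
     file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
     file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
-    file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \
-    file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \
-    file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \
 "
 SRC_URI_append_x86-64 = "\
     ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \
@@ -118,7 +113,6 @@ python do_sign() {
     edss_sign_efi_image(d.expand('${S}/shim${EFI_ARCH}.efi'), dst, d)
 
     sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d)
-    sb_sign(d.expand('${S}/fb${EFI_ARCH}.efi'), d.expand('${B}/fb${EFI_ARCH}.efi.signed'), d)
 }
 addtask sign after do_compile before do_install
 
@@ -127,18 +121,13 @@ do_install() {
 
     local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
     local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"
-    local fb_dst="${D}${EFI_TARGET}/fb${EFI_ARCH}.efi"
     if [ x"${UEFI_SB}" = x"1" ]; then
         install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst"
         install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst"
-        install -m 0600 "${B}/fb${EFI_ARCH}.efi.signed" "$fb_dst"
     else
         install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst"
         install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst"
-        install -m 0600 "${B}/fb${EFI_ARCH}.efi" "$fb_dst"
     fi
-
-    install -m 0600 "${WORKDIR}/boot${EFI_ARCH}.csv" "${D}${EFI_TARGET}"
 }
 
 # Install the unsigned images for manual signing
@@ -149,13 +138,9 @@ do_deploy() {
         "${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi"
     install -m 0600 "${B}/mm${EFI_ARCH}.efi" \
         "${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi"
-    install -m 0600 "${B}/fb${EFI_ARCH}.efi" \
-        "${DEPLOYDIR}/efi-unsigned/fb${EFI_ARCH}.efi"
 
     install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
     install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.csv" "${DEPLOYDIR}"
 }
 addtask deploy after do_install before do_build
 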
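Review bot: Nothing in shim_git.bb records why fb${EFI_ARCH}.efi is no longer signed, installed or deployed (the lines removed from do_sign, do_install and do_deploy), and since shim's build still produces the fallback binary as far as I recall, the next maintainer is likely to reinstate it; I would add above do_sign `# fallback (fb${EFI_ARCH}.efi) is deliberately not signed or shipped: shim uninstalls the MOK Verify Protocol before launching it, so SELoader could not verify the later stages.` Shim, to my recollection, still tries to start fb${EFI_ARCH}.efi from \EFI\BOOT when its second-stage loader is absent, so with no fallback image and no boot${EFI_ARCH}.csv a first boot without a pre-created boot entry now fails instead of self-repairing; the README's "Quick Start For The First Boot" should state how the SELoader boot entry gets created. The csv install removed from do_install should also be checked against any other recipe or image class that still expects boot${EFI_ARCH}.csv under ${EFI_TARGET}.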