From ffe79fe91ed8d10391de976fe615932eeaffab70 Mon Sep 17 00:00:00 2001 From: Jia Zhang Date: Sun, 22 Oct 2017 19:48:39 +0800 Subject: shim: drop fallback shim will uninstall MOK Verify Protocol when launching fallack, implying it is impossible to get the instance of MOK Verify Protocol for SELoader. This behavior violates the original intention of introducing fallback. Signed-off-by: Jia Zhang --- meta-efi-secure-boot/README.md | 19 +++---- ...fallback-allow-to-search-.csv-in-EFI-BOOT.patch | 27 ---------- ...n-t-set-the-csv-entry-as-the-first-boot-b.patch | 58 --------------------- ...ways-try-to-boot-the-option-recorded-in-c.patch | 36 ------------- .../recipes-bsp/shim/shim/bootia32.csv | Bin 102 -> 0 bytes .../recipes-bsp/shim/shim/bootx64.csv | Bin 100 -> 0 bytes meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 15 ------ 7 files changed, 7 insertions(+), 148 deletions(-) delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index ce8d7fb..f69127f 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md 
@@ -10,12 +10,8 @@ chainloader the next stage bootloader with the integrity check using the shim-managed certificates corresponding to another set of trusted keys, which may be different than the trusted keys used by UEFI Secure Boot. -fallback is the second-stage bootloader used to by-pass the Red Hat shim -signing review. It is designed to read a .csv file and will create a boot -option in BIOS boot manager for the first boot entry in .csv. - -This layer introduces the SELoader as the third-stage bootloader and eventually -chainliader to the fourth-stage bootloader "grub". With the extension provided +This layer introduces the SELoader as the second-stage bootloader and eventually +chainliader to the third-stage bootloader "grub". With the extension provided by SELoader, grub configuration files, kernel (even without EFI stub support) and initrd can be authenticated. This capability is not available in the shim bootloader. @@ -35,12 +31,11 @@ A complete boot flow looks like as following: - UEFI firmware boot manager (UEFI Secure Boot enabled) -> - shim (verified by a DB certificate) -> - - fallback (verified by a shim-managed certificate) -> - - SELoader (ditto) -> - - grub (ditto) -> - - grub.cfg (ditto) - - kernel (ditto) - - initramfs (ditto) + - SELoader (ditto) -> + - grub (ditto) -> + - grub.cfg (ditto) + - kernel (ditto) + - initramfs (ditto) ### Quick Start For The First Boot - Deploy the rootfs diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch deleted file mode 100644 index 404e3de..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 8990fdd360bc5db39e33e3a15c447bed0c1ca46e Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Mon, 24 Jul 2017 15:15:33 +0800 -Subject: [PATCH 3/5] fallback: allow to search .csv in \EFI\BOOT - -Signed-off-by: Lans Zhang ---- - fallback.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 423b3ee..b55755b 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -874,8 +874,7 @@ find_boot_options(EFI_HANDLE device) - continue; - } - if (!StrCmp(fi->FileName, L".") || -- !StrCmp(fi->FileName, L"..") || -- !StrCaseCmp(fi->FileName, L"BOOT")) { -+ !StrCmp(fi->FileName, L"..")) { - FreePool(buffer); - buffer = NULL; - continue; --- -2.7.5 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch deleted file mode 100644 index 7f23caf..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From b992209b060f7916de20a5926788a751f1c6636f Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Tue, 1 Aug 2017 10:25:45 +0800 -Subject: [PATCH 4/5] fallback: don't set the csv entry as the first boot by - default - -Signed-off-by: Lans Zhang ---- - fallback.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/fallback.c b/fallback.c -index b55755b..2794cc1 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -199,6 +199,11 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) - CHAR16 *bootorder = NULL; - int nbootorder = 0; - -+#ifdef FALLBACK_RUN_AS_FIRST_BOOT -+UINTN run_as_first_boot = 1; -+#else -+UINTN run_as_first_boot = 0; -+#endif - EFI_DEVICE_PATH *first_new_option = NULL; - VOID *first_new_option_args = NULL; - UINTN first_new_option_size = 0; -@@ -260,6 +265,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - return rc; - } - -+ if (!run_as_first_boot) -+ return EFI_SUCCESS; -+ - CHAR16 *newbootorder = AllocateZeroPool(sizeof (CHAR16) - * (nbootorder + 1)); - if (!newbootorder) -@@ -569,7 +577,7 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum - rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); - if (EFI_ERROR(rc)) { - add_boot_option(dp, full_device_path, fullpath, label, arguments); -- } else if (option != 0) { -+ } else if (run_as_first_boot && option != 0) { - CHAR16 *newbootorder; - newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); - if (!newbootorder) -@@ -899,7 +907,7 @@ find_boot_options(EFI_HANDLE device) - - } while (1); - -- if (rc == EFI_SUCCESS && nbootorder > 0) -+ if (run_as_first_boot && rc == EFI_SUCCESS && nbootorder > 0) - rc = update_boot_order(); - - uefi_call_wrapper(fh2->Close, 1, fh2); --- -2.7.5 - 
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch deleted file mode 100644 index 470693b..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 92ed1e297632a718d1392c8d163beb713c00ccbf Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 9 Aug 2017 16:29:08 +0800 -Subject: [PATCH 5/5] fallback: always try to boot the option recorded in csv - -We intend to use fallback to work around MSFT for the next bootloader -of shim. Thus, we don't mind fallback is involved for PCR measurement -at all. - -Signed-off-by: Lans Zhang ---- - fallback.c | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 2794cc1..0a645a4 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -1016,13 +1016,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) - return rc; - } - -- rc = fallback_should_prefer_reset(); -- if (EFI_ERROR(rc)) { -- VerbosePrint(L"tpm not present, starting the first image\n"); -- try_start_first_option(image); -- } else { -- VerbosePrint(L"tpm present, resetting system\n"); -- } -+ try_start_first_option(image); - - Print(L"Reset System\n"); - --- -2.7.5 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv deleted file mode 100644 index c2d784e..0000000 Binary files a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv and /dev/null differ diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv deleted file mode 100644 index c89c303..0000000 Binary files a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv and /dev/null differ 
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index d07680b..fb58727 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb @@ -21,17 +21,12 @@ PV = "12+git${SRCPV}" SRC_URI = "\ git://github.com/rhinstaller/shim.git \ - file://bootx64.csv \ - file://bootia32.csv \ file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \ file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \ file://0006-Prevent-from-removing-intermediate-.efi.patch \ file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \ file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \ file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \ - file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \ - file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \ - file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \ " SRC_URI_append_x86-64 = "\ ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \ @@ -118,7 +113,6 @@ python do_sign() { edss_sign_efi_image(d.expand('${S}/shim${EFI_ARCH}.efi'), dst, d) sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d) - sb_sign(d.expand('${S}/fb${EFI_ARCH}.efi'), d.expand('${B}/fb${EFI_ARCH}.efi.signed'), d) } addtask sign after do_compile before do_install 
@@ -127,18 +121,13 @@ do_install() { local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" - local fb_dst="${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" if [ x"${UEFI_SB}" = x"1" ]; then install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst" install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst" - install -m 0600 "${B}/fb${EFI_ARCH}.efi.signed" "$fb_dst" else install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst" install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst" - install -m 0600 "${B}/fb${EFI_ARCH}.efi" "$fb_dst" fi - - install -m 0600 "${WORKDIR}/boot${EFI_ARCH}.csv" "${D}${EFI_TARGET}" } # Install the unsigned images for manual signing @@ -149,13 +138,9 @@ do_deploy() { "${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi" install -m 0600 "${B}/mm${EFI_ARCH}.efi" \ "${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi" - install -m 0600 "${B}/fb${EFI_ARCH}.efi" \ - "${DEPLOYDIR}/efi-unsigned/fb${EFI_ARCH}.efi" install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}" install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}" - install -m 0600 "${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" "${DEPLOYDIR}" - install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.csv" "${DEPLOYDIR}" } addtask deploy after do_install before do_build -- cgit v1.2.3-54-g00ecf
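Review bot: After this hunk do_install no longer writes `boot${EFI_ARCH}.csv` into `${D}${EFI_TARGET}`, so there is no ESP-resident data left from which a firmware boot option for shim gets created; the only remaining way the firmware reaches shim is the `${EFI_TARGET}/boot${EFI_ARCH}.efi` path that `shim_dst` still installs, which I take to be the default removable-media path. That may well be intended, but neither the commit message nor the README hunk says that the boot entry must now be established by the firmware's default-path scan or by a separate installer step rather than by fallback. A one-line note in the README boot-flow section, such as `The UEFI boot manager locates shim through the default boot${EFI_ARCH}.efi path; no boot option is created from the ESP at first boot.`, would record the behavioural change for users. The do_deploy hunk that follows on the same line removes the matching csv deploy and needs no separate note.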