diff options
| -rw-r--r-- | src/image/efi_image.c | 31 | ||||
| -rw-r--r-- | src/include/ipxe/efi/efi_image.h | 27 | ||||
| -rw-r--r-- | src/include/ipxe/efi/efi_shim.h | 23 | ||||
| -rw-r--r-- | src/include/ipxe/errfile.h | 1 | ||||
| -rw-r--r-- | src/include/ipxe/image.h | 9 | ||||
| -rw-r--r-- | src/include/usr/shimmgmt.h | 16 | ||||
| -rw-r--r-- | src/interface/efi/efi_shim.c | 251 | ||||
| -rw-r--r-- | src/usr/shimmgmt.c | 58 |
8 files changed, 413 insertions, 3 deletions
diff --git a/src/image/efi_image.c b/src/image/efi_image.c index 4371340..104753a 100644 --- a/src/image/efi_image.c +++ b/src/image/efi_image.c @@ -31,6 +31,8 @@ FILE_LICENCE ( GPL2_OR_LATER ); #include <ipxe/efi/efi_wrap.h> #include <ipxe/efi/efi_pxe.h> #include <ipxe/efi/efi_driver.h> +#include <ipxe/efi/efi_image.h> +#include <ipxe/efi/efi_shim.h> #include <ipxe/image.h> #include <ipxe/init.h> #include <ipxe/features.h> @@ -134,6 +136,8 @@ static int efi_image_exec ( struct image *image ) { EFI_LOADED_IMAGE_PROTOCOL *image; void *interface; } loaded; + struct image *shim; + struct image *exec; EFI_HANDLE handle; EFI_MEMORY_TYPE type; wchar_t *cmdline; @@ -150,6 +154,15 @@ static int efi_image_exec ( struct image *image ) { goto err_no_snpdev; } + /* Use shim instead of directly executing image if applicable */ + shim = ( efi_can_load ( image ) ? + NULL : find_image_tag ( &efi_shim ) ); + exec = ( shim ? shim : image ); + if ( shim ) { + DBGC ( image, "EFIIMAGE %s executing via %s\n", + image->name, shim->name ); + } + /* Re-register as a hidden image to allow for access via file I/O */ toggle = ( ~image->flags & IMAGE_HIDDEN ); image->flags |= IMAGE_HIDDEN; @@ -178,7 +191,7 @@ static int efi_image_exec ( struct image *image ) { } /* Create device path for image */ - path = efi_image_path ( image, snpdev->path ); + path = efi_image_path ( exec, snpdev->path ); if ( ! path ) { DBGC ( image, "EFIIMAGE %s could not create device path\n", image->name ); @@ -195,11 +208,20 @@ static int efi_image_exec ( struct image *image ) { goto err_cmdline; } + /* Install shim special handling if applicable */ + if ( shim && + ( ( rc = efi_shim_install ( shim, snpdev->handle, + &cmdline ) ) != 0 ) ){ + DBGC ( image, "EFIIMAGE %s could not install shim handling: " + "%s\n", image->name, strerror ( rc ) ); + goto err_shim_install; + } + /* Attempt loading image */ handle = NULL; if ( ( efirc = bs->LoadImage ( FALSE, efi_image_handle, path, - user_to_virt ( image->data, 0 ), - image->len, &handle ) ) != 0 ) { + user_to_virt ( exec->data, 0 ), + exec->len, &handle ) ) != 0 ) { /* Not an EFI image */ rc = -EEFI_LOAD ( efirc ); DBGC ( image, "EFIIMAGE %s could not load: %s\n", @@ -289,6 +311,9 @@ static int efi_image_exec ( struct image *image ) { if ( rc != 0 ) bs->UnloadImage ( handle ); err_load_image: + if ( shim ) + efi_shim_uninstall(); + err_shim_install: free ( cmdline ); err_cmdline: free ( path ); diff --git a/src/include/ipxe/efi/efi_image.h b/src/include/ipxe/efi/efi_image.h new file mode 100644 index 0000000..0fc0402 --- /dev/null +++ b/src/include/ipxe/efi/efi_image.h @@ -0,0 +1,27 @@ +#ifndef _IPXE_EFI_IMAGE_H +#define _IPXE_EFI_IMAGE_H + +/** @file + * + * EFI images + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/image.h> + +extern struct image_type efi_image_type[] __image_type ( PROBE_NORMAL ); + +/** + * Check if EFI image can be loaded directly + * + * @v image EFI image + * @ret can_load EFI image can be loaded directly + */ +static inline int efi_can_load ( struct image *image ) { + + return ( image->type == efi_image_type ); +} + +#endif /* _IPXE_EFI_IMAGE_H */ diff --git a/src/include/ipxe/efi/efi_shim.h b/src/include/ipxe/efi/efi_shim.h new file mode 100644 index 0000000..ad8d24d --- /dev/null +++ b/src/include/ipxe/efi/efi_shim.h @@ -0,0 +1,23 @@ +#ifndef _IPXE_EFI_SHIM_H +#define _IPXE_EFI_SHIM_H + +/** @file + * + * UEFI shim special handling + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/image.h> +#include <ipxe/efi/efi.h> + +extern int efi_shim_require_loader; +extern int efi_shim_allow_pxe; +extern struct image_tag efi_shim __image_tag; + +extern int efi_shim_install ( struct image *shim, EFI_HANDLE handle, + wchar_t **cmdline ); +extern void efi_shim_uninstall ( void ); + +#endif /* _IPXE_EFI_SHIM_H */ diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h index 235611a..daa038c 100644 --- a/src/include/ipxe/errfile.h +++ b/src/include/ipxe/errfile.h @@ -405,6 +405,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #define ERRFILE_dhe ( ERRFILE_OTHER | 0x005a0000 ) #define ERRFILE_efi_cmdline ( ERRFILE_OTHER | 0x005b0000 ) #define ERRFILE_efi_rng ( ERRFILE_OTHER | 0x005c0000 ) +#define ERRFILE_efi_shim ( ERRFILE_OTHER | 0x005d0000 ) /** @} */ diff --git a/src/include/ipxe/image.h b/src/include/ipxe/image.h index cd51188..bfbf236 100644 --- a/src/include/ipxe/image.h +++ b/src/include/ipxe/image.h @@ -257,6 +257,15 @@ static inline void image_untrust ( struct image *image ) { } /** + * Mark image as hidden + * + * @v image Image + */ +static inline void image_hide ( struct image *image ) { + image->flags |= IMAGE_HIDDEN; +} + +/** * Tag image * * @v image Image diff --git a/src/include/usr/shimmgmt.h b/src/include/usr/shimmgmt.h new file mode 100644 index 0000000..5030607 --- /dev/null +++ b/src/include/usr/shimmgmt.h @@ -0,0 +1,16 @@ +#ifndef _USR_SHIMMGMT_H +#define _USR_SHIMMGMT_H + +/** @file + * + * EFI shim management + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/image.h> + +extern int shim ( struct image *image, int require_loader, int allow_pxe ); + +#endif /* _USR_SHIMMGMT_H */ diff --git a/src/interface/efi/efi_shim.c b/src/interface/efi/efi_shim.c new file mode 100644 index 0000000..9b1b69e --- /dev/null +++ b/src/interface/efi/efi_shim.c @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <string.h> +#include <stdlib.h> +#include <errno.h> +#include <ipxe/image.h> +#include <ipxe/efi/efi.h> +#include <ipxe/efi/efi_strings.h> +#include <ipxe/efi/efi_shim.h> +#include <ipxe/efi/Protocol/PxeBaseCode.h> +#include <ipxe/efi/Protocol/ShimLock.h> + +/** @file + * + * UEFI shim special handling + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +/** + * Require use of a third party loader binary + * + * The UEFI shim is gradually becoming less capable of directly + * executing a Linux kernel image, due to an ever increasing list of + * assumptions that it will only ever be used in conjunction with a + * second stage loader binary such as GRUB. + * + * For example: shim will erroneously complain if the image that it + * loads and executes does not in turn call in to the "shim lock + * protocol" to verify a separate newly loaded binary before calling + * ExitBootServices(), even if no such separate binary is used or + * required. + * + * Experience shows that there is unfortunately no point in trying to + * get a fix for this upstreamed into shim. We therefore default to + * reducing the Secure Boot attack surface by removing, where + * possible, this spurious requirement for the use of an additional + * second stage loader. + * + * This option may be used to require the use of an additional second + * stage loader binary, in case this behaviour is ever desirable. + */ +int efi_shim_require_loader = 0; + +/** + * Allow use of PXE base code protocol + * + * We provide shim with access to all of the relevant downloaded files + * via our EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface. However, shim + * will instead try to redownload the files via TFTP since it prefers + * to use the EFI_PXE_BASE_CODE_PROTOCOL installed on the same handle. + * + * Experience shows that there is unfortunately no point in trying to + * get a fix for this upstreamed into shim. We therefore default to + * working around this undesirable behaviour by stopping the PXE base + * code protocol before invoking shim. + * + * This option may be used to allow shim to use the PXE base code + * protocol, in case this behaviour is ever desirable. + */ +int efi_shim_allow_pxe = 0; + +/** UEFI shim image */ +struct image_tag efi_shim __image_tag = { + .name = "SHIM", +}; + +/** Original GetMemoryMap() function */ +static EFI_GET_MEMORY_MAP efi_shim_orig_map; + +/** + * Unlock UEFI shim + * + * @v len Memory map size + * @v map Memory map + * @v key Memory map key + * @v desclen Descriptor size + * @v descver Descriptor version + * @ret efirc EFI status code + * + */ +static EFIAPI EFI_STATUS efi_shim_unlock ( UINTN *len, + EFI_MEMORY_DESCRIPTOR *map, + UINTN *key, UINTN *desclen, + UINT32 *descver ) { + EFI_BOOT_SERVICES *bs = efi_systab->BootServices; + uint8_t empty[0]; + union { + EFI_SHIM_LOCK_PROTOCOL *lock; + void *interface; + } u; + EFI_STATUS efirc; + + /* Locate shim lock protocol */ + if ( ( efirc = bs->LocateProtocol ( &efi_shim_lock_protocol_guid, + NULL, &u.interface ) ) == 0 ) { + u.lock->Verify ( empty, sizeof ( empty ) ); + DBGC ( &efi_shim, "SHIM unlocked via %p\n", u.lock ); + } + + /* Hand off to original GetMemoryMap() */ + return efi_shim_orig_map ( len, map, key, desclen, descver ); +} + +/** + * Inhibit use of PXE base code + * + * @v handle EFI handle + * @ret rc Return status code + */ +static int efi_shim_inhibit_pxe ( EFI_HANDLE handle ) { + EFI_BOOT_SERVICES *bs = efi_systab->BootServices; + union { + EFI_PXE_BASE_CODE_PROTOCOL *pxe; + void *interface; + } u; + EFI_STATUS efirc; + int rc; + + /* Locate PXE base code */ + if ( ( efirc = bs->OpenProtocol ( handle, + &efi_pxe_base_code_protocol_guid, + &u.interface, efi_image_handle, NULL, + EFI_OPEN_PROTOCOL_GET_PROTOCOL ))!=0){ + rc = -EEFI ( efirc ); + DBGC ( &efi_shim, "SHIM could not open PXE base code: %s\n", + strerror ( rc ) ); + goto err_no_base; + } + + /* Stop PXE base code */ + if ( ( efirc = u.pxe->Stop ( u.pxe ) ) != 0 ) { + rc = -EEFI ( efirc ); + DBGC ( &efi_shim, "SHIM could not stop PXE base code: %s\n", + strerror ( rc ) ); + goto err_stop; + } + + /* Success */ + rc = 0; + DBGC ( &efi_shim, "SHIM stopped PXE base code\n" ); + + err_stop: + bs->CloseProtocol ( handle, &efi_pxe_base_code_protocol_guid, + efi_image_handle, NULL ); + err_no_base: + return rc; +} + +/** + * Update command line + * + * @v shim Shim image + * @v cmdline Command line to update + * @ret rc Return status code + */ +static int efi_shim_cmdline ( struct image *shim, wchar_t **cmdline ) { + wchar_t *shimcmdline; + int len; + int rc; + + /* Construct new command line */ + len = ( shim->cmdline ? + efi_asprintf ( &shimcmdline, "%s %s", shim->name, + shim->cmdline ) : + efi_asprintf ( &shimcmdline, "%s %ls", shim->name, + *cmdline ) ); + if ( len < 0 ) { + rc = len; + DBGC ( &efi_shim, "SHIM could not construct command line: " + "%s\n", strerror ( rc ) ); + return rc; + } + + /* Replace command line */ + free ( *cmdline ); + *cmdline = shimcmdline; + + return 0; +} + +/** + * Install UEFI shim special handling + * + * @v shim Shim image + * @v handle EFI device handle + * @v cmdline Command line to update + * @ret rc Return status code + */ +int efi_shim_install ( struct image *shim, EFI_HANDLE handle, + wchar_t **cmdline ) { + EFI_BOOT_SERVICES *bs = efi_systab->BootServices; + int rc; + + /* Intercept GetMemoryMap() via boot services table */ + efi_shim_orig_map = bs->GetMemoryMap; + if ( ! efi_shim_require_loader ) + bs->GetMemoryMap = efi_shim_unlock; + + /* Stop PXE base code */ + if ( ( ! efi_shim_allow_pxe ) && + ( ( rc = efi_shim_inhibit_pxe ( handle ) ) != 0 ) ) { + goto err_inhibit_pxe; + } + + /* Update command line */ + if ( ( rc = efi_shim_cmdline ( shim, cmdline ) ) != 0 ) + goto err_cmdline; + + return 0; + + err_cmdline: + err_inhibit_pxe: + bs->GetMemoryMap = efi_shim_orig_map; + return rc; +} + +/** + * Uninstall UEFI shim special handling + * + */ +void efi_shim_uninstall ( void ) { + EFI_BOOT_SERVICES *bs = efi_systab->BootServices; + + /* Restore original GetMemoryMap() */ + bs->GetMemoryMap = efi_shim_orig_map; +} diff --git a/src/usr/shimmgmt.c b/src/usr/shimmgmt.c new file mode 100644 index 0000000..ba9c348 --- /dev/null +++ b/src/usr/shimmgmt.c @@ -0,0 +1,58 @@ +/* + * Copyright (C) 2023 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/efi/efi.h> +#include <ipxe/efi/efi_shim.h> +#include <usr/shimmgmt.h> + +/** @file + * + * EFI shim management + * + */ + +/** + * Set shim image + * + * @v image Shim image, or NULL to clear shim + * @v require_loader Require use of a third party loader + * @v allow_pxe Allow use of PXE base code + * @ret rc Return status code + */ +int shim ( struct image *image, int require_loader, int allow_pxe ) { + + /* Record (or clear) shim image */ + image_tag ( image, &efi_shim ); + + /* Avoid including image in constructed initrd */ + if ( image ) + image_hide ( image ); + + /* Record configuration */ + efi_shim_require_loader = require_loader; + efi_shim_allow_pxe = allow_pxe; + + return 0; +} |