Debian: shim-unsigned: porting from LAT
This is done for moving packages that are related to secure boot out of LAT and into integ. Use shim version: 15+1533136590.3beb971. Although there was a debian package for shim here, it wasn't effective because LAT didn't use it (the shim version in use is 12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper version for this porting. I choose this version because it should be matched with the grub image. shim 15.3 introduced and now mandates SBAT. This means that shim 15.3+ will not launch any EFI binaries without a .sbat section. Use tis-shim.der (another format for tis-shim.crt) to verify grub image's signature. Test Plan: The tests are done with all the changes for this porting, which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because they are in a chain for secure boot verification. - PASS: secure boot OK on qemu. - PASS: secure boot OK on PowerEdge R430 lab. - PASS: secure boot NG on qemu/hardware when shim/grub-efi images are without the right signatures. Story: 2009221 Task: 46401 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
This commit is contained in:
parent
764d81db0a
commit
0535f5b0ae
@ -0,0 +1,26 @@
|
||||
From 7bf206a8899a5df0bbc361a39eb5b38a6f0b0882 Mon Sep 17 00:00:00 2001
|
||||
From: Li Zhou <li.zhou@windriver.com>
|
||||
Date: Thu, 25 Aug 2022 18:10:28 +0800
|
||||
Subject: [PATCH] shim: replace the debian cert file with ours
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
debian/rules | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/debian/rules b/debian/rules
|
||||
index 58620be..0434c4d 100755
|
||||
--- a/debian/rules
|
||||
+++ b/debian/rules
|
||||
@@ -11,7 +11,7 @@ ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
|
||||
distributor=ubuntu
|
||||
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
|
||||
else
|
||||
- cert=debian/debian-uefi-ca.der
|
||||
+ cert=tis-shim.der
|
||||
distributor=debian
|
||||
endif
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
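Review bot: The patched line makes `cert=tis-shim.der` the certificate that gets compiled into shim as its vendor certificate (presumably consumed via the VENDOR_CERT_FILE option later in debian/rules, outside this hunk), so every EFI binary signed by that key is trusted by the resulting shim, yet nothing in the build checks that this DER file is really the same certificate as the tis-shim.crt used to sign grub. A mismatched pair would produce either a shim that rejects the signed grub or one that trusts a different signer, and either would only show up at boot time. If tis-shim.crt is also present in the build tree, a one-line guard in the build rule, e.g. `test "$$(openssl x509 -inform der -in tis-shim.der -noout -fingerprint -sha256)" = "$$(openssl x509 -in tis-shim.crt -noout -fingerprint -sha256)"`, would fail the package build instead. Only the non-ubuntu branch of the ifeq is patched, so the replacement takes effect only when dpkg-vendor does not report ubuntu. A short comment on the replaced line, such as `# tis-shim.der is the DER form of tis-shim.crt and must match the key used to sign grub`, would tell the next maintainer why the Debian CA was dropped.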
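--- a/security/shim-unsigned/debian/deb_patches/series
+++ b/security/shim-unsigned/debian/deb_patches/series
@@ -0,0 +1 @@
+0001-shim-replace-the-debian-cert-file-with-ours.patch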
@ -1,13 +1,14 @@
|
||||
---
|
||||
debver: 15.4-7
|
||||
debver: 15+1533136590.3beb971
|
||||
debname: shim
|
||||
dl_path:
|
||||
name: shim-debian-15.4-7.tar.gz
|
||||
url: https://salsa.debian.org/efi-team/shim/-/archive/debian/15.4-7/shim-debian-15.4-7.tar.gz
|
||||
md5sum: f2ceaa268acb6eb9bbe08b839371e04a
|
||||
sha256sum: a4ec39a11c75c95f268403f27125dd002aaf8511afb4fe476bc2d89d97f41eb3
|
||||
name: shim-debian-15+1533136590.3beb971.tar.bz2
|
||||
url: "https://salsa.debian.org/efi-team/shim/-/archive/debian/\
|
||||
15+1533136590.3beb971-10/shim-debian-15+1533136590.3beb971-10.tar.bz2"
|
||||
md5sum: eb6db0c9b8b4257d77ed07a81cd3a7b8
|
||||
sha256sum: 06341378fc89836ee3355ff9ade263105a9ab445de8b065c0989eec8c55769c8
|
||||
src_files:
|
||||
- files/tis-shim.crt
|
||||
- files/tis-shim.der
|
||||
revision:
|
||||
dist: $STX_DIST
|
||||
PKG_GITREVCOUNT: true
|
||||
|
@ -1,125 +0,0 @@
|
||||
From f6e8ace9a9783a1645cb6141ba5788790963cda3 Mon Sep 17 00:00:00 2001
|
||||
From: Yue Tao <Yue.Tao@windriver.com>
|
||||
Date: Mon, 15 Jan 2018 13:25:04 -0500
|
||||
Subject: [PATCH] Use Titanium certificate
|
||||
|
||||
Signed-off-by: Scott Little <scott.little@windriver.com>
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
---
|
||||
Make.defaults | 6 ++++++
|
||||
Makefile | 33 +++++++++++++++++++--------------
|
||||
2 files changed, 25 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index a775083..656669d 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -56,6 +56,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
|
||||
|
||||
COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
|
||||
|
||||
+# We compile a certificate into shim. Usually this is a one-time generated
|
||||
+# certificate (make-certs script) however we want to include a custom
|
||||
+# certificate for which we have the key. We use the key to sign the kernel and
|
||||
+# grub down the road
|
||||
+INTERNAL_CERT = tis-shim
|
||||
+
|
||||
ifeq ($(ARCH),x86_64)
|
||||
ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
|
||||
$(CLANG_BUGS) -m64 \
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 8c66459..919e002 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -37,9 +37,10 @@ TARGETS += $(MMNAME).signed $(FBNAME).signed
|
||||
CFLAGS += -DENABLE_SHIM_CERT
|
||||
else
|
||||
TARGETS += $(MMNAME) $(FBNAME)
|
||||
+CFLAGS += -DENABLE_SHIM_CERT
|
||||
endif
|
||||
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
|
||||
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
||||
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
|
||||
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
|
||||
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
|
||||
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
|
||||
@@ -75,14 +76,18 @@ endif
|
||||
update :
|
||||
git submodule update --init --recursive
|
||||
|
||||
-shim.crt:
|
||||
- $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
+# certificate is now provided in source. To generate a random certificate,
|
||||
+# uncomment this rule
|
||||
+#$(INTERNAL_CERT).crt:
|
||||
+# $(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
|
||||
-shim.cer: shim.crt
|
||||
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
|
||||
$(OPENSSL) x509 -outform der -in $< -out $@
|
||||
|
||||
.NOTPARALLEL: shim_cert.h
|
||||
-shim_cert.h: shim.cer
|
||||
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
|
||||
+# use a fixed name for #include
|
||||
+shim_cert.h: $(INTERNAL_CERT).cer
|
||||
echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
|
||||
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
|
||||
echo "};" >> $@
|
||||
@@ -93,15 +98,13 @@ version.c : $(TOPDIR)/version.c.in
|
||||
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
|
||||
< $< > $@
|
||||
|
||||
-certdb/secmod.db: shim.crt
|
||||
+certdb/secmod.db: $(INTERNAL_CERT).crt
|
||||
-mkdir certdb
|
||||
- $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
|
||||
- $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
|
||||
+ $(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
|
||||
+ $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
||||
|
||||
shim.o: $(SOURCES)
|
||||
-ifneq ($(origin ENABLE_SHIM_CERT),undefined)
|
||||
shim.o: shim_cert.h
|
||||
-endif
|
||||
shim.o: $(wildcard $(TOPDIR)/*.h)
|
||||
|
||||
cert.o : $(TOPDIR)/cert.S
|
||||
@@ -267,10 +270,10 @@ endif
|
||||
$< $@
|
||||
|
||||
ifneq ($(origin ENABLE_SBSIGN),undefined)
|
||||
-%.efi.signed: %.efi shim.key shim.crt
|
||||
+%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt
|
||||
@$(SBSIGN) \
|
||||
- --key shim.key \
|
||||
- --cert shim.crt \
|
||||
+ --key $(INTERNAL_CERT).key \
|
||||
+ --cert $(INTERNAL_CERT).crt \
|
||||
--output $@ $<
|
||||
else
|
||||
%.efi.signed: %.efi certdb/secmod.db
|
||||
@@ -302,9 +305,11 @@ clean-lib-objs:
|
||||
fi
|
||||
|
||||
clean-shim-objs:
|
||||
+ @mv $(INTERNAL_CERT).crt $(INTERNAL_CERT).crt.back
|
||||
@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
|
||||
@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
|
||||
@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
|
||||
+ @mv $(INTERNAL_CERT).crt.back $(INTERNAL_CERT).crt
|
||||
@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
|
||||
|
||||
clean-openssl-objs:
|
||||
@@ -331,7 +336,7 @@ tag:
|
||||
archive: tag
|
||||
@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
|
||||
|
||||
-.PHONY : install-deps shim.key
|
||||
+.PHONY : install-deps $(INTERNAL_CERT).key
|
||||
|
||||
export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
|
||||
export FEATUREFLAGS WARNFLAGS WERRFLAGS
|
||||
--
|
||||
2.25.1
|
||||
|
@ -1 +0,0 @@
|
||||
0001-Use-Titanium-certificate.patch
|
BIN
security/shim-unsigned/files/tis-shim.der
Normal file
Binary file not shown.