Secure boot no longer working
Secure Boot's hasn't been tested since July 2018 The principle players in the Secure Boot chain of trust are Shim, Grub, and the Linux kernel. All three components have seen multiple upgrades since the last test. A new build option has been added to shim, (ENABLE_SHIM_CERT) that enables/disables the support for an embedded shim key. It defaults to disabled. It also controls the generation of a random shim key, and the build time signing of fallback and MokManager components. Since we don't want a random shim key (reproducable builds), and we do signing as a post build step, leaving it disabled seemed like the correct setting initially... until it's function to disable shim keys entirely was discovered. This update reworks the shim patch so that we can embed a prebuilt shim key, and still have shim key functionality active. Closes-Bug: 1864245 Change-Id: Ibcb6bcfe3060ce0b3e2c2f3c23908bb7127b0ccd Signed-off-by: Scott Little <scott.little@windriver.com>
This commit is contained in:
parent
85723f2095
commit
4761e4f3fa
@ -1,15 +1,16 @@
|
||||
From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
|
||||
From 7fc985a350f9f7f5abbd19cef7a1947a3e33e5c8 Mon Sep 17 00:00:00 2001
|
||||
From: root <root@yow-cgts4-lx.wrs.com>
|
||||
Date: Mon, 15 Jan 2018 13:25:04 -0500
|
||||
Subject: [PATCH] Use Titanium certificate
|
||||
|
||||
Signed-off-by: Scott Little <scott.little@windriver.com>
|
||||
---
|
||||
Make.defaults | 6 ++++++
|
||||
Makefile | 20 ++++++++++++--------
|
||||
2 files changed, 18 insertions(+), 8 deletions(-)
|
||||
Makefile | 29 ++++++++++++++++-------------
|
||||
2 files changed, 22 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 3cec82d..d7606db 100644
|
||||
index e11ab5a..d16510c 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -51,6 +51,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
|
||||
@ -26,11 +27,14 @@ index 3cec82d..d7606db 100644
|
||||
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
||||
endif
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 115e7f0..8964a97 100644
|
||||
index 115e7f0..f2b37fa 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -34,7 +34,7 @@ else
|
||||
@@ -32,9 +32,10 @@ TARGETS += $(MMNAME).signed $(FBNAME).signed
|
||||
CFLAGS += -DENABLE_SHIM_CERT
|
||||
else
|
||||
TARGETS += $(MMNAME) $(FBNAME)
|
||||
+CFLAGS += -DENABLE_SHIM_CERT
|
||||
endif
|
||||
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
|
||||
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
||||
@ -38,7 +42,7 @@ index 115e7f0..8964a97 100644
|
||||
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
|
||||
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
||||
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
|
||||
@@ -52,14 +52,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
|
||||
@@ -52,14 +53,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
|
||||
|
||||
all: $(TARGETS)
|
||||
|
||||
@ -61,7 +65,7 @@ index 115e7f0..8964a97 100644
|
||||
echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
|
||||
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
|
||||
echo "};" >> $@
|
||||
@@ -70,10 +74,10 @@ version.c : $(TOPDIR)/version.c.in
|
||||
@@ -70,15 +75,13 @@ version.c : $(TOPDIR)/version.c.in
|
||||
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
|
||||
< $< > $@
|
||||
|
||||
@ -74,7 +78,31 @@ index 115e7f0..8964a97 100644
|
||||
+ $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
||||
|
||||
shim.o: $(SOURCES)
|
||||
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
|
||||
-ifneq ($(origin ENABLE_SHIM_CERT),undefined)
|
||||
shim.o: shim_cert.h
|
||||
-endif
|
||||
shim.o: $(wildcard $(TOPDIR)/*.h)
|
||||
|
||||
cert.o : $(TOPDIR)/cert.S
|
||||
@@ -213,8 +216,8 @@ endif
|
||||
$^ $@
|
||||
|
||||
ifneq ($(origin ENABLE_SBSIGN),undefined)
|
||||
-%.efi.signed: %.efi shim.key shim.crt
|
||||
- $(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
|
||||
+%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt
|
||||
+ $(SBSIGN) --key $(INTERNAL_CERT).key --cert $(INTERNAL_CERT).crt --output $@ $<
|
||||
else
|
||||
%.efi.signed: %.efi certdb/secmod.db
|
||||
$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
|
||||
@@ -258,6 +261,6 @@ archive: tag
|
||||
@rm -rf /tmp/shim-$(VERSION)
|
||||
@echo "The archive is in shim-$(VERSION).tar.bz2"
|
||||
|
||||
-.PHONY : install-deps shim.key
|
||||
+.PHONY : install-deps $(INTERNAL_CERT).key
|
||||
|
||||
export ARCH CC LD OBJCOPY EFI_INCLUDE
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user