integ/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch

From 7fc985a350f9f7f5abbd19cef7a1947a3e33e5c8 Mon Sep 17 00:00:00 2001
From: root <root@yow-cgts4-lx.wrs.com>
Date: Mon, 15 Jan 2018 13:25:04 -0500
Subject: [PATCH] Use Titanium certificate

Signed-off-by: Scott Little <scott.little@windriver.com>
---
 Make.defaults |  6 ++++++
 Makefile      | 29 ++++++++++++++++-------------
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/Make.defaults b/Make.defaults
index e11ab5a..d16510c 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -51,6 +51,12 @@ CLANG_BUGS	= $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
 
 COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
 
+# We compile a certificate into shim.  Usually this is a one-time generated
+# certificate (make-certs script) however we want to include a custom
+# certificate for which we have the key.  We use the key to sign the kernel and
+# grub down the road
+INTERNAL_CERT = tis-shim
+
 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
 	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
 endif
diff --git a/Makefile b/Makefile
index 115e7f0..f2b37fa 100644
--- a/Makefile
+++ b/Makefile
@@ -32,9 +32,10 @@ TARGETS	+= $(MMNAME).signed $(FBNAME).signed
 CFLAGS += -DENABLE_SHIM_CERT
 else
 TARGETS += $(MMNAME) $(FBNAME)
+CFLAGS += -DENABLE_SHIM_CERT
 endif
 OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
-KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+KEYS    = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
 ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
@@ -52,14 +53,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
 
 all: $(TARGETS)
 
-shim.crt:
-	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+# certificate is now provided in source.  To generate a random certificate,
+# uncomment this rule
+#$(INTERNAL_CERT).crt:
+#	$(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
 
-shim.cer: shim.crt
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
 	$(OPENSSL) x509 -outform der -in $< -out $@
 
 .NOTPARALLEL: shim_cert.h
-shim_cert.h: shim.cer
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
+# use a fixed name for #include
+shim_cert.h: $(INTERNAL_CERT).cer
 	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
 	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
 	echo "};" >> $@
@@ -70,15 +75,13 @@ version.c : $(TOPDIR)/version.c.in
 		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
 		< $< > $@
 
-certdb/secmod.db: shim.crt
+certdb/secmod.db: $(INTERNAL_CERT).crt
 	-mkdir certdb
-	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
-	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
+	$(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
+	$(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
 
 shim.o: $(SOURCES)
-ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 shim.o: shim_cert.h
-endif
 shim.o: $(wildcard $(TOPDIR)/*.h)
 
 cert.o : $(TOPDIR)/cert.S
@@ -213,8 +216,8 @@ endif
 		$^ $@
 
 ifneq ($(origin ENABLE_SBSIGN),undefined)
-%.efi.signed: %.efi shim.key shim.crt
-	$(SBSIGN) --key shim.key --cert shim.crt --output $@ $<
+%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt
+	$(SBSIGN) --key $(INTERNAL_CERT).key --cert $(INTERNAL_CERT).crt --output $@ $<
 else
 %.efi.signed: %.efi certdb/secmod.db
 	$(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
@@ -258,6 +261,6 @@ archive: tag
 	@rm -rf /tmp/shim-$(VERSION)
 	@echo "The archive is in shim-$(VERSION).tar.bz2"
 
-.PHONY : install-deps shim.key
+.PHONY : install-deps $(INTERNAL_CERT).key
 
 export ARCH CC LD OBJCOPY EFI_INCLUDE
-- 
1.8.3.1