Xen project Mailing List

[Xen-changelog] [xen-unstable] x86/EFI: add code interfacing with the secure boot shim

From: Xen patchbot-unstable <patchbot@xxxxxxx>

Date: Tue, 11 Dec 2012 04:33:23 +0000

Delivery-date: Tue, 11 Dec 2012 04:33:29 +0000

List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch # User Jan Beulich <jbeulich@xxxxxxxx> # Date 1354884272 -3600 # Node ID b62bd62b26836fafe19cf41fec194bcf33e2ead6 # Parent cb542e58da25211843eb79998ea8568ebe9c8056 x86/EFI: add code interfacing with the secure boot shim ... to validate the kernel image (which is required to be in PE format, as is e.g. the case for the Linux bzImage when built with CONFIG_EFI_STUB). Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Keir Fraser <keir@xxxxxxx> --- diff -r cb542e58da25 -r b62bd62b2683 xen/arch/x86/efi/boot.c --- a/xen/arch/x86/efi/boot.c Fri Dec 07 13:43:17 2012 +0100 +++ b/xen/arch/x86/efi/boot.c Fri Dec 07 13:44:32 2012 +0100 @@ -24,6 +24,18 @@ #include <asm/msr.h> #include <asm/processor.h> +#define SHIM_LOCK_PROTOCOL_GUID \ + { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} } + +typedef EFI_STATUS +(/* _not_ EFIAPI */ *EFI_SHIM_LOCK_VERIFY) ( + IN VOID *Buffer, + IN UINT32 Size); + +typedef struct { + EFI_SHIM_LOCK_VERIFY Verify; +} EFI_SHIM_LOCK_PROTOCOL; + extern char start[]; extern u32 cpuid_ext_features; @@ -640,12 +652,14 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY static EFI_GUID __initdata gop_guid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID; static EFI_GUID __initdata bio_guid = BLOCK_IO_PROTOCOL; static EFI_GUID __initdata devp_guid = DEVICE_PATH_PROTOCOL; + static EFI_GUID __initdata shim_lock_guid = SHIM_LOCK_PROTOCOL_GUID; EFI_LOADED_IMAGE *loaded_image; EFI_STATUS status; unsigned int i, argc; CHAR16 **argv, *file_name, *cfg_file_name = NULL; UINTN cols, rows, depth, size, map_key, info_size, gop_mode = ~0; EFI_HANDLE *handles = NULL; + EFI_SHIM_LOCK_PROTOCOL *shim_lock; EFI_GRAPHICS_OUTPUT_PROTOCOL *gop = NULL; EFI_GRAPHICS_OUTPUT_MODE_INFORMATION *mode_info; EFI_FILE_HANDLE dir_handle; @@ -835,6 +849,11 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY read_file(dir_handle, s2w(&name), &kernel); efi_bs->FreePool(name.w); + if ( !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL, + (void **)&shim_lock)) && + shim_lock->Verify(kernel.ptr, kernel.size) != EFI_SUCCESS ) + blexit(L"Dom0 kernel image could not be verified\r\n"); + name.s = get_value(&cfg, section.s, "ramdisk"); if ( name.s ) { _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.