[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] x86/EFI: add code interfacing with the secure boot shim
On 06/12/2012 13:05, "Jan Beulich" <JBeulich@xxxxxxxx> wrote:
> ... to validate the kernel image (which is required to be in PE
> format, as is e.g. the case for the Linux bzImage when built with
> CONFIG_EFI_STUB).
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
> --- a/xen/arch/x86/efi/boot.c
> +++ b/xen/arch/x86/efi/boot.c
> @@ -24,6 +24,18 @@
> #include <asm/msr.h>
> #include <asm/processor.h>
>
> +#define SHIM_LOCK_PROTOCOL_GUID \
> + { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
> 0x23} }
> +
> +typedef EFI_STATUS
> +(/* _not_ EFIAPI */ *EFI_SHIM_LOCK_VERIFY) (
> + IN VOID *Buffer,
> + IN UINT32 Size);
> +
> +typedef struct {
> + EFI_SHIM_LOCK_VERIFY Verify;
> +} EFI_SHIM_LOCK_PROTOCOL;
> +
> extern char start[];
> extern u32 cpuid_ext_features;
>
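Review bot: The `/* _not_ EFIAPI */` remark on the EFI_SHIM_LOCK_VERIFY typedef says what the type is but not why, so a later reader "fixing" it by adding EFIAPI would presumably break the call on x86-64, where EFIAPI selects the Microsoft calling convention while the shim's Verify entry point is built with the compiler's native one. Expanding it to `/* shim's Verify uses the native (SysV) ABI, _not_ EFIAPI; declaring it EFIAPI would pass Buffer/Size in the wrong registers */` ties the warning to its consequence. The SHIM_LOCK_PROTOCOL_GUID initializer also appears split across two physical lines (`0x8b,` / `0x23} }`), which looks like mail-client wrapping rather than the patch itself; the applied version presumably keeps it on one line.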
> @@ -640,12 +652,14 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY
> static EFI_GUID __initdata gop_guid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID;
> static EFI_GUID __initdata bio_guid = BLOCK_IO_PROTOCOL;
> static EFI_GUID __initdata devp_guid = DEVICE_PATH_PROTOCOL;
> + static EFI_GUID __initdata shim_lock_guid = SHIM_LOCK_PROTOCOL_GUID;
> EFI_LOADED_IMAGE *loaded_image;
> EFI_STATUS status;
> unsigned int i, argc;
> CHAR16 **argv, *file_name, *cfg_file_name = NULL;
> UINTN cols, rows, depth, size, map_key, info_size, gop_mode = ~0;
> EFI_HANDLE *handles = NULL;
> + EFI_SHIM_LOCK_PROTOCOL *shim_lock;
> EFI_GRAPHICS_OUTPUT_PROTOCOL *gop = NULL;
> EFI_GRAPHICS_OUTPUT_MODE_INFORMATION *mode_info;
> EFI_FILE_HANDLE dir_handle;
> @@ -835,6 +849,11 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY
> read_file(dir_handle, s2w(&name), &kernel);
> efi_bs->FreePool(name.w);
>
> + if ( !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
> + (void **)&shim_lock)) &&
> + shim_lock->Verify(kernel.ptr, kernel.size) != EFI_SUCCESS )
> + blexit(L"Dom0 kernel image could not be verified\r\n");
> +
> name.s = get_value(&cfg, section.s, "ramdisk");
> if ( name.s )
> {
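Review bot: Only `kernel` reaches `shim_lock->Verify`; the ramdisk read a few lines below through the same `read_file` path (and any other module loaded that way) is never handed to the shim, so with a shim present the boot chain verifies the kernel but not what it is given. If that is intended, since shim's Verify covers signed PE images and an initrd is usually not one, a comment at the call site such as `/* Only the (PE) kernel is shim-verified; the ramdisk is not a signed image. */` would record the decision for the next reader. The call also narrows `kernel.size` (UINTN) to the UINT32 `Size` parameter implicitly; rejecting an image that does not fit, e.g. `if ( (UINT32)kernel.size != kernel.size ) blexit(L"Dom0 kernel image too large to verify\r\n");` before the call, avoids verifying a silently truncated length. The enclosing efi_start body continues outside the hunk.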
>
>
>