sbsign will sign an already signed binary (adding a signature at the end).
sbverify has a new mode --list, for listing all the signatures, and sbattach
takes a --signum argument for --remove or --detach.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

This prevents a FIPS failure message if no FIPS module is loaded.
Plus add -v as short form for --verbose in sbverify.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

In line with the verification process in firmware, update our verify
callback to explicitly trust all certificates that we load to our cert
store.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

Proposed changes to the kernel will establish /sys/firmware/efi/efivars
as the canonical mountpoint for the efivars filesystem.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

Rather than overrunning the heap, explicitly allocate the pad area for
cases where we've aligned-up the section table sizes.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

Since we write the certificate table starting at data_size (not size),
use this value when generating the cert table header.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

The PE/COFF spec allows variable-sized data directories, which reduce
the size of the optional header. While GNU ld always produces
maximum-sized headers, the kernel's EFI_STUB code generates a smaller
header size, which causes the image parsing code to abort.
This change allows variable-sized optional headers, but checks for at
least enough of an optional header to contain a CERT_TABLE data
directory entry.
We also rename struct image's aouthdr to opthdr, as it contains more
than just the a.out fields.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

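An added check, not sbsigntools' own code, illustrating the two image-parsing commits above (padding the image so the certificate table is aligned, and accepting a variable-sized optional header as long as it can hold the CERT_TABLE entry). It parses a constructed PE32+ stub (offsets per the PE/COFF spec; the 8-byte alignment rule is the Authenticode requirement) and assumes the hypothetical `build_image` helper to produce test input.

```python
import struct

CERT_TABLE_INDEX = 4  # data directory slot holding the attribute certificate table


def check_cert_table(image: bytes) -> tuple:
    """(offset, size) of the certificate table, or (0, 0) if none is declared; raises
    ValueError for bad headers, a too-short optional header or a misaligned table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                                                # after the COFF header
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]       # SizeOfOptionalHeader
    if opt_size < 2 or opt + opt_size > len(image):
        raise ValueError("optional header runs past end of file")
    magic = struct.unpack_from("<H", image, opt)[0]
    try:
        ndirs_off, dirs_off = {0x10B: (92, 96), 0x20B: (108, 112)}[magic]   # PE32 / PE32+
    except KeyError:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_off = dirs_off + 8 * CERT_TABLE_INDEX
    # Accept a variable-sized optional header, but it must still hold the CERT_TABLE entry.
    if opt_size < entry_off + 8:
        raise ValueError("optional header too small for the CERT_TABLE entry")
    ndirs = struct.unpack_from("<I", image, opt + ndirs_off)[0]
    cert_off, cert_len = struct.unpack_from("<II", image, opt + entry_off)
    if ndirs <= CERT_TABLE_INDEX or (cert_off, cert_len) == (0, 0):
        return (0, 0)
    if cert_off % 8:
        raise ValueError("certificate table at 0x%x is not 8-byte aligned" % cert_off)
    if cert_off + cert_len > len(image):
        raise ValueError("certificate table runs past end of file")
    return (cert_off, cert_len)


def build_image(payload: bytes, align: bool) -> bytes:
    """Constructed PE32+ stub (not a real binary): headers, payload, pad, dummy cert."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)                                             # full PE32+ header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    hdr_len = len(dos) + len(coff) + len(opt)
    # The sbsign fix: pad the image so the certificate table lands on an 8-byte boundary.
    pad = bytes(-(hdr_len + len(payload)) % 8) if align else b""
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + bytes(16)       # WIN_CERTIFICATE + dummy
    struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, hdr_len + len(payload) + len(pad), len(cert))
    return dos + coff + bytes(opt) + payload + pad + cert
```

Running `check_cert_table` over an image built with `align=False` reproduces the failure the multi-signature firmware code reports, while the padded image passes.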
We were updating siglist before incrementing i, and so aborting the
siglist iteration earlier than necessary.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

Rather than having three sets of (firmware, filesystem) key databases,
refactor into two sets of (kek, db, dbx) databases. This allows us to
add the PK later.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

We should free filename and buf on error.
Also, check for the length of the file's data; we may be passed empty
files, and end up with a negative len.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

We want to collect keystore entries on a separate list, so rename the
'list' member to something more specific.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

We want to call key_id on file buffers too, which don't have the
EFI_SIGNATURE_DATA encapsulation.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

We may want to read files which can be absent. In this case, we don't
want to print an error.
This change adds fileio_read_file_noerror(), which suppresses error
output.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

We're almost always going to want the attributes set to
NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | APPEND_WRITE,
and TIME_BASED_AUTHENTICATED_WRITE is required. So, provide this
as the default if no --attrs argument is specified.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>