1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "console.h"
#include "proto/security-arch.h"
#include "secure-boot.h"
#include "util.h"
#include "vmm.h"
bool secure_boot_enabled(void) {
bool secure = false; /* avoid false maybe-uninitialized warning */
EFI_STATUS err;
err = efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"SecureBoot", &secure);
return err == EFI_SUCCESS && secure;
}
SecureBootMode secure_boot_mode(void) {
bool secure, audit = false, deployed = false, setup = false;
EFI_STATUS err;
err = efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"SecureBoot", &secure);
if (err != EFI_SUCCESS)
return SECURE_BOOT_UNSUPPORTED;
/* We can assume false for all these if they are abscent (AuditMode and
* DeployedMode may not exist on older firmware). */
(void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"AuditMode", &audit);
(void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"DeployedMode", &deployed);
(void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"SetupMode", &setup);
return decode_secure_boot_mode(secure, audit, deployed, setup);
}
EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool force) {
assert(root_dir);
assert(path);
EFI_STATUS err;
clear_screen(COLOR_NORMAL);
/* Enrolling secure boot keys is safe to do in virtualized environments as there is nothing
* we can brick there. */
bool is_safe = in_hypervisor();
if (!is_safe && !force)
return EFI_SUCCESS;
printf("Enrolling secure boot keys from directory: %ls\n", path);
if (!is_safe) {
printf("Warning: Enrolling custom Secure Boot keys might soft-brick your machine!\n");
unsigned timeout_sec = 15;
for (;;) {
printf("\rEnrolling in %2u s, press any key to abort.", timeout_sec);
uint64_t key;
err = console_key_read(&key, 1000 * 1000);
if (err == EFI_NOT_READY)
continue;
if (err == EFI_TIMEOUT) {
if (timeout_sec == 0) /* continue enrolling keys */
break;
timeout_sec--;
continue;
}
if (err != EFI_SUCCESS)
return log_error_status(
err,
"Error waiting for user input to enroll Secure Boot keys: %m");
/* user aborted, returning EFI_SUCCESS here allows the user to go back to the menu */
return EFI_SUCCESS;
}
printf("\n");
}
_cleanup_(file_closep) EFI_FILE *dir = NULL;
err = open_directory(root_dir, path, &dir);
if (err != EFI_SUCCESS)
return log_error_status(err, "Failed opening keys directory %ls: %m", path);
struct {
const char16_t *name;
const char16_t *filename;
const EFI_GUID vendor;
char *buffer;
size_t size;
} sb_vars[] = {
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, NULL, 0 },
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
};
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
for (size_t i = 0; i < ELEMENTSOF(sb_vars); i++) {
err = file_read(dir, sb_vars[i].filename, 0, 0, &sb_vars[i].buffer, &sb_vars[i].size);
if (err != EFI_SUCCESS) {
log_error_status(err, "Failed reading file %ls\\%ls: %m", path, sb_vars[i].filename);
goto out_deallocate;
}
}
for (size_t i = 0; i < ELEMENTSOF(sb_vars); i++) {
uint32_t sb_vars_opts =
EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
if (err != EFI_SUCCESS) {
log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);
goto out_deallocate;
}
}
printf("Custom Secure Boot keys successfully enrolled, rebooting the system now!\n");
/* The system should be in secure boot mode now and we could continue a regular boot. But at least
* TPM PCR7 measurements should change on next boot. Reboot now so that any OS we load does not end
* up relying on the old PCR state. */
RT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL);
assert_not_reached();
out_deallocate:
for (size_t i = 0; i < ELEMENTSOF(sb_vars); i++)
free(sb_vars[i].buffer);
return err;
}
static struct SecurityOverride {
EFI_SECURITY_ARCH_PROTOCOL *security;
EFI_SECURITY2_ARCH_PROTOCOL *security2;
EFI_SECURITY_FILE_AUTHENTICATION_STATE original_hook;
EFI_SECURITY2_FILE_AUTHENTICATION original_hook2;
security_validator_t validator;
const void *validator_ctx;
} security_override;
static EFIAPI EFI_STATUS security_hook(
const EFI_SECURITY_ARCH_PROTOCOL *this,
uint32_t authentication_status,
const EFI_DEVICE_PATH *file) {
assert(security_override.validator);
assert(security_override.security);
assert(security_override.original_hook);
if (security_override.validator(security_override.validator_ctx, file, NULL, 0))
return EFI_SUCCESS;
return security_override.original_hook(security_override.security, authentication_status, file);
}
static EFIAPI EFI_STATUS security2_hook(
const EFI_SECURITY2_ARCH_PROTOCOL *this,
const EFI_DEVICE_PATH *device_path,
void *file_buffer,
size_t file_size,
bool boot_policy) {
assert(security_override.validator);
assert(security_override.security2);
assert(security_override.original_hook2);
if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size))
return EFI_SUCCESS;
return security_override.original_hook2(
security_override.security2, device_path, file_buffer, file_size, boot_policy);
}
/* This replaces the platform provided security arch protocols hooks (defined in the UEFI Platform
* Initialization Specification) with our own that uses the given validator to decide if a image is to be
* trusted. If not running in secure boot or the protocols are not available nothing happens. The override
* must be removed with uninstall_security_override() after LoadImage() has been called.
*
* This is a hack as we do not own the security protocol instances and modifying them is not an official part
* of their spec. But there is little else we can do to circumvent secure boot short of implementing our own
* PE loader. We could replace the firmware instances with our own instance using
* ReinstallProtocolInterface(), but some firmware will still use the old ones. */
void install_security_override(security_validator_t validator, const void *validator_ctx) {
EFI_STATUS err;
assert(validator);
if (!secure_boot_enabled())
return;
security_override = (struct SecurityOverride) {
.validator = validator,
.validator_ctx = validator_ctx,
};
EFI_SECURITY_ARCH_PROTOCOL *security = NULL;
err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY_ARCH_PROTOCOL), NULL, (void **) &security);
if (err == EFI_SUCCESS) {
security_override.security = security;
security_override.original_hook = security->FileAuthenticationState;
security->FileAuthenticationState = security_hook;
}
EFI_SECURITY2_ARCH_PROTOCOL *security2 = NULL;
err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY2_ARCH_PROTOCOL), NULL, (void **) &security2);
if (err == EFI_SUCCESS) {
security_override.security2 = security2;
security_override.original_hook2 = security2->FileAuthentication;
security2->FileAuthentication = security2_hook;
}
}
void uninstall_security_override(void) {
if (security_override.original_hook)
security_override.security->FileAuthenticationState = security_override.original_hook;
if (security_override.original_hook2)
security_override.security2->FileAuthentication = security_override.original_hook2;
}
|
