diff --git a/Feature-shim-cryptlib-support-sm2-signature-verify.patch b/Feature-shim-cryptlib-support-sm2-signature-verify.patch index 105a0656c0beb9b92e7fa4e42b0907e5cfc72f7c..173906ca6fac957d4ccabad8ab7f47f503aa6c49 100644 --- a/Feature-shim-cryptlib-support-sm2-signature-verify.patch +++ b/Feature-shim-cryptlib-support-sm2-signature-verify.patch @@ -1,7 +1,7 @@ -From 9137b68d161ccb95b1019c4885d0519ebbf4678a Mon Sep 17 00:00:00 2001 +From df8dab733a8795e896acfd459b2b9adc9607e831 Mon Sep 17 00:00:00 2001 From: Huaxin Lu Date: Mon, 7 Nov 2022 11:46:33 +0800 -Subject: [PATCH 4/5] shim cryptlib support sm2 signature verify +Subject: [PATCH 1/2] shim cryptlib support sm2 signature verify Co-authored-by: Yusong Gao Signed-off-by: Yusong Gao @@ -12,9 +12,9 @@ Signed-off-by: Huaxin Lu Cryptlib/Include/openssl/ec.h | 20 ++ Cryptlib/Include/openssl/ecdsa.h | 7 + Cryptlib/Include/openssl/err.h | 6 + - Cryptlib/Include/openssl/evp.h | 25 +++ + Cryptlib/Include/openssl/evp.h | 27 ++- Cryptlib/Include/openssl/obj_mac.h | 33 +++ - Cryptlib/Include/openssl/opensslconf.h | 8 +- + Cryptlib/Include/openssl/opensslconf.h | 7 +- Cryptlib/Include/openssl/x509.h | 7 + Cryptlib/Library/BaseCryptLib.h | 111 ++++++++++ Cryptlib/Makefile | 6 + @@ -27,7 +27,7 @@ Signed-off-by: Huaxin Lu Cryptlib/OpenSSL/crypto/err/err.c | 1 + Cryptlib/OpenSSL/crypto/evp/c_alld.c | 3 + Cryptlib/OpenSSL/crypto/evp/digest.c | 62 +++++- - Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 5 + + Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 24 +++ Cryptlib/OpenSSL/crypto/evp/evp_locl.h | 10 + Cryptlib/OpenSSL/crypto/evp/m_sigver.c | 17 ++ Cryptlib/OpenSSL/crypto/evp/p_lib.c | 44 ++++ @@ -37,14 +37,14 @@ 
Signed-off-by: Huaxin Lu Cryptlib/OpenSSL/crypto/objects/obj_dat.h | 46 +++- Cryptlib/OpenSSL/crypto/objects/obj_xref.h | 2 + Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c | 34 ++- - Cryptlib/OpenSSL/crypto/x509/x_all.c | 142 +++++++++++++ + Cryptlib/OpenSSL/crypto/x509/x_all.c | 145 +++++++++++++ Cryptlib/Pk/CryptPkcs7Verify.c | 5 + - 32 files changed, 997 insertions(+), 38 deletions(-) + 32 files changed, 1020 insertions(+), 38 deletions(-) create mode 100644 Cryptlib/Hash/CryptSm3.c diff --git a/Cryptlib/Hash/CryptSm3.c b/Cryptlib/Hash/CryptSm3.c new file mode 100644 -index 0000000..c522365 +index 0000000..84d7acc --- /dev/null +++ b/Cryptlib/Hash/CryptSm3.c @@ -0,0 +1,231 @@ @@ -271,7 +271,7 @@ index 0000000..c522365 + // + // OpenSSL SM3 Hash Computation. + // -+ ++ + SM3_CTX c; + sm3_init(&c); + sm3_update(&c, Data, DataSize); @@ -433,7 +433,7 @@ index 5a01980..c8286e1 100644 /* * 99 is the maximum possible ERR_R_... code, higher values are reserved for diff --git a/Cryptlib/Include/openssl/evp.h b/Cryptlib/Include/openssl/evp.h -index 376f260..4e1d9bb 100644 +index 376f260..26e8f04 100644 --- a/Cryptlib/Include/openssl/evp.h +++ b/Cryptlib/Include/openssl/evp.h @@ -115,6 +115,7 @@ 
@@ -457,16 +457,17 @@ index 376f260..4e1d9bb 100644 /* * Type needs to be a bit field Sub-type needs to be for variations on the * method, as in, can it do arbitrary encryption.... -@@ -526,6 +533,8 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +@@ -526,6 +533,9 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); # define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) # define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e)) ++void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); +void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); + int EVP_CIPHER_nid(const EVP_CIPHER *cipher); # define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) int EVP_CIPHER_block_size(const EVP_CIPHER *cipher); -@@ -583,6 +592,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c, +@@ -583,6 +593,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c, # define EVP_delete_digest_alias(alias) \ OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS); @@ -476,7 +477,7 @@ index 376f260..4e1d9bb 100644 void EVP_MD_CTX_init(EVP_MD_CTX *ctx); int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); -@@ -666,6 +678,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -666,6 +679,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen); @@ -487,7 +488,7 @@ index 376f260..4e1d9bb 100644 int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *ek, int ekl, const unsigned char *iv, EVP_PKEY *priv); -@@ -741,6 +757,9 @@ const EVP_MD *EVP_ripemd160(void); +@@ -741,6 +758,9 @@ const EVP_MD *EVP_ripemd160(void); # ifndef OPENSSL_NO_WHIRLPOOL const EVP_MD *EVP_whirlpool(void); # endif 
@@ -497,7 +498,7 @@ index 376f260..4e1d9bb 100644 const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ # ifndef OPENSSL_NO_DES const EVP_CIPHER *EVP_des_ecb(void); -@@ -954,10 +973,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey); +@@ -954,10 +974,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey); int EVP_PKEY_bits(EVP_PKEY *pkey); int EVP_PKEY_size(EVP_PKEY *pkey); int EVP_PKEY_set_type(EVP_PKEY *pkey, int type); @@ -513,7 +514,7 @@ index 376f260..4e1d9bb 100644 # ifndef OPENSSL_NO_RSA struct rsa_st; int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key); -@@ -976,6 +1000,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); +@@ -976,6 +1001,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); # ifndef OPENSSL_NO_EC struct ec_key_st; int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key); @@ -521,6 +522,14 @@ index 376f260..4e1d9bb 100644 struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); # endif +@@ -1268,7 +1294,6 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); + int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); + int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); + +-void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb); + EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx); + + int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx); diff --git a/Cryptlib/Include/openssl/obj_mac.h b/Cryptlib/Include/openssl/obj_mac.h index 779c309..91b75e0 100644 --- a/Cryptlib/Include/openssl/obj_mac.h @@ -563,18 +572,10 @@ index 779c309..91b75e0 100644 +#define NID_SM2_with_SM3 964 +#define OBJ_SM2_with_SM3 OBJ_sm_scheme,501L diff --git a/Cryptlib/Include/openssl/opensslconf.h b/Cryptlib/Include/openssl/opensslconf.h -index 4a36e9f..6f19ce6 100644 +index 4a36e9f..12ec552 100644 --- a/Cryptlib/Include/openssl/opensslconf.h 
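Review bot: The new evp.h hunk at `@@ -1268,7 +1294,6 @@` drops the public prototype `void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);` while keeping `EVP_PKEY_CTX_get_cb`, and neither the patch subject nor the changelog entry ("Bugfix for SM2 certificate chain verify") says why a keygen-callback declaration is involved. If the motivation is a conflict with something else in Cryptlib it is not visible here, and any remaining caller would now build only as an implicit declaration, which current toolchains reject. Either keep the declaration and fix whatever conflicts with it, or leave a one-line marker at the removal site, e.g. `/* EVP_PKEY_CTX_set_cb intentionally undeclared here: <reason> */`, so the divergence from upstream evp.h is documented for the next rebase.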
+++ b/Cryptlib/Include/openssl/opensslconf.h -@@ -10,7 +10,6 @@ extern "C" { - #endif - #ifndef OPENSSL_DOING_MAKEDEPEND - -- - #ifndef OPENSSL_NO_BF - # define OPENSSL_NO_BF - #endif -@@ -41,8 +40,8 @@ extern "C" { +@@ -41,8 +41,8 @@ extern "C" { #ifndef OPENSSL_NO_DYNAMIC_ENGINE # define OPENSSL_NO_DYNAMIC_ENGINE #endif @@ -585,7 +586,7 @@ index 4a36e9f..6f19ce6 100644 #endif #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 # define OPENSSL_NO_EC_NISTP_64_GCC_128 -@@ -50,9 +49,6 @@ extern "C" { +@@ -50,9 +50,6 @@ extern "C" { #ifndef OPENSSL_NO_ECDH # define OPENSSL_NO_ECDH #endif @@ -750,14 +751,14 @@ index 2df8bd2..a7fea2c 100644 // MAC (Message Authentication Code) Primitive //===================================================================================== diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile -index 89fd5cd..7885a1a 100644 +index 89fd5cd..c95a960 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -66,6 +66,12 @@ OBJS = Hash/CryptMd4Null.o \ SysCall/BaseMemAllocation.o \ SysCall/BaseStrings.o -+ifdef SHIM_ENABLE_SM ++ifdef ENABLE_SHIM_SM +OBJS += Hash/CryptSm3.o +else +DEFINES += -DOPENSSL_NO_SM3 @@ -767,7 +768,7 @@ index 89fd5cd..7885a1a 100644 libcryptlib.a: $(OBJS) diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile -index 795f471..32fb235 100644 +index 795f471..4923ac3 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -459,7 +459,43 @@ OBJS = crypto/cryptlib.o \ @@ -777,7 +778,7 @@ index 795f471..32fb235 100644 - crypto/cmac/cm_pmeth.o \ + crypto/cmac/cm_pmeth.o + -+ifdef SHIM_ENABLE_SM ++ifdef ENABLE_SHIM_SM +OBJS +=crypto/ec/ec_ameth.o \ + crypto/ec/ec_cvt.o \ + crypto/ec/eck_prn.o \ @@ -1074,10 +1075,10 @@ index 4db1796..ffc03ef 100644 } } diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c -index 7e0bab9..5945494 100644 +index 7e0bab9..24da25d 100644 --- a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c 
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c -@@ -389,3 +389,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) +@@ -389,3 +389,27 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) { return (ctx->flags & flags); } @@ -1086,6 +1087,25 @@ index 7e0bab9..5945494 100644 +{ + return ctx->md_data; +} ++ ++void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) ++{ ++ /* ++ * it's reasonable to set NULL pctx (a.k.a clear the ctx->pctx), so ++ * we have to deal with the cleanup job here. ++ */ ++ if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) ++ EVP_PKEY_CTX_free(ctx->pctx); ++ ++ ctx->pctx = pctx; ++ ++ if (pctx != NULL) { ++ /* make sure pctx is not freed when destroying EVP_MD_CTX */ ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); ++ } else { ++ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); ++ } ++} diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h b/Cryptlib/OpenSSL/crypto/evp/evp_locl.h index 2bb709a..1d179ef 100644 --- a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h @@ -1642,10 +1662,10 @@ index dd6c73f..846fcf8 100644 return (ret); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c -index 0f26c54..0228582 100644 +index 0f26c54..59a41e3 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x_all.c +++ b/Cryptlib/OpenSSL/crypto/x509/x_all.c -@@ -71,16 +71,158 @@ +@@ -71,16 +71,161 @@ # include #endif @@ -1660,7 +1680,7 @@ index 0f26c54..0228582 100644 +{ + X509 *x = NULL; + X509_REQ *r = NULL; -+ EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx = NULL; + unsigned char *buf_in = NULL; + int ret = -1, inl = 0; + size_t inll = 0; 
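Review bot: `EVP_MD_CTX_set_pkey_ctx` is added without a comment on the one thing a caller must know: after the call the digest context does not own `pctx` (the KEEP flag suppresses the free on cleanup), so the caller has to free it itself, while passing NULL clears the slot and frees a previously installed, context-owned pkey ctx. I would put above the function: `/* Install pctx into ctx without transferring ownership: the caller must free pctx itself after the digest context is cleaned up. A NULL pctx clears the slot and frees any ctx-owned pkey context. */`. This behaviour also depends on EVP_MD_CTX_cleanup in this 1.0.2-era tree honouring EVP_MD_CTX_FLAG_KEEP_PKEY_CTX, which only holds if the digest.c changes listed in the diffstat (not shown here) add that check; worth confirming before relying on it in x_all.c.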
@@ -1694,17 +1714,20 @@ index 0f26c54..0228582 100644 + return -1; + } + -+ EVP_MD_CTX_init(&ctx); ++ ctx = EVP_MD_CTX_new(); ++ if (ctx == NULL) ++ goto err; + + /* Check public key OID matches public key type */ + if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id) { + goto err; + } + -+ if (!EVP_PKEY_set_type(pkey, EVP_PKEY_SM2)) { ++ if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) { + ret = 0; + goto err; + } ++ + pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (pctx == NULL) { + ret = 0; @@ -1716,9 +1739,9 @@ index 0f26c54..0228582 100644 + ret = 0; + goto err; + } -+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); + -+ if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) { ++ EVP_MD_CTX_set_pkey_ctx(ctx, pctx); ++ if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) { + ret = 0; + goto err; + } @@ -1735,7 +1758,7 @@ index 0f26c54..0228582 100644 + } + inll = inl; + -+ ret = EVP_DigestVerify(&ctx, signature->data, ++ ret = EVP_DigestVerify(ctx, signature->data, + (size_t)signature->length, buf_in, inl); + if (ret <= 0) { + goto err; @@ -1743,7 +1766,7 @@ index 0f26c54..0228582 100644 + ret = 1; + err: + OPENSSL_cleanse(buf_in, inll); -+ EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(ctx); + EVP_PKEY_CTX_free(pctx); + return ret; +} diff --git a/Feature-shim-support-sm2-and-sm3-algorithm.patch b/Feature-shim-support-sm2-and-sm3-algorithm.patch index d43769accdfa2885ac836ddac7d3e9d9e65c788d..ec99aac18263a25dce6479caa7b5b8ca2bd50001 100644 --- a/Feature-shim-support-sm2-and-sm3-algorithm.patch +++ b/Feature-shim-support-sm2-and-sm3-algorithm.patch @@ -1,26 +1,36 @@ -From b56474e6f7d0ddece0f5dd87e410f8f482f66a58 Mon Sep 17 00:00:00 2001 +From e1f5fc87be6581b63550218d991c713ad0f23113 Mon Sep 17 00:00:00 2001 From: Huaxin Lu Date: Mon, 7 Nov 2022 11:47:42 +0800 -Subject: [PATCH 5/5] shim support sm2 and sm3 algorithm +Subject: [PATCH 2/2] shim support sm2 and sm3 algorithm Co-authored-by: Yusong Gao Signed-off-by: Yusong Gao 
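Review bot: `buf_in` is cleansed at `err:` but never released: the exit path is `OPENSSL_cleanse(buf_in, inll);` followed by `EVP_MD_CTX_free(ctx);`, `EVP_PKEY_CTX_free(pctx);` and `return ret;`, so the DER buffer allocated above this hunk (presumably by ASN1_item_i2d, as in the upstream function this mirrors) leaks on every SM2 verification, whether it succeeds or fails. Upstream uses `OPENSSL_clear_free`; with the older API in this tree the fix is to add `OPENSSL_free(buf_in);` directly after the cleanse, which is also safe on the early-exit paths where buf_in is still NULL. Separately, `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` retags the caller's key object in place and is not undone on exit; if that EVP_PKEY is reused by a non-SM2 path, restore it with `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_EC)` before returning. The function's signature and the buffer allocation sit above this hunk.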
Signed-off-by: Huaxin Lu --- - Makefile | 2 +- + Makefile | 5 ++- MokManager.c | 8 ++++ include/pe.h | 7 ++++ include/peimage.h | 3 ++ pe.c | 100 ++++++++++++++++++++++++++++++++++++++++++++++ - shim.c | 73 +++++++++++++++++++++++++++++++-- + shim.c | 74 ++++++++++++++++++++++++++++++++-- shim.h | 20 ++++++++++ - 7 files changed, 208 insertions(+), 5 deletions(-) + 7 files changed, 212 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile -index 24ac314..8876f9f 100644 +index 24ac314..9b8d7e8 100644 --- a/Makefile +++ b/Makefile -@@ -163,7 +163,7 @@ Cryptlib/libcryptlib.a: +@@ -38,6 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT + else + TARGETS += $(MMNAME) $(FBNAME) + endif ++ifneq ($(origin ENABLE_SHIM_SM),undefined) ++CFLAGS += -DENABLE_SHIM_SM ++endif + OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o + KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer + ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S +@@ -163,7 +166,7 @@ Cryptlib/libcryptlib.a: $(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile Cryptlib/OpenSSL/libopenssl.a: @@ -94,7 +104,7 @@ index e97b29c..7a4f356 100644 typedef struct { diff --git a/pe.c b/pe.c -index ba3e2bb..37b08a3 100644 +index ba3e2bb..f48d635 100644 --- a/pe.c +++ b/pe.c @@ -297,13 +297,24 @@ get_section_vma_by_name (char *name, size_t namesz, @@ -126,12 +136,12 @@ index ba3e2bb..37b08a3 100644 sha1ctxsize = Sha1GetContextSize(); sha1ctx = AllocatePool(sha1ctxsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + sm3ctxsize = Sm3GetContextSize(); + sm3ctx = AllocatePool(sm3ctxsize); +#endif + -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!sha256ctx || !sha1ctx || !sm3ctx) { +#else if (!sha256ctx || !sha1ctx) { 
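Review bot: The top-level Makefile turns the feature on with `ifneq ($(origin ENABLE_SHIM_SM),undefined)`, which is true even for an empty value (`make ENABLE_SHIM_SM=`), while the Cryptlib Makefiles in the first patch gate their objects with `ifdef ENABLE_SHIM_SM`, which is false for an empty value. In that case shim.c and pe.c are compiled with `-DENABLE_SHIM_SM` and call `Sm3Init`/`Sm3Update`/`Sm3Final`, but `Hash/CryptSm3.o` and the SM2 objects are left out and `-DOPENSSL_NO_SM3` is added, so the two halves of the build disagree and the link fails. Use one test everywhere, e.g. `ifdef ENABLE_SHIM_SM` here as well, or `ifneq ($(ENABLE_SHIM_SM),)` in all three files.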
@@ -140,7 +150,7 @@ index ba3e2bb..37b08a3 100644 return EFI_OUT_OF_RESOURCES; } -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx) || !Sm3Init(sm3ctx)) { +#else if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) { @@ -152,7 +162,7 @@ index ba3e2bb..37b08a3 100644 hashbase; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -167,7 +177,7 @@ index ba3e2bb..37b08a3 100644 hashsize = (char *)context->SecDir - hashbase; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -182,7 +192,7 @@ index ba3e2bb..37b08a3 100644 } check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -197,7 +207,7 @@ index ba3e2bb..37b08a3 100644 hashsize = (unsigned int) Section->SizeOfRawData; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -212,7 +222,7 @@ index ba3e2bb..37b08a3 100644 } check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { 
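Review bot: The same eight-line `#ifdef ENABLE_SHIM_SM` / `#else` block around the three `*Update` calls is now repeated at every hashed region of generate_hash (this hunk and the preceding ones), so any later change to the hashing loop has to be made in six places and it is easy for one copy to drift from the others. A small static helper that takes the three contexts and performs all the updates collapses each site to a single call and keeps the SM3 conditional in one place; declaring `void *sm3ctx = NULL;` unconditionally in generate_hash lets the call sites drop their `#ifdef` entirely, and the existing error handling at each site is unchanged. generate_hash starts and ends outside this hunk, so the helper would go above it.

```c
/*
 * Feed one hashed region into every digest being computed.  sm3ctx is
 * unused when the build does not enable SM3.  Returns FALSE on any failure.
 */
static BOOLEAN
update_all_hashes(void *sha256ctx, void *sha1ctx, void *sm3ctx,
		  void *hashbase, UINTN hashsize)
{
	if (!Sha256Update(sha256ctx, hashbase, hashsize) ||
	    !Sha1Update(sha1ctx, hashbase, hashsize))
		return FALSE;
#ifdef ENABLE_SHIM_SM
	if (!Sm3Update(sm3ctx, hashbase, hashsize))
		return FALSE;
#else
	(void)sm3ctx;
#endif
	return TRUE;
}

/* … unchanged: generate_hash up to each hashed region … */
	check_size(data, datasize, hashbase, hashsize);
	if (!update_all_hashes(sha256ctx, sha1ctx, sm3ctx, hashbase, hashsize)) {
		/* … unchanged: existing error handling … */
	}
```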
@@ -227,7 +237,7 @@ index ba3e2bb..37b08a3 100644 check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -242,7 +252,7 @@ index ba3e2bb..37b08a3 100644 } #endif -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Final(sha256ctx, sha256hash)) || + !(Sha1Final(sha1ctx, sha1hash)) || + !(Sm3Final(sm3ctx, sm3hash))) { @@ -257,7 +267,7 @@ index ba3e2bb..37b08a3 100644 dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0); dprint(L"sha256 authenticode hash:\n"); dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + dprint(L"sm3 authenticode hash:\n"); + dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0); +#endif @@ -268,7 +278,7 @@ index ba3e2bb..37b08a3 100644 FreePool(sha1ctx); if (sha256ctx) FreePool(sha256ctx); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (sm3ctx) + FreePool(sm3ctx); +#endif @@ -279,7 +289,7 @@ index ba3e2bb..37b08a3 100644 EFI_STATUS efi_status; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + UINT8 sm3hash[SHA256_DIGEST_SIZE]; +#endif @@ -289,7 +299,7 @@ index ba3e2bb..37b08a3 100644 * in order to load it. */ if (secure_mode()) { -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = verify_buffer(data, datasize, + context, sha256hash, sha1hash, sm3hash); +#else @@ -303,7 +313,7 @@ index ba3e2bb..37b08a3 100644 * this is only useful for the TPM1.2 case. We should try to fix * this in a follow-up. */ -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = generate_hash(data, datasize, context, sha256hash, + sha1hash, sm3hash); +#else 
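Review bot: In the `@@ -279,7 +289,7 @@` hunk the SM3 digest buffer is declared as `UINT8 sm3hash[SHA256_DIGEST_SIZE];`, whereas the parallel declaration in the later hunk of this file and the `dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0)` call above both use `SM3_DIGEST_SIZE`. The two constants are presumably both 32 so nothing overflows today, but this buffer is filled by `Sm3Final` and its size should be stated in SM3 terms so the two can never diverge; change it to `UINT8 sm3hash[SM3_DIGEST_SIZE];`. The enclosing function begins above the hunk.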
@@ -317,7 +327,7 @@ index ba3e2bb..37b08a3 100644 int found_entry_point = 0; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + UINT8 sm3hash[SM3_DIGEST_SIZE]; +#endif @@ -327,7 +337,7 @@ index ba3e2bb..37b08a3 100644 * in order to load it. */ if (secure_mode ()) { -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = verify_buffer(data, datasize, &context, sha256hash, + sha1hash, sm3hash); +#else @@ -341,7 +351,7 @@ index ba3e2bb..37b08a3 100644 * this is only useful for the TPM1.2 case. We should try to fix * this in a follow-up. */ -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = generate_hash(data, datasize, &context, sha256hash, + sha1hash, sm3hash); +#else @@ -352,7 +362,7 @@ index ba3e2bb..37b08a3 100644 return efi_status; diff --git a/shim.c b/shim.c -index fdd205e..5662ca8 100644 +index fdd205e..400bd9a 100644 --- a/shim.c +++ b/shim.c @@ -458,11 +458,20 @@ BOOLEAN secure_mode (void) 
@@ -376,27 +386,29 @@ index fdd205e..5662ca8 100644 /* * Ensure that the binary isn't forbidden -@@ -533,10 +542,15 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, +@@ -532,11 +541,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, + if (vendor_cert_size) { dprint("verifying against vendor_cert\n"); } ++#ifdef ENABLE_SHIM_SM if (vendor_cert_size && - AuthenticodeVerify(sig->CertData, - sig->Hdr.dwLength - sizeof(sig->Hdr), - vendor_cert, vendor_cert_size, - sha256hash, SHA256_DIGEST_SIZE)) { -+#ifdef ENABLE_SHIM_SM + (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr), + vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE) || + AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr), + vendor_cert, vendor_cert_size, sm3hash, SM3_DIGEST_SIZE))) { +#else ++ if (vendor_cert_size && + (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr), -+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { ++ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE))) { +#endif dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n"); update_verification_method(VERIFIED_BY_CERT); tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -@@ -558,10 +572,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, +@@ -558,10 +573,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, /* * Check that the signature is valid and matches the binary */ @@ -414,7 +426,7 @@ index fdd205e..5662ca8 100644 { EFI_STATUS ret_efi_status; size_t size = datasize; -@@ -578,7 +599,12 @@ verify_buffer_authenticode (char *data, int datasize, +@@ -578,7 +600,12 @@ verify_buffer_authenticode (char *data, int datasize, */ drain_openssl_errors(); 
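Review bot: With ENABLE_SHIM_SM the vendor_cert branch accepts the signature when `AuthenticodeVerify` succeeds against either `sha256hash` or `sm3hash`, so the digest algorithm is chosen by trial rather than from what the signature itself declares, and every signature that does not match SHA-256 is pushed through the PKCS7 parser a second time. If AuthenticodeVerify compares the supplied digest with the one embedded in the signed content (its body is not visible here), then selecting the buffer once from the signature's digest OID, e.g. `hash = sig_uses_sm3 ? sm3hash : sha256hash;` followed by a single call, makes the accepted algorithm explicit, avoids the extra pass on every rejected signature, and keeps the OpenSSL error queue (drained at the top of verify_buffer_authenticode) from carrying a stale failure from the first attempt. The db/MokList branches of verify_one_signature are outside this hunk and presumably need the same treatment.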
@@ -427,7 +439,7 @@ index fdd205e..5662ca8 100644 if (EFI_ERROR(ret_efi_status)) { dprint(L"generate_hash: %r\n", ret_efi_status); PrintErrors(); -@@ -665,7 +691,11 @@ verify_buffer_authenticode (char *data, int datasize, +@@ -665,7 +692,11 @@ verify_buffer_authenticode (char *data, int datasize, dprint(L"Attempting to verify signature %d:\n", i++); @@ -439,7 +451,7 @@ index fdd205e..5662ca8 100644 /* * If we didn't get EFI_SECURITY_VIOLATION from -@@ -746,10 +776,17 @@ verify_buffer_sbat (char *data, int datasize, +@@ -746,10 +777,17 @@ verify_buffer_sbat (char *data, int datasize, * Check that the signature is valid and matches the binary and that * the binary is permitted to load by SBAT. */ @@ -457,7 +469,7 @@ index fdd205e..5662ca8 100644 { EFI_STATUS efi_status; -@@ -757,7 +794,11 @@ verify_buffer (char *data, int datasize, +@@ -757,7 +795,11 @@ verify_buffer (char *data, int datasize, if (EFI_ERROR(efi_status)) return efi_status; @@ -469,7 +481,7 @@ index fdd205e..5662ca8 100644 } static int -@@ -970,6 +1011,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) +@@ -970,6 +1012,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) PE_COFF_LOADER_IMAGE_CONTEXT context; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; @@ -479,7 +491,7 @@ index fdd205e..5662ca8 100644 if ((INT32)size < 0) return EFI_INVALID_PARAMETER; -@@ -981,8 +1025,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) +@@ -981,8 +1026,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) if (EFI_ERROR(efi_status)) goto done; @@ -493,7 +505,7 @@ index fdd205e..5662ca8 100644 if (EFI_ERROR(efi_status)) goto done; -@@ -1002,16 +1051,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) +@@ -1002,16 +1052,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) goto done; } 
@@ -521,7 +533,7 @@ index fdd205e..5662ca8 100644 { EFI_STATUS efi_status; -@@ -1019,8 +1079,13 @@ static EFI_STATUS shim_hash (char *data, int datasize, +@@ -1019,8 +1080,13 @@ static EFI_STATUS shim_hash (char *data, int datasize, return EFI_INVALID_PARAMETER; in_protocol = 1; diff --git a/shim.spec b/shim.spec index c7c60a6dfc368bf057161d9cee1645d1fd170329..5a2c9d6dce5679322ced1e4ea33331cfd5c0e816 100644 --- a/shim.spec +++ b/shim.spec @@ -22,7 +22,7 @@ Name: shim Version: 15.6 -Release: 4 +Release: 6 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -144,6 +144,12 @@ cd .. /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Fri Nov 11 2022 luhuaxin - 15.6-6 +- Bugfix for SM2 certificate chain verify + +* Fri Nov 11 2022 luhuaxin - 15.6-5 +- Bugfix for SMx feature + * Thu Nov 10 2022 jinlun - 15.6-4 - Add BuildRequires on the arrch64