From f1ac62256a57616988f89b91be0e35ac17144400 Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Fri, 11 Nov 2022 10:42:09 +0800
Subject: [PATCH] bugfix for SMx feature
---
...ryptlib-support-sm2-signature-verify.patch | 4 +-
...e-shim-support-sm2-and-sm3-algorithm.patch | 88 +++++++++++--------
shim.spec | 5 +-
3 files changed, 56 insertions(+), 41 deletions(-)
diff --git a/Feature-shim-cryptlib-support-sm2-signature-verify.patch b/Feature-shim-cryptlib-support-sm2-signature-verify.patch
index 105a065..b3086c8 100644
--- a/Feature-shim-cryptlib-support-sm2-signature-verify.patch
+++ b/Feature-shim-cryptlib-support-sm2-signature-verify.patch
@@ -757,7 +757,7 @@ index 89fd5cd..7885a1a 100644
SysCall/BaseMemAllocation.o \
SysCall/BaseStrings.o
-+ifdef SHIM_ENABLE_SM
++ifdef ENABLE_SHIM_SM
+OBJS += Hash/CryptSm3.o
+else
+DEFINES += -DOPENSSL_NO_SM3
@@ -777,7 +777,7 @@ index 795f471..32fb235 100644
- crypto/cmac/cm_pmeth.o \
+ crypto/cmac/cm_pmeth.o
+
-+ifdef SHIM_ENABLE_SM
++ifdef ENABLE_SHIM_SM
+OBJS +=crypto/ec/ec_ameth.o \
+ crypto/ec/ec_cvt.o \
+ crypto/ec/eck_prn.o \
diff --git a/Feature-shim-support-sm2-and-sm3-algorithm.patch b/Feature-shim-support-sm2-and-sm3-algorithm.patch
index d43769a..0bec161 100644
--- a/Feature-shim-support-sm2-and-sm3-algorithm.patch
+++ b/Feature-shim-support-sm2-and-sm3-algorithm.patch
@@ -1,26 +1,36 @@
-From b56474e6f7d0ddece0f5dd87e410f8f482f66a58 Mon Sep 17 00:00:00 2001
+From 946a1e8e7fc05b8c5bfd522ba806eeea3e0344d6 Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Mon, 7 Nov 2022 11:47:42 +0800
-Subject: [PATCH 5/5] shim support sm2 and sm3 algorithm
+Subject: [PATCH] shim support sm2 and sm3 algorithm
Co-authored-by: Yusong Gao
Signed-off-by: Yusong Gao
Signed-off-by: Huaxin Lu
---
- Makefile | 2 +-
+ Makefile | 5 ++-
MokManager.c | 8 ++++
include/pe.h | 7 ++++
include/peimage.h | 3 ++
pe.c | 100 ++++++++++++++++++++++++++++++++++++++++++++++
- shim.c | 73 +++++++++++++++++++++++++++++++--
+ shim.c | 74 ++++++++++++++++++++++++++++++++--
shim.h | 20 ++++++++++
- 7 files changed, 208 insertions(+), 5 deletions(-)
+ 7 files changed, 212 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
-index 24ac314..8876f9f 100644
+index 24ac314..9b8d7e8 100644
--- a/Makefile
+++ b/Makefile
-@@ -163,7 +163,7 @@ Cryptlib/libcryptlib.a:
+@@ -38,6 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT
+ else
+ TARGETS += $(MMNAME) $(FBNAME)
+ endif
++ifneq ($(origin ENABLE_SHIM_SM),undefined)
++CFLAGS += -DENABLE_SHIM_SM
++endif
+ OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
+ KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S
+@@ -163,7 +166,7 @@ Cryptlib/libcryptlib.a:
$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
Cryptlib/OpenSSL/libopenssl.a:
@@ -126,12 +136,12 @@ index ba3e2bb..37b08a3 100644
sha1ctxsize = Sha1GetContextSize();
sha1ctx = AllocatePool(sha1ctxsize);
-+#ifdef SHIM_ENABLE_SM
++#ifdef ENABLE_SHIM_SM
+ sm3ctxsize = Sm3GetContextSize();
+ sm3ctx = AllocatePool(sm3ctxsize);
+#endif
+
-+#ifdef SHIM_ENABLE_SM
++#ifdef ENABLE_SHIM_SM
+ if (!sha256ctx || !sha1ctx || !sm3ctx) {
+#else
if (!sha256ctx || !sha1ctx) {
@@ -140,7 +150,7 @@ index ba3e2bb..37b08a3 100644
return EFI_OUT_OF_RESOURCES;
}
-+#ifdef SHIM_ENABLE_SM
++#ifdef ENABLE_SHIM_SM
+ if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx) || !Sm3Init(sm3ctx)) {
+#else
if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
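Review bot: The new top-level Makefile block enables the feature with `ifneq ($(origin ENABLE_SHIM_SM),undefined)`, while the Cryptlib and OpenSSL makefile hunks in Feature-shim-cryptlib-support-sm2-signature-verify.patch (`@@ -757,7 +757,7 @@` and `@@ -777,7 +777,7 @@`) test `ifdef ENABLE_SHIM_SM`; GNU make's `ifdef` is false for a variable defined with an empty value, so `make ENABLE_SHIM_SM=` would compile shim with `-DENABLE_SHIM_SM` but leave `Hash/CryptSm3.o` out and keep `-DOPENSSL_NO_SM3`, presumably failing at link time on the Sm3* symbols. The surrounding ENABLE_SHIM_CERT block appears to use the origin test, so the two Cryptlib hunks should probably switch to `ifneq ($(origin ENABLE_SHIM_SM),undefined)` as well, or all three should use `ifdef`. The new lines also rely on the variable reaching the Cryptlib sub-make, which holds for command-line and environment settings but not for one assigned inside an included makefile; a comment such as `# ENABLE_SHIM_SM must come from the command line or environment so the Cryptlib sub-make sees it too.` would make that expectation explicit.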
@@ -152,7 +162,7 @@ index ba3e2bb..37b08a3 100644 hashbase; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -167,7 +177,7 @@ index ba3e2bb..37b08a3 100644 hashsize = (char *)context->SecDir - hashbase; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -182,7 +192,7 @@ index ba3e2bb..37b08a3 100644 } check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -197,7 +207,7 @@ index ba3e2bb..37b08a3 100644 hashsize = (unsigned int) Section->SizeOfRawData; check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -212,7 +222,7 @@ index ba3e2bb..37b08a3 100644 } check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { @@ -227,7 +237,7 @@ index ba3e2bb..37b08a3 100644 check_size(data, datasize, hashbase, hashsize); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || + !(Sha1Update(sha1ctx, hashbase, hashsize)) || + !(Sm3Update(sm3ctx, hashbase, hashsize))) { 
@@ -242,7 +252,7 @@ index ba3e2bb..37b08a3 100644 } #endif -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (!(Sha256Final(sha256ctx, sha256hash)) || + !(Sha1Final(sha1ctx, sha1hash)) || + !(Sm3Final(sm3ctx, sm3hash))) { @@ -257,7 +267,7 @@ index ba3e2bb..37b08a3 100644 dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0); dprint(L"sha256 authenticode hash:\n"); dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + dprint(L"sm3 authenticode hash:\n"); + dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0); +#endif @@ -268,7 +278,7 @@ index ba3e2bb..37b08a3 100644 FreePool(sha1ctx); if (sha256ctx) FreePool(sha256ctx); -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + if (sm3ctx) + FreePool(sm3ctx); +#endif @@ -279,7 +289,7 @@ index ba3e2bb..37b08a3 100644 EFI_STATUS efi_status; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + UINT8 sm3hash[SHA256_DIGEST_SIZE]; +#endif @@ -289,7 +299,7 @@ index ba3e2bb..37b08a3 100644 * in order to load it. */ if (secure_mode()) { -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = verify_buffer(data, datasize, + context, sha256hash, sha1hash, sm3hash); +#else @@ -303,7 +313,7 @@ index ba3e2bb..37b08a3 100644 * this is only useful for the TPM1.2 case. We should try to fix * this in a follow-up. */ -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = generate_hash(data, datasize, context, sha256hash, + sha1hash, sm3hash); +#else @@ -317,7 +327,7 @@ index ba3e2bb..37b08a3 100644 int found_entry_point = 0; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + UINT8 sm3hash[SM3_DIGEST_SIZE]; +#endif @@ -327,7 +337,7 @@ index ba3e2bb..37b08a3 100644 * in order to load it. */ if (secure_mode ()) { -+#ifdef SHIM_ENABLE_SM ++#ifdef ENABLE_SHIM_SM + efi_status = verify_buffer(data, datasize, &context, sha256hash, + sha1hash, sm3hash); +#else 
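Review bot: In the hunk at `@@ -279,7 +289,7 @@` the buffer that receives the SM3 digest is declared as `UINT8 sm3hash[SHA256_DIGEST_SIZE];`, while the matching declaration in the `@@ -317,7 +327,7 @@` hunk and the `Sm3Final(sm3ctx, sm3hash)` and `dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0)` lines size it with SM3_DIGEST_SIZE. The two constants are presumably both 32 so this is not an overflow today, but the buffer is handed to verify_buffer()/generate_hash(), which fill SM3_DIGEST_SIZE bytes of it, so its size should be tied to the constant those writers use: `UINT8 sm3hash[SM3_DIGEST_SIZE];`. This line is unchanged context in the commit (only the `#ifdef` above it is renamed), and the enclosing function starts and ends outside the hunk.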
@@ -341,7 +351,7 @@ index ba3e2bb..37b08a3 100644
* this is only useful for the TPM1.2 case. We should try to fix
* this in a follow-up.
*/
-+#ifdef SHIM_ENABLE_SM
++#ifdef ENABLE_SHIM_SM
+ efi_status = generate_hash(data, datasize, &context, sha256hash,
+ sha1hash, sm3hash);
+#else
@@ -352,7 +362,7 @@ index ba3e2bb..37b08a3 100644
return efi_status;
diff --git a/shim.c b/shim.c
-index fdd205e..5662ca8 100644
+index fdd205e..400bd9a 100644
--- a/shim.c
+++ b/shim.c
@@ -458,11 +458,20 @@ BOOLEAN secure_mode (void)
@@ -376,27 +386,29 @@ index fdd205e..5662ca8 100644
/*
* Ensure that the binary isn't forbidden
-@@ -533,10 +542,15 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+@@ -532,11 +541,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+ if (vendor_cert_size) {
dprint("verifying against vendor_cert\n");
}
++#ifdef ENABLE_SHIM_SM
if (vendor_cert_size &&
- AuthenticodeVerify(sig->CertData,
- sig->Hdr.dwLength - sizeof(sig->Hdr),
- vendor_cert, vendor_cert_size,
- sha256hash, SHA256_DIGEST_SIZE)) {
-+#ifdef ENABLE_SHIM_SM
+ (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE) ||
+ AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sm3hash, SM3_DIGEST_SIZE))) {
+#else
++ if (vendor_cert_size &&
+ (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) {
++ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE))) {
+#endif
dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n");
update_verification_method(VERIFIED_BY_CERT);
tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
-@@ -558,10 +572,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+@@ -558,10 +573,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
/*
* Check that the signature is valid and matches the binary
*/
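Review bot: With ENABLE_SHIM_SM the vendor-cert check in verify_one_signature now accepts the image when AuthenticodeVerify succeeds for either the SHA-256 or the SM3 authenticode digest, and nothing records which digest matched before `update_verification_method(VERIFIED_BY_CERT)` and the TPM measurement run; that acceptance policy deserves a comment above the `#ifdef`, e.g. `/* SM builds accept a vendor signature over either the SHA-256 or the SM3 authenticode digest. */`. Both digests are 32 bytes, so this stays sound only if AuthenticodeVerify binds the supplied hash to the PKCS#7 digestAlgorithm rather than to its length alone — that lives in the Cryptlib patch, not in this hunk, and is worth confirming. The `if (vendor_cert_size &&` line and the SHA-256 call are now duplicated verbatim in the two preprocessor branches, with only the `|| AuthenticodeVerify(..., sm3hash, SM3_DIGEST_SIZE)` alternative differing; computing the result into a local first keeps a single `if` and confines the `#ifdef` to the SM3 call. verify_one_signature begins and ends outside the hunk.
```c
	BOOLEAN vendor_ok = FALSE;
	if (vendor_cert_size) {
		vendor_ok = AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
					       vendor_cert, vendor_cert_size,
					       sha256hash, SHA256_DIGEST_SIZE);
#ifdef ENABLE_SHIM_SM
		/* SM builds also accept a vendor signature over the SM3 digest. */
		if (!vendor_ok)
			vendor_ok = AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
						       vendor_cert, vendor_cert_size,
						       sm3hash, SM3_DIGEST_SIZE);
#endif
	}
	if (vendor_ok) {
		/* … unchanged: dprint, update_verification_method, tpm_measure_variable … */
```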
@@ -414,7 +426,7 @@ index fdd205e..5662ca8 100644 { EFI_STATUS ret_efi_status; size_t size = datasize; -@@ -578,7 +599,12 @@ verify_buffer_authenticode (char *data, int datasize, +@@ -578,7 +600,12 @@ verify_buffer_authenticode (char *data, int datasize, */ drain_openssl_errors(); @@ -427,7 +439,7 @@ index fdd205e..5662ca8 100644 if (EFI_ERROR(ret_efi_status)) { dprint(L"generate_hash: %r\n", ret_efi_status); PrintErrors(); -@@ -665,7 +691,11 @@ verify_buffer_authenticode (char *data, int datasize, +@@ -665,7 +692,11 @@ verify_buffer_authenticode (char *data, int datasize, dprint(L"Attempting to verify signature %d:\n", i++); @@ -439,7 +451,7 @@ index fdd205e..5662ca8 100644 /* * If we didn't get EFI_SECURITY_VIOLATION from -@@ -746,10 +776,17 @@ verify_buffer_sbat (char *data, int datasize, +@@ -746,10 +777,17 @@ verify_buffer_sbat (char *data, int datasize, * Check that the signature is valid and matches the binary and that * the binary is permitted to load by SBAT. */ @@ -457,7 +469,7 @@ index fdd205e..5662ca8 100644 { EFI_STATUS efi_status; -@@ -757,7 +794,11 @@ verify_buffer (char *data, int datasize, +@@ -757,7 +795,11 @@ verify_buffer (char *data, int datasize, if (EFI_ERROR(efi_status)) return efi_status; @@ -469,7 +481,7 @@ index fdd205e..5662ca8 100644 } static int -@@ -970,6 +1011,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) +@@ -970,6 +1012,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) PE_COFF_LOADER_IMAGE_CONTEXT context; UINT8 sha1hash[SHA1_DIGEST_SIZE]; UINT8 sha256hash[SHA256_DIGEST_SIZE]; @@ -479,7 +491,7 @@ index fdd205e..5662ca8 100644 if ((INT32)size < 0) return EFI_INVALID_PARAMETER; -@@ -981,8 +1025,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) +@@ -981,8 +1026,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) if (EFI_ERROR(efi_status)) goto done; 
@@ -493,7 +505,7 @@ index fdd205e..5662ca8 100644
if (EFI_ERROR(efi_status))
goto done;
-@@ -1002,16 +1051,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+@@ -1002,16 +1052,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
goto done;
}
@@ -521,7 +533,7 @@ index fdd205e..5662ca8 100644
{
EFI_STATUS efi_status;
-@@ -1019,8 +1079,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
+@@ -1019,8 +1080,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
return EFI_INVALID_PARAMETER;
in_protocol = 1;
diff --git a/shim.spec b/shim.spec
index 688b1bf..73376a3 100644
--- a/shim.spec
+++ b/shim.spec
@@ -22,7 +22,7 @@
Name: shim
Version: 15.6
-Release: 4
+Release: 5
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@@ -157,6 +157,9 @@ cd ..
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
+* Fri Nov 11 2022 luhuaxin - 15.6-5
+- Bugfix for SMx feature
+
* Thu Nov 10 2022 jinlun - 15.6-4
- Add BuildRequires on the arrch64
-- Gitee