bugfix for SMx feature

2022-11-11 10:42:09 +08:00 · 2022-11-11 10:42:09 +08:00 · a4a25552fe
commit a4a25552fe
parent 6b354f7147
3 changed files with 56 additions and 41 deletions
--- a/Feature-shim-cryptlib-support-sm2-signature-verify.patch
+++ b/Feature-shim-cryptlib-support-sm2-signature-verify.patch
@ -757,7 +757,7 @@ index 89fd5cd..7885a1a 100644
 		    SysCall/BaseMemAllocation.o \
 		    SysCall/BaseStrings.o
-+ifdef SHIM_ENABLE_SM
+ifdef ENABLE_SHIM_SM
 +OBJS		+=  Hash/CryptSm3.o
 +else
 +DEFINES		+= -DOPENSSL_NO_SM3
@ -777,7 +777,7 @@ index 795f471..32fb235 100644
 -		  crypto/cmac/cm_pmeth.o \
 +		  crypto/cmac/cm_pmeth.o
 +
-+ifdef SHIM_ENABLE_SM
+ifdef ENABLE_SHIM_SM
 +OBJS		+=crypto/ec/ec_ameth.o \
 +		  crypto/ec/ec_cvt.o \
 +		  crypto/ec/eck_prn.o \
--- a/Feature-shim-support-sm2-and-sm3-algorithm.patch
+++ b/Feature-shim-support-sm2-and-sm3-algorithm.patch
@ -1,26 +1,36 @@
-From b56474e6f7d0ddece0f5dd87e410f8f482f66a58 Mon Sep 17 00:00:00 2001
+From 946a1e8e7fc05b8c5bfd522ba806eeea3e0344d6 Mon Sep 17 00:00:00 2001
 From: Huaxin Lu <luhuaxin1@huawei.com>
 Date: Mon, 7 Nov 2022 11:47:42 +0800
-Subject: [PATCH 5/5] shim support sm2 and sm3 algorithm
+Subject: [PATCH] shim support sm2 and sm3 algorithm
 Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
 Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
 Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 ---
- Makefile          |   2 +-
+ Makefile          |   5 ++-
 MokManager.c      |   8 ++++
 include/pe.h      |   7 ++++
 include/peimage.h |   3 ++
 pe.c              | 100 ++++++++++++++++++++++++++++++++++++++++++++++
- shim.c            |  73 +++++++++++++++++++++++++++++++--
+ shim.c            |  74 ++++++++++++++++++++++++++++++++--
 shim.h            |  20 ++++++++++
- 7 files changed, 208 insertions(+), 5 deletions(-)
+ 7 files changed, 212 insertions(+), 5 deletions(-)
 diff --git a/Makefile b/Makefile
-index 24ac314..8876f9f 100644
+index 24ac314..9b8d7e8 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -163,7 +163,7 @@ Cryptlib/libcryptlib.a:
+@@ -38,6 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT
 else
 TARGETS += $(MMNAME) $(FBNAME)
 endif
 +ifneq ($(origin ENABLE_SHIM_SM),undefined)
 +CFLAGS += -DENABLE_SHIM_SM
 +endif
 OBJS	= shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
 KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
 ORIG_SOURCES	= shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S
@@ -163,7 +166,7 @@ Cryptlib/libcryptlib.a:
 	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
 Cryptlib/OpenSSL/libopenssl.a:
@ -126,12 +136,12 @@ index ba3e2bb..37b08a3 100644
 	sha1ctxsize = Sha1GetContextSize();
 	sha1ctx = AllocatePool(sha1ctxsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	sm3ctxsize = Sm3GetContextSize();
 +	sm3ctx = AllocatePool(sm3ctxsize);
 +#endif
 +
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!sha256ctx || !sha1ctx || !sm3ctx) {
 +#else
 	if (!sha256ctx || !sha1ctx) {
@ -140,7 +150,7 @@ index ba3e2bb..37b08a3 100644
 		return EFI_OUT_OF_RESOURCES;
 	}
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx) || !Sm3Init(sm3ctx)) {
 +#else
 	if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
@ -152,7 +162,7 @@ index ba3e2bb..37b08a3 100644
 		hashbase;
 	check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -167,7 +177,7 @@ index ba3e2bb..37b08a3 100644
 	hashsize = (char *)context->SecDir - hashbase;
 	check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -182,7 +192,7 @@ index ba3e2bb..37b08a3 100644
 	}
 	check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -197,7 +207,7 @@ index ba3e2bb..37b08a3 100644
 		hashsize  = (unsigned int) Section->SizeOfRawData;
 		check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -212,7 +222,7 @@ index ba3e2bb..37b08a3 100644
 		}
 		check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -227,7 +237,7 @@ index ba3e2bb..37b08a3 100644
 		check_size(data, datasize, hashbase, hashsize);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
 +		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
 +		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -242,7 +252,7 @@ index ba3e2bb..37b08a3 100644
 	}
 #endif
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (!(Sha256Final(sha256ctx, sha256hash)) ||
 +	    !(Sha1Final(sha1ctx, sha1hash)) ||
 +	    !(Sm3Final(sm3ctx, sm3hash))) {
@ -257,7 +267,7 @@ index ba3e2bb..37b08a3 100644
 	dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0);
 	dprint(L"sha256 authenticode hash:\n");
 	dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	dprint(L"sm3 authenticode hash:\n");
 +	dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0);
 +#endif
@ -268,7 +278,7 @@ index ba3e2bb..37b08a3 100644
 		FreePool(sha1ctx);
 	if (sha256ctx)
 		FreePool(sha256ctx);
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	if (sm3ctx)
 +		FreePool(sm3ctx);
 +#endif
@ -279,7 +289,7 @@ index ba3e2bb..37b08a3 100644
 	EFI_STATUS efi_status;
 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	UINT8 sm3hash[SHA256_DIGEST_SIZE];
 +#endif
@ -289,7 +299,7 @@ index ba3e2bb..37b08a3 100644
 	 * in order to load it.
 	 */
 	if (secure_mode()) {
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +		efi_status = verify_buffer(data, datasize,
 +					   context, sha256hash, sha1hash, sm3hash);
 +#else
@ -303,7 +313,7 @@ index ba3e2bb..37b08a3 100644
 	 *  this is only useful for the TPM1.2 case. We should try to fix
 	 *  this in a follow-up.
 	 */
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	efi_status = generate_hash(data, datasize, context, sha256hash,
 +				   sha1hash, sm3hash);
 +#else
@ -317,7 +327,7 @@ index ba3e2bb..37b08a3 100644
 	int found_entry_point = 0;
 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	UINT8 sm3hash[SM3_DIGEST_SIZE];
 +#endif
@ -327,7 +337,7 @@ index ba3e2bb..37b08a3 100644
 	 * in order to load it.
 	 */
 	if (secure_mode ()) {
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +		efi_status = verify_buffer(data, datasize, &context, sha256hash,
 +					   sha1hash, sm3hash);
 +#else
@ -341,7 +351,7 @@ index ba3e2bb..37b08a3 100644
 	 *  this is only useful for the TPM1.2 case. We should try to fix
 	 *  this in a follow-up.
 	 */
-+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
 +	efi_status = generate_hash(data, datasize, &context, sha256hash,
 +				   sha1hash, sm3hash);
 +#else
@ -352,7 +362,7 @@ index ba3e2bb..37b08a3 100644
 		return efi_status;
 diff --git a/shim.c b/shim.c
-index fdd205e..5662ca8 100644
+index fdd205e..400bd9a 100644
 --- a/shim.c
 +++ b/shim.c
@@ -458,11 +458,20 @@ BOOLEAN secure_mode (void)
@ -376,27 +386,29 @@ index fdd205e..5662ca8 100644
 	/*
 	 * Ensure that the binary isn't forbidden
-@@ -533,10 +542,15 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+@@ -532,11 +541,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
 	if (vendor_cert_size) {
 		dprint("verifying against vendor_cert\n");
 	}
 +#ifdef ENABLE_SHIM_SM
 	if (vendor_cert_size &&
 -	    AuthenticodeVerify(sig->CertData,
 -			       sig->Hdr.dwLength - sizeof(sig->Hdr),
 -			       vendor_cert, vendor_cert_size,
 -			       sha256hash, SHA256_DIGEST_SIZE)) {
 +#ifdef ENABLE_SHIM_SM
 +	    (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
 +							vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE) ||
 +	     AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
 +							vendor_cert, vendor_cert_size, sm3hash, SM3_DIGEST_SIZE))) {
 +#else
 +	if (vendor_cert_size &&
 +	    (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
-+							vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) {
+							vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE))) {
 +#endif
 		dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n");
 		update_verification_method(VERIFIED_BY_CERT);
 		tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
-@@ -558,10 +572,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+@@ -558,10 +573,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
 /*
  * Check that the signature is valid and matches the binary
  */
@ -414,7 +426,7 @@ index fdd205e..5662ca8 100644
 {
 	EFI_STATUS ret_efi_status;
 	size_t size = datasize;
-@@ -578,7 +599,12 @@ verify_buffer_authenticode (char *data, int datasize,
+@@ -578,7 +600,12 @@ verify_buffer_authenticode (char *data, int datasize,
 	 */
 	drain_openssl_errors();
@ -427,7 +439,7 @@ index fdd205e..5662ca8 100644
 	if (EFI_ERROR(ret_efi_status)) {
 		dprint(L"generate_hash: %r\n", ret_efi_status);
 		PrintErrors();
-@@ -665,7 +691,11 @@ verify_buffer_authenticode (char *data, int datasize,
+@@ -665,7 +692,11 @@ verify_buffer_authenticode (char *data, int datasize,
 			dprint(L"Attempting to verify signature %d:\n", i++);
@ -439,7 +451,7 @@ index fdd205e..5662ca8 100644
 			/*
 			 * If we didn't get EFI_SECURITY_VIOLATION from
-@@ -746,10 +776,17 @@ verify_buffer_sbat (char *data, int datasize,
+@@ -746,10 +777,17 @@ verify_buffer_sbat (char *data, int datasize,
  * Check that the signature is valid and matches the binary and that
  * the binary is permitted to load by SBAT.
  */
@ -457,7 +469,7 @@ index fdd205e..5662ca8 100644
 {
 	EFI_STATUS efi_status;
-@@ -757,7 +794,11 @@ verify_buffer (char *data, int datasize,
+@@ -757,7 +795,11 @@ verify_buffer (char *data, int datasize,
 	if (EFI_ERROR(efi_status))
 		return efi_status;
@ -469,7 +481,7 @@ index fdd205e..5662ca8 100644
 }
 static int
-@@ -970,6 +1011,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+@@ -970,6 +1012,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
@ -479,7 +491,7 @@ index fdd205e..5662ca8 100644
 	if ((INT32)size < 0)
 		return EFI_INVALID_PARAMETER;
-@@ -981,8 +1025,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+@@ -981,8 +1026,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	if (EFI_ERROR(efi_status))
 		goto done;
@ -493,7 +505,7 @@ index fdd205e..5662ca8 100644
 	if (EFI_ERROR(efi_status))
 		goto done;
-@@ -1002,16 +1051,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+@@ -1002,16 +1052,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 		goto done;
 	}
@ -521,7 +533,7 @@ index fdd205e..5662ca8 100644
 {
 	EFI_STATUS efi_status;
-@@ -1019,8 +1079,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
+@@ -1019,8 +1080,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
 		return EFI_INVALID_PARAMETER;
 	in_protocol = 1;
--- a/shim.spec
+++ b/shim.spec
@ -22,7 +22,7 @@
 Name:	   	   shim
 Version:	   15.6
-Release:	   4
+Release:	   5
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@ -144,6 +144,9 @@ cd ..
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
 * Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-5
 - Bugfix for SMx feature
 * Thu Nov 10 2022 jinlun <jinlun@huawei.com> - 15.6-4
 - Add BuildRequires on the arrch64