Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple certificate handling improvements #644

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Multiple certificate handling improvements #644

wants to merge 3 commits into from

Conversation

rosslagerwall
Copy link

A couple of improvements for performing verification with multiple certificates.

@vathpela
Copy link
Contributor

vathpela commented May 8, 2024

Is there existing usage of these packed certificates? It would seem like the obvious way to do this is multiple EFI_SIGNATURE_LIST entries each with an EFI_CERT_TYPE_X509_GUID entry. If something else is already supporting the packed version, though, I don't have a big problem with it.

@rosslagerwall rosslagerwall force-pushed the private/rossla/cert branch from fbf536c to 0885b25 Compare May 9, 2024 09:23
@rosslagerwall
Copy link
Author

Is there existing usage of these packed certificates? It would seem like the obvious way to do this is multiple EFI_SIGNATURE_LIST entries each with an EFI_CERT_TYPE_X509_GUID entry. If something else is already supporting the packed version, though, I don't have a big problem with it.

Nothing that I am aware of. On reflection, that change is unnecessary so I've dropped the commit. The remaining commits fix a leak and allow having multiple EFI_SIGNATURE_LIST entries each with an EFI_CERT_TYPE_X509_GUID entry.

Thanks

@rosslagerwall rosslagerwall force-pushed the private/rossla/cert branch from 0885b25 to 3e05585 Compare May 9, 2024 09:28
jepio and others added 3 commits January 21, 2025 11:43
@jepio @vathpela
Fix parallel build of gnu-efi
992b6d3 
When building with make 4.4.1, gnu-efi may be built twice and in parallel:

  $ make -n -j ARCH=x86_64 2>&1 | tee build.log
  $ grep -e 'make -C gnu-efi' build.log
  make -C gnu-efi \
  make -C gnu-efi \

This has been seen to cause linking failures when building libgnuefi.a because
some object files may end up truncated.

The reason for this is that make interprets multiple targets in the same rule
as independent and can run the rule multiple times. The solution is to define a
grouped target with &:, which causes make to behave the way one expects: runs
the rule once and expects it to create all targets.

Grouped target support was added in make 4.3 released 4 years ago.

Signed-off-by: Jeremi Piotrowski <[email protected]>
@rosslagerwall @vathpela
Fix leak in error path
31e1fce 
Signed-off-by: Ross Lagerwall <[email protected]>
@rosslagerwall @vathpela
Load concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi
5889d8a 
For multiple reasons, it may be useful for different keys to be used to
sign different parts of the boot chain (e.g. a different key for GRUB
and the Linux kernel). Allow this by loading concatenated
EFI_SIGNATURE_LISTs from shim_certificate.efi rather than only the
first.

At the same time, be a bit more robust by checking for allocation
failures and overflows due to invalid data in the binary.
Use the smaller of VirtualSize and SizeOfRawData since the latter is
rounded up to the section alignment and therefore may contain
non-certificate data.

Signed-off-by: Ross Lagerwall <[email protected]>
@vathpela vathpela force-pushed the private/rossla/cert branch from 3e05585 to 5889d8a Compare January 21, 2025 16:48
@vathpela vathpela added this to the shim 16 milestone Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
shim 16
Development

Successfully merging this pull request may close these issues.
3 participants
@rosslagerwall @vathpela @jepio