]>
code.delx.au - refind/blob - mok/mok.c
3 * Based mostly on shim.c by Matthew J. Garrett/Red Hat (see below
6 * Code to perform Secure Boot verification of boot loader programs
7 * using the Shim program and its Machine Owner Keys (MOKs), to
8 * supplement standard Secure Boot checks performed by the firmware.
13 * shim - trivial UEFI first-stage bootloader
15 * Copyright 2012 Red Hat, Inc <mjg@redhat.com>
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
21 * Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
24 * Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in the
26 * documentation and/or other materials provided with the
29 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
30 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
31 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
32 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
33 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
34 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
35 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
36 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
38 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
39 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
40 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 * Significant portions of this code are derived from Tianocore
43 * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel
49 #include "../include/refit_call_wrapper.h"
50 #include "../refind/lib.h"
51 #include "../refind/screen.h"
55 * Check whether we're in Secure Boot and user mode
57 BOOLEAN
secure_mode (VOID
)
60 EFI_GUID global_var
= EFI_GLOBAL_VARIABLE
;
61 UINTN charsize
= sizeof(char);
62 UINT8
*sb
= NULL
, *setupmode
= NULL
;
64 status
= EfivarGetRaw(&global_var
, L
"SecureBoot", (CHAR8
**) &sb
, &charsize
);
65 /* FIXME - more paranoia here? */
66 if (status
!= EFI_SUCCESS
|| charsize
!= sizeof(CHAR8
) || *sb
!= 1) {
70 status
= EfivarGetRaw(&global_var
, L
"SetupMode", (CHAR8
**) &setupmode
, &charsize
);
71 if (status
== EFI_SUCCESS
&& charsize
== sizeof(CHAR8
) && *setupmode
== 1) {
78 // Returns TRUE if the shim program is available to verify binaries,
80 BOOLEAN
ShimLoaded(void) {
82 EFI_GUID ShimLockGuid
= SHIM_LOCK_GUID
;
84 return (refit_call3_wrapper(BS
->LocateProtocol
, &ShimLockGuid
, NULL
, (VOID
**) &shim_lock
) == EFI_SUCCESS
);
87 // The following is based on the grub_linuxefi_secure_validate() function in Fedora's
89 // Returns TRUE if the specified data is validated by Shim's MOK, FALSE otherwise
90 BOOLEAN
ShimValidate (VOID
*data
, UINT32 size
)
93 EFI_GUID ShimLockGuid
= SHIM_LOCK_GUID
;
95 if ((data
!= NULL
) && (refit_call3_wrapper(BS
->LocateProtocol
, &ShimLockGuid
, NULL
, (VOID
**) &shim_lock
) == EFI_SUCCESS
)) {
99 if (shim_lock
->shim_verify(data
, size
) == EFI_SUCCESS
)
104 } // BOOLEAN ShimValidate()