1 files changed, 402 insertions, 0 deletions
diff --git a/src/interface/efi/efi_shim.c b/src/interface/efi/efi_shim.c
new file mode 100644
index 00000000..a46d79d0
--- /dev/null
+++ b/src/interface/efi/efi_shim.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <ipxe/image.h>
+#include <ipxe/efi/efi.h>
+#include <ipxe/efi/efi_strings.h>
+#include <ipxe/efi/efi_shim.h>
+#include <ipxe/efi/Protocol/PxeBaseCode.h>
+#include <ipxe/efi/Protocol/ShimLock.h>
+
+/** @file
+ *
+ * UEFI shim special handling
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+/**
+ * Require use of a third party loader binary
+ *
+ * The UEFI shim is gradually becoming less capable of directly
+ * executing a Linux kernel image, due to an ever increasing list of
+ * assumptions that it will only ever be used in conjunction with a
+ * second stage loader binary such as GRUB.
+ *
+ * For example: shim will erroneously complain if the image that it
+ * loads and executes does not in turn call in to the "shim lock
+ * protocol" to verify a separate newly loaded binary before calling
+ * ExitBootServices(), even if no such separate binary is used or
+ * required.
+ *
+ * Experience shows that there is unfortunately no point in trying to
+ * get a fix for this upstreamed into shim.  We therefore default to
+ * reducing the Secure Boot attack surface by removing, where
+ * possible, this spurious requirement for the use of an additional
+ * second stage loader.
+ *
+ * This option may be used to require the use of an additional second
+ * stage loader binary, in case this behaviour is ever desirable.
+ */
+int efi_shim_require_loader = 0;
+
+/**
+ * Allow use of PXE base code protocol
+ *
+ * We provide shim with access to all of the relevant downloaded files
+ * via our EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface.  However, shim
+ * will instead try to redownload the files via TFTP since it prefers
+ * to use the EFI_PXE_BASE_CODE_PROTOCOL installed on the same handle.
+ *
+ * Experience shows that there is unfortunately no point in trying to
+ * get a fix for this upstreamed into shim.  We therefore default to
+ * working around this undesirable behaviour by stopping the PXE base
+ * code protocol before invoking shim.
+ *
+ * This option may be used to allow shim to use the PXE base code
+ * protocol, in case this behaviour is ever desirable.
+ */
+int efi_shim_allow_pxe = 0;
+
+/**
+ * Allow SBAT variable access
+ *
+ * The UEFI shim implements a fairly nicely designed revocation
+ * mechanism designed around the concept of security generations.
+ * Unfortunately nobody in the shim community has thus far added the
+ * relevant metadata to the Linux kernel, with the result that current
+ * versions of shim are incapable of booting current versions of the
+ * Linux kernel.
+ *
+ * Experience shows that there is unfortunately no point in trying to
+ * get a fix for this upstreamed into shim.  We therefore default to
+ * working around this undesirable behaviour by patching data read
+ * from the "SbatLevel" variable used to hold SBAT configuration.
+ *
+ * This option may be used to allow shim unpatched access to the
+ * "SbatLevel" variable, in case this behaviour is ever desirable.
+ */
+int efi_shim_allow_sbat = 0;
+
+/** UEFI shim image */
+struct image_tag efi_shim __image_tag = {
+	.name = "SHIM",
+};
+
+/** Original GetMemoryMap() function */
+static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map;
+
+/** Original ExitBootServices() function */
+static EFI_EXIT_BOOT_SERVICES efi_shim_orig_exit_boot_services;
+
+/** Original SetVariable() function */
+static EFI_SET_VARIABLE efi_shim_orig_set_variable;
+
+/** Original GetVariable() function */
+static EFI_GET_VARIABLE efi_shim_orig_get_variable;
+
+/** Verify read from SbatLevel variable */
+static int efi_shim_sbatlevel_verify;
+
+/**
+ * Check if variable is SbatLevel
+ *
+ * @v name		Variable name
+ * @v guid		Variable namespace GUID
+ * @ret is_sbatlevel	Variable is SbatLevel
+ */
+static int efi_shim_is_sbatlevel ( const CHAR16 *name, const EFI_GUID *guid ) {
+	static CHAR16 sbatlevel[] = L"SbatLevel";
+	EFI_GUID *shimlock = &efi_shim_lock_protocol_guid;
+
+	return ( ( memcmp ( name, sbatlevel, sizeof ( sbatlevel ) ) == 0 ) &&
+		 ( memcmp ( guid, shimlock, sizeof ( *shimlock ) ) == 0 ) );
+}
+
+/**
+ * Unlock UEFI shim
+ *
+ */
+static void efi_shim_unlock ( void ) {
+	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
+	uint8_t empty[0];
+	union {
+		EFI_SHIM_LOCK_PROTOCOL *lock;
+		void *interface;
+	} u;
+	EFI_STATUS efirc;
+
+	/* Locate shim lock protocol */
+	if ( ( efirc = bs->LocateProtocol ( &efi_shim_lock_protocol_guid,
+					    NULL, &u.interface ) ) == 0 ) {
+		u.lock->Verify ( empty, sizeof ( empty ) );
+		DBGC ( &efi_shim, "SHIM unlocked via %p\n", u.lock );
+	}
+}
+
+/**
+ * Wrap GetMemoryMap()
+ *
+ * @v len		Memory map size
+ * @v map		Memory map
+ * @v key		Memory map key
+ * @v desclen		Descriptor size
+ * @v descver		Descriptor version
+ * @ret efirc		EFI status code
+ */
+static EFIAPI EFI_STATUS efi_shim_get_memory_map ( UINTN *len,
+						   EFI_MEMORY_DESCRIPTOR *map,
+						   UINTN *key, UINTN *desclen,
+						   UINT32 *descver ) {
+
+	/* Unlock shim */
+	if ( ! efi_shim_require_loader )
+		efi_shim_unlock();
+
+	/* Hand off to original GetMemoryMap() */
+	return efi_shim_orig_get_memory_map ( len, map, key, desclen,
+					      descver );
+}
+
+/**
+ * Wrap ExitBootServices()
+ *
+ * @v handle		Image handle
+ * @v key		Memory map key
+ * @ret efirc		EFI status code
+ */
+static EFIAPI EFI_STATUS efi_shim_exit_boot_services ( EFI_HANDLE handle,
+						       UINTN key ) {
+	EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
+
+	/* Restore original runtime services functions */
+	rs->SetVariable = efi_shim_orig_set_variable;
+	rs->GetVariable = efi_shim_orig_get_variable;
+
+	/* Hand off to original ExitBootServices() */
+	return efi_shim_orig_exit_boot_services ( handle, key );
+}
+
+/**
+ * Wrap SetVariable()
+ *
+ * @v name		Variable name
+ * @v guid		Variable namespace GUID
+ * @v attrs		Attributes
+ * @v len		Buffer size
+ * @v data		Data buffer
+ * @ret efirc		EFI status code
+ */
+static EFI_STATUS EFIAPI
+efi_shim_set_variable ( CHAR16 *name, EFI_GUID *guid, UINT32 attrs,
+			UINTN len, VOID *data ) {
+	EFI_STATUS efirc;
+
+	/* Call original SetVariable() */
+	efirc = efi_shim_orig_set_variable ( name, guid, attrs, len, data );
+
+	/* Allow verification of SbatLevel variable content */
+	if ( efi_shim_is_sbatlevel ( name, guid ) && ( efirc == 0 ) ) {
+		DBGC ( &efi_shim, "SHIM detected write to %ls:\n", name );
+		DBGC_HDA ( &efi_shim, 0, data, len );
+		efi_shim_sbatlevel_verify = 1;
+	}
+
+	return efirc;
+}
+
+/**
+ * Wrap GetVariable()
+ *
+ * @v name		Variable name
+ * @v guid		Variable namespace GUID
+ * @v attrs		Attributes to fill in
+ * @v len		Buffer size
+ * @v data		Data buffer
+ * @ret efirc		EFI status code
+ */
+static EFI_STATUS EFIAPI
+efi_shim_get_variable ( CHAR16 *name, EFI_GUID *guid, UINT32 *attrs,
+			UINTN *len, VOID *data ) {
+	char *value = data;
+	EFI_STATUS efirc;
+
+	/* Call original GetVariable() */
+	efirc = efi_shim_orig_get_variable ( name, guid, attrs, len, data );
+
+	/* Patch SbatLevel variable if applicable */
+	if ( efi_shim_is_sbatlevel ( name, guid ) && data && ( efirc == 0 ) ) {
+		if ( efi_shim_allow_sbat ) {
+			DBGC ( &efi_shim, "SHIM allowing read from %ls:\n",
+			       name );
+		} else if ( efi_shim_sbatlevel_verify ) {
+			DBGC ( &efi_shim, "SHIM allowing one read from %ls:\n",
+			       name );
+			efi_shim_sbatlevel_verify = 0;
+		} else {
+			DBGC ( &efi_shim, "SHIM patching read from %ls:\n",
+			       name );
+			value[0] = '\0';
+		}
+		DBGC_HDA ( &efi_shim, 0, data, *len );
+	}
+
+	return efirc;
+}
+
+/**
+ * Inhibit use of PXE base code
+ *
+ * @v handle		EFI handle
+ * @ret rc		Return status code
+ */
+static int efi_shim_inhibit_pxe ( EFI_HANDLE handle ) {
+	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
+	union {
+		EFI_PXE_BASE_CODE_PROTOCOL *pxe;
+		void *interface;
+	} u;
+	EFI_STATUS efirc;
+	int rc;
+
+	/* Locate PXE base code */
+	if ( ( efirc = bs->OpenProtocol ( handle,
+					  &efi_pxe_base_code_protocol_guid,
+					  &u.interface, efi_image_handle, NULL,
+					  EFI_OPEN_PROTOCOL_GET_PROTOCOL ))!=0){
+		rc = -EEFI ( efirc );
+		DBGC ( &efi_shim, "SHIM could not open PXE base code: %s\n",
+		       strerror ( rc ) );
+		goto err_no_base;
+	}
+
+	/* Stop PXE base code */
+	if ( ( efirc = u.pxe->Stop ( u.pxe ) ) != 0 ) {
+		rc = -EEFI ( efirc );
+		DBGC ( &efi_shim, "SHIM could not stop PXE base code: %s\n",
+		       strerror ( rc ) );
+		goto err_stop;
+	}
+
+	/* Success */
+	rc = 0;
+	DBGC ( &efi_shim, "SHIM stopped PXE base code\n" );
+
+ err_stop:
+	bs->CloseProtocol ( handle, &efi_pxe_base_code_protocol_guid,
+			    efi_image_handle, NULL );
+ err_no_base:
+	return rc;
+}
+
+/**
+ * Update command line
+ *
+ * @v shim		Shim image
+ * @v cmdline		Command line to update
+ * @ret rc		Return status code
+ */
+static int efi_shim_cmdline ( struct image *shim, wchar_t **cmdline ) {
+	wchar_t *shimcmdline;
+	int len;
+	int rc;
+
+	/* Construct new command line */
+	len = ( shim->cmdline ?
+		efi_asprintf ( &shimcmdline, "%s %s", shim->name,
+			       shim->cmdline ) :
+		efi_asprintf ( &shimcmdline, "%s %ls", shim->name,
+			       *cmdline ) );
+	if ( len < 0 ) {
+		rc = len;
+		DBGC ( &efi_shim, "SHIM could not construct command line: "
+		       "%s\n", strerror ( rc ) );
+		return rc;
+	}
+
+	/* Replace command line */
+	free ( *cmdline );
+	*cmdline = shimcmdline;
+
+	return 0;
+}
+
+/**
+ * Install UEFI shim special handling
+ *
+ * @v shim		Shim image
+ * @v handle		EFI device handle
+ * @v cmdline		Command line to update
+ * @ret rc		Return status code
+ */
+int efi_shim_install ( struct image *shim, EFI_HANDLE handle,
+		       wchar_t **cmdline ) {
+	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
+	EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
+	int rc;
+
+	/* Stop PXE base code */
+	if ( ( ! efi_shim_allow_pxe ) &&
+	     ( ( rc = efi_shim_inhibit_pxe ( handle ) ) != 0 ) ) {
+		return rc;
+	}
+
+	/* Update command line */
+	if ( ( rc = efi_shim_cmdline ( shim, cmdline ) ) != 0 )
+		return rc;
+
+	/* Record original boot and runtime services functions */
+	efi_shim_orig_get_memory_map = bs->GetMemoryMap;
+	efi_shim_orig_exit_boot_services = bs->ExitBootServices;
+	efi_shim_orig_set_variable = rs->SetVariable;
+	efi_shim_orig_get_variable = rs->GetVariable;
+
+	/* Wrap relevant boot and runtime services functions */
+	bs->GetMemoryMap = efi_shim_get_memory_map;
+	bs->ExitBootServices = efi_shim_exit_boot_services;
+	rs->SetVariable = efi_shim_set_variable;
+	rs->GetVariable = efi_shim_get_variable;
+
+	return 0;
+}
+
+/**
+ * Uninstall UEFI shim special handling
+ *
+ */
+void efi_shim_uninstall ( void ) {
+	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
+	EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
+
+	/* Restore original boot and runtime services functions */
+	bs->GetMemoryMap = efi_shim_orig_get_memory_map;
+	bs->ExitBootServices = efi_shim_orig_exit_boot_services;
+	rs->SetVariable = efi_shim_orig_set_variable;
+	rs->GetVariable = efi_shim_orig_get_variable;
+}