From 4b0a61dc9a952028c7b1ccc8914835d989ce661e Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 29 Oct 2020 09:49:36 -0400 Subject: [PATCH] shim: compile time option to bypass the ExitBootServices() check On systems where a second stage bootloader is not used, and the Linux Kernel is booted directly from shim, shim's ExitBootServices() hook can cause problems as the kernel never calls the shim's verification protocol. In this case calling the shim verification protocol is unnecessary and redundant as shim has already verified the kernel when shim loaded the kernel as the second stage loader. This functionality is disabled by default and must be enabled via the DISABLE_EBS_PROTECTION macro/define at build time. Signed-off-by: Paul Moore --- Make.defaults | 4 ++++ replacements.c | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/Make.defaults b/Make.defaults index 2e01646a3..811db7185 100644 --- a/Make.defaults +++ b/Make.defaults @@ -105,6 +105,10 @@ ifneq ($(origin REQUIRE_TPM), undefined) CFLAGS += -DREQUIRE_TPM endif +ifneq ($(origin DISABLE_EBS_PROTECTION), undefined) + CFLAGS += -DDISABLE_EBS_PROTECTION +endif + LIB_GCC = $(shell $(CC) $(ARCH_CFLAGS) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) FORMAT ?= --target efi-app-$(ARCH) diff --git a/replacements.c b/replacements.c index 944c779da..4a8a46a5f 100644 --- a/replacements.c +++ b/replacements.c @@ -131,6 +131,7 @@ replacement_start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 * return efi_status; } +#if !defined(DISABLE_EBS_PROTECTION) static EFI_STATUS EFIAPI exit_boot_services(EFI_HANDLE image_key, UINTN map_key) { @@ -150,6 +151,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key) gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL); return EFI_SECURITY_VIOLATION; } +#endif /* !defined(DISABLE_EBS_PROTECTION) */ static EFI_STATUS EFIAPI do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, @@ -199,17 +201,22 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab) system_start_image = systab->BootServices->StartImage; systab->BootServices->StartImage = replacement_start_image; +#if !defined(DISABLE_EBS_PROTECTION) /* we need to hook ExitBootServices() so a) we can enforce the policy * and b) we can unwrap when we're done. */ system_exit_boot_services = systab->BootServices->ExitBootServices; systab->BootServices->ExitBootServices = exit_boot_services; +#endif /* defined(DISABLE_EBS_PROTECTION) */ } void unhook_exit(void) { +#if !defined(DISABLE_EBS_PROTECTION) systab->BootServices->Exit = system_exit; gBS = systab->BootServices; +#endif /* defined(DISABLE_EBS_PROTECTION) */ + return; } void