-
Notifications
You must be signed in to change notification settings - Fork 298
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
netboot cleanup for additional files #686
Draft
jsetje
wants to merge
4
commits into
rhboot:main
Choose a base branch
from
jsetje:revocations_v3
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
a597437
Suppress file open failures for some netboot cases
jsetje 224e914
Allow indepdent SkuSi and SBAT revocation updates
jsetje 3412508
netboot: process revocations.efi as revocations not shim_certificate
jsetje e9aef68
netboot can try to load shim_certificate_[0..9].efi
jsetje File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,6 +32,7 @@ | |
#include <Library/BaseCryptLib.h> | ||
|
||
#include <stdint.h> | ||
#include <stdio.h> | ||
|
||
#define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2" | ||
|
||
|
@@ -54,6 +55,8 @@ extern struct { | |
|
||
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} | ||
|
||
#define SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE 1 | ||
|
||
typedef enum { | ||
DATA_FOUND, | ||
DATA_NOT_FOUND, | ||
|
@@ -1091,7 +1094,8 @@ str16_to_str8(CHAR16 *str16, CHAR8 **str8) | |
* Load and run an EFI executable | ||
*/ | ||
EFI_STATUS read_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, | ||
CHAR16 **PathName, void **data, int *datasize) | ||
CHAR16 **PathName, void **data, int *datasize, | ||
int flags) | ||
{ | ||
EFI_STATUS efi_status; | ||
void *sourcebuffer = NULL; | ||
|
@@ -1130,8 +1134,9 @@ EFI_STATUS read_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, | |
efi_status = FetchNetbootimage(image_handle, &sourcebuffer, | ||
&sourcesize); | ||
if (EFI_ERROR(efi_status)) { | ||
perror(L"Unable to fetch TFTP image: %r\n", | ||
efi_status); | ||
if (~flags & SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) | ||
perror(L"Unable to fetch TFTP image: %r\n", | ||
efi_status); | ||
return efi_status; | ||
} | ||
*data = sourcebuffer; | ||
|
@@ -1143,8 +1148,9 @@ EFI_STATUS read_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, | |
&sourcesize, | ||
netbootname); | ||
if (EFI_ERROR(efi_status)) { | ||
perror(L"Unable to fetch HTTP image %a: %r\n", | ||
netbootname, efi_status); | ||
if (~flags & SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) | ||
perror(L"Unable to fetch HTTP image %a: %r\n", | ||
netbootname, efi_status); | ||
return efi_status; | ||
} | ||
*data = sourcebuffer; | ||
|
@@ -1183,7 +1189,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) | |
int datasize = 0; | ||
|
||
efi_status = read_image(image_handle, ImagePath, &PathName, &data, | ||
&datasize); | ||
&datasize, 0); | ||
if (EFI_ERROR(efi_status)) | ||
goto done; | ||
|
||
|
@@ -1459,8 +1465,12 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *PathName) | |
uint8_t *ssps_latest = NULL; | ||
uint8_t *sspv_latest = NULL; | ||
|
||
efi_status = read_image(image_handle, L"revocations.efi", &PathName, | ||
&data, &datasize); | ||
efi_status = read_image(image_handle, L"revocations_sbat.efi", &PathName, | ||
&data, &datasize, | ||
SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE); | ||
efi_status = read_image(image_handle, L"revocations_skusi.efi", &PathName, | ||
&data, &datasize, | ||
SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE); | ||
if (EFI_ERROR(efi_status)) | ||
return efi_status; | ||
|
||
|
@@ -1510,7 +1520,8 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *PathName) | |
} | ||
|
||
EFI_STATUS | ||
load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName) | ||
load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName, | ||
int flags) | ||
{ | ||
EFI_STATUS efi_status; | ||
PE_COFF_LOADER_IMAGE_CONTEXT context; | ||
|
@@ -1523,7 +1534,7 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName) | |
int i; | ||
|
||
efi_status = read_image(image_handle, filename, &PathName, | ||
&data, &datasize); | ||
&data, &datasize, flags); | ||
if (EFI_ERROR(efi_status)) | ||
return efi_status; | ||
|
||
|
@@ -1565,13 +1576,15 @@ load_unbundled_trust(EFI_HANDLE image_handle) | |
EFI_STATUS efi_status; | ||
EFI_LOADED_IMAGE *li = NULL; | ||
CHAR16 *PathName = NULL; | ||
static CHAR16 FileName[] = L"shim_certificate_0.efi"; | ||
EFI_FILE *root, *dir; | ||
EFI_FILE_INFO *info; | ||
EFI_HANDLE device; | ||
EFI_FILE_IO_INTERFACE *drive; | ||
UINTN buffersize = 0; | ||
void *buffer = NULL; | ||
BOOLEAN search_revocations = TRUE; | ||
int i = 0; | ||
|
||
efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, | ||
(void **)&li); | ||
|
@@ -1592,11 +1605,11 @@ load_unbundled_trust(EFI_HANDLE image_handle) | |
efi_status); | ||
/* | ||
* Network boot cases do not support reading a directory. Try | ||
* to read revocations.efi to pull in any unbundled SBATLevel | ||
* to read revocations to pull in any unbundled SBATLevel | ||
* updates unconditionally in those cases. This may produce | ||
* console noise when the file is not present. | ||
*/ | ||
load_cert_file(image_handle, REVOCATIONFILE, PathName); | ||
load_revocations_file(image_handle, PathName); | ||
goto done; | ||
} | ||
|
||
|
@@ -1683,13 +1696,18 @@ load_unbundled_trust(EFI_HANDLE image_handle) | |
if (EFI_ERROR(efi_status)) { | ||
perror(L"Failed to open %s - %r\n", | ||
PathName, efi_status); | ||
while (load_cert_file(image_handle, FileName, PathName, | ||
SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) | ||
== EFI_SUCCESS && i++ < 10) { | ||
FileName[17]++; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it's going to be confusing having to rename shim_certificate_sbat.efi to shim_certificate_0.efi, shim_certificate_ski.efi to shim_certificate_1.efi etc. Can't we just use those names? |
||
} | ||
goto done; | ||
} | ||
} | ||
|
||
if (!search_revocations && | ||
StrnCaseCmp(info->FileName, L"shim_certificate", 16) == 0) { | ||
load_cert_file(image_handle, info->FileName, PathName); | ||
load_cert_file(image_handle, info->FileName, PathName, 0); | ||
} | ||
} | ||
done: | ||
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are you missing a check for efi_status here?