diff --git a/shim.c b/shim.c index 85805b76e..499da8b56 100644 --- a/shim.c +++ b/shim.c @@ -344,12 +344,16 @@ static void update_verification_method(verification_method_t method) * Check whether the binary signature or hash are present in db or MokList */ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert, - UINT8 *sha256hash, UINT8 *sha1hash) + UINT8 *sha256hash, UINT8 *sha1hash, + BOOLEAN *fw_allow) { + *fw_allow = FALSE; + if (!ignore_db) { if (check_db_hash(L"db", EFI_SECURE_BOOT_DB_GUID, sha256hash, SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { update_verification_method(VERIFIED_BY_HASH); + *fw_allow = TRUE; return EFI_SUCCESS; } else { LogError(L"check_db_hash(db, sha256hash) != DATA_FOUND\n"); @@ -358,6 +362,7 @@ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_CERT_SHA1_GUID) == DATA_FOUND) { verification_method = VERIFIED_BY_HASH; update_verification_method(VERIFIED_BY_HASH); + *fw_allow = TRUE; return EFI_SUCCESS; } else { LogError(L"check_db_hash(db, sha1hash) != DATA_FOUND\n"); @@ -366,6 +371,7 @@ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert, == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); + *fw_allow = TRUE; return EFI_SUCCESS; } else if (cert) { LogError(L"check_db_cert(db, sha256hash) != DATA_FOUND\n"); @@ -460,7 +466,7 @@ BOOLEAN secure_mode (void) static EFI_STATUS verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, - UINT8 *sha256hash, UINT8 *sha1hash) + UINT8 *sha256hash, UINT8 *sha1hash, BOOLEAN *fw_allow) { EFI_STATUS efi_status; @@ -482,7 +488,7 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, * databases */ drain_openssl_errors(); - efi_status = check_allowlist(sig, sha256hash, sha1hash); + efi_status = check_allowlist(sig, sha256hash, sha1hash, fw_allow); if (EFI_ERROR(efi_status)) { if (efi_status != EFI_NOT_FOUND) { dprint(L"check_allowlist(): %r\n", efi_status); 
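Review bot: The `check_db_cert(L"db", ...)` branch (hunk at -366) sets `*fw_allow = TRUE` on a certificate match, which is far broader than the two hash branches (hunks at -344 and -358): a hash match pins one exact image, while a certificate match covers every image signed under that db certificate. Since the caller uses this flag to skip SBAT, an older build signed under a db-enrolled certificate would no longer be subject to an SBAT generation check unless it is also listed in dbx, so the commit should state whether that is intended. Consider setting the flag only in the hash branches, or document the policy above the function, e.g. `/* *fw_allow is set TRUE only when the match came from the firmware db */`. The rest of check_allowlist, including any MokList checks, lies outside these hunks, so this assumes no later path sets the flag.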
@@ -561,7 +567,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, EFI_STATUS verify_buffer_authenticode (char *data, int datasize, PE_COFF_LOADER_IMAGE_CONTEXT *context, - UINT8 *sha256hash, UINT8 *sha1hash) + UINT8 *sha256hash, UINT8 *sha1hash, + BOOLEAN *fw_allow) { EFI_STATUS ret_efi_status; size_t size = datasize; @@ -606,7 +613,7 @@ verify_buffer_authenticode (char *data, int datasize, * firmware databases */ drain_openssl_errors(); - ret_efi_status = check_allowlist(NULL, sha256hash, sha1hash); + ret_efi_status = check_allowlist(NULL, sha256hash, sha1hash, fw_allow); if (EFI_ERROR(ret_efi_status)) { LogError(L"check_allowlist(): %r\n", ret_efi_status); dprint(L"check_allowlist: %r\n", ret_efi_status); @@ -673,7 +680,7 @@ verify_buffer_authenticode (char *data, int datasize, dprint(L"Attempting to verify signature %d:\n", i++); - efi_status = verify_one_signature(sig, sha256hash, sha1hash); + efi_status = verify_one_signature(sig, sha256hash, sha1hash, fw_allow); /* * If we didn't get EFI_SECURITY_VIOLATION from @@ -772,11 +779,16 @@ verify_buffer (char *data, int datasize, UINT8 *sha256hash, UINT8 *sha1hash) { EFI_STATUS efi_status; + BOOLEAN fw_allow; - efi_status = verify_buffer_authenticode(data, datasize, context, sha256hash, sha1hash); + efi_status = verify_buffer_authenticode(data, datasize, context, sha256hash, sha1hash, &fw_allow); if (EFI_ERROR(efi_status)) return efi_status; + // Don't need to verify SBAT if the firmware would allow booting binary anyways + if (fw_allow) + return EFI_SUCCESS; + return verify_buffer_sbat(data, datasize, context); }
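Review bot: `fw_allow` is a new required out-parameter on `verify_buffer_authenticode`, which appears to have external linkage (no `static` on the visible return-type line), and it is dereferenced unconditionally further down in `check_allowlist` (`*fw_allow = FALSE;`). No header or other-caller change is visible in this diff, so any prototype elsewhere has to be updated in step, and a caller passing NULL would fault. A short contract comment above the function, such as `/* fw_allow: out, must be non-NULL; TRUE when the image matched the firmware db */`, would make this explicit. The function body continues outside the hunk.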
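Review bot: `BOOLEAN fw_allow;` in verify_buffer is declared without an initializer and then decides whether `verify_buffer_sbat()` runs, so its correctness depends on every successful return from `verify_buffer_authenticode()` having passed through `check_allowlist()`. That cannot be confirmed from the hunks shown, so initialize it fail-closed with `BOOLEAN fw_allow = FALSE;`. Because the early return skips a revocation check, it is also worth leaving a trace for later diagnosis, e.g. `dprint(L"image allowed by firmware db, skipping SBAT verification\n");` before `return EFI_SUCCESS;`. verify_buffer's signature begins above the hunk.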