├── LICENSE.GPL2
├── LICENSE.LGPL2.1
├── Makefile.am
├── README.md
├── autogen.sh
├── completion
│   ├── Makefile.am
│   └── bash
│       ├── Makefile.am
│       └── sbpctl
├── configure.ac
├── m4
│   ├── arch.m4
│   └── ax_normalize_path.m4
├── man
│   ├── Makefile.am
│   └── sbpctl.xml
└── src
    ├── Makefile.am
    ├── efi
    │   ├── Makefile.am
    │   ├── boot.c
    │   ├── console.c
    │   ├── console.h
    │   ├── disk.c
    │   ├── disk.h
    │   ├── graphics.c
    │   ├── graphics.h
    │   ├── linux.c
    │   ├── linux.h
    │   ├── measure.c
    │   ├── measure.h
    │   ├── pe.c
    │   ├── pe.h
    │   ├── sha512.c
    │   ├── sha512.h
    │   ├── shim.c
    │   ├── shim.h
    │   ├── splash.c
    │   ├── splash.h
    │   ├── stub.c
    │   ├── util.c
    │   └── util.h
    └── sbpctl.in

/LICENSE.GPL2:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

    Copyright (C)

    This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

    , 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

--------------------------------------------------------------------------------
/LICENSE.LGPL2.1:
--------------------------------------------------------------------------------
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) The modified work must itself be a software library.

    b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

    c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

    d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

    (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

    a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
297 | 298 | b) Use a suitable shared library mechanism for linking with the 299 | Library. A suitable mechanism is one that (1) uses at run time a 300 | copy of the library already present on the user's computer system, 301 | rather than copying library functions into the executable, and (2) 302 | will operate properly with a modified version of the library, if 303 | the user installs one, as long as the modified version is 304 | interface-compatible with the version that the work was made with. 305 | 306 | c) Accompany the work with a written offer, valid for at 307 | least three years, to give the same user the materials 308 | specified in Subsection 6a, above, for a charge no more 309 | than the cost of performing this distribution. 310 | 311 | d) If distribution of the work is made by offering access to copy 312 | from a designated place, offer equivalent access to copy the above 313 | specified materials from the same place. 314 | 315 | e) Verify that the user has already received a copy of these 316 | materials or that you have already sent this user a copy. 317 | 318 | For an executable, the required form of the "work that uses the 319 | Library" must include any data and utility programs needed for 320 | reproducing the executable from it. However, as a special exception, 321 | the materials to be distributed need not include anything that is 322 | normally distributed (in either source or binary form) with the major 323 | components (compiler, kernel, and so on) of the operating system on 324 | which the executable runs, unless that component itself accompanies 325 | the executable. 326 | 327 | It may happen that this requirement contradicts the license 328 | restrictions of other proprietary libraries that do not normally 329 | accompany the operating system. Such a contradiction means you cannot 330 | use both them and the Library together in an executable that you 331 | distribute. 332 | 333 | 7. 
You may place library facilities that are a work based on the 334 | Library side-by-side in a single library together with other library 335 | facilities not covered by this License, and distribute such a combined 336 | library, provided that the separate distribution of the work based on 337 | the Library and of the other library facilities is otherwise 338 | permitted, and provided that you do these two things: 339 | 340 | a) Accompany the combined library with a copy of the same work 341 | based on the Library, uncombined with any other library 342 | facilities. This must be distributed under the terms of the 343 | Sections above. 344 | 345 | b) Give prominent notice with the combined library of the fact 346 | that part of it is a work based on the Library, and explaining 347 | where to find the accompanying uncombined form of the same work. 348 | 349 | 8. You may not copy, modify, sublicense, link with, or distribute 350 | the Library except as expressly provided under this License. Any 351 | attempt otherwise to copy, modify, sublicense, link with, or 352 | distribute the Library is void, and will automatically terminate your 353 | rights under this License. However, parties who have received copies, 354 | or rights, from you under this License will not have their licenses 355 | terminated so long as such parties remain in full compliance. 356 | 357 | 9. You are not required to accept this License, since you have not 358 | signed it. However, nothing else grants you permission to modify or 359 | distribute the Library or its derivative works. These actions are 360 | prohibited by law if you do not accept this License. Therefore, by 361 | modifying or distributing the Library (or any work based on the 362 | Library), you indicate your acceptance of this License to do so, and 363 | all its terms and conditions for copying, distributing or modifying 364 | the Library or works based on it. 365 | 366 | 10. 
Each time you redistribute the Library (or any work based on the 367 | Library), the recipient automatically receives a license from the 368 | original licensor to copy, distribute, link with or modify the Library 369 | subject to these terms and conditions. You may not impose any further 370 | restrictions on the recipients' exercise of the rights granted herein. 371 | You are not responsible for enforcing compliance by third parties with 372 | this License. 373 | 374 | 11. If, as a consequence of a court judgment or allegation of patent 375 | infringement or for any other reason (not limited to patent issues), 376 | conditions are imposed on you (whether by court order, agreement or 377 | otherwise) that contradict the conditions of this License, they do not 378 | excuse you from the conditions of this License. If you cannot 379 | distribute so as to satisfy simultaneously your obligations under this 380 | License and any other pertinent obligations, then as a consequence you 381 | may not distribute the Library at all. For example, if a patent 382 | license would not permit royalty-free redistribution of the Library by 383 | all those who receive copies directly or indirectly through you, then 384 | the only way you could satisfy both it and this License would be to 385 | refrain entirely from distribution of the Library. 386 | 387 | If any portion of this section is held invalid or unenforceable under any 388 | particular circumstance, the balance of the section is intended to apply, 389 | and the section as a whole is intended to apply in other circumstances. 390 | 391 | It is not the purpose of this section to induce you to infringe any 392 | patents or other property right claims or to contest validity of any 393 | such claims; this section has the sole purpose of protecting the 394 | integrity of the free software distribution system which is 395 | implemented by public license practices. 
Many people have made 396 | generous contributions to the wide range of software distributed 397 | through that system in reliance on consistent application of that 398 | system; it is up to the author/donor to decide if he or she is willing 399 | to distribute software through any other system and a licensee cannot 400 | impose that choice. 401 | 402 | This section is intended to make thoroughly clear what is believed to 403 | be a consequence of the rest of this License. 404 | 405 | 12. If the distribution and/or use of the Library is restricted in 406 | certain countries either by patents or by copyrighted interfaces, the 407 | original copyright holder who places the Library under this License may add 408 | an explicit geographical distribution limitation excluding those countries, 409 | so that distribution is permitted only in or among countries not thus 410 | excluded. In such case, this License incorporates the limitation as if 411 | written in the body of this License. 412 | 413 | 13. The Free Software Foundation may publish revised and/or new 414 | versions of the Lesser General Public License from time to time. 415 | Such new versions will be similar in spirit to the present version, 416 | but may differ in detail to address new problems or concerns. 417 | 418 | Each version is given a distinguishing version number. If the Library 419 | specifies a version number of this License which applies to it and 420 | "any later version", you have the option of following the terms and 421 | conditions either of that version or of any later version published by 422 | the Free Software Foundation. If the Library does not specify a 423 | license version number, you may choose any version ever published by 424 | the Free Software Foundation. 425 | 426 | 14. If you wish to incorporate parts of the Library into other free 427 | programs whose distribution conditions are incompatible with these, 428 | write to the author to ask for permission. 
For software which is 429 | copyrighted by the Free Software Foundation, write to the Free 430 | Software Foundation; we sometimes make exceptions for this. Our 431 | decision will be guided by the two goals of preserving the free status 432 | of all derivatives of our free software and of promoting the sharing 433 | and reuse of software generally. 434 | 435 | NO WARRANTY 436 | 437 | 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO 438 | WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 439 | EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR 440 | OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY 441 | KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE 442 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 443 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 444 | LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME 445 | THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 446 | 447 | 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN 448 | WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY 449 | AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU 450 | FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 451 | CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE 452 | LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 453 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A 454 | FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF 455 | SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 456 | DAMAGES. 
457 | 458 | END OF TERMS AND CONDITIONS 459 | 460 | How to Apply These Terms to Your New Libraries 461 | 462 | If you develop a new library, and you want it to be of the greatest 463 | possible use to the public, we recommend making it free software that 464 | everyone can redistribute and change. You can do so by permitting 465 | redistribution under these terms (or, alternatively, under the terms of the 466 | ordinary General Public License). 467 | 468 | To apply these terms, attach the following notices to the library. It is 469 | safest to attach them to the start of each source file to most effectively 470 | convey the exclusion of warranty; and each file should have at least the 471 | "copyright" line and a pointer to where the full notice is found. 472 | 473 | 474 | Copyright (C) 475 | 476 | This library is free software; you can redistribute it and/or 477 | modify it under the terms of the GNU Lesser General Public 478 | License as published by the Free Software Foundation; either 479 | version 2.1 of the License, or (at your option) any later version. 480 | 481 | This library is distributed in the hope that it will be useful, 482 | but WITHOUT ANY WARRANTY; without even the implied warranty of 483 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 484 | Lesser General Public License for more details. 485 | 486 | You should have received a copy of the GNU Lesser General Public 487 | License along with this library; if not, write to the Free Software 488 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 489 | 490 | Also add information on how to contact you by electronic and paper mail. 491 | 492 | You should also get your employer (if you work as a programmer) or your 493 | school, if any, to sign a "copyright disclaimer" for the library, if 494 | necessary. 
Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the
  library `Frob' (a library for tweaking knobs) written by James Random Hacker.

  , 1 April 1990
  Ty Coon, President of Vice

That's all there is to it!
--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
ACLOCAL_AMFLAGS = -I m4 ${ACLOCAL_FLAGS}

SUBDIRS = \
	completion \
	man \
	src

DISTCHECK_CONFIGURE_FLAGS = \
	--with-bashcompletiondir=$$dc_install_base/$(bashcompletiondir)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# systemd-boot-password

systemd-boot-password is the systemd-boot boot manager with a password-protected editor.

## Building and Installing

The `gnu-efi` library, `docbook-xsl` and GNU autotools should be installed.

Run `./autogen.sh && make && sudo make install` to build and install systemd-boot-password on your system.

Arch Linux users can install the [`systemd-boot-password`](https://aur.archlinux.org/packages/systemd-boot-password) package from the AUR.

## Boot Manager Installing and Configuration

You can install the boot manager using `sudo sbpctl install $esp`.

In `$esp/loader/loader.conf` you can add `editor 1` to enable the kernel parameters editor (enabled by default).

For password protection, run `sbpctl generate` and enter the desired password. This tool will generate a SHA-512 hash sum which you can add to the `loader.conf` file: `password $sha512sum`. The boot manager will prompt for the password when you try to open the editor with the `e` key.

You can create a standalone EFI application with the Linux EFI application and initramfs included: `sudo sbpctl standalone --initrd /boot/initramfs-linux.img /boot/vmlinuz-linux $esp/linux.efi`.

You can create a single `loader.conf` file with all entries, divided by empty lines:

```
default entry0
timeout 0
editor 1
password 61cf00560dff557e0cd498fe

title Linux
efi /linux.efi
options root=/dev/sda2 rw
```

You can also include your configuration in the EFI binary using the `--include` command option for `install`. In this case `loader.conf` should be placed at `/etc/sbp`.

You can automatically sign your EFI applications for Secure Boot using the `--sign` option for `install` and `standalone`. To do this you should install `sbsigntools` and place your `db.crt` and `db.key` in the `/etc/sbp` directory.

Consider changing the permissions of `/etc/sbp` to 700 and the fmask for `$esp` to 0077 or 0177 in `/etc/fstab`.

## License

This program is licensed under LGPLv2.1+.
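The single-file `loader.conf` layout and the fmask advice in the README above can be checked before `sbpctl install` copies the file onto the ESP. The following Python script is an added example, not code from the systemd-boot-password project. It assumes the layout the README describes (one global block, then one entry per blank-line-separated block, addressed as `entry0`, `entry1`, ...), and it assumes a `password` value is the full lowercase hex SHA-512 digest (128 characters); the README's sample value is shortened, so confirm that width against what `sbpctl generate` prints on your own system. The sample config and fstab lines are constructed for the example.

```python
"""Pre-install checks for a systemd-boot-password loader.conf and its ESP mount.

Added example, not code from the systemd-boot-password project. Assumptions:
the single-file layout from the README (global block first, then entries
separated by blank lines, addressed as entry0, entry1, ...) and a `password`
value that is the full 128-char lowercase hex SHA-512 digest.
"""
import hashlib
import re

SHA512_HEX = re.compile(r"^[0-9a-f]{128}$")
GLOBAL_KEYS = {"default", "timeout", "editor", "password"}


def parse_loader_conf(text):
    """Return (globals, entries): a dict for the first block, a list of dicts after it.

    Each line is 'key value'; the value is everything after the first run of
    whitespace, because kernel 'options' lines contain spaces themselves.
    """
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]
    parsed = []
    for block in blocks:
        section = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            section[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        parsed.append(section)
    if parsed and parsed[0].keys() & GLOBAL_KEYS:
        return parsed[0], parsed[1:]
    return {}, parsed  # file holds only entries, no global block


def check_loader_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, entries = parse_loader_conf(text)
    findings = []
    editor = globals_.get("editor", "1")  # README: the editor is enabled by default
    if editor not in ("0", "1"):
        findings.append("editor must be 0 or 1, got %r" % editor)
    password = globals_.get("password")
    if editor == "1" and password is None:
        findings.append("editor is enabled but no password line protects it")
    if password is not None and not SHA512_HEX.match(password):
        findings.append("password is not a 128-char lowercase hex SHA-512 digest")
    default = globals_.get("default")
    if default is not None:
        m = re.fullmatch(r"entry(\d+)", default)
        if m and int(m.group(1)) >= len(entries):
            findings.append("default %s refers to a missing embedded entry" % default)
    for i, entry in enumerate(entries):
        if "title" not in entry:
            findings.append("entry%d has no title" % i)
        if not ({"efi", "linux"} & entry.keys()):
            findings.append("entry%d names neither efi nor linux to boot" % i)
    return findings


def esp_fmask_ok(fstab_text, mountpoint):
    """True if the fstab entry for mountpoint removes every group/other permission bit.

    vfat's fmask lists the permission bits taken away from every file, so the
    README's 0077 or 0177 leaves loader.conf, and the password hash in it,
    readable only by the owning user (root by default); without an fmask the
    ESP contents are world-readable.
    """
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[1] != mountpoint:
            continue
        for opt in fields[3].split(","):
            if opt.startswith("fmask="):
                try:
                    mask = int(opt[len("fmask="):], 8)
                except ValueError:
                    return False
                return (mask & 0o077) == 0o077
        return False  # mounted without fmask
    return False  # no entry for this mountpoint


# Constructed sample inputs; the digest comes from a placeholder string, not a real credential.
SAMPLE_DIGEST = hashlib.sha512(b"example-only").hexdigest()
SAMPLE_CONF = (
    "default entry0\ntimeout 0\neditor 1\npassword " + SAMPLE_DIGEST + "\n"
    "\n"
    "title Linux\nefi /linux.efi\noptions root=/dev/sda2 rw\n"
)
TRUNCATED_CONF = SAMPLE_CONF.replace(SAMPLE_DIGEST, "61cf00560dff557e0cd498fe")  # README's shortened sample
SAMPLE_FSTAB = (
    "# <device>      <mount>  <type>  <options>                          <dump> <pass>\n"
    "UUID=1234-ABCD  /boot    vfat    rw,relatime,fmask=0077,dmask=0077  0 2\n"
    "UUID=5678-EF01  /esp2    vfat    rw,relatime                        0 2\n"
)

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("truncated", TRUNCATED_CONF)):
        print(name, check_loader_conf(conf) or "ok")
    for mnt in ("/boot", "/esp2"):
        print(mnt, "fmask ok" if esp_fmask_ok(SAMPLE_FSTAB, mnt) else "fmask missing or too permissive")
```

The `default` check only resolves `entryN` references into embedded entries; a `default` naming a file under `/loader/entries/` has to be checked against the ESP itself. Run the script against your real files by feeding `open("/etc/sbp/loader.conf").read()` and `open("/etc/fstab").read()` to the two functions.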

--------------------------------------------------------------------------------
/autogen.sh:
--------------------------------------------------------------------------------
#!/bin/sh
autoreconf -v --force --install && {
	[ -n "$NOCONFIGURE" ] || ./configure "$@"
}
--------------------------------------------------------------------------------
/completion/Makefile.am:
--------------------------------------------------------------------------------
SUBDIRS = \
	bash
--------------------------------------------------------------------------------
/completion/bash/Makefile.am:
--------------------------------------------------------------------------------
bashcompletiondir = \
	@bashcompletiondir@

bashcompletion_data = \
	sbpctl

if ENABLE_BASH_COMPLETION
bashcompletion_DATA = $(bashcompletion_data)
endif

EXTRA_DIST = \
	sbpctl
--------------------------------------------------------------------------------
/completion/bash/sbpctl:
--------------------------------------------------------------------------------
# sbpctl(1) completion                                     -*- shell-script -*-

_sbpctl() {
	local cur words cword
	_init_completion || return

	[ "$cword" -eq 1 ] && {
		COMPREPLY=( $(compgen -W 'install standalone generate' -- "$cur") )
	} || {
		case "${words[1]}" in
		'generate')
			COMPREPLY=()
			;;
		'install')
			_filedir -d
			COMPREPLY+=( $( compgen -W '-i -d -s --include --default --sign' -- "$cur" ) )
			;;
		'standalone')
			_filedir
			COMPREPLY+=( $( compgen -W '-o -c -i -s --osrel --cmdline --initrd --sign' -- "$cur" ) )
			;;
		esac
	}
}

complete -F _sbpctl sbpctl
--------------------------------------------------------------------------------
/configure.ac:
--------------------------------------------------------------------------------
AC_INIT([systemd-boot-password], [1.0.237])

AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h])

AC_CONFIG_FILES([
        Makefile
        completion/Makefile
        completion/bash/Makefile
        man/Makefile
        src/Makefile
        src/efi/Makefile
])

AM_INIT_AUTOMAKE([foreign 1.11 -Wall -Wno-portability tar-pax no-dist-gzip dist-xz])
AM_SILENT_RULES([yes])

AC_CANONICAL_HOST

AC_PROG_CC_C99
AC_CHECK_TOOL(OBJCOPY, objcopy)
PKG_PROG_PKG_CONFIG

SET_ARCH(X86_64, x86_64*)
SET_ARCH(IA32, i*86*)
SET_ARCH(MIPS, mips*)
SET_ARCH(AARCH64, aarch64*)

EFI_ARCH=`echo $host | sed "s/\(-\).*$//"`
AM_COND_IF(ARCH_IA32, [EFI_ARCH=ia32 EFI_MACHINE_TYPE_NAME=ia32])
AM_COND_IF(ARCH_X86_64, [EFI_MACHINE_TYPE_NAME=x64])
AM_COND_IF(ARCH_AARCH64, [EFI_MACHINE_TYPE_NAME=aa64])

AC_SUBST([EFI_ARCH])
AC_SUBST([EFI_MACHINE_TYPE_NAME])

AC_CHECK_HEADERS(efi/${EFI_ARCH}/efibind.h, [AC_DEFINE(HAVE_GNUEFI, 1, [Define if gnuefi is available]) have_gnuefi=yes],
        [AC_MSG_ERROR([*** gnuefi is required])])
efiroot=$(echo $(cd /usr/lib/$(${CC} -print-multi-os-directory); pwd))
EFI_LIB_DIR="$efiroot"
AC_ARG_WITH(efi-libdir, AS_HELP_STRING([--with-efi-libdir=PATH], [Path to EFI lib directory]),
        [EFI_LIB_DIR="$withval"], [EFI_LIB_DIR="$efiroot"])
AC_SUBST([EFI_LIB_DIR])
have_efi_lds=no
AC_ARG_WITH(efi-ldsdir, AS_HELP_STRING([--with-efi-ldsdir=PATH], [Path to EFI lds directory]),
        [EFI_LDS_DIR="$withval" && AS_IF([test -f "${EFI_LDS_DIR}/elf_${EFI_ARCH}_efi.lds"], [have_efi_lds=yes])],
        [AS_FOR([DIR], [EFI_LDS_DIR], ["${EFI_LIB_DIR}/gnuefi" "${EFI_LIB_DIR}"],
                [AS_IF([test -f "${EFI_LDS_DIR}/elf_${EFI_ARCH}_efi.lds"], [have_efi_lds=yes && break])])])
AS_IF([test "x$have_efi_lds" = xyes], [AC_SUBST([EFI_LDS_DIR])],
        [AC_MSG_ERROR([*** gnuefi is required])])
AC_ARG_WITH(efi-includedir, AS_HELP_STRING([--with-efi-includedir=PATH], [Path to EFI include directory]),
        [EFI_INC_DIR="$withval"], [EFI_INC_DIR="/usr/include"])
AC_SUBST([EFI_INC_DIR])

AC_PATH_PROG([XSLTPROC], [xsltproc])
AS_IF([test -z "$XSLTPROC"], AC_MSG_ERROR([*** xsltproc is required]))

AC_ARG_ENABLE([secure-boot-password], AS_HELP_STRING([--disable-secure-boot-password],
        [disallow password prompt with Secure Boot enabled]),
        [case "${enableval}" in
                yes) secure_boot_password=true ;;
                no) secure_boot_password=false ;;
                *) AC_MSG_ERROR([bad value ${enableval} for --disable-secure-boot-password]) ;;
        esac], [secure_boot_password=true])
dnl The negated test below exits 1 when secure_boot_password is not "false" and
dnl 0 when it is, so SECURE_BOOT_PASSWORD is defined as 1 when the password
dnl prompt is allowed under Secure Boot and as 0 when it is disallowed.
AC_DEFINE_UNQUOTED([SECURE_BOOT_PASSWORD], `test ! "x$secure_boot_password" != "xfalse"; echo $?`,
        [Define if Secure Boot password is allowed])

AC_ARG_WITH([bashcompletiondir], AS_HELP_STRING([--with-bashcompletiondir=DIR],
        [Bash completions directory]), [], [AS_IF([$($PKG_CONFIG --exists bash-completion)],
        [with_bashcompletiondir=$($PKG_CONFIG --variable=completionsdir bash-completion)],
        [with_bashcompletiondir=${datadir}/bash-completion/completions])])
AM_CONDITIONAL(ENABLE_BASH_COMPLETION, [test "$with_bashcompletiondir" != "no"])
AX_NORMALIZE_PATH([with_bashcompletiondir])
AC_SUBST([bashcompletiondir], [$with_bashcompletiondir])

AC_SUBST([bootlibdir], ["${prefix}/lib/systemd/boot/efi-sbp"])

AC_OUTPUT
AC_MSG_RESULT([
        $PACKAGE_NAME ${PACKAGE_VERSION}

        prefix:                     ${prefix}
        datarootdir:                ${datarootdir}
        arch:                       ${EFI_ARCH}
        EFI machine type:           ${EFI_MACHINE_TYPE_NAME}

        EFI libdir:                 ${EFI_LIB_DIR}
        EFI ldsdir:                 ${EFI_LDS_DIR}
        EFI includedir:             ${EFI_INC_DIR}

        Allow Secure Boot password: ${secure_boot_password}
        Bash completions dir:       ${with_bashcompletiondir}
        Boot lib dir:               ${bootlibdir}
])
--------------------------------------------------------------------------------
/m4/arch.m4:
--------------------------------------------------------------------------------
dnl SET_ARCH(ARCHNAME, PATTERN)
dnl
dnl Define the ARCH_ conditional if the pattern matches the current
dnl architecture
dnl
AC_DEFUN([SET_ARCH], [
        cpu_$1=false
        case "$host" in
        $2) cpu_$1=true ;;
        esac
        AM_CONDITIONAL(AS_TR_CPP(ARCH_$1), [test "x$cpu_$1" = xtrue])
])
--------------------------------------------------------------------------------
/m4/ax_normalize_path.m4:
--------------------------------------------------------------------------------
# ===========================================================================
#   http://www.gnu.org/software/autoconf-archive/ax_normalize_path.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_NORMALIZE_PATH(VARNAME, [REFERENCE_STRING])
#
# DESCRIPTION
#
#   Perform some cleanups on the value of $VARNAME (interpreted as a path):
#
#     - empty paths are changed to '.'
#     - trailing slashes are removed
#     - repeated slashes are squeezed except a leading doubled slash '//'
#       (which might indicate a networked disk on some OS).
#
#   REFERENCE_STRING is used to turn '/' into '\' and vice-versa: if
#   REFERENCE_STRING contains some backslashes, all slashes and backslashes
#   are turned into backslashes, otherwise they are all turned into slashes.
#
#   This makes processing of DOS filenames much easier, because you can
#   turn a filename to the Unix notation, do your processing, and turn it
#   back to the original notation.
#
#     filename='A:\FOO\\BAR\'
#     old_filename="$filename"
#     # Switch to the unix notation
#     AX_NORMALIZE_PATH([filename], ["/"])
#     # now we have $filename = 'A:/FOO/BAR' and we can process it as if
#     # it was a Unix path.  For instance let's say that you want
#     # to append '/subpath':
#     filename="$filename/subpath"
#     # finally switch back to the original notation
#     AX_NORMALIZE_PATH([filename], ["$old_filename"])
#     # now $filename equals to 'A:\FOO\BAR\subpath'
#
#   One good reason to do all path processing with the unix convention is
#   that backslashes have a special meaning in many cases. For instance
#
#     expr 'A:\FOO' : 'A:\Foo'
#
#   will return 0 because the second argument is a regex in which
#   backslashes have to be backslashed. In other words, to have the two
#   strings match you should write this instead:
#
#     expr 'A:\Foo' : 'A:\\Foo'
#
#   Such behavior makes DOS filenames extremely unpleasant to work with. So
#   temporarily turn your paths to the Unix notation, and revert them to the
#   original notation after the processing. See the macro
#   AX_COMPUTE_RELATIVE_PATHS for a concrete example of this.
#
#   REFERENCE_STRING defaults to $VARIABLE, this means that slashes will be
#   converted to backslashes if $VARIABLE already contains some backslashes
#   (see $thirddir below).
#
#     firstdir='/usr/local//share'
#     seconddir='C:\Program Files\\'
#     thirddir='C:\home/usr/'
#     AX_NORMALIZE_PATH([firstdir])
#     AX_NORMALIZE_PATH([seconddir])
#     AX_NORMALIZE_PATH([thirddir])
#     # $firstdir = '/usr/local/share'
#     # $seconddir = 'C:\Program Files'
#     # $thirddir = 'C:\home\usr'
#
# LICENSE
#
#   Copyright (c) 2008 Alexandre Duret-Lutz
#
#   This program is free software; you can redistribute it and/or modify it
#   under the terms of the GNU General Public License as published by the
#   Free Software Foundation; either version 2 of the License, or (at your
#   option) any later version.
#
#   This program is distributed in the hope that it will be useful, but
#   WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
#   Public License for more details.
#
#   You should have received a copy of the GNU General Public License along
#   with this program. If not, see .
#
#   As a special exception, the respective Autoconf Macro's copyright owner
#   gives unlimited permission to copy, distribute and modify the configure
#   scripts that are the output of Autoconf when processing the Macro. You
#   need not follow the terms of the GNU General Public License when using
#   or distributing such scripts, even though portions of the text of the
#   Macro appear in them. The GNU General Public License (GPL) does govern
#   all other use of the material that constitutes the Autoconf Macro.
#
#   This special exception to the GPL applies to versions of the Autoconf
#   Macro released by the Autoconf Archive. When you make and distribute a
#   modified version of the Autoconf Macro, you may extend this special
#   exception to the GPL to apply to your modified version as well.

#serial 5

AU_ALIAS([ADL_NORMALIZE_PATH], [AX_NORMALIZE_PATH])
AC_DEFUN([AX_NORMALIZE_PATH],
[case ":[$]$1:" in
# change empty paths to '.'
  ::) $1='.' ;;
# strip trailing slashes
  :*[[\\/]]:) $1=`echo "[$]$1" | sed 's,[[\\/]]*[$],,'` ;;
  :*:) ;;
esac
# squeeze repeated slashes
case ifelse($2,,"[$]$1",$2) in
# if the path contains any backslashes, turn slashes into backslashes
 *\\*) $1=`echo "[$]$1" | sed 's,\(.\)[[\\/]][[\\/]]*,\1\\\\,g'` ;;
# if the path contains slashes, also turn backslashes into slashes
 *) $1=`echo "[$]$1" | sed 's,\(.\)[[\\/]][[\\/]]*,\1/,g'` ;;
esac])
--------------------------------------------------------------------------------
/man/Makefile.am:
--------------------------------------------------------------------------------
man_MANS = \
	sbpctl.1

EXTRA_DIST = \
	sbpctl.xml

XSLTPROC_FLAGS = \
	--nonet \
	--stringparam man.authors.section.enabled 0 \
	--stringparam man.copyright.section.enabled 0

%.1: %.xml
	$(AM_V_GEN) $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) \
		http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<

CLEANFILES = \
	$(man_MANS)
--------------------------------------------------------------------------------
/man/sbpctl.xml:
--------------------------------------------------------------------------------
sbpctl(1)                                                 systemd-boot-password

NAME
       sbpctl - Control the boot manager installation

AUTHOR
       kitsunyan <kitsunyan@inbox.ru>

SYNOPSIS
       sbpctl install [-i|--include] [-d|--default] [-s|--sign] path

       sbpctl standalone [-o osrel|--osrel=osrel] [-c cmdline|--cmdline=cmdline]
              [-i initrd|--initrd=initrd]... [-s|--sign] efi output

       sbpctl generate

DESCRIPTION
       sbpctl install installs systemd-boot-password into the EFI system partition.
       systemd-boot-password will be installed as the default EFI loader at
       /EFI/BOOT/BOOT*.EFI.
55 | 56 | 57 | 58 | sbpctl standalone creates a standalone EFI application 59 | with initramfs and Linux EFI application included. 60 | 61 | 62 | 63 | sbpctl generate prompts for password and generates a SHA-512 hash sum 64 | which you can add to the basic configuration file. 65 | 66 | 67 | 68 | 69 | Installation options 70 | 71 | 72 | 73 | , 74 | 75 | 76 | Include configuration file to EFI binary. In this case boot manager 77 | will never read configuration from file. 78 | 79 | 80 | 81 | 82 | 83 | , 84 | 85 | 86 | Boot manager will be installed only as default EFI loader at 87 | /EFI/BOOT/BOOT*.EFI. 88 | 89 | 90 | 91 | 92 | 93 | , 94 | 95 | 96 | Boot manager will be signed with keys located at 97 | /etc/sbp/db.key and /etc/sbp/db.crt 98 | using sbsign util. 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | Path to the EFI System Partition (ESP). 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | Standalone options 116 | 117 | 118 | 119 | osrel, =osrel 120 | 121 | 122 | Include os-release to EFI binary. In most cases you can use /etc/os-release. 123 | With both and provided 124 | EFI application can be installed at /EFI/Linux/ without entry configuration. 125 | 126 | 127 | 128 | 129 | 130 | cmdline, =cmdline 131 | 132 | 133 | Include cmdline to EFI binary. In most cases you can use /proc/cmdline. 134 | With both and provided 135 | EFI application can be installed at /EFI/Linux/ without entry configuration. 136 | 137 | 138 | 139 | 140 | 141 | initrd, =initrd 142 | 143 | 144 | Path to initrd. You can specify multiple options. 145 | 146 | 147 | 148 | 149 | 150 | , 151 | 152 | 153 | EFI application will be signed with keys located at 154 | /etc/sbp/db.key and /etc/sbp/db.crt 155 | using sbsign util. 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Path to Linux EFI application. 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | Path to output EFI application. 
174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | Configuration files 182 | 183 | 184 | The basic configuration file is located at /loader/loader.conf 185 | on your EFI system partition, or at /etc/sbp/loader.conf if 186 | you plan to embed the configuration in the EFI binary. 187 | The basic configuration file supports the following options: 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | Default entry to select. This option takes the name of an entry 196 | configuration file, or entryINDEX 197 | if the entry is embedded in the basic configuration file. 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | Menu timeout. A value of 0 means the menu is only shown 207 | if Esc is pressed during boot. 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | Defines whether the kernel parameters editor can be opened with the e key. 217 | A value of 1 enables the editor, 0 disables it. 218 | The editor is enabled by default. 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | A SHA-512 hash sum of the password, as printed by sbpctl generate. The user will be prompted for the password before 228 | the kernel parameters editor is opened. 229 | 230 | 231 | 232 | 233 | 234 | 235 | Boot entry configuration files are located at /loader/entries/*.conf 236 | on your EFI system partition, or entries can be embedded in the basic configuration file, each entry block preceded by an empty line. 237 | A boot entry configuration file supports the following options: 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | Entry title to display. 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | Version displayed for non-unique entries. 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | Machine ID displayed for non-unique entries. 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | EFI program to start. 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | EFI program to start. This also automatically adds the corresponding option 282 | to the kernel parameters. 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | Path to the initramfs. 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | EFI image architecture.
Allows filtering out EFI images that do not match your architecture. 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | Default kernel parameters. These can be changed in the editor when it is enabled. 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | Exit status 318 | 319 | On success, 0 is returned, a non-zero failure code otherwise. 320 | 321 | 322 | 323 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS = \ 2 | efi 3 | 4 | bin_SCRIPTS = \ 5 | sbpctl 6 | 7 | sbpctl: sbpctl.in 8 | $(AM_V_GEN) sed \ 9 | -e 's,[@]BOOT_LIB_DIR[@],$(bootlibdir),g' \ 10 | -e 's,[@]EFI_MACHINE_TYPE_NAME[@],$(EFI_MACHINE_TYPE_NAME),g' \ 11 | < $< > $@ 12 | @chmod a+x $@ 13 | 14 | EXTRA_DIST = \ 15 | sbpctl.in 16 | 17 | CLEANFILES = \ 18 | $(bin_SCRIPTS) 19 | -------------------------------------------------------------------------------- /src/efi/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_V_CC = $(am__v_CC_$(V)) 2 | am__v_CC_ = $(am__v_CC_$(AM_DEFAULT_VERBOSITY)) 3 | am__v_CC_0 = @echo " CC " $@; 4 | 5 | AM_V_CCLD = $(am__v_CCLD_$(V)) 6 | am__v_CCLD_ = $(am__v_CCLD_$(AM_DEFAULT_VERBOSITY)) 7 | am__v_CCLD_0 = @echo " CCLD " $@; 8 | 9 | bootlib_DATA = 10 | EXTRA_DIST = 11 | CLEANFILES = 12 | 13 | bootlibdir = \ 14 | @bootlibdir@ 15 | 16 | efi_cppflags = \ 17 | $(EFI_CPPFLAGS) \ 18 | -I$(top_builddir) -include config.h \ 19 | -I$(EFI_INC_DIR)/efi \ 20 | -I$(EFI_INC_DIR)/efi/$(EFI_ARCH) \ 21 | -DEFI_MACHINE_TYPE_NAME=\"$(EFI_MACHINE_TYPE_NAME)\" 22 | 23 | efi_cflags = \ 24 | $(EFI_CFLAGS) \ 25 | -Wall \ 26 | -Wextra \ 27 | -std=gnu90 \ 28 | -nostdinc \ 29 | -ggdb -O0 \ 30 | -fpic \ 31 | -fshort-wchar \ 32 | -nostdinc \ 33 | -ffreestanding \ 34 | -fno-strict-aliasing \ 35 | -fno-stack-protector \ 36 | -Wsign-compare \ 37 | -Wno-missing-field-initializers 38 | 39 | if ARCH_X86_64 40 | efi_cflags += \ 41 | 
-mno-red-zone \ 42 | -mno-sse \ 43 | -mno-mmx \ 44 | -DEFI_FUNCTION_WRAPPER \ 45 | -DGNU_EFI_USE_MS_ABI 46 | endif 47 | 48 | if ARCH_IA32 49 | efi_cflags += \ 50 | -mno-sse \ 51 | -mno-mmx 52 | endif 53 | 54 | efi_ldflags = \ 55 | $(EFI_LDFLAGS) \ 56 | -T $(EFI_LDS_DIR)/elf_$(EFI_ARCH)_efi.lds \ 57 | -shared \ 58 | -Bsymbolic \ 59 | -nostdlib \ 60 | -znocombreloc \ 61 | -L $(EFI_LIB_DIR) \ 62 | $(EFI_LDS_DIR)/crt0-efi-$(EFI_ARCH).o 63 | 64 | # Aarch64 and ARM32 don't have an EFI capable objcopy. Use 'binary' instead, 65 | # and add required symbols manually. 66 | if ARCH_AARCH64 67 | efi_ldflags += --defsym=EFI_SUBSYSTEM=0xa 68 | EFI_FORMAT = -O binary 69 | else 70 | EFI_FORMAT = --target=efi-app-$(EFI_ARCH) 71 | endif 72 | 73 | systemd_boot_headers = \ 74 | console.h \ 75 | disk.h \ 76 | graphics.h \ 77 | linux.h \ 78 | measure.h \ 79 | pe.h \ 80 | sha512.h \ 81 | shim.h \ 82 | util.h 83 | 84 | systemd_boot_sources = \ 85 | boot.c \ 86 | console.c \ 87 | disk.c \ 88 | graphics.c \ 89 | measure.c \ 90 | pe.c \ 91 | sha512.c \ 92 | shim.c \ 93 | util.c 94 | 95 | systemd_boot_objects = $(systemd_boot_sources:.c=.o) 96 | systemd_boot_solib = systemd_boot.so 97 | systemd_boot = systemd-boot$(EFI_MACHINE_TYPE_NAME).efi 98 | 99 | $(systemd_boot): $(systemd_boot_solib) 100 | $(AM_V_GEN) $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic \ 101 | -j .dynsym -j .rel -j .rela -j .reloc $(EFI_FORMAT) $< $@ 102 | 103 | $(systemd_boot_solib): $(systemd_boot_objects) 104 | $(AM_V_CCLD) $(LD) $(efi_ldflags) $(systemd_boot_objects) \ 105 | -o $@ -lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name); 106 | @nm -D -u $@ | grep ' U ' && exit 1 || : 107 | 108 | %.o: %.c $(systemd_boot_headers) 109 | $(AM_V_CC) $(CC) $(efi_cppflags) $(efi_cflags) -c $< -o $@ 110 | 111 | bootlib_DATA += \ 112 | $(systemd_boot) 113 | 114 | EXTRA_DIST += \ 115 | $(systemd_boot_headers) \ 116 | $(systemd_boot_sources) 117 | 118 | CLEANFILES += \ 119 | $(systemd_boot_objects) \ 120 | $(systemd_boot_solib) \ 
121 | $(systemd_boot) 122 | 123 | systemd_boot_stub_headers = \ 124 | disk.h \ 125 | graphics.h \ 126 | linux.h \ 127 | measure.h \ 128 | pe.h \ 129 | splash.h \ 130 | util.h 131 | 132 | systemd_boot_stub_sources = \ 133 | disk.c \ 134 | graphics.c \ 135 | linux.c \ 136 | measure.c \ 137 | pe.c \ 138 | splash.c \ 139 | stub.c \ 140 | util.c 141 | 142 | systemd_boot_stub_objects = $(systemd_boot_stub_sources:.c=.o) 143 | systemd_boot_stub_solib = systemd_boot_stub.so 144 | systemd_boot_stub = linux$(EFI_MACHINE_TYPE_NAME).efi.stub 145 | 146 | $(systemd_boot_stub): $(systemd_boot_stub_solib) 147 | $(AM_V_GEN) $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic \ 148 | -j .dynsym -j .rel -j .rela -j .reloc $(EFI_FORMAT) $< $@ 149 | 150 | $(systemd_boot_stub_solib): $(systemd_boot_stub_objects) 151 | $(AM_V_CCLD) $(LD) $(efi_ldflags) $(systemd_boot_stub_objects) \ 152 | -o $@ -lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) 153 | @nm -D -u $@ | grep ' U ' && exit 1 || : 154 | 155 | %.o: %.c $(systemd_boot_stub_headers) 156 | $(AM_V_CC) $(CC) $(efi_cppflags) $(efi_cflags) -c $< -o $@ 157 | 158 | bootlib_DATA += \ 159 | $(systemd_boot_stub) 160 | 161 | EXTRA_DIST += \ 162 | $(systemd_boot_stub_headers) \ 163 | $(systemd_boot_stub_sources) 164 | 165 | CLEANFILES += \ 166 | $(systemd_boot_stub_objects) \ 167 | $(systemd_boot_stub_solib) \ 168 | $(systemd_boot_stub) 169 | -------------------------------------------------------------------------------- /src/efi/console.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 
7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | * Copyright (C) 2012-2013 Kay Sievers 14 | * Copyright (C) 2012 Harald Hoyer 15 | */ 16 | 17 | #include 18 | #include 19 | 20 | #include "console.h" 21 | #include "util.h" 22 | 23 | #define EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL_GUID \ 24 | { 0xdd9e7534, 0x7762, 0x4698, { 0x8c, 0x14, 0xf5, 0x85, 0x17, 0xa6, 0x25, 0xaa } } 25 | 26 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL; 27 | 28 | typedef EFI_STATUS (EFIAPI *EFI_INPUT_RESET_EX)( 29 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *This, 30 | BOOLEAN ExtendedVerification 31 | ); 32 | 33 | typedef UINT8 EFI_KEY_TOGGLE_STATE; 34 | 35 | typedef struct { 36 | UINT32 KeyShiftState; 37 | EFI_KEY_TOGGLE_STATE KeyToggleState; 38 | } EFI_KEY_STATE; 39 | 40 | typedef struct { 41 | EFI_INPUT_KEY Key; 42 | EFI_KEY_STATE KeyState; 43 | } EFI_KEY_DATA; 44 | 45 | typedef EFI_STATUS (EFIAPI *EFI_INPUT_READ_KEY_EX)( 46 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *This, 47 | EFI_KEY_DATA *KeyData 48 | ); 49 | 50 | typedef EFI_STATUS (EFIAPI *EFI_SET_STATE)( 51 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *This, 52 | EFI_KEY_TOGGLE_STATE *KeyToggleState 53 | ); 54 | 55 | typedef EFI_STATUS (EFIAPI *EFI_KEY_NOTIFY_FUNCTION)( 56 | EFI_KEY_DATA *KeyData 57 | ); 58 | 59 | typedef EFI_STATUS (EFIAPI *EFI_REGISTER_KEYSTROKE_NOTIFY)( 60 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *This, 61 | EFI_KEY_DATA KeyData, 62 | EFI_KEY_NOTIFY_FUNCTION KeyNotificationFunction, 63 | VOID **NotifyHandle 64 | ); 65 | 66 | typedef EFI_STATUS (EFIAPI *EFI_UNREGISTER_KEYSTROKE_NOTIFY)( 67 | struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *This, 68 | VOID *NotificationHandle 69 | ); 70 | 71 | typedef struct _EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL { 72 | EFI_INPUT_RESET_EX Reset; 73 | 
EFI_INPUT_READ_KEY_EX ReadKeyStrokeEx; 74 | EFI_EVENT WaitForKeyEx; 75 | EFI_SET_STATE SetState; 76 | EFI_REGISTER_KEYSTROKE_NOTIFY RegisterKeyNotify; 77 | EFI_UNREGISTER_KEYSTROKE_NOTIFY UnregisterKeyNotify; 78 | } EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL; 79 | 80 | EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait) { 81 | EFI_GUID EfiSimpleTextInputExProtocolGuid = EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL_GUID; 82 | static EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *TextInputEx; 83 | static BOOLEAN checked; 84 | UINTN index; 85 | EFI_INPUT_KEY k; 86 | EFI_STATUS err; 87 | 88 | if (!checked) { 89 | err = LibLocateProtocol(&EfiSimpleTextInputExProtocolGuid, (VOID **)&TextInputEx); 90 | if (EFI_ERROR(err)) 91 | TextInputEx = NULL; 92 | 93 | checked = TRUE; 94 | } 95 | 96 | /* wait until key is pressed */ 97 | if (wait) 98 | uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &index); 99 | 100 | if (TextInputEx) { 101 | EFI_KEY_DATA keydata; 102 | UINT64 keypress; 103 | 104 | err = uefi_call_wrapper(TextInputEx->ReadKeyStrokeEx, 2, TextInputEx, &keydata); 105 | if (!EFI_ERROR(err)) { 106 | UINT32 shift = 0; 107 | 108 | /* do not distinguish between left and right keys */ 109 | if (keydata.KeyState.KeyShiftState & EFI_SHIFT_STATE_VALID) { 110 | if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED)) 111 | shift |= EFI_CONTROL_PRESSED; 112 | if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED)) 113 | shift |= EFI_ALT_PRESSED; 114 | }; 115 | 116 | /* 32 bit modifier keys + 16 bit scan code + 16 bit unicode */ 117 | keypress = KEYPRESS(shift, keydata.Key.ScanCode, keydata.Key.UnicodeChar); 118 | if (keypress > 0) { 119 | *key = keypress; 120 | return 0; 121 | } 122 | } 123 | } 124 | 125 | /* fallback for firmware which does not support SimpleTextInputExProtocol 126 | * 127 | * This is also called in case ReadKeyStrokeEx did not return a key, because 128 | * some broken firmwares offer SimpleTextInputExProtocol, 
but never actually 129 | * handle any key. */ 130 | err = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &k); 131 | if (EFI_ERROR(err)) 132 | return err; 133 | 134 | *key = KEYPRESS(0, k.ScanCode, k.UnicodeChar); 135 | return 0; 136 | } 137 | -------------------------------------------------------------------------------- /src/efi/console.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details.
12 | * 13 | * Copyright (C) 2012-2013 Kay Sievers 14 | * Copyright (C) 2012 Harald Hoyer 15 | */ 16 | 17 | #ifndef __SDBOOT_CONSOLE_H 18 | #define __SDBOOT_CONSOLE_H 19 | 20 | #define EFI_SHIFT_STATE_VALID 0x80000000 21 | #define EFI_RIGHT_CONTROL_PRESSED 0x00000004 22 | #define EFI_LEFT_CONTROL_PRESSED 0x00000008 23 | #define EFI_RIGHT_ALT_PRESSED 0x00000010 24 | #define EFI_LEFT_ALT_PRESSED 0x00000020 25 | 26 | #define EFI_CONTROL_PRESSED (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED) 27 | #define EFI_ALT_PRESSED (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED) 28 | #define KEYPRESS(keys, scan, uni) ((((UINT64)keys) << 32) | ((scan) << 16) | (uni)) 29 | #define KEYCHAR(k) ((k) & 0xffff) 30 | #define CHAR_CTRL(c) ((c) - 'a' + 1) 31 | 32 | EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait); 33 | #endif 34 | -------------------------------------------------------------------------------- /src/efi/disk.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 
12 | * 13 | * Copyright (C) 2015 Kay Sievers 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | #include "util.h" 20 | 21 | EFI_STATUS disk_get_part_uuid(EFI_HANDLE *handle, CHAR16 uuid[37]) { 22 | EFI_DEVICE_PATH *device_path; 23 | EFI_STATUS r = EFI_NOT_FOUND; 24 | 25 | /* export the device path this image is started from */ 26 | device_path = DevicePathFromHandle(handle); 27 | if (device_path) { 28 | EFI_DEVICE_PATH *path, *paths; 29 | 30 | paths = UnpackDevicePath(device_path); 31 | for (path = paths; !IsDevicePathEnd(path); path = NextDevicePathNode(path)) { 32 | HARDDRIVE_DEVICE_PATH *drive; 33 | 34 | if (DevicePathType(path) != MEDIA_DEVICE_PATH) 35 | continue; 36 | if (DevicePathSubType(path) != MEDIA_HARDDRIVE_DP) 37 | continue; 38 | drive = (HARDDRIVE_DEVICE_PATH *)path; 39 | if (drive->SignatureType != SIGNATURE_TYPE_GUID) 40 | continue; 41 | 42 | GuidToString(uuid, (EFI_GUID *)&drive->Signature); 43 | r = EFI_SUCCESS; 44 | break; 45 | } 46 | FreePool(paths); 47 | } 48 | 49 | return r; 50 | } 51 | -------------------------------------------------------------------------------- /src/efi/disk.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 
12 | * 13 | * Copyright (C) 2015 Kay Sievers 14 | */ 15 | 16 | #ifndef __SDBOOT_DISK_H 17 | #define __SDBOOT_DISK_H 18 | 19 | EFI_STATUS disk_get_part_uuid(EFI_HANDLE *handle, CHAR16 uuid[37]); 20 | #endif 21 | -------------------------------------------------------------------------------- /src/efi/graphics.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | * Copyright (C) 2012-2013 Kay Sievers 14 | * Copyright (C) 2012 Harald Hoyer 15 | * Copyright (C) 2013 Intel Corporation 16 | * Authored by Joonas Lahtinen 17 | */ 18 | 19 | #include 20 | #include 21 | 22 | #include "graphics.h" 23 | #include "util.h" 24 | 25 | EFI_STATUS graphics_mode(BOOLEAN on) { 26 | #define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \ 27 | { 0xf42f7782, 0x12e, 0x4c12, { 0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21 } }; 28 | 29 | struct _EFI_CONSOLE_CONTROL_PROTOCOL; 30 | 31 | typedef enum { 32 | EfiConsoleControlScreenText, 33 | EfiConsoleControlScreenGraphics, 34 | EfiConsoleControlScreenMaxValue, 35 | } EFI_CONSOLE_CONTROL_SCREEN_MODE; 36 | 37 | typedef EFI_STATUS (EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE)( 38 | struct _EFI_CONSOLE_CONTROL_PROTOCOL *This, 39 | EFI_CONSOLE_CONTROL_SCREEN_MODE *Mode, 40 | BOOLEAN *UgaExists, 41 | BOOLEAN *StdInLocked 42 | ); 43 | 44 | typedef EFI_STATUS (EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE)( 45 | struct 
_EFI_CONSOLE_CONTROL_PROTOCOL *This, 46 | EFI_CONSOLE_CONTROL_SCREEN_MODE Mode 47 | ); 48 | 49 | typedef EFI_STATUS (EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN)( 50 | struct _EFI_CONSOLE_CONTROL_PROTOCOL *This, 51 | CHAR16 *Password 52 | ); 53 | 54 | typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL { 55 | EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE GetMode; 56 | EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE SetMode; 57 | EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN LockStdIn; 58 | } EFI_CONSOLE_CONTROL_PROTOCOL; 59 | 60 | EFI_GUID ConsoleControlProtocolGuid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; 61 | EFI_CONSOLE_CONTROL_PROTOCOL *ConsoleControl = NULL; 62 | EFI_CONSOLE_CONTROL_SCREEN_MODE new; 63 | EFI_CONSOLE_CONTROL_SCREEN_MODE current; 64 | BOOLEAN uga_exists; 65 | BOOLEAN stdin_locked; 66 | EFI_STATUS err; 67 | 68 | err = LibLocateProtocol(&ConsoleControlProtocolGuid, (VOID **)&ConsoleControl); 69 | if (EFI_ERROR(err)) 70 | /* console control protocol is nonstandard and might not exist. */ 71 | return err == EFI_NOT_FOUND ? EFI_SUCCESS : err; 72 | 73 | /* check current mode */ 74 | err = uefi_call_wrapper(ConsoleControl->GetMode, 4, ConsoleControl, ¤t, &uga_exists, &stdin_locked); 75 | if (EFI_ERROR(err)) 76 | return err; 77 | 78 | /* do not touch the mode */ 79 | new = on ? 
EfiConsoleControlScreenGraphics : EfiConsoleControlScreenText; 80 | if (new == current) 81 | return EFI_SUCCESS; 82 | 83 | err = uefi_call_wrapper(ConsoleControl->SetMode, 2, ConsoleControl, new); 84 | 85 | /* some firmware enables the cursor when switching modes */ 86 | uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); 87 | 88 | return err; 89 | } 90 | -------------------------------------------------------------------------------- /src/efi/graphics.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | * Copyright (C) 2012-2013 Kay Sievers 14 | * Copyright (C) 2012 Harald Hoyer 15 | * Copyright (C) 2013 Intel Corporation 16 | * Authored by Joonas Lahtinen 17 | */ 18 | 19 | #ifndef __SDBOOT_GRAPHICS_H 20 | #define __SDBOOT_GRAPHICS_H 21 | 22 | EFI_STATUS graphics_mode(BOOLEAN on); 23 | #endif 24 | -------------------------------------------------------------------------------- /src/efi/linux.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 
7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | * Copyright (C) 2015 Kay Sievers 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | #include "linux.h" 20 | #include "util.h" 21 | 22 | #define SETUP_MAGIC 0x53726448 /* "HdrS" */ 23 | struct SetupHeader { 24 | UINT8 boot_sector[0x01f1]; 25 | UINT8 setup_secs; 26 | UINT16 root_flags; 27 | UINT32 sys_size; 28 | UINT16 ram_size; 29 | UINT16 video_mode; 30 | UINT16 root_dev; 31 | UINT16 signature; 32 | UINT16 jump; 33 | UINT32 header; 34 | UINT16 version; 35 | UINT16 su_switch; 36 | UINT16 setup_seg; 37 | UINT16 start_sys; 38 | UINT16 kernel_ver; 39 | UINT8 loader_id; 40 | UINT8 load_flags; 41 | UINT16 movesize; 42 | UINT32 code32_start; 43 | UINT32 ramdisk_start; 44 | UINT32 ramdisk_len; 45 | UINT32 bootsect_kludge; 46 | UINT16 heap_end; 47 | UINT8 ext_loader_ver; 48 | UINT8 ext_loader_type; 49 | UINT32 cmd_line_ptr; 50 | UINT32 ramdisk_max; 51 | UINT32 kernel_alignment; 52 | UINT8 relocatable_kernel; 53 | UINT8 min_alignment; 54 | UINT16 xloadflags; 55 | UINT32 cmdline_size; 56 | UINT32 hardware_subarch; 57 | UINT64 hardware_subarch_data; 58 | UINT32 payload_offset; 59 | UINT32 payload_length; 60 | UINT64 setup_data; 61 | UINT64 pref_address; 62 | UINT32 init_size; 63 | UINT32 handover_offset; 64 | } __attribute__((packed)); 65 | 66 | #ifdef __x86_64__ 67 | typedef VOID(*handover_f)(VOID *image, EFI_SYSTEM_TABLE *table, struct SetupHeader *setup); 68 | static inline VOID linux_efi_handover(EFI_HANDLE image, struct SetupHeader *setup) { 69 | handover_f handover; 70 | 71 | asm volatile ("cli"); 72 | handover = (handover_f)((UINTN)setup->code32_start + 512 + setup->handover_offset); 73 | handover(image, ST, setup); 74 | } 75 | #else 76 | typedef VOID(*handover_f)(VOID *image, 
EFI_SYSTEM_TABLE *table, struct SetupHeader *setup) __attribute__((regparm(0))); 77 | static inline VOID linux_efi_handover(EFI_HANDLE image, struct SetupHeader *setup) { 78 | handover_f handover; 79 | 80 | handover = (handover_f)((UINTN)setup->code32_start + setup->handover_offset); 81 | handover(image, ST, setup); 82 | } 83 | #endif 84 | 85 | EFI_STATUS linux_exec(EFI_HANDLE *image, 86 | CHAR8 *cmdline, UINTN cmdline_len, 87 | UINTN linux_addr, 88 | UINTN initrd_addr, UINTN initrd_size, BOOLEAN secure) { 89 | struct SetupHeader *image_setup; 90 | struct SetupHeader *boot_setup; 91 | EFI_PHYSICAL_ADDRESS addr; 92 | EFI_STATUS err; 93 | 94 | image_setup = (struct SetupHeader *)(linux_addr); 95 | if (image_setup->signature != 0xAA55 || image_setup->header != SETUP_MAGIC) 96 | return EFI_LOAD_ERROR; 97 | 98 | if (image_setup->version < 0x20b || !image_setup->relocatable_kernel) 99 | return EFI_LOAD_ERROR; 100 | 101 | addr = 0x3fffffff; 102 | err = uefi_call_wrapper(BS->AllocatePages, 4, AllocateMaxAddress, EfiLoaderData, 103 | EFI_SIZE_TO_PAGES(0x4000), &addr); 104 | if (EFI_ERROR(err)) 105 | return err; 106 | boot_setup = (struct SetupHeader *)(UINTN)addr; 107 | ZeroMem(boot_setup, 0x4000); 108 | CopyMem(boot_setup, image_setup, sizeof(struct SetupHeader)); 109 | boot_setup->loader_id = 0xff; 110 | 111 | if (secure) { 112 | /* set secure boot flag in linux kernel zero page, see 113 | - Documentation/x86/zero-page.txt 114 | - arch/x86/include/uapi/asm/bootparam.h 115 | - drivers/firmware/efi/libstub/secureboot.c 116 | in the linux kernel source tree 117 | Possible values: 0 (unassigned), 1 (undetected), 2 (disabled), 3 (enabled) 118 | */ 119 | boot_setup->boot_sector[0x1ec] = 3; 120 | } 121 | 122 | boot_setup->code32_start = (UINT32)linux_addr + (image_setup->setup_secs+1) * 512; 123 | 124 | if (cmdline) { 125 | addr = 0xA0000; 126 | err = uefi_call_wrapper(BS->AllocatePages, 4, AllocateMaxAddress, EfiLoaderData, 127 | EFI_SIZE_TO_PAGES(cmdline_len + 1), &addr); 128 
| if (EFI_ERROR(err)) 129 | return err; 130 | CopyMem((VOID *)(UINTN)addr, cmdline, cmdline_len); 131 | ((CHAR8 *)addr)[cmdline_len] = 0; 132 | boot_setup->cmd_line_ptr = (UINT32)addr; 133 | } 134 | 135 | boot_setup->ramdisk_start = (UINT32)initrd_addr; 136 | boot_setup->ramdisk_len = (UINT32)initrd_size; 137 | 138 | linux_efi_handover(image, boot_setup); 139 | return EFI_LOAD_ERROR; 140 | } 141 | -------------------------------------------------------------------------------- /src/efi/linux.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | * Copyright (C) 2015 Kay Sievers 14 | */ 15 | 16 | #ifndef __SDBOOT_kernel_H 17 | #define __SDBOOT_kernel_H 18 | 19 | EFI_STATUS linux_exec(EFI_HANDLE *image, 20 | CHAR8 *cmdline, UINTN cmdline_size, 21 | UINTN linux_addr, 22 | UINTN initrd_addr, UINTN initrd_size, BOOLEAN secure); 23 | #endif 24 | -------------------------------------------------------------------------------- /src/efi/measure.c: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ 2 | /* 3 | * This program is free software; you can redistribute it and/or modify it 4 | * under the terms of the GNU Lesser General Public License as published by 5 | * the Free Software Foundation; either version 2.1 of the License, or 6 | * (at your option) any later version. 
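The setup-header checks that linux_exec() in src/efi/linux.c makes before the EFI handover (boot signature 0xAA55, "HdrS" magic, protocol version 2.11 or later, relocatable kernel, then a zero page with loader type 0xff, the Secure Boot state at 0x1ec and the command line and initrd pointers), as an added example that is not code from systemd-boot-password or systemd-boot. It runs on a host against a constructed header, and it adds three checks from the Linux x86 boot protocol (Documentation/x86/boot.txt) that the code above does not make, each marked in the comments: the xloadflags bit that says the requested handover entry exists, the rule that a setup_sects of 0 means 4, and the cmdline_size bound on the command line. The field offsets are the boot protocol's; every sample value is made up for the example.

```c
/* Added example, not code from systemd-boot-password or systemd-boot: the bzImage
 * checks linux_exec() makes before the EFI handover, plus three boot-protocol
 * checks (Documentation/x86/boot.txt) the page's code does not make, marked below.
 * Offsets are the protocol's; the sample header at the end is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOT_FLAG            0xAA55
#define SETUP_MAGIC          0x53726448u   /* "HdrS" */
#define MIN_HANDOVER_VERSION 0x20b         /* handover_offset exists from protocol 2.11 */
#define XLF_EFI_HANDOVER_32  (1u << 2)
#define XLF_EFI_HANDOVER_64  (1u << 3)
#define SETUP_HEADER_END     0x268         /* one past handover_offset */
#define ZERO_PAGE_SIZE       0x4000

enum { LINUX_OK = 0, LINUX_BAD_MAGIC, LINUX_TOO_OLD, LINUX_NOT_RELOCATABLE,
       LINUX_NO_HANDOVER, LINUX_CMDLINE_TOO_LONG };

struct boot_plan {
    uint32_t code32_start;   /* physical address of the protected-mode kernel */
    uint32_t entry;          /* EFI handover entry point to jump to */
    uint32_t cmdline_max;    /* longest command line the kernel accepts, NUL excluded */
};

/* The boot protocol fields are little-endian; read and write them byte-wise. */
static uint16_t rd16(const uint8_t *b, size_t off) { return (uint16_t)(b[off] | (b[off + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, size_t off) { return rd16(b, off) | (uint32_t)rd16(b, off + 2) << 16; }
static void wr16(uint8_t *b, size_t off, uint16_t v) { b[off] = v & 0xff; b[off + 1] = v >> 8; }
static void wr32(uint8_t *b, size_t off, uint32_t v) { wr16(b, off, v & 0xffff); wr16(b, off + 2, v >> 16); }

/* Validates the setup header of a bzImage loaded at load_addr and computes where
 * linux_exec() would jump; is_64bit selects the page's x86_64 path, whose entry is
 * code32_start + handover_offset + 0x200. */
int linux_check(const uint8_t *image, size_t image_len, uint32_t load_addr,
                size_t cmdline_len, int is_64bit, struct boot_plan *plan) {
    uint32_t setup_secs;

    if (image_len < SETUP_HEADER_END || rd16(image, 0x1fe) != BOOT_FLAG ||
        rd32(image, 0x202) != SETUP_MAGIC)
        return LINUX_BAD_MAGIC;
    if (rd16(image, 0x206) < MIN_HANDOVER_VERSION)
        return LINUX_TOO_OLD;
    if (!image[0x234])
        return LINUX_NOT_RELOCATABLE;
    /* Not in the page's code: xloadflags says whether this handover entry exists at all. */
    if (!(rd16(image, 0x236) & (is_64bit ? XLF_EFI_HANDOVER_64 : XLF_EFI_HANDOVER_32)))
        return LINUX_NO_HANDOVER;
    /* Not in the page's code: a setup_sects of 0 means 4 real-mode sectors. */
    setup_secs = image[0x1f1] ? image[0x1f1] : 4;
    plan->code32_start = load_addr + (setup_secs + 1) * 512;
    plan->entry = plan->code32_start + rd32(image, 0x264) + (is_64bit ? 0x200 : 0);
    plan->cmdline_max = rd32(image, 0x238);
    /* Not in the page's code: the kernel takes at most cmdline_size bytes of command line. */
    if (cmdline_len > plan->cmdline_max)
        return LINUX_CMDLINE_TOO_LONG;
    return LINUX_OK;
}

/* Fills the zero page the way linux_exec() does: copy the image's setup header, mark the
 * loader type undefined (0xff), record Secure Boot at 0x1ec (3 = enabled), set pointers. */
void make_boot_params(uint8_t *bp, const uint8_t *image, const struct boot_plan *plan,
                      uint32_t cmdline_ptr, uint32_t initrd_addr, uint32_t initrd_size, int secure) {
    memset(bp, 0, ZERO_PAGE_SIZE);
    memcpy(bp + 0x1f1, image + 0x1f1, SETUP_HEADER_END - 0x1f1);
    bp[0x210] = 0xff;
    if (secure)
        bp[0x1ec] = 3;
    wr32(bp, 0x214, plan->code32_start);
    wr32(bp, 0x228, cmdline_ptr);
    wr32(bp, 0x218, initrd_addr);
    wr32(bp, 0x21c, initrd_size);
}

/* Constructed sample header: protocol 2.15, relocatable, both handover entries,
 * setup_sects left at 0 to exercise the "0 means 4" rule. */
void sample_bzimage(uint8_t *img, size_t len) {
    memset(img, 0, len);
    wr16(img, 0x1fe, BOOT_FLAG);
    wr32(img, 0x202, SETUP_MAGIC);
    wr16(img, 0x206, 0x20f);
    img[0x234] = 1;
    wr16(img, 0x236, XLF_EFI_HANDOVER_32 | XLF_EFI_HANDOVER_64);
    wr32(img, 0x238, 2048);
    wr32(img, 0x264, 0x190);
}

int main(void) {
    uint8_t img[0x400], bp[ZERO_PAGE_SIZE];
    struct boot_plan plan = {0};
    int rc;
    sample_bzimage(img, sizeof img);
    rc = linux_check(img, sizeof img, 0x100000, 64, 1, &plan);
    printf("check=%d code32_start=%#x entry=%#x cmdline_max=%u\n", rc, plan.code32_start, plan.entry, plan.cmdline_max);
    if (rc == LINUX_OK)
        make_boot_params(bp, img, &plan, 0x9f000, 0x200000, 0x80000, 1);
    return rc;
}
```

With the sample header loaded at 0x100000 the protected-mode kernel starts at 0x100a00 (five 512-byte sectors after the zero setup_sects is read as 4) and the 64-bit handover entry is 0x100d90; a command line longer than the advertised cmdline_size is refused before anything is copied into the zero page.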
7 | * 8 | * This program is distributed in the hope that it will be useful, but 9 | * WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | * Lesser General Public License for more details. 12 | * 13 | */ 14 | 15 | #if ENABLE_TPM 16 | 17 | #include 18 | #include 19 | #include "measure.h" 20 | 21 | #define EFI_TCG_PROTOCOL_GUID { 0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd} } 22 | 23 | typedef struct _TCG_VERSION { 24 | UINT8 Major; 25 | UINT8 Minor; 26 | UINT8 RevMajor; 27 | UINT8 RevMinor; 28 | } TCG_VERSION; 29 | 30 | typedef struct tdEFI_TCG2_VERSION { 31 | UINT8 Major; 32 | UINT8 Minor; 33 | } EFI_TCG2_VERSION; 34 | 35 | typedef struct _TCG_BOOT_SERVICE_CAPABILITY { 36 | UINT8 Size; 37 | struct _TCG_VERSION StructureVersion; 38 | struct _TCG_VERSION ProtocolSpecVersion; 39 | UINT8 HashAlgorithmBitmap; 40 | BOOLEAN TPMPresentFlag; 41 | BOOLEAN TPMDeactivatedFlag; 42 | } TCG_BOOT_SERVICE_CAPABILITY; 43 | 44 | typedef struct tdTREE_BOOT_SERVICE_CAPABILITY { 45 | UINT8 Size; 46 | EFI_TCG2_VERSION StructureVersion; 47 | EFI_TCG2_VERSION ProtocolVersion; 48 | UINT32 HashAlgorithmBitmap; 49 | UINT32 SupportedEventLogs; 50 | BOOLEAN TrEEPresentFlag; 51 | UINT16 MaxCommandSize; 52 | UINT16 MaxResponseSize; 53 | UINT32 ManufacturerID; 54 | } TREE_BOOT_SERVICE_CAPABILITY; 55 | 56 | typedef UINT32 TCG_ALGORITHM_ID; 57 | #define TCG_ALG_SHA 0x00000004 // The SHA1 algorithm 58 | 59 | #define SHA1_DIGEST_SIZE 20 60 | 61 | typedef struct _TCG_DIGEST { 62 | UINT8 Digest[SHA1_DIGEST_SIZE]; 63 | } TCG_DIGEST; 64 | 65 | #define EV_IPL 13 66 | 67 | typedef struct _TCG_PCR_EVENT { 68 | UINT32 PCRIndex; 69 | UINT32 EventType; 70 | struct _TCG_DIGEST digest; 71 | UINT32 EventSize; 72 | UINT8 Event[1]; 73 | } TCG_PCR_EVENT; 74 | 75 | INTERFACE_DECL(_EFI_TCG); 76 | 77 | typedef EFI_STATUS(EFIAPI * EFI_TCG_STATUS_CHECK) (IN struct _EFI_TCG * This, 78 | OUT struct 
_TCG_BOOT_SERVICE_CAPABILITY * ProtocolCapability,
                OUT UINT32 * TCGFeatureFlags,
                OUT EFI_PHYSICAL_ADDRESS * EventLogLocation,
                OUT EFI_PHYSICAL_ADDRESS * EventLogLastEntry);

typedef EFI_STATUS(EFIAPI * EFI_TCG_HASH_ALL) (IN struct _EFI_TCG * This,
                IN UINT8 * HashData,
                IN UINT64 HashDataLen,
                IN TCG_ALGORITHM_ID AlgorithmId,
                IN OUT UINT64 * HashedDataLen, IN OUT UINT8 ** HashedDataResult);

typedef EFI_STATUS(EFIAPI * EFI_TCG_LOG_EVENT) (IN struct _EFI_TCG * This,
                IN struct _TCG_PCR_EVENT * TCGLogData,
                IN OUT UINT32 * EventNumber, IN UINT32 Flags);

typedef EFI_STATUS(EFIAPI * EFI_TCG_PASS_THROUGH_TO_TPM) (IN struct _EFI_TCG * This,
                IN UINT32 TpmInputParameterBlockSize,
                IN UINT8 * TpmInputParameterBlock,
                IN UINT32 TpmOutputParameterBlockSize,
                IN UINT8 * TpmOutputParameterBlock);

typedef EFI_STATUS(EFIAPI * EFI_TCG_HASH_LOG_EXTEND_EVENT) (IN struct _EFI_TCG * This,
                IN EFI_PHYSICAL_ADDRESS HashData,
                IN UINT64 HashDataLen,
                IN TCG_ALGORITHM_ID AlgorithmId,
                IN struct _TCG_PCR_EVENT * TCGLogData,
                IN OUT UINT32 * EventNumber,
                OUT EFI_PHYSICAL_ADDRESS * EventLogLastEntry);

typedef struct _EFI_TCG {
        EFI_TCG_STATUS_CHECK StatusCheck;
        EFI_TCG_HASH_ALL HashAll;
        EFI_TCG_LOG_EVENT LogEvent;
        EFI_TCG_PASS_THROUGH_TO_TPM PassThroughToTPM;
        EFI_TCG_HASH_LOG_EXTEND_EVENT HashLogExtendEvent;
} EFI_TCG;

#define EFI_TCG2_PROTOCOL_GUID {0x607f766c, 0x7455, 0x42be, { 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }}

typedef struct tdEFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;

typedef UINT32 EFI_TCG2_EVENT_LOG_BITMAP;
typedef UINT32 EFI_TCG2_EVENT_LOG_FORMAT;
typedef UINT32 EFI_TCG2_EVENT_ALGORITHM_BITMAP;

#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 0x00000001
#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 0x00000002

typedef struct tdEFI_TCG2_BOOT_SERVICE_CAPABILITY {
        UINT8 Size;
        EFI_TCG2_VERSION StructureVersion;
        EFI_TCG2_VERSION ProtocolVersion;
        EFI_TCG2_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap;
        EFI_TCG2_EVENT_LOG_BITMAP SupportedEventLogs;
        BOOLEAN TPMPresentFlag;
        UINT16 MaxCommandSize;
        UINT16 MaxResponseSize;
        UINT32 ManufacturerID;
        UINT32 NumberOfPCRBanks;
        EFI_TCG2_EVENT_ALGORITHM_BITMAP ActivePcrBanks;
} EFI_TCG2_BOOT_SERVICE_CAPABILITY;

#define EFI_TCG2_EVENT_HEADER_VERSION 1

typedef struct {
        UINT32 HeaderSize;
        UINT16 HeaderVersion;
        UINT32 PCRIndex;
        UINT32 EventType;
} __attribute__ ((packed)) EFI_TCG2_EVENT_HEADER;

typedef struct tdEFI_TCG2_EVENT {
        UINT32 Size;
        EFI_TCG2_EVENT_HEADER Header;
        UINT8 Event[1];
} __attribute__ ((packed)) EFI_TCG2_EVENT;

typedef EFI_STATUS(EFIAPI * EFI_TCG2_GET_CAPABILITY) (IN EFI_TCG2_PROTOCOL * This,
                IN OUT EFI_TCG2_BOOT_SERVICE_CAPABILITY * ProtocolCapability);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_GET_EVENT_LOG) (IN EFI_TCG2_PROTOCOL * This,
                IN EFI_TCG2_EVENT_LOG_FORMAT EventLogFormat,
                OUT EFI_PHYSICAL_ADDRESS * EventLogLocation,
                OUT EFI_PHYSICAL_ADDRESS * EventLogLastEntry,
                OUT BOOLEAN * EventLogTruncated);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_HASH_LOG_EXTEND_EVENT) (IN EFI_TCG2_PROTOCOL * This,
                IN UINT64 Flags,
                IN EFI_PHYSICAL_ADDRESS DataToHash,
                IN UINT64 DataToHashLen, IN EFI_TCG2_EVENT * EfiTcgEvent);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_SUBMIT_COMMAND) (IN EFI_TCG2_PROTOCOL * This,
                IN UINT32 InputParameterBlockSize,
                IN UINT8 * InputParameterBlock,
                IN UINT32 OutputParameterBlockSize, IN UINT8 * OutputParameterBlock);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_GET_ACTIVE_PCR_BANKS) (IN EFI_TCG2_PROTOCOL * This, OUT UINT32 * ActivePcrBanks);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_SET_ACTIVE_PCR_BANKS) (IN EFI_TCG2_PROTOCOL * This, IN UINT32 ActivePcrBanks);

typedef EFI_STATUS(EFIAPI * EFI_TCG2_GET_RESULT_OF_SET_ACTIVE_PCR_BANKS) (IN EFI_TCG2_PROTOCOL * This,
                OUT UINT32 * OperationPresent, OUT UINT32 * Response);

typedef struct tdEFI_TCG2_PROTOCOL {
        EFI_TCG2_GET_CAPABILITY GetCapability;
        EFI_TCG2_GET_EVENT_LOG GetEventLog;
        EFI_TCG2_HASH_LOG_EXTEND_EVENT HashLogExtendEvent;
        EFI_TCG2_SUBMIT_COMMAND SubmitCommand;
        EFI_TCG2_GET_ACTIVE_PCR_BANKS GetActivePcrBanks;
        EFI_TCG2_SET_ACTIVE_PCR_BANKS SetActivePcrBanks;
        EFI_TCG2_GET_RESULT_OF_SET_ACTIVE_PCR_BANKS GetResultOfSetActivePcrBanks;
} EFI_TCG2;


/* TPM 1.2 path: hash buffer, extend PCR pcrindex with it and append an EV_IPL
 * record carrying description to the firmware event log. */
static EFI_STATUS tpm1_measure_to_pcr_and_event_log(const EFI_TCG *tcg, UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer,
                                                    UINTN buffer_size, const CHAR16 *description) {
        EFI_STATUS status;
        TCG_PCR_EVENT *tcg_event;
        UINT32 event_number;
        EFI_PHYSICAL_ADDRESS event_log_last;
        UINTN desc_len;

        desc_len = (StrLen(description) + 1) * sizeof(CHAR16);

        tcg_event = AllocateZeroPool(desc_len + sizeof(TCG_PCR_EVENT));

        if (!tcg_event)
                return EFI_OUT_OF_RESOURCES;

        tcg_event->EventSize = desc_len;
        CopyMem((VOID *) & tcg_event->Event[0], (VOID *) description, desc_len);

        tcg_event->PCRIndex = pcrindex;
        tcg_event->EventType = EV_IPL;

        event_number = 1;
        status = uefi_call_wrapper(tcg->HashLogExtendEvent, 7,
                                   (EFI_TCG *) tcg, buffer, buffer_size, TCG_ALG_SHA, tcg_event, &event_number, &event_log_last);

        /* Release the record before checking status so a failed extend does not leak it */
        uefi_call_wrapper(BS->FreePool, 1, tcg_event);

        if (EFI_ERROR(status))
                return status;

        return EFI_SUCCESS;
}

/*
 * According to TCG EFI Protocol Specification for TPM 2.0 family,
 * all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG
 * shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka
 * EFI TCG 2.0 final events table. Hence, it is necessary to trigger the
 * internal switch through calling get_event_log() in order to allow
 * to retrieve the logs from OS runtime.
 */
static EFI_STATUS trigger_tcg2_final_events_table(const EFI_TCG2 *tcg, EFI_TCG2_EVENT_LOG_FORMAT log_fmt)
{
        EFI_PHYSICAL_ADDRESS loc;
        EFI_PHYSICAL_ADDRESS last_loc;
        BOOLEAN truncated;
        return uefi_call_wrapper(tcg->GetEventLog, 5, (EFI_TCG2 *) tcg,
                                 log_fmt, &loc, &last_loc, &truncated);
}

/* TPM 2.0 path: same measurement through the EFI_TCG2 protocol, which hashes
 * into every active PCR bank and writes an EFI_TCG2_EVENT record. */
static EFI_STATUS tpm2_measure_to_pcr_and_event_log(const EFI_TCG2 *tcg, UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer,
                                                    UINT64 buffer_size, const CHAR16 *description, EFI_TCG2_EVENT_LOG_FORMAT log_fmt) {
        EFI_STATUS status;
        EFI_TCG2_EVENT *tcg_event;
        UINTN desc_len;
        static BOOLEAN triggered = FALSE;

        if (triggered == FALSE) {
                status = trigger_tcg2_final_events_table(tcg, log_fmt);
                if (EFI_ERROR(status))
                        return status;

                triggered = TRUE;
        }

        desc_len = StrLen(description) * sizeof(CHAR16);

        tcg_event = AllocateZeroPool(sizeof(*tcg_event) - sizeof(tcg_event->Event) + desc_len + 1);

        if (!tcg_event)
                return EFI_OUT_OF_RESOURCES;

        tcg_event->Size = sizeof(*tcg_event) - sizeof(tcg_event->Event) + desc_len + 1;
        tcg_event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
        tcg_event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
        tcg_event->Header.PCRIndex = pcrindex;
        tcg_event->Header.EventType = EV_IPL;

        CopyMem((VOID *) tcg_event->Event, (VOID *) description, desc_len);

        status = uefi_call_wrapper(tcg->HashLogExtendEvent, 5, (EFI_TCG2 *) tcg, 0, buffer, (UINT64) buffer_size, tcg_event);

        uefi_call_wrapper(BS->FreePool, 1, tcg_event);

        if (EFI_ERROR(status))
                return status;

        return EFI_SUCCESS;
}

/* Locate the TPM 1.2 protocol and make sure the TPM is present and activated. */
static EFI_TCG * tcg1_interface_check(void) {
        EFI_GUID tpm_guid = EFI_TCG_PROTOCOL_GUID;
        EFI_STATUS status;
        EFI_TCG *tcg;
        TCG_BOOT_SERVICE_CAPABILITY capability;
        UINT32 features;
        EFI_PHYSICAL_ADDRESS event_log_location;
        EFI_PHYSICAL_ADDRESS event_log_last_entry;

        status = LibLocateProtocol(&tpm_guid, (void **) &tcg);

        if (EFI_ERROR(status))
                return NULL;

        capability.Size = (UINT8) sizeof(capability);
        status = uefi_call_wrapper(tcg->StatusCheck, 5, tcg, &capability, &features, &event_log_location, &event_log_last_entry);

        if (EFI_ERROR(status))
                return NULL;

        if (capability.TPMDeactivatedFlag)
                return NULL;

        if (!capability.TPMPresentFlag)
                return NULL;

        return tcg;
}

/* Locate the TPM 2.0 protocol; the capability structure is left in *caps for the caller. */
static EFI_TCG2 * tcg2_interface_check(EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps) {
        EFI_GUID tpm2_guid = EFI_TCG2_PROTOCOL_GUID;
        EFI_STATUS status;
        EFI_TCG2 *tcg;

        status = LibLocateProtocol(&tpm2_guid, (void **) &tcg);

        if (EFI_ERROR(status))
                return NULL;

        caps->Size = (UINT8) sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
        status = uefi_call_wrapper(tcg->GetCapability, 2, tcg, caps);

        if (EFI_ERROR(status))
                return NULL;

        if (caps->StructureVersion.Major == 1 &&
            caps->StructureVersion.Minor == 0) {
                TCG_BOOT_SERVICE_CAPABILITY *caps_1_0;
                caps_1_0 = (TCG_BOOT_SERVICE_CAPABILITY *)caps;
                if (caps_1_0->TPMPresentFlag)
                        return tcg;
        }

        if (!caps->TPMPresentFlag)
                return NULL;

        return tcg;
}

/* Measure buffer into PCR pcrindex using whichever TPM protocol the firmware offers,
 * preferring TPM 2.0. A system without a usable TPM is not treated as an error. */
EFI_STATUS tpm_log_event(UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer, UINTN buffer_size, const CHAR16 *description) {
        EFI_TCG *tpm1;
        EFI_TCG2 *tpm2;
        EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;

        tpm2 = tcg2_interface_check(&caps);
        if (tpm2) {
                EFI_TCG2_EVENT_LOG_BITMAP supported_logs;
                EFI_TCG2_EVENT_LOG_FORMAT log_fmt;

                if (caps.StructureVersion.Major == 1 &&
                    caps.StructureVersion.Minor == 0)
                        supported_logs = ((TREE_BOOT_SERVICE_CAPABILITY *)&caps)->SupportedEventLogs;
                else
                        supported_logs = caps.SupportedEventLogs;

                if (supported_logs & EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
                        log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2;
                else
                        log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;

                uefi_call_wrapper(BS->Stall, 1, 2000 * 1000);
                return tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description, log_fmt);
        }

        tpm1 = tcg1_interface_check();
        if (tpm1)
                return tpm1_measure_to_pcr_and_event_log(tpm1, pcrindex, buffer, buffer_size, description);

        /* No active TPM found, so don't return an error */
        return EFI_SUCCESS;
}

#endif

--------------------------------------------------------------------------------
/src/efi/measure.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 */
#ifndef __SDBOOT_MEASURE_H
#define __SDBOOT_MEASURE_H

EFI_STATUS tpm_log_event(UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer, UINTN buffer_size, const CHAR16 *description);

#endif

--------------------------------------------------------------------------------
/src/efi/pe.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2015 Kay Sievers
 */

#include <efi.h>
#include <efilib.h>

#include "pe.h"
#include "util.h"

struct DosFileHeader {
        UINT8 Magic[2];
        UINT16 LastSize;
        UINT16 nBlocks;
        UINT16 nReloc;
        UINT16 HdrSize;
        UINT16 MinAlloc;
        UINT16 MaxAlloc;
        UINT16 ss;
        UINT16 sp;
        UINT16 Checksum;
        UINT16 ip;
        UINT16 cs;
        UINT16 RelocPos;
        UINT16 nOverlay;
        UINT16 reserved[4];
        UINT16 OEMId;
        UINT16 OEMInfo;
        UINT16 reserved2[10];
        UINT32 ExeHeader;
} __attribute__((packed));

#define PE_HEADER_MACHINE_I386 0x014c
#define PE_HEADER_MACHINE_X64 0x8664
struct PeFileHeader {
        UINT16 Machine;
        UINT16 NumberOfSections;
        UINT32 TimeDateStamp;
        UINT32 PointerToSymbolTable;
        UINT32 NumberOfSymbols;
        UINT16 SizeOfOptionalHeader;
        UINT16 Characteristics;
} __attribute__((packed));

struct PeHeader {
        UINT8 Magic[4];
        struct PeFileHeader FileHeader;
} __attribute__((packed));

struct PeSectionHeader {
        UINT8 Name[8];
        UINT32 VirtualSize;
        UINT32 VirtualAddress;
        UINT32 SizeOfRawData;
        UINT32 PointerToRawData;
        UINT32 PointerToRelocations;
        UINT32 PointerToLinenumbers;
        UINT16 NumberOfRelocations;
        UINT16 NumberOfLinenumbers;
        UINT32 Characteristics;
} __attribute__((packed));

/* Walk the section table of a PE image already in memory at base and report the
 * virtual address, file offset and size of every section named in the
 * NULL-terminated sections[] list (names are compared as prefixes). */
EFI_STATUS pe_memory_locate_sections(CHAR8 *base, CHAR8 **sections, UINTN *addrs, UINTN *offsets, UINTN *sizes) {
        struct DosFileHeader *dos;
        struct PeHeader *pe;
        UINTN i;
        UINTN offset;

        dos = (struct DosFileHeader *)base;

        if (CompareMem(dos->Magic, "MZ", 2) != 0)
                return EFI_LOAD_ERROR;

        pe = (struct PeHeader *)&base[dos->ExeHeader];
        if (CompareMem(pe->Magic, "PE\0\0", 4) != 0)
                return EFI_LOAD_ERROR;

        /* PE32+ Subsystem type */
        if (pe->FileHeader.Machine != PE_HEADER_MACHINE_X64 &&
            pe->FileHeader.Machine != PE_HEADER_MACHINE_I386)
                return EFI_LOAD_ERROR;

        if (pe->FileHeader.NumberOfSections > 96)
                return EFI_LOAD_ERROR;

        offset = dos->ExeHeader + sizeof(*pe) + pe->FileHeader.SizeOfOptionalHeader;

        for (i = 0; i < pe->FileHeader.NumberOfSections; i++) {
                struct PeSectionHeader *sect;
                UINTN j;

                sect = (struct PeSectionHeader *)&base[offset];
                for (j = 0; sections[j]; j++) {
                        if (CompareMem(sect->Name, sections[j], strlena(sections[j])) != 0)
                                continue;

                        if (addrs)
                                addrs[j] = (UINTN)sect->VirtualAddress;
                        if (offsets)
                                offsets[j] = (UINTN)sect->PointerToRawData;
                        if (sizes)
                                sizes[j] = (UINTN)sect->VirtualSize;
                }
                offset += sizeof(*sect);
        }

        return EFI_SUCCESS;
}

/* Same as above for a file on disk: read just enough of the headers into a
 * temporary buffer and hand it to pe_memory_locate_sections(). */
EFI_STATUS pe_file_locate_sections(EFI_FILE *dir, CHAR16 *path, CHAR8 **sections, UINTN *addrs, UINTN *offsets, UINTN *sizes) {
        EFI_FILE_HANDLE handle;
        struct DosFileHeader dos;
        struct PeHeader pe;
        UINTN len;
        UINTN headerlen;
        EFI_STATUS err;
        CHAR8 *header = NULL;

        err = uefi_call_wrapper(dir->Open, 5, dir, &handle, path, EFI_FILE_MODE_READ, 0ULL);
        if (EFI_ERROR(err))
                return err;

        /* MS-DOS stub */
        len = sizeof(dos);
        err = uefi_call_wrapper(handle->Read, 3, handle, &len, &dos);
        if (EFI_ERROR(err))
                goto out;
        if (len != sizeof(dos)) {
                err = EFI_LOAD_ERROR;
                goto out;
        }

        err = uefi_call_wrapper(handle->SetPosition, 2, handle, dos.ExeHeader);
        if (EFI_ERROR(err))
                goto out;

        len = sizeof(pe);
        err = uefi_call_wrapper(handle->Read, 3, handle, &len, &pe);
        if (EFI_ERROR(err))
                goto out;
        if (len != sizeof(pe)) {
                err = EFI_LOAD_ERROR;
                goto out;
        }

        headerlen = sizeof(dos) + sizeof(pe) + pe.FileHeader.SizeOfOptionalHeader + pe.FileHeader.NumberOfSections * sizeof(struct PeSectionHeader);
        header = AllocatePool(headerlen);
        if (!header) {
                err = EFI_OUT_OF_RESOURCES;
                goto out;
        }
        len = headerlen;
        err = uefi_call_wrapper(handle->SetPosition, 2, handle, 0);
        if (EFI_ERROR(err))
                goto out;

        err = uefi_call_wrapper(handle->Read, 3, handle, &len, header);
        if (EFI_ERROR(err)) {
                goto out;
        }
        if (len != headerlen) {
                err = EFI_LOAD_ERROR;
                goto out;
        }

        err = pe_memory_locate_sections(header, sections, addrs, offsets, sizes);
out:
        if (header)
                FreePool(header);
        uefi_call_wrapper(handle->Close, 1, handle);
        return err;
}

--------------------------------------------------------------------------------
/src/efi/pe.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2015 Kay Sievers
 */

#ifndef __SDBOOT_PEFILE_H
#define __SDBOOT_PEFILE_H

EFI_STATUS pe_memory_locate_sections(CHAR8 *base,
                                     CHAR8 **sections, UINTN *addrs, UINTN *offsets, UINTN *sizes);
EFI_STATUS pe_file_locate_sections(EFI_FILE *dir, CHAR16 *path,
                                   CHAR8 **sections, UINTN *addrs, UINTN *offsets, UINTN *sizes);
#endif

--------------------------------------------------------------------------------
/src/efi/sha512.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2017 kitsunyan
 */

#include <efi.h>
#include <efilib.h>

#include "sha512.h"

/* SHA-512 round constants (FIPS 180-4) */
static const UINT64 K[80] = {
        0x428a2f98d728ae22, 0x7137449123ef65cd,
        0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
        0x3956c25bf348b538, 0x59f111f1b605d019,
        0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
        0xd807aa98a3030242, 0x12835b0145706fbe,
        0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
        0x72be5d74f27b896f, 0x80deb1fe3b1696b1,
        0x9bdc06a725c71235, 0xc19bf174cf692694,
        0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
        0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
        0x2de92c6f592b0275, 0x4a7484aa6ea6e483,
        0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
        0x983e5152ee66dfab, 0xa831c66d2db43210,
        0xb00327c898fb213f, 0xbf597fc7beef0ee4,
        0xc6e00bf33da88fc2, 0xd5a79147930aa725,
        0x06ca6351e003826f, 0x142929670a0e6e70,
        0x27b70a8546d22ffc, 0x2e1b21385c26c926,
        0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
        0x650a73548baf63de, 0x766a0abb3c77b2a8,
        0x81c2c92e47edaee6, 0x92722c851482353b,
        0xa2bfe8a14cf10364, 0xa81a664bbc423001,
        0xc24b8b70d0f89791, 0xc76c51a30654be30,
        0xd192e819d6ef5218, 0xd69906245565a910,
        0xf40e35855771202a, 0x106aa07032bbd1b8,
        0x19a4c116b8d2d0c8, 0x1e376c085141ab53,
        0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
        0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
        0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
        0x748f82ee5defb2fc, 0x78a5636f43172f60,
        0x84c87814a1f0ab72, 0x8cc702081a6439ec,
        0x90befffa23631e28, 0xa4506cebde82bde9,
        0xbef9a3f7b2c67915, 0xc67178f2e372532b,
        0xca273eceea26619c, 0xd186b8c721c0c207,
        0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
        0x06f067aa72176fba, 0x0a637dc5a2c898a6,
        0x113f9804bef90dae, 0x1b710b35131c471b,
        0x28db77f523047d84, 0x32caab7b40c72493,
        0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
        0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
        0x5fcb6fab3ad6faec, 0x6c44198c4a475817
};

/* Reinterpret the 8 bytes of var as a big-endian word, in place */
#define be_swap(var) { \
        (var) = (UINT64) ((UINT8 *) &(var))[0] << 56 | \
                (UINT64) ((UINT8 *) &(var))[1] << 48 | \
                (UINT64) ((UINT8 *) &(var))[2] << 40 | \
                (UINT64) ((UINT8 *) &(var))[3] << 32 | \
                (UINT64) ((UINT8 *) &(var))[4] << 24 | \
                (UINT64) ((UINT8 *) &(var))[5] << 16 | \
                (UINT64) ((UINT8 *) &(var))[6] << 8 | \
                (UINT64) ((UINT8 *) &(var))[7]; \
}

#define rotr(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
#define ch(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define maj(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define sum0(x) (rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39))
#define sum1(x) (rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41))
#define s0(x) (rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7))
#define s1(x) (rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6))

/* Compress the 128-byte block held in context->w. The message schedule is
 * kept in a 16-word ring buffer; the first 16 words are byte-swapped in place. */
static VOID sha512_block(Sha512Context *context) {
        UINTN i;
        UINT64 t1, t2;
        UINT64 a, b, c, d, e, f, g, h;
        UINT64 *w;

        a = context->h[0];
        b = context->h[1];
        c = context->h[2];
        d = context->h[3];
        e = context->h[4];
        f = context->h[5];
        g = context->h[6];
        h = context->h[7];

        w = context->w;
        for (i = 0; i < 80; i++) {
                if (i >= 16)
                        w[i&0xf] = s1(w[(i-2)&0xf]) + w[(i-7)&0xf] + s0(w[(i-15)&0xf]) + w[(i-16)&0xf];
                else
                        be_swap(w[i]);
                t1 = h + sum1(e) + ch(e, f, g) + K[i] + w[i&0xf];
                t2 = sum0(a) + maj(a, b, c);

                h = g;
                g = f;
                f = e;
                e = d + t1;
                d = c;
                c = b;
                b = a;
                a = t1 + t2;
        }

        context->h[0] += a;
        context->h[1] += b;
        context->h[2] += c;
        context->h[3] += d;
        context->h[4] += e;
        context->h[5] += f;
        context->h[6] += g;
        context->h[7] += h;
}

VOID sha512_create(Sha512Context *context) {
        context->h[0] = 0x6a09e667f3bcc908;
        context->h[1] = 0xbb67ae8584caa73b;
        context->h[2] = 0x3c6ef372fe94f82b;
        context->h[3] = 0xa54ff53a5f1d36f1;
        context->h[4] = 0x510e527fade682d1;
        context->h[5] = 0x9b05688c2b3e6c1f;
        context->h[6] = 0x1f83d9abfb41bd6b;
        context->h[7] = 0x5be0cd19137e2179;
        context->size = 0;
        context->total = 0;
}

/* Feed length bytes from data (or zero bytes when data is NULL, used for padding) */
VOID sha512_update(Sha512Context *context, VOID *data, UINTN length) {
        UINTN count, size;
        VOID *ptr;

        context->total += length;
        size = context->size;
        while (length > 0) {
                count = 128 - size;
                count = length < count ? length : count;

                ptr = (VOID *) context->w + size;
                if (data) {
                        CopyMem(ptr, data, count);
                        data += count;
                } else
                        SetMem(ptr, count, 0);

                size += count;
                length -= count;

                if (size == 128) {
                        sha512_block(context);
                        size = 0;
                }
        }
        context->size = size;
}

/* Append the 0x80 terminator, zero padding up to byte 112 of the final block and
 * the big-endian bit length, then emit the 64-byte digest. */
VOID sha512_finish(Sha512Context *context, UINT8 *output) {
        UINTN i, total, padding;
        UINT8 end;

        total = context->total;
        padding = (context->size >= 112 ? 128 : 0) + 112 - context->size;
        end = 0x80;
        sha512_update(context, &end, 1);
        sha512_update(context, NULL, padding-1);

        context->w[14] = 0;
        context->w[15] = total << 3;
        be_swap(context->w[15]);
        sha512_block(context);

        for (i = 0; i < 8; i++)
                be_swap(context->h[i]);
        CopyMem(output, context->h, 64);
}

VOID sha512_compute(VOID *data, UINTN length, UINT8 *output) {
        Sha512Context context;
        sha512_create(&context);
        sha512_update(&context, data, length);
        sha512_finish(&context, output);
}

--------------------------------------------------------------------------------
/src/efi/sha512.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2017 kitsunyan
 */

#ifndef __SDBOOT_SHA512_H
#define __SDBOOT_SHA512_H

typedef struct {
        UINT64 h[8], w[16];
        UINTN size, total;
} Sha512Context;

VOID sha512_create(Sha512Context *context);
VOID sha512_update(Sha512Context *context, VOID *data, UINTN length);
VOID sha512_finish(Sha512Context *context, UINT8 *output);

VOID sha512_compute(VOID *data, UINTN length, UINT8 *output);

#endif

--------------------------------------------------------------------------------
/src/efi/shim.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Port to systemd-boot
 * Copyright 2017 Max Resch
 *
 * Security Policy Handling
 * Copyright 2012
 * https://github.com/mjg59/efitools
 */

#include <efi.h>
#include <efilib.h>

#include "util.h"
#include "shim.h"

/* well known shim lock guid */
#define SHIM_LOCK_GUID

struct ShimLock {
        EFI_STATUS __attribute__((sysv_abi)) (*shim_verify) (VOID *buffer, UINT32 size);

        /* context is actually a struct for the PE header, but it isn't needed so void is sufficient just to define the interface
         * see shim.c/shim.h and PeHeader.h in the github shim repo */
        EFI_STATUS __attribute__((sysv_abi)) (*generate_hash) (VOID *data, UINT32 datasize, VOID *context, UINT8 *sha256hash, UINT8 *sha1hash);

        EFI_STATUS __attribute__((sysv_abi)) (*read_header) (VOID *data, UINT32 datasize, VOID *context);
};

static const EFI_GUID simple_fs_guid = SIMPLE_FILE_SYSTEM_PROTOCOL;
static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;

static const EFI_GUID security_protocol_guid = { 0xa46423e3, 0x4617, 0x49f1, {0xb9, 0xff, 0xd1, 0xbf, 0xa9, 0x11, 0x58, 0x39 } };
static const EFI_GUID security2_protocol_guid = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
static const EFI_GUID shim_lock_guid = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };

/* TRUE when shim is the previous stage and has published its lock protocol */
BOOLEAN shim_loaded(void) {
        struct ShimLock *shim_lock;

        return uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &shim_lock_guid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS;
}

/* Ask shim to verify an in-memory binary against its embedded keys and the MOK list */
static BOOLEAN shim_validate(VOID *data, UINT32 size) {
        struct ShimLock *shim_lock;

        if (!data)
                return FALSE;

        if (uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &shim_lock_guid, NULL, (VOID**) &shim_lock) != EFI_SUCCESS)
                return FALSE;

        if (!shim_lock)
                return FALSE;

        return shim_lock->shim_verify(data, size) == EFI_SUCCESS;
}

/* Read the SecureBoot global variable; any non-zero value means enforcement is on */
BOOLEAN secure_boot_enabled(void) {
        CHAR8 *b;
        UINTN size;
        BOOLEAN result;

        if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) {
                result = *b > 0;
                FreePool(b);
                return result;
        }

        return FALSE;
}

/*
 * See the UEFI Platform Initialization manual (Vol2: DXE) for this
 */
struct _EFI_SECURITY2_PROTOCOL;
struct _EFI_SECURITY_PROTOCOL;
struct _EFI_DEVICE_PATH_PROTOCOL;

typedef struct _EFI_SECURITY2_PROTOCOL EFI_SECURITY2_PROTOCOL;
typedef struct _EFI_SECURITY_PROTOCOL EFI_SECURITY_PROTOCOL;
typedef struct _EFI_DEVICE_PATH_PROTOCOL EFI_DEVICE_PATH_PROTOCOL;

typedef EFI_STATUS (EFIAPI *EFI_SECURITY_FILE_AUTHENTICATION_STATE) (
        const EFI_SECURITY_PROTOCOL *This,
        UINT32 AuthenticationStatus,
        const EFI_DEVICE_PATH_PROTOCOL *File
        );

typedef EFI_STATUS (EFIAPI *EFI_SECURITY2_FILE_AUTHENTICATION) (
        const EFI_SECURITY2_PROTOCOL *This,
        const EFI_DEVICE_PATH_PROTOCOL *DevicePath,
        VOID *FileBuffer,
        UINTN FileSize,
        BOOLEAN BootPolicy
        );

struct _EFI_SECURITY2_PROTOCOL {
        EFI_SECURITY2_FILE_AUTHENTICATION FileAuthentication;
};

struct _EFI_SECURITY_PROTOCOL {
        EFI_SECURITY_FILE_AUTHENTICATION_STATE FileAuthenticationState;
};

/* Handle to the original authenticator for security1 protocol */
static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL;

/* Handle to the original authenticator for security2 protocol */
static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL;

/*
 * Perform shim/MOK and Secure Boot authentication on a binary that's already been
 * loaded into memory. This function does the platform SB authentication first
 * but preserves its return value in case of its failure, so that it can be
 * returned in case of a shim/MOK authentication failure. This is done because
 * the SB failure code seems to vary from one implementation to another, and I
 * don't want to interfere with that at this time.
 */
static EFIAPI EFI_STATUS security2_policy_authentication (const EFI_SECURITY2_PROTOCOL *this,
                                                          const EFI_DEVICE_PATH_PROTOCOL *device_path,
                                                          VOID *file_buffer, UINTN file_size, BOOLEAN boot_policy) {
        EFI_STATUS status;

        /* Chain original security policy */
        status = uefi_call_wrapper(es2fa, 5, this, device_path, file_buffer, file_size, boot_policy);

        /* if OK, don't bother with MOK check */
        if (status == EFI_SUCCESS)
                return status;

        if (shim_validate(file_buffer, file_size))
                return EFI_SUCCESS;

        return status;
}

/*
 * Perform both shim/MOK and platform Secure Boot authentication. This function loads
 * the file and performs shim/MOK authentication first simply to avoid double loads
 * of Linux kernels, which are much more likely to be shim/MOK-signed than platform-signed,
 * since kernels are big and can take several seconds to load on some computers and
 * filesystems. This also has the effect of returning whatever the platform code is for
 * authentication failure, be it EFI_ACCESS_DENIED, EFI_SECURITY_VIOLATION, or something
 * else. (This seems to vary between implementations.)
 */
static EFIAPI EFI_STATUS security_policy_authentication (const EFI_SECURITY_PROTOCOL *this, UINT32 authentication_status,
                                                         const EFI_DEVICE_PATH_PROTOCOL *device_path_const) {
        EFI_STATUS status;
        EFI_DEVICE_PATH *dev_path;
        EFI_HANDLE h;
        EFI_FILE *root;
        CHAR8 *file_buffer = NULL;
        UINTN file_size;
        CHAR16 *dev_path_str;

        if (!device_path_const)
                return EFI_INVALID_PARAMETER;

        dev_path = DuplicateDevicePath((EFI_DEVICE_PATH*) device_path_const);

        status = uefi_call_wrapper(BS->LocateDevicePath, 3, (EFI_GUID*) &simple_fs_guid, &dev_path, &h);
        if (status != EFI_SUCCESS) {
                FreePool(dev_path);
                return status;
        }

        /* No need to check return value, this already happened in efi_main() */
        root = LibOpenRoot(h);
        dev_path_str = DevicePathToStr(dev_path);
        FreePool(dev_path);

        file_size = file_read(root, dev_path_str, 0, 0, &file_buffer);
        FreePool(dev_path_str);
        uefi_call_wrapper(root->Close, 1, root);

        if (shim_validate(file_buffer, file_size))
                status = EFI_SUCCESS;
        else
                /* Try using the platform's native policy.... */
                status = uefi_call_wrapper(esfas, 3, this, authentication_status, device_path_const);
        FreePool(file_buffer);

        return status;
}

/* Hook both security architectural protocols so that images the platform rejects
 * get a second chance through shim's MOK verification */
EFI_STATUS security_policy_install(void) {
        EFI_SECURITY_PROTOCOL *security_protocol;
        EFI_SECURITY2_PROTOCOL *security2_protocol = NULL;
        EFI_STATUS status;

        /* Already Installed */
        if (esfas)
                return EFI_ALREADY_STARTED;

        /*
         * Don't bother with status here. The call is allowed
         * to fail, since SECURITY2 was introduced in PI 1.2.1.
         * Use security2_protocol == NULL as indicator.
         */
        uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security2_protocol_guid, NULL, (VOID**) &security2_protocol);

        status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security_protocol_guid, NULL, (VOID**) &security_protocol);
        /* This one is mandatory, so there's a serious problem */
        if (status != EFI_SUCCESS)
                return status;

        esfas = security_protocol->FileAuthenticationState;
        security_protocol->FileAuthenticationState = security_policy_authentication;

        if (security2_protocol) {
                es2fa = security2_protocol->FileAuthentication;
                security2_protocol->FileAuthentication = security2_policy_authentication;
        }

        return EFI_SUCCESS;
}

/* Restore the platform's original authenticators */
EFI_STATUS security_policy_uninstall(void) {
        EFI_STATUS status;

        if (esfas) {
                EFI_SECURITY_PROTOCOL *security_protocol;

                status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security_protocol_guid, NULL, (VOID**) &security_protocol);

                if (status != EFI_SUCCESS)
                        return status;

                security_protocol->FileAuthenticationState = esfas;
                esfas = NULL;
        } else
                /* nothing installed */
                return EFI_NOT_STARTED;

        if (es2fa) {
                EFI_SECURITY2_PROTOCOL *security2_protocol;

                status = uefi_call_wrapper(BS->LocateProtocol, 3, (EFI_GUID*) &security2_protocol_guid, NULL, (VOID**) &security2_protocol);

                if (status != EFI_SUCCESS)
                        return status;

                security2_protocol->FileAuthentication = es2fa;
                es2fa = NULL;
        }

        return EFI_SUCCESS;
}

--------------------------------------------------------------------------------
/src/efi/shim.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Port to systemd-boot
 * Copyright 2017 Max Resch
 *
 * Security Policy Handling
 * Copyright 2012
 * https://github.com/mjg59/efitools
 */

#ifndef __SDBOOT_SHIM_H
#define __SDBOOT_SHIM_H

BOOLEAN shim_loaded(void);

BOOLEAN secure_boot_enabled(void);

EFI_STATUS security_policy_install(void);

EFI_STATUS security_policy_uninstall(void);

#endif

--------------------------------------------------------------------------------
/src/efi/splash.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2012-2013 Kay Sievers
 * Copyright (C) 2012 Harald Hoyer
 */

#include <efi.h>
#include <efilib.h>

#include "graphics.h"
#include "splash.h"
#include "util.h"

struct bmp_file {
        CHAR8 signature[2];
        UINT32 size;
        UINT16 reserved[2];
        UINT32 offset;
} __attribute__((packed));

/* we require at least BITMAPINFOHEADER, later versions are
   accepted, but their features ignored */
struct bmp_dib {
        UINT32 size;
        UINT32 x;
        UINT32 y;
        UINT16 planes;
        UINT16 depth;
        UINT32 compression;
        UINT32 image_size;
        INT32 x_pixel_meter;
        INT32 y_pixel_meter;
        UINT32 colors_used;
        UINT32 colors_important;
} __attribute__((packed));

struct bmp_map {
        UINT8 blue;
        UINT8 green;
        UINT8 red;
        UINT8 reserved;
} __attribute__((packed));

EFI_STATUS bmp_parse_header(UINT8 *bmp, UINTN size, struct bmp_dib **ret_dib,
                            struct bmp_map **ret_map, UINT8 **pixmap) {
        struct bmp_file *file;
        struct bmp_dib *dib;
        struct bmp_map *map;
        UINTN row_size;

        if (size < sizeof(struct bmp_file) + sizeof(struct bmp_dib))
                return EFI_INVALID_PARAMETER;

        /* check file header */
        file = (struct bmp_file *)bmp;
        if (file->signature[0] != 'B' || file->signature[1] != 'M')
                return EFI_INVALID_PARAMETER;
        if (file->size != size)
                return EFI_INVALID_PARAMETER;
        if (file->size < file->offset)
                return EFI_INVALID_PARAMETER;

        /* check device-independent bitmap */
        dib = (struct bmp_dib *)(bmp + sizeof(struct bmp_file));
        if (dib->size < sizeof(struct bmp_dib))
                return EFI_UNSUPPORTED;

        switch (dib->depth) {
        case 1:
        case 4:
        case 8:
        case 24:
                if (dib->compression != 0)
                        return EFI_UNSUPPORTED;

                break;

        case 16:
        case 32:
                if (dib->compression != 0 && dib->compression != 3)
                        return EFI_UNSUPPORTED;

                break;

        default:
                return EFI_UNSUPPORTED;
        }

        row_size = ((UINTN) dib->depth * dib->x + 31) / 32 * 4;
        if (file->size - file->offset < dib->y * row_size)
                return EFI_INVALID_PARAMETER;
        if (row_size * dib->y > 64 * 1024 * 1024)
                return EFI_INVALID_PARAMETER;

        /* check color table */
        map = (struct bmp_map *)(bmp + sizeof(struct bmp_file) + dib->size);
        if (file->offset < sizeof(struct bmp_file) + dib->size)
                return EFI_INVALID_PARAMETER;

        if (file->offset > sizeof(struct bmp_file) + dib->size) {
                UINT32 map_count;
                UINTN map_size;

                if (dib->colors_used)
                        map_count = dib->colors_used;
                else {
                        switch (dib->depth) {
                        case 1:
                        case 4:
                        case 8:
                                map_count = 1 << dib->depth;
                                break;

                        default:
                                map_count = 0;
                                break;
                        }
                }

                map_size = file->offset - (sizeof(struct bmp_file) + dib->size);
                if (map_size != sizeof(struct bmp_map) * map_count)
                        return EFI_INVALID_PARAMETER;
        }

        *ret_map = map;
        *ret_dib = dib;
        *pixmap = bmp + file->offset;

        return EFI_SUCCESS;
}

static VOID pixel_blend(UINT32 *dst, const UINT32 source) {
        UINT32 alpha, src, src_rb, src_g, dst_rb, dst_g, rb, g;

        alpha = (source & 0xff);

        /* convert src from RGBA to XRGB */
        src = source >> 8;

        /* decompose into RB and G components */
        src_rb = (src & 0xff00ff);
        src_g = (src & 0x00ff00);

        dst_rb = (*dst & 0xff00ff);
        dst_g = (*dst & 0x00ff00);

        /* blend */
        rb = ((((src_rb - dst_rb) * alpha + 0x800080) >> 8) + dst_rb) & 0xff00ff;
        g = ((((src_g - dst_g) * alpha + 0x008000) >> 8) + dst_g) & 0x00ff00;

        *dst = (rb | g);
}

EFI_STATUS bmp_to_blt(EFI_GRAPHICS_OUTPUT_BLT_PIXEL *buf,
                      struct bmp_dib *dib, struct bmp_map *map,
                      UINT8 *pixmap) {
        UINT8 *in;
        UINTN y;

        /* transform and copy pixels */
        in = pixmap;
        for (y = 0; y < dib->y; y++) {
                EFI_GRAPHICS_OUTPUT_BLT_PIXEL *out;
                UINTN row_size;
                UINTN x;

                out = &buf[(dib->y - y - 1) * dib->x];
                for (x = 0; x < dib->x; x++, in++, out++) {
                        switch (dib->depth) {
                        case 1: {
                                UINTN i;

                                for (i = 0; i < 8 && x < dib->x; i++) {
                                        out->Red = map[((*in) >> (7 - i)) & 1].red;
                                        out->Green = map[((*in) >> (7 - i)) & 1].green;
                                        out->Blue = map[((*in) >> (7 - i)) & 1].blue;
                                        out++;
                                        x++;
                                }
                                out--;
                                x--;
                                break;
                        }

                        case 4: {
                                UINTN i;

                                i = (*in) >> 4;
                                out->Red = map[i].red;
                                out->Green = map[i].green;
                                out->Blue = map[i].blue;
                                if (x < (dib->x - 1)) {
                                        out++;
                                        x++;
                                        i = (*in) & 0x0f;
                                        out->Red = map[i].red;
                                        out->Green = map[i].green;
                                        out->Blue = map[i].blue;
                                }
                                break;
                        }

                        case 8:
                                out->Red = map[*in].red;
                                out->Green = map[*in].green;
                                out->Blue = map[*in].blue;
                                break;

                        case 16: {
                                UINT16 i = *(UINT16 *) in;

                                out->Red = (i & 0x7c00) >> 7;
                                out->Green = (i & 0x3e0) >> 2;
                                out->Blue = (i & 0x1f) << 3;
                                in += 1;
                                break;
                        }

                        case 24:
                                out->Red = in[2];
                                out->Green = in[1];
                                out->Blue = in[0];
                                in += 2;
                                break;

                        case 32: {
                                UINT32 i = *(UINT32 *) in;

                                pixel_blend((UINT32 *)out, i);

                                in += 3;
                                break;
                        }
                        }
                }

                /* add row padding; new lines always start at 32 bit boundary */
                row_size = in - pixmap;
                in += ((row_size + 3) & ~3) - row_size;
        }

        return EFI_SUCCESS;
}

EFI_STATUS graphics_splash(UINT8 *content, UINTN len, const EFI_GRAPHICS_OUTPUT_BLT_PIXEL *background) {
        EFI_GRAPHICS_OUTPUT_BLT_PIXEL pixel = {};
        EFI_GUID GraphicsOutputProtocolGuid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID;
        EFI_GRAPHICS_OUTPUT_PROTOCOL *GraphicsOutput = NULL;
        struct bmp_dib *dib;
        struct bmp_map *map;
        UINT8 *pixmap;
        UINT64 blt_size;
        VOID *blt = NULL;
        UINTN x_pos = 0;
        UINTN y_pos = 0;
        EFI_STATUS err;

        if (!background) {
                if (StriCmp(L"Apple", ST->FirmwareVendor) == 0) {
                        pixel.Red = 0xc0;
                        pixel.Green = 0xc0;
                        pixel.Blue = 0xc0;
                }
                background = &pixel;
        }

        err = LibLocateProtocol(&GraphicsOutputProtocolGuid, (VOID **)&GraphicsOutput);
        if (EFI_ERROR(err))
                return err;

        err = bmp_parse_header(content, len, &dib, &map, &pixmap);
        if (EFI_ERROR(err))
                goto err;

        if (dib->x < GraphicsOutput->Mode->Info->HorizontalResolution)
                x_pos = (GraphicsOutput->Mode->Info->HorizontalResolution - dib->x) / 2;
        if (dib->y < GraphicsOutput->Mode->Info->VerticalResolution)
                y_pos = (GraphicsOutput->Mode->Info->VerticalResolution - dib->y) / 2;

        uefi_call_wrapper(GraphicsOutput->Blt, 10, GraphicsOutput,
                          (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *)background,
                          EfiBltVideoFill, 0, 0, 0, 0,
                          GraphicsOutput->Mode->Info->HorizontalResolution,
                          GraphicsOutput->Mode->Info->VerticalResolution, 0);

        /* EFI buffer */
        blt_size = dib->x * dib->y * sizeof(EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
        blt = AllocatePool(blt_size);
        if (!blt)
                return EFI_OUT_OF_RESOURCES;

        err = uefi_call_wrapper(GraphicsOutput->Blt, 10, GraphicsOutput,
                                blt, EfiBltVideoToBltBuffer, x_pos, y_pos, 0, 0,
                                dib->x, dib->y, 0);
        if (EFI_ERROR(err))
                goto err;

        err = bmp_to_blt(blt, dib, map, pixmap);
        if (EFI_ERROR(err))
                goto err;

        err = graphics_mode(TRUE);
        if (EFI_ERROR(err))
                goto err;

        err = uefi_call_wrapper(GraphicsOutput->Blt, 10, GraphicsOutput,
                                blt, EfiBltBufferToVideo, 0, 0, x_pos, y_pos,
                                dib->x, dib->y, 0);
err:
        FreePool(blt);
        return err;
}
--------------------------------------------------------------------------------
/src/efi/splash.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2012-2013 Kay Sievers
 * Copyright (C) 2012 Harald Hoyer
 */

#ifndef __SDBOOT_SPLASH_H
#define __SDBOOT_SPLASH_H

EFI_STATUS graphics_splash(UINT8 *content, UINTN len, const EFI_GRAPHICS_OUTPUT_BLT_PIXEL *background);
#endif
--------------------------------------------------------------------------------
/src/efi/stub.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/* This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2015 Kay Sievers
 */

#include <efi.h>
#include <efilib.h>

#include "disk.h"
#include "graphics.h"
#include "linux.h"
#include "measure.h"
#include "pe.h"
#include "splash.h"
#include "util.h"

/* magic string to find in the binary image */
static const char __attribute__((used)) magic[] = "#### LoaderInfo: systemd-stub " PACKAGE_VERSION " ####";

static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;

EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
        EFI_LOADED_IMAGE *loaded_image;
        CHAR8 *b;
        UINTN size;
        BOOLEAN secure = FALSE;
        CHAR8 *sections[] = {
                (UINT8 *)".cmdline",
                (UINT8 *)".linux",
                (UINT8 *)".initrd",
                (UINT8 *)".splash",
                NULL
        };
        UINTN addrs[ELEMENTSOF(sections)-1] = {};
        UINTN offs[ELEMENTSOF(sections)-1] = {};
        UINTN szs[ELEMENTSOF(sections)-1] = {};
        CHAR8 *cmdline = NULL;
        UINTN cmdline_len;
        CHAR16 uuid[37];
        EFI_STATUS err;

        InitializeLib(image, sys_table);

        err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image,
                                image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
        if (EFI_ERROR(err)) {
                Print(L"Error getting a LoadedImageProtocol handle: %r ", err);
                uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
                return err;
        }

        if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) {
                if (*b > 0)
                        secure = TRUE;
                FreePool(b);
        }
        err = pe_memory_locate_sections(loaded_image->ImageBase, sections, addrs, offs, szs);
        if (EFI_ERROR(err)) {
                Print(L"Unable to locate embedded .linux section: %r ", err);
                uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
                return err;
        }

        if (szs[0] > 0)
                cmdline = (CHAR8 *)(loaded_image->ImageBase + addrs[0]);

        cmdline_len = szs[0];

        /* if we are not in secure boot mode (or the password feature is compiled in),
         * accept a custom command line and replace the built-in one */
        if ((!secure || SECURE_BOOT_PASSWORD) && loaded_image->LoadOptionsSize > 0 && *(CHAR16 *)loaded_image->LoadOptions != 0) {
                CHAR16 *options;
                CHAR8 *line;
                UINTN i;

                options = (CHAR16 *)loaded_image->LoadOptions;
                cmdline_len = (loaded_image->LoadOptionsSize / sizeof(CHAR16)) * sizeof(CHAR8);
                line = AllocatePool(cmdline_len);
                if (!line)
                        return EFI_OUT_OF_RESOURCES;
                for (i = 0; i < cmdline_len; i++)
                        line[i] = options[i];
                cmdline = line;

#if ENABLE_TPM
                /* Try to log any options to the TPM, especially manually edited options */
                err = tpm_log_event(SD_TPM_PCR,
                                    (EFI_PHYSICAL_ADDRESS) loaded_image->LoadOptions,
                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                if (EFI_ERROR(err)) {
                        Print(L"Unable to add image options measurement: %r", err);
                        uefi_call_wrapper(BS->Stall, 1, 200 * 1000);
                }
#endif
        }

        /* export the device path this image is started from */
        if (disk_get_part_uuid(loaded_image->DeviceHandle, uuid) == EFI_SUCCESS)
                efivar_set(L"LoaderDevicePartUUID", uuid, FALSE);

        /* if LoaderImageIdentifier is not set, assume the image with this stub was loaded directly from UEFI */
        if (efivar_get_raw(&global_guid, L"LoaderImageIdentifier", &b, &size) != EFI_SUCCESS) {
                CHAR16 *loaded_image_path = DevicePathToStr(loaded_image->FilePath);
                efivar_set(L"LoaderImageIdentifier", loaded_image_path, FALSE);
                FreePool(loaded_image_path);
        }

        /* if LoaderFirmwareInfo is not set, let's set it */
        if (efivar_get_raw(&global_guid, L"LoaderFirmwareInfo", &b, &size) != EFI_SUCCESS) {
                CHAR16 *loader_firmware_info = PoolPrint(L"%s %d.%02d", ST->FirmwareVendor, ST->FirmwareRevision >> 16, ST->FirmwareRevision & 0xffff);
                efivar_set(L"LoaderFirmwareInfo", loader_firmware_info, FALSE);
                FreePool(loader_firmware_info);
        }
        /* ditto for LoaderFirmwareType */
        if (efivar_get_raw(&global_guid, L"LoaderFirmwareType", &b, &size) != EFI_SUCCESS) {
                CHAR16 *loader_firmware_type = PoolPrint(L"UEFI %d.%02d", ST->Hdr.Revision >> 16, ST->Hdr.Revision & 0xffff);
                efivar_set(L"LoaderFirmwareType", loader_firmware_type, FALSE);
                FreePool(loader_firmware_type);
        }

        /* add StubInfo */
        if (efivar_get_raw(&global_guid, L"StubInfo", &b, &size) != EFI_SUCCESS)
                efivar_set(L"StubInfo", L"systemd-stub " PACKAGE_VERSION, FALSE);

        if (szs[3] > 0)
                graphics_splash((UINT8 *)((UINTN)loaded_image->ImageBase + addrs[3]), szs[3], NULL);

        err = linux_exec(image, cmdline, cmdline_len,
                         (UINTN)loaded_image->ImageBase + addrs[1],
                         (UINTN)loaded_image->ImageBase + addrs[2], szs[2], secure);

        graphics_mode(FALSE);
        Print(L"Execution of embedded linux image failed: %r\n", err);
        uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
        return err;
}
--------------------------------------------------------------------------------
/src/efi/util.c:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2012-2013 Kay Sievers
 * Copyright (C) 2012 Harald Hoyer
 * Copyright (C) 2017 kitsunyan
 */

#include <efi.h>
#include <efilib.h>

#include "util.h"

/*
 * Allocated random UUID, intended to be shared across tools that implement
 * the (ESP)\loader\entries\<vendor>-<revision>.conf convention and the
 * associated EFI variables.
 */
static const EFI_GUID loader_guid = { 0x4a67b082, 0x0a4c, 0x41cf, {0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f} };

#ifdef __x86_64__
UINT64 ticks_read(VOID) {
        UINT64 a, d;
        __asm__ volatile ("rdtsc" : "=a" (a), "=d" (d));
        return (d << 32) | a;
}
#elif defined(__i386__)
UINT64 ticks_read(VOID) {
        UINT64 val;
        __asm__ volatile ("rdtsc" : "=A" (val));
        return val;
}
#else
UINT64 ticks_read(VOID) {
        UINT64 val = 1;
        return val;
}
#endif

/* count TSC ticks during a millisecond delay */
UINT64 ticks_freq(VOID) {
        UINT64 ticks_start, ticks_end;

        ticks_start = ticks_read();
        uefi_call_wrapper(BS->Stall, 1, 1000);
        ticks_end = ticks_read();

        return (ticks_end - ticks_start) * 1000;
}

UINT64 time_usec(VOID) {
        UINT64 ticks;
        static UINT64 freq;

        ticks = ticks_read();
        if (ticks == 0)
                return 0;

        if (freq == 0) {
                freq = ticks_freq();
                if (freq == 0)
                        return 0;
        }

        return 1000 * 1000 * ticks / freq;
}

EFI_STATUS parse_boolean(CHAR8 *v, BOOLEAN *b) {
        if (strcmpa(v, (CHAR8 *)"1") == 0 ||
            strcmpa(v, (CHAR8 *)"yes") == 0 ||
            strcmpa(v, (CHAR8 *)"y") == 0 ||
            strcmpa(v, (CHAR8 *)"true") == 0) {
                *b = TRUE;
                return EFI_SUCCESS;
        }

        if (strcmpa(v, (CHAR8 *)"0") == 0 ||
            strcmpa(v, (CHAR8 *)"no") == 0 ||
            strcmpa(v, (CHAR8 *)"n") == 0 ||
            strcmpa(v, (CHAR8 *)"false") == 0) {
                *b = FALSE;
                return EFI_SUCCESS;
        }

        return EFI_INVALID_PARAMETER;
}

EFI_STATUS efivar_set_raw(const EFI_GUID *vendor, CHAR16 *name, CHAR8 *buf, UINTN size, BOOLEAN persistent) {
        UINT32 flags;

        flags = EFI_VARIABLE_BOOTSERVICE_ACCESS|EFI_VARIABLE_RUNTIME_ACCESS;
        if (persistent)
                flags |= EFI_VARIABLE_NON_VOLATILE;

        return uefi_call_wrapper(RT->SetVariable, 5, name, (EFI_GUID *)vendor, flags, size, buf);
}

EFI_STATUS efivar_set(CHAR16 *name, CHAR16 *value, BOOLEAN persistent) {
        return efivar_set_raw(&loader_guid, name, (CHAR8 *)value, value ? (StrLen(value)+1) * sizeof(CHAR16) : 0, persistent);
}

EFI_STATUS efivar_set_int(CHAR16 *name, UINTN i, BOOLEAN persistent) {
        CHAR16 str[32];

        SPrint(str, 32, L"%d", i);
        return efivar_set(name, str, persistent);
}

EFI_STATUS efivar_get(CHAR16 *name, CHAR16 **value) {
        CHAR8 *buf;
        CHAR16 *val;
        UINTN size;
        EFI_STATUS err;

        err = efivar_get_raw(&loader_guid, name, &buf, &size);
        if (EFI_ERROR(err))
                return err;

        val = StrDuplicate((CHAR16 *)buf);
        if (!val) {
                FreePool(buf);
                return EFI_OUT_OF_RESOURCES;
        }

        *value = val;
        return EFI_SUCCESS;
}

EFI_STATUS efivar_get_int(CHAR16 *name, UINTN *i) {
        CHAR16 *val;
        EFI_STATUS err;

        err = efivar_get(name, &val);
        if (!EFI_ERROR(err)) {
                *i = Atoi(val);
                FreePool(val);
        }
        return err;
}

EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, CHAR16 *name, CHAR8 **buffer, UINTN *size) {
        CHAR8 *buf;
        UINTN l;
        EFI_STATUS err;

        l = sizeof(CHAR16 *) * EFI_MAXIMUM_VARIABLE_SIZE;
        buf = AllocatePool(l);
        if (!buf)
                return EFI_OUT_OF_RESOURCES;

        err = uefi_call_wrapper(RT->GetVariable, 5, name, (EFI_GUID *)vendor, NULL, &l, buf);
        if (!EFI_ERROR(err)) {
                *buffer = buf;
                if (size)
                        *size = l;
        } else
                FreePool(buf);
        return err;
}

VOID efivar_set_time_usec(CHAR16 *name, UINT64 usec) {
        CHAR16 str[32];

        if (usec == 0)
                usec = time_usec();
        if (usec == 0)
                return;

        SPrint(str, 32, L"%ld", usec);
        efivar_set(name, str, FALSE);
}

static INTN utf8_to_16(CHAR8 *stra, CHAR16 *c) {
        CHAR16 unichar;
        UINTN len;
        UINTN i;

        if (stra[0] < 0x80)
                len = 1;
        else if ((stra[0] & 0xe0) == 0xc0)
                len = 2;
        else if ((stra[0] & 0xf0) == 0xe0)
                len = 3;
        else if ((stra[0] & 0xf8) == 0xf0)
                len = 4;
        else if ((stra[0] & 0xfc) == 0xf8)
                len = 5;
        else if ((stra[0] & 0xfe) == 0xfc)
                len = 6;
        else
                return -1;

        switch (len) {
        case 1:
                unichar = stra[0];
                break;
        case 2:
                unichar = stra[0] & 0x1f;
                break;
        case 3:
                unichar = stra[0] & 0x0f;
                break;
        case 4:
                unichar = stra[0] & 0x07;
                break;
        case 5:
                unichar = stra[0] & 0x03;
                break;
        case 6:
                unichar = stra[0] & 0x01;
                break;
        }

        for (i = 1; i < len; i++) {
                if ((stra[i] & 0xc0) != 0x80)
                        return -1;
                unichar <<= 6;
                unichar |= stra[i] & 0x3f;
        }

        *c = unichar;
        return len;
}

CHAR16 *stra_to_str(CHAR8 *stra) {
        UINTN strlen;
        UINTN len;
        UINTN i;
        CHAR16 *str;

        len = strlena(stra);
        str = AllocatePool((len + 1) * sizeof(CHAR16));

        strlen = 0;
        i = 0;
        while (i < len) {
                INTN utf8len;

                utf8len = utf8_to_16(stra + i, str + strlen);
                if (utf8len <= 0) {
                        /* invalid utf8 sequence, skip the garbage */
                        i++;
                        continue;
                }

                strlen++;
                i += utf8len;
        }
        str[strlen] = '\0';
        return str;
}

CHAR16 *stra_to_path(CHAR8 *stra) {
        CHAR16 *str;
        UINTN strlen;
        UINTN len;
        UINTN i;

        len = strlena(stra);
        str = AllocatePool((len + 2) * sizeof(CHAR16));

        str[0] = '\\';
        strlen = 1;
        i = 0;
        while (i < len) {
                INTN utf8len;

                utf8len = utf8_to_16(stra + i, str + strlen);
                if (utf8len <= 0) {
                        /* invalid utf8 sequence, skip the garbage */
                        i++;
                        continue;
                }

                if (str[strlen] == '/')
                        str[strlen] = '\\';
                if (str[strlen] == '\\' && str[strlen-1] == '\\') {
                        /* skip double slashes */
                        i += utf8len;
                        continue;
                }

                strlen++;
                i += utf8len;
        }
        str[strlen] = '\0';
        return str;
}

CHAR8 *strchra(CHAR8 *s, CHAR8 c) {
        do {
                if (*s == c)
                        return s;
        } while (*s++);
        return NULL;
}

INTN file_read(EFI_FILE_HANDLE dir, CHAR16 *name, UINTN off, UINTN size, CHAR8 **content) {
        EFI_FILE_HANDLE handle;
        CHAR8 *buf;
        UINTN buflen;
        EFI_STATUS err;
        UINTN len;

        err = uefi_call_wrapper(dir->Open, 5, dir, &handle, name, EFI_FILE_MODE_READ, 0ULL);
        if (EFI_ERROR(err))
                return err;

        if (size == 0) {
                EFI_FILE_INFO *info;

                info = LibFileInfo(handle);
                buflen = info->FileSize+1;
                FreePool(info);
        } else
                buflen = size;

        if (off > 0) {
                err = uefi_call_wrapper(handle->SetPosition, 2, handle, off);
                if (EFI_ERROR(err)) {
                        /* do not leak the open handle on failure */
                        uefi_call_wrapper(handle->Close, 1, handle);
                        return err;
                }
        }

        buf = AllocatePool(buflen);
        err = uefi_call_wrapper(handle->Read, 3, handle, &buflen, buf);
        if (!EFI_ERROR(err)) {
                buf[buflen] = '\0';
                *content = buf;
                len = buflen;
        } else {
                len = err;
                FreePool(buf);
        }

        uefi_call_wrapper(handle->Close, 1, handle);
        return len;
}

UINT8 *hash_str_to_array(CHAR8 *value) {
        UINTN i;
        UINT8 b;
        UINTN len = strlena(value);
        UINT8 *hash = NULL;
        BOOLEAN invalid = len != 64*2;

        if (!invalid) {
                hash = AllocatePool(64);
                for (i = 0; i < 64*2; i++) {
                        switch (value[i]) {
                        case '0' ... '9':
                                b = value[i] - '0';
                                break;
                        case 'a' ... 'f':
                                b = value[i] - 'a' + 10;
                                break;
                        case 'A' ... 'F':
                                b = value[i] - 'A' + 10;
                                break;
                        default:
                                invalid = TRUE;
                                break;
                        }

                        if (!invalid) {
                                if (i % 2)
                                        hash[i/2] |= b;
                                else
                                        hash[i/2] = b << 4;
                        } else
                                break;
                }
        }
        if (invalid) {
                FreePool(hash);
                hash = NULL;
        }
        return hash;
}
--------------------------------------------------------------------------------
/src/efi/util.h:
--------------------------------------------------------------------------------
/* SPDX-License-Identifier: LGPL-2.1+ */
/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Copyright (C) 2012-2013 Kay Sievers
 * Copyright (C) 2012 Harald Hoyer
 * Copyright (C) 2017 kitsunyan
 */

#ifndef __SDBOOT_UTIL_H
#define __SDBOOT_UTIL_H

#include <efi.h>
#include <efilib.h>

#define ELEMENTSOF(x) (sizeof(x)/sizeof((x)[0]))

static inline const CHAR16 *yes_no(BOOLEAN b) {
        return b ? L"yes" : L"no";
}

EFI_STATUS parse_boolean(CHAR8 *v, BOOLEAN *b);

UINT64 ticks_read(void);
UINT64 ticks_freq(void);
UINT64 time_usec(void);

EFI_STATUS efivar_set(CHAR16 *name, CHAR16 *value, BOOLEAN persistent);
EFI_STATUS efivar_set_raw(const EFI_GUID *vendor, CHAR16 *name, CHAR8 *buf, UINTN size, BOOLEAN persistent);
EFI_STATUS efivar_set_int(CHAR16 *name, UINTN i, BOOLEAN persistent);
VOID efivar_set_time_usec(CHAR16 *name, UINT64 usec);

EFI_STATUS efivar_get(CHAR16 *name, CHAR16 **value);
EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, CHAR16 *name, CHAR8 **buffer, UINTN *size);
EFI_STATUS efivar_get_int(CHAR16 *name, UINTN *i);

CHAR8 *strchra(CHAR8 *s, CHAR8 c);
CHAR16 *stra_to_path(CHAR8 *stra);
CHAR16 *stra_to_str(CHAR8 *stra);

INTN file_read(EFI_FILE_HANDLE dir, CHAR16 *name, UINTN off, UINTN size, CHAR8 **content);

UINT8 *hash_str_to_array(CHAR8 *value);
#endif
--------------------------------------------------------------------------------
/src/sbpctl.in:
--------------------------------------------------------------------------------
#!/bin/bash

BOOT_LIB_DIR='@BOOT_LIB_DIR@'
EFI_MACHINE_TYPE_NAME='@EFI_MACHINE_TYPE_NAME@'

EFI_DEFAULT="/EFI/BOOT/BOOT${EFI_MACHINE_TYPE_NAME^^}.EFI"
EFI_SBP="/EFI/systemd/systemd-boot$EFI_MACHINE_TYPE_NAME.efi"

DB_KEY='/etc/sbp/db.key'
DB_CERT='/etc/sbp/db.crt'
CONFIG='/etc/sbp/loader.conf'

function checkroot() {
    [ "`id -u`" -eq 0 ] || {
        echo 'You should start this script as root.' >&2
        return 1
    }
}

function checksign() {
    which sbsign > /dev/null 2> /dev/null || {
        echo 'sbsign is not found.' >&2
        return 1
    }

    for f in "$DB_KEY" "$DB_CERT"; do
        [ -f "$f" ] || {
            echo "$f does not exist." >&2
            return 1
        }
    done
}

function sign() {
    sbsign --key "$DB_KEY" --cert "$DB_CERT" --output "$1" "$1" || {
        echo 'Can not sign EFI application.' >&2
        return 1
    }
}

function readargs() {
    opts_count="$1"
    vals_count="$2"
    shift 2

    declare -A opts_long
    declare -A opts_short
    declare -A opts_with_val

    for arg in "${@:1:$opts_count}"; do
        IFS=':' read -a arge <<< "$arg"
        arg="${arge[0]}"
        opts_long["$arg"]="$arg"

        for arg_opt in `seq 1 $((${#arge[@]} - 1))`; do
            case "${arge["$arg_opt"]}" in
                s)
                    opts_short["${arg:0:1}"]="$arg"
                    ;;
                v)
                    opts_with_val["$arg"]=1
                    ;;
            esac
        done
    done

    shift "$opts_count"
    opts_end=

    while arg="$1"; shift; do
        case "$arg" in
            --*)
                [ -n "$opts_end" ] && {
                    readargs_vals+=("$arg")
                    continue
                }

                [ "$arg" = '--' ] && {
                    opts_end=1
                    continue
                }

                arg="${arg:2}"
                opt_val="$1"
                opt_val_no_shift=false
                grep -q '=' <<< "$arg" && {
                    opt_val="`sed 's/^[^=]*=//' <<< "$arg"`"
                    arg="`sed 's/=.*$//' <<< "$arg"`"
                    opt_val_no_shift=true
                }

                [ -n "${opts_long["$arg"]}" ] && {
                    [ -n "${opts_with_val["$arg"]}" ] && {
                        { "$opt_val_no_shift" || shift; } || {
                            echo "No value provided for \"$arg\"" >&2
                            return 1
                        }

                        readargs_opts["$arg"]="${readargs_opts["$arg"]} ${#readargs_opt_vals[@]}"
                        readargs_opt_vals+=("$opt_val")
                    } || {
                        readargs_opts["$arg"]="$arg"
                    }
                } || {
                    echo "Unknown attribute: \"$arg\"." >&2
                    return 1
                }
                ;;
            -*)
                [ -n "$opts_end" ] && {
                    readargs_vals+=("$arg")
                    continue
                }

                [ "$arg" = '-' ] && {
                    echo 'Unknown attribute: "-".' >&2
                    return 1
                }

                while arg="${arg:1}"; [ -n "$arg" ]; do
                    short_arg="${arg:0:1}"
                    long_arg="${opts_short["$short_arg"]}"

                    [ -n "$long_arg" ] && {
                        [ -n "${opts_with_val["$long_arg"]}" ] && {
                            opt_val="$1"
                            { shift && [ -z "${arg:1}" ]; } || {
                                echo "No value provided for \"$short_arg\"" >&2
                                return 1
                            }

                            readargs_opts["$long_arg"]="${readargs_opts["$long_arg"]} ${#readargs_opt_vals[@]}"
                            readargs_opt_vals+=("$opt_val")
                        } || {
                            readargs_opts["$long_arg"]="$long_arg"
                        }
                    } || {
                        echo "Unknown attribute: \"$short_arg\"." >&2
                        return 1
                    }
                done
                ;;
            *)
                readargs_vals+=("$arg")
                ;;
        esac
    done

    [ "${#readargs_vals[@]}" -ne "$vals_count" ] && {
        echo "Invalid arguments count: expected $vals_count, got ${#readargs_vals[@]}." >&2
        return 1
    }

    return 0
}

function extractargs() {
    for index in ${readargs_opts["$1"]}; do
        extractargs_vals+=("${readargs_opt_vals["$index"]}")
    done
}

shopt -s expand_aliases

alias readargs='unset readargs_opts
unset readargs_opt_vals
unset readargs_vals
declare -A readargs_opts
declare -a readargs_opt_vals
declare -a readargs_vals
readargs'

alias extractargs='unset extractargs_vals
declare -a extractargs_vals
extractargs'

case "$1" in
    install)
        shift
        checkroot || exit 1
        readargs 3 1 default:s include:s sign:s "$@" || exit 1

        default="${readargs_opts[default]}"
        include="${readargs_opts[include]}"
        sign="${readargs_opts[sign]}"
        esp="${readargs_vals[0]}"

        [ -n "$include" ] && {
            [ -e "$CONFIG" ] || {
                echo "$CONFIG does not exist." >&2
                exit 1
            }
        }

        [ -n "$sign" ] && {
            checksign || exit 1
        }

        [ -n "$esp" ] || {
            echo 'Please provide ESP path.' >&2
            exit 1
        }

        [ -d "$esp" ] || {
            echo 'ESP path is not a directory.' >&2
            exit 1
        }

        efi="$BOOT_LIB_DIR/systemd-boot$EFI_MACHINE_TYPE_NAME.efi"

        function bootmkdir() {
            dir=`dirname "$1"`
            [ -d "$dir" ] || mkdir -p "$dir" || {
                echo "$2" >&2
                return 1
            }
        }

        bootmkdir "$esp$EFI_DEFAULT" 'Can not create EFI/BOOT directory.' || exit 1
        [ -n "$include" ] && {
            objcopy --add-section .config="$CONFIG" --change-section-vma .config=0x20000 \
                "$efi" "$esp$EFI_DEFAULT" || {
                echo 'Can not copy EFI application.' >&2
                exit 1
            }
        } || {
            cp "$efi" "$esp$EFI_DEFAULT" || {
                echo 'Can not copy EFI application.' >&2
                exit 1
            }
        }

        [ -n "$sign" ] && {
            sign "$esp$EFI_DEFAULT" || exit 1
        }

        [ -z "$default" ] && {
            bootmkdir "$esp$EFI_SBP" 'Can not create EFI/systemd directory.' || exit 1
            cp "$esp$EFI_DEFAULT" "$esp$EFI_SBP" || {
                echo 'Can not copy EFI application.' >&2
                exit 1
            }
        }

        echo 'Success.'
        ;;
    standalone)
        shift
        readargs 4 2 sign:s initrd:s:v osrel:s:v cmdline:s:v "$@" || exit 1

        sign="${readargs_opts[sign]}"
        efi="${readargs_vals[0]}"
        output="${readargs_vals[1]}"

        extractargs initrd
        [ "${#extractargs_vals[@]}" = 0 ] && {
            echo 'You should specify initrd.' >&2
            exit 1
        }
        initrd="${extractargs_vals[0]}"

        remove_initrd=false
        [ "${#extractargs_vals[@]}" -ge 2 ] && {
            remove_initrd=true
            # mktemp creates the file with a random name and mode 0600, so a
            # predictable path in the shared /tmp cannot be pre-created by another user
            initrd="`mktemp /tmp/.sbp-initrd-XXXXXX`" || {
                echo 'Can not create temporary initrd.' >&2
                exit 1
            }
            cat "${extractargs_vals[@]}" > "$initrd" || {
                rm "$initrd"
                echo 'Can not create initrd.' >&2
                exit 1
            }
        }

        extractargs osrel
        osrel="${extractargs_vals[0]}"

        extractargs cmdline
        cmdline="${extractargs_vals[0]}"

        [ -n "$sign" ] && {
            checksign || exit 1
        }

        objcmd=()
        [ -n "$osrel" ] && objcmd+=(--add-section .osrel="$osrel" --change-section-vma .osrel=0x20000)
        [ -n "$cmdline" ] && objcmd+=(--add-section .cmdline="$cmdline" --change-section-vma .cmdline=0x30000)
        objcmd+=(--add-section .linux="$efi" --change-section-vma .linux=0x40000)
        objcmd+=(--add-section .initrd="$initrd" --change-section-vma .initrd=0x3000000)

        objcopy "${objcmd[@]}" "$BOOT_LIB_DIR/linux$EFI_MACHINE_TYPE_NAME.efi.stub" "$output" || {
            "$remove_initrd" && rm "$initrd"
            echo 'Can not create EFI application.' >&2
            exit 1
        }
        "$remove_initrd" && rm "$initrd"

        [ -n "$sign" ] && {
            sign "$output" || exit 1
        }

        echo 'Success.'
        ;;
    generate)
        function hash() {
            echo -n "$1: " > /dev/tty
            read -s password
            echo > /dev/tty

            # printf rather than echo: a password starting with "-n" or "-e"
            # must not be taken as an echo option
            filtered=`printf '%s\n' "$password" | grep -Po '[\x00-\x7f]*'`
            [ "$password" = "$filtered" ] || {
                echo 'Only non-unicode characters are allowed.' >&2
                return 1
            }

            printf '%s' "$password" | sha512sum | grep -Po '[0-9a-fA-F]{128}'
        }

        hash1=`hash 'Enter password'` || exit 1
        hash2=`hash 'Retype password'` || exit 1

        [ "$hash1" = "$hash2" ] && {
            echo "password $hash1"
            exit 0
        } || {
            echo 'Passwords do not match.' >&2
            exit 1
        }
        ;;
    *)
        [ -n "$1" ] &&
            echo "Unknown command: \"$1\"." >&2 ||
            echo 'No attributes provided.' >&2
        ;;
esac
--------------------------------------------------------------------------------
