shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-10-26 17:27:41 +03:00
Code

sd-boot: add support for support enrolling dbx

Browse Source 
usage:
  (1) get latest revocation list for your architecture
      from https://uefi.org/revocationlistfile
  (2) copy the file to $ESP/loader/keys/$name/dbx.auth
This commit is contained in:
Gerd Hoffmann 2024-03-19 14:49:51 +01:00 committed by Luca Boccassi
parent e33d43b059
commit 57ea8012d6
2 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
man/systemd-boot.xml
View File

@ -380,7 +380,7 @@
similar, to extend the native firmware support.</para>
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
to force or not.</para>

12
src/boot/efi/secure-boot.c
View File

@ -124,18 +124,20 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
const char16_t *name;
const char16_t *filename;
const EFI_GUID vendor;
bool required;
char *buffer;
size_t size;
} sb_vars[] = {
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, NULL, 0 },
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, true, NULL, 0 },
{ u"dbx", u"dbx.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, false, NULL, 0 },
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, true, NULL, 0 },
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, true, NULL, 0 },
};
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
for (size_t i = 0; i < ELEMENTSOF(sb_vars); i++) {
err = file_read(dir, sb_vars[i].filename, 0, 0, &sb_vars[i].buffer, &sb_vars[i].size);
if (err != EFI_SUCCESS) {
if (err != EFI_SUCCESS && sb_vars[i].required) {
log_error_status(err, "Failed reading file %ls\\%ls: %m", path, sb_vars[i].filename);
goto out_deallocate;
}
@ -172,6 +174,8 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
if (sb_vars[i].size == 0)
continue;
err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
if (err != EFI_SUCCESS) {
log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);