
Add features for the Host Security ID program#660

Merged
vathpela merged 6 commits into rhboot:main from vathpela:hsi
Feb 24, 2025

Conversation

@vathpela
Member

No description provided.

@vathpela vathpela force-pushed the hsi branch 2 times, most recently from f75a896 to b446211 on May 15, 2024 20:39
@kukrimate
Collaborator

Shouldn't this also explicitly expose if data sections of the image are executable or is that implied by heap is executable flag?

@dennis-tseng99
Contributor

May I suggest you could put error codes on the bottom of get_hsi_mem_info()?

#include "shim.h"	/* shim's umbrella header; assumed here, the comment as posted did not show includes */

/* hsi_status is the global that is later exported through the HSIStatus entry. */
void
get_hsi_mem_info(void)
{
	EFI_STATUS efi_status;
	uintptr_t addr;
	uint64_t attrs = 0;
	uint32_t *tmp_alloc;

	/* The page holding shim's own code: if it is writable, report ROW. */
	addr = ((uintptr_t)&get_hsi_mem_info) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}

	hsi_status = SHIM_HSI_STATUS_HASMAP;
	if (attrs & MEM_ATTR_W) {
		hsi_status |= SHIM_HSI_STATUS_ROW;
	}

	/* The page holding a local variable, i.e. the stack. */
	addr = ((uintptr_t)&addr) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}

	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_STACKX;
	}

	/* A fresh pool allocation, i.e. the heap. */
	tmp_alloc = AllocatePool(EFI_PAGE_SIZE);
	if (!tmp_alloc) {
		goto error;
	}

	addr = ((uintptr_t)tmp_alloc) & ~EFI_PAGE_MASK;
	/* Query one page, as in the two calls above (the code as posted passed EFI_PAGE_MASK as the size here). */
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	FreePool(tmp_alloc);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}
	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_HEAPX;
	}
	return;

error:
	/*
	 * In this case we can't actually tell anything, so assume
	 * and report the worst case scenario.
	 */
	hsi_status = SHIM_HSI_STATUS_HEAPX |
		     SHIM_HSI_STATUS_STACKX |
		     SHIM_HSI_STATUS_ROW;
}

@vathpela
Member Author

Shouldn't this also explicitly expose if data sections of the image are executable or is that implied by heap is executable flag?

I'd rather 1) make that never happen and 2) make post-process-pe reject it. This should be reporting primarily about what firmware does.

@vathpela
Member Author

May I suggest you could put error codes on the bottom of get_hsi_mem_info() ?

	...

	hsi_status = SHIM_HSI_STATUS_HEAPX |
		     SHIM_HSI_STATUS_STACKX |
		     SHIM_HSI_STATUS_ROW;
}

What's the improvement? Seems the same to me, but my habit is to put a series of 'undo' blocks in gotos at the end, but if it's just reporting an error, to do it at the first place it occurs.

@vathpela
Member Author

Note that this is now on top of #726

@vathpela vathpela requested a review from jsetje February 19, 2025 20:31
@vathpela vathpela marked this pull request as ready for review February 19, 2025 20:32
@vathpela vathpela force-pushed the hsi branch 3 times, most recently from 145d1ac to 8b876bc on February 21, 2025 00:28
This changes get_mem_attrs() to return EFI_UNSUPPORTED if
LibLocateProtocol() does not return an error but does give us a NULL
pointer.

Signed-off-by: Peter Jones <pjones@redhat.com>
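
To make this commit's behaviour concrete, here is an added example (not shim's code) that models get_mem_attrs() over a mocked EFI Memory Attribute Protocol and then runs the same code/stack/heap checks as the get_hsi_mem_info() listing earlier in this thread. Everything below is a constructed stand-in: the EFI status codes, the MEM_ATTR_* bits, the SHIM_HSI_STATUS_* values and the three page addresses are assumptions, not the definitions from efi.h or shim.h, and LibLocateProtocol() is replaced by a mock that can return success while handing back a NULL pointer, which is the case the commit turns into EFI_UNSUPPORTED.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins constructed for this example: the real EFI status codes, memory
 * attribute bits and SHIM_HSI_STATUS_* values live in efi.h / shim.h, and the
 * three page addresses are fakes for shim's code, stack and a pool allocation. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS      0ULL
#define EFI_UNSUPPORTED  (0x8000000000000000ULL | 3ULL)
#define EFI_NOT_FOUND    (0x8000000000000000ULL | 14ULL)
#define EFI_ERROR(s)     (((s) >> 63) != 0)   /* high bit set means error */
#define EFI_PAGE_SIZE    0x1000ULL
#define MEM_ATTR_W       0x1ULL
#define MEM_ATTR_X       0x2ULL
#define SHIM_HSI_STATUS_HEAPX  0x1U
#define SHIM_HSI_STATUS_STACKX 0x2U
#define SHIM_HSI_STATUS_ROW    0x4U
#define SHIM_HSI_STATUS_HASMAP 0x8U
#define HSI_WORST_CASE \
	(SHIM_HSI_STATUS_HEAPX | SHIM_HSI_STATUS_STACKX | SHIM_HSI_STATUS_ROW) /* can't tell: all bad, HASMAP clear */
#define CODE_PAGE  0x1000UL
#define STACK_PAGE 0x2000UL
#define HEAP_PAGE  0x3000UL

/* Minimal model of EFI_MEMORY_ATTRIBUTE_PROTOCOL: just the query method. */
typedef struct {
	EFI_STATUS (*GetMemoryAttributes)(uintptr_t base, uint64_t len, uint64_t *attrs);
} MEM_ATTR_PROTOCOL;

static uint64_t mock_attrs[3];          /* mock firmware: attributes of the three pages */
static MEM_ATTR_PROTOCOL *installed;    /* mock firmware: the protocol, or NULL */

static EFI_STATUS mock_get_attrs(uintptr_t base, uint64_t len, uint64_t *attrs)
{
	size_t i = base / EFI_PAGE_SIZE;   /* pages 1..3 are the modelled ones */
	if (len != EFI_PAGE_SIZE || i < 1 || i > 3)
		return EFI_NOT_FOUND;
	*attrs = mock_attrs[i - 1];
	return EFI_SUCCESS;
}
static MEM_ATTR_PROTOCOL mock_proto = { mock_get_attrs };

/* The failure mode the commit handles: success, but a NULL out-pointer. */
static EFI_STATUS mock_LibLocateProtocol(MEM_ATTR_PROTOCOL **out)
{
	*out = installed;
	return EFI_SUCCESS;
}

EFI_STATUS get_mem_attrs(uintptr_t addr, uint64_t size, uint64_t *attrs)
{
	MEM_ATTR_PROTOCOL *proto = NULL;
	EFI_STATUS st = mock_LibLocateProtocol(&proto);
	if (EFI_ERROR(st))
		return st;
	if (!proto)             /* never call through a NULL protocol pointer */
		return EFI_UNSUPPORTED;
	return proto->GetMemoryAttributes(addr, size, attrs);
}

/* Same three checks as get_hsi_mem_info() in the thread above. */
uint32_t compute_hsi_status(void)
{
	static const struct { uintptr_t page; uint64_t attr; uint32_t flag; } checks[] = {
		{ CODE_PAGE,  MEM_ATTR_W, SHIM_HSI_STATUS_ROW },    /* code page writable?    */
		{ STACK_PAGE, MEM_ATTR_X, SHIM_HSI_STATUS_STACKX }, /* stack executable?      */
		{ HEAP_PAGE,  MEM_ATTR_X, SHIM_HSI_STATUS_HEAPX },  /* pool alloc executable? */
	};
	uint32_t status = SHIM_HSI_STATUS_HASMAP;  /* a successful query proves the protocol works */
	for (size_t i = 0; i < 3; i++) {
		uint64_t attrs = 0;
		if (EFI_ERROR(get_mem_attrs(checks[i].page, EFI_PAGE_SIZE, &attrs)))
			return HSI_WORST_CASE;   /* cannot tell, so report the worst case */
		if (attrs & checks[i].attr)
			status |= checks[i].flag;
	}
	return status;
}

/* Scenario helpers: configure the mock firmware, then run the query. */
static void mock_install(int present, uint64_t code, uint64_t stack, uint64_t heap)
{
	installed = present ? &mock_proto : NULL;
	mock_attrs[0] = code;
	mock_attrs[1] = stack;
	mock_attrs[2] = heap;
}

EFI_STATUS probe_page_for(int present, uintptr_t base)
{
	uint64_t attrs = 0;
	mock_install(present, 0, 0, 0);
	return get_mem_attrs(base, EFI_PAGE_SIZE, &attrs);
}

uint32_t status_for(int present, uint64_t code, uint64_t stack, uint64_t heap)
{
	mock_install(present, code, stack, heap);
	return compute_hsi_status();
}
```

Because the worst-case value deliberately leaves HASMAP clear, as in the listing above, a consumer can tell "the protocol answered and these pages really are writable or executable" apart from "shim could not ask at all": the latter shows HEAPX, STACKX and ROW with HASMAP unset.
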
This adds a mok variable flag "MOK_VARIABLE_CONFIG_ONLY" to specify that
the data should be added to our UEFI config table, but shim should not
create a legacy UEFI variable.

Signed-off-by: Peter Jones <pjones@redhat.com>
This adds a member to the mok_state_variable struct to provide a
callback function for formatting external data.  It basically has
snprintf()-like semantics for filling the buffer, but without the actual
printf-like formatting bits.

Signed-off-by: Peter Jones <pjones@redhat.com>
Currently when you've added a variable and not correctly changed the
test cases to match, you get a message like:

	./test-mok-mirror
	test-mok-mirror: setting variable sort policy to MOCK_SORT_DESCENDING
	test-mok-mirror: setting delete policy to MOCK_VAR_DELETE_ATTR_ALLOW_ZERO
	running test_mok_mirror_with_enough_space
	test_mok_mirror_with_enough_space: passed
	running test_mok_mirror_setvar_out_of_resources
	check_config_table:232:mok.name[0] 72 != test.name[0] 0
	check_config_table:232:Assertion `mok_entry->name[0] == mock_entry->name[0]' failed.

This adds another two lines:

	test-mok-mirror: Failed on entry 4 mok.name:"HSIStatus" mock.name:""
	test-mok-mirror: Entry is missing in expected variable list.

Or:

	test-mok-mirror: Failed on entry 4 mok.name:"" mock.name:"HSIStatus"
	test-mok-mirror: Entry is missing in found variable list.

Which will usually tell you which variable you forgot to add that's
present in test data, or what's missing in the test data and present
in the expected data.

Signed-off-by: Peter Jones <pjones@redhat.com>
This moves the EFI Memory Attribute Protocol helper functions to their
own file, since they're not related to PE things.

Signed-off-by: Peter Jones <pjones@redhat.com>
hughsie asked me if I can make shim tell userland what kinds of accesses
are allowed to the heap, stack, and allocations on the running platform,
so that these could be reported up through fwupd's Host Security ID
program (see https://fwupd.github.io/libfwupdplugin/hsi.html ).

This adds a new config-only (i.e. not a UEFI variable) variable
generated during boot, "/sys/firmware/efi/mok-variables/HSIStatus",
which tells us those properties as well as if the EFI Memory Attribute
Protocol is present.

Signed-off-by: Peter Jones <pjones@redhat.com>
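
Two of the commits above describe an snprintf()-like formatting callback for external data and the HSIStatus config-only entry it produces. The following added example (not shim's code) shows that contract end to end: a formatter that always returns the full text length so a caller can size the buffer with a (NULL, 0) pass and never overruns a short one, and the matching parser a userland tool would need to read /sys/firmware/efi/mok-variables/HSIStatus. The key names, the "key: 0|1" line format and the SHIM_HSI_STATUS_* bit values are assumptions made for illustration; the page does not show shim's actual HSIStatus layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bit values and key names are assumed for this example; shim's real ones
 * are not shown on this page. */
#define SHIM_HSI_STATUS_HEAPX  0x1U
#define SHIM_HSI_STATUS_STACKX 0x2U
#define SHIM_HSI_STATUS_ROW    0x4U
#define SHIM_HSI_STATUS_HASMAP 0x8U

static const struct { const char *key; uint32_t bit; } hsi_rows[] = {
	{ "heap-is-executable",            SHIM_HSI_STATUS_HEAPX },
	{ "stack-is-executable",           SHIM_HSI_STATUS_STACKX },
	{ "ro-sections-are-writable",      SHIM_HSI_STATUS_ROW },
	{ "has-memory-attribute-protocol", SHIM_HSI_STATUS_HASMAP },
};
#define HSI_NROWS (sizeof(hsi_rows) / sizeof(hsi_rows[0]))

/* Append s at logical offset pos: write only what fits, keep a NUL, and
 * return the new logical length. This is snprintf()'s contract minus the
 * format parsing. buf may be NULL when size is 0. */
static size_t emit(char *buf, size_t size, size_t pos, const char *s)
{
	size_t len = strlen(s);
	if (buf && pos < size) {
		size_t n = len < size - pos - 1 ? len : size - pos - 1;
		memcpy(buf + pos, s, n);
		buf[pos + n] = '\0';
	}
	return pos + len;
}

/* Producer: one "key: 0|1" line per flag. Always returns the full length
 * (excluding NUL), so format_hsi_status(st, NULL, 0) sizes the buffer. */
size_t format_hsi_status(uint32_t status, char *buf, size_t size)
{
	size_t pos = 0;
	if (buf && size)
		buf[0] = '\0';
	for (size_t i = 0; i < HSI_NROWS; i++) {
		pos = emit(buf, size, pos, hsi_rows[i].key);
		pos = emit(buf, size, pos, (status & hsi_rows[i].bit) ? ": 1\n" : ": 0\n");
	}
	return pos;
}

/* Two-pass caller: measure, allocate exactly, fill. Caller frees. */
char *hsi_status_to_string(uint32_t status)
{
	size_t need = format_hsi_status(status, NULL, 0);
	char *out = malloc(need + 1);
	if (out)
		format_hsi_status(status, out, need + 1);
	return out;
}

/* Consumer (what a tool reading the mok-variables file would do). Unknown
 * keys are skipped for forward compatibility; a line that is not of the
 * "key: 0|1" shape is an error. Returns 0 on success, -1 on a malformed line. */
int parse_hsi_status(const char *text, uint32_t *status)
{
	uint32_t out = 0;
	for (const char *p = text; *p; ) {
		const char *nl = strchr(p, '\n');
		const char *end = nl ? nl : p + strlen(p);
		const char *sep = memchr(p, ':', (size_t)(end - p));
		if (!sep)
			return -1;
		const char *val = sep + 1;
		while (val < end && *val == ' ')
			val++;
		if (val + 1 != end || (*val != '0' && *val != '1'))
			return -1;
		for (size_t i = 0; i < HSI_NROWS; i++) {
			size_t klen = strlen(hsi_rows[i].key);
			if (klen == (size_t)(sep - p) && memcmp(hsi_rows[i].key, p, klen) == 0 && *val == '1')
				out |= hsi_rows[i].bit;
		}
		p = nl ? nl + 1 : end;
	}
	*status = out;
	return 0;
}

/* Convenience wrapper: the parsed status, or -1 on a malformed line. */
long hsi_parse(const char *text)
{
	uint32_t st = 0;
	return parse_hsi_status(text, &st) == 0 ? (long)st : -1L;
}

/* Self-checks: format->parse must round-trip, and a too-small buffer must
 * stay NUL-terminated while the return value still reports the full length. */
int hsi_roundtrip_ok(uint32_t status)
{
	char *text = hsi_status_to_string(status);
	uint32_t back = 0;
	int ok = text && parse_hsi_status(text, &back) == 0 && back == status;
	free(text);
	return ok;
}

int hsi_truncation_ok(void)
{
	char small[10];
	size_t full = format_hsi_status(0, small, sizeof(small));
	return full == 106 && strcmp(small, "heap-is-e") == 0;
}
```

The parser tolerates keys it does not know, so a consumer built against this format keeps working when a later shim adds another line, but it rejects a line without a ": 0" or ": 1" value rather than guessing, which is the safer failure for data that feeds a security rating.
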
@vathpela vathpela merged commit 848667d into rhboot:main Feb 24, 2025
13 checks passed
@vathpela vathpela deleted the hsi branch February 24, 2025 20:24
4 participants