Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add features for the Host Security ID program #660

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

vathpela
Copy link
Contributor

No description provided.

This adds a mok variable flag "MOK_VARIABLE_CONFIG_ONLY" to specify that
the data should be added to our UEFI config table, but shim should not
create a legacy UEFI variable.

Signed-off-by: Peter Jones <[email protected]>
This adds a member to the mok_state_variable struct to provide a
callback function for formatting external data.  It basically has
snprintf()-like semantics for filling the buffer, but without the actual
printf-like formatting bits.

Signed-off-by: Peter Jones <[email protected]>
@vathpela vathpela force-pushed the hsi branch 2 times, most recently from f75a896 to b446211 Compare May 15, 2024 20:39
@kukrimate
Copy link

Shouldn't this also explicitly expose if data sections of the image are executable or is that implied by heap is executable flag?

hughsie asked me if I can make shim tell userland what kinds of accesses
are allowed to the heap, stack, and allocations on the running platform,
so that these could be reported up through fwupd's Host Security ID
program (see https://fwupd.github.io/libfwupdplugin/hsi.html ).

This adds a new config-only (i.e. not a UEFI variable) variable
generated during boot, "/sys/firmware/efi/mok-variables/HSIStatus",
which tells us those properties as well as if the EFI Memory Attribute
Protocol is present.

Signed-off-by: Peter Jones <[email protected]>
@dennis-tseng99
Copy link
Contributor

May I suggest you could put error codes on the bottom of get_hsi_mem_info() ?

void
get_hsi_mem_info(void)
{
	EFI_STATUS efi_status;
	uintptr_t addr;
	uint64_t attrs = 0;
	uint32_t *tmp_alloc;

	addr = ((uintptr_t)&get_hsi_mem_info) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
                goto error;
        }

	hsi_status = SHIM_HSI_STATUS_HASMAP;
	if (attrs & MEM_ATTR_W) {
		hsi_status |= SHIM_HSI_STATUS_ROW;
	}

	addr = ((uintptr_t)&addr) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_SIZE, &attrs);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}

	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_STACKX;
	}

	tmp_alloc = AllocatePool(EFI_PAGE_SIZE);
	if (!tmp_alloc) {
		goto error;
	}

	addr = ((uintptr_t)tmp_alloc) & ~EFI_PAGE_MASK;
	efi_status = get_mem_attrs(addr, EFI_PAGE_MASK, &attrs);
	FreePool(tmp_alloc);
	if (EFI_ERROR(efi_status)) {
		goto error;
	}
	if (attrs & MEM_ATTR_X) {
		hsi_status |= SHIM_HSI_STATUS_HEAPX;
	}
	return;
	
error:
        /*
	 * In this case we can't actually tell anything, so assume
	 * and report the worst case scenario.
	 */
	hsi_status = SHIM_HSI_STATUS_HEAPX |
			     SHIM_HSI_STATUS_STACKX |
			     SHIM_HSI_STATUS_ROW;
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants