Add Windows SkuSiPolicy### variables updating

* Also fix detection of existing BD cert. * Also add a new Abort() macro to simplify error conditions. * Also remove an extra LF from sbat_level.txt so that we match exactly with what Windows currently installs. NB: Gotta love the fact that we get our SBAT from Microsoft and our Windows SSPs from Red Hat... :D
pbatard · Sep 14, 2024 · bb2b00d · bb2b00d
1 parent 5c388dd
commit bb2b00d
Show file tree

Hide file tree

Showing 9 changed files with 218 additions and 145 deletions.
diff --git a/sbat_level.txt b/sbat_level.txt
@@ -1,4 +1,4 @@
 sbat,1,2024010900
 shim,4
 grub,3
-grub.debian,4
+grub.debian,4
diff --git a/src/console.h b/src/console.h
@@ -23,8 +23,9 @@
 
 #define NOSEL 0x7fffffff
 
-/* Error reporting macro */
+/* Error reporting macros */
 #define ReportErrorAndExit(...) do { RecallPrint(__VA_ARGS__); goto exit; } while(0)
+#define Abort(s, ...)           do { Status = s; RecallPrint(__VA_ARGS__); goto exit; } while(0) 
 
 EFI_INPUT_KEY ConsoleGetKeystroke(VOID);
 

diff --git a/src/data.c b/src/data.c
@@ -17,7 +17,9 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <stdint.h>
 #include "mosby.h"
+#include "ssp_var_defs.h"
 
 // From https://go.microsoft.com/fwlink/?LinkId=321185
 unsigned char kek_ms1_cer[] = {
@@ -675,9 +677,9 @@ unsigned char sbat_level_txt[] = {
   0x73, 0x62, 0x61, 0x74, 0x2c, 0x31, 0x2c, 0x32, 0x30, 0x32, 0x34, 0x30,
   0x31, 0x30, 0x39, 0x30, 0x30, 0x0a, 0x73, 0x68, 0x69, 0x6d, 0x2c, 0x34,
   0x0a, 0x67, 0x72, 0x75, 0x62, 0x2c, 0x33, 0x0a, 0x67, 0x72, 0x75, 0x62,
-  0x2e, 0x64, 0x65, 0x62, 0x69, 0x61, 0x6e, 0x2c, 0x34, 0x0a
+  0x2e, 0x64, 0x65, 0x62, 0x69, 0x61, 0x6e, 0x2c, 0x34
 };
-unsigned int sbat_level_txt_len = 46;
+unsigned int sbat_level_txt_len = 45;
 
 // From https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin
 unsigned char dbx_arm_bin[] = {
@@ -4337,44 +4339,47 @@ EFI_STATUS InitializeList(
 	IN OUT MOSBY_LIST *List
 )
 {
-	if (MOSBY_MAX_LIST_SIZE < 11)
+	if (MOSBY_MAX_LIST_SIZE < 13)
 		return EFI_INVALID_PARAMETER;
 	ZeroMem(List, sizeof(MOSBY_LIST));
 	List->Entry[List->Size].Type = KEK;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"kek_ms1.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?LinkId=321185";
 	List->Entry[List->Size].Description = "Microsoft Corporation KEK CA 2011";
 	List->Entry[List->Size].Buffer.Data = kek_ms1_cer;
 	List->Entry[List->Size].Buffer.Size = kek_ms1_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = KEK;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"kek_ms2.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239775";
 	List->Entry[List->Size].Description = "Microsoft Corporation KEK 2K CA 2023";
 	List->Entry[List->Size].Buffer.Data = kek_ms2_cer;
 	List->Entry[List->Size].Buffer.Size = kek_ms2_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"db_ms3.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239776";
 	List->Entry[List->Size].Description = "Windows UEFI CA 2023";
 	List->Entry[List->Size].Buffer.Data = db_ms3_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms3_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"db_ms2.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321194";
 	List->Entry[List->Size].Description = "Microsoft Corporation UEFI CA 2011";
 	List->Entry[List->Size].Buffer.Data = db_ms2_cer;
 	List->Entry[List->Size].Buffer.Size = db_ms2_cer_len;
 	List->Size++;
+	List->Entry[List->Size].Type = SSPV;
+	List->Entry[List->Size].Flags = USE_BUFFER;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;
+	List->Entry[List->Size].Url = "https://raw.githubusercontent.com/rhboot/shim/main/include/ssp_var_defs.h";
+	List->Entry[List->Size].Description = "SkuSiPolicyVersion [2023.04.29]";
+	List->Entry[List->Size].Buffer.Data = SkuSiPolicyVersion;
+	List->Entry[List->Size].Buffer.Size = sizeof(SkuSiPolicyVersion);
+	List->Size++;
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"db_ms1.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321192";
 	List->Entry[List->Size].Description = "Microsoft Windows Production PCA 2011";
 	List->Entry[List->Size].Buffer.Data = db_ms1_cer;
@@ -4383,16 +4388,22 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Type = SBAT;
 	List->Entry[List->Size].Flags = USE_BUFFER;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;
-	List->Entry[List->Size].Path = L"sbat_level.txt";
 	List->Entry[List->Size].Url = "https://github.com/pbatard/Mosby/raw/main/sbat_level.txt";
 	List->Entry[List->Size].Description = "SbatLevel.txt [2024.01.09]";
 	List->Entry[List->Size].Buffer.Data = sbat_level_txt;
 	List->Entry[List->Size].Buffer.Size = sbat_level_txt_len;
 	List->Size++;
+	List->Entry[List->Size].Type = SSPU;
+	List->Entry[List->Size].Flags = USE_BUFFER;
+	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;
+	List->Entry[List->Size].Url = "https://raw.githubusercontent.com/rhboot/shim/main/include/ssp_var_defs.h";
+	List->Entry[List->Size].Description = "SkuSiPolicyUpdateSigners [2023.04.29]";
+	List->Entry[List->Size].Buffer.Data = SkuSiPolicyUpdateSigners;
+	List->Entry[List->Size].Buffer.Size = sizeof(SkuSiPolicyUpdateSigners);
+	List->Size++;
 #if defined (_M_ARM) || defined(__arm__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"dbx_arm.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for ARM (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_arm_bin;
@@ -4401,7 +4412,6 @@ EFI_STATUS InitializeList(
 #endif
 	List->Entry[List->Size].Type = DB;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"db_ms4.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239872";
 	List->Entry[List->Size].Description = "Microsoft UEFI CA 2023";
 	List->Entry[List->Size].Buffer.Data = db_ms4_cer;
@@ -4410,7 +4420,6 @@ EFI_STATUS InitializeList(
 #if defined (_M_ARM64) || defined(__aarch64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"dbx_aa64.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for ARM (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_aa64_bin;
@@ -4420,7 +4429,6 @@ EFI_STATUS InitializeList(
 #if defined(_M_X64) || defined(__x86_64__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"dbx_x64.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for x86 (64 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_x64_bin;
@@ -4430,7 +4438,6 @@ EFI_STATUS InitializeList(
 #if defined(_M_IX86) || defined(__i386__)
 	List->Entry[List->Size].Type = DBX;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
-	List->Entry[List->Size].Path = L"dbx_ia32.bin";
 	List->Entry[List->Size].Url = "https://uefi.org/sites/default/files/resources/x86_DBXUpdate.bin";
 	List->Entry[List->Size].Description = "DBX for x86 (32 bit) [2023.05.09]";
 	List->Entry[List->Size].Buffer.Data = dbx_ia32_bin;

diff --git a/src/file.c b/src/file.c
@@ -67,10 +67,8 @@ STATIC EFI_STATUS GeneratePath(
 	PathLen += StrLen(Name) + 1;
 	*PathName = AllocateZeroPool(PathLen * sizeof(CHAR16));
 
-	if (*PathName == NULL) {
-		Status = EFI_OUT_OF_RESOURCES;
-		ReportErrorAndExit(L"Failed to allocate path buffer\n");
-	}
+	if (*PathName == NULL)
+		Abort(EFI_OUT_OF_RESOURCES, L"Failed to allocate path buffer\n");
 
 	StrCpyS(*PathName, PathLen, DevicePathString);
 
@@ -171,10 +169,8 @@ EFI_STATUS SimpleDirReadAllByHandle(
 	Status = File->GetInfo(File, &gEfiFileInfoGuid, &Size, Info);
 	if (EFI_ERROR(Status))
 		ReportErrorAndExit(L"Failed to get file info: %r\n", Status);
-	if ((Info->Attribute & EFI_FILE_DIRECTORY) == 0) {
-		Status = EFI_INVALID_PARAMETER;
-		ReportErrorAndExit(L"Not a directory: '%s'\n", Name);
-	}
+	if ((Info->Attribute & EFI_FILE_DIRECTORY) == 0)
+		Abort(EFI_INVALID_PARAMETER, L"Not a directory: '%s'\n", Name);
 	Size = 0;
 	*Count = 0;
 	for (;;) {
@@ -246,18 +242,14 @@ EFI_STATUS SimpleFileReadAll(
 
 	*Size = Info->FileSize;
 
-	if (*Size > MAX_FILE_SIZE) {
-		Status = EFI_UNSUPPORTED;
-		ReportErrorAndExit(L"File size %d is too large\n", *Size);
-	}
+	if (*Size > MAX_FILE_SIZE)
+		Abort(EFI_UNSUPPORTED, L"File size %d is too large\n", *Size);
 
 	// Might use memory mapped, so align up to nearest page.
 	// Also + 2 so the data is always NUL terminated.
 	*Buffer = AllocateZeroPool(ALIGN_VALUE(*Size + 2, 4096));
-	if (*Buffer == NULL) {
-		Status = EFI_OUT_OF_RESOURCES;
-		ReportErrorAndExit(L"Failed to allocate buffer of size %d\n", *Size);
-	}
+	if (*Buffer == NULL)
+		Abort(EFI_OUT_OF_RESOURCES, L"Failed to allocate buffer of size %d\n", *Size);
 	Status = File->Read(File, Size, *Buffer);
 
 exit:
@@ -291,10 +283,8 @@ EFI_STATUS SimpleVolumeSelector(
 		return EFI_NOT_FOUND;
 
 	Entries = AllocateZeroPool(sizeof(CHAR16 *) * (Count + 1));
-	if (Entries == NULL) {
-		Status = EFI_OUT_OF_RESOURCES;
-		ReportErrorAndExit(L"Failed to allocate volume selector buffer\n");
-	}
+	if (Entries == NULL)
+		Abort(EFI_OUT_OF_RESOURCES, L"Failed to allocate volume selector buffer\n");
 
 	for (i = 0; i < Count; i++) {
 		UINT8 Buffer[4096];
@@ -324,10 +314,8 @@ EFI_STATUS SimpleVolumeSelector(
 
 		if (Name == NULL || StrLen(Name) == 0 || StrCmp(Name, L" ") == 0) {
 			Name = ConvertDevicePathToText(DevicePathFromHandle(VolumeHandles[i]), FALSE, FALSE);
-			if (Name == NULL) {
-				Status = EFI_OUT_OF_RESOURCES;
-				ReportErrorAndExit(L"Failed to convert device path\n");
-			}
+			if (Name == NULL)
+				Abort(EFI_OUT_OF_RESOURCES, L"Failed to convert device path\n");
 		}
 
 		Entries[i] = AllocateZeroPool((StrLen(Name) + 2) * sizeof(CHAR16));
@@ -379,10 +367,8 @@ EFI_STATUS SimpleDirFilter(
 	Offset = StrLen(Filter);
 	NewFilter = AllocateZeroPool((StrLen(Filter) + 1) * sizeof(CHAR16));
 
-	if (NewFilter == NULL) {
-		Status = EFI_OUT_OF_RESOURCES;
-		ReportErrorAndExit(L"Failed to allocate filter buffer\n");
-	}
+	if (NewFilter == NULL)
+		Abort(EFI_OUT_OF_RESOURCES, L"Failed to allocate filter buffer\n");
 
 	// Just in case EFI ever stops writeable strings
 	StrCpyS(NewFilter, StrLen(Filter) + 1, Filter);
@@ -430,10 +416,8 @@ EFI_STATUS SimpleDirFilter(
 		*Result = AllocateZeroPool(((*Count) + 1) * sizeof(VOID *));
 	else
 		*Result = AllocateZeroPool(2 * sizeof(VOID *));
-	if (*Result == NULL) {
-		Status = EFI_OUT_OF_RESOURCES;
-		ReportErrorAndExit(L"Failed to allocate filter result buffer\n");
-	}
+	if (*Result == NULL)
+		Abort(EFI_OUT_OF_RESOURCES, L"Failed to allocate filter result buffer\n");
 
 	*Count = 0;
 	Ptr = Next = *Entries;

diff --git a/src/gen_data.sh b/src/gen_data.sh
@@ -13,15 +13,18 @@ declare -A source=(
   [dbx_ia32.bin]='https://uefi.org/sites/default/files/resources/x86_DBXUpdate.bin'
   [dbx_aa64.bin]='https://uefi.org/sites/default/files/resources/arm64_DBXUpdate.bin'
   [dbx_arm.bin]='https://uefi.org/sites/default/files/resources/arm_DBXUpdate.bin'
-  # Shim does not provide an SBatLevel.txt we can download, so we use our own:
-  # https://github.com/rhboot/shim/issues/685
+  # Shim does not provide an SBatLevel.txt we can download, so we currently use our own.
+  # See: https://github.com/rhboot/shim/issues/685
   [sbat_level.txt]='https://github.com/pbatard/Mosby/raw/main/sbat_level.txt'
+  # Microsoft SSP variables... provided by Red Hat, since Microsoft doesn't understand the
+  # importance of letting everyone access CRITICAL PIECES OF A PUBLIC SECURITY TRUST CHAIN!
+  [ssp_var_defs.h]='https://raw.githubusercontent.com/rhboot/shim/main/include/ssp_var_defs.h'
 )
 
 # From https://uefi.org/revocationlistfile.
 # Needs to be updated manually on DBX update since Microsoft stupidly decided to
 # hardcode the EFI_TIME timestamp of ALL authenticated list updates to 2010.03.06
-# instead of using the actual timestamp of when they created the variables.
+# instead of using the actual timestamp of when they create the variables...
 declare -A archdate=(
   [x64]='2023.05.09'
   [ia32]='2023.05.09'
@@ -46,6 +49,11 @@ declare -A archguard=(
   [riscv64]='#if defined(_M_RISCV64) || (defined (__riscv) && (__riscv_xlen == 64))'
 )
 
+declare -A ssp_varname=(
+  [SSPU]='SkuSiPolicyUpdateSigners'
+  [SSPV]='SkuSiPolicyVersion'
+)
+
 declare -A description=()
 
 cat << EOF
@@ -68,17 +76,30 @@ cat << EOF
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <stdint.h>
 #include "mosby.h"
+#include "ssp_var_defs.h"
 
 EOF
 
+# Get the SSP date from the last GitHub commit of ssp_var_defs.h
+ssp_date_url="${source[ssp_var_defs.h]}"
+ssp_date_url="${ssp_date_url#*main/}"
+ssp_date_url="${ssp_date_url//\//%2F}"
+ssp_date_url="https://api.github.com/repos/rhboot/shim/commits?path=${ssp_date_url}&page=1&per_page=1"
+ssp_date="$(curl -s -L ${ssp_date_url} | grep -m1 -Eo '[0-9]+\-[0-9]+\-[0-9]+')"
+ssp_date=${ssp_date//-/.}
+
 for file in "${!source[@]}"; do
   # '-o' tries to use an override from the current repo
   if [[ "$1" == "-o" &&  -f ../${file} ]]; then
     cp ../${file} .
   else
     curl -s -L ${source[${file}]} -o ${file}
   fi
+  if [[ "${file}" = "ssp_var_defs.h" ]]; then
+    continue
+  fi
   echo "// From ${source[${file}]}"
   type=${file%%_*}
   if [ "$type" = "dbx" ]; then
@@ -100,6 +121,10 @@ for file in "${!source[@]}"; do
   echo ""
   rm ${file}
 done
+
+# Add a dummy entry for the extra SSPV
+source[sspv_var_defs.h]=${source[ssp_var_defs.h]}
+
 echo "EFI_STATUS InitializeList("
 echo "	IN OUT MOSBY_LIST *List"
 echo ")"
@@ -115,21 +140,28 @@ for file in "${!source[@]}"; do
   arch=${arch##*_}
   if [ "$type" = "DBX" ]; then
     echo "${archguard[$arch]}"
+  elif [ "$type" = "SSP" ]; then
+    type="SSPU"
   fi
   echo "	List->Entry[List->Size].Type = ${type};"
-  if [[ "$type" = "SBAT" ]]; then
+  if [[ "$type" = "SBAT" || "$type" = "SSPU" || "$type" = "SSPV" ]]; then
     echo "	List->Entry[List->Size].Flags = USE_BUFFER;"
   fi
-  if [[ "$type" = "SBAT" || "$type" = "MOK" ]]; then
+  if [[ "$type" = "SBAT" || "$type" = "MOK" || "$type" = "SSPU" || "$type" = "SSPV" ]]; then
     echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS;"
   else
     echo "	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;"
   fi
-  echo "	List->Entry[List->Size].Path = L\"${file}\";"
   echo "	List->Entry[List->Size].Url = \"${source[${file}]}\";"
-  echo "	List->Entry[List->Size].Description = \"${description[${file}]}\";"
-  echo "	List->Entry[List->Size].Buffer.Data = ${data};"
-  echo "	List->Entry[List->Size].Buffer.Size = ${data}_len;"
+  if [[ "$type" = "SSPU" || "$type" = "SSPV" ]]; then
+    echo "	List->Entry[List->Size].Description = \"${ssp_varname[${type}]} [${ssp_date}]\";"
+    echo "	List->Entry[List->Size].Buffer.Data = ${ssp_varname[${type}]};"
+    echo "	List->Entry[List->Size].Buffer.Size = sizeof(${ssp_varname[${type}]});"
+  else
+    echo "	List->Entry[List->Size].Description = \"${description[${file}]}\";"
+    echo "	List->Entry[List->Size].Buffer.Data = ${data};"
+    echo "	List->Entry[List->Size].Buffer.Size = ${data}_len;"
+  fi
   echo "	List->Size++;"
   if [ "$type" = "DBX" ]; then
     echo "#endif"