Mirrors/Ventoy
1
0
Fork 0
mirror of https://github.com/ventoy/Ventoy.git synced 2026-06-29 06:28:13 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Optimization for secure boot process.
Some checks failed
Ventoy CI / build (push) Has been cancelled
Details
Mirror GitHub to Gitee / Sync-GitHub-to-Gitee (push) Has been cancelled
Details

Browse Source
This commit is contained in:
longpanda
2026-06-28 21:48:32 +08:00
parent 2915e197e9
commit 3d0d6c3147
6 changed files with 212 additions and 221 deletions
Download Patch File Download Diff File Expand all files Collapse all files

239
EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.c
View File

@@ -79,11 +79,15 @@ STATIC VOID EFIAPI DumpDevicePath(const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
{ {
CHAR16 *DPStr = NULL; CHAR16 *DPStr = NULL;
DPStr = ConvertDevicePathToText(DevicePath, TRUE, TRUE); if (DevicePath)
{
DPStr = ConvertDevicePathToText(DevicePath, TRUE, TRUE);
}
if (DPStr) if (DPStr)
{ {
vLog(L"%s", DPStr); vLog(L"%s", DPStr);
gBS->FreePool(DPStr); FreePool(DPStr);
} }
else else
{ {
@@ -98,7 +102,7 @@ STATIC VOID EFIAPI ShowSBWarning(const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
DumpDevicePath(DevicePath); DumpDevicePath(DevicePath);
vLog(L"\r\n####### Security Boot Violation ##########\r\n"); vLog(L"\r\n####### Ventoy Security Boot Violation ##########\r\n");
vLog(L"======================================================="); vLog(L"=======================================================");
vLog(L"======================================================="); vLog(L"=======================================================");
@@ -208,179 +212,33 @@ END:
} }
STATIC EFI_STATUS EFIAPI ReadAuthFile
(
const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst,
VOID **Buffer,
UINT32 *Size
)
{
EFI_STATUS Status;
UINTN TmpSize = 0;
CHAR16 *DpStr = NULL;
EFI_HANDLE Handle = NULL;
EFI_DEVICE_PATH *DevPath = NULL;
EFI_DEVICE_PATH *TmpPath = NULL;
EFI_FILE_IO_INTERFACE *FileIO = NULL;
EFI_FILE *File = NULL;
EFI_FILE *Root = NULL;
UINT8 *FileData = NULL;
EFI_FILE_INFO *FInfo = NULL;
UINT8 Buf[1024];
DevPath = TmpPath = DuplicateDevicePath(DevicePathConst);
if (!DevPath)
{
Status = EFI_OUT_OF_RESOURCES;
goto END;
}
Status = gBS->LocateDevicePath(&gEfiSimpleFileSystemProtocolGuid, &DevPath, &Handle);
if (EFI_ERROR(Status))
{
vLog(L"Failed to locate simple file protocol %lx", Status);
goto END;
}
DpStr = ConvertDevicePathToText(DevPath, FALSE, TRUE);
if (!DpStr)
{
Status = EFI_OUT_OF_RESOURCES;
goto END;
}
Status = gBS->HandleProtocol(Handle, &gEfiSimpleFileSystemProtocolGuid, (VOID **)&FileIO);
if (EFI_ERROR(Status))
{
vLog(L"Failed to handle simple file protocol %lx", Status);
goto END;
}
Status = FileIO->OpenVolume(Handle, &Root);
if (EFI_ERROR(Status))
{
vLog(L"Failed to open drive volume (%lx)\n", Status);
goto END;
}
Status = Root->Open(Root, &File, DpStr, EFI_FILE_MODE_READ, 0);
if (EFI_ERROR(Status))
{
vLog(L"Failed to open file (%s) (%lx)\n", DpStr, Status);
goto END;
}
FInfo = (EFI_FILE_INFO *)Buf;
TmpSize = sizeof(Buf);
ZeroMem(FInfo, sizeof(EFI_FILE_INFO));
Status = File->GetInfo(File, &gEfiFileInfoGuid, &TmpSize, FInfo);
if (EFI_ERROR(Status) || FInfo->FileSize == 0 || FInfo->FileSize >= 0xFFFFFFFFUL)
{
vLog(L"Failed to open file (%s) (%lx) Size(%ld)\n", DpStr, Status, (UINTN)FInfo->FileSize);
goto END;
}
FileData = AllocatePool(FInfo->FileSize);
if (!FileData)
{
Status = EFI_OUT_OF_RESOURCES;
goto END;
}
TmpSize = FInfo->FileSize;
Status = File->Read(File, &TmpSize, FileData);
if (EFI_ERROR(Status) || TmpSize != (UINTN)FInfo->FileSize)
{
vLog(L"Failed to read file (%lx) Read:%ld Size:%ld\n", Status, TmpSize, (UINTN)FInfo->FileSize);
goto END;
}
END:
if (File)
{
File->Close(File);
}
if (Root)
{
Root->Close(Root);
}
CheckFreePool(TmpPath);
CheckFreePool(DpStr);
if (EFI_ERROR(Status))
{
CheckFreePool(FileData);
}
else
{
*Buffer = FileData;
*Size = (UINT32)FInfo->FileSize;
}
return Status;
}
STATIC EFI_STATUS EFIAPI CheckVtoyGrub STATIC EFI_STATUS EFIAPI CheckVtoyGrub
( (
VOID *FileBuffer, VOID *FileBuffer,
UINTN FileSize UINTN FileSize
) )
{ {
UINTN Index = 0;
EFI_STATUS Status = EFI_SECURITY_VIOLATION;
PE_COFF_LOADER_IMAGE_CONTEXT Ctx;
UINT8 Sha256Hash[64]; UINT8 Sha256Hash[64];
UINT8 Sha1Hash[64];
ZeroMem(&Ctx, sizeof(Ctx)); if (!FileBuffer || FileSize < sizeof(EFI_IMAGE_DOS_HEADER))
ZeroMem(Sha1Hash, sizeof(Sha1Hash)); {
vErr(L"Invalid FileBuffer:%p or size:%ld", FileBuffer, FileSize);
return EFI_SECURITY_VIOLATION;
}
ZeroMem(Sha256Hash, sizeof(Sha256Hash)); ZeroMem(Sha256Hash, sizeof(Sha256Hash));
calc_sha256(FileBuffer, (UINT64)FileSize, Sha256Hash);
Status = gShimLock.Context(FileBuffer, FileSize, &Ctx);
if (EFI_ERROR(Status))
{
vErr(L"Cannot get shim context %lx", Status);
goto END;
}
Status = gShimLock.Hash(FileBuffer, FileSize, &Ctx, Sha256Hash, Sha1Hash);
if (EFI_ERROR(Status))
{
vErr(L"Cannot get shim hash %lx", Status);
goto END;
}
if (CompareMem(Sha256Hash, gVtoyGrubSha256Hash, 32) != 0) if (CompareMem(Sha256Hash, gVtoyGrubSha256Hash, 32) != 0)
{ {
vErr(L"Ventoy hash check failed."); vErr(L"Ventoy hash check failed.");
goto END;
}
Status = EFI_SUCCESS;
END:
if (EFI_ERROR(Status))
{
vLog(L"\r\n###### Press Enter to reboot... ######");
if (gST->ConIn)
{
gST->ConIn->Reset(gST->ConIn, FALSE);
gBS->WaitForEvent(1, &gST->ConIn->WaitForKey, &Index);
}
gRT->ResetSystem(EfiResetWarm, EFI_SECURITY_VIOLATION, 0, NULL); gRT->ResetSystem(EfiResetWarm, EFI_SECURITY_VIOLATION, 0, NULL);
return EFI_SECURITY_VIOLATION;
} }
return Status; return EFI_SUCCESS;
} }
STATIC EFI_STATUS EFIAPI SecurityPolicyAuth STATIC EFI_STATUS EFIAPI SecurityPolicyAuth
( (
const EFI_SECURITY_ARCH_PROTOCOL *This, const EFI_SECURITY_ARCH_PROTOCOL *This,
@@ -388,66 +246,17 @@ STATIC EFI_STATUS EFIAPI SecurityPolicyAuth
const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst
) )
{ {
EFI_STATUS Status;
UINT32 Size = 0;
VOID *Buffer = NULL;
/* Just return OK if the user choose to bypass SB */
if (gVtoyByPassSB)
{
return EFI_SUCCESS;
}
if (!gGrubLaunched)
{
Status = ReadAuthFile(DevicePathConst, &Buffer, &Size);
if (EFI_ERROR(Status))
{
return EFI_SECURITY_VIOLATION;
}
Status = CheckVtoyGrub(Buffer, Size);
FreePool(Buffer);
return Status;
}
/* /*
* Step 1: * Some old UEFI firmware (without Security2 protocol) will hang when run OpenVolume.
* Use original UEFI firmware auth API. * So finally I decide not to support such UEFI firmware.
* If it's OK, it may be signed with Microsoft UEFI CA. (e.g. bootmgr/shim/...) * It means that for UEFI firmware before 2.5 (about 2015) Ventoy only supports Bypass policy.
*
*/ */
if (gSysSecFileAuth)
{
Status = gSysSecFileAuth(This, AuthenticationStatus, DevicePathConst);
if (!EFI_ERROR(Status))
{
return EFI_SUCCESS;
}
}
(VOID)This;
/* (VOID)AuthenticationStatus;
* Step 2: (VOID)DevicePathConst;
* Use shim verify API. return EFI_SUCCESS;
* If it's OK, it may be signed with a MOK key. (e.g. Ventoy EFI files)
*/
if (gShimLock.Verify)
{
Status = ReadAuthFile(DevicePathConst, &Buffer, &Size);
if (!EFI_ERROR(Status))
{
Status = gShimLock.Verify(Buffer, Size);
FreePool(Buffer);
if (!EFI_ERROR(Status))
{
return EFI_SUCCESS;
}
}
}
ShowSBWarning(DevicePathConst);
return EFI_SECURITY_VIOLATION;
} }
STATIC EFI_STATUS EFIAPI Security2PolicyAuth STATIC EFI_STATUS EFIAPI Security2PolicyAuth

2
EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.h
View File

@@ -110,7 +110,7 @@ typedef struct _VTOY_SHIM{
VTOY_LAUNCHED Launched; VTOY_LAUNCHED Launched;
} VTOY_SHIM; } VTOY_SHIM;
CONST UINT8 * ventoy_get_der_data(UINT32 *Len); void calc_sha256(const void *data, UINT64 len, void *output);
#endif #endif

1
EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.inf
View File

@@ -31,6 +31,7 @@
[Sources] [Sources]
VtoyShim.h VtoyShim.h
VtoyShim.c VtoyShim.c
sha256.c
[Packages] [Packages]
MdePkg/MdePkg.dec MdePkg/MdePkg.dec

170
EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/sha256.c Normal file
View File

@@ -0,0 +1,170 @@
/******************************************************************************
* VtoyShim.c
*
* Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.<BR>
* SPDX-License-Identifier: BSD-2-Clause-Patent
*
*/
#include <Uefi.h>
#include <Library/DebugLib.h>
#include <Library/PrintLib.h>
#include <Library/UefiLib.h>
#include <Library/BaseMemoryLib.h>
static const UINT32 sha256_initial_h[8]
= { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
static const UINT32 sha256_round_k[64]
= { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
static void sha256_endian_reverse64(UINT64 input, UINT8 *output) {
output[7] = (input >> 0) & 0xff;
output[6] = (input >> 8) & 0xff;
output[5] = (input >> 16) & 0xff;
output[4] = (input >> 24) & 0xff;
output[3] = (input >> 32) & 0xff;
output[2] = (input >> 40) & 0xff;
output[1] = (input >> 48) & 0xff;
output[0] = (input >> 56) & 0xff;
}
static UINT32 sha256_endian_read32(UINT8 *input) {
UINT32 output = 0;
output |= (input[0] << 24);
output |= (input[1] << 16);
output |= (input[2] << 8);
output |= (input[3] << 0);
return output;
}
static void sha256_endian_reverse32(UINT32 input, UINT8 *output) {
output[3] = (input >> 0) & 0xff;
output[2] = (input >> 8) & 0xff;
output[1] = (input >> 16) & 0xff;
output[0] = (input >> 24) & 0xff;
}
static UINT32 sha256_ror(UINT32 input, UINT32 by) {
return (input >> by) | (((input & ((1 << by) - 1))) << (32 - by));
}
void calc_sha256(const void *data, UINT64 len, void *output)
{
int i = 0;
int j = 0;
UINT8 padding[80];
UINT64 current = (len + 1) % 64;
// want to be == 56 % 64.
UINT64 needed = (64 + 56 - current) % 64;
UINT64 extra = needed + 9;
UINT64 total = len + extra;
UINT32 v[8];
UINT64 cursor = 0;
for(i = 1; i < 80; i++)
{
padding[i] = 0;
}
padding[0] = 0x80;
sha256_endian_reverse64(len * 8, padding + total - len - 8);
for(i = 0; i < 8; i++)
{
v[i] = sha256_initial_h[i];
}
for(cursor = 0; cursor * 64 < total; cursor++)
{
UINT32 t[8];
UINT32 w[64];
for(i = 0; i < 8; i++)
{
t[i] = v[i];
}
if(cursor * 64 + 64 <= len)
{
for(j = 0; j < 16; j++)
{
w[j] = sha256_endian_read32((UINT8 *)data + cursor * 64 + j * 4);
}
}
else
{
if(cursor * 64 < len)
{
UINT64 size = len - cursor * 64;
if(size > 0)
{
CopyMem(w, (UINT8 *)data + cursor * 64, size);
}
CopyMem((UINT8 *)w + size, padding, 64 - size);
}
else
{
UINT64 off = (cursor * 64 - len) % 64;
CopyMem((UINT8 *)w, padding + off, 64);
}
for(j = 0; j < 16; j++)
{
w[j] = sha256_endian_read32((UINT8 *)&w[j]);
}
}
for(j = 16; j < 64; j++)
{
UINT32 s1 = sha256_ror(w[j - 2], 17) ^ sha256_ror(w[j - 2], 19) ^ (w[j - 2] >> 10);
UINT32 s0 = sha256_ror(w[j - 15], 7) ^ sha256_ror(w[j - 15], 18) ^ (w[j - 15] >> 3);
w[j] = s1 + w[j - 7] + s0 + w[j - 16];
}
for(j = 0; j < 64; j++)
{
UINT32 ch = (t[4] & t[5]) ^ (~t[4] & t[6]);
UINT32 maj = (t[0] & t[1]) ^ (t[0] & t[2]) ^ (t[1] & t[2]);
UINT32 S0 = sha256_ror(t[0], 2) ^ sha256_ror(t[0], 13) ^ sha256_ror(t[0], 22);
UINT32 S1 = sha256_ror(t[4], 6) ^ sha256_ror(t[4], 11) ^ sha256_ror(t[4], 25);
UINT32 t1 = t[7] + S1 + ch + sha256_round_k[j] + w[j];
UINT32 t2 = S0 + maj;
t[7] = t[6];
t[6] = t[5];
t[5] = t[4];
t[4] = t[3] + t1;
t[3] = t[2];
t[2] = t[1];
t[1] = t[0];
t[0] = t1 + t2;
}
for(i = 0; i < 8; i++)
{
v[i] += t[i];
}
}
for(i = 0; i < 8; i++)
{
sha256_endian_reverse32(v[i], (UINT8 *)output + i * 4);
}
}

15
GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy_cmd.c
View File

@@ -6463,7 +6463,12 @@ static grub_err_t ventoy_cmd_sb_info(grub_extcmd_context_t ctxt, int argc, char
(void)args; (void)args;
#ifdef GRUB_MACHINE_EFI #ifdef GRUB_MACHINE_EFI
const char *env = NULL;
const char *policy = NULL; const char *policy = NULL;
grub_efi_guid_t security =
{ 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } };
grub_efi_guid_t security2 =
{ 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
if (g_sb_policy == VTOY_SB_POLICY_BYPASS) if (g_sb_policy == VTOY_SB_POLICY_BYPASS)
{ {
@@ -6478,8 +6483,14 @@ static grub_err_t ventoy_cmd_sb_info(grub_extcmd_context_t ctxt, int argc, char
policy = "XXX"; policy = "XXX";
} }
grub_printf("UEFI Firmware Secure Boot: %s\n", g_sys_sb ? "Enable" : "Disable"); env = grub_env_get("grub_uefi_version");
grub_printf("Ventoy Secure Boot Policy: %s\n", policy); grub_printf("UEFI Firmware Version : %s\n", env ? env : "NA");
grub_printf("UEFI Firmware Secure Boot : %s\n", g_sys_sb ? "Enable" : "Disable");
grub_printf("Ventoy Secure Boot Policy : %s\n", policy);
grub_printf("UEFI Security Protocol : %s\n", grub_efi_locate_protocol(&security, NULL) ? "Yes" : "No");
grub_printf("UEFI Security2 Protocol : %s\n", grub_efi_locate_protocol(&security2, NULL) ? "Yes" : "No");
#else #else
grub_printf("Non EFI mode!\n"); grub_printf("Non EFI mode!\n");
#endif #endif

6
INSTALL/ventoy_pack.sh
View File

@@ -206,7 +206,7 @@ sign_efi $tmpmnt/ventoy/wimboot.i386.efi.xz
sign_efi $tmpmnt/ventoy/wimboot.x86_64.xz sign_efi $tmpmnt/ventoy/wimboot.x86_64.xz
#inject Ventoy Grub sign sha256 value into VtoyShim #inject Ventoy Grub sign sha256 value into VtoyShim
grub_signsha256=$(pesign -i $tmpmnt/EFI/BOOT/grubx64_real.efi -h -d sha256 | awk '{print $2}') grub_sha256=$(sha256sum $tmpmnt/EFI/BOOT/grubx64_real.efi | awk '{print $1}')
magic_cnt=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | wc -l) magic_cnt=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | wc -l)
if [ $magic_cnt -ne 1 ]; then if [ $magic_cnt -ne 1 ]; then
echo "hash magic duplicate" echo "hash magic duplicate"
@@ -215,9 +215,9 @@ fi
magic_off_hex=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | awk '{print $1}') magic_off_hex=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | awk '{print $1}')
magic_off=$(printf '%u' "0x${magic_off_hex}") magic_off=$(printf '%u' "0x${magic_off_hex}")
echo_cmd=$(echo $grub_signsha256 | sed 's/\(..\)/\\x\1/g') echo_cmd=$(echo $grub_sha256 | sed 's/\(..\)/\\x\1/g')
echo Ventoy Grub sign hash $grub_signsha256 echo Ventoy Grub hash $grub_sha256
echo -en "$echo_cmd" | dd bs=1 count=32 of=$tmpmnt/EFI/BOOT/fbx64.efi seek=$magic_off conv=notrunc status=none echo -en "$echo_cmd" | dd bs=1 count=32 of=$tmpmnt/EFI/BOOT/fbx64.efi seek=$magic_off conv=notrunc status=none
sign_efi $tmpmnt/EFI/BOOT/fbx64.efi sign_efi $tmpmnt/EFI/BOOT/fbx64.efi