Optimization for secure boot process.

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/Ventoy/Ventoy.c

@@ -1231,65 +1231,6 @@ EFI_STATUS EFIAPI ventoy_boot(IN EFI_HANDLE ImageHandle)
     return EFI_SUCCESS;
 }
 
-#if defined (MDE_CPU_X64)
-
-STATIC BOOLEAN EFIAPI IsSecureBootEnabled(VOID)
-{
-    UINT8 SecureBoot = 0;
-	UINTN DataSize;
-	EFI_STATUS Status;
-
-	DataSize = sizeof(SecureBoot);
-	Status = gST->RuntimeServices->GetVariable(L"SecureBoot", &gEfiGlobalVariableGuid, NULL,
-				     &DataSize, &SecureBoot);
-	if (EFI_ERROR(Status))
-    {
-        return FALSE;
-    }
-
-	return SecureBoot ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI IsSetupMode(VOID)
-{
-    UINT8 SetupMode = 0;
-	UINTN DataSize;
-	EFI_STATUS Status;
-
-	DataSize = sizeof(SetupMode);
-	Status = gST->RuntimeServices->GetVariable(L"SetupMode", &gEfiGlobalVariableGuid, NULL,
-				     &DataSize, &SetupMode);
-	if (EFI_ERROR(Status))
-    {
-        return FALSE;
-    }
-
-	return SetupMode ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI CheckVtoyShim(VOID)
-{
-	EFI_STATUS Status;
-    EFI_GUID Guid = VTOY_SHIM_POLICY_GUID;
-    VOID *Prot = NULL;
-
-    /* If secure boot is not enabled or in SetupMode, nothing needed */
-    if (!IsSecureBootEnabled() || IsSetupMode())
-    {
-        return TRUE;
-    }
-
-	Status = gBS->LocateProtocol(&Guid, NULL, (VOID**)&Prot);
-    if (EFI_ERROR(Status))
-    {
-        VtoyDebug("Failed to locate Vtoy Shim Protocol %lx\r\n", Status);
-        return FALSE;
-    }
-
-    return TRUE;
-}
-#endif
-
 EFI_STATUS EFIAPI VentoyEfiMain
 (
     IN EFI_HANDLE         ImageHandle,
@@ -1299,15 +1240,6 @@ EFI_STATUS EFIAPI VentoyEfiMain
     EFI_STATUS Status = EFI_SUCCESS;
     EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *Protocol;
 
-#if defined (MDE_CPU_X64)
-    /* check that Ventoy Shim must exist */
-    if (!CheckVtoyShim())
-    {
-        sleep(5);
-        return EFI_NOT_FOUND;
-    }
-#endif
-
     g_sector_flag_num = 512; /* initial value */
 
     g_sector_flag = AllocatePool(g_sector_flag_num * sizeof(ventoy_sector_flag));

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.c

@@ -34,7 +34,14 @@
 
 #define CUR_SBAT_VER    1
 
-STATIC EFI_GUID gVtoySbatGUID = { 0xf755068a, 0xe04f, 0x452b, { 0x9d, 0x6d, 0x7c, 0x55, 0x96, 0xb3, 0xc0, 0x7d }};
+STATIC UINT8 gVtoyGrubSha256Hash[32] __attribute__((aligned(32)))  = {
+    0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26,
+    0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26,
+    0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26,
+    0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26, 0x26
+};
+
+STATIC BOOLEAN gGrubLaunched = FALSE;
 STATIC EFI_GUID gShimLockGUID = SHIM_LOCK_GUID;
 STATIC EFI_SECURITY_FILE_AUTHENTICATION_STATE gSysSecFileAuth = NULL;
 STATIC EFI_SECURITY2_FILE_AUTHENTICATION gSysSec2FileAuth = NULL;
@@ -46,6 +53,10 @@ STATIC SHIM_LOCK gShimLock;
 STATIC EFI_EXIT_BOOT_SERVICES gSysExitBootServices = NULL;
 STATIC EFI_GET_VARIABLE gSysGetVariable = NULL;
 
+STATIC VOID EFIAPI HookSystemService(VOID);
+STATIC VOID EFIAPI UnHookSystemService(VOID);
+
+
 STATIC VOID EFIAPI VtoyLog(CONST CHAR16 *Format, ...)
 {
     VA_LIST         Marker;
@@ -68,11 +79,15 @@ STATIC VOID EFIAPI DumpDevicePath(const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
 {
     CHAR16 *DPStr = NULL;
 
+    if (DevicePath)
+    {
         DPStr = ConvertDevicePathToText(DevicePath, TRUE, TRUE);
+    }
+
     if (DPStr)
     {
         vLog(L"%s", DPStr);
-        gBS->FreePool(DPStr);
+        FreePool(DPStr);
     }
     else
     {
@@ -80,35 +95,20 @@ STATIC VOID EFIAPI DumpDevicePath(const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
     }
 }
 
-STATIC VOID EFIAPI ShowSBWarning(BOOLEAN Reboot, const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
+STATIC VOID EFIAPI ShowSBWarning(const EFI_DEVICE_PATH_PROTOCOL *DevicePath)
 {
-    UINTN Index = 0;
-
     vLog(L"\r\n=======================================================");
     vLog(L"=======================================================\r\n");
 
     DumpDevicePath(DevicePath);
 
-    vLog(L"\r\n####### Security Boot Violation ##########\r\n");
+    vLog(L"\r\n####### Ventoy Security Boot Violation ##########\r\n");
 
     vLog(L"=======================================================");
     vLog(L"=======================================================");
 
-    if (Reboot)
-    {
-        vLog(L"\r\n###### Press Enter to reboot... ######");
-        if (gST->ConIn)
-        {
-            gST->ConIn->Reset(gST->ConIn, FALSE);
-            gBS->WaitForEvent(1, &gST->ConIn->WaitForKey, &Index);
-        }
-        gRT->ResetSystem(EfiResetWarm, EFI_SECURITY_VIOLATION, 0, NULL);
-    }
-    else
-    {
     VtoySleep(5);
 }
-}
 
 
 STATIC VOID * EFIAPI FindShimFuncAddr(UINT64 FuncOffset)
@@ -212,144 +212,31 @@ END:
 }
 
 
-
+STATIC EFI_STATUS EFIAPI CheckVtoyGrub
-STATIC EFI_STATUS EFIAPI ReadAuthFile
 (
-    const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst,
+    VOID *FileBuffer,
-    VOID **Buffer,
+	UINTN FileSize
-    UINT32 *Size
 )
 {
-    EFI_STATUS Status;
+    UINT8 Sha256Hash[64];
-    UINTN TmpSize = 0;
-    CHAR16 *DpStr = NULL;
-	EFI_HANDLE Handle = NULL;
-    EFI_DEVICE_PATH *DevPath = NULL;
-    EFI_DEVICE_PATH *TmpPath = NULL;
-	EFI_FILE_IO_INTERFACE *FileIO = NULL;
-	EFI_FILE *File = NULL;
-	EFI_FILE *Root = NULL;
-    UINT8 *FileData = NULL;
-    EFI_FILE_INFO *FInfo = NULL;
-    UINT8 Buf[1024];
 
-	DevPath	= TmpPath = DuplicateDevicePath(DevicePathConst);
+    if (!FileBuffer || FileSize < sizeof(EFI_IMAGE_DOS_HEADER))
-    if (!DevPath)
     {
-        Status = EFI_OUT_OF_RESOURCES;
+        vErr(L"Invalid FileBuffer:%p or size:%ld", FileBuffer, FileSize);
-        goto END;
+        return EFI_SECURITY_VIOLATION;
     }
 
-	Status = gBS->LocateDevicePath(&gEfiSimpleFileSystemProtocolGuid, &DevPath, &Handle);
+    ZeroMem(Sha256Hash, sizeof(Sha256Hash));
-    if (EFI_ERROR(Status))
+    calc_sha256(FileBuffer, (UINT64)FileSize, Sha256Hash);
+
+    if (CompareMem(Sha256Hash, gVtoyGrubSha256Hash, 32) != 0)
     {
-        vLog(L"Failed to locate simple file protocol %lx", Status);
+        vErr(L"Ventoy hash check failed.");
-        goto END;
+        gRT->ResetSystem(EfiResetWarm, EFI_SECURITY_VIOLATION, 0, NULL);
+        return EFI_SECURITY_VIOLATION;
     }
 
-    DpStr = ConvertDevicePathToText(DevPath, FALSE, TRUE);
+    return EFI_SUCCESS;
-    if (!DpStr)
-    {
-        Status = EFI_OUT_OF_RESOURCES;
-        goto END;
-    }
-
-    Status = gBS->HandleProtocol(Handle, &gEfiSimpleFileSystemProtocolGuid, (VOID **)&FileIO);
-    if (EFI_ERROR(Status))
-    {
-        vLog(L"Failed to handle simple file protocol %lx", Status);
-        goto END;
-    }
-
-    Status = FileIO->OpenVolume(Handle, &Root);
-	if (EFI_ERROR(Status))
-    {
-		vLog(L"Failed to open drive volume (%lx)\n", Status);
-		goto END;
-	}
-
-    Status = Root->Open(Root, &File, DpStr, EFI_FILE_MODE_READ, 0);
-    if (EFI_ERROR(Status))
-    {
-		vLog(L"Failed to open file (%s) (%lx)\n", DpStr, Status);
-		goto END;
-	}
-
-    FInfo = (EFI_FILE_INFO *)Buf;
-    TmpSize = sizeof(Buf);
-    ZeroMem(FInfo, sizeof(EFI_FILE_INFO));
-
-    Status = File->GetInfo(File, &gEfiFileInfoGuid, &TmpSize, FInfo);
-    if (EFI_ERROR(Status) || FInfo->FileSize == 0 || FInfo->FileSize >= 0xFFFFFFFFUL)
-    {
-		vLog(L"Failed to open file (%s) (%lx) Size(%ld)\n", DpStr, Status, (UINTN)FInfo->FileSize);
-		goto END;
-	}
-
-    FileData = AllocatePool(FInfo->FileSize);
-    if (!FileData)
-    {
-        Status = EFI_OUT_OF_RESOURCES;
-        goto END;
-    }
-
-    TmpSize = FInfo->FileSize;
-    Status = File->Read(File, &TmpSize, FileData);
-    if (EFI_ERROR(Status) || TmpSize != (UINTN)FInfo->FileSize)
-    {
-		vLog(L"Failed to read file (%lx) Read:%ld Size:%ld\n", Status, TmpSize, (UINTN)FInfo->FileSize);
-		goto END;
-	}
-
-
-END:
-
-    if (File)
-    {
-        File->Close(File);
-    }
-
-    if (Root)
-    {
-        Root->Close(Root);
-    }
-
-    CheckFreePool(TmpPath);
-    CheckFreePool(DpStr);
-
-    if (EFI_ERROR(Status))
-    {
-        CheckFreePool(FileData);
-    }
-    else
-    {
-        *Buffer = FileData;
-        *Size = (UINT32)FInfo->FileSize;
-    }
-
-    return Status;
-}
-
-
-STATIC BOOLEAN VtoyCheckRevoke(VOID *Buffer, UINTN Size)
-{
-    UINT32 uiVer = 0;
-    EFI_IMAGE_DOS_HEADER *DosHead = (EFI_IMAGE_DOS_HEADER *)Buffer;
-
-    if (Size > sizeof(EFI_IMAGE_DOS_HEADER) && DosHead->e_magic == 0x5A4D)
-    {
-        if (CompareMem(DosHead->e_res2, &gVtoySbatGUID, 16) == 0)
-        {
-            CopyMem(&uiVer, DosHead->e_res2 + 8, 4);
-            if (uiVer < CUR_SBAT_VER)
-            {
-                vLog(L"Ventoy EFI file revoke (%u < %u)", uiVer, CUR_SBAT_VER);
-                return FALSE;
-            }
-        }
-    }
-
-    return TRUE;
 }
 
 STATIC EFI_STATUS EFIAPI SecurityPolicyAuth
@@ -359,60 +246,18 @@ STATIC EFI_STATUS EFIAPI SecurityPolicyAuth
 	const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst
 )
 {
-    EFI_STATUS Status;
-    BOOLEAN bRevokeChkOK = TRUE;
-    UINT32 Size = 0;
-    VOID *Buffer = NULL;
-
-    /* Just return OK if the user choose to bypass SB */
-    if (gVtoyByPassSB)
-    {
-        return EFI_SUCCESS;
-    }
-
     /*
-     * Step 1:
+     * Some old UEFI firmware (without Security2 protocol) will hang when run OpenVolume.
-     * Use original UEFI firmware auth API.
+     * So finally I decide not to support such UEFI firmware.
-     * If it's OK, it may be signed with Microsoft UEFI CA. (e.g. bootmgr/shim/...)
+     * It means that for UEFI firmware before 2.5 (about 2015) Ventoy only supports Bypass policy.
+     *
      */
-    if (gSysSecFileAuth)
+
-    {
+    (VOID)This;
-        Status = gSysSecFileAuth(This, AuthenticationStatus, DevicePathConst);
+    (VOID)AuthenticationStatus;
-        if (!EFI_ERROR(Status))
+    (VOID)DevicePathConst;
-        {
     return EFI_SUCCESS;
 }
-    }
-
-
-    /*
-     * Step 2:
-     * Use shim verify API.
-     * If it's OK, it may be signed with a MOK key. (e.g. Ventoy EFI files)
-     */
-    if (gShimLock.Verify)
-    {
-        Status = ReadAuthFile(DevicePathConst, &Buffer, &Size);
-        if (!EFI_ERROR(Status))
-        {
-            Status = gShimLock.Verify(Buffer, Size);
-            if (!EFI_ERROR(Status))
-            {
-                bRevokeChkOK = VtoyCheckRevoke(Buffer, Size);
-                if (bRevokeChkOK)
-                {
-                    FreePool(Buffer);
-                    return EFI_SUCCESS;
-                }
-            }
-            FreePool(Buffer);
-        }
-    }
-
-    ShowSBWarning(!bRevokeChkOK, DevicePathConst);
-
-    return EFI_SECURITY_VIOLATION;
-}
 
 STATIC EFI_STATUS EFIAPI Security2PolicyAuth
 (
@@ -424,7 +269,6 @@ STATIC EFI_STATUS EFIAPI Security2PolicyAuth
 )
 {
     EFI_STATUS Status;
-    BOOLEAN bRevokeChkOK = TRUE;
 
     /* Just return OK if the user choose to bypass SB */
     if (gVtoyByPassSB)
@@ -432,6 +276,11 @@ STATIC EFI_STATUS EFIAPI Security2PolicyAuth
         return EFI_SUCCESS;
     }
 
+    if (!gGrubLaunched)
+    {
+        return CheckVtoyGrub(FileBuffer, FileSize);
+    }
+
     /*
      * Step 1:
      * Use original UEFI firmware auth API.
@@ -458,17 +307,13 @@ STATIC EFI_STATUS EFIAPI Security2PolicyAuth
         {
             Status = gShimLock.Verify(FileBuffer, (UINT32)FileSize);
             if (!EFI_ERROR(Status))
-            {
-                bRevokeChkOK = VtoyCheckRevoke(FileBuffer, FileSize);
-                if (bRevokeChkOK)
             {
                 return EFI_SUCCESS;
             }
         }
     }
-    }
 
-    ShowSBWarning(!bRevokeChkOK, DevicePath);
+    ShowSBWarning(DevicePath);
 
     return EFI_SECURITY_VIOLATION;
 }
@@ -549,6 +394,11 @@ STATIC VOID EFIAPI VtoyCheckSB(VOID)
     gVtoyByPassSB = FALSE;
 }
 
+STATIC VOID EFIAPI VtoyLaunched(VOID)
+{
+    gGrubLaunched = TRUE;
+}
+
 STATIC VOID EFIAPI UnInstallVtoyShimProtocol(VOID)
 {
     EFI_GUID Guid = VTOY_SHIM_POLICY_GUID;
@@ -568,6 +418,7 @@ STATIC EFI_STATUS EFIAPI InstallVtoyShimProtocol(VOID)
 
     gVtoyShimProtocol.ByPassSB = VtoyByPassSB;
     gVtoyShimProtocol.CheckSB = VtoyCheckSB;
+    gVtoyShimProtocol.Launched = VtoyLaunched;
 
     Status = gBS->LocateProtocol(&Guid, NULL, (VOID**)&Prot);
     if (!EFI_ERROR(Status))
@@ -623,9 +474,7 @@ STATIC BOOLEAN EFIAPI IsSetupMode(VOID)
 STATIC EFI_STATUS EFIAPI ShimEfiMain
 (
     IN EFI_HANDLE         ImageHandle,
-    IN EFI_SYSTEM_TABLE  *SystemTable,
+    IN EFI_SYSTEM_TABLE  *SystemTable
-    IN BOOLEAN            IsSecureBoot,
-    IN BOOLEAN            IsSetup
 )
 {
     EFI_STATUS Status;
@@ -633,17 +482,6 @@ STATIC EFI_STATUS EFIAPI ShimEfiMain
     shim_void_func_pf Func1 = NULL;
     shim_void_func_pf Func2 = NULL;
 
-    /* If secure boot is not enabled or in SetupMode, nothing needed, just launch Ventoy grub */
-    if (!IsSecureBoot || IsSetup)
-    {
-        Status = LaunchRealGrub(ImageHandle, REAL_GRUB_FILE);
-        if (EFI_ERROR(Status))
-        {
-            vErr(L"Failed to launch %s", REAL_GRUB_FILE);
-        }
-        return Status;
-    }
-
     /* We must be launched by shim */
     Status = gBS->LocateProtocol(&gShimLockGUID, NULL, (VOID**)&ShimLock);
     if (EFI_ERROR(Status) || !ShimLock)
@@ -691,6 +529,7 @@ STATIC EFI_STATUS EFIAPI ShimEfiMain
     Func1(); /* call shim unhook_system_services() */
     Func2(); /* call shim uninstall_shim_protocols() */
 
+    HookSystemService();
 
     /* Hook the system security policy */
     Status = HookSecurityPolicy();
@@ -700,6 +539,7 @@ STATIC EFI_STATUS EFIAPI ShimEfiMain
         goto END;
     }
 
+
     /* Finally launch Ventoy grub */
     Status = LaunchRealGrub(ImageHandle, REAL_GRUB_FILE);
     if (EFI_ERROR(Status))
@@ -715,24 +555,11 @@ END:
 
     UnInstallVtoyShimProtocol();
 
+    UnHookSystemService();
+
     return Status;
 }
 
-STATIC EFI_STATUS EFIAPI VtoyExitBootServices
-(
-    IN  EFI_HANDLE  ImageHandle,
-    IN  UINTN       MapKey
-)
-{
-    UnHookSecurityPolicy();
-    UnInstallVtoyShimProtocol();
-
-    gST->RuntimeServices->GetVariable = gSysGetVariable;
-    gBS->ExitBootServices = gSysExitBootServices;
-
-    return gSysExitBootServices(ImageHandle, MapKey);
-}
-
 EFI_STATUS EFIAPI VtoyGetVariable
 (
     IN     CHAR16                      *VariableName,
@@ -763,6 +590,48 @@ EFI_STATUS EFIAPI VtoyGetVariable
     return Status;
 }
 
+STATIC VOID EFIAPI UnHookSystemService(VOID)
+{
+    if (gSysExitBootServices)
+    {
+        gBS->ExitBootServices = gSysExitBootServices;
+        gSysExitBootServices = NULL;
+    }
+
+    if (gSysGetVariable)
+    {
+        gST->RuntimeServices->GetVariable = gSysGetVariable;
+        gSysGetVariable = NULL;
+    }
+}
+
+
+STATIC EFI_STATUS EFIAPI VtoyExitBootServices
+(
+    IN  EFI_HANDLE  ImageHandle,
+    IN  UINTN       MapKey
+)
+{
+    EFI_EXIT_BOOT_SERVICES SysExitBS;
+
+    /* UnHookSystemService will set gSysExitBootServices NULL */
+    SysExitBS = gSysExitBootServices;
+
+    UnHookSecurityPolicy();
+    UnInstallVtoyShimProtocol();
+    UnHookSystemService();
+
+    return SysExitBS(ImageHandle, MapKey);
+}
+
+STATIC VOID EFIAPI HookSystemService(VOID)
+{
+    gSysExitBootServices = gBS->ExitBootServices;
+    gBS->ExitBootServices = VtoyExitBootServices;
+
+    gSysGetVariable = gST->RuntimeServices->GetVariable;
+    gST->RuntimeServices->GetVariable = VtoyGetVariable;
+}
 
 EFI_STATUS EFIAPI VtoyShimEfiMain
 (
@@ -779,20 +648,16 @@ EFI_STATUS EFIAPI VtoyShimEfiMain
 
     if (!IsSecureBoot || IsSetup)
     {
-        Status = ShimEfiMain(ImageHandle, SystemTable, IsSecureBoot, IsSetup);
+        /* If secure boot is not enabled or in SetupMode, nothing needed, just launch Ventoy grub */
+        Status = LaunchRealGrub(ImageHandle, REAL_GRUB_FILE);
+        if (EFI_ERROR(Status))
+        {
+            vErr(L"Failed to launch %s", REAL_GRUB_FILE);
+        }
     }
     else
     {
-        gSysExitBootServices = gBS->ExitBootServices;
+        Status = ShimEfiMain(ImageHandle, SystemTable);
-        gBS->ExitBootServices = VtoyExitBootServices;
-
-        gSysGetVariable = gST->RuntimeServices->GetVariable;
-        gST->RuntimeServices->GetVariable = VtoyGetVariable;
-
-        Status = ShimEfiMain(ImageHandle, SystemTable, IsSecureBoot, IsSetup);
-
-        gBS->ExitBootServices = gSysExitBootServices;
-        gST->RuntimeServices->GetVariable = gSysGetVariable;
     }
 
     return Status;

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.h

@@ -88,6 +88,7 @@ typedef VOID (*shim_void_func_pf)(VOID);
 #define VtoySleep(sec)      gBS->Stall(1000000 * (sec))
 #define vLog(fmt, ...)      VtoyLog(fmt "\r\n", ##__VA_ARGS__)
 #define vErr(fmt, ...)      VtoyLog(fmt "\r\n", ##__VA_ARGS__); VtoySleep(5)
+#define vDbg(fmt, ...)      VtoyLog(fmt "\r\n", ##__VA_ARGS__); VtoySleep(2)
 
 #define CheckFreePool(p) \
 do { \
@@ -100,15 +101,16 @@ do { \
 
 #define VTOY_SHIM_POLICY_GUID    {0x90a29d14, 0x3968, 0x48fe, { 0x85, 0x81, 0x6b, 0x7f, 0x7d, 0xc4, 0x70, 0x55 }};
 
-
 typedef VOID (EFIAPI *VTOY_BYPASS_SB)(VOID);
 typedef VOID (EFIAPI *VTOY_CHECK_SB)(VOID);
+typedef VOID (EFIAPI *VTOY_LAUNCHED)(VOID);
 typedef struct _VTOY_SHIM{
 	VTOY_BYPASS_SB ByPassSB;
 	VTOY_BYPASS_SB CheckSB;
+	VTOY_LAUNCHED Launched;
 } VTOY_SHIM;
 
-CONST UINT8 * ventoy_get_der_data(UINT32 *Len);
+void calc_sha256(const void *data, UINT64 len, void *output);
 
 #endif
 

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/VtoyShim.inf

@@ -31,6 +31,7 @@
 [Sources]
   VtoyShim.h
   VtoyShim.c
+  sha256.c
   
 [Packages]
   MdePkg/MdePkg.dec

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyShim/sha256.c

@@ -0,0 +1,170 @@
+/******************************************************************************
+ * VtoyShim.c
+ *
+ * Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.<BR>
+ * SPDX-License-Identifier: BSD-2-Clause-Patent
+ *
+ */
+
+#include <Uefi.h>
+#include <Library/DebugLib.h>
+#include <Library/PrintLib.h>
+#include <Library/UefiLib.h>
+#include <Library/BaseMemoryLib.h>
+
+
+static const UINT32 sha256_initial_h[8]
+    = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
+
+static const UINT32 sha256_round_k[64]
+    = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+        0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+        0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+        0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+        0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+        0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
+
+static void sha256_endian_reverse64(UINT64 input, UINT8 *output) {
+    output[7] = (input >> 0) & 0xff;
+    output[6] = (input >> 8) & 0xff;
+    output[5] = (input >> 16) & 0xff;
+    output[4] = (input >> 24) & 0xff;
+    output[3] = (input >> 32) & 0xff;
+    output[2] = (input >> 40) & 0xff;
+    output[1] = (input >> 48) & 0xff;
+    output[0] = (input >> 56) & 0xff;
+}
+
+static UINT32 sha256_endian_read32(UINT8 *input) {
+    UINT32 output = 0;
+    output |= (input[0] << 24);
+    output |= (input[1] << 16);
+    output |= (input[2] << 8);
+    output |= (input[3] << 0);
+
+    return output;
+}
+
+static void sha256_endian_reverse32(UINT32 input, UINT8 *output) {
+    output[3] = (input >> 0) & 0xff;
+    output[2] = (input >> 8) & 0xff;
+    output[1] = (input >> 16) & 0xff;
+    output[0] = (input >> 24) & 0xff;
+}
+
+static UINT32 sha256_ror(UINT32 input, UINT32 by) {
+    return (input >> by) | (((input & ((1 << by) - 1))) << (32 - by));
+}
+
+void calc_sha256(const void *data, UINT64 len, void *output)
+{
+    int i = 0;
+    int j = 0;
+    UINT8 padding[80];
+    UINT64 current = (len + 1) % 64;
+    // want to be == 56 % 64.
+    UINT64 needed = (64 + 56 - current) % 64;
+    UINT64 extra = needed + 9;
+    UINT64 total = len + extra;
+    UINT32 v[8];
+    UINT64 cursor = 0;
+
+    for(i = 1; i < 80; i++)
+    {
+        padding[i] = 0;
+    }
+    padding[0] = 0x80;
+
+    sha256_endian_reverse64(len * 8, padding + total - len - 8);
+
+    for(i = 0; i < 8; i++)
+    {
+        v[i] = sha256_initial_h[i];
+    }
+
+    for(cursor = 0; cursor * 64 < total; cursor++)
+    {
+        UINT32 t[8];
+        UINT32 w[64];
+
+        for(i = 0; i < 8; i++)
+        {
+            t[i] = v[i];
+        }
+
+
+        if(cursor * 64 + 64 <= len)
+        {
+            for(j = 0; j < 16; j++)
+            {
+                w[j] = sha256_endian_read32((UINT8 *)data + cursor * 64 + j * 4);
+            }
+        }
+        else
+        {
+            if(cursor * 64 < len)
+            {
+                UINT64 size = len - cursor * 64;
+                if(size > 0)
+                {
+                    CopyMem(w, (UINT8 *)data + cursor * 64, size);
+                }
+                CopyMem((UINT8 *)w + size, padding, 64 - size);
+            }
+            else
+            {
+                UINT64 off = (cursor * 64 - len) % 64;
+                CopyMem((UINT8 *)w, padding + off, 64);
+            }
+
+            for(j = 0; j < 16; j++)
+            {
+                w[j] = sha256_endian_read32((UINT8 *)&w[j]);
+            }
+        }
+
+        for(j = 16; j < 64; j++)
+        {
+            UINT32 s1 = sha256_ror(w[j - 2], 17) ^ sha256_ror(w[j - 2], 19) ^ (w[j - 2] >> 10);
+            UINT32 s0 = sha256_ror(w[j - 15], 7) ^ sha256_ror(w[j - 15], 18) ^ (w[j - 15] >> 3);
+            w[j] = s1 + w[j - 7] + s0 + w[j - 16];
+        }
+
+        for(j = 0; j < 64; j++)
+        {
+            UINT32 ch = (t[4] & t[5]) ^ (~t[4] & t[6]);
+            UINT32 maj = (t[0] & t[1]) ^ (t[0] & t[2]) ^ (t[1] & t[2]);
+            UINT32 S0 = sha256_ror(t[0], 2) ^ sha256_ror(t[0], 13) ^ sha256_ror(t[0], 22);
+            UINT32 S1 = sha256_ror(t[4], 6) ^ sha256_ror(t[4], 11) ^ sha256_ror(t[4], 25);
+            UINT32 t1 = t[7] + S1 + ch + sha256_round_k[j] + w[j];
+            UINT32 t2 = S0 + maj;
+
+            t[7] = t[6];
+            t[6] = t[5];
+            t[5] = t[4];
+            t[4] = t[3] + t1;
+            t[3] = t[2];
+            t[2] = t[1];
+            t[1] = t[0];
+            t[0] = t1 + t2;
+        }
+
+        for(i = 0; i < 8; i++)
+        {
+            v[i] += t[i];
+        }
+    }
+
+    for(i = 0; i < 8; i++)
+    {
+        sha256_endian_reverse32(v[i], (UINT8 *)output + i * 4);
+    }
+}
+
+

EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyUtil/VtoyUtil.c

@@ -145,66 +145,6 @@ STATIC EFI_STATUS ParseCmdline(IN EFI_HANDLE ImageHandle)
     return EFI_SUCCESS;
 }
 
-#if defined (MDE_CPU_X64)
-
-STATIC BOOLEAN EFIAPI IsSecureBootEnabled(VOID)
-{
-    UINT8 SecureBoot = 0;
-	UINTN DataSize;
-	EFI_STATUS Status;
-
-	DataSize = sizeof(SecureBoot);
-	Status = gST->RuntimeServices->GetVariable(L"SecureBoot", &gEfiGlobalVariableGuid, NULL,
-				     &DataSize, &SecureBoot);
-	if (EFI_ERROR(Status))
-    {
-        return FALSE;
-    }
-
-	return SecureBoot ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI IsSetupMode(VOID)
-{
-    UINT8 SetupMode = 0;
-	UINTN DataSize;
-	EFI_STATUS Status;
-
-	DataSize = sizeof(SetupMode);
-	Status = gST->RuntimeServices->GetVariable(L"SetupMode", &gEfiGlobalVariableGuid, NULL,
-				     &DataSize, &SetupMode);
-	if (EFI_ERROR(Status))
-    {
-        return FALSE;
-    }
-
-	return SetupMode ? TRUE : FALSE;
-}
-
-
-STATIC BOOLEAN EFIAPI CheckVtoyShim(VOID)
-{
-	EFI_STATUS Status;
-    EFI_GUID Guid = VTOY_SHIM_POLICY_GUID;
-    VOID *Prot = NULL;
-
-    /* If secure boot is not enabled or in SetupMode, nothing needed */
-    if (!IsSecureBootEnabled() || IsSetupMode())
-    {
-        return TRUE;
-    }
-
-    Status = gBS->LocateProtocol(&Guid, NULL, (VOID**)&Prot);
-    if (EFI_ERROR(Status))
-    {
-        gST->ConOut->OutputString(gST->ConOut, L"Can not locate Vtoy Shim\r\n");
-        return FALSE;
-    }
-
-    return TRUE;
-}
-#endif
-
 EFI_STATUS EFIAPI VtoyUtilEfiMain
 (
     IN EFI_HANDLE         ImageHandle,
@@ -214,15 +154,6 @@ EFI_STATUS EFIAPI VtoyUtilEfiMain
     UINTN i;
     UINTN Len;
 
-#if defined (MDE_CPU_X64)
-    /* check that Ventoy Shim must exist */
-    if (!CheckVtoyShim())
-    {
-        gBS->Stall(5 * 1000000);
-        return EFI_NOT_FOUND;
-    }
-#endif
-
     ParseCmdline(ImageHandle);
 
     for (i = 0; gCurFeature && i < ARRAY_SIZE(gFeatureList); i++)

GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy.c

@@ -314,6 +314,25 @@ static void ventoy_get_uefi_version(char *str, grub_size_t len)
         grub_snprintf(str, len, "%s.%d", str, uefi_minor_2);
 }
 
+static void ventoy_get_pi_version(char *str, grub_size_t len)
+{
+    grub_uint32_t data = 0;
+    grub_efi_uintn_t i = 0;
+    grub_efi_guid_t dxest =
+        { 0x05ad34ba, 0x6f02, 0x4214, {0x95, 0x2e, 0x4d, 0xa0, 0x39, 0x8e, 0x2b, 0xb9 } };
+
+    for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
+    {
+        if (grub_memcmp(&dxest, &grub_efi_system_table->configuration_table[i].vendor_guid, 16) == 0)
+        {
+            grub_memcpy(&data, (char *)grub_efi_system_table->configuration_table[i].vendor_table + 8, 4);
+            break;
+        }
+    }
+
+    grub_snprintf(str, len, "%d.%d", (data >> 16) & 0xFFFF, (data & 0xFFFF) / 10);
+}
+
 int ventoy_set_sb_policy(void)
 {
     const char *env = NULL;
@@ -399,24 +418,23 @@ static int ventoy_secure_boot_init(void)
     }
 
 
-    /*
-     * When SecureBoot enabled, Ventoy grub must be launched by Ventoy Shim.
-     * Currently only x86_64 support this feature.
-     */
     if (g_ventoy_plat_data == VTOY_PLAT_X86_64_UEFI)
     {
         g_vtoy_shim = grub_efi_locate_protocol(&ProtGuid, NULL);
-        if (g_vtoy_shim == NULL || g_vtoy_shim->ByPassSB == NULL || g_vtoy_shim->CheckSB == NULL)
+        if (g_vtoy_shim == NULL || g_vtoy_shim->ByPassSB == NULL ||
+            g_vtoy_shim->CheckSB == NULL || g_vtoy_shim->Launched == NULL)
         {
-            grub_cls();
+            /*
-            grub_printf(VTOY_WARNING"\n");
+             * Generally when SecureBoot enabled, Ventoy grub must be launched by Ventoy Shim.
-            grub_printf(VTOY_WARNING"\n");
+             * But there are some exceptions:
-            grub_printf(VTOY_WARNING"\n\n\n");
+             *   1. Ventoy key was enrolled directly to the UEFI DB
-
+             *   2. Some UEFI firmware (MSI) has Image Execution Policy as Always Execute which
-            grub_printf("Ventoy grub is not launched by Ventoy shim.\n\n");
+             *      means Secure Boot is effectively disabled.
-            grub_refresh();
+             */
-
+        }
-            ventoy_prompt_end();
+        else
+        {
+            g_vtoy_shim->Launched();
         }
     }
 
@@ -483,8 +501,12 @@ static int ventoy_hwinfo_init(void)
 #ifdef GRUB_MACHINE_EFI
     ventoy_get_uefi_version(str, sizeof(str));
     ventoy_env_export("grub_uefi_version", str);
+
+    ventoy_get_pi_version(str, sizeof(str));
+    ventoy_env_export("grub_pi_version", str);
 #else
     ventoy_env_export("grub_uefi_version", "NA");
+    ventoy_env_export("grub_pi_version", "NA");
 #endif
 
     return 0;

GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy_cmd.c

@@ -4752,23 +4752,10 @@ static grub_err_t ventoy_cmd_img_unhook_root(grub_extcmd_context_t ctxt, int arg
 #ifdef GRUB_MACHINE_EFI
 static grub_err_t ventoy_cmd_check_secureboot_var(grub_extcmd_context_t ctxt, int argc, char **args)
 {
-    int ret = 1;
-    grub_uint8_t *var = NULL;
-    grub_size_t size;
-    grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
-
     (void)ctxt;
     (void)argc;
     (void)args;
-
+    return g_sys_sb ? 0 : 1;
-    var = grub_efi_get_variable("SecureBoot", &global, &size);
-    if (var && *var == 1)
-    {
-        grub_free(var);
-        return 0;
-    }
-
-    return ret;
 }
 #else
 static grub_err_t ventoy_cmd_check_secureboot_var(grub_extcmd_context_t ctxt, int argc, char **args)
@@ -6464,6 +6451,10 @@ static grub_err_t ventoy_cmd_sb_info(grub_extcmd_context_t ctxt, int argc, char
 
 #ifdef GRUB_MACHINE_EFI
     const char *policy = NULL;
+    grub_efi_guid_t security =
+        { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } };
+    grub_efi_guid_t security2 =
+        { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
 
     if (g_sb_policy == VTOY_SB_POLICY_BYPASS)
     {
@@ -6478,8 +6469,10 @@ static grub_err_t ventoy_cmd_sb_info(grub_extcmd_context_t ctxt, int argc, char
         policy = "XXX";
     }
 
-    grub_printf("UEFI Firmware Secure Boot: %s\n", g_sys_sb ? "Enable" : "Disable");
+    grub_printf("UEFI Security           %s\n", grub_efi_locate_protocol(&security, NULL) ? "Yes" : "No");
-    grub_printf("Ventoy Secure Boot Policy: %s\n", policy);
+    grub_printf("UEFI Security2          %s\n", grub_efi_locate_protocol(&security2, NULL) ? "Yes" : "No");
+    grub_printf("Ventoy Secure Policy    %s\n", policy);
+
 #else
     grub_printf("Non EFI mode!\n");
 #endif

GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy_def.h

@@ -199,9 +199,11 @@ typedef struct cpio_newc_header
 
 typedef void (*VTOY_BYPASS_SB)(void);
 typedef void (*VTOY_CHECK_SB)(void);
+typedef void (*VTOY_LAUNCHED)(void);
 typedef struct _VTOY_SHIM{
 	VTOY_BYPASS_SB ByPassSB;
 	VTOY_CHECK_SB CheckSB;
+	VTOY_LAUNCHED Launched;
 } VTOY_SHIM;
 
 

INSTALL/grub/grub.cfg

@@ -34,20 +34,6 @@ function ventoy_debug_pause {
 }
 
 
-function ventoy_max_resolution {
-    #Skip this for VirtualBox
-    smbios -t 1 -s 0x05 --set=system_product;
-    if vt_str_casebegin "$system_product"  "VirtualBox"; then
-        return
-    fi
-
-    vt_enum_video_mode
-    vt_get_video_mode 0 vtCurMode
-    terminal_output console
-    set gfxmode=$vtCurMode
-    terminal_output gfxterm
-}
-
 function ventoy_cli_console {
     if [ -z "$vtoy_display_mode" ]; then
         terminal_output  console
@@ -662,7 +648,6 @@ function uefi_windows_menu_func {
 
     if [ -n "$vtoy_chain_mem_addr" ]; then
         ventoy_acpi_param ${vtoy_chain_mem_addr} 2048
-        ventoy_max_resolution
         chainloader ${vtoy_path}/ventoy_${VTOY_EFI_ARCH}.efi  env_param=${env_param} isoefi=${LoadIsoEfiDriver} iso_${ventoy_fs_probe} ${vtdebug_flag} mem:${vtoy_chain_mem_addr}:size:${vtoy_chain_mem_size}
         boot
     else

INSTALL/grub/hwinfo.cfg

@@ -28,11 +28,14 @@ menuentry "$VTLANG_HWINFO" --class=debug_hwinfo --class=F5tool {
     echo "Platform                $grub_cpu-$grub_platform"    
     if [ "$grub_platform" != "pc" ]; then
         echo "UEFI Version            $grub_uefi_version"
+        echo "PI   Version            $grub_pi_version"
         if vt_check_secureboot_var; then
             echo "Secure Boot             Enabled"
         else
             echo "Secure Boot             Disabled"
         fi
+        
+        vt_sbinfo
     fi    
 
     echo ""    

INSTALL/ventoy_pack.sh

@@ -12,7 +12,6 @@ if [ "$VENTOY_CERT_PASS" = "YES" ]; then
     fi
 fi
 
-SBAT_VER=1
 sign_efi() {
     efi=$1
     
@@ -32,10 +31,6 @@ sign_efi() {
         mv ${efi}.unxz  ${efi}
     fi
 
-    sbstr=$(printf "%08x" $SBAT_VER)
-    echo -en "\x8a\x06\x55\xf7\x4f\xe0\x2b\x45\x9d\x6d\x7c\x55\x96\xb3\xc0\x7d\x${sbstr:6:2}\x${sbstr:4:2}\x${sbstr:2:2}\x${sbstr:0:2}" | \
-        dd bs=1 count=20 of=${efi} seek=40 conv=notrunc status=none
-
     rm -f "${efi}.signed"
     if [ "$VENTOY_CERT_PASS" = "YES" ]; then
         expect -f ./sign_with_pass.exp "$KEY_PASS" "$VENTOY_CERT_KEY" "$VENTOY_CERT_PEM" "${efi}" "${efi}.signed" >/dev/null 2>&1
@@ -52,7 +47,7 @@ sign_efi() {
             mv "${efi}.signed" "$efi"
         fi
     else
-        echo "### %-64s  failed\n" "$efi"
+        printf "### %-64s  failed\n" "$efi"
         exit 1
     fi 
 
@@ -191,7 +186,6 @@ cp -a ./tool/create_ventoy_iso_part_dm.sh  $tmpmnt/tool/
 rm -f $tmpmnt/grub/i386-pc/*.img
 
 
-sign_efi $tmpmnt/EFI/BOOT/fbx64.efi
 sign_efi $tmpmnt/EFI/BOOT/fbia32.efi
 sign_efi $tmpmnt/EFI/BOOT/fbaa64.efi
 sign_efi $tmpmnt/EFI/BOOT/grubx64_real.efi
@@ -211,6 +205,23 @@ sign_efi $tmpmnt/ventoy/vtoyutil_aa64.efi
 sign_efi $tmpmnt/ventoy/wimboot.i386.efi.xz
 sign_efi $tmpmnt/ventoy/wimboot.x86_64.xz
 
+#inject Ventoy Grub sign sha256 value into VtoyShim
+grub_sha256=$(sha256sum $tmpmnt/EFI/BOOT/grubx64_real.efi | awk '{print $1}')
+magic_cnt=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | wc -l)
+if [ $magic_cnt -ne 1 ]; then
+    echo "hash magic duplicate"
+    exit 1
+fi
+magic_off_hex=$(hexdump -C $tmpmnt/EFI/BOOT/fbx64.efi | grep '26 26 26 26 26 26 26 26' | awk '{print $1}')
+magic_off=$(printf '%u' "0x${magic_off_hex}")
+
+echo_cmd=$(echo $grub_sha256 | sed 's/\(..\)/\\x\1/g')
+
+echo Ventoy Grub hash $grub_sha256
+echo -en "$echo_cmd" | dd bs=1 count=32 of=$tmpmnt/EFI/BOOT/fbx64.efi seek=$magic_off conv=notrunc status=none
+
+sign_efi $tmpmnt/EFI/BOOT/fbx64.efi
+
 
 umount $tmpmnt && rm -rf $tmpmnt