-
Notifications
You must be signed in to change notification settings - Fork 11
/
hash-to-efi-sig-list.c
124 lines (110 loc) · 2.75 KB
/
hash-to-efi-sig-list.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
/*
* Copyright 2012 <[email protected]>
*
* see COPYING file
*/
#include <stdint.h>
#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>
#include <unistd.h>
#include <wchar.h>
#include <PeImage.h> /* for ALIGN_VALUE */
#include <sha256.h>
#include <efiauthenticated.h>
#include <guid.h>
#include <version.h>
static void
usage(const char *progname)
{
printf("Usage: %s efi-binary [efi-binary ...] efi-signature-list\n", progname);
}
static void
help(const char *progname)
{
usage(progname);
printf("Produce an EFI Signature List file containing the sha256 hash of the\n"
"passed in EFI binary\n"
"\nOptions:\n"
"none\n"
);
}
int
main(int argc, char *argv[])
{
void *efifile;
const char *progname = argv[0];
int i;
while (argc > 1) {
if (strcmp("--version", argv[1]) == 0) {
version(progname);
exit(0);
} else if (strcmp("--help", argv[1]) == 0) {
help(progname);
exit(0);
} else {
break;
}
}
if (argc < 3) {
usage(progname);
exit(1);
}
int hashes = argc - 2;
UINT8 hash[hashes][SHA256_DIGEST_SIZE];
memset(hash, 0, sizeof(hash));
for (i = 0; i < hashes; i++) {
int j;
struct stat st;
EFI_STATUS status;
int fdefifile = open(argv[i + 1], O_RDONLY);
if (fdefifile == -1) {
fprintf(stderr, "failed to open file %s: ", argv[1]);
perror("");
exit(1);
}
fstat(fdefifile, &st);
efifile = malloc(ALIGN_VALUE(st.st_size, 4096));
memset(efifile, 0, ALIGN_VALUE(st.st_size, 4096));
read(fdefifile, efifile, st.st_size);
close(fdefifile);
status = sha256_get_pecoff_digest_mem(efifile, st.st_size,
hash[i]);
if (status != EFI_SUCCESS) {
printf("Failed to get hash of %s: %d\n", argv[i+1],
status);
continue;
}
printf("HASH IS ");
for (j = 0; j < SHA256_DIGEST_SIZE; j++) {
printf("%02x", hash[i][j]);
}
printf("\n");
}
UINT8 sig[sizeof(EFI_SIGNATURE_LIST) + (sizeof(EFI_SIGNATURE_DATA) - 1 + SHA256_DIGEST_SIZE) * hashes];
EFI_SIGNATURE_LIST *l = (void *)sig;
memset(sig, 0, sizeof(sig));
l->SignatureType = EFI_CERT_SHA256_GUID;
l->SignatureListSize = sizeof(sig);
l->SignatureSize = 16 +32; /* UEFI defined */
for (i = 0; i < hashes; i++) {
EFI_SIGNATURE_DATA *d = (void *)sig + sizeof(EFI_SIGNATURE_LIST) + l->SignatureSize * i;
d->SignatureOwner = MOK_OWNER;
memcpy(&d->SignatureData, hash[i], sizeof(hash[i]));
}
int fdoutfile = open(argv[hashes + 1], O_CREAT|O_WRONLY|O_TRUNC, S_IWUSR|S_IRUSR);
if (fdoutfile == -1) {
fprintf(stderr, "failed to open %s: ", argv[hashes + 1]);
perror("");
exit(1);
}
write(fdoutfile, sig, sizeof(sig));
close(fdoutfile);
return 0;
}