diff --git a/rust/uefi/linux-bootloader/src/pe_loader.rs b/rust/uefi/linux-bootloader/src/pe_loader.rs index 4a39039..c500813 100644 --- a/rust/uefi/linux-bootloader/src/pe_loader.rs +++ b/rust/uefi/linux-bootloader/src/pe_loader.rs @@ -9,7 +9,7 @@ use uefi::{ boot::{AllocateType, MemoryType}, Boot, SystemTable, }, - CStr16, Handle, Status, + Handle, Status, }; /// UEFI mandates 4 KiB pages. @@ -174,7 +174,7 @@ impl Image { self, handle: Handle, system_table: &SystemTable, - load_options: &CStr16, + load_options: &[u8], ) -> Status { let mut loaded_image = system_table .boot_services() @@ -196,7 +196,7 @@ impl Image { ); loaded_image.set_load_options( load_options.as_ptr() as *const u8, - u32::try_from(load_options.num_bytes()).unwrap(), + u32::try_from(load_options.len()).unwrap(), ); } diff --git a/rust/uefi/stub/src/common.rs b/rust/uefi/stub/src/common.rs index aaee529..e8fe20c 100644 --- a/rust/uefi/stub/src/common.rs +++ b/rust/uefi/stub/src/common.rs @@ -1,5 +1,9 @@ use alloc::vec::Vec; -use uefi::{prelude::*, CStr16, CString16, Result}; +use log::warn; +use uefi::{ + guid, prelude::*, proto::loaded_image::LoadedImage, table::runtime::VariableVendor, CStr16, + CString16, Result, +}; use linux_bootloader::linux_loader::InitrdLoader; use linux_bootloader::pe_loader::Image; @@ -12,6 +16,70 @@ pub fn extract_string(pe_data: &[u8], section: &str) -> Result { Ok(CString16::try_from(string.as_str()).map_err(|_| Status::INVALID_PARAMETER)?) } +/// Obtain the kernel command line that should be used for booting. +/// +/// If Secure Boot is active, this is always the embedded one (since the one passed from the bootloader may come from a malicious type 1 entry). +/// If Secure Boot is not active, the command line passed from the bootloader is used, falling back to the embedded one. +pub fn get_cmdline( + embedded: &CStr16, + boot_services: &BootServices, + secure_boot_enabled: bool, +) -> Vec { + if secure_boot_enabled { + // The command line passed from the bootloader cannot be trusted, so it is not used when Secure Boot is active. + embedded.as_bytes().to_vec() + } else { + let passed = boot_services + .open_protocol_exclusive::(boot_services.image_handle()) + .map(|loaded_image| loaded_image.load_options_as_bytes().map(|b| b.to_vec())); + match passed { + Ok(Some(passed)) => passed, + // If anything went wrong, fall back to the embedded command line. + _ => embedded.as_bytes().to_vec(), + } + } +} + +/// Check whether Secure Boot is active, and we should be enforcing integrity checks. +/// +/// In case of doubt, true is returned to be on the safe side. +pub fn get_secure_boot_status(runtime_services: &RuntimeServices) -> bool { + // The firmware initialized SecureBoot to 1 if performing signature checks, and 0 if it doesn't. + // Applications are not supposed to modify this variable (in particular, don't change the value from 1 to 0). + let secure_boot_enabled = runtime_services + .get_variable( + cstr16!("SecureBoot"), + &VariableVendor(guid!("8be4df61-93ca-11d2-aa0d-00e098032b8c")), + &mut [1], + ) + .and_then(|(value, _)| match value { + [0] => Ok(false), + [1] => Ok(true), + [v] => { + warn!( + "Unexpected value of SecureBoot variable: {v}. Performing verification anyway." + ); + Ok(true) + } + _ => Err(Status::BAD_BUFFER_SIZE.into()), + }) + .unwrap_or_else(|err| { + if err.status() == Status::NOT_FOUND { + warn!("SecureBoot variable not found. Assuming Secure Boot is not supported."); + false + } else { + warn!("Failed to read SecureBoot variable: {err}. Performing verification anyway."); + true + } + }); + + if !secure_boot_enabled { + warn!("Secure Boot is not active!"); + } + + secure_boot_enabled +} + /// Boot the Linux kernel without checking the PE signature. /// /// We assume that the caller has made sure that the image is safe to @@ -20,7 +88,7 @@ pub fn boot_linux_unchecked( handle: Handle, system_table: SystemTable, kernel_data: Vec, - kernel_cmdline: &CStr16, + kernel_cmdline: &[u8], initrd_data: Vec, ) -> uefi::Result<()> { let kernel = diff --git a/rust/uefi/stub/src/fat.rs b/rust/uefi/stub/src/fat.rs index 2cbc053..cce30d3 100644 --- a/rust/uefi/stub/src/fat.rs +++ b/rust/uefi/stub/src/fat.rs @@ -1,7 +1,7 @@ use alloc::vec::Vec; use uefi::{prelude::*, CString16, Result}; -use crate::common::{boot_linux_unchecked, extract_string}; +use crate::common::{boot_linux_unchecked, extract_string, get_cmdline, get_secure_boot_status}; use linux_bootloader::pe_section::pe_section; use linux_bootloader::uefi_helpers::booted_image_file; @@ -56,12 +56,12 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> Status .expect("Failed to extract configuration from binary.") }; - boot_linux_unchecked( - handle, - system_table, - config.kernel, + let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services()); + let cmdline = get_cmdline( &config.cmdline, - config.initrd, - ) - .status() + system_table.boot_services(), + secure_boot_enabled, + ); + + boot_linux_unchecked(handle, system_table, config.kernel, &cmdline, config.initrd).status() } diff --git a/rust/uefi/stub/src/thin.rs b/rust/uefi/stub/src/thin.rs index bd431ea..bf91c5e 100644 --- a/rust/uefi/stub/src/thin.rs +++ b/rust/uefi/stub/src/thin.rs @@ -1,8 +1,8 @@ use log::{error, warn}; use sha2::{Digest, Sha256}; -use uefi::{fs::FileSystem, guid, prelude::*, table::runtime::VariableVendor, CString16, Result}; +use uefi::{fs::FileSystem, prelude::*, CString16, Result}; -use crate::common::{boot_linux_unchecked, extract_string}; +use crate::common::{boot_linux_unchecked, extract_string, get_cmdline, get_secure_boot_status}; use linux_bootloader::pe_section::pe_section; use linux_bootloader::uefi_helpers::booted_image_file; @@ -91,39 +91,7 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> uefi:: .expect("Failed to extract configuration from binary. Did you run lzbt?") }; - // The firmware initialized SecureBoot to 1 if performing signature checks, and 0 if it doesn't. - // Applications are not supposed to modify this variable (in particular, don't change the value from 1 to 0). - let secure_boot_enabled = system_table - .runtime_services() - .get_variable( - cstr16!("SecureBoot"), - &VariableVendor(guid!("8be4df61-93ca-11d2-aa0d-00e098032b8c")), - &mut [1], - ) - .and_then(|(value, _)| match value { - [0] => Ok(false), - [1] => Ok(true), - [v] => { - warn!( - "Unexpected value of SecureBoot variable: {v}. Performing verification anyway." - ); - Ok(true) - } - _ => Err(Status::BAD_BUFFER_SIZE.into()), - }) - .unwrap_or_else(|err| { - if err.status() == Status::NOT_FOUND { - warn!("SecureBoot variable not found. Assuming Secure Boot is not supported."); - false - } else { - warn!("Failed to read SecureBoot variable: {err}. Performing verification anyway."); - true - } - }); - - if !secure_boot_enabled { - warn!("Secure Boot is not active!"); - } + let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services()); let kernel_data; let initrd_data; @@ -143,6 +111,12 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> uefi:: .expect("Failed to read initrd file into memory"); } + let cmdline = get_cmdline( + &config.cmdline, + system_table.boot_services(), + secure_boot_enabled, + ); + check_hash( &kernel_data, config.kernel_hash, @@ -156,11 +130,5 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable) -> uefi:: secure_boot_enabled, )?; - boot_linux_unchecked( - handle, - system_table, - kernel_data, - &config.cmdline, - initrd_data, - ) + boot_linux_unchecked(handle, system_table, kernel_data, &cmdline, initrd_data) }