From fe3d4015ba7bbd231214a6f6c8d3c8f43d3dbc4a Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Wed, 23 Nov 2022 14:03:53 +0100
Subject: [PATCH] Perform load_image on initrd to hopefully verify signatures

---
 rust/lanzaboote/src/linux_loader.rs | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/rust/lanzaboote/src/linux_loader.rs b/rust/lanzaboote/src/linux_loader.rs
index bfb05c6..32feb54 100644
--- a/rust/lanzaboote/src/linux_loader.rs
+++ b/rust/lanzaboote/src/linux_loader.rs
@@ -11,6 +11,7 @@ use uefi::{
 media::file::RegularFile,
 Protocol,
 },
+ table::boot::LoadImageSource,
 unsafe_guid, Handle, Identify, Result, ResultExt, Status,
 };
@@ -123,6 +124,8 @@ pub struct InitrdLoader {
 /// Returns the data range of the initrd in the PE binary.
 fn initrd_location(initrd_efi: &mut RegularFile) -> Result> {
+ initrd_efi.set_position(0)?;
+
 let file_data = read_all(initrd_efi)?;
 let pe_binary = goblin::pe::PE::parse(&file_data).map_err(|_| Status::INVALID_PARAMETER)?;
@@ -142,13 +145,36 @@ fn initrd_location(initrd_efi: &mut RegularFile) -> Result> {
 .ok_or(Status::END_OF_FILE.into())
 }

+fn initrd_verify(boot_services: &BootServices, initrd_efi: &mut RegularFile) -> Result<()> {
+ initrd_efi.set_position(0)?;
+ let file_data = read_all(initrd_efi)?;
+
+ let initrd_handle = boot_services.load_image(
+ boot_services.image_handle(),
+ LoadImageSource::FromBuffer {
+ buffer: &file_data,
+ file_path: None,
+ },
+ )?;
+
+ // If we get here, the security policy allowed loading the
+ // image. This means that it was signed with an acceptable key in
+ // the Secure Boot scenario.
+
+ boot_services.unload_image(initrd_handle)?;
+
+ Ok(())
+}
+
 impl InitrdLoader {
 pub fn new(
 boot_services: &BootServices,
 handle: Handle,
 mut file: RegularFile,
 ) -> Result {
- let range = initrd_location(&mut file)?;
+ initrd_verify(boot_services, &mut file).unwrap();
+
+ let range = initrd_location(&mut file).unwrap();
 let mut proto = Box::pin(LoadFile2Protocol {
 load_file: raw_load_file,
 file,
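Review bot: The bytes that `initrd_verify` authenticates are not the bytes that end up served: `file_data` is dropped right after `unload_image`, `initrd_location` then re-reads `file` from the ESP into a second buffer, and the `RegularFile` handle is stored in the `LoadFile2Protocol` state, presumably for `raw_load_file` to read from again later, so the verified buffer itself never reaches the kernel and the signature check is only loosely tied to the data delivered. Reading the file once in `initrd_verify`, returning that buffer, and handing it to `initrd_location` and to the protocol state would bind the check to the served bytes and also avoid reading a potentially large initrd from disk twice. Separately, both `.unwrap()` calls in `new` (including the one that replaced `?` on `initrd_location`) panic instead of propagating through the `Result` that `new` already returns; `initrd_verify(boot_services, &mut file)?;` and `let range = initrd_location(&mut file)?;` fail closed just the same while leaving the caller an error it can report. It is also worth stating in the comment above `unload_image` that a successful `load_image` only proves a signature was accepted when the firmware actually enforces a security policy, i.e. with Secure Boot disabled the call succeeds for unsigned images too, e.g. `// NOTE: with Secure Boot disabled, load_image succeeds without any signature check.` `new` continues past the end of this hunk.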