[RFC] Loader protocol with support for device path resolution and loading executables

BUILDING

@@ -37,15 +37,6 @@ Variables you could set to customize the build:
  debugger only on the development branch and not the OS you need to boot
  to scp in a new development build. Likewise, we look for
  SHIM_DEVEL_VERBOSE rather than SHIM_VERBOSE.
-- DISABLE_EBS_PROTECTION
- On systems where a second stage bootloader is not used, and the Linux
- Kernel is embedded in the same EFI image as shim and booted directly
- from shim, shim's ExitBootServices() hook can cause problems as the
- kernel never calls the shim's verification protocol. In this case
- calling the shim verification protocol is unnecessary and redundant as
- shim has already verified the kernel when shim loaded the kernel as the
- second stage loader. In such a case, and only in this case, you should
- use DISABLE_EBS_PROTECTION=y to build.
 - DISABLE_REMOVABLE_LOAD_OPTIONS
  Do not parse load options when invoked as boot*.efi. This prevents boot
  failures because of unexpected data in boot entries automatically generated

Make.defaults

@@ -149,10 +149,6 @@ ifneq ($(origin REQUIRE_TPM), undefined)
  DEFINES += -DREQUIRE_TPM
 endif
 
-ifneq ($(origin DISABLE_EBS_PROTECTION), undefined)
- DEFINES += -DDISABLE_EBS_PROTECTION
-endif
-
 ifneq ($(origin DISABLE_REMOVABLE_LOAD_OPTIONS), undefined)
  DEFINES += -DDISABLE_REMOVABLE_LOAD_OPTIONS
 endif

Makefile

@@ -38,9 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT
 else
 TARGETS += $(MMNAME) $(FBNAME)
 endif
-OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o pe-relocate.o httpboot.o csv.o load-options.o
+OBJS = shim.o globals.o mok.o netboot.o cert.o loader-proto.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o pe-relocate.o httpboot.o csv.o load-options.o
 KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c pe-relocate.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S sbat_var.S
+ORIG_SOURCES = shim.c globals.c mok.c netboot.c loader-proto.c tpm.c errlog.c sbat.c pe.c pe-relocate.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S sbat_var.S
 MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o globals.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o

globals.c

@@ -24,7 +24,8 @@ UINT8 *build_cert;
  * indicator of how an image has been verified
  */
 verification_method_t verification_method;
-int loader_is_participating;
+
+SHIM_IMAGE_LOADER shim_image_loader_interface;
 
 UINT8 user_insecure_mode;
 UINT8 ignore_db;

include/guid.h

@@ -36,7 +36,12 @@ extern EFI_GUID SECURITY_PROTOCOL_GUID;
 extern EFI_GUID SECURITY2_PROTOCOL_GUID;
 extern EFI_GUID EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
 extern EFI_GUID SHIM_LOCK_GUID;
+extern EFI_GUID SHIM_IMAGE_LOADER_GUID;
+extern EFI_GUID SHIM_LOADED_IMAGE_GUID;
 extern EFI_GUID MOK_VARIABLE_STORE;
 extern EFI_GUID SECUREBOOT_EFI_NAMESPACE_GUID;
+extern EFI_GUID EFI_DEVICE_PATH_GUID;
+extern EFI_GUID EFI_LOADED_IMAGE_DEVICE_PATH_GUID;
+extern EFI_GUID EFI_LOAD_FILE2_GUID;
 
 #endif /* SHIM_GUID_H */

include/lf2.h

@@ -0,0 +1,76 @@
+/** @file
+ Load File protocol as defined in the UEFI 2.0 specification.
+
+ Load file protocol exists to supports the addition of new boot devices,
+ and to support booting from devices that do not map well to file system.
+ Network boot is done via a LoadFile protocol.
+
+ UEFI 2.0 can boot from any device that produces a LoadFile protocol.
+
+ Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __EFI_LOAD_FILE2_PROTOCOL_H__
+#define __EFI_LOAD_FILE2_PROTOCOL_H__
+
+#define EFI_LOAD_FILE2_PROTOCOL_GUID \
+ { \
+ 0x4006c0c1, 0xfcb3, 0x403e, {0x99, 0x6d, 0x4a, 0x6c, 0x87, 0x24, 0xe0, 0x6d } \
+ }
+
+///
+/// Protocol Guid defined by UEFI2.1.
+///
+#define LOAD_FILE2_PROTOCOL EFI_LOAD_FILE2_PROTOCOL_GUID
+
+typedef struct _EFI_LOAD_FILE2_PROTOCOL EFI_LOAD_FILE2_PROTOCOL;
+
+/**
+ Causes the driver to load a specified file.
+
+ @param This Protocol instance pointer.
+ @param FilePath The device specific path of the file to load.
+ @param BootPolicy Should always be FALSE.
+ @param BufferSize On input the size of Buffer in bytes. On output with a return
+ code of EFI_SUCCESS, the amount of data transferred to
+ Buffer. On output with a return code of EFI_BUFFER_TOO_SMALL,
+ the size of Buffer required to retrieve the requested file.
+ @param Buffer The memory buffer to transfer the file to. IF Buffer is NULL,
+ then no the size of the requested file is returned in
+ BufferSize.
+
+ @retval EFI_SUCCESS The file was loaded.
+ @retval EFI_UNSUPPORTED BootPolicy is TRUE.
+ @retval EFI_INVALID_PARAMETER FilePath is not a valid device path, or
+ BufferSize is NULL.
+ @retval EFI_NO_MEDIA No medium was present to load the file.
+ @retval EFI_DEVICE_ERROR The file was not loaded due to a device error.
+ @retval EFI_NO_RESPONSE The remote system did not respond.
+ @retval EFI_NOT_FOUND The file was not found
+ @retval EFI_ABORTED The file load process was manually canceled.
+ @retval EFI_BUFFER_TOO_SMALL The BufferSize is too small to read the current
+ directory entry. BufferSize has been updated with
+ the size needed to complete the request.
+
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_LOAD_FILE2)(
+ IN EFI_LOAD_FILE2_PROTOCOL *This,
+ IN EFI_DEVICE_PATH_PROTOCOL *FilePath,
+ IN BOOLEAN BootPolicy,
+ IN OUT UINTN *BufferSize,
+ IN VOID *Buffer OPTIONAL
+ );
+
+///
+/// The EFI_LOAD_FILE_PROTOCOL is a simple protocol used to obtain files from arbitrary devices.
+///
+struct _EFI_LOAD_FILE2_PROTOCOL {
+ EFI_LOAD_FILE2 LoadFile;
+};
+
+#endif

include/replacements.h → include/loader-proto.h

@@ -16,15 +16,21 @@ typedef enum {
 } verification_method_t;
 
 extern verification_method_t verification_method;
-extern int loader_is_participating;
 
 extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
 extern void unhook_system_services(void);
 
 extern void hook_exit(EFI_SYSTEM_TABLE *local_systab);
 extern void unhook_exit(void);
 
-extern EFI_STATUS install_shim_protocols(void);
-extern void uninstall_shim_protocols(void);
+typedef struct _SHIM_IMAGE_LOADER {
+ EFI_IMAGE_LOAD LoadImage;
+ EFI_IMAGE_START StartImage;
+ EFI_EXIT Exit;
+ EFI_IMAGE_UNLOAD UnloadImage;
+} SHIM_IMAGE_LOADER;
+
+extern SHIM_IMAGE_LOADER shim_image_loader_interface;
+extern void init_image_loader(void);
 
 #endif /* SHIM_REPLACEMENTS_H */

lib/guid.c

@@ -35,5 +35,10 @@ EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD
 EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
 EFI_GUID EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID = { 0xf4560cf6, 0x40ec, 0x4b4a, {0xa1, 0x92, 0xbf, 0x1d, 0x57, 0xd0, 0xb1, 0x89} };
 EFI_GUID SHIM_LOCK_GUID = {0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } };
+EFI_GUID SHIM_IMAGE_LOADER_GUID = {0x1f492041, 0xfadb, 0x4e59, {0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } };
+EFI_GUID SHIM_LOADED_IMAGE_GUID = {0x6e6baeb8, 0x7108, 0x4179, {0x94, 0x9d, 0xa3, 0x49, 0x34, 0x15, 0xec, 0x97 } };
 EFI_GUID MOK_VARIABLE_STORE = {0xc451ed2b, 0x9694, 0x45d3, {0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89} };
 EFI_GUID SECUREBOOT_EFI_NAMESPACE_GUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b} };
+EFI_GUID EFI_DEVICE_PATH_GUID = EFI_DEVICE_PATH_PROTOCOL_GUID;
+EFI_GUID EFI_LOADED_IMAGE_DEVICE_PATH_GUID = EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID;
+EFI_GUID EFI_LOAD_FILE2_GUID = EFI_LOAD_FILE2_PROTOCOL_GUID;