[build] Allow signed binaries to be injected into the build process
Allow UEFI signed binaries to be injected using e.g.

  unzip -o -DD 1763278.zip
  make

This will unzip wimboot.x86_64.efi and wimboot.i386.efi, overwriting
the unsigned versions.  The subsequent "make" will then take care of
updating the wimboot.x86_64, wimboot.i386, and ../wimboot binaries
(which are committed to the tree for release).

The signed binaries are automatically compared against the original
binaries (using the SHA256 hash generated by "pesign -h") to ensure
that no malicious code was injected during the signing process.

Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
mcb30 committed Sep 25, 2015
1 parent 2d5db9e commit 334ed1a
Showing 2 changed files with 19 additions and 5 deletions.
1 change: 1 addition & 0 deletions src/.gitignore
Expand Up @@ -4,6 +4,7 @@ wimboot
*.a
*.elf
*.map
*.unsigned
*.efi
*.cab
efireloc
23 changes: 18 additions & 5 deletions src/Makefile
Expand Up @@ -20,6 +20,8 @@ RANLIB := ranlib
CP := cp
RM := rm
LCAB := lcab
PESIGN := pesign
DIFF := diff
BINUTILS_DIR := /usr
BFD_DIR := $(BINUTILS_DIR)
ZLIB_DIR := /usr
Expand Down Expand Up @@ -75,15 +77,25 @@ wimboot : wimboot.x86_64 Makefile
$(CP) $< $@
$(CP) $@ ../$@

wimboot.% : wimboot.%.elf efireloc Makefile
$(OBJCOPY) -Obinary $< $@
./efireloc $< $@

wimboot.%.elf : prefix.%.o lib.%.a script.lds Makefile
$(LD) -m elf_$* -T script.lds -o $@ -q -Map wimboot.$*.map \
prefix.$*.o lib.$*.a

wimboot.%.efi : wimboot.% Makefile
wimboot.%.unsigned : wimboot.%.elf efireloc Makefile
$(OBJCOPY) -Obinary $< $@
./efireloc $< $@

wimboot.%.unsigned.hash : wimboot.%.unsigned Makefile
$(PESIGN) -h -i $< > $@

wimboot.%.efi : wimboot.%.unsigned Makefile
$(CP) $< $@

wimboot.%.efi.hash : wimboot.%.efi Makefile
$(PESIGN) -h -i $< > $@

wimboot.% : wimboot.%.efi wimboot.%.efi.hash wimboot.%.unsigned.hash Makefile
$(DIFF) wimboot.$*.efi.hash wimboot.$*.unsigned.hash
$(CP) $< $@

wimboot.cab : wimboot.i386.efi wimboot.x86_64.efi Makefile
Expand Down Expand Up @@ -155,4 +167,5 @@ clean :
$(RM) -f *.s *.o *.a *.elf
$(RM) -f efireloc
$(RM) -f wimboot wimboot.i386 wimboot.x86_64 ../wimboot
$(RM) -f wimboot.i386.unsigned wimboot.x86_64.unsigned
$(RM) -f wimboot.i386.efi wimboot.x86_64.efi wimboot.cab
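Review bot: The two hash recipes, `$(PESIGN) -h -i $< > $@` (for `wimboot.%.unsigned.hash` and `wimboot.%.efi.hash`), let the shell create the `.hash` target before pesign runs, so a failed or missing pesign leaves an empty file that a later `make` can treat as up to date. If both hash files end up empty, the `$(DIFF)` in the `wimboot.%` rule compares two empty files, and the signed-versus-unsigned check passes without having compared any digest. Unless `.DELETE_ON_ERROR:` is set in a part of the Makefile not shown on this page, both recipes should write through a temporary name, `$(PESIGN) -h -i $< > $@.tmp && mv -f $@.tmp $@`. It would also help to add `test -s wimboot.$*.efi.hash` ahead of the diff so that an empty hash fails the build. A one-line comment above the `wimboot.%` rule, stating that the diff is the gate that keeps an altered signed binary out of the release files, would make it harder to remove by accident.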
