@vathpela

@hughsie asked me to also make it observable at runtime whether the shim binary that was used to boot was set as NX_COMPAT or not.

This adds that into the HSIStatus data as "shim-has-nx-compat-set".

@vathpela vathpela marked this pull request as ready for review February 24, 2025 22:29
@vathpela vathpela force-pushed the show-nx-compat-in-hsi branch from e369da2 to 9af5fcf Compare February 24, 2025 22:33
@hughsie

hughsie commented Feb 25, 2025

Many thanks @vathpela -- this makes the output much more useful.

@vathpela vathpela force-pushed the show-nx-compat-in-hsi branch from ea61e77 to 1991560 Compare February 25, 2025 15:48
Signed-off-by: Peter Jones <pjones@redhat.com>
This changes all the HSI bitfield operations to print a string showing
the change instead of just hex values.

Signed-off-by: Peter Jones <pjones@redhat.com>
When we're parsing the PE header of shim itself from the Loaded Image
object, the signatures aren't present, but the Certificate Table entry
in the Data Directory has not been cleared, so it'll fail verification.

We know when we're doing that, so this patch makes that test optional.

Signed-off-by: Peter Jones <pjones@redhat.com>
hughsie asked me to also make it observable at runtime whether the shim
binary that was used to boot was set as NX_COMPAT or not.

This adds that into the HSIStatus data as "shim-has-nx-compat-set".

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
@vathpela vathpela force-pushed the show-nx-compat-in-hsi branch from 1991560 to 6534fe9 Compare February 25, 2025 16:52
@vathpela vathpela merged commit 5007d83 into rhboot:main Feb 26, 2025
20 checks passed
@vathpela vathpela deleted the show-nx-compat-in-hsi branch February 26, 2025 00:40
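
The two checks described in the commit messages above, sketched as an added example (not shim's own code and not part of this pull request): reading the NX_COMPAT bit from a PE header, with the Certificate Table bounds check made optional for an image whose signature data is not in the buffer. The names `pe_nx_compat` and `make_sample`, the return codes and the sample header are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NX_COMPAT 0x0100u /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */
#define DIR_CERTS 4       /* Certificate Table slot in the Data Directory */
/* Little-endian read of n bytes (n <= 4). */
static uint32_t rd(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
/* Hypothetical helper: 1 = NX_COMPAT set, 0 = clear, -1 = malformed header,
 * -2 = Certificate Table entry points outside buf (only if check_certs). */
int pe_nx_compat(const uint8_t *buf, size_t len, int check_certs) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd(buf + 0x3c, 4);                 /* e_lfanew */
    if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4)) return -1;
    size_t opt = pe + 24;                          /* past signature + COFF header */
    size_t optsz = rd(buf + pe + 20, 2);           /* SizeOfOptionalHeader */
    uint32_t magic = rd(buf + opt, 2);
    size_t dirs = magic == 0x10b ? 96 : magic == 0x20b ? 112 : 0; /* PE32 / PE32+ */
    if (!dirs || optsz < dirs || len - opt < optsz) return -1;
    if (check_certs && rd(buf + opt + dirs - 4, 4) > DIR_CERTS) { /* NumberOfRvaAndSizes */
        if (optsz < dirs + 8 * (DIR_CERTS + 1)) return -1;
        const uint8_t *e = buf + opt + dirs + 8 * DIR_CERTS;
        uint32_t off = rd(e, 4), size = rd(e + 4, 4); /* file offset, size */
        if (size && (off > len || size > len - off)) return -2;
    }
    return (rd(buf + opt + 70, 2) & NX_COMPAT) ? 1 : 0; /* DllCharacteristics */
}

/* Constructed sample: minimal PE32+ header in a 512-byte buffer. */
void make_sample(uint8_t buf[512], int nx, uint32_t off, uint32_t size) {
    memset(buf, 0, 512);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x40;  /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 20] = 240;                          /* 112 + 16 directory entries */
    buf[0x58] = 0x0b; buf[0x59] = 0x02;            /* magic 0x20b */
    buf[0x58 + 71] = nx ? 0x01 : 0x00;             /* high byte of DllCharacteristics */
    buf[0x58 + 108] = 16;                          /* NumberOfRvaAndSizes */
    for (int i = 0; i < 4; i++) {                  /* Certificate Table entry */
        buf[0x58 + 112 + 8 * DIR_CERTS + i] = (uint8_t)(off >> (8 * i));
        buf[0x58 + 112 + 8 * DIR_CERTS + 4 + i] = (uint8_t)(size >> (8 * i));
    }
}

int main(void) {
    uint8_t img[512];
    make_sample(img, 1, 0x10000, 0x500); /* stale entry past the 512-byte image */
    printf("strict=%d relaxed=%d\n", pe_nx_compat(img, 512, 1), pe_nx_compat(img, 512, 0));
    return 0;
}
```

With the stale Certificate Table entry in the constructed sample, the strict call returns -2 and the relaxed call returns 1.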