misc: Exempt EFI chainload and cosmetic resources from Secure Boot hash enforcement
diff --git a/CONFIG.md b/CONFIG.md
index b6bac469..2092bd91 100644
--- a/CONFIG.md
+++ b/CONFIG.md
@@ -345,7 +345,8 @@ A path can optionally be suffixed with a blake2b hash for the referenced file,
by appending a pound character (`#`) followed by the blake2b hash.
E.g.: `boot():/somemodule.tar#ca6914d2...446b470a`.
When Secure Boot is active, all file paths **must** have a hash appended or
-Limine will panic (except for wallpapers, which are silently skipped instead).
+Limine will panic (except for wallpapers and fonts, which are silently skipped
+instead, falling back to defaults).
## Macros
diff --git a/USAGE.md b/USAGE.md
index e1f64ca7..4783d01d 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -28,9 +28,10 @@ is set and `SetupMode` is not), the following security policies are enforced:
executable. If no checksum is enrolled, Limine will panic.
* All file paths (kernels, modules, DTBs, fonts, etc.) **must** have a BLAKE2B
hash appended (e.g. `boot():/kernel#<hash>`). Loading a file without a hash
- will cause a panic.
-* Wallpaper files without an associated hash are silently skipped rather than
- causing a panic.
+ will cause a panic. The exception is EFI chainloading, where the firmware's
+ own Secure Boot image verification is used instead.
+* Wallpaper and font files without an associated hash are silently skipped
+ (falling back to defaults) rather than causing a panic.
* The config editor is unconditionally disabled.
* `hash_mismatch_panic` is forced to `yes` regardless of the config setting.
diff --git a/common/lib/gterm.c b/common/lib/gterm.c
index 99686dce..a574f253 100644
--- a/common/lib/gterm.c
+++ b/common/lib/gterm.c
@@ -658,6 +658,10 @@ static void gterm_parse_config(char *config, struct gterm_config *cfg) {
char *menu_font = config_get_value(config, 0, "TERM_FONT");
if (menu_font != NULL) {
+ if (secure_boot_active && strchr(menu_font, '#') == NULL) {
+ print("Font skipped: Secure Boot is active and no hash is associated.\n");
+ goto config_no_load_font;
+ }
struct file_handle *f;
if ((f = uri_open(menu_font)) == NULL) {
print("menu: Could not open font file.\n");
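Review bot: The added guard decides whether a hash is present with `strchr(menu_font, '#') == NULL`, which is a second, looser copy of whatever parsing `uri_open` applies to the `#<hash>` suffix. If the two ever disagree (for example on a `#` that is not followed by a valid hash), the skip path and the enforcement path diverge. Assuming `uri_open` still enforces and verifies the hash under Secure Boot, this is safe, but the line deserves a comment such as `// Presence check only; uri_open() still validates and verifies the hash.` The new message also lacks the `menu: ` prefix used by the neighbouring `print("menu: Could not open font file.\n")`. The `config_no_load_font` label and the rest of `gterm_parse_config` are outside the hunk.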
diff --git a/common/protos/chainload.c b/common/protos/chainload.c
index 29de9c24..dfd20e5e 100644
--- a/common/protos/chainload.c
+++ b/common/protos/chainload.c
@@ -265,10 +265,18 @@ noreturn void chainload(char *config, char *cmdline) {
panic(true, "efi: Image path not specified");
}
+ // The firmware's LoadImage will verify the Secure Boot signature of the
+ // chainloaded EFI application, so Limine does not need to enforce its
+ // own hash check here.
+ bool saved_secure_boot_active = secure_boot_active;
+ secure_boot_active = false;
+
struct file_handle *image;
if ((image = uri_open(image_path)) == NULL)
panic(true, "efi: Failed to open image with path `%s`. Is the path correct?", image_path);
+ secure_boot_active = saved_secure_boot_active;
+
EFI_STATUS status;
EFI_HANDLE efi_part_handle = image->efi_part_handle;
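Review bot: Clearing the global `secure_boot_active` around `uri_open(image_path)` relaxes every policy the flag gates inside that call, not only the missing-hash panic. USAGE.md states that `hash_mismatch_panic` is forced to `yes` under Secure Boot; if that forcing is derived from the same flag at verification time (not visible here), a chainload path that does carry a hash would be checked under the weaker, config-controlled setting. Narrowing the override to the unhashed case keeps strict handling for hashed paths: `if (strchr(image_path, '#') == NULL) secure_boot_active = false;`. The comment's premise also rests on the later `LoadImage` call, which is outside the hunk; confirm that its status stops the boot on `EFI_SECURITY_VIOLATION` and `EFI_ACCESS_DENIED` rather than proceeding to `StartImage`.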
