[uefi] factorize SkuSiPolicy.p7b copying code and apply it for Windows To Go

* Also don't forget to credit the original authors of the PowerShell gist we derived our code from!
2024-08-14 23:57:05 +00:00 · 2023-06-19 00:04:08 +02:00 · 2023-06-19 00:04:08 +02:00 · c59e9209eb
commit c59e9209eb
parent 7eb9a6f16b
6 changed files with 40 additions and 17 deletions
--- a/src/format.c
+++ b/src/format.c
@ -1908,19 +1908,8 @@ DWORD WINAPI FormatThread(void* param)
 							FormatStatus = ERROR_SEVERITY_ERROR|FAC(FACILITY_STORAGE)|APPERR(ERROR_CANT_PATCH);
 						}
 					}
-				} else if ((target_type == TT_UEFI) && IS_WINDOWS_1X(img_report) && pe256ssp_size > 0) {
-					// Copy this system's SkuSiPolicy.p7b to the target drive so that UEFI bootloaders
-					// revoked by Windows through WDAC policy do get flagged as revoked.
-					char src[MAX_PATH], dst[MAX_PATH];
-					struct __stat64 stat64 = { 0 };
-					static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
-					static_sprintf(dst, "%s\\efi\\microsoft\\boot\\SKUSiPolicy.p7b", drive_name);
-					if ((_stat64U(dst, &stat64) != 0) && (_stat64U(src, &stat64) == 0)) {
-						uprintf("Copying: %s (%s) (from %s)", dst, SizeToHumanReadable(stat64.st_size, FALSE, FALSE), src);
-						if (!CopyFileU(src, dst, TRUE))
-							uprintf("  Error writing file: %s", WindowsErrorString());
-					}
 				}
+				CopySKUSiPolicy(drive_name);
 				if ( (target_type == TT_BIOS) && HAS_WINPE(img_report) ) {
 					// Apply WinPE fixup
 					if (!SetupWinPE(drive_name[0]))
--- a/src/license.h
+++ b/src/license.h
@ -134,6 +134,11 @@ const char* additional_copyrights =
 "https://github.com/u-boot/u-boot\\line\n"
 "GNU General Public License (GPL) v2 or later\\line\n"
 "\\line\n"
+"SkuSiPolicy.p7b parsing derived from:\\line\n"
+"https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e\\line\n"
+"by Matthew Graeber, with contributions by James Forshaw\\line\n"
+"BSD 3-Clause\\line\n"
+"\\line\n"
 "About and License dialogs inspired by WinSCP by Martin Prikryl\\line\n"
 "https://winscp.net/\\line\n"
 "GNU General Public License (GPL) v3 or later\\line\n"
--- a/src/pki.c
+++ b/src/pki.c
@ -792,6 +792,9 @@ out:
 	return r;
 }

+// The following SkuSiPolicy.p7b parsing code is derived from:
+// https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e
+// by Matthew Graeber, with contributions by James Forshaw.
 BOOL ParseSKUSiPolicy(void)
 {
 	char path[MAX_PATH];
--- a/src/rufus.h
+++ b/src/rufus.h
@ -643,6 +643,7 @@ extern BOOL ExtractAppIcon(const char* filename, BOOL bSilent);
 extern BOOL ExtractDOS(const char* path);
 extern BOOL ExtractISO(const char* src_iso, const char* dest_dir, BOOL scan);
 extern int64_t ExtractISOFile(const char* iso, const char* iso_file, const char* dest_file, DWORD attributes);
+extern BOOL CopySKUSiPolicy(const char* drive_name);
 extern BOOL HasEfiImgBootLoaders(void);
 extern BOOL DumpFatDir(const char* path, int32_t cluster);
 extern char* MountISO(const char* path);
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.2.2052"
+CAPTION "Rufus 4.2.2053"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -392,8 +392,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,2,2052,0
- PRODUCTVERSION 4,2,2052,0
+ FILEVERSION 4,2,2053,0
+ PRODUCTVERSION 4,2,2053,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -411,13 +411,13 @@ BEGIN
            VALUE "Comments", "https://rufus.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.2.2052"
+            VALUE "FileVersion", "4.2.2053"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "© 2011-2023 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
            VALUE "OriginalFilename", "rufus-4.2.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.2.2052"
+            VALUE "ProductVersion", "4.2.2053"
        END
    END
    BLOCK "VarFileInfo"
--- a/src/wue.c
+++ b/src/wue.c
@ -473,6 +473,29 @@ out:
 	return ((img_report.win_version.major != 0) && (img_report.win_version.build != 0));
 }

+// Copy this system's SkuSiPolicy.p7b to the target drive so that UEFI bootloaders
+// revoked by Windows through WDAC policy do get flagged as revoked.
+BOOL CopySKUSiPolicy(const char* drive_name)
+{
+	BOOL r = FALSE;
+	char src[MAX_PATH], dst[MAX_PATH];
+	struct __stat64 stat64 = { 0 };
+
+	if ((target_type != TT_UEFI) || !IS_WINDOWS_1X(img_report) || pe256ssp_size == 0)
+		return r;
+
+	static_sprintf(src, "%s\\SecureBootUpdates\\SKUSiPolicy.p7b", system_dir);
+	static_sprintf(dst, "%s\\efi\\microsoft\\boot\\SKUSiPolicy.p7b", drive_name);
+	if ((_stat64U(dst, &stat64) != 0) && (_stat64U(src, &stat64) == 0)) {
+		uprintf("Copying: %s (%s) (from %s)", dst, SizeToHumanReadable(stat64.st_size, FALSE, FALSE), src);
+		r = CopyFileU(src, dst, TRUE);
+		if (!r)
+			uprintf("  Error writing file: %s", WindowsErrorString());
+	}
+
+	return r;
+}
+
 /// <summary>
 /// Checks which versions of Windows are available in an install image
 /// to set our extraction index. Asks the user to select one if needed.
@ -687,6 +710,8 @@ BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 		FormatStatus = ERROR_SEVERITY_ERROR | FAC(FACILITY_STORAGE) | APPERR(ERROR_ISO_EXTRACT);
 	}

+	CopySKUSiPolicy((use_esp) ? ms_efi : drive_name);
+
 	UpdateProgressWithInfo(OP_FILE_COPY, MSG_267, wim_proc_files + 2 * wim_extra_files, wim_nb_files);

 	// Setting internal drives offline for Windows To Go is crucial if, for instance, you are using ReFS