fix(shim): use pinned boxed slices to represent data that needs to be passed to uefi stack

2025-12-19 22:10:17 +00:00 · 2025-11-02 05:08:03 -05:00
parent 8d403d74c9
commit cc37c2b26a
1 changed files with 17 additions and 7 deletions
--- a/src/integrations/shim.rs
+++ b/src/integrations/shim.rs
@@ -6,6 +6,7 @@ use crate::utils::variables::{VariableClass, VariableController};
 use anyhow::{Context, Result, anyhow, bail};
 use log::warn;
 use std::ffi::c_void;
+use std::pin::Pin;
 use uefi::Handle;
 use uefi::boot::LoadImageSource;
 use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
@@ -23,13 +24,13 @@ pub struct ShimSupport;
 /// Input to the shim mechanisms.
 pub enum ShimInput<'a> {
    /// Data loaded into a buffer and ready to be verified, owned.
-    OwnedDataBuffer(Option<&'a ResolvedPath>, Vec<u8>),
+    OwnedDataBuffer(Option<&'a ResolvedPath>, Pin<Box<[u8]>>),
    /// Data loaded into a buffer and ready to be verified.
    DataBuffer(Option<&'a ResolvedPath>, &'a [u8]),
    /// Low-level data buffer provided by the security hook.
    SecurityHookBuffer(Option<*const FfiDevicePath>, &'a [u8]),
    /// Low-level owned data buffer provided by the security hook.
-    SecurityHookOwnedBuffer(Option<*const FfiDevicePath>, Vec<u8>),
+    SecurityHookOwnedBuffer(Option<*const FfiDevicePath>, Pin<Box<[u8]>>),
    /// Low-level path provided by the security hook.
    SecurityHookPath(*const FfiDevicePath),
    /// Data is provided as a resolved path. We will need to load the data to verify it.
@@ -72,9 +73,10 @@ impl<'a> ShimInput<'a> {
        match self {
            ShimInput::OwnedDataBuffer(root, data) => Ok(ShimInput::OwnedDataBuffer(root, data)),

-            ShimInput::DataBuffer(root, data) => {
-                Ok(ShimInput::OwnedDataBuffer(root, data.to_vec()))
-            }
+            ShimInput::DataBuffer(root, data) => Ok(ShimInput::OwnedDataBuffer(
+                root,
+                Box::into_pin(data.to_vec().into_boxed_slice()),
+            )),

            ShimInput::SecurityHookPath(ffi_path) => {
                // Acquire the file path.
@@ -89,7 +91,10 @@ impl<'a> ShimInput<'a> {
                    .context("unable to resolve path")?;
                // Read the file path.
                let data = path.read_file()?;
-                Ok(ShimInput::SecurityHookOwnedBuffer(Some(ffi_path), data))
+                Ok(ShimInput::SecurityHookOwnedBuffer(
+                    Some(ffi_path),
+                    Box::into_pin(data.to_vec().into_boxed_slice()),
+                ))
            }

            ShimInput::SecurityHookBuffer(_, _) => {
@@ -97,7 +102,12 @@ impl<'a> ShimInput<'a> {
            }

            ShimInput::ResolvedPath(path) => {
-                Ok(ShimInput::OwnedDataBuffer(Some(path), path.read_file()?))
+                // Read the file path.
+                let data = path.read_file()?;
+                Ok(ShimInput::OwnedDataBuffer(
+                    Some(path),
+                    Box::into_pin(data.to_vec().into_boxed_slice()),
+                ))
            }

            ShimInput::SecurityHookOwnedBuffer(path, data) => {