Include shim's vendor_cert in MokListRT

There needs to be some way to communicate to the kernel that it's a trusted key, and since this mechanism already exists, it's by far the easiest.
2025-05-29 12:35:33 +00:00 · 2013-10-01 14:03:16 -04:00 · 2013-10-01 14:03:16 -04:00 · 4185c7d67e
commit 4185c7d67e
parent cbef697a96
2 changed files with 38 additions and 6 deletions
--- a/2
+++ b/2
@ -2,8 +2,6 @@ Versioned protocol:
 - Make shim and the bootloaders using it express how enlightened they
  are to one another, so we can stop earlier without tricks like
  the one above
-MokListRT containing shim key:
- MokListRT has to contain the shim key...
 MokListRT signing:
 - For kexec and hybernate to work right, MokListRT probably needs to
  be an authenticated variable.  It's probable this needs to be done
--- a/shim.c
+++ b/shim.c
@ -1342,23 +1342,57 @@ EFI_STATUS mirror_mok_list()
 	EFI_STATUS efi_status;
 	UINT8 *Data = NULL;
 	UINTN DataSize = 0;
+	void *FullData = NULL;
+	UINTN FullDataSize = 0;
+	EFI_SIGNATURE_LIST *CertList = NULL;
+	EFI_SIGNATURE_DATA *CertData = NULL;
+	uint8_t *p = NULL;

 	efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid);
+	if (efi_status != EFI_SUCCESS)
+		DataSize = 0;

-	if (efi_status != EFI_SUCCESS) {
-		goto done;
+	FullDataSize = DataSize
+		     + sizeof (*CertList)
+		     + sizeof (EFI_GUID)
+		     + vendor_cert_size
+		     ;
+	FullData = AllocatePool(FullDataSize);
+	if (!FullData) {
+		Print(L"Failed to allocate space for MokListRT\n");
+		return EFI_OUT_OF_RESOURCES;
 	}
+	p = FullData;
+
+	if (efi_status == EFI_SUCCESS && DataSize > 0) {
+		CopyMem(p, Data, DataSize);
+		p += DataSize;
+	}
+	CertList = (EFI_SIGNATURE_LIST *)p;
+	p += sizeof (*CertList);
+	CertData = (EFI_SIGNATURE_DATA *)p;
+	p += sizeof (EFI_GUID);
+
+	CertList->SignatureType = EFI_CERT_X509_GUID;
+	CertList->SignatureListSize = vendor_cert_size
+				      + sizeof (*CertList)
+				      + sizeof (*CertData)
+				      -1;
+	CertList->SignatureHeaderSize = 0;
+	CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
+
+	CertData->SignatureOwner = SHIM_LOCK_GUID;
+	CopyMem(p, vendor_cert, vendor_cert_size);

 	efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
 				       &shim_lock_guid,
 				       EFI_VARIABLE_BOOTSERVICE_ACCESS
 				       | EFI_VARIABLE_RUNTIME_ACCESS,
-				       DataSize, Data);
+				       FullDataSize, FullData);
 	if (efi_status != EFI_SUCCESS) {
 		Print(L"Failed to set MokListRT %d\n", efi_status);
 	}

-done:
 	return efi_status;
 }