proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-05-31 09:21:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Include shim's vendor_cert in MokListRT

Browse Source 
There needs to be some way to communicate to the kernel that it's a
trusted key, and since this mechanism already exists, it's by far the
easiest.
This commit is contained in:
Peter Jones 2013-10-01 14:03:16 -04:00
parent cbef697a96
commit 4185c7d67e
2 changed files with 38 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
TODO
View File

@ -2,8 +2,6 @@ Versioned protocol:
- Make shim and the bootloaders using it express how enlightened they - Make shim and the bootloaders using it express how enlightened they
are to one another, so we can stop earlier without tricks like are to one another, so we can stop earlier without tricks like
the one above the one above
MokListRT containing shim key:
- MokListRT has to contain the shim key...
MokListRT signing: MokListRT signing:
- For kexec and hybernate to work right, MokListRT probably needs to - For kexec and hybernate to work right, MokListRT probably needs to
be an authenticated variable. It's probable this needs to be done be an authenticated variable. It's probable this needs to be done

42
shim.c
View File

@ -1342,23 +1342,57 @@ EFI_STATUS mirror_mok_list()
EFI_STATUS efi_status; EFI_STATUS efi_status;
UINT8 *Data = NULL; UINT8 *Data = NULL;
UINTN DataSize = 0; UINTN DataSize = 0;
void *FullData = NULL;
UINTN FullDataSize = 0;
EFI_SIGNATURE_LIST *CertList = NULL;
EFI_SIGNATURE_DATA *CertData = NULL;
uint8_t *p = NULL;
efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid);
if (efi_status != EFI_SUCCESS)
DataSize = 0;
if (efi_status != EFI_SUCCESS) { FullDataSize = DataSize
goto done; + sizeof (*CertList)
+ sizeof (EFI_GUID)
+ vendor_cert_size
;
FullData = AllocatePool(FullDataSize);
if (!FullData) {
Print(L"Failed to allocate space for MokListRT\n");
return EFI_OUT_OF_RESOURCES;
} }
p = FullData;
if (efi_status == EFI_SUCCESS && DataSize > 0) {
CopyMem(p, Data, DataSize);
p += DataSize;
}
CertList = (EFI_SIGNATURE_LIST *)p;
p += sizeof (*CertList);
CertData = (EFI_SIGNATURE_DATA *)p;
p += sizeof (EFI_GUID);
CertList->SignatureType = EFI_CERT_X509_GUID;
CertList->SignatureListSize = vendor_cert_size
+ sizeof (*CertList)
+ sizeof (*CertData)
-1;
CertList->SignatureHeaderSize = 0;
CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
CertData->SignatureOwner = SHIM_LOCK_GUID;
CopyMem(p, vendor_cert, vendor_cert_size);
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid, &shim_lock_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS, | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize, Data); FullDataSize, FullData);
if (efi_status != EFI_SUCCESS) { if (efi_status != EFI_SUCCESS) {
Print(L"Failed to set MokListRT %d\n", efi_status); Print(L"Failed to set MokListRT %d\n", efi_status);
} }
done:
return efi_status; return efi_status;
} }