proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-11-04 00:19:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Don't hook system services if shim has no built-in keys

Browse Source 
Shim should only need to enforce its security policy when its launching
binaries signed with its built-in key. Binaries signed by keys in db or
Mokdb should be able to rely on their own security policy.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
This commit is contained in:
Matthew Garrett 2013-11-19 10:15:55 -05:00
parent d95b24bd02
commit 8b48ec5c70
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
shim.c
View File

@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
Print(L"Booting in insecure mode\n");
uefi_call_wrapper(BS->Stall, 1, 2000000);
} else if (secure_mode()) {
/*
* Install our hooks for ExitBootServices() and StartImage()
*/
hook_system_services(systab);
loader_is_participating = 0;
if (vendor_cert_size || vendor_dbx_size) {
/*
* If shim includes its own certificates then ensure
* that anything it boots has performed some
* validation of the next image.
*/
hook_system_services(systab);
loader_is_participating = 0;
}
}
/*