Don't install our protocols if we're not in secure mode.

System services haven't been hooked if we're not in secure mode, so do_exit() will never be called. In this case shim never gets control once grub exits, which means if booting fails and the firmware tries another boot option, it'll attempt to talk to the shim protocol we installed. This is wrong, because it is allowed to have been cleared from ram at this time, since the task it's under has exited. So just don't install the protocols when we're not enforcing. This version also has a message and a 2-second stall after calling start_image(), so that we can tell if we are on the expected return path of our execution flow.
2025-11-04 02:26:53 +00:00 · 2015-04-13 19:55:25 -04:00 · 2015-04-13 19:55:25 -04:00 · 8d535fc962
commit 8d535fc962
parent 96cf3c015c
1 changed files with 11 additions and 0 deletions
--- a/shim.c
+++ b/shim.c
@ -1682,6 +1682,9 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
 	if (efi_status != EFI_SUCCESS)
 		efi_status = start_image(image_handle, MOK_MANAGER);

+	Print(L"start_image() returned %r\n", efi_status);
+	uefi_call_wrapper(BS->Stall, 1, 2000000);
+
 	return efi_status;
 }

@ -1985,6 +1988,10 @@ install_shim_protocols(void)
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 	EFI_STATUS efi_status;
+
+	if (!secure_mode())
+		return EFI_SUCCESS;
+
 	/*
 	 * Install the protocol
 	 */
@ -2011,6 +2018,10 @@ void
 uninstall_shim_protocols(void)
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+
+	if (!secure_mode())
+		return;
+
 #if defined(OVERRIDE_SECURITY_POLICY)
 	/*
 	 * Clean up the security protocol hook