Make EFI variable copying fatal only on secureboot enabled systems

I have come across systems that are unwilling to reserve enough memory for a MokListRT big enough for big certificates. This seems to be the case with firmware implementations that do not support secureboot, which is probably the reason they went with much lower variable storage. This patch set makes sure we can still boot on those systems, by only making the copy action fatal if the system has secure boot enabled, or if the error was anything other than EFI_INVALID_PARAMETER. Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> Upstream-commit-id: 741c61abba7
2025-08-15 00:13:55 +00:00 · 2018-12-06 10:08:45 +01:00 · 2018-12-06 10:08:45 +01:00 · 95bd1d8800
commit 95bd1d8800
parent cf3f99c3b1
1 changed files with 11 additions and 1 deletions
--- a/shim.c
+++ b/shim.c
@ -2609,7 +2609,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 * boot-services-only state variables are what we think they are.
 	 */
 	efi_status = import_mok_state(image_handle);
-	if (EFI_ERROR(efi_status)) {
+	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+		/*
+		 * Make copy failures fatal only if secure_mode is enabled, or
+		 * the error was anything else than EFI_INVALID_PARAMETER.
+		 * There are non-secureboot firmware implementations that don't
+		 * reserve enough EFI variable memory to fit the variable.
+		 */
+		console_print(L"Importing MOK states has failed: %s: %r\n",
+			      msgs[msg], efi_status);
+		console_print(L"Continuing boot since secure mode is disabled");
+	} else if (EFI_ERROR(efi_status)) {
 die:
 		console_print(L"Something has gone seriously wrong: %s: %r\n",
 			      msgs[msg], efi_status);