Verify the EFI images with MOK blacklist

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2025-07-17 17:18:11 +00:00 · 2013-11-04 14:45:33 +08:00 · 2013-11-04 14:45:33 +08:00 · b8d1bc6e98
commit b8d1bc6e98
parent 9a811c3233
1 changed files with 9 additions and 0 deletions
--- a/shim.c
+++ b/shim.c
@ -519,6 +519,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 				   UINT8 *sha256hash, UINT8 *sha1hash)
 {
 	EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+	EFI_GUID shim_var = SHIM_LOCK_GUID;
 	EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;

 	if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
@ -542,6 +543,14 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
 				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
+	if (check_db_hash(L"MokListX", shim_var, sha256hash, SHA256_DIGEST_SIZE,
+			  EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+		return EFI_ACCESS_DENIED;
+	}
+	if (cert && check_db_cert(L"MokListX", shim_var, cert, sha256hash) ==
+				DATA_FOUND) {
+		return EFI_ACCESS_DENIED;
+	}

 	return EFI_SUCCESS;
 }