From bdc5d3ec9ca5e0f270dc583c86ef8916ee70ac39 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 1 Aug 2017 11:19:33 -0400
Subject: [PATCH] Always measure all of MokSBState, MokList, and MokListX

Even if errors occurred, always try to measure all of our Mok entries. This way we won't fail on e.g. MokList not being set.

Signed-off-by: Peter Jones
---
 shim.c | 56 +++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 37 insertions(+), 19 deletions(-)

diff --git a/shim.c b/shim.c
index ad72fbe..a9be9ac 100644
--- a/shim.c
+++ b/shim.c
@@ -1921,37 +1921,55 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
 EFI_STATUS measure_mok()
 {
 EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- EFI_STATUS efi_status;
+ EFI_STATUS efi_status, ret = EFI_SUCCESS;
 UINT8 *Data = NULL;
 UINTN DataSize = 0;
 efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid);
- if (efi_status != EFI_SUCCESS)
- return efi_status;
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
+ DataSize, 14, (CHAR8 *)"MokList");
+ FreePool(Data);
- efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
- DataSize, 14, (CHAR8 *)"MokList");
+ if (EFI_ERROR(efi_status))
+ ret = efi_status;
- FreePool(Data);
+ } else {
+ ret = efi_status;
+ }
- if (efi_status != EFI_SUCCESS)
- return efi_status;
+ efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid);
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
+ DataSize, 14, (CHAR8 *)"MokListX");
+ FreePool(Data);
+
+ if (EFI_ERROR(efi_status) && !EFI_ERROR(ret))
+ ret = efi_status;
+
+ } else if (!EFI_ERROR(ret)) {
+ ret = efi_status;
+ }
 efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = tpm_measure_variable(L"MokSBState",
+ shim_lock_guid,
+ DataSize, Data);
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)
+ (UINTN)Data, DataSize, 14,
+ (CHAR8 *)"MokSBState");
+ }
- if (efi_status != EFI_SUCCESS)
- return efi_status;
+ FreePool(Data);
- efi_status = tpm_measure_variable(L"MokSBState", shim_lock_guid,
- DataSize, Data);
- if (efi_status != EFI_SUCCESS)
- goto out;
-
- efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data,
- DataSize, 14, (CHAR8 *)"MokSBState");
-out:
- FreePool(Data);
+ if (EFI_ERROR(efi_status) && !EFI_ERROR(ret))
+ ret = efi_status;
+ } else if (!EFI_ERROR(ret)) {
+ ret = efi_status;
+ }
 return efi_status;
 }
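Review bot: The accumulated `ret` is never returned: the unchanged last statement of measure_mok() is still `return efi_status;`, so the caller only sees the outcome of the MokSBState branch. A failed `tpm_log_event` for MokList or MokListX is therefore reported as success whenever MokSBState is measured cleanly, and the boot continues with those entries missing from the index-14 measurements without any error surfacing. The last line should be `return ret;`. Once `ret` is actually returned, an unset variable would also become a failure, which the commit message says it wants to avoid; if `get_variable` reports that case as `EFI_NOT_FOUND`, the `else` branches should skip it, e.g. `else if (efi_status != EFI_NOT_FOUND && !EFI_ERROR(ret)) ret = efi_status;`. A short comment above the function stating that it returns the first error seen while still attempting all three measurements would document the intended contract.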