From e2073885773e45d112aca457cbd730dc0551b9ee Mon Sep 17 00:00:00 2001
From: Tamas K Lengyel
Date: Tue, 5 Dec 2017 13:25:32 -0700
Subject: [PATCH] Install shim_lock protocol even when SecureBoot is off

Currently the shim_lock protocol is only installed when SecureBoot is enabled. However, having Verify just measure into the TPM without SecureBoot is a useful feature.

Signed-off-by: Tamas K Lengyel
---
 shim.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/shim.c b/shim.c
index 90a5ea0..818eff3 100644
--- a/shim.c
+++ b/shim.c
@@ -2742,9 +2742,6 @@ install_shim_protocols(void)
 SHIM_LOCK *shim_lock;
 EFI_STATUS efi_status;
 
- if (!secure_mode())
- return EFI_SUCCESS;
-
 /*
 * Did another instance of shim earlier already install the
 * protocol? If so, get rid of it.
@@ -2778,6 +2775,9 @@ install_shim_protocols(void)
 return efi_status;
 }
 
+ if (!secure_mode())
+ return EFI_SUCCESS;
+
 #if defined(OVERRIDE_SECURITY_POLICY)
 /*
 * Install the security protocol hook
@@ -2793,6 +2793,12 @@ uninstall_shim_protocols(void)
 {
 EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 
+ /*
+ * If we're back here then clean everything up before exiting
+ */
+ uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
+ &shim_lock_guid, &shim_lock_interface);
+
 if (!secure_mode())
 return;
 
@@ -2802,18 +2808,11 @@ uninstall_shim_protocols(void)
 */
 security_policy_uninstall();
 #endif
-
- /*
- * If we're back here then clean everything up before exiting
- */
- uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
- &shim_lock_guid, &shim_lock_interface);
 }
 
 EFI_STATUS
 shim_init(void)
 {
- EFI_STATUS status = EFI_SUCCESS;
 setup_console(1);
 setup_verbosity();
 dprinta(shim_version);
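Review bot: The relocated `if (!secure_mode()) return EFI_SUCCESS;` in install_shim_protocols (hunk `@@ -2778,6 +2775,9 @@`) now sits after the shim_lock install, so the protocol is published with Secure Boot off and nothing in the code tells a caller what Verify guarantees in that state. Going by the commit message, Verify then only measures into the TPM; the Verify implementation is not part of this diff, so that is inferred. A loader that treats the protocol's presence, or an EFI_SUCCESS from Verify, as proof of signature enforcement would be wrong, so I would put a comment above the check such as `/* shim_lock stays installed with Secure Boot off: Verify then measures only, and success does not mean the image was signature-checked. */`. The function body starts and ends outside this hunk.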
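Review bot: Moving the UninstallProtocolInterface call to the top of uninstall_shim_protocols (hunk `@@ -2793,6 +2793,12 @@`, with the old call removed in `@@ -2802,18 +2808,11 @@`) makes teardown run in the same order as install instead of the reverse: shim_lock is now removed first and security_policy_uninstall() afterwards, while install_shim_protocols installs shim_lock before the policy hook. Whether the policy hook depends on the protocol is not visible here, so this may be harmless, but reverse-order teardown avoids relying on that. Guarding only the policy uninstall with secure_mode() and leaving the protocol uninstall last keeps the old ordering and drops the early return. The middle of the function lies between the two hunks and is not shown.

```c
	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;

#if defined(OVERRIDE_SECURITY_POLICY)
	/* The policy hook was installed last, so remove it first. */
	if (secure_mode())
		security_policy_uninstall();
#endif

	/* shim_lock is installed in both modes, so always remove it. */
	uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
			  &shim_lock_guid, &shim_lock_interface);
```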
@@ -2834,19 +2833,20 @@ shim_init(void)
 
 hook_exit(systab);
 
- status = install_shim_protocols();
 }
- return status;
+
+ return install_shim_protocols();
 }
 
 void
 shim_fini(void)
 {
+ /*
+ * Remove our protocols
+ */
+ uninstall_shim_protocols();
+
 if (secure_mode()) {
- /*
- * Remove our protocols
- */
- uninstall_shim_protocols();
 
 /*
 * Remove our hooks from system services.
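Review bot: `return install_shim_protocols();` at the end of shim_init now runs outside the block closed just above it (its header is outside the hunk), so a failure to install shim_lock is returned from shim_init even when that block is skipped, where the old code returned EFI_SUCCESS. How the caller reacts is not in this diff; if it aborts the boot, a machine with Secure Boot off can now fail to start over a protocol it did not previously need. If that is intended, say so in a comment, e.g. `/* shim_lock is installed in both modes; a failure to install it is fatal either way. */`; otherwise report the error and continue when `!secure_mode()`. shim_fini's body continues past the end of the hunk.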