Copy the MOK list to a RT variable

The RT variable, MokListRT, is a copy of MokList so that the runtime applications can synchronize the key list without touching the BS variable.
2025-12-25 10:31:02 +00:00 · 2012-09-11 17:43:44 +08:00 · 2012-09-11 17:43:44 +08:00 · ed2ecf8655
commit ed2ecf8655
parent 28c581335e
1 changed files with 30 additions and 0 deletions
--- a/shim.c
+++ b/shim.c
@ -1032,6 +1032,34 @@ done:
 	return efi_status;
 }

+EFI_STATUS mirror_mok_list()
+{
+	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+	EFI_STATUS efi_status;
+	UINT32 attributes;
+	void *Data = NULL;
+	UINTN DataSize = 0;
+
+	efi_status = get_variable(L"MokList", shim_lock_guid, &attributes,
+				  &DataSize, &Data);
+
+	if (efi_status != EFI_SUCCESS) {
+		goto done;
+	}
+
+	efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
+				       &shim_lock_guid,
+				       EFI_VARIABLE_BOOTSERVICE_ACCESS
+				       | EFI_VARIABLE_RUNTIME_ACCESS,
+				       DataSize, Data);
+	if (efi_status != EFI_SUCCESS) {
+		Print(L"Failed to set MokListRT %d\n", efi_status);
+	}
+
+done:
+	return efi_status;
+}
+
 EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@ -1080,6 +1108,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)

 	efi_status = check_mok_request(image_handle);

+	efi_status = mirror_mok_list();
+
 	uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle,
 			  &shim_lock_guid, EFI_NATIVE_INTERFACE,
 			  &shim_lock_interface);