| author | Eric Snowberg <eric.snowberg@oracle.com> | 2022-06-17 12:37:28 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-08-03 15:17:45 -0400 |
| commit | 092c2b2bbed950727e41cf450b61c794881c33e7 (patch) | |
| tree | d4e742a96f1c0b8db9e16ab969acfe8e21b6d38d | |
| parent | 0eb07e11b20680200d3ce9c5bc59299121a75388 (diff) | |
Reference MokListRT instead of MokList
When calling back into shim from grub, the MokListRT may contain additional
entries not available in the original MokList, an example being the certs
included via user_cert. Use the MokListRT instead when calling check_db_cert
and check_db_hash.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
| -rw-r--r-- | shim.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -397,22 +397,22 @@ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert, } #endif - if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash, + if (check_db_hash(L"MokListRT", SHIM_LOCK_GUID, sha256hash, SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { verification_method = VERIFIED_BY_HASH; update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } else { - LogError(L"check_db_hash(MokList, sha256hash) != DATA_FOUND\n"); + LogError(L"check_db_hash(MokListRT, sha256hash) != DATA_FOUND\n"); } - if (cert && check_db_cert(L"MokList", SHIM_LOCK_GUID, cert, sha256hash) + if (cert && check_db_cert(L"MokListRT", SHIM_LOCK_GUID, cert, sha256hash) == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; } else if (cert) { - LogError(L"check_db_cert(MokList, sha256hash) != DATA_FOUND\n"); + LogError(L"check_db_cert(MokListRT, sha256hash) != DATA_FOUND\n"); } update_verification_method(VERIFIED_BY_NOTHING); |
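Review bot: Both allowlist lookups in check_allowlist now trust `MokListRT`, but nothing in the hunk records why that variable is an acceptable source for a verification decision. Unlike `MokList`, it is the copy shim itself builds and exposes to the OS, so its integrity here presumably rests on shim having created it earlier in the same boot and on a stale or pre-existing variable of that name never being accepted; that mirroring code is outside the hunk and should be confirmed. I would add a comment above the first lookup, e.g. `/* MokListRT: shim's own mirror of MokList plus user_cert entries; must have been (re)created by shim before this runs */`. It is also worth confirming what happens when mirroring failed and `MokListRT` is absent: presumably both lookups miss and MOK-enrolled binaries are rejected, which fails closed but is a behaviour change from reading `MokList` directly. check_allowlist begins and ends outside the hunk.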
