| author | Matthew Garrett <mjg@redhat.com> | 2012-10-30 16:14:02 -0400 |
|---|---|---|
| committer | Matthew Garrett <mjg@redhat.com> | 2012-10-30 16:14:02 -0400 |
| commit | 5a8d573fb1349a6a1e7708b97934694d5ff735c4 (patch) | |
| tree | e40d63e438ae3c06c90c806b7a981036f4432a55 | |
| parent | 0a0cd6ba771be419130419f1aeb2ca7931bf7bff (diff) | |
| download | efi-boot-shim-5a8d573fb1349a6a1e7708b97934694d5ff735c4.tar.gz efi-boot-shim-5a8d573fb1349a6a1e7708b97934694d5ff735c4.zip | |
Add documentation of the Mok variables
Brief overview of the function and format of the various variables used
by Shim and MokManager.
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | MokVars.txt | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/MokVars.txt b/MokVars.txt new file mode 100644 index 00000000..74f09083 --- /dev/null +++ b/MokVars.txt 
@@ -0,0 +1,51 @@ +Variables used by Shim and Mokmanager + +Request variables: + +MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the +UCS-2 representation of the password. The user will be asked to +re-enter the password to confirm. If the hash of the entered password +matches the contents of MokPW, the user will be prompted to copy MokPW +into MokPWState. BS,RT,NV + +MokSB: Set by MokUtil when requesting a change in state of signature +validation. A packed structure as follows: + +typedef struct { + UINT32 MokSBState; + UINT32 PWLen; + CHAR16 Password[PASSWORD_MAX]; +} __attribute__ ((packed)) MokSBvar; + +If MokSBState is 0, the user will be prompted to disable signature +validation. Otherwise, the user will be prompted to enable it. PWLen +is the length of the password, in characters. Password is a UCS-2 +representation of the password. The user will be prompted to enter +three randomly chosen characters from the password. If successful, +they will then be prompted to change the signature validation +according to MokSBState. BS,RT,NV + +MokNew: Set by MokUtil when requesting the addition or removal of keys +from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI +specification. BS,RT,NV + +MokAuth: A hash dependent upon the contents of MokNew and the sealing +password. The user's password in UCS-2 form should be appended to the +contents of MokNew and a SHA-256 hash generated and stored in MokAuth. +The hash will be regenerated by MokManager after the user is requested +to enter their password to confirm enrolment of the keys. If the hash +matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV + +State variables: + +MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST +as described in the UEFI specification. BS,NV + +MokListRT: A copy of MokList made available to the kernel at runtime. RT + +MokSBState: An 8-bit unsigned integer. If 1, shim will switch to +insecure mode. 
BS,NV + +MokPWStore: A SHA-256 representation of the password set by the user +via MokPW. The user will be prompted to enter this password in order +to interact with MokManager. |
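Review bot: the MokPW entry says the confirmed hash is copied into MokPWState, but the state variable documented at the end of the file is named MokPWStore; pick one name and use it in both places (MokPWState also reads too close to MokSBState, the signature-validation state variable, so MokPWStore looks like the better choice). Two smaller gaps in the same hunk: MokPWStore is the only variable without an attribute list (every other entry ends with `BS,RT,NV`, `BS,NV` or `RT`), and neither the MokPW nor the MokAuth description says whether the UCS-2 password fed to SHA-256 includes its terminating NUL, which an implementer of MokUtil needs to know to produce a hash that MokManager will accept. PASSWORD_MAX is used in the MokSBvar definition but its value is not given; stating it (or pointing to where it is defined) would make the packed layout reproducible from this file alone.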
