authorPeter Jones <pjones@redhat.com>2021-03-11 17:19:10 -0500
committerJavier Martinez Canillas <javier@dowhile0.org>2021-03-12 10:15:01 +0100
commit76f35c00ef9df3958c5479d74f8d6605c32901ec (patch)
tree2a71e29bb5b00a5ecf1b6874033798276bcf7765
parent076de43a0f871d9e6b6d48e013f01616e4fb1eea (diff)
sbat variable: use UEFI_VAR_NV_BS_RT when we've got ENABLE_SHIM_DEVEL
With ENABLE_SHIM_DEVEL builds, the SBAT variable we use is named SBAT_DEVEL instead of SBAT, and it is expected to have EFI_VARIABLE_RUNTIME_ACCESS set. Signed-off-by: Peter Jones <pjones@redhat.com>
-rw-r--r--include/sbat.h17
-rw-r--r--mok.c8
-rw-r--r--sbat.c26
3 files changed, 40 insertions, 11 deletions
diff --git a/include/sbat.h b/include/sbat.h
index 95fa6a56..5db82379 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -13,9 +13,26 @@
#define UEFI_VAR_NV_BS \
(EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
+#define UEFI_VAR_NV_BS_RT \
+ (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | \
+ EFI_VARIABLE_RUNTIME_ACCESS)
#define UEFI_VAR_NV_BS_TIMEAUTH \
(UEFI_VAR_NV_BS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
+#if defined(ENABLE_SHIM_DEVEL)
+#define SBAT_VAR_NAME L"SBAT_DEVEL"
+#define SBAT_VAR_NAME8 "SBAT_DEVEL"
+#define SBAT_RT_VAR_NAME L"SbatRT_DEVEL"
+#define SBAT_RT_VAR_NAME8 "SbatRT_DEVEL"
+#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS_RT
+#else
+#define SBAT_VAR_NAME L"SBAT"
+#define SBAT_VAR_NAME8 "SBAT"
+#define SBAT_RT_VAR_NAME L"SbatRT"
+#define SBAT_RT_VAR_NAME8 "SbatRT"
+#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
+#endif
+
extern UINTN _sbat, _esbat;
struct sbat_var_entry {
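Review bot: The new SBAT_VAR_ATTRS selection carries no comment, yet it is the security-relevant part of this change: under ENABLE_SHIM_DEVEL the variable is written NV|BS|RT with no authenticated-write attribute, so as far as the attributes go it is visible from the running OS, whereas production builds keep it boot-services-only. Anyone reaching for SBAT_VAR_ATTRS from a new call site should see that distinction at the definition. I'd add above the `#if defined(ENABLE_SHIM_DEVEL)`: `/* Devel builds use a separately named, runtime-visible SBAT variable so it can be inspected from the OS; production SBAT is boot-services-only and must not be built with ENABLE_SHIM_DEVEL. */`. Because the names differ as well, a devel shim never reads or rewrites the production SBAT variable and vice versa, which is presumably the intent and is also worth stating in that comment.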
diff --git a/mok.c b/mok.c
index 048d38d5..e3c3d9ee 100644
--- a/mok.c
+++ b/mok.c
@@ -225,10 +225,10 @@ struct mok_state_variable mok_state_variables[] = {
.no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
.state = &ignore_db,
},
- {.name = L"SBAT",
- .name8 = "SBAT",
- .rtname = L"SbatRT",
- .rtname8 = "SbatRT",
+ {.name = SBAT_VAR_NAME,
+ .name8 = SBAT_VAR_NAME8,
+ .rtname = SBAT_RT_VAR_NAME,
+ .rtname8 = SBAT_RT_VAR_NAME8,
.guid = &SHIM_LOCK_GUID,
.yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_NON_VOLATILE,
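Review bot: The entry's `.yes_attr` at the end of the hunk stays hard-coded to `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE` while SBAT_VAR_ATTRS in include/sbat.h now adds EFI_VARIABLE_RUNTIME_ACCESS for ENABLE_SHIM_DEVEL builds, so the variable name now comes from the shared definition but the attribute expectation does not. If this entry also has `.no_attr = EFI_VARIABLE_RUNTIME_ACCESS` like the neighbouring entry above it (the initializer continues past the hunk, so I cannot see it), a devel build would write SBAT_DEVEL with RT set and then have its own table describe that attribute as forbidden on the same variable. Consider `.yes_attr = SBAT_VAR_ATTRS,` and making any `.no_attr` on this entry conditional on ENABLE_SHIM_DEVEL too, so the table tracks what set_sbat_uefi_variable() actually writes. The mok_state_variables[] initializer starts and ends outside the hunk.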
diff --git a/sbat.c b/sbat.c
index 77b6f5ab..f6be6cb6 100644
--- a/sbat.c
+++ b/sbat.c
@@ -280,7 +280,7 @@ parse_sbat_var(list_t *entries)
if (!entries)
return EFI_INVALID_PARAMETER;
- efi_status = get_variable(L"SBAT", &data, &datasize, SHIM_LOCK_GUID);
+ efi_status = get_variable(SBAT_VAR_NAME, &data, &datasize, SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
LogError(L"Failed to read SBAT variable\n", efi_status);
return efi_status;
@@ -293,6 +293,17 @@ parse_sbat_var(list_t *entries)
return parse_sbat_var_data(entries, data, datasize+1);
}
+static bool
+check_sbat_var_attributes(UINT32 attributes)
+{
+#ifdef ENABLE_SHIM_DEVEL
+ return attributes == UEFI_VAR_NV_BS_RT;
+#else
+ return attributes == UEFI_VAR_NV_BS ||
+ attributes == UEFI_VAR_NV_BS_TIMEAUTH;
+#endif
+}
+
EFI_STATUS
set_sbat_uefi_variable(void)
{
@@ -302,7 +313,7 @@ set_sbat_uefi_variable(void)
UINT8 *sbat = NULL;
UINTN sbatsize = 0;
- efi_status = get_variable_attr(L"SBAT", &sbat, &sbatsize,
+ efi_status = get_variable_attr(SBAT_VAR_NAME, &sbat, &sbatsize,
SHIM_LOCK_GUID, &attributes);
/*
* Always set the SBAT UEFI variable if it fails to read.
@@ -312,8 +323,7 @@ set_sbat_uefi_variable(void)
*/
if (EFI_ERROR(efi_status)) {
dprint(L"SBAT read failed %r\n", efi_status);
- } else if ((attributes == UEFI_VAR_NV_BS ||
- attributes == UEFI_VAR_NV_BS_TIMEAUTH) &&
+ } else if (check_sbat_var_attributes(attributes) &&
sbatsize >= strlen(SBAT_VAR_SIG "1") &&
strncmp((const char *)sbat, SBAT_VAR_SIG,
strlen(SBAT_VAR_SIG))) {
@@ -323,7 +333,8 @@ set_sbat_uefi_variable(void)
FreePool(sbat);
/* delete previous variable */
- efi_status = set_variable(L"SBAT", SHIM_LOCK_GUID, attributes, 0, "");
+ efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID,
+ attributes, 0, "");
if (EFI_ERROR(efi_status)) {
dprint(L"SBAT variable delete failed %r\n", efi_status);
return efi_status;
@@ -331,7 +342,7 @@ set_sbat_uefi_variable(void)
}
/* set variable */
- efi_status = set_variable(L"SBAT", SHIM_LOCK_GUID, UEFI_VAR_NV_BS,
+ efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID, SBAT_VAR_ATTRS,
sizeof(SBAT_VAR), SBAT_VAR);
if (EFI_ERROR(efi_status)) {
dprint(L"SBAT variable writing failed %r\n", efi_status);
@@ -339,7 +350,8 @@ set_sbat_uefi_variable(void)
}
/* verify that the expected data is there */
- efi_status = get_variable(L"SBAT", &sbat, &sbatsize, SHIM_LOCK_GUID);
+ efi_status = get_variable(SBAT_VAR_NAME, &sbat, &sbatsize,
+ SHIM_LOCK_GUID);
if (EFI_ERROR(efi_status)) {
dprint(L"SBAT read failed %r\n", efi_status);
return efi_status;
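Review bot: check_sbat_var_attributes() in the second hunk is added without a comment, and its two branches encode a policy that is easy to misread later: production builds accept NV|BS or NV|BS|TIMEAUTH, devel builds accept only NV|BS|RT, and a variable whose attributes fail the check presumably falls through to the delete-and-rewrite path in the later hunks. I'd document that on the helper: `/* Accept only the attribute sets this build writes itself (or the time-authenticated variant a deployment may apply); anything else is treated as a foreign SBAT variable and replaced. */`. Note also that the condition rewritten in the fourth hunk ends with `strncmp(...)` without negation, i.e. it is true when the data does not start with SBAT_VAR_SIG; the branch body is outside the hunk so I cannot tell whether that is intended, but touching the condition is the natural moment to confirm it is not inverted. set_sbat_uefi_variable() starts and ends outside these hunks.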