| author | Patrick Uiterwijk <patrick@puiterwijk.org> | 2018-11-05 14:51:16 +0100 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2020-07-23 20:52:12 -0400 |
| commit | ac0400b20264ef67b67891d2216edd3fe20e5571 (patch) | |
| tree | cc6609cb8d68485cd09f0556e537b16a1224121e | |
| parent | ee832f21c6706d6b3890d82f9d8bcb2bd249ee04 (diff) | |
Make sure that MOK variables always get mirrored
Without this, if a Mok variable doesn't exist in Boot Services, it will also
not be copied to Runtime, even if we have data to be added to it (vendor cert).
This patch makes sure that if we have extra data to append, we still mirror
the variable.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Upstream-commit-id: 9ab0d796bdc
| -rw-r--r-- | mok.c | 20 |
1 files changed, 16 insertions, 4 deletions
@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
  UINT32 attrs = 0;
  BOOLEAN delete = FALSE, present, addend;
+ addend = (v->addend_source && v->addend_size &&
+ *v->addend_source && *v->addend_size)
+ ? TRUE : FALSE;
+
  efi_status = get_variable_attr(v->name, &v->data, &v->data_size, *v->guid, &attrs);
- if (efi_status == EFI_NOT_FOUND)
+ if (efi_status == EFI_NOT_FOUND) {
+ if (v->rtname && addend) {
+ efi_status = mirror_one_mok_variable(v);
+ if (EFI_ERROR(efi_status) &&
+ ret != EFI_SECURITY_VIOLATION)
+ ret = efi_status;
+ }
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+ */
  continue;
+ }
  if (EFI_ERROR(efi_status)) {
  perror(L"Could not verify %s: %r\n", v->name, efi_status);
@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
  }
  present = (v->data && v->data_size) ? TRUE : FALSE;
- addend = (v->addend_source && v->addend_size &&
- *v->addend_source && *v->addend_size)
- ? TRUE : FALSE;
  if (v->flags & MOK_VARIABLE_MEASURE && present) {
  /* |
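Review bot: In the new `EFI_NOT_FOUND` branch a failed `mirror_one_mok_variable(v)` is only folded into `ret` and never logged, while the `EFI_ERROR` branch right after it reports through `perror`. Adding `perror(L"Could not mirror %s: %r\n", v->name, efi_status);` before the `ret` update (with braces around the `if` body) would make a missing runtime copy of the vendor data visible at boot. The call also runs after `get_variable_attr` has failed, so it appears to rely on `v->data` and `v->data_size` being left empty on that path; the hunk does not show this, and a one-line comment stating the assumption, or an explicit reset before the call, would help. The comment `after possibly adding, we can continue` could also say why no checks remain, presumably because there is no Boot Services variable left to verify. The body of `import_mok_state` starts and ends outside the hunk.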
