diff options
| author | Peter Jones <pjones@redhat.com> | 2013-09-05 16:56:03 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2013-10-01 14:03:16 -0400 |
| commit | b538992dd4f963bf1eb61246b23218f2ccc6092e (patch) | |
| tree | 6781fe9eb2d5af6635cca92a665ba0b6169fd501 | |
| parent | 39df41ceb5a793f7db9233a2741d30c55b6a8861 (diff) | |
| download | efi-boot-shim-b538992dd4f963bf1eb61246b23218f2ccc6092e.tar.gz efi-boot-shim-b538992dd4f963bf1eb61246b23218f2ccc6092e.zip | |
Include shim's vendor_cert in MokListRT
There needs to be some way to communicate to the kernel that it's a
trusted key, and since this mechanism already exists, it's by far the
easiest.
| -rw-r--r-- | TODO | 2 | ||||
| -rw-r--r-- | shim.c | 42 |
2 files changed, 38 insertions, 6 deletions
@@ -2,8 +2,6 @@ Versioned protocol: - Make shim and the bootloaders using it express how enlightened they are to one another, so we can stop earlier without tricks like the one above -MokListRT containing shim key: -- MokListRT has to contain the shim key... MokListRT signing: - For kexec and hybernate to work right, MokListRT probably needs to be an authenticated variable. It's probable this needs to be done @@ -1342,23 +1342,57 @@ EFI_STATUS mirror_mok_list() EFI_STATUS efi_status; UINT8 *Data = NULL; UINTN DataSize = 0; + void *FullData = NULL; + UINTN FullDataSize = 0; + EFI_SIGNATURE_LIST *CertList = NULL; + EFI_SIGNATURE_DATA *CertData = NULL; + uint8_t *p = NULL; efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); + if (efi_status != EFI_SUCCESS) + DataSize = 0; + + FullDataSize = DataSize + + sizeof (*CertList) + + sizeof (EFI_GUID) + + vendor_cert_size + ; + FullData = AllocatePool(FullDataSize); + if (!FullData) { + Print(L"Failed to allocate space for MokListRT\n"); + return EFI_OUT_OF_RESOURCES; + } + p = FullData; - if (efi_status != EFI_SUCCESS) { - goto done; + if (efi_status == EFI_SUCCESS && DataSize > 0) { + CopyMem(p, Data, DataSize); + p += DataSize; } + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureListSize = vendor_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, - DataSize, Data); + FullDataSize, FullData); if (efi_status != EFI_SUCCESS) { Print(L"Failed to set MokListRT %d\n", efi_status); } -done: return efi_status; } |