| author | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-12-11 17:03:32 -0500 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2018-02-01 13:50:44 -0500 |
| commit | c8ca1c569664913e580340105bceb75b5aecad57 (patch) | |
| tree | 0dbfee1f60e18349c41883c302f20390d2e2989b | |
| parent | 02e2fc61bd2fb7f0045f15db105de7b8ace3029f (diff) | |
Uninstall shim protocols before re-installing them
Make sure if we chainload things, a chainloaded bootloader will be able to use
the latest systab replacements and protocols. They need to match for things
to validate correctly.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
| -rw-r--r-- | replacements.c | 13 | ||||
| -rw-r--r-- | shim.c | 22 |
2 files changed, 22 insertions, 13 deletions
diff --git a/replacements.c b/replacements.c
index 898b42b1..b3b7d819 100644
--- a/replacements.c
+++ b/replacements.c
@@ -100,19 +100,6 @@ start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data)
 EFI_STATUS status;
 unhook_system_services();
- /* We have to uninstall shim's protocol here, because if we're
- * On the fallback.efi path, then our call pathway is:
- *
- * shim->fallback->shim->grub
- * ^ ^ ^
- * | | \- gets protocol #0
- * | \- installs its protocol (#1)
- * \- installs its protocol (#0)
- * and if we haven't removed this, then grub will get the *first*
- * shim's protocol, but it'll get the second shim's systab
- * replacements. So even though it will participate and verify
- * the kernel, the systab never finds out.
- */
 if (image_handle == last_loaded_image) {
 loader_is_participating = 1;
 uninstall_shim_protocols();
@@ -2726,12 +2726,34 @@ EFI_STATUS install_shim_protocols(void)
 {
 EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ SHIM_LOCK *shim_lock;
 EFI_STATUS efi_status;
 if (!secure_mode()) return EFI_SUCCESS;
 /*
+ * Did another instance of shim earlier already install the
+ * protocol? If so, get rid of it.
+ *
+ * We have to uninstall shim's protocol here, because if we're
+ * On the fallback.efi path, then our call pathway is:
+ *
+ * shim->fallback->shim->grub
+ * ^ ^ ^
+ * | | \- gets protocol #0
+ * | \- installs its protocol (#1)
+ * \- installs its protocol (#0)
+ * and if we haven't removed this, then grub will get the *first*
+ * shim's protocol, but it'll get the second shim's systab
+ * replacements. So even though it will participate and verify
+ * the kernel, the systab never finds out.
+ */
+ efi_status = LibLocateProtocol(&shim_lock_guid, (VOID **)&shim_lock);
+ if (!EFI_ERROR(efi_status))
+ uninstall_shim_protocols();
+
+ /*
 * Install the protocol
 */
 efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, |
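Review bot: In the install_shim_protocols hunk (shim.c, going by the diffstat), `shim_lock` is filled in by `LibLocateProtocol()` but never used, so `uninstall_shim_protocols()` is not told which interface was found. That helper is outside the hunk; if it only uninstalls the handle and interface owned by the running image, an earlier instance's SHIM_LOCK would stay registered and a chainloaded loader could still locate the stale one. Nothing here confirms the removal worked before `InstallProtocolInterface` runs, and a failed uninstall would leave two interfaces under the same GUID, which is the mismatch the new comment describes. I would at least record the assumption next to the call, `/* relies on uninstall_shim_protocols() removing the interface located above, not just our own */`, and consider repeating the locate afterwards and logging if it still succeeds. The body of install_shim_protocols continues past the end of the hunk.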
