authorGary Lin <glin@suse.com>2018-11-21 12:47:43 +0800
committerPeter Jones <pjones@redhat.com>2020-07-23 20:52:12 -0400
commitf748139695384fb4e09833898f0b8cb3ab85d810 (patch)
tree53bbd2e4f00435c65e56fda28712b25c5d493e60
parentac0400b20264ef67b67891d2216edd3fe20e5571 (diff)
mok: fix the mirroring of RT variables
When there is no key in MokList, import_mok_state() just skipped MokList even though it should always mirror the vendor cert. Besides, the faulty check of 'present' and 'addend' invalidates the mirroring of MokListXRT, MokSBStateRT, and MokIgnoreDB. https://github.com/rhboot/shim/issues/154 Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: 4b27ae034ba
-rw-r--r--mok.c11
1 files changed, 4 insertions, 7 deletions
diff --git a/mok.c b/mok.c
index 00dd1ad3..41925abb 100644
--- a/mok.c
+++ b/mok.c
@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
&v->data, &v->data_size,
*v->guid, &attrs);
if (efi_status == EFI_NOT_FOUND) {
- if (v->rtname && addend) {
- efi_status = mirror_one_mok_variable(v);
- if (EFI_ERROR(efi_status) &&
- ret != EFI_SECURITY_VIOLATION)
- ret = efi_status;
- }
+ if (addend)
+ goto mirror_addend;
/*
* after possibly adding, we can continue, no
* further checks to be done.
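Review bot: The `goto mirror_addend` added in the EFI_NOT_FOUND branch lands on the condition `v->rtname && (present || addend)` in the second hunk, where `present` is evaluated before `addend`. Neither assignment is visible in these hunks, so if `present` is only set after the variable has been read successfully, this path reads an uninitialized automatic variable. Initialising `present` to FALSE where it is declared, or testing `(addend || present)`, would make the jump safe either way. The comment kept below the new lines ("after possibly adding") no longer matches, since the adding now happens at the label; something like `/* no addend either: nothing to mirror for this variable */` fits better. import_mok_state's body starts and ends outside the hunk.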
@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
}
- if (v->rtname && present && addend) {
+mirror_addend:
+ if (v->rtname && (present || addend)) {
if (v->flags & MOK_MIRROR_DELETE_FIRST)
LibDeleteVariable(v->rtname, v->guid);
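Review bot: The removed EFI_NOT_FOUND branch recorded a failed `mirror_one_mok_variable(v)` in `ret` (unless `ret` was already EFI_SECURITY_VIOLATION), and the absent-variable path now depends on the shared block under `mirror_addend:` doing the same. The mirror call and its error handling lie below this hunk, so that is worth confirming. It matters more with `MOK_MIRROR_DELETE_FIRST`, because the runtime copy is deleted before the mirror is attempted, and an unreported failure would leave the OS without that variable. A comment at the label would also help, for example `/* also entered directly when the variable is absent but an addend exists */`.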