author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> 2017-08-04 12:10:50 -0400
committer: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> 2017-08-04 12:10:50 -0400
commit: bbfd2ab18f52600aa41f061b2da9a2afe2a9d6ac (patch)
tree: 56132d617fff7c4f05e67024ec872d88fcafa92d /MokVars.txt
Import Upstream version 0.9+1474479173.6c180c6 (upstream/0.9+1474479173.6c180c6)
Diffstat (limited to 'MokVars.txt'):
-rw-r--r-- MokVars.txt 74
1 files changed, 74 insertions, 0 deletions
diff --git a/MokVars.txt b/MokVars.txt
new file mode 100644
index 00000000..cac5349f
--- /dev/null
+++ b/MokVars.txt
@@ -0,0 +1,74 @@
+Variables used by Shim and Mokmanager
+
+Request variables:
+
+MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
+UCS-2 representation of the password. The user will be asked to
+re-enter the password to confirm. If the hash of the entered password
+matches the contents of MokPW, the user will be prompted to copy MokPW
+into MokPWState. BS,RT,NV
+
+MokSB: Set by MokUtil when requesting a change in state of signature
+validation. A packed structure as follows:
+
+typedef struct {
+ UINT32 MokSBState;
+ UINT32 PWLen;
+ CHAR16 Password[PASSWORD_MAX];
+} __attribute__ ((packed)) MokSBvar;
+
+If MokSBState is 0, the user will be prompted to disable signature
+validation. Otherwise, the user will be prompted to enable it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
+according to MokSBState. BS,RT,NV
+
+MokDB: Set by MokUtil when requesting a change in state of validation
+using db hashes and certs. A packed structure as follows:
+
+typedef struct {
+ UINT32 MokDBState;
+ UINT32 PWLen;
+ CHAR16 Password[PASSWORD_MAX];
+} __attribute__ ((packed)) MokDBvar;
+
+If MokDBState is 0, the user will be prompted to disable usage of db for
+validation. Otherwise, the user will be prompted to allow it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
+according to MokDBState. BS,RT,NV
+
+MokNew: Set by MokUtil when requesting the addition or removal of keys
+from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
+specification. BS,RT,NV
+
+MokAuth: A hash dependent upon the contents of MokNew and the sealing
+password. The user's password in UCS-2 form should be appended to the
+contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
+The hash will be regenerated by MokManager after the user is requested
+to enter their password to confirm enrolment of the keys. If the hash
+matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
+
+State variables:
+
+MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
+as described in the UEFI specification. BS,NV
+
+MokListRT: A copy of MokList made available to the kernel at runtime. RT
+
+MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
+insecure mode. BS,NV
+
+MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
+verification. BS,NV
+
+MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
+or not to import DB certs for its own verification purposes.
+
+MokPWStore: A SHA-256 representation of the password set by the user
+via MokPW. The user will be prompted to enter this password in order
+to interact with MokManager.
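Review bot: The MokPW entry says the confirmed hash is copied "into MokPWState", but the state-variables section at the end of the file defines the stored password hash under the name MokPWStore; one of the two is wrong, and since MokSBState already names the signature-validation flag, the MokPW entry should be corrected to MokPWStore so the request and state sections describe the same variable. Two smaller points in the same file: the MokDB entry ends with "they will then be prompted to change the signature validation according to MokDBState", which is carried over from the MokSB entry and should describe changing the use of db for validation; and the MokSB/MokDB structures define PWLen as a character count next to a Password[PASSWORD_MAX] buffer without stating the value of PASSWORD_MAX or that MokManager must reject a PWLen larger than PASSWORD_MAX before reading the field, which deserves a sentence because these request variables are written by MokUtil rather than by shim itself. Also, the request structures carry MokSBState and MokDBState as UINT32 while the state variables of the same names are documented as 8-bit unsigned integers, so the file should say how the wider field maps onto the stored byte. Finally, MokIgnoreDB and MokPWStore are the only entries without the BS/RT/NV attribute annotation every other entry carries; adding it lets a reader tell whether the stored password hash is exposed at runtime.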