Allow MokListTrusted to be enabled by default

Within previous versions of shim the MokListTrusted var did not exist. The user had to opt in to using the feature. Change the default behavior to an opt out model. Since old shims will not have the BS MokListTrusted set, use inverse logic that sets the MokListTrustedRT to 1 when the boot service variable is missing. Many Linux distros carry out of tree patches to trust the mok keys by default. These out of tree patches can be dropped when using a Linux kernel that supports MokListTrustedRT. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
author: Eric Snowberg <eric.snowberg@oracle.com> 2022-02-17 18:29:58 -0500
committer: Peter Jones <pjones@redhat.com> 2022-05-04 14:58:23 -0400
commit: 2670c6a17edb239949152c471445fc533d8525aa (patch)
tree: 02f664be337bf7da50d405077f8e96b2adb7056d /include
parent: 6aac5959bbb6adbe5f061a7f95139ab794bcfda7 (diff)
download: efi-boot-shim-2670c6a17edb239949152c471445fc533d8525aa.tar.gz
efi-boot-shim-2670c6a17edb239949152c471445fc533d8525aa.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/include/test-data-efivars-1.h b/include/test-data-efivars-1.h
index 55090ede..2831bd23 100644
--- a/include/test-data-efivars-1.h
+++ b/include/test-data-efivars-1.h
@@ -102,5 +102,9 @@ static const unsigned char test_data_efivars_1_SbatLevelRT[] = {
 	0x32, 0x31, 0x30, 0x33, 0x30, 0x32, 0x31, 0x38, 0x0a
 };
 
+static const unsigned char test_data_efivars_1_MokListTrustedRT[] ={
+	0x01
+};
+
 #endif /* !TEST_DATA_EFIVARS_1_H_ */
 // vim:fenc=utf-8:tw=75:noet
author	Eric Snowberg <eric.snowberg@oracle.com>	2022-02-17 18:29:58 -0500
committer	Peter Jones <pjones@redhat.com>	2022-05-04 14:58:23 -0400
commit	2670c6a17edb239949152c471445fc533d8525aa (patch)
tree	02f664be337bf7da50d405077f8e96b2adb7056d /include
parent	6aac5959bbb6adbe5f061a7f95139ab794bcfda7 (diff)
download	efi-boot-shim-2670c6a17edb239949152c471445fc533d8525aa.tar.gz efi-boot-shim-2670c6a17edb239949152c471445fc533d8525aa.zip