Add shim's current NX_COMPAT status to HSIStatus

hughsie asked me to also make it observable at runtime whether the shim
binary that was used to boot was set as NX_COMPAT or not.

This adds that into the HSIStatus data as "shim-has-nx-compat-set".

Signed-off-by: Peter Jones <pjones@redhat.com>

3 files changed, 6 insertions, 0 deletions

diff --git a/include/mok.h b/include/mok.h
index cea4c997..89edf9de 100644
--- a/include/mok.h
+++ b/include/mok.h
@@ -147,6 +147,8 @@ extern UINTN hsi_status;
 #define SHIM_HSI_STATUS_HASDSTGMSD	0x00000020ULL
 /* platform has DST->SetMemorySpaceAttributes */
 #define SHIM_HSI_STATUS_HASDSTSMSA	0x00000040ULL
+/* This shim has the NX_COMPAT bit set */
+#define SHIM_HSI_STATUS_NX		0x00000100ULL
 
 #endif /* !SHIM_MOK_H_ */
 // vim:fenc=utf-8:tw=75:noet
diff --git a/include/pe.h b/include/pe.h
index a1eb8853..ea40184b 100644
--- a/include/pe.h
+++ b/include/pe.h
@@ -53,5 +53,8 @@ relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
 	       EFI_IMAGE_SECTION_HEADER *Section,
 	       void *orig, void *data);
 
+void
+get_shim_nx_capability(EFI_HANDLE image_handle);
+
 #endif /* !PE_H_ */
 // vim:fenc=utf-8:tw=75:noet
diff --git a/include/test-data-efivars-1.h b/include/test-data-efivars-1.h
index 7a34ea70..259558e0 100644
--- a/include/test-data-efivars-1.h
+++ b/include/test-data-efivars-1.h
@@ -114,6 +114,7 @@ static const unsigned char test_data_efivars_1_HSIStatus[] =
 	"has-dxe-services-table: 0\n"
 	"has-get-memory-space-descriptor: 0\n"
 	"has-set-memory-space-attributes: 0\n"
+	"shim-has-nx-compat-set: 0\n"
 	;
 
 #endif /* !TEST_DATA_EFIVARS_1_H_ */