diff options
| author | Peter Jones <pjones@redhat.com> | 2021-02-18 16:52:30 -0500 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2021-02-22 11:22:36 -0500 |
| commit | de9165756c5dc0ef90508e44a151619f7a3cb27f (patch) | |
| tree | 63849cd962071fbb4962cb8a2535c88455fba837 /lib/variables.c | |
| parent | 80ff1751183bd36b197ac19ed255e832af1f4fca (diff) | |
| download | efi-boot-shim-de9165756c5dc0ef90508e44a151619f7a3cb27f.tar.gz efi-boot-shim-de9165756c5dc0ef90508e44a151619f7a3cb27f.zip | |
SBAT: mirror SBAT to SbatRT and extend to PCR7 + log
This adds SBAT to our table of variables to mirror with our MoK state.
Currently it mirrors "SBAT" to a variable named "SbatRT", both using the
SHIM GUID.
Currently we enforce the current policy WRT these variables:
- we always delete SbatRT if it's present, for a couple of reasons:
- If we got here either something created it before us during boot,
which isn't a thing we believe anything should be doing, or it's an
NV variable, which it shouldn't be.
- we want to raise the error if it's NV+Authenticated
- we always delete SBAT (and do not mirror it) if it either
- doesn't have BS|NV set or
- does have RT set
- we're requiring !RT because we can't actually tell if it's an
authenticated variable or not, and we want to get the error if RT
is set and it is authenticated, because that means we've lost the
race between us and an attacker to create it.
- we always measure SBAT into PCR7 and add a log extension with the
measured hash
Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'lib/variables.c')
0 files changed, 0 insertions, 0 deletions