authorTamas K Lengyel <lengyelt@ainfosec.com>2017-11-06 09:42:18 -0700
committerPeter Jones <pjones@redhat.com>2018-03-06 14:37:07 -0500
commit555ef92650944e5ec8ccc23d1d892e984b04afd6 (patch)
tree050d96f184dcfff3e01749f6d152db2db6a62e32 /shim.c
parent829d3c82652ff51cad8878c69956b78b5aabb86a (diff)
downloadefi-boot-shim-555ef92650944e5ec8ccc23d1d892e984b04afd6.tar.gz
efi-boot-shim-555ef92650944e5ec8ccc23d1d892e984b04afd6.zip
Measure into the TPM even if SecureBoot is off in shim_lock verify
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
Diffstat (limited to 'shim.c')
-rw-r--r--shim.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/shim.c b/shim.c
index 8fe70cb8..51c58327 100644
--- a/shim.c
+++ b/shim.c
@@ -1809,9 +1809,6 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
loader_is_participating = 1;
in_protocol = 1;
- if (!secure_mode())
- goto done;
-
status = read_header(buffer, size, &context);
if (status != EFI_SUCCESS)
goto done;
@@ -1823,6 +1820,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
/* Measure the binary into the TPM */
tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
+ if (!secure_mode())
+ goto done;
+
status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
done:
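Review bot: The `tpm_log_pe(...)` call directly above the added `if (!secure_mode())` discards its result, so on the Secure Boot-off path this commit opens up, shim_verify can reach `done` without the caller learning that the image was never measured. If tpm_log_pe returns a status (its declaration is not in the hunk), consider keeping it, e.g. `status = tpm_log_pe(...);` followed by `if (status != EFI_SUCCESS) goto done;`, subject to whatever policy the project wants for machines without a TPM. With the early exit now below read_header, a malformed image also fails shim_verify when Secure Boot is disabled, where it previously returned before parsing. A comment above the new check, such as `/* Measure first: the TPM log must cover the image even when Secure Boot is off */`, would record that the ordering is deliberate. The body of shim_verify starts and continues outside the hunk.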