authorMatthew Garrett <mjg@redhat.com>2012-10-18 17:43:53 -0400
committerMatthew Garrett <mjg@redhat.com>2012-10-18 17:43:53 -0400
commit801d1b936be96f0d22fd5b91af973cafc1fcb68c (patch)
tree1beaeebe50cc02d06d2f3d1a675d8fc3b537f6a1 /shim.c
parentd08ea5363cec6f0159112aec1658d57fbaf1e471 (diff)
Add MOK password auth
Add support for setting an MOK password. The OS passes down a password hash. MokManager then presents an option for setting a password. Selecting it prompts the user for the same password again. If the entered password matches the hash passed down by the OS, the hash is enrolled into a boot services variable and MokManager will prompt for the password whenever it's started.
Diffstat (limited to 'shim.c')
-rw-r--r--shim.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/shim.c b/shim.c
index 39ad9bba..dbe5e849 100644
--- a/shim.c
+++ b/shim.c
@@ -1038,23 +1038,29 @@ done:
EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- EFI_STATUS moknew_status, moksb_status, efi_status;
+ EFI_STATUS moknew_status, moksb_status, mokpw_status, efi_status;
UINTN size = sizeof(UINT32);
- UINT32 MokNew;
+ UINT32 MokVar;
UINT32 attributes;
moknew_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokNew",
&shim_lock_guid, &attributes,
- &size, (void *)&MokNew);
+ &size, (void *)&MokVar);
moksb_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSB",
&shim_lock_guid, &attributes,
- &size, (void *)&MokNew);
+ &size, (void *)&MokVar);
+
+ mokpw_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPW",
+ &shim_lock_guid, &attributes,
+ &size, (void *)&MokVar);
if (moknew_status == EFI_SUCCESS ||
moknew_status == EFI_BUFFER_TOO_SMALL ||
moksb_status == EFI_SUCCESS ||
- moksb_status == EFI_BUFFER_TOO_SMALL) {
+ moksb_status == EFI_BUFFER_TOO_SMALL ||
+ mokpw_status == EFI_SUCCESS ||
+ mokpw_status == EFI_BUFFER_TOO_SMALL) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {