authorGary Ching-Pang Lin <glin@suse.com>2015-06-16 11:41:32 -0400
committerPeter Jones <pjones@redhat.com>2015-06-16 11:41:32 -0400
commit894c0b99dc0fc782ddf7e8980eb9a0491a1001c5 (patch)
treef74316fb3fb74dd5755eef600e8b6a944bf944c9 /shim.c
parented8363efd22f9ad4e29a7848615a75e471396610 (diff)
Verify the EFI images with MOK blacklist
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Diffstat (limited to 'shim.c')
-rw-r--r--shim.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/shim.c b/shim.c
index a2ca2a11..09db1502 100644
--- a/shim.c
+++ b/shim.c
@@ -519,6 +519,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ EFI_GUID shim_var = SHIM_LOCK_GUID;
EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
@@ -542,6 +543,14 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
DATA_FOUND)
return EFI_ACCESS_DENIED;
+ if (check_db_hash(L"MokListX", shim_var, sha256hash, SHA256_DIGEST_SIZE,
+ EFI_CERT_SHA256_GUID) == DATA_FOUND) {
+ return EFI_ACCESS_DENIED;
+ }
+ if (cert && check_db_cert(L"MokListX", shim_var, cert, sha256hash) ==
+ DATA_FOUND) {
+ return EFI_ACCESS_DENIED;
+ }
return EFI_SUCCESS;
}
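Review bot: The two added `MokListX` lookups deny only on `DATA_FOUND`, so any other outcome, including a missing or unreadable variable, falls through to `return EFI_SUCCESS`; for a deny list that is fail-open. Unlike `dbx`, `MokListX` is read under `SHIM_LOCK_GUID` and is presumably not a firmware-authenticated variable, so its contents are only trustworthy if it is boot-services-only. No attribute check is visible in this hunk, though one may exist elsewhere: the body of check_blacklist starts outside the hunk, and check_db_hash and check_db_cert are not shown. I would record the assumption above the new block, e.g. `/* MokListX is trusted only while it lacks EFI_VARIABLE_RUNTIME_ACCESS; a missing or unreadable list does not block the image */`, and confirm that the variable's attributes are verified before this function runs.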