authorMatthew Garrett <matthew.garrett@nebula.com>2013-11-19 10:15:55 -0500
committerMatthew Garrett <matthew.garrett@nebula.com>2013-11-19 10:20:34 -0500
commit8b48ec5c70cd97d37f48581a4eab8139c1a95a1f (patch)
treea15592d978b75cc8861122be2822543f4fba39dd /shim.c
parentd95b24bd02cf41cca9adebd95f10609d6424d2b3 (diff)
Don't hook system services if shim has no built-in keys
Shim should only need to enforce its security policy when it's launching binaries signed with its built-in key. Binaries signed by keys in db or Mokdb should be able to rely on their own security policy. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Diffstat (limited to 'shim.c')
-rw-r--r--shim.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/shim.c b/shim.c
index 524f5fc0..cf93d654 100644
--- a/shim.c
+++ b/shim.c
@@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
Print(L"Booting in insecure mode\n");
uefi_call_wrapper(BS->Stall, 1, 2000000);
} else if (secure_mode()) {
- /*
- * Install our hooks for ExitBootServices() and StartImage()
- */
- hook_system_services(systab);
- loader_is_participating = 0;
+ if (vendor_cert_size || vendor_dbx_size) {
+ /*
+ * If shim includes its own certificates then ensure
+ * that anything it boots has performed some
+ * validation of the next image.
+ */
+ hook_system_services(systab);
+ loader_is_participating = 0;
+ }
}
/*