diff options
| author | Matthew Garrett <mjg@redhat.com> | 2012-10-18 17:41:52 -0400 |
|---|---|---|
| committer | Matthew Garrett <mjg@redhat.com> | 2012-10-18 17:41:52 -0400 |
| commit | 9272bc5b847bf30f89d9bef49fcc5b04c780460e (patch) | |
| tree | 69ccb562f28c197e22fc83c6f26ef5908b76a71c /shim.c | |
| parent | 1bc1cd96e43f73d75b4a0346532c86260cd33748 (diff) | |
| download | efi-boot-shim-9272bc5b847bf30f89d9bef49fcc5b04c780460e.tar.gz efi-boot-shim-9272bc5b847bf30f89d9bef49fcc5b04c780460e.zip | |
Add support for disabling signature verification
Provide a mechanism for a physically present end user to disable signature
verification. This is handled by the OS passing down a variable that
contains a UINT32 and a SHA256 hash. If this variable is present, MokManager
prompts the user to choose whether to enable or disable signature validation
(depending on the value of the UINT32). They are then asked to type the
passphrase that matches the hash. This then saves a boot services variable
which is checked by shim, and if set will skip verification of signatures.
Diffstat (limited to 'shim.c')
| -rw-r--r-- | shim.c | 29 |
1 files changed, 17 insertions, 12 deletions
@@ -1033,7 +1033,7 @@ done: EFI_STATUS check_mok_request(EFI_HANDLE image_handle) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - EFI_STATUS efi_status; + EFI_STATUS moknew_status, moksb_status, efi_status; UINTN size = sizeof(UINT32); UINT32 MokNew; UINT32 attributes; @@ -1041,22 +1041,27 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (!secure_mode()) return EFI_SUCCESS; - efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokNew", - &shim_lock_guid, &attributes, - &size, (void *)&MokNew); + moknew_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokNew", + &shim_lock_guid, &attributes, + &size, (void *)&MokNew); - if (efi_status != EFI_SUCCESS && efi_status != EFI_BUFFER_TOO_SMALL) - goto done; + moksb_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSB", + &shim_lock_guid, &attributes, + &size, (void *)&MokNew); - efi_status = start_image(image_handle, MOK_MANAGER); + if (moknew_status == EFI_SUCCESS || + moknew_status == EFI_BUFFER_TOO_SMALL || + moksb_status == EFI_SUCCESS || + moksb_status == EFI_BUFFER_TOO_SMALL) { + efi_status = start_image(image_handle, MOK_MANAGER); - if (efi_status != EFI_SUCCESS) { - Print(L"Failed to start MokManager\n"); - goto done; + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to start MokManager\n"); + return efi_status; + } } -done: - return efi_status; + return EFI_SUCCESS; } EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) |