-rw-r--r--globals.c1
-rw-r--r--include/mok.h5
-rw-r--r--mok.c13
-rw-r--r--pe.c8
-rw-r--r--shim.h2
5 files changed, 26 insertions, 3 deletions
diff --git a/globals.c b/globals.c
index 30d10630..b4e80dd3 100644
--- a/globals.c
+++ b/globals.c
@@ -29,6 +29,7 @@ int loader_is_participating;
UINT8 user_insecure_mode;
UINT8 ignore_db;
UINT8 trust_mok_list;
+UINT8 mok_policy = 0;
UINT32 verbose = 0;
diff --git a/include/mok.h b/include/mok.h
index 6f99a105..fb19423b 100644
--- a/include/mok.h
+++ b/include/mok.h
@@ -100,5 +100,10 @@ struct mok_variable_config_entry {
UINT8 data[];
};
+/*
+ * bit definitions for MokPolicy
+ */
+#define MOK_POLICY_REQUIRE_NX 1
+
#endif /* !SHIM_MOK_H_ */
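Review bot: The new `MOK_POLICY_REQUIRE_NX` bit has no comment saying what it controls, so a reader of mok.h cannot tell which checks it gates or what a clear bit means. The pe.c changes in this commit show it gates both the `NX_COMPAT` DllCharacteristics check and the writable-and-executable section check, and that the default (`mok_policy = 0`) disables both. I would document that here: `/* bit 0: refuse images lacking NX_COMPAT or carrying W+X sections (see pe.c) */` and `/* all other bits are currently reserved and ignored */`, so that later bits are added deliberately rather than by accident.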
// vim:fenc=utf-8:tw=75:noet
diff --git a/mok.c b/mok.c
index 94101843..a8c8be6b 100644
--- a/mok.c
+++ b/mok.c
@@ -184,6 +184,19 @@ struct mok_state_variable mok_state_variable_data[] = {
.pcr = 14,
.state = &trust_mok_list,
},
+ {.name = L"MokPolicy",
+ .name8 = "MokPolicy",
+ .rtname = L"MokPolicyRT",
+ .rtname8 = "MokPolicyRT",
+ .guid = &SHIM_LOCK_GUID,
+ .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_NON_VOLATILE,
+ .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ .flags = MOK_MIRROR_DELETE_FIRST |
+ MOK_VARIABLE_LOG,
+ .pcr = 14,
+ .state = &mok_policy,
+ },
{ NULL, }
};
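Review bot: The new `MokPolicy` entry stores a bitmask into the `UINT8` `mok_policy`, but nothing in this hunk says what happens when the variable is longer than one byte or contains bits other than `MOK_POLICY_REQUIRE_NX`; the sibling entries (`trust_mok_list` above) are also `UINT8`, so the mirroring code presumably truncates or rejects, but that is not visible here and is worth confirming. The attribute split is the security-relevant part and deserves a comment: `.no_attr = EFI_VARIABLE_RUNTIME_ACCESS` means a runtime-writable `MokPolicy` is not honored, so only a boot-services-only, non-volatile copy can relax or tighten the NX rules, and `MOK_VARIABLE_LOG` with `.pcr = 14` means the value is measured. I would add `/* Policy bits (MOK_POLICY_*); an RT-accessible variable is rejected so the OS cannot set this — only the boot-service copy is trusted, and it is measured into PCR 14. */` above the entry. The `mok_state_variable_data[]` array begins outside the hunk.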
size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);
diff --git a/pe.c b/pe.c
index 9fa6fffd..5d0c6b0b 100644
--- a/pe.c
+++ b/pe.c
@@ -800,8 +800,9 @@ read_header(void *data, unsigned int datasize,
DllFlags = PEHdr->Pe32.OptionalHeader.DllCharacteristics;
}
- if (!(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
- perror(L"Image does not support NX\n");
+ if ((mok_policy & MOK_POLICY_REQUIRE_NX) &&
+ !(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) {
+ perror(L"Policy requires NX, but image does not support NX\n");
return EFI_UNSUPPORTED;
}
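Review bot: With the policy bit clear, `read_header` now silently accepts an image without `EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT`, whereas the removed lines rejected every such image; the relaxation is the intent of the commit, but an operator has no way to see that a non-NX image was loaded under the default policy. I would keep a trace in the relaxed path so the condition stays visible in logs, e.g. `else if (!(DllFlags & EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) perror(L"Image does not support NX; loading because MokPolicy does not require it\n");`, using whichever non-fatal logging helper pe.c already has if `perror` is reserved for failures. A brief comment above the check noting that `mok_policy` defaults to 0 (see globals.c) and is only set from the measured `MokPolicy` variable would also help the next reader understand why the check is conditional. `read_header` begins and ends outside the hunk.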
@@ -1203,7 +1204,8 @@ handle_image (void *data, unsigned int datasize,
if (!(Section->Characteristics & EFI_IMAGE_SCN_MEM_DISCARDABLE) &&
(Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) &&
- (Section->Characteristics & EFI_IMAGE_SCN_MEM_EXECUTE)) {
+ (Section->Characteristics & EFI_IMAGE_SCN_MEM_EXECUTE) &&
+ (mok_policy & MOK_POLICY_REQUIRE_NX)) {
perror(L"Section %d is writable and executable\n", i);
return EFI_UNSUPPORTED;
}
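Review bot: The policy test is placed last in the condition here, while the matching check in `read_header` puts `(mok_policy & MOK_POLICY_REQUIRE_NX)` first, and the error text still reads `Section %d is writable and executable` without mentioning the policy, unlike the updated `Policy requires NX, but image does not support NX` message in the other hunk. For consistency I would move the policy test to the front of the condition and change the message to `perror(L"Policy requires NX, but section %d is writable and executable\n", i);` so both rejections read the same way in logs. As in `read_header`, a W+X section accepted under the default policy currently leaves no trace; a non-fatal log line in that case would make the weaker mode observable. `handle_image` begins and ends outside the hunk.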
diff --git a/shim.h b/shim.h
index dc3cda73..b5272b9c 100644
--- a/shim.h
+++ b/shim.h
@@ -263,6 +263,8 @@ extern UINT8 *build_cert;
extern UINT8 user_insecure_mode;
extern UINT8 ignore_db;
extern UINT8 trust_mok_list;
+extern UINT8 mok_policy;
+
extern UINT8 in_protocol;
extern void *load_options;
extern UINT32 load_options_size;